Bug#1069829: ITP: python-samsung-mdc -- Samsung Multiple Display Control

2024-04-25 Thread Hugh McMaster
Package: wnpp
Severity: wishlist
Owner: Hugh McMaster 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: python-samsung-mdc
  Version : 1.12.1
  Upstream Contact: Victor Gavro 
* URL : https://pypi.org/project/python-samsung-mdc
* License : BSD-3-Clause
  Programming Lang: Python
  Description : Samsung Multiple Display Control

Samsung-MDC is an implementation of the Samsung Multiple Display Control
Protocol using python and asyncio.

Samsung-MDC allows users to control compatible Samsung displays through the
built-in RS-232C or Ethernet interface. 74 commands are supported.

This package includes a command-line interface and python module.

This is the Python 3 version of the package.



I usually install python-samsung-mdc via PyPI and use it to control multiple
Samsung large format displays.



Bug#1069161: libfreetype-dev: Unable to install libfreetype-dev, depends on libpng16-16

2024-04-18 Thread Hugh McMaster
Hi Laurent,

On Wed, 17 Apr 2024 at 18:45, Laurent Cheylus wrote:
>
> Package: libfreetype-dev
> Version: 2.13.2+dfsg-1+b1
> Severity: normal
>
> Dear Maintainer,
>
> I'm trying to install package libfreetype-dev version 2.13.2+dfsg-1+b1 on my
> Debian/testing but I have errors due to unresolved dependencies with
> libpng16-16 package.
>
> $ sudo apt install libfreetype-dev
> Reading package lists... Done
> Building dependency tree... Done
> Reading state information... Done
> Some packages could not be installed. This may mean that you have
> requested an impossible situation or if you are using the unstable
> distribution that some required packages have not yet been created
> or been moved out of Incoming.
> The following information may help to resolve the situation:
>
> The following packages have unmet dependencies:
>  libpng16-16t64 : Breaks: libpng16-16 (< 1.6.43-5)
>
> libpng16-16t64 package is installed on my system (from unstable):

[...]

> How can this problem be solved ?

This isn't a bug with freetype or libpng1.6. The problem is that
you've mixed packages from two different distributions during a large
and very complex transition.

Why are you installing packages from unstable (sid) on your testing
system? As you've seen, that is a guaranteed way to cause breakage.

You need to remove the libpng packages from your system and then
install the packages from testing. Then you will be able to install
libfreetype-dev.

Hugh



Bug#1052455: RE: freetype 2.12.1+dfsg-5+deb12u1 makes chromium segfault at startup

2024-02-24 Thread Hugh McMaster
Control: tag -1 -moreinfo
Control: retitle -1 bookworm-pu: package freetype/2.12.1+dfsg-5+deb12u3

Hi Jonathan,

On Sun, 11 Feb 2024 at 01:40, Jonathan Wiltshire wrote:
>
> On Sat, Feb 10, 2024 at 12:23:06AM +1100, Hugh McMaster wrote:
> > When is the next point release scheduled for?
>
> It isn't yet, but the normal cadence is approximately every two months.
> You need to allow plenty of time for review and testing though. Please
> propose a source debdiff as usual.

I've prepared a source debdiff for the proposed freetype 2.12.1+dfsg-5+deb12u3.

This update includes the original patch and the additional typo fix
identified by Ben Wagner.

In terms of testing, grepping for PUT_COLOR_LAYERS_V1 or
TT_SUPPORT_COLRV1 yields almost the same group of packages.

chromium, firefox-esr, godot, thunderbird all have GUIs. These launch
and function as expected on my bookworm test system.

I also tested some of the openjdk-* demos, where the openjdk version
is installable on bookworm.

Hugh


freetype-2.12.1+dfsg-5+deb12u3.debdiff
Description: Binary data


Bug#1052455: RE: freetype 2.12.1+dfsg-5+deb12u1 makes chromium segfault at startup

2024-02-09 Thread Hugh McMaster
Hi Jonathan,

On Wed, 7 Feb 2024 at 04:47, Jonathan Wiltshire wrote:

> What's your plan at this point? We have skipped this update in two point
> releases now and it needs a resolution.


Thanks for following up. I’d actually forgotten about this.

I’d still like to disable the incomplete and incompatible COLRv1 support in
Bookworm’s FreeType library.

The additional patch Ben Wagner identified is required.

Chromium seems to have fixed the bug we encountered last year, as I tested
a build of FreeType as originally submitted and had no issues.

To avoid any surprises though, we should add the extra patch.

When is the next point release scheduled for?

Hugh



Bug#1059782: mesa-vdpau-drivers: Upgrade to 23.3.* breaks video rendering in tkinter

2023-12-31 Thread Hugh McMaster
Package: mesa-vdpau-drivers
Version: 23.3.1-4
Severity: important

Dear Maintainer,

Upgrading from 23.2.1-1 to any 23.3.* version breaks video rendering in Python
tkinter-based applications.

I'm embedding a python-vlc media player in tkinter to play videos. Playback is
fine when using 23.2.1-1 or older. However, after upgrading to any 23.3.*
version, a black square is displayed where the video output should be. Playback
is occurring, as audio can be heard.

I tracked the issue to the mesa packages, but I don't know how to debug this
further or identify the binary package causing the issue.

I'll attach a simple test case. Please install python3-tk and python3-vlc.


-- Package-specific info:
glxinfo:


Bug#1055102: odbcinst1debian2: Error while installing package

2023-11-02 Thread Hugh McMaster
Hi Janos,

On Wed, 1 Nov 2023 at 00:51, Janos Katein wrote:
>
> I wanted to install the odbcinst1debian2 package and I expected it to
> install properly. But instead I got the following error message:
>
> Package failed to install:
> Error while installing package: trying to overwrite '/usr/lib/x86_64-linux-gnu/libodbcinst.so.2.0.0', which is also in package libodbcinst2

Do you use the Microsoft ODBC driver for SQL Server by any chance?

This bug has been reported a few times in recent months. In each case,
the submitter is trying to install unixodbc packages from Microsoft's
repository instead of Debian's repository.

The Microsoft packages contain a few different files, making them
incompatible with the Debian versions.

In any case, I spun up a VM with Debian Stable and had no problems
installing odbcinst1debian2 and libodbcinst2.



Bug#1053697: ITP: rsgain -- ReplayGain 2.0 loudness normalizer

2023-10-08 Thread Hugh McMaster
Package: wnpp
Severity: wishlist
Owner: Hugh McMaster 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: rsgain
  Version : 3.4
  Upstream Contact: complexlogic
* URL : https://github.com/complexlogic/rsgain
* License : BSD-2-Clause, BSD-3-Clause
  Programming Lang: C++
  Description : ReplayGain 2.0 loudness normalizer

rsgain (really simple gain) is a loudness normalizer that scans digital
audio streams and calculates loudness-normalized gain and loudness peak
values according to the EBU R128/ITU-R BS.1770 standard (-18 LUFS).

rsgain applies ReplayGain 2.0 loudness metadata tags to audio and video files
but does not modify the audio stream.

rsgain supports the AIFF, FLAC, APE, MP2, MP3, M4A, Musepack, Ogg, Opus, TAK,
WAV, WavPack and WMA audio formats. Video files with compatible audio streams
are also supported.

rsgain comes with several scan presets based on the default, EBU R128 and
legacy 'loudgain' scan settings.



Bug#1051150: RFS: blender-doc/3.6-1 [ITP] -- Blender Manual by the Blender Foundation

2023-10-04 Thread Hugh McMaster
Hi Jonathan,

Thanks for your work on this package. Just two more things to do.

On Tue, 3 Oct 2023 at 05:53, Jonathan Rubenstein wrote:
>
> Hey, I've implemented the requested changes, again with some
> questions/exceptions.
>
> > * Not all files in tools*/* are explicitly marked Apache-2.0, but
> > given most are, I think it's okay to assume that. In any case, the
> > attributable copyright is the same as for the main package.
>
> Not sure if this is asking for any particular action or just a comment
> on the situation.

That was just a comment.

1. Add a debian/README.source file and add a comment that says package
builders must install the package git-lfs before cloning upstream's
git repository.
2. Run `dch -r` to update the timestamp in d/changelog.

Once both of those items are done, please upload the final version to
Debian Mentors, and we should be good to go.

Hugh



Bug#1053217: bookworm-pu: package freetype/2.12.1+dfsg-5+deb12u2

2023-09-29 Thread Hugh McMaster
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: freet...@packages.debian.org
Control: affects -1 + src:freetype

[ Reason ]
This upload reverts a patch in FreeType 2.12+dfsg-5+deb12u1 that intended to
disable the experimental COLRv1 API but instead caused Chromium to segfault on
start-up.

A fix to the patch has been identified and verified but is out of scope due to
the timing of Debian 12.2.

[ Impact ]
Chromium will segfault on start-up, rendering the browser unusable.

[ Risks ]
None. This version disables the problematic patch, so Chromium starts as
expected.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
One-line patch to disable the problematic patch at build time.
diff -Nru freetype-2.12.1+dfsg/debian/changelog 
freetype-2.12.1+dfsg/debian/changelog
--- freetype-2.12.1+dfsg/debian/changelog   2023-09-25 19:45:10.0 
+1000
+++ freetype-2.12.1+dfsg/debian/changelog   2023-09-29 22:27:32.0 
+1000
@@ -1,3 +1,10 @@
+freetype (2.12.1+dfsg-5+deb12u2) bookworm; urgency=high
+
+  * debian/patches: Temporarily revert disable_COLRv1.patch to allow
+Chromium to start (Closes: #1053142).
+
+ -- Hugh McMaster   Fri, 29 Sep 2023 22:27:32 +1000
+
 freetype (2.12.1+dfsg-5+deb12u1) bookworm; urgency=medium
 
   * debian/patches: Disable COLRv1 support, which was unintentionally enabled
diff -Nru freetype-2.12.1+dfsg/debian/patches/series 
freetype-2.12.1+dfsg/debian/patches/series
--- freetype-2.12.1+dfsg/debian/patches/series  2023-09-25 19:45:10.0 
+1000
+++ freetype-2.12.1+dfsg/debian/patches/series  2023-09-29 22:02:16.0 
+1000
@@ -6,4 +6,4 @@
 fix-wild-free-svg.patch
 hardening.patch
 CVE-2023-2004.patch
-disable_COLRv1.patch
+#disable_COLRv1.patch
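Review bot: The `#disable_COLRv1.patch` line in debian/patches/series turns the entry into a comment but records no reason, so the patch file stays in debian/patches looking ready to be switched back on. Add a comment line above it that names the bug (#1053142) and says the patch should only return together with the identified fix, so a later upload does not simply strip the `#`.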

Bug#1053142: freetype proposed update breaks chromium

2023-09-29 Thread Hugh McMaster
Control: reassign 1053142 libfreetype6 2.12.1+dfsg-5+deb12u1

On Fri, 29 Sep 2023 10:37:22 +0200 Cord Beermann wrote:
> Hi,
>
> just wanted to give you a heads up on
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053142
>
> For me all chromium-Packages on stable die with a Segmentation Fault when
> libfreetype6 2.12.1+dfsg-5+deb12u1 is installed.
>
> Downgrading libfreetype6 to 2.12.1+dfsg-5 fixes it again.
>
> tested with chromium 114.0.5735.198-1~deb12u1, 116.0.5845.180-1~deb12u1,
> 117.0.5938.62-1~deb12u1
>
> Cord

Thanks. This is due to a bug in Chromium and a bug in FreeType.

I'm reverting the recent patch to FreeType to get Chromium going
again. The correct fix for FreeType has also been tested and verified,
and will be considered for bookworm after this weekend's 12.2 point
release.

Hugh



Bug#1052455: RE: freetype 2.12.1+dfsg-5+deb12u1 makes chromium segfault at startup

2023-09-28 Thread Hugh McMaster
On Thu, 28 Sep 2023 at 21:44, Hugh McMaster wrote:

> Hi Andres,
>
> On Thu, 28 Sept 2023 at 18:49, Andres Salomon wrote:
> >
> > Control: affects -1 chromium
> >
> >
> > On Thu, 28 Sep 2023 01:24:00 +0900 SuperCat wrote:
> > > Hi,
> > >
> > > In chromium source code, function SkScalerContext::GlyphMetrics
> > > SkScalerContext_FreeType::generateMetrics() will call
> > > FT_Get_Color_Glyph_Paint() if macro TT_SUPPORT_COLRV1 exists. Somehow
> > > FT_Get_Color_Glyph_Paint will be a NULL pointer if this patch applied,
> > > and chromium will not be able to run.
> >
> >
> > This smells like an ABI change that doesn't really seem appropriate for
> > a point release update. I can patch TT_SUPPORT_COLRV1 out of bookworm's
> > Chromium, but I wonder if any other packages are using it on bookworm?
> >
> > For the record, Skia has the following code:
> >
> > #ifdef TT_SUPPORT_COLRV1
> >
> > // So undefine TT_SUPPORT_COLRV1 before 2.11.1 but not if FT_STATIC_CAST is defined.
> > #if (((FREETYPE_MAJOR)  < 2) || \
> >  ((FREETYPE_MAJOR) == 2 && (FREETYPE_MINOR)  < 11) || \
> >  ((FREETYPE_MAJOR) == 2 && (FREETYPE_MINOR) == 11 && (FREETYPE_PATCH) < 1)) && \
> > !defined(FT_STATIC_CAST)
> > #undef TT_SUPPORT_COLRV1
> >
> >
> > So on bullseye (with freetype 2.10) it doesn't try to use COLRV1. On sid
> > (with freetype 2.13) it will use COLRV1. If freetype's COLRV1 is going to
> > remain disabled on bookworm via the proposed-update (with chromium being
> > the only broken package), then I'll probably just bump that version check
> > to only allow TT_SUPPORT_COLRV1 with FREETYPE_MINOR >= 13.
>
> FreeType 2.12.1 was released with experimental COLRv1 support enabled.
> This was unintentional, as the implementation shipped in this release
> was incomplete and incompatible with the final COLRv1 API.
>
> Upstream's intention was to enable COLRv1 support in FreeType 2.13.0,
> which has a stable and complete COLRv1 API.
>
> I'm surprised Chromium actually used an experimental API, although
> this version check copied above seems like a bug.
>
> Grepping for TT_SUPPORT_COLRV1 yields a small number of packages.
> firefox*, godot and paraview are fine. Most of the openjdk-* packages
> aren't in bookworm.


After discussing the timing of Debian 12.2 with a release manager, I’ll
revert the change shortly.

Hugh



Bug#1051150: RFS: blender-doc/3.6-1 [ITP] -- Blender Manual by the Blender Foundation

2023-09-28 Thread Hugh McMaster
Hi Jonathan,

On Wed, 27 Sept 2023 at 05:48, Jonathan Rubenstein wrote:
>
> Control: tags -1 - moreinfo
>
> Hey, I have completed the requested changes with a few exceptions.

Nice work. We're almost there.

d/copyright:
* Please update your explanatory comment to the following:

Comment: A cursory search will find many ":License: GPL" lines in these files.
 Those ":License: GPL" lines are part of a template describing other software
 that is GPL-licensed but not included in this package. The file containing
 the template (and the template itself) is licensed as CC-BY-SA-4.0.

* Email addresses are optional in Files stanzas. I don't include them
because I find they add clutter, but it's a personal choice.
* Not all files in tools*/* are explicitly marked Apache-2.0, but
given most are, I think it's okay to assume that. In any case, the
attributable copyright is the same as for the main package.

d/control:
* Remove versioned dependency from libjs-mathjax.

d/rules:
* In override_dh_auto_build, the `export` command should only appear
once, and only at the start of the line.

d/source/overrides:
* I see you added an override for
'very-long-line-length-in-source-file' in
'resources/templates/footer.html'. Lintian also emits the tag for a
lot of .webp graphics files, so let's take care of them all with one
global override. Please change your source overrides to the following:

# This may appear to be a binary file to lintian, but it's not
source-is-missing [resources/templates/footer.html]

# WebP graphics files; resources/templates/footer.html
very-long-line-length-in-source-file



Bug#1052455: RE: freetype 2.12.1+dfsg-5+deb12u1 makes chromium segfault at startup

2023-09-28 Thread Hugh McMaster
Hi Andres,

On Thu, 28 Sept 2023 at 18:49, Andres Salomon wrote:
>
> Control: affects -1 chromium
>
>
> On Thu, 28 Sep 2023 01:24:00 +0900 SuperCat wrote:
> > Hi,
> >
> > In chromium source code, function SkScalerContext::GlyphMetrics
> > SkScalerContext_FreeType::generateMetrics() will call
> > FT_Get_Color_Glyph_Paint() if macro TT_SUPPORT_COLRV1 exists. Somehow
> > FT_Get_Color_Glyph_Paint will be a NULL pointer if this patch applied, and
> > chromium will not be able to run.
>
>
> This smells like an ABI change that doesn't really seem appropriate for a 
> point release update. I can patch TT_SUPPORT_COLRV1 out of bookworm's 
> Chromium, but I wonder if any other packages are using it on bookworm?
>
> For the record, Skia has the following code:
>
> #ifdef TT_SUPPORT_COLRV1
>
> // So undefine TT_SUPPORT_COLRV1 before 2.11.1 but not if FT_STATIC_CAST is defined.
> #if (((FREETYPE_MAJOR)  < 2) || \
>  ((FREETYPE_MAJOR) == 2 && (FREETYPE_MINOR)  < 11) || \
>  ((FREETYPE_MAJOR) == 2 && (FREETYPE_MINOR) == 11 && (FREETYPE_PATCH) < 1)) && \
> !defined(FT_STATIC_CAST)
> #undef TT_SUPPORT_COLRV1
>
>
> So on bullseye (with freetype 2.10) it doesn't try to use COLRV1. On sid 
> (with freetype 2.13) it will use COLRV1. If freetype's COLRV1 is going to 
> remain disabled on bookworm via the proposed-update (with chromium being the 
> only broken package), then I'll probably just bump that version check to only 
> allow TT_SUPPORT_COLRV1 with FREETYPE_MINOR >= 13.

FreeType 2.12.1 was released with experimental COLRv1 support enabled.
This was unintentional, as the implementation shipped in this release
was incomplete and incompatible with the final COLRv1 API.

Upstream's intention was to enable COLRv1 support in FreeType 2.13.0,
which has a stable and complete COLRv1 API.

I'm surprised Chromium actually used an experimental API, although
this version check copied above seems like a bug.

Grepping for TT_SUPPORT_COLRV1 yields a small number of packages.
firefox*, godot and paraview are fine. Most of the openjdk-* packages
aren't in bookworm.



Bug#1052455: bookworm-pu: package freetype/2.12.1+dfsg-5+deb12u1

2023-09-24 Thread Hugh McMaster
Control: tags -1 -moreinfo

Hi Adam,

On Sun, 24 Sept 2023 at 05:53, Adam D. Barratt wrote:
>
> Control: tags -1 moreinfo
>
> On Fri, 2023-09-22 at 22:16 +1000, Hugh McMaster wrote:
> > FreeType 2.12.1 shipped with experimental COLRv1 support enabled.
> > This was
> > unintentional, as the implementation shipped in this release was
> > incomplete and
> > incompatible with the final COLRv1 API.
> >
> > Upstream's intention was to enable COLRv1 support in FreeType 2.13.0.
> >
> > Applications attempting to use the partial COLRv1 API in FreeType
> > 2.12.1 will
> > get unexpected (and incorrect) results.
> >
>
> Do we know if any applications shipped in bookworm attempt to use this
> partial API? If so, do we know how they'll handle the change?

The API function call appears in several packages that include
internal copies of FreeType: openjdk-{11, 19, 20} and godot
3.5.2-stable-2. However, none of them call PUT_COLOR_LAYERS_V1() to
access the API.

I doubt many people know the COLRv1 API is in FreeType 2.12.1, as the
API is not mentioned in the release notes for that version. In saying
that, upstream recommends disabling the COLRv1 API.



Bug#1052455: bookworm-pu: package freetype/2.12.1+dfsg-5+deb12u1

2023-09-22 Thread Hugh McMaster
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: freet...@packages.debian.org
Control: affects -1 + src:freetype

[ Reason ]
FreeType 2.12.1 shipped with experimental COLRv1 support enabled. This was
unintentional, as the implementation shipped in this release was incomplete and
incompatible with the final COLRv1 API.

Upstream's intention was to enable COLRv1 support in FreeType 2.13.0.

Applications attempting to use the partial COLRv1 API in FreeType 2.12.1 will
get unexpected (and incorrect) results.

FreeType 2.12.1 is the only version affected.

The patch included in this stable-p-u upload effectively disables COLRv1
support by making the public methods consistently return failure instead of
attempting to parse a format somewhat different from the final specification.

[ Impact ]
Applications attempting to use the partial COLRv1 API implementation in
FreeType 2.12.1 will get unexpected (and incorrect) results.

[ Risks ]
The patch is trivial. Calls to the public COLRv1-related methods consistently
fail, which is expected behaviour with the patch applied.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Other info ]
I realise this isn't a 'standard' special case, as described in Section 5.5.1
of the Developer's Reference [0]. For instance, the bug doesn't impact
unstable, as it's not an issue in that more recent version. However, due to the
significant differences in API behaviour between this partial version and the
final specification, it is important to disable the partial COLRv1 support,
which was never supposed to be enabled.

I'm seeking your approval to make the upload to stable-p-u.

[0] https://www.debian.org/doc/manuals/developers-reference/pkgs.html#special-case-uploads-to-the-stable-and-oldstable-distributions
diff -Nru freetype-2.12.1+dfsg/debian/changelog 
freetype-2.12.1+dfsg/debian/changelog
--- freetype-2.12.1+dfsg/debian/changelog   2023-04-20 21:08:03.0 
+1000
+++ freetype-2.12.1+dfsg/debian/changelog   2023-09-22 21:48:19.0 
+1000
@@ -1,3 +1,10 @@
+freetype (2.12.1+dfsg-5+deb12u1) bookworm; urgency=medium
+
+  * debian/patches: Disable COLRv1 support, which was unintentionally enabled
+by upstream in this version of FreeType (Closes: #1051816). 
+
+ -- Hugh McMaster   Fri, 22 Sep 2023 21:48:19 +1000
+
 freetype (2.12.1+dfsg-5) unstable; urgency=medium
 
   * debian/patches: Add a patch to fix CVE-2023-2004 (Closes: #1034612).
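Review bot: The added changelog line ending `(Closes: #1051816). ` carries a trailing space; drop it. The entry also says only that COLRv1 support is disabled, and naming the mechanism (the `PUT_COLOR_LAYERS_V1` macro now yields NULL) would help whoever reviews the point-release upload.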
diff -Nru freetype-2.12.1+dfsg/debian/patches/disable_COLRv1.patch 
freetype-2.12.1+dfsg/debian/patches/disable_COLRv1.patch
--- freetype-2.12.1+dfsg/debian/patches/disable_COLRv1.patch1970-01-01 
10:00:00.0 +1000
+++ freetype-2.12.1+dfsg/debian/patches/disable_COLRv1.patch2023-09-22 
21:42:32.0 +1000
@@ -0,0 +1,22 @@
+Description: Disable COLRv1 support in FreeType 2.12.1.
+ FreeType 2.12.1 shipped with COLRv1 support enabled. This was unintentional,
+ as the partial implementation shipped is incomplete and incompatible with
+ the final COLRv1 API.
+ .
+ Applications attempting to use this version of the COLRv1 API will get
+ unexpected (and incorrect) results.
+Author: Hugh McMaster 
+Bug-Debian: https://bugs.debian.org/1051816
+Last-Update: 2023-09-22
+
+--- a/src/sfnt/sfdriver.c
 b/src/sfnt/sfdriver.c
+@@ -1220,7 +1220,7 @@
+ #define PUT_SVG_SUPPORT( a )  NULL
+ #endif
+ 
+-#define PUT_COLOR_LAYERS_V1( a )  PUT_COLOR_LAYERS( a )
++#define PUT_COLOR_LAYERS_V1( a )  NULL
+ 
+ #ifdef TT_CONFIG_OPTION_POSTSCRIPT_NAMES
+ #define PUT_PS_NAMES( a )  a
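Review bot: In the `PUT_COLOR_LAYERS_V1` change the macro now expands to `NULL`, so every service-table slot filled through it becomes a null function pointer, and the patch Description does not say how callers are expected to see that. The request text says the public methods then "consistently return failure", which only holds if each public entry point tests its own slot before calling through it; state in the Description that this was checked for every slot the macro populates. The hunk touches only src/sfnt/sfdriver.c and leaves the public headers as they are, so code that selects its COLRv1 path at build time still compiles that path, which is worth noting there as well.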
diff -Nru freetype-2.12.1+dfsg/debian/patches/series 
freetype-2.12.1+dfsg/debian/patches/series
--- freetype-2.12.1+dfsg/debian/patches/series  2023-04-20 21:08:03.0 
+1000
+++ freetype-2.12.1+dfsg/debian/patches/series  2023-09-22 21:34:52.0 
+1000
@@ -6,3 +6,4 @@
 fix-wild-free-svg.patch
 hardening.patch
 CVE-2023-2004.patch
+disable_COLRv1.patch


Bug#1051150: RFS: blender-doc/3.6-1 [ITP] -- Blender Manual by the Blender Foundation

2023-09-21 Thread Hugh McMaster
Control: tags -1 moreinfo

Hi Jonathan,

On Sun, 3 Sep 2023 17:51:51 +0300 Jonathan Rubenstein wrote:
> Package: sponsorship-requests
> Severity: wishlist
>
> Dear mentors,
>
> I am looking for a sponsor for my package "blender-doc":
>
>   * Package name : blender-doc
> Version  : 3.6-1
> Upstream contact : Blender Documentation Team 
>   * URL  : https://docs.blender.org/manual/
>   * License  : Apache-2.0, GPL-2.0-or-later, MIT, CC-BY-SA-4.0
>   * Vcs  : https://salsa.debian.org/JJRcop/blender-doc
> Section  : doc

For your first package, this is great. Now, let's make it even better. :)

d/copyright:
* Please restructure this file so your licence stanzas are at the
bottom. The order of stanzas is header, files, licences.
* Please start filenames/paths and copyright information directly
after the field name, so:
Files: XXX
Copyright: XX. Multiple lines can be aligned with spaces.
* You are missing several files that are GPL-licensed. I saw them in
the Add-ons section. Please check every file in the source package
carefully.
* You need to add a copyright stanza for debian/*, attributed to you.
GPL-2.0-or-later is often a good choice here, but it's your decision.

d/control:
* You don't need to specify versions for your (build-)dependencies, as
we're targeting sid/unstable. The exception is debhelper-compat, which
does need to be versioned (= 13).
* In the short and (long) binary package description, please indicate
the manual is in HTML format.

d/rules:
* Please combine your dh_auto_build overrides and exports into a single recipe:

override_dh_auto_build:
	export http_proxy=127.0.0.1:9 https_proxy=127.0.0.1:9 PYTHONPATH=.
	dh_auto_build -- html

* To disable the dh_auto_tests, add `export DEB_BUILD_OPTIONS +=
nocheck` to the top of d/rules and remove the override.
* Please add a line break between each target.

d/upstream/metadata
* Please add the Bug-Database, Bug-Submit and Changelog fields as
flagged by Lintian.

d/source/overrides
* While the line in footer.html is very long, it is not a binary. It's
actually a hyperlink that creates a new bug report upstream.
Please also override the very-long-line-length-in-source-file tag
(refer to your blender-doc mentors page to see what I mean).

d/blender-doc.doc-base:
* Is there a reason you've limited the line length to ~40 characters?
You can go up to 79, although you probably want less so the lines look
more balanced.

d/blender-doc.install:
* Install paths don't need a forward slash (/usr -> usr). You can also
simplify the line to:
build/html usr/share/doc/blender-doc

* Please run Lintian using `lintian -EviI *amd64.changes` and review the output.
  + Lintian identified some image files that have a .jpg extension
but according to `file` are actually PNG files. You might want to
raise this discrepancy with upstream.
  + Lintian also identified file-references-package-build-path when
blender-doc is built via sbuild. This could be another upstream bug.



Once you've addressed all of the points above, please remove the
'moreinfo' tag and I'll have another look. It might take me a few days
to get back to you once you've done that.

Hugh



Bug#1051779: ITP: docopt-ng -- command-line arguments parser (python3)

2023-09-12 Thread Hugh McMaster
Package: wnpp
Severity: wishlist
Owner: Hugh McMaster 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: docopt-ng
  Version : 0.9.0
  Upstream Contact: Nick Crews 
* URL : https://jazzband.co/projects/docopt-ng
* License : MIT
  Programming Lang: Python
  Description : command-line arguments parser (python3)

docopt-ng is a fork of the original docopt, which helps users
create beautiful command-line interfaces.
.
docopt-ng parses a command-line string and ensures that all options,
arguments and commands match the usage patterns and option descriptions
specified in a Python program's docstring.
.
Users can define valid usage patterns, option descriptions, arguments and
commands using patterns and syntax familiar to users of command-line programs.
.
This is the Python 3-compatible version of the package.


The original docopt project has not been updated for many years.
docopt-ng is maintained by the jazzband project and comes with
maintenance, typehints, and complete test coverage.



Bug#1016703: mkdocs-material: Please package recent version

2023-09-07 Thread Hugh McMaster
Hi Sandro,

On Fri, 05 Aug 2022 20:06:20 +0200 Carsten Schoenert wrote:
> Package: mkdocs-material
> Version: 8.2.5-1
> Severity: wishlist
>
> Hello Sandro,
>
> could you please consider to package the recent upstream version of
> mkdocs-material?
>
> Could you also please (re)close the issue #1008691 by the newer version
> within the new changelog entry?
>
> As Paul Grevers explained to me has the BTS a problem if a bug report
> has the same version marked fixes as the report has been open against before.
> That's currently the reason the package isn't migrating to testing.

Do you need any help with packaging and/or maintaining mkdocs-material?

The latest upstream version builds on Debian once several more b-deps
are added, and python3-setuptools is replaced by
pybuild-plugin-pyproject.

If you don't have time, I'm happy to take care of the upload.

Kind regards,

Hugh



Bug#1025568: gparted: diff for NMU version 1.3.1-1.1

2023-08-21 Thread Hugh McMaster
On Tue, 22 Aug 2023 at 05:26, Phillip Susi wrote:
>
> I have an upload of 1.5 pending my sorting my gpg key out again.  Could
> you submit any changes as a PR on salsa?  I think I saw someone had done
> that for some minor issues ( was that you? ) but the CI failed.

The only change in the NMU was switching (build-)dependencies from
policykit-1 to pkexec. I can see that you've now committed that change
to the salsa repository, along with some other changes.

I didn't see a need to build-depend on libpolkit-gobject-1-dev, but
I'm not overly familiar with gparted's requirements.

Please let me know if I should submit a PR for the NMU on salsa
(noting you'd have to update the changelog to account for your recent
changes), or whether I should cancel the upload.



Bug#1025568: gparted: diff for NMU version 1.3.1-1.1

2023-08-21 Thread Hugh McMaster
Control: tags 1025568 + patch
Control: tags 1025568 + pending

Dear maintainer,

I've prepared an NMU for gparted (versioned as 1.3.1-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,

Hugh
diff -Nru gparted-1.3.1/debian/changelog gparted-1.3.1/debian/changelog
--- gparted-1.3.1/debian/changelog	2022-01-13 03:23:19.0 +1100
+++ gparted-1.3.1/debian/changelog	2023-08-21 21:32:58.0 +1000
@@ -1,3 +1,10 @@
+gparted (1.3.1-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/control: Replace policykit-1 with pkexec (Closes: #1025568).
+
+ -- Hugh McMaster   Mon, 21 Aug 2023 21:32:58 +1000
+
 gparted (1.3.1-1) unstable; urgency=medium
 
   * New upstream version 1.3.1
diff -Nru gparted-1.3.1/debian/control gparted-1.3.1/debian/control
--- gparted-1.3.1/debian/control	2022-01-13 02:52:18.0 +1100
+++ gparted-1.3.1/debian/control	2023-08-21 21:31:52.0 +1000
@@ -7,8 +7,8 @@
  libgtkmm-3.0-dev,
  libparted-dev (>= 2.22),
  parted,
+ pkexec,
  pkg-config,
- policykit-1,
  uuid-dev,
  yelp-tools
 Standards-Version: 4.5.0
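
Review bot: the Build-Depends swap at `+ pkexec,` needs a word of justification in the changelog entry. If the build only probes for a privilege-escalation helper at configure time, say so; if nothing at build time uses it, drop the build dependency rather than renaming it and keep only the runtime Depends.
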
@@ -19,7 +19,7 @@
 Package: gparted
 Architecture: any
 Depends: ${misc:Depends}, ${shlibs:Depends},
- gparted-common (= ${source:Version}), policykit-1
+ gparted-common (= ${source:Version}), pkexec
 Breaks: udisks2 (<< 2.1.5), gparted-common (= 1.0.0-0.1)
 Replaces: gparted-common (= 1.0.0-0.1)
 Suggests:


Bug#1039052: nmu: tclodbc_2.5.1-2+b1

2023-06-25 Thread Hugh McMaster
Control: tags -1 - moreinfo

Hi Sebastian,

On Sun, 25 Jun 2023 at 20:01, Sebastian Ramacher wrote:
>
> Control: tags -1 moreinfo
>
> Hi
>
> On 2023-06-25 16:14:39 +1000, Hugh McMaster wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: binnmu
> > X-Debbugs-Cc: tclo...@packages.debian.org
> > Control: affects -1 + src:tclodbc
> >
> > nmu tclodbc_2.5.1-2+b1 . ANY . unstable . -m "Rebuild against libodbc2 and
> > libodbcinst2."
>
> Why is that necessary?

I recently dropped the transitional packages libodbc1 and
odbcinst1debian2 from unixodbc.

Due to its age, the most recent version of tclodbc still depends on
libodbc1 and libodbcinst1 (from odbcinst1debian2). All other packages
have moved to libodbc2 and libodbcinst2.

A binNMU of tclodbc links against the newer libodbc2 and libodbcinst2
libraries with no build issues.

Hugh



Bug#1039052: nmu: tclodbc_2.5.1-2+b1

2023-06-25 Thread Hugh McMaster
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu
X-Debbugs-Cc: tclo...@packages.debian.org
Control: affects -1 + src:tclodbc

nmu tclodbc_2.5.1-2+b1 . ANY . unstable . -m "Rebuild against libodbc2 and
libodbcinst2."



Bug#1038235: please drop transitional package libfreetype6-dev from src:freetype

2023-06-17 Thread Hugh McMaster
Hi Holger,

On Sat, 17 Jun 2023 at 04:00, Holger Levsen wrote:
>
> Package: libfreetype6-dev
> Version: 2.12.1+dfsg-5
> Severity: normal
> user: qa.debian@packages.debian.org
> usertags: transitional
>
> Please drop the transitional package libfreetype6-dev (from the source package
> freetype) for trixie, as it has been released with bullseye and bookworm
> already.
>
>
> Description: FreeType 2 font engine, development files (transitional package)
> Package: libfreetype6-dev
> Version: 2.12.1+dfsg-5
>
> Thanks for maintaining freetype!

Great timing! Upstream released FreeType 2.13.0 during the freeze, and
I plan on uploading this new version soon.

`reverse-depends -b libfreetype6-dev` yields more than 200 r-b-deps on
libfreetype6-dev.

What is the recommended way to notify package maintainers that I am
dropping libfreetype6-dev? A mass bug filing?

Hugh



Bug#1038122: cp: cannot stat '/tmp/odbcinst.ini.bak'

2023-06-15 Thread Hugh McMaster
Hi Simon and Alan,

On Fri, 16 Jun 2023 at 09:24, Simon McVittie wrote:
>
> Control: severity -1 serious
> Control: block 1038041 by -1
>
> On Fri, 16 Jun 2023 at 03:49:12 +0930, Arthur Marsh wrote:
> > Attempting to upgrade odbc related packages from 2.3.11-2 to 2.3.11-3
>
> > Setting up unixodbc-common (2.3.11-3) ...
> > cp: cannot stat '/tmp/odbcinst.ini.bak': No such file or directory
> > dpkg: error processing package unixodbc-common (--configure):
> >  installed unixodbc-common package post-installation script subprocess 
> > returned error exit status 1
>
> Here's a repeatable reproducer for this bug:
>
> $ podman run --rm -it debian:sid # not sid-slim to avoid #1038067
> # apt update
> # apt upgrade
> # apt install unixodbc-common
> # rm /etc/odbcinst.ini
> # apt install --reinstall unixodbc-common
> ...
> Unpacking unixodbc-common (2.3.11-3) over (2.3.11-3) ...
> Setting up unixodbc-common (2.3.11-3) ...
> cp: cannot stat '/tmp/odbcinst.ini.bak': No such file or directory
>
> I don't actively use this package (it's installed as a dependency) so
> I haven't *intentionally* modified or deleted /etc/odbcinst.ini, but it
> wasn't present on my laptop for whatever reason, causing this failure
> mode during upgrades. Deleting configuration files is usually treated
> as an intentional sysadmin change that should be preserved.

/etc/odbcinst.ini should definitely be created during postinst if not
already present.

In this case, the log should show an error on preinst as well.

> I think the regression of failing to upgrade is a considerably worse
> bug than the old conffile record still being present in dpkg's database
> (#1009152). Is there a user-visible impact of #1009152 that makes it worth
> having this extra complexity? I'm not at all sure that
> https://bugs.debian.org/1009152#15 is the
> right thing to be doing here.

I tested multiple new install and upgrade scenarios, although it seems
likely I didn't test this particular scenario.

There is no user impact, other than a slightly non-clean system.

rm_conffile renames the conffile to conffile.dpkg-bak, which is only
deleted during package purge.

I'm now thinking a much better approach is to test for the presence of
the backup file during postinst and copy it back as /etc/odbcinst.ini.

That would greatly simplify things and avoid any breakage that we are
seeing now. I'll test this thoroughly, of course.

> Not *directly* related to the failure to upgrade, but I'm also
> concerned by this package using a fixed filename in /tmp to save and
> restore a root-owned configuration file. /tmp is world-writeable, so
> the worst-case assumption needs to be that a malicious local user has
> created /tmp/odbcinst.ini.bak with crafted contents (maybe as a directory,
> or a symlink to a location of their choice, or as a hard link). If so,
> then I'm worried that there might be something they can do to cause a
> denial of service, or worse, overwrite something (/etc/odbcinst.ini or
> otherwise) with attacker-controlled contents. If this tricky save/restore
> transaction is needed, it would be safer to use a root-owned location
> in /etc or /var that is namespaced appropriately for the package, for
> example perhaps "/etc/odbcinst.ini.maintscript-temp" analogous to dpkg's
> .dpkg-old and so on.

Yes, mktemp or tempdir would be more appropriate, although retrieving
the path in a different script is not so easy.
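
The save/restore step discussed in this message, as an added example that is not the unixodbc maintainer scripts: the backup sits beside the configuration file in a root-owned directory instead of under a fixed name in /tmp, a missing backup is not an error, and a backup that is not a regular file is refused. The function names and the scratch directory used by `demo` are assumptions; the `.maintscript-temp` suffix is the one suggested in the quoted text.

```shell
#!/bin/sh
# Added example: keep a copy of a root-owned config file across an upgrade
# without a predictable path in a world-writable directory.

# save_conf CONF BACKUP   (what a preinst would call; BACKUP is beside CONF)
save_conf() {
    s_conf=$1
    s_bak=$2
    # Nothing to save: the admin removed the file, or it never existed.
    [ -e "$s_conf" ] || [ -L "$s_conf" ] || return 0
    # Only a plain file is copied; a symlink or directory is left alone.
    if [ -L "$s_conf" ] || [ ! -f "$s_conf" ]; then
        echo "save_conf: $s_conf is not a regular file, not saved" >&2
        return 0
    fi
    # Discard a stale backup. rm removes a symlink itself, never its target,
    # and fails on a directory, which stops the save.
    if [ -e "$s_bak" ] || [ -L "$s_bak" ]; then
        rm -f -- "$s_bak" || return 1
    fi
    # Stage under an unpredictable name in the same directory, then rename,
    # so the backup is either complete or absent.
    s_tmp=$(mktemp "$s_bak.XXXXXX") || return 1
    if cp -p -- "$s_conf" "$s_tmp" && mv -f -- "$s_tmp" "$s_bak"; then
        return 0
    fi
    rm -f -- "$s_tmp"
    return 1
}

# restore_conf CONF BACKUP   (what a postinst would call)
restore_conf() {
    r_conf=$1
    r_bak=$2
    # No backup is normal for a reinstall or a deleted config file and
    # must not abort the upgrade.
    [ -e "$r_bak" ] || [ -L "$r_bak" ] || return 0
    if [ -L "$r_bak" ] || [ ! -f "$r_bak" ]; then
        echo "restore_conf: $r_bak is not a regular file, refusing" >&2
        return 1
    fi
    # Same directory, so this is a rename and the backup is consumed.
    mv -f -- "$r_bak" "$r_conf"
}

# Exercise the three cases in a scratch directory (paths are constructed).
demo() {
    box=$(mktemp -d) || return 1
    mkdir "$box/etc"
    d_conf="$box/etc/odbcinst.ini"
    d_bak="$d_conf.maintscript-temp"

    # Upgrade with a locally edited file (contents constructed for the demo).
    printf '[Example Driver]\nDescription=constructed\n' > "$d_conf"
    save_conf "$d_conf" "$d_bak"
    rm -f -- "$d_conf"    # stands in for the conffile being moved away
    restore_conf "$d_conf" "$d_bak" && echo "edited file: restored"

    # Reinstall after the admin deleted the file: nothing saved, no error.
    rm -f -- "$d_conf"
    save_conf "$d_conf" "$d_bak"
    restore_conf "$d_conf" "$d_bak" && echo "deleted file: upgrade continues"

    # A backup that turns out to be a symlink is refused, not copied.
    ln -s "$box/elsewhere" "$d_bak"
    restore_conf "$d_conf" "$d_bak" || echo "symlink backup: refused"

    rm -rf -- "$box"
}

demo
```

The type checks are defence in depth; the protection comes from the backup living in a directory only root can write to.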



Bug#1038065: piuparts: Upgrades from lenny to bookworm fail

2023-06-15 Thread Hugh McMaster
Package: piuparts
Version: 1.1.7
Severity: normal

Dear Maintainer,

I am trying to test package upgrades from lenny to bookworm.

# piuparts --apt --allow-database --arch i386 --do-not-verify-signatures \
    --dpkg-noforce-unsafe-io --no-eatmydata \
    -m 'http://archive.debian.org/debian/ main' --no-check-valid-until \
    --scriptsdir /etc/piuparts/scripts \
    --scriptsdir /etc/piuparts/scripts-multi-distro-upgrade \
    -i /etc/shells --skip-logrotatefiles-test \
    --warn-on-leftovers-after-purge --warn-on-others \
    -d lenny -d wheezy -d squeeze libsqliteodbc

The above command fails on error:

2m23.0s DEBUG: Starting command: ['chroot', '/tmp/tmp1r56fnsn',
'tmp/scripts/pre_distupgrade_allow_unauthenticated']
2m23.0s DUMP:
  FAIL: /etc/apt/apt.conf.d/unauthenticated-lenny exists
2m23.0s ERROR: Command failed (status=1): ['chroot', '/tmp/tmp1r56fnsn',
'tmp/scripts/pre_distupgrade_allow_unauthenticated']
  FAIL: /etc/apt/apt.conf.d/unauthenticated-lenny exists

piuparts detects the existence of the 'unauthenticated-lenny' file and fails. I
can't seem to ignore the file with the -i option.


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-9-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages piuparts depends on:
ii  debootstrap  1.0.128+nmu2
ii  debsums  3.0.2.1
ii  libjs-sphinxdoc  5.3.0-4
ii  lsb-release  12.0-1
ii  lsof 4.95.0-1
ii  mount2.38.1-5+b1
ii  piuparts-common  1.1.7
ii  python3  3.11.2-1+b1
ii  python3-debian   0.1.49

Versions of packages piuparts recommends:
ii  adequate  0.15.7

Versions of packages piuparts suggests:
pn  docker.io  
ii  schroot1.6.13-3+b2

-- no debconf information



Bug#1038041: bookworm-pu: package unixodbc/2.3.11-2+deb12u1

2023-06-15 Thread Hugh McMaster
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: unixo...@packages.debian.org
Control: affects -1 + src:unixodbc

I'd like to fix two bugs in the stable version of unixodbc (2.3.11-2).

[ Reason ]
(1) Users who upgrade their system from old versions of Debian (e.g. Lenny,
Squeeze, Wheezy etc.) with odbcinst1debian1 installed are unable to upgrade to
bookworm due to a missing Breaks+Replaces against two binary packages.

Although odbcinst1debian1 hasn't existed for years, dpkg complains because
/etc/odbc.ini is also in unixodbc-common, and /usr/bin/odbcinst is also in
odbcinst.

(2) Due to an oversight on my part, the stable version of unixodbc-common has
an obsolete conffile.

[ Impact ]
(1) Users with odbcinst1debian1 installed cannot upgrade to bookworm without
removing the binary package (which really shouldn't be installed anyway). Note
that the number of users actually affected by this bug will be very small.

(2) No impact.

[ Tests ]
(1) Testing of staged upgrades with piuparts.

(2) Manual testing of package upgrades and purging with rm_conffile in relevant
maintscripts.

[ Risks ]
The changes are minimal and well tested.

[ Checklist ]
  [ x ] *all* changes are documented in the d/changelog
  [ x ] I reviewed all changes and I approve them
  [ x ] attach debdiff against the package in stable
  [ x ] the issue is verified as fixed in unstable
diff -Nru unixodbc-2.3.11/debian/changelog unixodbc-2.3.11/debian/changelog
--- unixodbc-2.3.11/debian/changelog2022-05-23 21:14:45.0 +1000
+++ unixodbc-2.3.11/debian/changelog2023-06-15 21:05:33.0 +1000
@@ -1,3 +1,11 @@
+unixodbc (2.3.11-2+deb12u1) bookworm; urgency=medium
+
+  * unixodbc-common, odbcinst: Add Breaks+Replaces against odbcinst1debian1
+  (Closes: #1037172).
+  * unixodbc-common: Remove obsolete conffile (Closes: #1009152).
+
+ -- Hugh McMaster   Thu, 15 Jun 2023 21:05:33 +1000
+
 unixodbc (2.3.11-2) unstable; urgency=medium
 
   * debian/control: Update Standards-Version to 4.6.1 (no changes needed).
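
Review bot: the #1009152 entry says only "Remove obsolete conffile", but this upload also adds a new preinst and a save/restore of /etc/odbcinst.ini in postinst. For a stable update, list those maintainer-script changes in the entry so the behaviour change is visible from the changelog alone.
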
diff -Nru unixodbc-2.3.11/debian/control unixodbc-2.3.11/debian/control
--- unixodbc-2.3.11/debian/control  2022-05-23 21:14:45.0 +1000
+++ unixodbc-2.3.11/debian/control  2023-06-15 19:50:03.0 +1000
@@ -88,6 +88,8 @@
 Multi-Arch: foreign
 Section: utils
 Depends: unixodbc-common (>= ${source:Version}), ${shlibs:Depends}, 
${misc:Depends}
+Replaces: odbcinst1debian1
+Breaks: odbcinst1debian1
 Description: Helper program for accessing ODBC configuration files
  UnixODBC is an implementation of the Open Database Connectivity standard,
  a database abstraction layer that allows applications to be used with
@@ -122,8 +124,8 @@
 Architecture: all
 Multi-Arch: foreign
 Depends: ${misc:Depends}
-Replaces: odbcinst (<< 2.3.9-1~), odbcinst1debian2 (<< 2.3.9-1~)
-Breaks: odbcinst (<< 2.3.9-1~), odbcinst1debian2 (<< 2.3.9-1~)
+Replaces: odbcinst (<< 2.3.9-1~), odbcinst1debian1, odbcinst1debian2 (<< 
2.3.9-1~)
+Breaks: odbcinst (<< 2.3.9-1~), odbcinst1debian1, odbcinst1debian2 (<< 
2.3.9-1~)
 Description: Common ODBC configuration files
  UnixODBC is an implementation of the Open Database Connectivity standard,
  a database abstraction layer that allows applications to be used with
diff -Nru unixodbc-2.3.11/debian/unixodbc-common.postinst 
unixodbc-2.3.11/debian/unixodbc-common.postinst
--- unixodbc-2.3.11/debian/unixodbc-common.postinst 2022-05-23 
21:06:12.0 +1000
+++ unixodbc-2.3.11/debian/unixodbc-common.postinst 2023-06-15 
20:00:39.0 +1000
@@ -6,4 +6,11 @@
 touch /etc/odbcinst.ini
 fi
 
+dpkg-maintscript-helper rm_conffile \
+/etc/odbcinst.ini 2.3.11-2+deb12u1~ unixodbc-common -- "$@"
+
+if [ "$1" = "configure" -o "$1" = "abort-upgrade" ] && [ -n "$2" ]; then
+cp -a /tmp/odbcinst.ini.bak /etc/odbcinst.ini
+fi
+
 #DEBHELPER#
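
Review bot: the added `cp -a /tmp/odbcinst.ini.bak /etc/odbcinst.ini` has no check that the backup exists. It runs on every configure with a previous version, while the preinst writes the backup only when `$1` is `upgrade` and /etc/odbcinst.ini is present, so a reinstall or an upgrade with the file absent makes cp fail, which is the failure reported in #1038122. Guard the copy with a test on the backup and remove the backup once restored. The `-o` inside `[ ]` is also better written as two tests joined with `||`.
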
diff -Nru unixodbc-2.3.11/debian/unixodbc-common.postrm 
unixodbc-2.3.11/debian/unixodbc-common.postrm
--- unixodbc-2.3.11/debian/unixodbc-common.postrm   2022-05-23 
21:06:12.0 +1000
+++ unixodbc-2.3.11/debian/unixodbc-common.postrm   2023-06-15 
20:00:34.0 +1000
@@ -6,4 +6,7 @@
 rm -f /etc/odbcinst.ini
 fi
 
+dpkg-maintscript-helper rm_conffile \
+/etc/odbcinst.ini 2.3.11-2+deb12u1~ unixodbc-common -- "$@"
+
 #DEBHELPER#
diff -Nru unixodbc-2.3.11/debian/unixodbc-common.preinst 
unixodbc-2.3.11/debian/unixodbc-common.preinst
--- unixodbc-2.3.11/debian/unixodbc-common.preinst  1970-01-01 
10:00:00.0 +1000
+++ unixodbc-2.3.11/debian/unixodbc-common.preinst  2023-06-15 
20:00:30.0 +1000
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = "upgrade" ] && [ -e /etc/odbcinst.ini ]; then
+cp -a /etc/odbcinst.ini /tmp/odbcinst.ini.bak
+fi
+
+dpkg-maintscript-helper rm_conffile \
+/etc/odbcinst.ini 2.3.11-2+deb12u1~ unixodbc-common -- "$@"
+
+#DEBHELPER#
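
Review bot: `/tmp/odbcinst.ini.bak` in the `cp -a` line is a fixed name in a world-writable directory, written as root. Any local user can create that path first, as a symlink, a directory or a file of their own, and the postinst later copies whatever is there over /etc/odbcinst.ini. Keep the copy in a root-owned location beside the conffile, for example a package-specific suffix on /etc/odbcinst.ini, so that no other user can influence either step.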


Bug#1037172: unixodbc-common,odbcinst: missing Breaks+Replaces: odbcinst1debian1

2023-06-07 Thread Hugh McMaster
Hi Andreas,

This is an unexpected bug report.

On Wed, 7 Jun 2023 at 09:39, Andreas Beckmann wrote:

> Package: unixodbc-common,odbcinst
> Version: 2.3.11-2
> Severity: serious
> User: debian...@lists.debian.org
> Usertags: piuparts
> Control: affects -1 + libsqliteodbc
>
> Hi,
>
> during a test with piuparts I noticed your package fails to upgrade from
> 'lenny' to 'squeeze' to 'wheezy' to 'jessie' to 'stretch' to 'buster' to
> 'bullseye' to 'bookworm'.
> It installed fine in 'lenny', and upgraded to 'squeeze', 'wheezy',
> 'jessie', 'stretch', 'buster', and 'bullseye' successfully,
> but then the upgrade to 'bookworm' failed.
>


Can I ask why you’re testing from Lenny?

And what piuparts command line are you using?


> In case the package was not part of an intermediate stable release,
> the version from the preceding stable release was kept installed.
>
> From the attached log (scroll to the bottom...):
>
> ...
>   Selecting previously unselected package unixodbc-common.
>   Preparing to unpack .../22-unixodbc-common_2.3.11-2_all.deb ...
>   Unpacking unixodbc-common (2.3.11-2) ...
>   dpkg: error processing archive
> /tmp/apt-dpkg-install-JsWDst/22-unixodbc-common_2.3.11-2_all.deb (--unpack):
>trying to overwrite '/etc/odbc.ini', which is also in package
> odbcinst1debian1 2.2.11-16
> ...
>   Selecting previously unselected package odbcinst.
>   Preparing to unpack .../25-odbcinst_2.3.11-2_amd64.deb ...
>   Unpacking odbcinst (2.3.11-2) ...
>   dpkg: error processing archive
> /tmp/apt-dpkg-install-JsWDst/25-odbcinst_2.3.11-2_amd64.deb (--unpack):
>trying to overwrite '/usr/bin/odbcinst', which is also in package
> odbcinst1debian1 2.2.11-16
> ...
>   Errors were encountered while processing:
>/tmp/apt-dpkg-install-JsWDst/22-unixodbc-common_2.3.11-2_all.deb
>/tmp/apt-dpkg-install-JsWDst/25-odbcinst_2.3.11-2_amd64.deb
>
> The mentioned Breaks+Replaces may have been there in the past,
> but on some upgrade paths originating in lenny the obsolete packages may
> have survived without being affected by B+R so far.
>
> (In the concrete case, libsqliteodbc/lenny had a dependency on
> odbcinst1debian1, libsqliteodbc/bookworm has a dependency on odbcinst
> while in all releases in between there was no dependency on an *odbc*
> package at all.)



Wow. odbcinst1debian1 hasn’t existed for years.

We’re only a few days from the release of Bookworm, so this will need to be
fixed in the first point release.

In saying that, the number of users impacted by this upgrade path must be
very small.

Hugh


Bug#1034634: unblock: freetype/2.12.1+dfsg-5

2023-04-20 Thread Hugh McMaster
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: freet...@packages.debian.org
Control: affects -1 + src:freetype

Please unblock package freetype.

[ Reason ]
An integer overflow vulnerability was discovered in FreeType (specifically, the
tt_hvadvance_adjust() function). This is CVE-2023-2004.

[ Impact ]
FreeType 2 can crash when getting TrueType font metrics due to the overflow.

[ Tests ]
Chromium's OSS-Fuzz project regularly fuzzes the FreeType source. After the
upstream fix was applied, the vulnerability was fixed.

[ Risks ]
The patch is non-invasive and very small.

[ Checklist ]
  [ x ] all changes are documented in the d/changelog
  [ x ] I reviewed all changes and I approve them
  [ x ] attach debdiff against the package in testing

unblock freetype/2.12.1+dfsg-5
diff -Nru freetype-2.12.1+dfsg/debian/changelog 
freetype-2.12.1+dfsg/debian/changelog
--- freetype-2.12.1+dfsg/debian/changelog   2023-01-12 23:05:22.0 
+1100
+++ freetype-2.12.1+dfsg/debian/changelog   2023-04-20 21:08:03.0 
+1000
@@ -1,3 +1,10 @@
+freetype (2.12.1+dfsg-5) unstable; urgency=medium
+
+  * debian/patches: Add a patch to fix CVE-2023-2004 (Closes: #1034612).
+- Integer overflow in tt_hvadvance_adjust().
+
+ -- Hugh McMaster   Thu, 20 Apr 2023 21:08:03 +1000
+
 freetype (2.12.1+dfsg-4) unstable; urgency=medium
 
   [ Debian Janitor ]
diff -Nru freetype-2.12.1+dfsg/debian/patches/CVE-2023-2004.patch 
freetype-2.12.1+dfsg/debian/patches/CVE-2023-2004.patch
--- freetype-2.12.1+dfsg/debian/patches/CVE-2023-2004.patch 1970-01-01 
10:00:00.0 +1000
+++ freetype-2.12.1+dfsg/debian/patches/CVE-2023-2004.patch 2023-04-20 
21:03:11.0 +1000
@@ -0,0 +1,42 @@
+Description: Prevent integer overflow in tt_hvadvance_adjust().
+ Fixes CVE-2023-2004.
+Author: Werner Lemberg 
+Origin: 
https://gitlab.freedesktop.org/freetype/freetype/-/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611
+Bug-Debian: https://bugs.debian.org/1034612
+Last-Update: 2023-04-30
+
+--- a/src/truetype/ttgxvar.c
 b/src/truetype/ttgxvar.c
+@@ -42,6 +42,7 @@
+ #include 
+ #include 
+ #include FT_CONFIG_CONFIG_H
++#include 
+ #include 
+ #include 
+ #include 
+@@ -1133,14 +1134,17 @@
+outerIndex,
+innerIndex );
+ 
+-FT_TRACE5(( "%s value %d adjusted by %d unit%s (%s)\n",
+-vertical ? "vertical height" : "horizontal width",
+-*avalue,
+-delta,
+-delta == 1 ? "" : "s",
+-vertical ? "VVAR" : "HVAR" ));
++if ( delta )
++{
++  FT_TRACE5(( "%s value %d adjusted by %d unit%s (%s)\n",
++  vertical ? "vertical height" : "horizontal width",
++  *avalue,
++  delta,
++  delta == 1 ? "" : "s",
++  vertical ? "VVAR" : "HVAR" ));
+ 
+-*avalue += delta;
++  *avalue = ADD_INT( *avalue, delta );
++}
+ 
+   Exit:
+ return error;
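
Review bot: the `Last-Update: 2023-04-30` header of the new patch file is ten days later than the changelog date of this upload (Thu, 20 Apr 2023), so it looks like a typo for 2023-04-20 and should be corrected before upload. Since the embedded change also moves the trace call inside `if ( delta )`, the Description could note that the trace message is now skipped for a zero delta, so the header describes everything the patch does.
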
diff -Nru freetype-2.12.1+dfsg/debian/patches/series 
freetype-2.12.1+dfsg/debian/patches/series
--- freetype-2.12.1+dfsg/debian/patches/series  2023-01-12 23:05:22.0 
+1100
+++ freetype-2.12.1+dfsg/debian/patches/series  2023-04-20 21:02:52.0 
+1000
@@ -5,3 +5,4 @@
 CVE-2022-31782.patch
 fix-wild-free-svg.patch
 hardening.patch
+CVE-2023-2004.patch


Bug#1031981: RFS: fonts-material-design-icons-iconfont/6.7.0+dfsg-1 -- Material Design Icons DX

2023-02-26 Thread Hugh McMaster
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package
"fonts-material-design-icons-iconfont":

 * Package name : fonts-material-design-icons-iconfont
   Version  : 6.7.0+dfsg-1
   Upstream contact : https://github.com/jossef/material-design-icons-iconfont
 * URL  : https://github.com/jossef/material-design-icons-iconfont
 * License  : Apache-2.0
 * Vcs  :
https://salsa.debian.org/hmc/fonts-material-design-icons-iconfont
   Section  : fonts

The source builds the following binary packages:

  fonts-material-design-icons-iconfont - Material Design Icons DX

To access further information about this package, please visit the
following URL:

  https://mentors.debian.net/package/fonts-material-design-icons-iconfont/

Alternatively, you can download the package with 'dget' using this command:

  dget -x 
https://mentors.debian.net/debian/pool/main/f/fonts-material-design-icons-iconfont/fonts-material-design-icons-iconfont_6.7.0+dfsg-1.dsc

Changes since the last upload:

 fonts-material-design-icons-iconfont (6.7.0+dfsg-1) unstable; urgency=medium
 .
   * New upstream version.
   * debian/copyright: Update for 2023.
   * debian/control:
 + Update Standards-Version to 4.6.2 (no changes needed).
 + Update short description.
   * debian/source/lintian-overrides: Update tags and syntax.

Regards,

-- 
  Hugh McMaster



Bug#1031329: Please disregard this bug report

2023-02-15 Thread Hugh McMaster
Hi Michael,

Thank you for the bug report and for confirming the issue is caused by a
recent change in the Microsoft repository.

On Wed, 15 Feb 2023 at 14:51, Michael Shipper wrote:

> It looks like the bug is in the Microsoft odbc package not the Debian odbc
> package.
>
> Please close this ticket.
>
Microsoft is tracking the issue on Github. [1]

I’ll leave this bug open until the issue is resolved, just in case other
users come across the same problem.

[1] https://github.com/microsoft/linux-package-repositories/issues/36


Bug#1029194: libvulkan-dev: No longer multi-arch installable

2023-01-19 Thread Hugh McMaster
Package: libvulkan-dev
Version: 1.3.236.0-1
Severity: normal

Dear Maintainer,

While performing a standard package update, dpkg terminated due to a multi-arch
conflict in libvulkan-dev. My system has both amd64 and i386 flavours
installed.

Relevant output:
Unpacking libvulkan-dev:i386 (1.3.236.0-1) over (1.3.231.1-1) ...
dpkg: error processing archive /tmp/apt-dpkg-install-WHdLcA/257-libvulkan-dev_1.3.236.0-1_i386.deb (--unpack):
 trying to overwrite shared '/usr/share/cmake/VulkanHeaders/VulkanHeadersConfigVersion.cmake', which is different from other instances of package libvulkan-dev:i386

Removing one of the arch versions allowed dpkg to finish upgrading all other
packages.


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-1-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libvulkan-dev depends on:
ii  libvulkan1  1.3.236.0-1
ii  python3 3.11.1-1

libvulkan-dev recommends no packages.

libvulkan-dev suggests no packages.

-- no debconf information



Bug#1011049: freetype: breaks architecture bootstrap by depending on librsvg2-dev

2023-01-17 Thread Hugh McMaster
Hi Simon,

On Fri, 13 Jan 2023 at 06:20, Simon McVittie wrote:
>
> On Wed, 11 Jan 2023 at 16:55:05 +1100, Hugh McMaster wrote:
> > I've added support for your suggested build profile
> > (pkg.freetype.nodemos), since it's useful (and more efficient) to
> > build without the demos at times.
>
> If freetype2-demos does what its name suggests, then this might be
> in-scope for the non-package-specific build profile noinsttest ("Disable
> binary packages consisting entirely of automated tests, manual tests,
> example/demo programs and test tools"). The scope of noinsttest is a bit
> wider than its name suggests, because "as-installed" automated tests
> like gtk-4-tests and examples/demos/manual tests like gtk-4-examples
> seem like they have quite a lot in common.
>
> However, I see there are other packages that depend on freetype2-demos,
> which makes it unclear to me whether freetype2-demos *only* contains
> demos, or whether it also contains general-purpose utilities analogous to
> the ones in libglib2.0-bin (which would be out-of-scope for noinsttest).

freetype2-demos only contains programs used to test and showcase the
FreeType 2 font engine. They aren't general-purpose utilities.

Would this mean the binary package qualifies for the noinsttest build profile?



Bug#1011049: freetype: breaks architecture bootstrap by depending on librsvg2-dev

2023-01-10 Thread Hugh McMaster
On Mon, 16 May 2022 07:23:23 +0200 Helmut Grohne wrote:
> freetype participates in architecture bootstrap. As such, it must be
> careful about its Build-Depends. It now added librsvg2-dev, which is
> built from librsvg, which Build-Depends on rustc, which pulls llvm. This
> totally breaks architecture cross bootstrap.
>
> Beyond breaking practical architecture bootstrap, it also breaks
> theoretical architecture bootstrap, because librsvg Build-Depends on
> libfreetype-dev. This poses a cycle that cannot be solved.
>
> [snip]
>
>  * Judging the changelog, it could be demos that need rsvg without having
>the main library actually use rsvg. In that case, it would be easy to
>hide freetype2-demos behind a build profile (say
>pkg.freetype.nodemos) and conditionalize the dependency to that
>profile.

You are correct in saying that only the FreeType demos use librsvg if
it is available.

I've added support for your suggested build profile
(pkg.freetype.nodemos), since it's useful (and more efficient) to
build without the demos at times.

I have not yet added Build-Depends: librsvg2-dev  to debian/control, as upstream is looking at
supporting other lighter SVG libraries that have a much smaller
dependency chain.

I hope this helps. Please let me know if you have any concerns.

Hugh



Bug#1000084: modsecurity-apache: Bugs fixed in version 2.9.7

2023-01-10 Thread Hugh McMaster
Control: tags -1 fixed-upstream

Dear maintainer,

Upstream has recently released ModSecurity 2.9.7, which fixes these bugs.

It would be good to have these fixes in Bookworm.

Please note that you must pass --with-pcre2 to configure via debian/rules to 
enable PCRE2 support.

Kind regards,

Hugh


Bug#1014603: iusql fails if password contains semicolon

2022-12-06 Thread Hugh McMaster
Hi Joe,

On Sat, 9 Jul 2022 at 00:51, Joe Nahmias wrote:

> Package: unixodbc
> Version: 2.3.11-2
> Severity: normal
> File: /usr/bin/iusql
> X-Debbugs-Cc: j...@nahmias.net
>
> Hello,
>
> I was trying to connect to an MSSQL database using unixodbc/iusql with
> the FreeTDS driver. The password for the login was randomly generated
> and contained a semicolon ";" in it. This worked fine when using the
> FreeTDS tools tsql and fisql. However, the iusql tool from unixodbc
> failed as follows:
>
> $ iusql myDSN myLogin 'Y%4VtL?C@OuUwmWkksL;+!#V$JSo6' -v
> [FreeTDS][SQL Server]Unable to connect to data source
> [FreeTDS][SQL Server]Login failed for user 'myLogin'.
> [ISQL]ERROR: Could not SQLDriverConnect
>
> Changing the password in the database worked around the issue, but I
> guess iusql needs to do better escaping of special characters in the
> password.


This issue has been the subject of much upstream discussion in recent times,
including how to mitigate it.

You need to escape any password containing a semicolon with braces and also
append a trailing semicolon.

For example: '{Password;123};'

Upstream has also committed a patch allowing users to pass in the full
connection string as one command-line argument. This helps but still
requires a trailing semicolon.

I expect a small update to the iusql man page will be the extent of any
further changes on this issue.



Bug#1024949: freetype: support the noudeb build profile

2022-11-28 Thread Hugh McMaster
Hi Helmut,

On Mon, 28 Nov 2022 at 08:04, Helmut Grohne wrote:

> Source: freetype
> Version: 2.12.1+dfsg-3
> Severity: minor
> Tags: patch
> User: helm...@debian.org
> Usertags: rebootstrap
>
> freetype builds a udeb package. It would be nice to be able to opt out
> of building it via the noudeb build profile. I'm attaching a patch for
> your convenience.


This is a great idea. I’ll add the patch to the next release.

Thanks for the suggestion and patch.



Bug#1004421: ITS: cadaver

2022-10-30 Thread Hugh McMaster
Hi Sebastian and Arnaud,

I've been working with upstream [1] to fix several issues in cadaver,
particularly its inability to regenerate its build system from source,
which is a major issue.

I'm pleased to report that we have a new upstream version, 0.24.

I believe Arnaud has taken over as maintainer but wanted to inform you
both of the new version.

Please let me know if you need any help with package maintenance. In
particular, this new version is a good opportunity to switch to dh
format in d/rules.

Bugs fixed by this upstream release include 605121 [2], 879882 [3] and
949059 [4].

Hugh

[1] https://github.com/notroj/cadaver
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605121
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879882
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949059



Bug#1020951: RFS: raptor2/2.0.15-3 [QA] -- Raptor 2 RDF syntax library

2022-09-29 Thread Hugh McMaster
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "raptor2":

 * Package name : raptor2
   Version  : 2.0.15-3
   Upstream contact : Dave Beckett 
 * URL  : https://librdf.org/raptor/
 * License  : GPL-3+, LGPL-2.1+ or GPL-2+ or Apache-2.0,
LGPL-2.1+, public-domain
 * Vcs  : [fill in URL of packaging vcs]
   Section  : devel

The source builds the following binary packages:

  libraptor2-dev - Raptor 2 RDF syntax library development libraries and headers
  libraptor2-0 - Raptor 2 RDF syntax library
  raptor2-utils - Raptor 2 RDF parser and serializer utilities
  libraptor2-doc - Documentation for the Raptor 2 RDF syntax library

raptor2 does not have a repository on Salsa yet. As this is a QA Team
upload, can someone please create an empty repository in the Debian
namespace and grant me (hmc) privileges, so I can build it out?

To access further information about this package, please visit the
following URL:

  https://mentors.debian.net/package/raptor2/

Alternatively, you can download the package with 'dget' using this command:

  dget -x https://mentors.debian.net/debian/pool/main/r/raptor2/raptor2_2.0.15-3.dsc

Changes since the last upload:

 raptor2 (2.0.15-3) unstable; urgency=medium
 .
   * QA upload.
   * debian/changelog: Fix some typos.
   * debian/control:
 + libraptor2-dev: Drop Depends on pkg-config.
 + raptor2-utils: Drop Conflicts/Replaces (no longer needed).
 + libraptor2-doc:
   - Mark package Multi-Arch: foreign.
   - Remove documentation path from package description.
   * debian/patches:
 + Fix FTBFS when libxml2 is detected via pkg-config (Closes: #949490).
 + Fix a typo in an existing patch name.
   * debian/rules:
 + Don't install upstream's README file in all binary packages.
   The README file is now only installed in libraptor2-doc.
 + Drop dh_installchangelogs override.
 + Drop dh_strip override; dbgsym-migration is complete.
   * Drop "debian/tmp" from installation paths.
   * libraptor2-0: Add symbols file.
   * libraptor2-doc: Replace .install file with .docs.
   * lintian-overrides: Add overrides for very-long-line-length-in-source-file
 and source-is-missing messages.
   * Add debian/upstream/metadata file.

Regards,
-- 
  Hugh McMaster



Bug#949422: osmo: diff for NMU version 0.4.4-1.1

2022-09-28 Thread Hugh McMaster
Control: tags 949422 + patch


Dear maintainer,

I've prepared an NMU for osmo (versioned as 0.4.4-1.1). The diff
is attached to this message.

As this package is marked LowNMU, I will seek sponsorship to
upload shortly. Please let me know if you would prefer to upload
this version yourself.

Kind regards,

Hugh

diff -Nru osmo-0.4.4/debian/changelog osmo-0.4.4/debian/changelog
--- osmo-0.4.4/debian/changelog	2020-07-15 10:06:11.0 +1000
+++ osmo-0.4.4/debian/changelog	2022-09-29 14:59:38.0 +1000
@@ -1,3 +1,10 @@
+osmo (0.4.4-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/patches: Use pkg-config to find libxml2 (Closes: #949422).
+
+ -- Hugh McMaster   Thu, 29 Sep 2022 14:59:38 +1000
+
 osmo (0.4.4-1) unstable; urgency=medium
 
   * New upstream version 0.4.4.
diff -Nru osmo-0.4.4/debian/patches/libxml2.patch osmo-0.4.4/debian/patches/libxml2.patch
--- osmo-0.4.4/debian/patches/libxml2.patch	1970-01-01 10:00:00.0 +1000
+++ osmo-0.4.4/debian/patches/libxml2.patch	2022-09-29 12:04:07.0 +1000
@@ -0,0 +1,29 @@
+Description: Use pkg-config to find libxml2
+Author: Maxim Gordienko 
+Bug-Debian: https://bugs.debian.org/949422
+Origin: upstream, https://sourceforge.net/p/osmo-pim/osmo/ci/843cf52c73f7fe9e89982b0795a206be1b90784d/
+Last-Update: 2022-09-27
+
+--- a/configure.ac
 b/configure.ac
+@@ -57,8 +57,7 @@
+ AM_PATH_GTK_3_0(3.10.0,,
+ AC_MSG_ERROR([GTK+ not found or too old (version < 3.10)]))
+ 
+-AM_PATH_XML2(2.0.0,,
+-AC_MSG_ERROR([You do not appear to have libxml2 installed.]))
++PKG_CHECK_MODULES([XML], [libxml-2.0 >= 2.9])
+ 
+ PKG_CHECK_MODULES(GTHREAD, gthread-2.0 >= 2.6.0)
+ 
+--- a/src/Makefile.am
 b/src/Makefile.am
+@@ -6,7 +6,7 @@
+ VERSION_MICRO := $(shell echo $(VERSION) | awk -F "." '{print $$3}')
+ AM_CPPFLAGS = -DREPO=$(ISREPO) -DREVISION=$(REVISION) -DLOCALEDIR=\"$(datadir)/locale\" -DDATADIR=\"$(datadir)\" \
+ 			  -DVERSION_MAJOR=\"$(VERSION_MAJOR)\" -DVERSION_MINOR=\"$(VERSION_MINOR)\" -DVERSION_MICRO=\"$(VERSION_MICRO)\" \
+-			  -DSOUNDSDIR=\"$(datadir)/sounds\" @GTK_CFLAGS@ @XML_CPPFLAGS@ -Wall -DGDK_DISABLE_DEPRECATION_WARNINGS \
++			  -DSOUNDSDIR=\"$(datadir)/sounds\" @GTK_CFLAGS@ @XML_CFLAGS@ -Wall -DGDK_DISABLE_DEPRECATION_WARNINGS \
+ 			  -DICONSDIR=\"$(datadir)/icons\" -DPIXMAPSDIR=\"$(datadir)/pixmaps\" \
+ 			  -DG_DISABLE_CAST_CHECKS
+ 
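
Review bot: The configure.ac change raises the libxml2 floor from 2.0.0 (the removed AM_PATH_XML2 call) to 2.9 in PKG_CHECK_MODULES([XML], [libxml-2.0 >= 2.9]), and neither the patch Description nor the changelog entry says why. If the bump comes from the upstream commit named in Origin, say so in the Description; otherwise keep the old minimum so the patch only changes how the library is found. The Makefile.am side swaps @XML_CPPFLAGS@ for @XML_CFLAGS@, so also confirm that no other @XML_CPPFLAGS@ reference is left in the tree, since only src/Makefile.am is touched here.
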
diff -Nru osmo-0.4.4/debian/patches/series osmo-0.4.4/debian/patches/series
--- osmo-0.4.4/debian/patches/series	1970-01-01 10:00:00.0 +1000
+++ osmo-0.4.4/debian/patches/series	2022-09-29 12:04:07.0 +1000
@@ -0,0 +1 @@
+libxml2.patch


Bug#949405: kannel: FTBFS with libxml2 2.9.10 (uses xml2-config)

2022-09-21 Thread Hugh McMaster
Control: tags -1 + patch fixed-upstream
Control: forwarded -1 https://redmine.kannel.org/issues/830

Patch applied upstream [1]

Hugh

[1] https://redmine.kannel.org/projects/kannel/repository/revisions/5326/diff/trunk/configure.in



Bug#1019654: cfengine3: Package latest LTS/non-LTS version

2022-09-12 Thread Hugh McMaster
Package: cfengine3
Version: 3.15.2-3.1
Severity: wishlist

Dear Maintainer,

Upstream support for the current version of CFEngine in Debian, 3.15 LTS, will
end on 31 December 2022.

Shortly after, the next Debian freeze will begin.

To ensure users of Debian Bookworm can install a more recent version of
CFEngine, please package 3.18 LTS or the most recent non-LTS version.

Thank you


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.19.0-1-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cfengine3 depends on:
ii  e2fsprogs 1.46.5-2
ii  libacl1   2.3.1-1
ii  libc6 2.34-8
ii  liblmdb0  0.9.24-1
ii  libpam0g  1.5.2-2
ii  libpcre3  2:8.39-14
ii  libpromises3  3.15.2-3.1
ii  libssl3   3.0.5-2
ii  libvirt0  8.5.0-1
ii  libxml2   2.9.14+dfsg-1+b1
ii  libyaml-0-2   0.2.5-1
ii  lsb-base  11.2

Versions of packages cfengine3 recommends:
pn  python  

cfengine3 suggests no packages.

-- no debconf information



Bug#945623: cfengine3: diff for NMU version 3.15.2-3.2

2022-09-09 Thread Hugh McMaster
Control: tags 945623 + patch
Control: tags 949086 + patch
Control: tags 998014 + patch


Dear maintainer,

I've prepared an NMU for cfengine3 (versioned as 3.15.2-3.2). The diff
is attached to this message.

I require a sponsor to have it uploaded and intend to seek sponsorship
without delay due to the RC bug #992662.

Please let me know if you plan to take care of the upload yourself.

Regards,

Hugh McMaster
diff -Nru cfengine3-3.15.2/debian/changelog cfengine3-3.15.2/debian/changelog
--- cfengine3-3.15.2/debian/changelog	2022-05-22 02:25:35.0 +1000
+++ cfengine3-3.15.2/debian/changelog	2022-09-09 17:13:10.0 +1000
@@ -1,3 +1,21 @@
+cfengine3 (3.15.2-3.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/control:
++ Build-Depend on pkg-config.
++ cfengine3: Recommend python3 instead of python (Closes: #998014).
+  * debian/patches:
++ Drop 883480-fix-crossbuild-libxml2.patch (no longer needed).
++ Use pkg-config to find libxml2 (Closes: #972893, #949086).
++ Remove /sbin from the CF3_PATH_ROOT_PROG macro PATH override to ensure
+  system tools can be invoked on usr-merged and non-usr-merged systems
+  (Closes: #992662).
++ Fix python3 and shell interpreter paths; use python3 syntax in upstream
+  apt_get module (Closes: #945623).
++ Fix spelling error in openssl3.patch metadata.
+
+ -- Hugh McMaster   Fri, 09 Sep 2022 17:13:10 +1000
+
 cfengine3 (3.15.2-3.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru cfengine3-3.15.2/debian/control cfengine3-3.15.2/debian/control
--- cfengine3-3.15.2/debian/control	2022-05-22 02:13:41.0 +1000
+++ cfengine3-3.15.2/debian/control	2022-09-09 16:55:06.0 +1000
@@ -2,17 +2,19 @@
 Section: admin
 Priority: optional
 Maintainer: Antonio Radici 
-Build-Depends: debhelper (>= 10),
- libssl-dev, 
- flex,
+Build-Depends:
+ debhelper (>= 10),
  bison,
- libpcre3-dev,
- libvirt-dev,
+ flex,
  libacl1-dev,
  liblmdb-dev,
- libxml2-dev,
  libpam0g-dev,
- libyaml-dev
+ libpcre3-dev,
+ libssl-dev,
+ libvirt-dev,
+ libxml2-dev,
+ libyaml-dev,
+ pkg-config
 Standards-Version: 4.1.1
 Homepage: https://cfengine.com/product/community/
 Vcs-Git: https://salsa.debian.org/cfengine-team/cfengine3.git
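
Review bot: In the Build-Depends block, the one functional change (adding pkg-config) is buried in an alphabetical re-sort of the whole list, which also moves libssl-dev, flex, libpcre3-dev, libvirt-dev and libxml2-dev. For an NMU, keep the existing order and append pkg-config only, or list the re-sort as its own changelog item, so the maintainer can see at a glance that nothing was dropped.
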
@@ -21,7 +23,7 @@
 Package: cfengine3
 Architecture: any
 Depends: lsb-base (>= 3.0-6), e2fsprogs, ${shlibs:Depends}, ${misc:Depends}, libpromises3 (= ${binary:Version})
-Recommends: python
+Recommends: python3
 Description: tool for configuring and maintaining network machines
  Cfengine is a suite of programs for integrated autonomic management
  of either individual or networked computers.
diff -Nru cfengine3-3.15.2/debian/patches/0011-fix_interpreters.patch cfengine3-3.15.2/debian/patches/0011-fix_interpreters.patch
--- cfengine3-3.15.2/debian/patches/0011-fix_interpreters.patch	2020-09-14 17:00:24.0 +1000
+++ cfengine3-3.15.2/debian/patches/0011-fix_interpreters.patch	2022-09-09 15:54:53.0 +1000
@@ -1,3 +1,8 @@
+Description: Update interpreter paths and file names
+Author: Hugh McMaster 
+Forwarded: no, not-needed
+Last-Update: 2022-09-09
+
 --- a/masterfiles/cfe_internal/core/watchdog/templates/watchdog.mustache
 +++ b/masterfiles/cfe_internal/core/watchdog/templates/watchdog.mustache
 @@ -1,4 +1,4 @@
@@ -6,27 +11,27 @@
  
  # Watchdog events are logged here.
  PIDFILE="/var/cfengine/watchdog.pid"
 a/masterfiles/modules/packages/apt_get
-+++ b/masterfiles/modules/packages/apt_get
+--- a/masterfiles/modules/packages/apt_get.in
 b/masterfiles/modules/packages/apt_get.in
 @@ -1,4 +1,4 @@
--#!/var/cfengine/bin/python
-+#!/usr/bin/python
+-#!@bindir@/python
++#!/usr/bin/python3
  
  import sys
  import os
 a/masterfiles/modules/packages/yum
-+++ b/masterfiles/modules/packages/yum
+--- a/masterfiles/modules/packages/yum.in
 b/masterfiles/modules/packages/yum.in
 @@ -1,4 +1,4 @@
--#!/var/cfengine/bin/python
-+#!/usr/bin/python
+-#!@bindir@/python
++#!/usr/bin/python3
  
  import sys
  import os
 a/masterfiles/modules/packages/zypper
-+++ b/masterfiles/modules/packages/zypper
+--- a/masterfiles/modules/packages/zypper.in
 b/masterfiles/modules/packages/zypper.in
 @@ -1,4 +1,4 @@
--#!/var/cfengine/bin/python
-+#!/usr/bin/python
+-#!@bindir@/python
++#!/usr/bin/python3
  
  #
  # Copyright 2016 Normation SAS
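
Review bot: The yum and zypper modules get the same #!/usr/bin/python3 shebang as apt_get, but the changelog entry only mentions python3 syntax fixes for the apt_get module. Either confirm that yum.in and zypper.in already run under Python 3, or say in the new Description header that they are untested; a python3 shebang on Python 2 code replaces a missing-interpreter error with a syntax error at run time. The patch also retargets the files from apt_get, yum and zypper to their .in templates, which deserves a line in the Description as well.
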
diff -Nru cfengine3-3.15.2/debian/patches/883480-fix-crossbuild-libxml2.patch cfengine3-3.15.2/debian/patches/883480-fix-crossbuild-libxml2.patch
--- cfengine3-3.15.2/debian/patches/883480-fix-crossbuild-libxml2.patch	2020-09-14 17:00:24.0 +1000
+++ cfengine3-3.15.2/debian/patches/883480-fix-crossbuild-libxml2.patch	1970-01-01 10:00:00.0 +1000
@@ -1,18 +0,0 @@
-Fix an issue with cross-builds where configure insists that xml2-config is
-unusable for cross-builds which will, in turn, break the builds.
-
-Patch provided by Helmut Gro

Bug#1019184: RFS: exif/0.6.22-3 -- command-line utility to show EXIF information in JPEG files

2022-09-04 Thread Hugh McMaster
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "exif":

 * Package name: exif
   Version : 0.6.22-3
   Upstream Author : Dan Fandrich ,
 * URL : https://libexif.github.io/
 * License : LGPL-2.1+
 * Vcs : https://salsa.debian.org/debian-phototools-team/exif
   Section : graphics

The source builds the following binary packages:

  exif - command-line utility to show EXIF information in JPEG files

To access further information about this package, please visit the
following URL:

  https://mentors.debian.net/package/exif/

Alternatively, you can download the package with 'dget' using this command:

  dget -x https://mentors.debian.net/debian/pool/main/e/exif/exif_0.6.22-3.dsc

Changes since the last upload:

 exif (0.6.22-3) unstable; urgency=medium
 .
   * debian/control: Raise Standards-Version to 4.6.1 (no changes needed).
   * debian/copyright: Update for 2022.
   * debian/gbp.conf: Use DEP-14 branch naming; require signed tags.
   * debian/patches:
 + Add patch for CVE-2021-27815 (Closes: #1018814).
 + Prevent NULL pointer dereference with strncpy() in exif/actions.c.
   Thanks to Aron Xu for forwarding the upstream patch.

I currently maintain the related packages libexif and libexif-gtk with
DM upload permissions. I would like to take on more responsibility
with exif and upload as a DM as well.

Regards,
-- 
  Hugh McMaster



Bug#1017783: RFS: tablix2/0.3.5-4 [QA] -- Kernel for solving general timetabling problems

2022-08-20 Thread Hugh McMaster
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "tablix2":

 * Package name: tablix2
   Version : 0.3.5-4
   Upstream Author : Tomaž Šolc 
 * URL : https://www.tablix.org
 * License : LGPL-2+, LGPL-2.1+, TinyScheme-BSD-3-Clause,
GPL-2+, public-domain, HPND-sell-variant
 * Vcs : [fill in URL of packaging vcs]
   Section : misc

The source builds the following binary packages:

  tablix2 - Kernel for solving general timetabling problems
  tablix2-doc - Kernel for solving general timetabling problems (documentation)

To access further information about this package, please visit the
following URL:

  https://mentors.debian.net/package/tablix2/

Alternatively, you can download the package with 'dget' using this command:

  dget -x https://mentors.debian.net/debian/pool/main/t/tablix2/tablix2_0.3.5-4.dsc

Changes since the last upload:

 tablix2 (0.3.5-4) unstable; urgency=medium
 .
   * QA upload.
   * Set Maintainer to Debian QA Group (see #994647).
   * Convert package to '3.0 (quilt)' format (Closes: #1007512).
   * debian/control:
 + Priority: extra -> optional.
 + Switch to debhelper-compat v13 and drop debian/compat file.
 + Build-Depends: add pkg-config; remove dh-autoreconf.
 + Raise Standards-Version to 4.6.1 from 3.9.8 (no changes needed).
 + Update package description.
 + Use HTTPS protocol.
 + Add documentation and examples package (tablix2-doc).
 + Declare Rules-Requires-Root: no.
 + Trim trailing whitespace.
 + Suggest gnuplot instead of Recommending it.
   * debian/copyright: Convert to DEP-5 format and update.
   * debian/patches:
 + Remove references to 'debian' from upstream build files.
 + Remove hard-coded 'localedir' override from configure.in.
 + Use pkg-config to find libxml2 (Closes: #949502).
 + Fix spelling and syntax errors in the man pages.
   * debian/rules:
 + Use the 'dh' build system (Closes: #949600).
 + Add hardening flags to DEB_BUILD_MAINT_OPTIONS.
   * debian/upstream: Add metadata file.
   * debian/watch: Update version, repository URL and archive regex.
   * tablix2: Don't install the *.la files (Closes: #810271).
   * tablix2.docs: Add doc-base file.
   * Override some Lintian warnings.

Regards,
-- 
  Hugh McMaster



Bug#1010785: gdome2: reproducible-builds: embedded build paths libgdome.so.*

2022-06-21 Thread Hugh McMaster
Hi Vagrant,

On Wed, 15 Jun 2022 20:41:05 -0700 Vagrant Cascadian wrote:
> Control: found 1010785 0.8.1+debian-8
>
> On 2022-05-09, Vagrant Cascadian wrote:
> > The build path is embedded in /usr/lib/libgdome.so.0.8.1:
> >
> >   https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/gdome2.html
> >
> >   /build/1st/gdome2-0.8.1+debian/libgdome/gdome.c:65
> >   vs.
> >   /build/2/gdome2-0.8.1+debian/2nd/libgdome/gdome.c:65
> >
> >
> > The attached patch to debian/rules fixes this by passing
> > -ffile-prefix-map in CFLAGS and ensuring CFLAGS is passed to configure.
> >
> > Alternately, updating the packaging to use dh/debhelper at a recent
> > compat level would also likely fix this.
>
> Turns out simply switching to dh/debhelper was not sufficient...

Actually, switching to debhelper v13 was fine. The problem was the
manual CFLAGS logic in debian/rules.

With that removed and handled by debhelper, -ffile-prefix-map is
passed to the compiler correctly, along with other hardening and
security flags.

> Probably adjusting debian/rules with something like:
>
> override_dh_auto_configure:
> CFLAGS="$(CFLAGS) -ffile-prefix-map=$(CURDIR)" dh_auto_configure
>
> I'll try and provide an updated patch and confirm the fix at some
> point... though if someone else does it first I won't complain! :)

I ran `reprotest` with the attached patch applied and the builds were
reproducible. `blhc` also had no output (meaning there were no
issues).

I've uploaded a build to Debian Mentors [1]. If you are happy to
sponsor the upload, please do. Otherwise, please apply the patch and
upload yourself.

Hugh

[1] https://mentors.debian.net/debian/pool/main/g/gdome2/gdome2_0.8.1+debian-9.dsc


gdome2-0.8.1+debian-9.debdiff
Description: Binary data


Bug#1012475: RFS: gdome2/0.8.1+debian-8 [QA] -- DOM level2 library for accessing XML files

2022-06-07 Thread Hugh McMaster
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "gdome2":

 * Package name: gdome2
   Version : 0.8.1+debian-8
   Upstream Author : Paolo Casarini 
 * URL : http://gdome2.cs.unibo.it/
 * License : LGPL-2.1+
 * Vcs : [fill in URL of packaging vcs]
   Section : libdevel

The source builds the following binary packages:

  libgdome2-dev - Development files for libgdome2
  libgdome2-0 - DOM level2 library for accessing XML files

To access further information about this package, please visit the
following URL:

  https://mentors.debian.net/package/gdome2/

Alternatively, you can download the package with 'dget' using this command:

  dget -x https://mentors.debian.net/debian/pool/main/g/gdome2/gdome2_0.8.1+debian-8.dsc

Changes since the last upload:

 gdome2 (0.8.1+debian-8) unstable; urgency=medium
 .
   * QA upload.
   * debian/changelog: Switch to DEP-5 format.
   * debian/control:
 - Use debhelper-compat v13 (Closes: #875888, #1010785).
 - Raise Standards-Version to 4.6.1 from 3.9.4 (no changes needed).
 - Declare packages Multi-Arch: same.
 - Declare Rules-Requires-Root: no.
 - Build-Depend on pkg-config.
   * debian/patches:
 - Add DEP-3 headers to patches 1 to 4.
 - Patch configure.in to use pkg-config to find libxml2 (Closes: #949147).
 - Update patch 1 to use Autoconf variables instead of calling xml2-config.
   * debian/rules:
 - Switch to the 'dh' build system.
 - Add hardening flags to DEB_BUILD_MAINT_OPTIONS.
   * debian/watch: Update to version 4.
   * libgdome2-0: Add install and symbols files.
   * libgdome2-dev:
 - Add install, docs and examples files.
 - Install gdome2.pc in a multi-arch location (Closes: #895991).
   * Don't install gdome-config, gdomeConf.sh, gdome2.m4 or libgdome.la.

The two reverse build-dependencies use pkg-config to find gdome2, so
there are no issues with the removal of gdome-config.

Regards,
-- 
  Hugh McMaster



Bug#1010305: buster-pu: package freetype/2.9.1-3+deb10u3

2022-04-28 Thread Hugh McMaster
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

This update fixes three security vulnerabilities in FreeType 2.9.1-3+deb10u2.

- CVE-2022-27404: heap buffer overflow via invalid integer decrement in
sfnt_init_face().
- CVE-2022-27405: segmentation violation via ft_open_face_internal() when
attempting to read the value of FT_LONG face_index.
- CVE-2022-27406: segmentation violation via FT_Request_Size() when attempting
to read the value of an unguarded face size handle.

It would be ideal to get these fixes into Buster.
diff -Nru freetype-2.9.1/debian/changelog freetype-2.9.1/debian/changelog
--- freetype-2.9.1/debian/changelog 2020-10-21 06:15:41.0 +1100
+++ freetype-2.9.1/debian/changelog 2022-04-28 21:11:36.0 +1000
@@ -1,3 +1,15 @@
+freetype (2.9.1-3+deb10u3) buster; urgency=medium
+
+  * Add upstream patches to fix multiple vulnerabilities. Closes: #1010183.
+- CVE-2022-27404: heap buffer overflow via invalid integer decrement in
+  sfnt_init_face().
+- CVE-2022-27405: segmentation violation via ft_open_face_internal() when
+  attempting to read the value of FT_LONG face_index.
+- CVE-2022-27406: segmentation violation via FT_Request_Size() when
+  attempting to read the value of an unguarded face size handle.
+
+ -- Hugh McMaster   Thu, 28 Apr 2022 21:11:36 +1000
+
 freetype (2.9.1-3+deb10u2) buster-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru freetype-2.9.1/debian/patches/CVE-2022-27404.patch 
freetype-2.9.1/debian/patches/CVE-2022-27404.patch
--- freetype-2.9.1/debian/patches/CVE-2022-27404.patch  1970-01-01 
10:00:00.0 +1000
+++ freetype-2.9.1/debian/patches/CVE-2022-27404.patch  2022-04-28 
21:06:58.0 +1000
@@ -0,0 +1,19 @@
+Description: Check `face_index` before decrementing to prevent heap buffer
+ overflow (CVE-2022-27404).
+Author: Werner Lemberg
+Origin: 
https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db
+Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1138
+Bug-Debian: https://bugs.debian.org/1010183
+Last-Update: 2022-04-28
+
+--- a/src/sfnt/sfobjs.c
 b/src/sfnt/sfobjs.c
+@@ -923,7 +923,7 @@
+ face_index = FT_ABS( face_instance_index ) & 0x;
+ 
+ /* value -(N+1) requests information on index N */
+-if ( face_instance_index < 0 )
++if ( face_instance_index < 0 && face_index > 0 )
+   face_index--;
+ 
+ if ( face_index >= face->ttc_header.count )
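
Review bot: With the added face_index > 0 condition, a negative face_instance_index whose masked index is zero now falls through as index 0, but the context comment still reads only "value -(N+1) requests information on index N". Extend that comment or the patch Description to state what such a request resolves to after the fix, so the behaviour is documented where the next reader of sfnt_init_face() will look.
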
diff -Nru freetype-2.9.1/debian/patches/CVE-2022-27405.patch 
freetype-2.9.1/debian/patches/CVE-2022-27405.patch
--- freetype-2.9.1/debian/patches/CVE-2022-27405.patch  1970-01-01 
10:00:00.0 +1000
+++ freetype-2.9.1/debian/patches/CVE-2022-27405.patch  2022-04-28 
21:08:12.0 +1000
@@ -0,0 +1,26 @@
+Description: Properly guard `face_index` before attempting to read its value
+ (CVE-2022-27405).
+Author: Werner Lemberg
+Origin: 
https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5
+Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1139
+Bug-Debian: https://bugs.debian.org/1010183
+Last-Update: 2022-04-28
+
+--- a/src/base/ftobjs.c
 b/src/base/ftobjs.c
+@@ -2345,6 +2345,15 @@
+ #endif
+ 
+ 
++/* only use lower 31 bits together with sign bit */
++if ( face_index > 0 )
++  face_index &= 0x7FFFL;
++else
++{
++  face_index &= 0x7FFFL;
++  face_index  = -face_index;
++}
++
+ #ifdef FT_DEBUG_LEVEL_TRACE
+ FT_TRACE3(( "FT_Open_Face: " ));
+ if ( face_index < 0 )
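
Review bot: In the else branch, face_index is masked while it is still negative and only then negated. Masking a negative two's-complement value clears the sign bit and keeps the complemented low bits, so the result is not the magnitude of the original value; -1, masked and then negated, does not come back as -1. To get "lower 31 bits together with sign bit" as the comment says, negate first, apply the mask, then negate back. Check whether upstream has a follow-up to the Origin commit before this goes into a point release.
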
diff -Nru freetype-2.9.1/debian/patches/CVE-2022-27406.patch 
freetype-2.9.1/debian/patches/CVE-2022-27406.patch
--- freetype-2.9.1/debian/patches/CVE-2022-27406.patch  1970-01-01 
10:00:00.0 +1000
+++ freetype-2.9.1/debian/patches/CVE-2022-27406.patch  2022-04-28 
21:09:23.0 +1000
@@ -0,0 +1,20 @@
+Description: Guard the `face->size` handle before attempting to read its value
+ (CVE-2022-27406).
+Author: Werner Lemberg
+Origin: 
https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2
+Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1140
+Bug-Debian: https://bugs.debian.org/1010183
+Last-Update: 2022-04-28
+
+--- a/src/base/ftobjs.c
 b/src/base/ftobjs.c
+@@ -3209,6 +3209,9 @@
+ if ( !face )
+   return FT_THROW( Invalid_Face_Handle );
+ 
++if ( !face->size )
++  return FT_THROW( Invalid_Size_Handle );
++
+ if ( !req || req->width < 0 || req->height < 0 ||
+  req->type >= FT_SIZE_REQUEST_TYPE_MAX )
+   return FT_THROW( Invalid_Argument );
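
Review bot: The new !face->size test sits ahead of the req validation, so a call with both a missing size object and a bad request now returns Invalid_Size_Handle where it previously reached the req checks. The ordering is reasonable, but the Description should name the error code that is now returned, since callers that match on error values will see a new one from FT_Request_Size().
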
diff -Nru freetype-2.9.1/debian/patches/series 
freetype-2.9.1/debian/patches/series
--- freetype-2.9.1/debian/patches/series2020-10-21 06:15:41.0 
+1100
+++ freetype-2.9.1/deb

Bug#1010304: bullseye-pu: package freetype/2.10.4+dfsg-1+deb11u1

2022-04-28 Thread Hugh McMaster
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

This update fixes three security vulnerabilities in FreeType 2.10.4+dfsg-1.

- CVE-2022-27404: heap buffer overflow via invalid integer decrement in
sfnt_init_face() and woff2_open_font().
- CVE-2022-27405: segmentation violation via ft_open_face_internal() when
attempting to read the value of FT_LONG face_index.
- CVE-2022-27406: segmentation violation via FT_Request_Size() when attempting
to read the value of an unguarded face size handle.

It would be ideal to get these fixes into Bullseye.
diff -Nru freetype-2.10.4+dfsg/debian/changelog 
freetype-2.10.4+dfsg/debian/changelog
--- freetype-2.10.4+dfsg/debian/changelog   2020-12-05 19:20:58.0 
+1100
+++ freetype-2.10.4+dfsg/debian/changelog   2022-04-28 19:54:23.0 
+1000
@@ -1,3 +1,15 @@
+freetype (2.10.4+dfsg-1+deb11u1) bullseye; urgency=medium
+
+  * Add upstream patches to fix multiple vulnerabilities. Closes: #1010183.
+- CVE-2022-27404: heap buffer overflow via invalid integer decrement in
+  sfnt_init_face() and woff2_open_font().
+- CVE-2022-27405: segmentation violation via ft_open_face_internal() when
+  attempting to read the value of FT_LONG face_index.
+- CVE-2022-27406: segmentation violation via FT_Request_Size() when
+  attempting to read the value of an unguarded face size handle.
+
+ -- Hugh McMaster   Thu, 28 Apr 2022 19:54:23 +1000
+
 freetype (2.10.4+dfsg-1) unstable; urgency=medium
 
   * New upstream version:
diff -Nru freetype-2.10.4+dfsg/debian/patches/CVE-2022-27404.patch 
freetype-2.10.4+dfsg/debian/patches/CVE-2022-27404.patch
--- freetype-2.10.4+dfsg/debian/patches/CVE-2022-27404.patch1970-01-01 
10:00:00.0 +1000
+++ freetype-2.10.4+dfsg/debian/patches/CVE-2022-27404.patch2022-04-28 
19:54:23.0 +1000
@@ -0,0 +1,30 @@
+Description: Check `face_index` before decrementing to prevent heap buffer
+ overflow (CVE-2022-27404).
+Author: Werner Lemberg
+Origin: 
https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db
+Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1138
+Bug-Debian: https://bugs.debian.org/1010183
+Last-Update: 2022-04-28
+
+--- a/src/sfnt/sfobjs.c
 b/src/sfnt/sfobjs.c
+@@ -553,7 +553,7 @@
+ face_index = FT_ABS( face_instance_index ) & 0x;
+ 
+ /* value -(N+1) requests information on index N */
+-if ( face_instance_index < 0 )
++if ( face_instance_index < 0 && face_index > 0 )
+   face_index--;
+ 
+ if ( face_index >= face->ttc_header.count )
+--- a/src/sfnt/sfwoff2.c
 b/src/sfnt/sfwoff2.c
+@@ -2098,7 +2098,7 @@
+ /* Validate requested face index. */
+ *num_faces = woff2.num_fonts;
+ /* value -(N+1) requests information on index N */
+-if ( *face_instance_index < 0 )
++if ( *face_instance_index < 0 && face_index > 0 )
+   face_index--;
+ 
+ if ( face_index >= woff2.num_fonts )
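
Review bot: This version of the patch also changes woff2_open_font() in src/sfnt/sfwoff2.c, which the changelog entry mentions but the DEP-3 Description does not. Add the second function to the Description and state whether the sfwoff2.c hunk comes from the same Origin commit. The sfwoff2.c condition reads *face_instance_index but tests a local face_index whose initialisation is outside the context lines, so a reviewer cannot confirm from this hunk alone that the two refer to the same request.
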
diff -Nru freetype-2.10.4+dfsg/debian/patches/CVE-2022-27405.patch 
freetype-2.10.4+dfsg/debian/patches/CVE-2022-27405.patch
--- freetype-2.10.4+dfsg/debian/patches/CVE-2022-27405.patch1970-01-01 
10:00:00.0 +1000
+++ freetype-2.10.4+dfsg/debian/patches/CVE-2022-27405.patch2022-04-28 
19:54:23.0 +1000
@@ -0,0 +1,26 @@
+Description: Properly guard `face_index` before attempting to read its value
+ (CVE-2022-27405).
+Author: Werner Lemberg
+Origin: 
https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5
+Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1139
+Bug-Debian: https://bugs.debian.org/1010183
+Last-Update: 2022-04-28
+
+--- a/src/base/ftobjs.c
 b/src/base/ftobjs.c
+@@ -2407,6 +2407,15 @@
+ #endif
+ 
+ 
++/* only use lower 31 bits together with sign bit */
++if ( face_index > 0 )
++  face_index &= 0x7FFFL;
++else
++{
++  face_index &= 0x7FFFL;
++  face_index  = -face_index;
++}
++
+ #ifdef FT_DEBUG_LEVEL_TRACE
+ FT_TRACE3(( "FT_Open_Face: " ));
+ if ( face_index < 0 )
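
Review bot: The mask constant in both branches reads 0x7FFFL, which keeps 15 bits, while the comment directly above promises the lower 31 bits. One of the two is wrong as shown; compare the constant with the Origin commit and regenerate the patch if the literal was shortened on its way into debian/patches.
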
diff -Nru freetype-2.10.4+dfsg/debian/patches/CVE-2022-27406.patch 
freetype-2.10.4+dfsg/debian/patches/CVE-2022-27406.patch
--- freetype-2.10.4+dfsg/debian/patches/CVE-2022-27406.patch1970-01-01 
10:00:00.0 +1000
+++ freetype-2.10.4+dfsg/debian/patches/CVE-2022-27406.patch2022-04-28 
19:54:23.0 +1000
@@ -0,0 +1,20 @@
+Description: Guard the `face->size` handle before attempting to read its value
+ (CVE-2022-27406).
+Author: Werner Lemberg
+Origin: 
https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2
+Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1140
+Bug-Debian: https://bugs.debian.org/1010183
+Last-Update: 2022-04-28
+
+--- a/src/base/ftobjs.c
 b/src/base/
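
The decrement guard from the CVE-2022-27404 hunks in this request and in the buster-pu request, as an added C model that is not FreeType source and not part of either mail. The function names, the three-face table and the scan range are assumptions made for illustration; the 0xFFFF mask is taken from FreeType's documented 16-bit face index, because the constant is cut off in the hunks as archived.

```c
#include <stdio.h>

/* Constructed model of the index selection patched for CVE-2022-27404.
 * A face_instance_index carries the face number in its low 16 bits;
 * a negative value -(N+1) asks for information on face N. */
#define MODEL_ABS(x) ((x) < 0 ? -(x) : (x))

/* Pre-patch logic: decrement whenever the request is negative. */
static int index_unpatched(int face_instance_index)
{
    int face_index = MODEL_ABS(face_instance_index) & 0xFFFF;

    if (face_instance_index < 0)
        face_index--;
    return face_index;
}

/* Patched logic: decrement only when the masked index is above zero. */
static int index_patched(int face_instance_index)
{
    int face_index = MODEL_ABS(face_instance_index) & 0xFFFF;

    if (face_instance_index < 0 && face_index > 0)
        face_index--;
    return face_index;
}

/* The bounds test visible in the hunk is an upper bound only. */
static int passes_upper_bound(int face_index, long count)
{
    return !(face_index >= count);
}

/* What a table lookup needs: 0 <= index < count. */
static int is_valid_slot(int face_index, long count)
{
    return face_index >= 0 && face_index < count;
}

/* Regression scan: count negative requests in [lowest, -1] whose index
 * passes the upper-bound test without being a valid table slot. */
static long count_escapes(int (*pick)(int), long count, int lowest)
{
    long escapes = 0;

    for (int req = -1; req >= lowest; req--) {
        int idx = pick(req);

        if (passes_upper_bound(idx, count) && !is_valid_slot(idx, count))
            escapes++;
    }
    return escapes;
}

int main(void)
{
    const long count = 3;                      /* constructed: 3 faces */
    const int samples[] = { -1, -3, -0x10000 }; /* constructed requests */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int before = index_unpatched(samples[i]);
        int after = index_patched(samples[i]);

        printf("request %8d: unpatched index %2d (%s), patched index %d (%s)\n",
               samples[i],
               before, is_valid_slot(before, count) ? "valid" : "INVALID",
               after, is_valid_slot(after, count) ? "valid" : "INVALID");
    }
    printf("escapes, unpatched: %ld\n",
           count_escapes(index_unpatched, count, -0x30000));
    printf("escapes, patched:   %ld\n",
           count_escapes(index_patched, count, -0x30000));
    return 0;
}
```

The scan shows why an upper-bound comparison alone does not protect the lookup: the unpatched decrement can produce an index below zero, which is smaller than any face count.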

Bug#1010022: RFS: microdc2/0.15.6-4.1 [NMU] -- command-line based Direct Connect client

2022-04-22 Thread Hugh McMaster
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for the package "microdc2":

 * Package name: microdc2
   Version : 0.15.6-4.1
   Upstream Author : Vladimir Chugunov
 * URL : http://corsair626.no-ip.org/microdc/
 * License : GPL-2+
 * Vcs : N/A
   Section : net

The source builds the following binary packages:

  microdc2 - command-line based Direct Connect client

To access further information about this package, please visit the
following URL:

  https://mentors.debian.net/package/microdc2/

Alternatively, you can download the package with 'dget' using this command:

  dget -x https://mentors.debian.net/debian/pool/main/m/microdc2/microdc2_0.15.6-4.1.dsc

Changes since the last upload:

 microdc2 (0.15.6-4.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * debian/control: Build-Depend on pkg-config.
   * debian/patches:
 - Drop "disable-libxml2-version-check" in favour of pkg-config.
 - Refresh some patches due to removal of "disable-libxml2-version-check".
 - Use pkg-config to find libxml2 (Closes: #949413).

Regards,
-- 
  Hugh McMaster



Bug#1008872: dia2code: diff for NMU version 0.8.3-4.2

2022-04-03 Thread Hugh McMaster
Package: dia2code
Version: 0.8.3-4.1
Severity: normal
Tags: patch  pending

Dear maintainer,

I've prepared an NMU for dia2code (versioned as 0.8.3-4.2).

I intend to seek sponsorship for this upload.

Please feel free to tell me if you can assist.

Regards,

Hugh

diff -Nru dia2code-0.8.3/debian/changelog dia2code-0.8.3/debian/changelog
--- dia2code-0.8.3/debian/changelog	2022-04-03 19:49:30.0 +1000
+++ dia2code-0.8.3/debian/changelog	2022-04-03 17:55:21.0 +1000
@@ -1,3 +1,27 @@
+dia2code (0.8.3-4.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Use package format 3.0 (quilt).
+  * Use debhelper-compat v13 (Closes: #965485).
+  * Switch from 'cdbs' to 'dh' format.
+  * debian/changelog: Trim trailing whitespace.
+  * debian/control:
+- Drop versioned dependency on libxml2.
+- Drop cdbs, autotools-dev and patchutils from the Build-Depends list.
+- Build-Depend on pkg-config.
+- Raise Standards-Version to 4.6.0 from 3.7.3 (no changes needed).
+- Declare Rules-Requires-Root: no.
+- Add Homepage field.
+- Remove alternative recommends on dia-gnome (Closes: #878587).
+- Add ${misc:Depends} to the binary package Depends list.
+  * debian/copyright: Use DEP-5 format and update for 2022.
+  * debian/patches: Add descriptions and other metadata.
+  * debian/rules: Add hardening flags to DEB_BUILD_MAINT_OPTIONS.
+  * Use pkg-config to find libxml2 (Closes: #949091).
+  * Update debian/watch file.
+
+ -- Hugh McMaster   Sun, 03 Apr 2022 17:55:21 +1000
+
 dia2code (0.8.3-4.1) unstable; urgency=medium
 
   * Non-maintainer upload.
@@ -26,7 +50,7 @@
   * debian/control: updated standards version to 3.7.3
   * debian/control: removed build-dep on doc-to-man and added cdbs, patchutils
   * debian/rules: switched to cdbs
-  * debian/compat: updated to 5 
+  * debian/compat: updated to 5
   * debian/patches: managed patches by cdbs simple-patchsys
   * Fixed manpage: added some options missing
   * debian/dia2code.sgml: removed this file because it was used for to generate
@@ -75,7 +99,7 @@
 
 dia2code (0.8.1-2) unstable; urgency=low
 
-  * Prevent a crash in lolipop_implementation(). Patch from Patrice Neff 
+  * Prevent a crash in lolipop_implementation(). Patch from Patrice Neff
  (also forwarded upstream) (Closes: #19)
 
  -- Cyrille Chepelov   Fri, 15 Feb 2002 00:07:06 +0100
@@ -96,7 +120,7 @@
 dia2code (0.7-1) unstable; urgency=low
 
   * New upstream release
-  
+
  -- Cyrille Chepelov   Fri,  7 Dec 2001 14:39:15 +0100
 
 dia2code (0.5-11) unstable; urgency=low
@@ -120,9 +144,9 @@
 behaviour of core tools are quite in disagreement...)
   * new maintainer address (same maintainer, but NM)
   * bumped up the standards version number in debian/control.
-  * debian/dia2code.sgml: bumped up to DocBook 4.1 (hopefully). 
+  * debian/dia2code.sgml: bumped up to DocBook 4.1 (hopefully).
   changed the manpage author's address (mine).
-  
+
  -- Cyrille Chepelov   Sat, 24 Mar 2001 21:17:06 +0100
 
 dia2code (0.5-8) unstable; urgency=low
@@ -138,7 +162,7 @@
   * removed obsolete call to dh_testversion in debian/rules
   * removed call to dh_installmenu, as this program doesn't make sense
 without command-line arguments.
-  
+
  -- Cyrille Chepelov   Fri,  9 Mar 2001 09:52:28 +0100
 
 dia2code (0.5-6) unstable; urgency=low
@@ -176,8 +200,5 @@
 dia2code (0.5-1) unstable; urgency=low
 
   * Initial Release.
-  * 
 
  -- Cyrille Chepelov   Fri,  2 Mar 2001 21:32:10 +0100
-
-
diff -Nru dia2code-0.8.3/debian/compat dia2code-0.8.3/debian/compat
--- dia2code-0.8.3/debian/compat	2022-04-03 19:49:30.0 +1000
+++ dia2code-0.8.3/debian/compat	1970-01-01 10:00:00.0 +1000
@@ -1,2 +0,0 @@
-5
-
diff -Nru dia2code-0.8.3/debian/control dia2code-0.8.3/debian/control
--- dia2code-0.8.3/debian/control	2022-04-03 19:49:30.0 +1000
+++ dia2code-0.8.3/debian/control	2022-04-03 17:55:21.0 +1000
@@ -1,14 +1,20 @@
 Source: dia2code
 Section: devel
 Priority: optional
-Build-Depends: debhelper (>= 5), cdbs, libxml2-dev (>= 2.4.10), autotools-dev, automake, patchutils
+Build-Depends:
+ debhelper-compat (= 13),
+ automake,
+ libxml2-dev,
+ pkg-config
 Maintainer: Francesco Aloe 
-Standards-Version: 3.7.3
+Standards-Version: 4.6.0
+Rules-Requires-Root: no
+Homepage: https://sourceforge.net/projects/dia2code/
 
 Package: dia2code
 Architecture: any
-Depends: ${shlibs:Depends}
-Recommends: dia | dia-gnome
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Recommends: dia
 Description: a dia-UML code generator
  dia2code is a code generator which uses UML diagrams produced by dia,
  and turns them into C, C++, Java, Ada, PHP, Python, Shapefile, SQL,
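Review bot: The changelog wording for the Build-Depends change does not match what this hunk does: the removed line carried "libxml2-dev (>= 2.4.10)" and the added list has plain "libxml2-dev", yet the entry reads "Drop versioned dependency on libxml2". Suggest naming the package and the field, for example "Drop version constraint on the libxml2-dev build-dependency", so the entry cannot be read as a change to the binary package's runtime Depends, which this hunk leaves to ${shlibs:Depends}.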
diff -Nru dia2code-0.8.3/debian/copyright dia2code-0.8.3/debian/copyright
--- dia2code-0.8.3/debian/copyright	2022-04-03 19:49:30.0 +1000
+++ dia2code-0.8.3/debian/copyright	2022-04-03 17:09:51.0 +1000
@@ -1,17 +1,90 @@
-This package was debianized by Cyrille Chepelov  on
-Tue, 20 Feb 2001

Bug#1008485: cpm: diff for NMU version 0.32-1.4

2022-03-27 Thread Hugh McMaster
Package: cpm
Version: 0.32-1.3
Severity: normal
Tags: patch  pending

Dear maintainer,

I've prepared an NMU for cpm (versioned as 0.32-1.4).

I intend to seek sponsorship for this package. Please let me know
if my sponsor should delay the upload or if you can assist.

Regards,

Hugh
diff -Nru cpm-0.32/debian/changelog cpm-0.32/debian/changelog
--- cpm-0.32/debian/changelog	2020-08-19 04:15:38.0 +1000
+++ cpm-0.32/debian/changelog	2022-03-27 22:15:18.0 +1100
@@ -1,3 +1,31 @@
+cpm (0.32-1.4) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Switch to debhelper-compat v13.
+  * debian/changelog: Remove trailing whitespace.
+  * debian/copyright: Switch to DEP-5 format and update for 2022.
+  * debian/control:
+- Priority: extra -> optional.
+- Update Build-Depends:
+  + libgpgme11-dev -> libgpgme-dev.
+  + libncurses5-dev -> libncurses-dev (Closes: #851594).
+  + Require pkg-config.
+  + Remove autotools-dev and dh_autoreconf (no longer needed).
+  + Remove duplicate libcdk5-dev entry.
+- Declare Rules-Requires-Root: binary-targets.
+- Update Vcs-Git and homepage fields.
+- Raise Standards-Version to 4.6.0 (no changes needed).
+- Remove trailing whitespace.
+  * debian/patches:
+- Use pkg-config to find libxml2 (Closes: #949088).
+- Remove non-POSIX features from configure.in (Closes: #998786).
+- Rename 'ftbfs.patch' to fix-ftbfs-gcc-10.patch'.
+  * debian/rules: Remove unneeded dh arguments --parallel --with=autoreconf.
+  * Add debian/upstream/metadata file.
+  * Update debian/watch and point to GitHub.
+
+ -- Hugh McMaster   Sun, 27 Mar 2022 22:15:18 +1100
+
 cpm (0.32-1.3) unstable; urgency=medium
 
   * Non-maintainer upload.
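Review bot: Two entries in the new 0.32-1.4 block are misspelled and should be fixed before upload. "Rename 'ftbfs.patch' to fix-ftbfs-gcc-10.patch'." is missing the opening quote on the new name, and "Remove autotools-dev and dh_autoreconf" names the helper command, whereas the build-dependency dropped in debian/control is the package dh-autoreconf.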
@@ -17,7 +45,7 @@
 
   * Non-maintainer upload.
   * Fix ftbfs due to cdk.h moved from /usr/include/cdk to /usr/include
-(Closes: #802221) 
+(Closes: #802221)
 
  -- YunQiang Su   Sun, 18 Oct 2015 23:14:34 +0800
 
@@ -74,6 +102,6 @@
 
 cpm (0.25-1) unstable; urgency=low
 
-  * Initial release (Closes: #55, #588526) 
+  * Initial release (Closes: #55, #588526)
 
  -- Stig Sandbeck Mathisen   Mon, 17 Jan 2011 17:40:55 +0100
diff -Nru cpm-0.32/debian/compat cpm-0.32/debian/compat
--- cpm-0.32/debian/compat	2020-08-19 04:05:18.0 +1000
+++ cpm-0.32/debian/compat	1970-01-01 10:00:00.0 +1000
@@ -1 +0,0 @@
-9
diff -Nru cpm-0.32/debian/control cpm-0.32/debian/control
--- cpm-0.32/debian/control	2020-08-19 04:05:18.0 +1000
+++ cpm-0.32/debian/control	2022-03-27 22:03:31.0 +1100
@@ -1,32 +1,30 @@
 Source: cpm
 Section: utils
-Priority: extra
+Priority: optional
 Maintainer: Kacper Wysocki (Redpill-Linpro) 
 Uploaders: Stig Sandbeck Mathisen 
 Build-Depends:
- debhelper (>= 9~),
- autotools-dev,
- dh-autoreconf,
+ debhelper-compat (= 13),
  libcdk5-dev,
  libcrack2-dev,
  libdotconf-dev,
- libgpgme11-dev,
- libncurses5-dev,
- libncursesw5-dev,
+ libgpgme-dev,
+ libncurses-dev,
  libxml2-dev,
+ pkg-config,
  txt2man,
- zlib1g-dev,
- libcdk5-dev,
-Standards-Version: 3.9.5
-Vcs-Git: git://github.com/comotion/cpm.git
+ zlib1g-dev
+Standards-Version: 4.6.0
+Rules-Requires-Root: binary-targets
+Homepage: https://github.com/comotion/cpm
 Vcs-Browser: https://github.com/comotion/cpm
-Homepage: http://github.com/comotion/cpm
+Vcs-Git: https://github.com/comotion/cpm.git
 
 Package: cpm
 Architecture: any
 Depends: ${misc:Depends}, ${shlibs:Depends},
  libxml2-utils
-Description: Curses based password manager using PGP-encryption 
+Description: Curses based password manager using PGP-encryption
  This program is a ncurses based console tool to manage passwords
  and store them public key encrypted in a file - even for more than
  one person. The encryption is handled via GnuPG so the programs data
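Review bot: "Rules-Requires-Root: binary-targets" is declared without any stated reason, and it keeps the binary targets running under (fake)root where "no" would drop that privilege; if nothing in debian/rules depends on root ownership or chown, prefer "no", otherwise say in the changelog what needs it. The same hunk also removes libncursesw5-dev, which the changelog's "libncurses5-dev -> libncurses-dev" line does not mention.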
diff -Nru cpm-0.32/debian/copyright cpm-0.32/debian/copyright
--- cpm-0.32/debian/copyright	2020-08-19 04:05:18.0 +1000
+++ cpm-0.32/debian/copyright	2022-03-27 21:54:53.0 +1100
@@ -1,37 +1,34 @@
-This package was debianized by Lars Bahner  on
-Fri, 03 Apr 2009 14:59:19 +0200.
-
-It was downloaded from http://www.harry-b.de/dokuwiki/doku.php?id=harry:cpm
-
-Upstream Author:
-
-Harry Brueckner 
-
-Copyright:
-
-Copyright (C) 2005-2009 Harry Brueckner
-Copyright (C) 2010 Kacper Wysocki
-
-License:
-
-This package is free software; you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation; either version 2 of the License, or
-(at your option) any later version.
-
-This package is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License
-along with this package; if not, write to the F

Bug#1007238: apwal: diff for NMU version 0.4.5-1.2

2022-03-14 Thread Hugh McMaster
Source: apwal
Version: 0.4.5-1.1
Severity: normal
Tags: patch

Dear maintainer,

I've prepared an NMU for apwal (versioned as 0.4.5-1.2).

I intend to seek sponsorship for this upload.

Please feel free to let me know if you wish to handle this.

Kind regards,

Hugh


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.16.0-4-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru apwal-0.4.5/debian/changelog apwal-0.4.5/debian/changelog
--- apwal-0.4.5/debian/changelog2022-03-14 22:17:36.0 +1100
+++ apwal-0.4.5/debian/changelog2022-03-14 22:04:23.0 +1100
@@ -1,3 +1,32 @@
+apwal (0.4.5-1.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Switch package to 3.0 (quilt) format.
+  * Use 'dh' format to avoid missing build-arch and/or build-indep
+targets in debian/rules (Closes: #999315).
+  * debian/changelog: Remove trailing whitespace.
+  * debian/control:
+- Use debian-compat v13.
+- Raise Standards-Version to 4.6.0 (no changes needed).
+- Declare Rules-Requires-Root: no.
+- Drop duplicate Section field.
+- Declare package Multi-Arch: foreign.
+  * debian/copyright: Use DEP-5 format and update for 2022.
+  * debian/patches:
+- Fix cross-building and other issues (Closes: #929646).
+  Thanks to Helmut Grohne for supplying a patch.
+- Don't override build system CFLAGS, CPPFLAGS or LDFLAGS.
+- Use pkg-config to detect libxml2 (Closes: #949051).
+- Don't manually strip the binary (Closes: #436940).
+- Fix install path to work with dh_auto_install.
+- Multiple spelling fixes (Lintian).
+  * debian/rules:
+- Switch to `dh' format.
+- Export hardening flags.
+  * Add debian/watch file.
+
+ -- Hugh McMaster   Mon, 14 Mar 2022 22:04:23 +1100
+
 apwal (0.4.5-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
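Review bot: The debian/control entry "Use debian-compat v13" names something that does not exist; the control hunk build-depends on "debhelper-compat (= 13)", so the entry should read "Use debhelper-compat v13". The debian/rules entry "Export hardening flags" would also help later readers more if it said which set is enabled, since the changelog is where most people will look for it.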
@@ -19,4 +48,3 @@
   * Initial release (Closes: #230373).
 
  -- Sam Hocevar (Debian packages)   Wed, 25 Feb 2004 11:18:16 
+0100
-
diff -Nru apwal-0.4.5/debian/compat apwal-0.4.5/debian/compat
--- apwal-0.4.5/debian/compat   2022-03-14 22:17:36.0 +1100
+++ apwal-0.4.5/debian/compat   1970-01-01 10:00:00.0 +1000
@@ -1 +0,0 @@
-9
diff -Nru apwal-0.4.5/debian/control apwal-0.4.5/debian/control
--- apwal-0.4.5/debian/control  2022-03-14 22:17:36.0 +1100
+++ apwal-0.4.5/debian/control  2022-03-14 21:43:17.0 +1100
@@ -2,13 +2,14 @@
 Section: gnome
 Priority: optional
 Maintainer: Sam Hocevar (Debian packages) 
-Build-Depends: debhelper (>= 9), libgtk2.0-dev, libxml2-dev
-Standards-Version: 3.6.1.0
+Build-Depends: debhelper-compat (= 13), libgtk2.0-dev, libxml2-dev
+Standards-Version: 4.6.0
 Homepage: http://apwal.free.fr/
+Rules-Requires-Root: no
 
 Package: apwal
-Section: gnome
 Architecture: any
+Multi-Arch: foreign
 Depends: ${shlibs:Depends}, ${misc:Depends}
 Description: icon-based floating application launcher with transparency
  Apwal is a simple icon-based application launcher. It consists of two
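Review bot: pkg-config is missing from the Build-Depends line even though the changelog says the build now uses pkg-config to detect libxml2 (Closes: #949051); the line still lists only debhelper-compat, libgtk2.0-dev and libxml2-dev, so the tool is available only if one of those happens to pull it in. Add pkg-config explicitly, because a build-dependency that is relied on only transitively can disappear without notice.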
diff -Nru apwal-0.4.5/debian/copyright apwal-0.4.5/debian/copyright
--- apwal-0.4.5/debian/copyright2022-03-14 22:17:36.0 +1100
+++ apwal-0.4.5/debian/copyright2022-03-13 19:57:41.0 +1100
@@ -1,25 +1,49 @@
-This package was downloaded from http://apwal.free.fr/ by Sam Hocevar
- on Wed, 25 Feb 2004 11:18:16 +0100.
-
-Upstream Author: Pascal Eberhard 
-
-Copyright (C) 2002-2004 Pascal Eberhard 
-
-  This program is free software; you can redistribute it and/or
-  modify it under the terms of the GNU General Public License as
-  published by the Free Software Foundation; either version 2 of the
-  License, or (at your option) any later version.
-
-  This program is distributed in the hope that it will be useful,
-  but WITHOUT ANY WARRANTY; without even the implied warranty of
-  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-  General Public License for more details.
-
-  You should have received a copy of the GNU General Public
-  License along with this program; if not, write to the
-  Free Software Foundation, Inc., 59 Temple Place - Suite 330,
-  Boston, MA 02111-1307, USA.
-
-On Debian GNU/Linux systems, the complete text of the GNU General
-Public License can be found in `/usr/share/common-licenses/GPL'.
-
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: Apwal
+Upstream-Contact: Pascal Eberhard 
+Source: http://apwal.free.fr
+Comment: This package was downloaded from http://apwal.free.fr by Sam Hocevar
+ on Wednesday, 25 February 2004 at 11:18:16 +0100.
+
+Files: *
+Copyright: 2002-2004 Pascal Eberh

Bug#1005887: unixodbc-dev does not contain unixodbc_conf.h

2022-02-22 Thread Hugh McMaster
Hallo Jan,

On Tue, 22 Feb 2022 at 07:06, Jan Wielemaker wrote:
>
> Thanks for your answer.  I'm not convinced.  You are telling that we
> must define macros to make sql.h get the right type for SQLBIGINT.
> Getting the right type (some alias for int64_t or a struct) is IMO
> something that should be done by unixodbc such that the application
> gets a working SQLBIGINT that matches the library.  That is how it
> used to be as long as we use unixodbc.   sql.h used to do so by
> including the platform dependent type configuration file.  As it
> is working now, we actually have to know which of the HAVE_* and
> SIZEOF_* macros we must define before including sql.h.
> If this is no longer how it works, do you happen to know the
> motivation why not?


This is how the headers should ideally be used. However, most programs
don't #define SIZEOF_LONG_INT and rely on the presence of
unixodbc_conf.h to #define all relevant macros (generally, just
SIZEOF_LONG_INT and HAVE_LONG_LONG). This is much easier and most
likely the expected behaviour.

If you look at sqltypes.h, you'll notice #ifndef SIZEOF_LONG_INT then
#includes unixodbc_conf.h.

unixodbc_conf.h is an arch-specific header, which mostly contains
information on how unixodbc was built. Most of this information is not
relevant to downstream packages. I'm working with upstream to split
unixodbc_conf.h into a public header that contains relevant #defines
and a private header with the build-system information.

In the meantime, I'll update the Debian package to avoid this issue by
including the relevant macros from unixodbc_conf.h. That way, defining
SIZEOF_LONG_INT will not be required and everything should work as it
did previously.



Bug#1000512: psqlodbc: autopkgtests should Depend on odbcinst

2021-11-24 Thread Hugh McMaster
Source: psqlodbc
Version: 1:13.02.-1
Severity: important

The recent upload of unixodbc 2.3.9-2 to unstable triggered psqlodbc's
autopkgtests, which fail because odbcinst is not installed.

In previous versions of unixodbc, odbcinst was installed via odbcinst1debian2,
which was a dependency of unixodbc-dev.

odbcinst is no longer a dependency due to the creation of new binary packages
and file movement.

Please add odbcinst to your package's autopkgtest control file as soon as
possible to help unixodbc to migrate.


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-1-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#998169: transition: unixodbc

2021-10-31 Thread Hugh McMaster
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Due to various changes, unixodbc's libraries, libodbc, libodbccr and libodbccr
have a new soversion.

Test results after rebuilding all reverse dependencies and reverse-build
dependencies:

The following packages FTBFS for reasons unrelated to unixodbc:
  * asterisk; see #997136
  * libghc-hdbc-odbc-dev (src:hdbc-odbc); not in testing
  * libmyodbc (src:myodbc); not in testing
  * pike8.0-odbc (src:pike8.0); not in testing
  * w1retap-odbc (src:w1retap); not in testing

tdbcodbc will require a source or NMU upload; see #997057, where the maintainer
says he will take care of this.

grass, vtk7, mysql-workbench and saga all require rebuilds once gdal is
rebuilt.


Ben file:

title = "unixodbc";
is_affected = .depends ~ "libodbc1" | .depends ~ "odbcinst1debian2" | .depends
~ "libodbc2" | .depends ~ "libodbccr2" | .depends ~ "libodbcinst2";
is_good = .depends ~ "libodbc2" | .depends ~ "libodbccr2" | .depends ~
"libodbcinst2";
is_bad = .depends ~ "libodbc1" | .depends ~ "odbcinst1debian2";



Bug#998064: sm: fails to display text containing letter 'e' due to errors in libfreetype after upgrade

2021-10-31 Thread Hugh McMaster
On Sun, 31 Oct 2021 at 01:36, Paul Wise wrote:
>
> I figured out that this command causes the issue:
>
>$ gsettings set org.gnome.desktop.interface font-antialiasing rgba
>
> and this command fixes the issue:
>
>$ gsettings set org.gnome.desktop.interface font-antialiasing grayscale

'grayscale' was the default font-antialiasing value on my test VM. I
also tested 'rgba' out of interest.

I didn't encounter any rendering issues with either value (note: I
restarted between test runs).

I also didn't get any terminal output with any combination of text or rotation.

I'll keep investigating. There are a few options to try yet.



Bug#997870: unixodbc-dev: libltdl-dev really required?

2021-10-30 Thread Hugh McMaster
Control: tags -1 pending

Hi Alexander,

Thank you for filing this bug report.

On Tue, 26 Oct 2021 at 23:09, Alexander Traud wrote:
>
> Package: unixodbc-dev
> Version: 2.3.6-0.1build2
>
> In salsa [1], I see that the dependency on libltdl-dev was added to the -dev 
> package in the year 2004 already. At first glance, I found no
> use/reference to libltdl-dev (except at build time). Therefore, I am curious
> why this dependency exists on the -dev package (and is even a required 
> dependency).
>
> I found a reference of ltdl.h in odbcinstext.h. However, that part is guarded 
> with a compile-time-only define UNIXODBC_SOURCE. Is/was that the reason? If 
> yes, I created a Pull Request upstream to discuss or fix this: 
> 

I've had a look into the use of ltdl.h and UNIXODBC_SOURCE, and I've
come to the same conclusion you have: Debian builds don't use or
#define UNIXODBC_SOURCE at all.

I saw upstream had confirmed your thinking around UNIXODBC_SOURCE
being a compile-time define and merged your patch. I can't see or find
any reason for unixodbc-dev to depend on libltdl-dev, so I'll remove
that dependency when I release the next version.

I'll be starting a transition to unixodbc 2.3.9 soon, so this change
will need to wait until after that.



Bug#998103: RFS: loudgain/0.6.8+ds-2 [RC] -- ReplayGain 2.0 loudness normalizer

2021-10-30 Thread Hugh McMaster
Package: sponsorship-requests
Severity: important

Dear mentors,

I am looking for a sponsor for my package "loudgain":

 * Package name: loudgain
   Version : 0.6.8+ds-2
   Upstream Author : Matthias C. Hormann 
 * URL : https://github.com/Moonbase59/loudgain
 * License : BSD-2-Clause
 * Vcs : https://salsa.debian.org/hmc-guest/loudgain
   Section : sound

The source builds the following binary packages:

  loudgain - ReplayGain 2.0 loudness normalizer based on the EBU R128 standard

To access further information about this package, please visit the
following URL:

  https://mentors.debian.net/package/loudgain/

Alternatively, one can download the package with dget using this command:

  dget -x https://mentors.debian.net/debian/pool/main/l/loudgain/loudgain_0.6.8+ds-2.dsc

Changes since the last upload:

 loudgain (0.6.8+ds-2) unstable; urgency=medium
 .
   [ Debian Janitor ]
   * Remove version constraints on build-dependencies unnecessary since Buster.
 .
   [ Hugh McMaster ]
   * debian/gbp.conf: Use DEP-14 branch naming.
   * debian/control:
 - Build-Depend on zlib1g-dev | libz-dev (Closes: #997233).
 - Raise Standards-Version to 4.6.0 from 4.5.0 (no changes needed).
   * debian/source/lintian-overrides: Silence a line-length warning in
the upstream README.md file.

Regards,

-- 
  Hugh McMaster



Bug#998064: sm: fails to display text containing letter 'e' due to errors in libfreetype after upgrade

2021-10-30 Thread Hugh McMaster
Hi Paul,

On Fri, 29 Oct 2021 at 21:21, Paul Wise wrote:
>
> Not sure if this issue is a bug in sm or freetype, please reassign.
>
> Since the upgrade of freetype from 2.10.4+dfsg-1 to 2.11.0+dfsg-1,
> whenever I attempt to display a string in sm containing letter e,
> either via the command-line or by typing it into the text input,
> the entire string does not display, I get errors in the terminal
> and I cannot type any more input except for pressing Esc twice.
>
>$ sm e
>(sm:2529177): Gtk-WARNING **: 13:23:34.553: drawing failure for widget 
> 'GtkDrawingArea': error occurred in libfreetype
>
>(sm:2529177): Gtk-WARNING **: 13:23:34.574: drawing failure for widget 
> 'GtkBox': error occurred in libfreetype
>
>(sm:2529177): Gtk-WARNING **: 13:23:34.574: drawing failure for widget 
> 'GtkWindow': error occurred in libfreetype
>
> The problem stops happening if I downgrade freetype to 2.10.4+dfsg-1.
>
> The problem happens with some fonts but not every single font.

With which fonts are you seeing the problem?

> The problem happens for rotating 180° or 360° but not 90° or 270°.
>
> The problem happens with "e" "ea" "eaa" "eaaa" but not "e".
>
> The problem happens for me with GNOME Wayland and if I force X11.

I'm not seeing any issues or warnings using Cinnamon and X11 on Debian
Sid on these letter combinations or rotations.

I'll spin up a GNOME VM and report back.

> The problem only happens with my existing user account, not a new one.
>
> The problem still happens if I delete my fontconfig cache files.
>
> Folks on IRC say this does not happen in X11 KDE/MATE/Xfce/openbox/dwm
> and Wayland/X11 GNOME. One person found it does happen in X11 LXQt.
>
> When I compare the ltrace output, when the issue occurs, the function
> pango_cairo_show_layout returns 40 while it returns 0 otherwise.
>
> I tried recompiling freetype with support for the FT2_DEBUG environment
> variable but I can't find the error in the log output.



Bug#997057: tdbcodbc: Build-Depend on unixodbc-dev

2021-10-23 Thread Hugh McMaster
Source: tdbcodbc
Version: 1.1.2-1
Severity: important
Tags: ftbfs

Dear Maintainer,

I will soon be starting a transition with unixODBC that will cause a build
failure with src:tdbcodbc due to its hard-coded build-dependencies of libodbc1
and odbcinst1debian2.

To avoid issues with the transition to the new packages, please update your
debian/control file to build-depend on unixodbc-dev. This will give you the
libraries required: libodbc2, libodbccr2 and libodbcinst2.

The binary tcl8.6-tdbc-odbc should also be updated to depend on unixodbc-dev.

Thank you


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.14.0-3-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#993585: devscripts: uscan attempts to use the filenamemangle'd name with pgpsigurlmangle

2021-09-03 Thread Hugh McMaster
Package: devscripts
Version: 2.21.4
Severity: important

Dear Maintainer,

When using uscan to download the latest version of FreeType and its component
tarballs, uscan fails.

scan: Newest version of ft2docs on remote site is 2.11.0, specified
download version is 2.11.0
gpgv: can't open
'../https://download.savannah.gnu.org/releases/freetype/freetype-2.11.0-ft2docs.tar.xz.sig':
No such file or directory

It seems uscan is using the filenamemangle'd name as input to pgpsigurlmangle.

While I can (and will) update my string replacement pattern in d/watch, the
rules as they are now have previously worked without issue.


-- Package-specific info:

--- /etc/devscripts.conf ---
Empty.

--- ~/.devscripts ---
Not present

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-8-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages devscripts depends on:
ii  dpkg-dev              1.20.9
ii  fakeroot              1.25.3-1.1
ii  file                  1:5.39-3
ii  gnupg                 2.2.27-2
ii  gpgv                  2.2.27-2
ii  libc6                 2.31-17
ii  libfile-dirlist-perl  0.05-2
ii  libfile-homedir-perl  1.006-1
ii  libfile-touch-perl    0.11-1
ii  libfile-which-perl    1.23-1
ii  libipc-run-perl       20200505.0-1
ii  libmoo-perl           2.005004-2
ii  libwww-perl           6.53-1
ii  patchutils            0.4.2-1
ii  perl                  5.32.1-5
ii  python3               3.9.2-3
ii  sensible-utils        0.0.17
ii  wdiff                 1.2.2-2+b1

-- no debconf information
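
The mix-up suspected in the report above, modelled as an added example (not uscan's code and not part of the original report): pgpsigurlmangle is meant to be applied to the upstream tarball URL, while filenamemangle only names the local copy. The upstream tarball name freetype-doc-2.11.0.tar.xz and both mangle rules are constructed assumptions; only the host and the failing .sig path come from the report.

```python
"""Toy model of uscan-style mangle rules; not uscan's implementation."""
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample input: the tarball name and both rules are assumptions.
URL = "https://download.savannah.gnu.org/releases/freetype/freetype-doc-2.11.0.tar.xz"
FILENAMEMANGLE = r"s%.*/freetype-doc-([\d.]+)\.tar\.xz%freetype-$1-ft2docs.tar.xz%"
PGPSIGURLMANGLE = r"s%$%.sig%"


def parse_rule(rule):
    """Split a Perl-style s<delim>pattern<delim>replacement<delim>flags rule."""
    if len(rule) < 4 or rule[0] != "s":
        raise ValueError(f"not a substitution rule: {rule!r}")
    delim = rule[1]
    # Split only on delimiters that are not backslash-escaped.
    parts = re.split(r"(?<!\\)" + re.escape(delim), rule[2:])
    if len(parts) != 3:
        raise ValueError(f"expected pattern, replacement and flags: {rule!r}")
    pattern, repl, flags = (p.replace("\\" + delim, delim) for p in parts)
    return pattern, repl, flags


def apply_rules(rules, text):
    """Apply ';'-separated substitution rules in order, as a mangle option does."""
    for rule in filter(None, (r.strip() for r in rules.split(";"))):
        pattern, repl, flags = parse_rule(rule)
        # Keep literal backslashes, then turn Perl's $1 into Python's \g<1>.
        repl = repl.replace("\\", "\\\\")
        repl = re.sub(r"\$(\d+)", r"\\g<\1>", repl)
        text = re.sub(pattern, repl, text,
                      count=0 if "g" in flags else 1,
                      flags=re.IGNORECASE if "i" in flags else 0)
    return text


def derive(url, filenamemangle, pgpsigurlmangle):
    """Intended order: both rules take the upstream URL as their input."""
    return apply_rules(filenamemangle, url), apply_rules(pgpsigurlmangle, url)


def faulty_sig_url(url, filenamemangle, pgpsigurlmangle):
    """Suspected order: the mangled file name is what pgpsigurlmangle sees."""
    mangled = urljoin(url, apply_rules(filenamemangle, url))
    return apply_rules(pgpsigurlmangle, mangled)


def check_plan(url, local_name, sig_url):
    """Return a list of problems; an empty list means the plan is consistent.

    Assumes the signature is published as <tarball URL><suffix>.
    """
    problems = []
    src, sig = urlsplit(url), urlsplit(sig_url)
    if (sig.scheme, sig.netloc) != (src.scheme, src.netloc):
        problems.append("signature URL is on a different scheme or host")
    if not sig.path.startswith(src.path):
        problems.append("signature URL does not refer to the upstream tarball")
    if "/" in local_name or ":" in local_name or local_name.startswith("."):
        problems.append("local file name is not a plain file name")
    return problems


if __name__ == "__main__":
    name, sig = derive(URL, FILENAMEMANGLE, PGPSIGURLMANGLE)
    print("local name :", name)
    print("sig URL    :", sig, check_plan(URL, name, sig))
    bad = faulty_sig_url(URL, FILENAMEMANGLE, PGPSIGURLMANGLE)
    print("faulty sig :", bad, check_plan(URL, name, bad))
```

With the faulty order the derived signature URL is exactly the string gpgv failed to open in the report, so the signature of the tarball that was actually downloaded is never fetched or checked.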



Bug#972085: gtkam: Build-Depends on libexif-gtk, which is moving to GTK3

2020-11-17 Thread Hugh McMaster
Hi Adrian,

On Tue, 17 Nov 2020 at 03:53, Adrian Bunk wrote:

> What is the point of moving libexif-gtk to GTK3 when the only package
> using it does not support it?
>
> This sounds like a mistake that should be reverted.


I already have. When I realised gtkam was an issue, I updated libexif-gtk
to build both GTK 2 and 3.

Unfortunately, gtkam is dead upstream, so nothing will change there.
However, several good alternatives exist.

The Debian QA team is also reluctant to remove gtkam due to its popcon
installation numbers.

That said, as libexif-gtk will have GTK 2 support for some time, this bug
severity can probably be downgraded.

If smcv does manage to remove GTK 2 during the next development cycle,
however, we will need to revisit this bug.

>


Bug#973413: RFS: idzebra/2.2.0-1 -- IDZebra documentation

2020-10-30 Thread Hugh McMaster
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "idzebra":

 * Package name: idzebra
   Version : 2.2.0-1
   Upstream Author : Adam Dickmeiss 
 * URL : https://www.indexdata.com/resources/software/zebra/
 * License : GPL-2+, Expat-X, FSFULLR, FSFUL and GPL-2+,
FSFULLR and GPL-2+, FSFULLR and GPL-2+ and FSFUL
 * Vcs : https://salsa.debian.org/debian/idzebra
   Section : text

The source builds the following binary packages:

  idzebra-2.0-doc - IDZebra documentation
  libidzebra-2.0-mod-grs-xml - IDZebra filter grs.xml (XML filter)
  libidzebra-2.0-mod-grs-regx - IDZebra filters grs.regx, grs.tcl
  libidzebra-2.0-mod-grs-marc - IDZebra filter grs.marc (ISO2709 MARC reader)
  libidzebra-2.0-mod-text - IDZebra filter text
  libidzebra-2.0-mod-safari - IDZebra filter 'safari' (DBC)
  libidzebra-2.0-mod-dom - IDZebra filter 'dom' (XML DOM internal
document model with XSLT)
  libidzebra-2.0-mod-alvis - IDZebra filter alvis (XSLT filter for XML)
  libidzebra-2.0-0 - IDZebra libraries
  libidzebra-2.0-dev - IDZebra development
  idzebra-2.0-utils - IDZebra utility programs
  idzebra-2.0-examples - IDZebra example configurations
  idzebra-2.0-common - IDZebra common files
  libidzebra-2.0-modules - IDZebra modules
  idzebra-2.0 - IDZebra metapackage (the works)

To access further information about this package, please visit the
following URL:

  https://mentors.debian.net/package/idzebra/

Alternatively, one can download the package with dget using this command:

  dget -x https://mentors.debian.net/debian/pool/main/i/idzebra/idzebra_2.2.0-1.dsc

Changes since the last upload:

 idzebra (2.2.0-1) unstable; urgency=medium
 .
   [ Debian Janitor ]
   * debian/copyright: Use spaces rather than tabs to start continuation lines.
   * Set upstream metadata fields: Repository.
 .
   [ Hugh McMaster ]
   * New upstream version 2.2.0
 - Upstream now ships a pkg-config file (zebra.pc).
 - idzebra-config-2.0 is no longer packaged.
   * debian/control:
 - Use debhelper-compat version 13.
 - Build-Depend on libncurses-dev instead of libncurses5-dev.
 - Build-Depend on tcl-dev instead of tcl8.6-dev.
 - Mark libidzebra-2.0-dev Multi-Arch: same.
 - Drop Breaks+Replaces on very old binary version of idzebra-2.0-utils.
   * debian/copyright: Update for idzebra 2.2.0.
   * debian/not-installed: Add idzebra-config script, man page and symlinks.
   * debian/patches:
 - Remove idzebra-config-no-build-path.patch (no longer needed since
   idzebra-config-2.0 is no longer installed).
 - Remove pkg-config.patch (no longer needed).
 - Add patch to clean up left-over test files.
 - Add patch to convert upstream files encoded as ISO-8859-1 to UTF-8.
   * debian/rules:
 - Use pkg-config to detect the yaz library.
 - Set package install path for upstream examples.
 - Regenerate upstream documentation on each build.
 - Remove unneeded DEB_CCACHE_DIR export, git repository check,
   dh_auto_clean override and dh_shlibdeps override.
 - Remove unneeded 'clean' target and manual clean-up of auto-generated
   build files and test files.
   * debian/source/options: Ignore changes to auto-generated documentation.
   * idzebra-2.0-common: Add lintian override for national-encoding warning.
   * idzebra-2.0-doc: Install documentation in a subdirectory of the
 main package (idzebra-2.0).
   * idzebra-2.0-utils:
 - Install upstream binaries, man pages and symlinks.
 - Remove prerm and postinst maintenance scripts.
 - Add preinst maintenance script to remove update-alternatives symlinks.
   * libidzebra-2.0-dev:
 - No longer install idzebra-config-2.0 or its man page.
 - Remove prerm and postinst maintenance scripts.
 - Add preinst maintenance script to remove update-alternatives symlinks.
 - Install pkg-config file (zebra.pc).
   * idzebra-2.0-examples.install: Rename to idzebra-2.0-examples.examples.
   * idzebra-2.0-doc.install: Rename to idzebra-2.0-doc.docs

Regards,
--
  Hugh McMaster



Bug#972085: gtkam: Build-Depends on libexif-gtk, which is moving to GTK3

2020-10-12 Thread Hugh McMaster
Source: gtkam
Version: 1.0-3
Severity: serious
Tags: ftbfs
Justification: Policy 7.7

Dear Maintainer,

libexif-gtk is moving to GTK3 in response to #967573.

gtkam also only supports GTK2, which means it blocks the introduction of
libexif-gtk built on GTK3.

Upstream gtkam has seen no activity since October 2016 and appears dead.

If this is not the case, please ask them to convert the source to GTK2.

gtkam may need to be removed from Debian if no action is taken.

Thank you



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.8.0-2-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-- no debconf information



Bug#971899: armagetronad: Please package 0.2.9.0.1

2020-10-09 Thread Hugh McMaster
Package: armagetronad
Version: 0.2.8.3.5-1
Severity: normal
Tags: upstream

Dear Maintainer,

armagetronad is now at version 0.2.9.0.1 upstream. It would be good to have the
latest version in Debian.

In addition, your d/watch file is out of date. Upstream has moved to gitlab:
https://gitlab.com/armagetronad/armagetronad.

Finally, please mark armagetronad-common Multi-Arch: foreign.

Thank you



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.8.0-2-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages armagetronad depends on:
ii  armagetronad-common     0.2.8.3.5-1
ii  libc6                   2.31-3
ii  libgcc-s1               10.2.0-13
ii  libgl1                  1.3.2-1
ii  libglu1-mesa [libglu1]  9.0.1-1
ii  libpng16-16             1.6.37-3
ii  libsdl-image1.2         1.2.12-12
ii  libsdl1.2debian         1.2.15+dfsg2-5
ii  libstdc++6              10.2.0-13
ii  libxml2                 2.9.10+dfsg-6

armagetronad recommends no packages.

armagetronad suggests no packages.

-- no debconf information



Bug#971067: RFS: libexif-gtk/0.5.0-1

2020-10-01 Thread Hugh McMaster
Hi Andreas,

On Thu, 1 Oct 2020 at 02:49, Andreas Metzler wrote:
> Runtime libraries are generally installed as a dependency, when the
> depending package is rebuilt against the newer library apt will pull it
> in and the old library can be autoremoved.

Very nice.

> > I’m also targeting experimental to be safe, as I expected some breakage
> > from this change.
> [...]
>
> Also library transition will need to be coordinated with Debian release,
> pre-upload to sid.

Thanks for reminding me. :)

I've uploaded a new version of libexif-gtk to Debian Mentors, fixing
the issues discussed in this thread.

Thanks for your help with this.

Hugh



Bug#969536: libfreetype6-dev: It was found that the package does not contain freetype-config

2020-09-10 Thread Hugh McMaster
Control: tags -1 - a11y
Control: tags -1 + wontfix

On Sat, 5 Sep 2020 at 00:48, 欧阳春晖 wrote:
> It is found that the package does not contain freetype config, while
> that of Ubuntu contains freetype config. This may be a packaging error.
> Please fix it

I'm removing the a11y tag, since your bug report has nothing to do
with accessibility.

While you are correct that libfreetype-dev doesn't contain
freetype-config, the fact the script isn't installed is not a bug.

The upstream developers deprecated freetype-config around 2.5 years
ago. Debian hasn't packaged freetype-config since. In fact, the most
recent Debian package to contain freetype-config is 2.6.3-3.2+deb9u1
in Debian Stretch (oldstable).

All of this is to say that freetype-config won't be coming back. You
need to use pkg-config to detect the FreeType 2 library.

PKG_CHECK_MODULES([FT2], [freetype2]) will work as a starting point.



Bug#962755: exif: FTBFS on s390x: test failure

2020-06-29 Thread Hugh McMaster
Hi Nelson,

On Sun, 14 Jun 2020 at 11:51, Hugh McMaster wrote:
> On Sun, 14 Jun 2020 at 08:32, Nelson H. F. Beebe  wrote:
>> That is not the same version of exiftool that Boyuan reported, but there was
>> no URL for his version.  If someone cares to send me a suitable source URL
>> off list, I'll do another build with it on my new S/390 VM.

> Thank you. The software is exif, not exiftool.

Just wondering if you've had time to investigate the exif test failure
any further?

I'm trying to get some time to log in to a ppc64 machine, as that
architecture also has the failure.

Hugh



Bug#963694: buster-pu: package libexif/0.6.21-5.1+deb10u4

2020-06-25 Thread Hugh McMaster
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Dear release managers,

Two further security vulnerabilities were discovered in libexif, including
libexif 0.6.21-5.1+deb10u3.

This proposed update adds upstream patches to fix these vulnerabilities.

The package replaces the existing accepted version.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.6.0-2-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8),
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
diff -Nru libexif-0.6.21/debian/changelog libexif-0.6.21/debian/changelog
--- libexif-0.6.21/debian/changelog 2020-05-25 22:01:18.0 +1000
+++ libexif-0.6.21/debian/changelog 2020-06-24 23:31:09.0 +1000
@@ -1,3 +1,12 @@
+libexif (0.6.21-5.1+deb10u4) buster; urgency=medium
+
+  * Add upstream patches to fix two security issues:
+- Fix a buffer read overflow in exif_entry_get_value() (CVE-2020-0182).
+- Fix an unsigned integer overflow in libexif/exif-data.c (CVE-2020-0198)
+  (Closes: #962345).
+
+ -- Hugh McMaster   Wed, 24 Jun 2020 23:31:09 +1000
+
 libexif (0.6.21-5.1+deb10u3) buster; urgency=medium
 
   * Add upstream patches to fix multiple security issues:
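
Review bot: the two new items under "Add upstream patches to fix two security issues" do not name the patch files they add, although this same debdiff introduces debian/patches/cve-2020-0182.patch and debian/patches/cve-2020-0198.patch. Prefixing each item with its file name would let a reviewer match every changelog entry to its patch at a glance. The CVE-2020-0182 item also carries no bug reference while the CVE-2020-0198 item has "(Closes: #962345)"; if no Debian bug exists for it, that is fine as written.
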
diff -Nru libexif-0.6.21/debian/patches/cve-2020-0182.patch 
libexif-0.6.21/debian/patches/cve-2020-0182.patch
--- libexif-0.6.21/debian/patches/cve-2020-0182.patch   1970-01-01 
10:00:00.0 +1000
+++ libexif-0.6.21/debian/patches/cve-2020-0182.patch   2020-06-24 
23:27:49.0 +1000
@@ -0,0 +1,28 @@
+Description: Fix a buffer read overflow in exif_entry_get_value() 
(CVE-2020-0182)
+ While parsing EXIF_TAG_FOCAL_LENGTH it was possible to read 8 bytes past
+ the end of a heap buffer. This was detected by the OSS Fuzz project.
+Origin: commit:f9bb9f263fb00f0603ecbefa8957cad24168cbff
+Author: Dan Fandrich 
+Last-Update: 2020-06-13
+
+---
+ libexif/exif-entry.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/libexif/exif-entry.c
 b/libexif/exif-entry.c
+@@ -1043,12 +1043,12 @@
+   d = 0.;
+   entry = exif_content_get_entry (
+   e->parent->parent->ifd[EXIF_IFD_0], EXIF_TAG_MAKE);
+-  if (entry && entry->data &&
++  if (entry && entry->data && entry->size >= 7 &&
+   !strncmp ((char *)entry->data, "Minolta", 7)) {
+   entry = exif_content_get_entry (
+   e->parent->parent->ifd[EXIF_IFD_0],
+   EXIF_TAG_MODEL);
+-  if (entry && entry->data) {
++  if (entry && entry->data && entry->size >= 8) {
+   if (!strncmp ((char *)entry->data, "DiMAGE 7", 
8))
+   d = 3.9;
+   else if (!strncmp ((char *)entry->data, "DiMAGE 
5", 8))
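
Review bot: the new guards `entry->size >= 7` and `entry->size >= 8` in exif-entry.c repeat, as bare numbers, the lengths passed to the strncmp() calls they protect, so the bound and the compare length can drift apart if another model string is added later. The logic is right as it stands: strncmp() may read up to n bytes from entry->data, and the single `>= 8` check covers both the "DiMAGE 7" and the "DiMAGE 5" comparison. A short comment at each guard naming the comparison length it matches, or deriving both numbers from the string literal with sizeof, would keep the two tied together.
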
diff -Nru libexif-0.6.21/debian/patches/cve-2020-0198.patch 
libexif-0.6.21/debian/patches/cve-2020-0198.patch
--- libexif-0.6.21/debian/patches/cve-2020-0198.patch   1970-01-01 
10:00:00.0 +1000
+++ libexif-0.6.21/debian/patches/cve-2020-0198.patch   2020-06-24 
23:28:53.0 +1000
@@ -0,0 +1,52 @@
+Description: Fix an unsigned integer overflow in libexif/exif-data.c 
(CVE-2020-0198)
+ Use a more generic overflow check method and also check the second overflow 
instance.
+Origin: commit:ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c
+Author: Marcus Meissner 
+Bug-Debian: https://bugs.debian.org/962345
+Last-Update: 2020-06-08
+
+---
+ libexif/exif-data.c | 10 ++
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/libexif/exif-data.c
 b/libexif/exif-data.c
+@@ -47,6 +47,8 @@
+ #undef JPEG_MARKER_APP1
+ #define JPEG_MARKER_APP1 0xe1
+ 
++#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || 
(structsize > datasize) || (offset > datasize - structsize ))
++
+ static const unsigned char ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 
0x00};
+ 
+ struct _ExifDataPrivate
+@@ -327,7 +329,7 @@
+   exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", 
"Bogus thumbnail offset (%u).", o);
+   return;
+   }
+-  if (s > ds - o) {
++  if (CHECKOVERFLOW(o,ds,s)) {
+   exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", 
"Bogus thumbnail size (%u), max would be %u.", s, ds-o);
+   return;
+   }
+@@ -420,9 +422,9 @@
+   }
+ 
+   /* Read the num
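
Review bot: the CHECKOVERFLOW macro added near the top of exif-data.c uses its parameters unparenthesized and evaluates each of them more than once, so an argument such as `a + b` in the structsize position would expand to `datasize - a + b`, and an argument with side effects would run repeatedly. The visible call site, `CHECKOVERFLOW(o,ds,s)`, passes plain variables and is correct, and the order of the three tests is what makes the subtraction safe: `datasize - structsize` is only reached once `structsize > datasize` has been ruled out. Writing it as `((offset) >= (datasize)) || ((structsize) > (datasize)) || ((offset) > (datasize) - (structsize))`, or as a static inline function on unsigned values, would make it safe to reuse. The excerpt stops at "Read the num", so the second call site that the Description mentions cannot be checked here.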

Bug#962751: RFS: shotdetect/1.0.86-5.1 [NMU] -- scene change detector

2020-06-24 Thread Hugh McMaster
Dear mentors,

On Sat, 13 Jun 2020 at 22:45, Hugh McMaster wrote:

> Package: sponsorship-requests
> Severity: normal
>
> Dear mentors,
>
> I am looking for a sponsor for the package "shotdetect"
>
>  * Package name: shotdetect
>Version : 1.0.86-5.1
>Upstream Author : Johan MATHE 
>  * URL : http://shotdetect.nonutc.fr/
>  * License : LGPL-2.1+
>  * Vcs :
> http://anonscm.debian.org/gitweb/?p=pkg-multimedia/shotdetect.git
>Section : video
>
> The source builds the following binary packages:
>
>   shotdetect - scene change detector
>
> To access further information about this package, please visit the
> following URL:
>
>   https://mentors.debian.net/package/shotdetect
>
> Alternatively, one can download the package with dget using this command:
>
>   dget -x
> https://mentors.debian.net/debian/pool/main/s/shotdetect/shotdetect_1.0.86-5.1.dsc
>
> Changes since the last upload:
>
>* Non-maintainer upload.
>* debian/rules:
>  - Include /usr/share/cdbs/1/rules/autoreconf.mk (Closes: #962127).
>  - Add dh-autoreconf and pkg-config to CDBS_BUILD_DEPENDS.
>* d/p/pkg-config.patch: Use PKG_CHECK_MODULES to find the libxml2 and
>  libxslt libraries (Closes: #948871, #949496).


I am still looking for a sponsor for shotdetect. :)

Kind regards,

Hugh



Bug#962755: exif: FTBFS on s390x: test failure

2020-06-13 Thread Hugh McMaster
On Sun, 14 Jun 2020 at 08:32, Nelson H. F. Beebe  wrote:

> [...]
> That is not the same version of exiftool that Boyuan reported, but there
> was no URL for his version.  If someone cares to send me a suitable source
> URL off list, I'll do another build with it on my new S/390 VM.


Thank you. The software is exif, not exiftool.

I’ll send you an upstream source link separately.

Hugh



Bug#962044: RFS: xmlstarlet/1.6.1-2.1 [NMU] -- command line XML toolkit

2020-06-08 Thread Hugh McMaster
Dear mentors,

On Tue, 2 Jun 2020 at 23:16, Hugh McMaster wrote:
> I am looking for a sponsor for my package "xmlstarlet"
>
>  * Package name: xmlstarlet
>Version : 1.6.1-2.1
>Upstream Author : Mikhail Grushinskiy 
>  * URL : http://xmlstar.sourceforge.net/
>  * License : Expat
>  * Vcs : 
> https://anonscm.debian.org/cgit/collab-maint/xmlstarlet.git
>Section : text
>
> Alternatively, one can download the package with dget using this command:

I am still looking for a sponsor for xmlstarlet. All help appreciated. :)

Hugh



Bug#961803: buster-pu: package libexif/0.6.21-5.1+deb10u3

2020-05-29 Thread Hugh McMaster
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Three additional CVEs were found in the upstream source after libexif
0.6.21-5.1+deb10u2 was uploaded.

This +deb10u3 version fixes those CVEs.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.6.0-2-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8),
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Version in base suite: 0.6.21-5.1+deb10u1

Base version: libexif_0.6.21-5.1+deb10u1
Target version: libexif_0.6.21-5.1+deb10u3
Base file: 
/srv/ftp-master.debian.org/ftp/pool/main/libe/libexif/libexif_0.6.21-5.1+deb10u1.dsc
Target file: 
/srv/ftp-master.debian.org/policy/pool/main/libe/libexif/libexif_0.6.21-5.1+deb10u3.dsc

 changelog  |   28 
 patches/Improve-deep-recursion-detection-in-exif_data_load_d.patch |   13 
 patches/Reduce-maximum-recursion-depth-in-exif_data_load_dat.patch |7 
 patches/cve-2020-0093.patch|   24 
 patches/cve-2020-12767.patch   |   34 +
 patches/cve-2020-13112.patch   |  296 
++
 patches/cve-2020-13113.patch   |   52 +
 patches/cve-2020-13114.patch   |   63 ++
 patches/extra_colorspace_check.patch   |2 
 patches/fix-CVE-2019-9278.patch|   15 
 patches/series |5 
 11 files changed, 513 insertions(+), 26 deletions(-)

diff -Nru libexif-0.6.21/debian/changelog libexif-0.6.21/debian/changelog
--- libexif-0.6.21/debian/changelog 2020-02-01 20:43:18.0 +
+++ libexif-0.6.21/debian/changelog 2020-05-25 12:01:18.0 +
@@ -1,3 +1,31 @@
+libexif (0.6.21-5.1+deb10u3) buster; urgency=medium
+
+  * Add upstream patches to fix multiple security issues:
+- cve-2020-13112.patch: Fix MakerNote tag size overflow issues at
+  read time (CVE-2020-13112) (Closes: #961407).
+- cve-2020-13113.patch: Ensure MakerNote data pointers are
+  NULL-initialized (CVE-2020-13113) (Closes: #961409).
+- cve-2020-13114.patch: Add a failsafe on the maximum number of
+  Canon MakerNote subtags to catch extremely large values in tags
+  (CVE-2020-13114) (Closes: #961410).
+
+ -- Hugh McMaster   Mon, 25 May 2020 22:01:18 +1000
+
+libexif (0.6.21-5.1+deb10u2) buster; urgency=medium
+
+  [ Mike Gabriel ]
+  * Sponsored upload.
+  * debian/patches: Trivial rebase of various patches.
+
+  [ Hugh McMaster ]
+  * Team upload.
+  * Add upstream patches to fix two security issues:
+- cve-2020-12767.patch: Prevent some possible division-by-zero errors
+  in exif_entry_get_value() (CVE-2020-12767) (Closes: #960199).
+- cve-2020-0093.patch: Prevent read buffer overflow (CVE-2020-0093).
+
+ -- Mike Gabriel   Thu, 21 May 2020 11:26:42 +0200
+
 libexif (0.6.21-5.1+deb10u1) buster-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru 
libexif-0.6.21/debian/patches/Improve-deep-recursion-detection-in-exif_data_load_d.patch
 
libexif-0.6.21/debian/patches/Improve-deep-recursion-detection-in-exif_data_load_d.patch
--- 
libexif-0.6.21/debian/patches/Improve-deep-recursion-detection-in-exif_data_load_d.patch
2020-02-01 20:43:18.0 +
+++ 
libexif-0.6.21/debian/patches/Improve-deep-recursion-detection-in-exif_data_load_d.patch
2020-05-21 09:26:15.0 +
@@ -16,8 +16,6 @@
 the identifier CVE-2018-20030.
 ---
 
-diff --git a/libexif/exif-data.c b/libexif/exif-data.c
-index e35403ddba7c..a6f9c94f2fc2 100644
 --- a/libexif/exif-data.c
 +++ b/libexif/exif-data.c
 @@ -35,6 +35,7 @@
@@ -28,7 +26,7 @@
  #include 
  #include 
  #include 
-@@ -350,6 +351,20 @@ if (data->ifd[(i)]->count) {  
\
+@@ -352,6 +353,20 @@
break;  \
  }
  
@@ -49,7 +47,7 @@
  /*! Load data for an IFD.
   *
   * \param[in,out] data #ExifData
-@@ -357,13 +372,13 @@ if (data->ifd[(i)]->count) { 
\
+@@ -359,13 +374,13 @@
   * \param[in] d pointer to buffer containing raw IFD data
   * \param[in] ds size of raw data in buffer at \c d
   * \param[in] offset offset into buffer at \c d at which IFD starts
@@ -66,7 +64,7 @@
  {
ExifLong o, thumbnail_offset = 0, thumbnail_length = 0;
ExifShort n;
-@@ -378,9 +393,20 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+@@ -380,9 +395,20 @@
if int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT)

Bug#961020: Updated debdiff for libexif/0.6.21-2+deb9u2

2020-05-25 Thread Hugh McMaster
I've updated the debdiff for this release to include the changelog
entries for the sponsored upload.


libexif_0.6.21-2+deb9u3.debdiff
Description: Binary data


Bug#961020: Updated debdiff for libexif/0.6.21-2+deb9u2

2020-05-25 Thread Hugh McMaster
On Mon, 25 May 2020 at 22:18, Hugh McMaster wrote:
>
> I've updated the debdiff for this release to include the changelog
> entries for the sponsored upload.

Apologies. This is the correct debdiff.


libexif_0.6.21-2+deb9u2.debdiff
Description: Binary data


Bug#961020: stretch-pu: package libexif/0.6.21-2+deb9u2

2020-05-19 Thread Hugh McMaster
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

libexif 0.6.21-2+deb9u1 contains five security vulnerabilities currently marked
as "no DSA".

The attached debdiff fixes these vulnerabilities.

CVE-2020-12767 - division-by-zero errors
CVE-2020-0093  - read buffer overflow
CVE-2018-20030 - denial of service by wasting CPU
CVE-2017-7544  - out-of-bounds heap read
CVE-2016-6328  - integer overflow

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.6.0-1-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8),
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
diff -Nru libexif-0.6.21/debian/changelog libexif-0.6.21/debian/changelog
--- libexif-0.6.21/debian/changelog 2020-02-02 07:54:38.0 +1100
+++ libexif-0.6.21/debian/changelog 2020-05-19 18:41:18.0 +1000
@@ -1,3 +1,19 @@
+libexif (0.6.21-2+deb9u2) stretch; urgency=medium
+
+  * Team upload.
+  * Add upstream patches to fix multiple security issues:
+- cve-2016-6328.patch: Fix an integer overflow while parsing the MNOTE
+  entry data of the input file (CVE-2016-6328) (Closes: #873022).
+- cve-2017-7544.patch: Fix an out-of-bounds heap read in the function
+  exif_data_save_data_entry() (CVE-2017-7544) (Closes: #876466).
+- cve-2018-20030.patch: Improve deep recursion detection in the function
+  exif_data_load_data_content() (CVE-2018-20030) (Closes: #918730).
+- cve-2020-12767.patch: Prevent some possible division-by-zero errors
+  in exif_entry_get_value() (CVE-2020-12767) (Closes: #960199).
+- cve-2020-0093.patch: Prevent read buffer overflow (CVE-2020-0093).
+
+ -- Hugh McMaster   Tue, 19 May 2020 19:40:10 +1000
+
 libexif (0.6.21-2+deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru libexif-0.6.21/debian/patches/cve-2016-6328.patch 
libexif-0.6.21/debian/patches/cve-2016-6328.patch
--- libexif-0.6.21/debian/patches/cve-2016-6328.patch   1970-01-01 
10:00:00.0 +1000
+++ libexif-0.6.21/debian/patches/cve-2016-6328.patch   2020-05-19 
18:36:53.0 +1000
@@ -0,0 +1,53 @@
+Description: Fixes an integer overflow while parsing the MNOTE entry data of 
the input file (CVE-2016-6328)
+Author: Marcus Meissner 
+Bug-Debian: http://bugs.debian.org/873022
+Last-Update: 2017-07-25
+
+Index: libexif-0.6.21/libexif/pentax/mnote-pentax-entry.c
+===
+--- libexif-0.6.21.orig/libexif/pentax/mnote-pentax-entry.c
 libexif-0.6.21/libexif/pentax/mnote-pentax-entry.c
+@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePenta
+   case EXIF_FORMAT_SHORT:
+ {
+   const unsigned char *data = entry->data;
+-  size_t k, len = strlen(val);
++  size_t k, len = strlen(val), sizeleft;
++
++  sizeleft = entry->size;
+   for(k=0; kcomponents; k++) {
++  if (sizeleft < 2)
++  break;
+   vs = exif_get_short (data, entry->order);
+   snprintf (val+len, maxlen-len, "%i ", vs);
+   len = strlen(val);
+   data += 2;
++  sizeleft -= 2;
+   }
+ }
+ break;
+   case EXIF_FORMAT_LONG:
+ {
+   const unsigned char *data = entry->data;
+-  size_t k, len = strlen(val);
++  size_t k, len = strlen(val), sizeleft;
++
++  sizeleft = entry->size;
+   for(k=0; kcomponents; k++) {
++  if (sizeleft < 4)
++  break;
+   vl = exif_get_long (data, entry->order);
+   snprintf (val+len, maxlen-len, "%li", (long 
int) vl);
+   len = strlen(val);
+   data += 4;
++  sizeleft -= 4;
+   }
+ }
+ break;
+@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePenta
+   break;
+   }
+ 
+-  return (val);
++  return val;
+ }
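
Review bot: the Description calls this an integer overflow fix, but what the hunks in mnote_pentax_entry_get_value() add is a bounds check on reads: `sizeleft` starts at `entry->size` and each loop breaks before exif_get_short() or exif_get_long() would read past it. Saying so in the Description would make the patch easier to audit against the CVE text. Two smaller points: the loops stop silently, so the formatted string can hold fewer values than the component count implies, which deserves a sentence in the Description; and the last hunk's change from `return (val);` to `return val;` is cosmetic, so unless it is part of the upstream commit being carried it could be dropped to keep a stable update minimal.
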
diff -Nru libexif-0.6.21/debian/patches/cve-2017-7544.patch 
libexif-0.6.21/debian/patches/cve-2017-7544.patch
--- libexif-0.6.21/debian/patches/cve-2017-7544.patch   1970-01-01 
10:00:00.0 +1000
+++ libexif-0.6.21/debian/patches/cve-

Bug#960199: libexif: CVE-2020-12767

2020-05-11 Thread Hugh McMaster
Control: tags -1 + pending

This is already fixed upstream. I'll push it to Debian shortly.

Hugh



Bug#954981: libnet-z3950-simpleserver-perl: FTBFS without yaz-config

2020-03-31 Thread Hugh McMaster
On Fri, 27 Mar 2020 at 04:56, gregor herrmann wrote:
>
> On Thu, 26 Mar 2020 21:05:23 +1100, Hugh McMaster wrote:
> Fixed in git, waits for YAZ 5.29.0 to enter unstable (for the
> yaz-server.pc file).

YAZ 5.29.0-2 is now in unstable, so feel free to upload
libnet-z3950-simpleserver-perl when you have time.

Thank you for fixing this issue so quickly.

Hugh



Bug#949490: raptor2: FTBFS with libxml2 not shipping xml2-config

2020-03-06 Thread Hugh McMaster
This bug is triggered by Debian's build system. When using upstream
source, libxml2 is detected via pkg-config.

That said, the underlying configure.ac code is overly complex. While
xml2-config (and xslt-config) still exist, pkg-config is far easier to
use for detection.

I'm happy to patch the source. Are you happy to replace all calls to
xml2-config (and xslt-config) with the PKG_CHECK_MODULES macro? Given
that it's 2020, and many foo-config scripts have or are being
deprecated/removed, it's probably time to do so in raptor2 as well.



Bug#948792: [PATCH] Please use PKG_CHECK_MODULES to detect libxml2 and libslt

2020-02-28 Thread Hugh McMaster
Control: tags -1 + patch

Dear maintainer,

I have attached a patch to allow the `configure` routine to use
PKG_CHECK_MODULES to detect the libxml2 and libxslt libraries.

Thank you,

Hugh


0001-pkg_check_modules.patch
Description: Binary data


Bug#945948: [Pkg-phototools-devel] Bug#945948: libexif: diff for NMU version 0.6.21-5.2

2020-01-22 Thread Hugh McMaster
Hi Salvatore,

On Thu, 23 Jan 2020 at 02:18, Salvatore Bonaccorso wrote:

> I've prepared an NMU for libexif (versioned as 0.6.21-5.2) based on
> the upstream commit and uploaded it to DELAYED/5. Please feel free to
> tell me if I should delay it longer.


Thank you for preparing another NMU. I have already prepared 0.6.21-6 with
that upstream patch and some other changes.

Unfortunately, I mistyped the CVE ID in the changelog, so will fix that and
re-upload to d-mentors when I get home.

Hugh



Bug#920900: libicu-dev: icu-config is only deprecated

2020-01-08 Thread Hugh McMaster
On Tue, 26 Nov 2019 03:33:02 +0100, Alexander Prokoshev wrote:
> I would like to note that pkgdata is now broken because it tries to
> use [nonexistent] icu-config.

Upstream merged a patch [1] I sent to fix the pkgdata breakage earlier today.

László, can you please consider including it in a new Debian release?

Thank you,

Hugh


icu-pkgdata.patch
Description: Binary data


Bug#942855: RFS: yaz/5.27.2-1 -- utilities for YAZ Z39.50 toolkit

2019-10-22 Thread Hugh McMaster
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "yaz"

 * Package name: yaz
   Version : 5.27.2-1
   Upstream Author : Adam Dickmeiss 
 * URL : https://www.indexdata.com/resources/software/yaz/
 * License : YAZ
 * Vcs : https://salsa.debian.org/debian/yaz
   Section : utils

The source builds the following binary packages:

  libyaz5 - YAZ Z39.50 toolkit (runtime files)
  yaz - utilities for YAZ Z39.50 toolkit
  yaz-doc - YAZ Z39.50 toolkit (documentation)
  libyaz-dev - YAZ Z39.50 toolkit (development files)
  yaz-illclient - utility for ISO ILL of YAZ
  yaz-icu - command line utility for ICU utilities of YAZ

To access further information about this package, please visit the
following URL:

  https://mentors.debian.net/package/yaz

Alternatively, you can download the package with dget using this command:

  dget -x https://mentors.debian.net/debian/pool/main/y/yaz/yaz_5.27.2-1.dsc

Changes since the last upload:

   * New upstream release.
   * debian/control:
     - Add Hugh McMaster as an Uploader.
     - Use debhelper-compat level 12.
     - Raise Standards-Version to 4.4.1 from 4.3.0 (no changes needed).
     - Add Rules-Requires-Root: no.
   * debian/copyright:
     - Update upstream copyright to 2019.
     - Add Hugh McMaster to the 'debian' block.
   * debian/patches:
     - Drop yaz-spelling-fixes.patch (merged upstream).
     - Fix more spelling errors (spelling-fixes.patch).
   * Add debian/upstream/metadata file.

Regards,

--
  Hugh McMaster



Bug#942439: libfont-freetype-perl: Regression test failing against FreeType 2.10

2019-10-16 Thread Hugh McMaster
Package: libfont-freetype-perl
Version: 0.12-1+b2
Severity: important
Tags: patch

Dear Maintainer,

The logic for computing the global ascender, descender and height of OpenType
fonts was slightly adjusted in FreeType 2.10.

This change is causing regression tests 22, 23 and 24 in libfont-freetype-perl
to fail.

While the Font::FreeType Perl module does actually return the correct values
for the above metrics (as calculated by FreeType), these values do not match
the expected values in the regression tests.

This failure, in turn, is blocking the migration of FreeType 2.10.1 to Testing.

Please apply the below patch to resolve this.

Thank you



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.2.0-3-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libfont-freetype-perl depends on:
ii  libc6                       2.29-2
ii  libfreetype6                2.10.1-2
ii  perl                        5.30.0-7
ii  perl-base [perlapi-5.30.0]  5.30.0-7

libfont-freetype-perl recommends no packages.

libfont-freetype-perl suggests no packages.

-- no debconf information
Description: Fix font metrics broken by an upstream FreeType change
 The logic for computing the global ascender, descender and height of OpenType
 fonts was slightly adjusted in FreeType 2.10. This change causes regression
 tests 22, 23 and 24 to fail.

Author: Hugh McMaster 
Bug: https://rt.cpan.org/Public/Bug/Display.html?id=129788
Last-Update: 2019-10-16

--- libfont-freetype-perl-0.12.orig/t/10metrics_oldstandart.t
+++ libfont-freetype-perl-0.12/t/10metrics_oldstandart.t
@@ -57,9 +57,9 @@ is($font->units_per_em, 1000, '$face->un
 my $underline_position = $font->underline_position;
 ok $underline_position <= -178 || $underline_position >= -198, 'underline 
position';
 is($font->underline_thickness, 40, 'underline thickness');
-is($font->height, 1482, 'text height');
-is($font->ascender, 952, 'ascender');
-is($font->descender, -294, 'descender');
+is($font->height, 1236, 'text height');
+is($font->ascender, 762, 'ascender');
+is($font->descender, -238, 'descender');
 
 subtest "charmaps" => sub {
 subtest "default charmap" => sub {
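
Review bot: the three replaced expectations in t/10metrics_oldstandart.t (`height` 1236, `ascender` 762, `descender` -238) are exact matches for the values FreeType 2.10 computes, so the test will now fail in the other direction when the module is built against an older FreeType that still yields 1482, 952 and -294. Accepting either set, or choosing the expected values by library version, would keep the test valid on both sides of the change. Separately, the unchanged context line `ok $underline_position <= -178 || $underline_position >= -198` is true for every value; a range check presumably needs `$underline_position >= -198 && $underline_position <= -178`.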


Bug#898820: libicu-dev is not Multi-Arch compatible

2019-01-02 Thread Hugh McMaster
389-ds-base has been uploaded to unstable.

On Wed, 2 Jan 2019 at 21:11, Hugh McMaster  wrote:
>
> Hi László,
>
> All of the packages you listed in message #15 are fixed or pending
> upload. Most are fixed upstream as well.
>
> * 389-ds-base is pending upload.
> * yaz is in the NEW queue.
> * gnustep-base is patched to use pkg-config, although it is compiled
> with --disable-icu-config, so
>   not actually affected.
>
> What is the next step?
>
> Hugh



Bug#915714: gnustep-base: Please use pkg-config to detect icu

2019-01-01 Thread Hugh McMaster
Control: severity -1 serious
Control: tags -1 + patch

Dear maintainer,

As the removal of icu-config from Debian is imminent, I have prepared a
patch for gnustep-base so its build system uses pkg-config to detect icu.

Please apply it as soon as possible.

I have also forwarded the patch upstream, but they have not yet responded.

Kind regards,

Hugh


icu_pkg-config.patch
Description: Binary data


Bug#917614: libnet-z3950-simpleserver-perl: Please Build-Depend on libyaz-dev

2018-12-29 Thread Hugh McMaster
Package: libnet-z3950-simpleserver-perl
Version: 1.15-1+b7
Severity: important

Dear Maintainer,

Your package currently build-depends on libyaz4-dev. However, this package
will soon be replaced by libyaz-dev during an upcoming transition.

Testing with libyaz-dev 5.27.1-1 installed results in your package FTBFS, as it
cannot satisfy its build-dependency on libyaz4-dev.

Please patch your package's Build-Depends list to use libyaz-dev.

With this change made, libnet-z3950-simpleserver-perl builds successfully.

Note that libyaz4-dev currently provides libyaz-dev.

Thank you



-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libnet-z3950-simpleserver-perl depends on:
ii  libc6           2.28-3
ii  libxml2         2.9.4+dfsg1-7+b3
ii  libxslt1.1      1.1.32-2
ii  libyaz4         4.2.30-4+b8
ii  perl            5.28.1-3
pn  perlapi-5.28.0

libnet-z3950-simpleserver-perl recommends no packages.

libnet-z3950-simpleserver-perl suggests no packages.

-- no debconf information



Bug#917611: idzebra: Please Build-Depend on libyaz-dev

2018-12-29 Thread Hugh McMaster
Source: idzebra
Version: 2.0.59-1
Severity: important

Dear Maintainer,

idzebra currently has a build-dependency on libyaz4-dev. However, this package
will soon be replaced by libyaz-dev during an upcoming transition.

Testing with libyaz-dev 5.27.1-1 installed results in idzebra FTBFS, as it
cannot satisfy its build-dependency on libyaz4-dev.

Please patch idzebra's build-dependency list to use libyaz-dev:

  -  libyaz4-dev | libyaz3-dev (>= 3.0.17), libexpat1-dev, tcl8.6-dev,
libxslt1-dev,
  +  libyaz-dev, libexpat1-dev, tcl8.6-dev, libxslt1-dev,

With this change made, idzebra builds successfully.

Note that libyaz4-dev currently provides libyaz-dev.

Thank you



-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#915394: Bug#915369: New upstream version 5.27.1

2018-12-17 Thread Hugh McMaster
Hi Vincent,

On Monday, 17 December 2018 8:04 PM, Vincent Danjean wrote:
> I started to work on 5.27.0 and just imported 5.27.1 with "gbp import-orig 
> --uscan".
> All of this is on salsa. Any help to go further is welcome (with push request
> or even direct commit)

Nice! Thank you for doing this so quickly.

I'll start working on the package, but will check the Salsa repo regularly,
in case you have pushed some commits.

Kind regards,

Hugh


Bug#915380: an: Please use pkg-config to detect icu

2018-12-04 Thread Hugh McMaster
X-Debbugs-CC: p...@debian.org

I forgot to add in the patch that an will need to build-depend on pkg-config
as well.

Hugh


Bug#915264: libfolia: Please upgrade to version 1.15

2018-12-02 Thread Hugh McMaster
Package: libfolia6
Version: 1.6-2+b1
Severity: wishlist

Dear Maintainer,

The current version of libfolia is almost two years old and is missing several
bug fixes and enhancements.

It also does not work with icu 63.1.

Please upgrade to the latest upstream version - 1.15.

Thank you



-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libfolia6 depends on:
ii  libc6            2.28-1
ii  libgcc1          1:8.2.0-10
ii  libgomp1         8.2.0-10
ii  libicu60         60.2-6
ii  libstdc++6       8.2.0-10
ii  libticcutils2v5  0.14-1+b2
ii  libxml2          2.9.4+dfsg1-7+b2

libfolia6 recommends no packages.

libfolia6 suggests no packages.

-- no debconf information



Bug#915259: ucto: Please update the package to version 0.14

2018-12-02 Thread Hugh McMaster
Source: ucto
Version: 0.9.6-1
Severity: wishlist

Dear Maintainer,

The current version of ucto is nearly two years old and is missing out on many
upstream fixes and enhancements.

This version is also incompatible with icu 63.1, currently in testing.

Please update ucto to the latest upstream version - 0.14.

Thank you



-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#898820: libicu-dev is not Multi-Arch compatible

2018-11-21 Thread Hugh McMaster
Hi László,

What help do you need to resolve this bug?

Hugh

Bug#887606: Preparing NMU for dvipng

2018-11-07 Thread Hugh McMaster
Hi Varun,

I’m preparing an NMU for #887606 and was wondering if you’d like me to convert 
the package to debhelper at the same time? dvipng is currently using cdbs.

Regards,

Hugh




Bug#897982: tasksel: Please drop tamil-gtk2im from the task-tamil-gnome-desktop Recommends list

2018-10-01 Thread Hugh McMaster
> On 1 Oct 2018, at 4:21 am, Holger Wansing wrote:
> Hugh McMaster wrote:
>> How will switching to ibus-m17n affect the user experience or installation?
> 
> That's out of my skills, sorry.

No problem. If no one else has any objections, then I’m happy for you to drop 
the Recommends and/or replace it.

Bug#909778: libsdl2-dev: SDL_config.h no longer in cflags provided by pkg-config/sdl2-config

2018-09-29 Thread Hugh McMaster

> On 30 Sep 2018, at 12:01 am, Adrian Bunk wrote:
> 
>> On Sat, Sep 29, 2018 at 01:39:05PM +, Hugh McMaster wrote:
>>> On Saturday, 29 September 2018 5:06 AM, Adrian Bunk wrote:
>>> The following fixes it properly:
>>> - revert the override_dh_install change, and
>>> - add --includedir=\$${prefix}/include/$(DEB_HOST_MULTIARCH) to confflags
>> 
>> This won't do what you think it will. Unfortunately:
>> 
>> 1. All headers end up being installed into /usr/include//SDL2.
>>   -- Not what we want.
> 
> This is not a problem.

True, but not ideal.

>> 2. /usr/include//SDL2 is hard-coded into sdl2-config, causing a file
>>    conflict for multi-arch installations.
>> ...
> 
> This is actually a problem.
> 
> The minimal fix for that problem would be to add a dependency on 
> pkg-config to libsdl2-dev, and then do
> --cflags)
> -  echo -I@includedir@/SDL2 @SDL_CFLAGS@
> +  pkg-config --cflags sdl2
>   ;;

I’m not able to check right now, but I believe this will cause problems when 
libsdl2-dev is installed for a foreign architecture, because sdl2-config will 
call pkg-config for the native architecture instead. It would need to be 
qualified with the GNU triplet.

Bug#862119: Please mark libgstreamer-plugins-base1.0-dev Multi-Arch: same

2018-09-02 Thread Hugh McMaster
Dear maintainer,

The package libgstreamer-plugins-base1.0-dev is not currently multi-arch
compatible.

Multi-arch support is needed to allow other packages, such as Wine, to build
using architecture-specific development files.

There are no file conflicts in libgstreamer-plugins-base1.0-dev preventing it
from becoming multi-arch co-installable.

Please mark the package Multi-Arch: same.

Also, please let me know if you would like me to prepare a patch for this.

Thank you


Bug#907794: libtiff-doc: Please mark libtiff-doc Multi-Arch: foreign

2018-09-02 Thread Hugh McMaster
Package: libtiff-doc
Version: 4.0.9-6
Severity: wishlist

Dear Maintainer,

Please mark libtiff-doc Multi-Arch: foreign in accordance with Debian's
multi-arch hinter.

Thank you



-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.17.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-- no debconf information



Bug#907792: libfribidi-dev: Please mark libfribidi-dev Multi-Arch: same

2018-09-02 Thread Hugh McMaster
Package: libfribidi-dev
Version: 1.0.5-3
Severity: wishlist

Dear Maintainer,

Multi-arch support in libfribidi-dev is needed for packages such as
libgtk2.0-dev to become co-installable on different architectures.

libgtk2.0-dev has recently become Multi-Arch: same and libfribidi-dev
is now a blocker.

libfribidi-dev has no conflicting files preventing it from becoming multi-arch
co-installable.

Please mark the package Multi-Arch: same.

Thank you



-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.17.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libfribidi-dev depends on:
ii  libfribidi0  1.0.5-3

libfribidi-dev recommends no packages.

libfribidi-dev suggests no packages.

-- no debconf information



Bug#901052: Bug#898983: freetype: diff for NMU version 2.9.1-0.1

2018-08-02 Thread Hugh McMaster
Hi Steve,

On Wednesday, 25 July 2018 3:04 AM, Steve Langasek wrote:
> I am open to having you, or someone, fully take over maintainership of
> freetype.  But I do not believe that the changes proposed here are proper
> for an NMU.

Having given this a lot of thought over the past week, I'd be happy to
co-maintain freetype with you, as I believe I can benefit from your
experience with this package. However, should you wish to fully hand
over the package, that is okay too.

On Tuesday, 24 July 2018 11:08:35 -0700, Steve Langasek wrote:
> As long as you are the one dealing with whatever the regression of the day
> is across the distro as a result of the new upstream version, that's fine
> with me.

I will take care of any bugs that arise from the move to version 2.9.1.

If you have no objections, I'll add myself to the Uploaders list and begin
updating the package. Please let me know by Monday if you would like 
to make other arrangements.

--
Hugh McMaster

