Bug#930311: lintian: Possible exception to package-contains-documentation-outside-usr-share-doc

2019-06-11 Thread Niels Thykier
Chris Lamb:
> Hi Niels,
> 
>> My question is: Should we move this exception to lintian itself and
>> stop having people automate overrides
> 
> Oh, without any doubt here — the idea of automatically-generated
> overrides simply makes me squirm.
> 
> (Shall we begin by cloning this bug "against" dh-r?)
> 
> 
> Regards,
> 

Re:
https://salsa.debian.org/lintian/lintian/commit/a16cd3a1c812c8894bddf9b920561eb0dd602d85

I suspect we should probably match usr/lib/R/site-library/ as a prefix
rather than an exact match.  My guess is that they have a "per-package"
folder structure beneath that directory.

Thanks,
~Niels
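
The difference between the two matching strategies discussed in this message, as an added Perl sketch (not lintian's or dh-r's code). The file list is constructed, the helper names are hypothetical, and "exact match" is assumed to mean comparing the file's directory with usr/lib/R/site-library/.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Exemption root named in the thread; the trailing slash matters for prefix matching.
my $R_ROOT = 'usr/lib/R/site-library/';

# Same file names dh-r's find(1) call looks for: *.md, *.Rmd, README, README.md.
sub is_doc_name {
    my ($path) = @_;
    my ($base) = $path =~ m{([^/]+)\z};
    return 0 unless defined $base;
    return ($base eq 'README' || $base =~ m{\.(?:md|Rmd)\z}) ? 1 : 0;
}

# Directory part of a path, with trailing slash ('' for a bare file name).
sub dir_of {
    my ($path) = @_;
    return $path =~ m{\A(.*/)} ? $1 : '';
}

# Two candidate exemptions (hypothetical helpers, not lintian's API).
my %exempt = (
    exact  => sub { dir_of($_[0]) eq $R_ROOT },
    prefix => sub { index($_[0], $R_ROOT) == 0 },
);

# Paths that would still get package-contains-documentation-outside-usr-share-doc.
sub flagged {
    my ($mode, @paths) = @_;
    return grep {
        is_doc_name($_)
          && index($_, 'usr/share/doc/') != 0
          && !$exempt{$mode}->($_)
    } @paths;
}

# Constructed file list for a hypothetical r-cran-foo package.
my @files = qw(
    usr/share/doc/r-cran-foo/README.md
    usr/lib/R/site-library/README
    usr/lib/R/site-library/foo/README.md
    usr/lib/R/site-library/foo/doc/intro.Rmd
    usr/lib/R/site-library-extra/README.md
    usr/lib/foo/README
);

for my $mode (qw(exact prefix)) {
    my @hits = flagged($mode, @files);
    printf "%-6s exemption: %d file(s) still flagged\n", $mode, scalar @hits;
    print "    $_\n" for @hits;
}
```

With the exact comparison the per-package files under site-library/foo/ are still reported; the prefix form exempts them, and the look-alike site-library-extra/ directory stays flagged because the prefix ends in a slash.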



Bug#930311: lintian: Possible exception to package-contains-documentation-outside-usr-share-doc

2019-06-10 Thread Niels Thykier
Chris Lamb:
> Hi Niels,
> 
>> My question is: Should we move this exception to lintian itself and
>> stop having people automate overrides
> 
> Oh, without any doubt here — the idea of automatically-generated
> overrides simply makes me squirm.
> 
> (Shall we begin by cloning this bug "against" dh-r?)
> 
> 
> Regards,
> 

If we intend to create the exception in lintian, I would personally
probably go with making the exception first and then filing the bug
against dh-r to remove the auto-generation.  But either way works (for
me at least) and if you prefer the other order, then let's do that by all
means.

Thanks,
~Niels



Bug#930311: lintian: Possible exception to package-contains-documentation-outside-usr-share-doc

2019-06-10 Thread Niels Thykier
Package: lintian
Version: 2.15.0
Severity: normal

Hi,

I noticed that the dh-r package by default creates an override for
package-contains-documentation-outside-usr-share-doc when the R
package puts documentation in usr/lib/R/site-library:

"""
my $check_for_docs = `find debian/$dh{FIRSTPACKAGE} -type f -name "*.md" -o -name "*.Rmd" -o -name "README" -o -name "README.md" | grep -v 'usr/share/doc'`;
if ( $check_for_docs ) {
    say "Create lintian-override for package-contains-documentation-outside-usr-share-doc due to $check_for_docs";
    open(my $lintian, ">>", "debian/lintian-overrides");
    say $lintian "# The documentation is where it is expected by GNU R users";
    say $lintian "$dh{FIRSTPACKAGE}: package-contains-documentation-outside-usr-share-doc usr/lib/R/site-library/*";
    close $lintian;
}
"""
(source: https://sources.debian.org/src/dh-r/20190121/dh/R.pm/?hl=3#L268)

My question is: Should we move this exception to lintian itself and
stop having people automate overrides or should something else be
done?  (To be explicit: The latter is an open question as I am not
sure what the "proper something else" would be in this case)

Thanks,
~Niels



Bug#929913: unblock: simple-cdd/0.6.7

2019-06-04 Thread Niels Thykier
Vagrant Cascadian:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: vagr...@debian.org, debian-b...@lists.debian.org
> 
> Please unblock package simple-cdd
> 
> This update fixes several release-critical and important bugs, as well
> as documentation updates.
> 
> Several issues were reported with expired keys in the archive keyring
> breaking builds with simple-cdd, even when the expired key was not
> used to verify the repositories being checked. This was fixed by
> allowing expired keys to be present in the keyring used by reprepro
> (though are not treated as valid for verifying Release files).
> 
> A typo was fixed that caused a traceback in gpg verification, and now
> reports the failing command.
> 
> The --batch argument was added to gpg calls, which are all
> non-interactive, which allows it to work in docker environments.
> 
> Contact information in the README was no longer valid, and so it was removed.
> 
> Fix a number of issues with changes in qemu arguments, and re-add the
> missing support to pass arbitrary qemu options.
> 
> Update example configuration files, removing obsolete options and
> adjusting a syntax change in some options which no longer support
> variables.
> 
> The ltsp profile was updated to use the defaults for
> ltsp-client-builder, with commented examples for using the non-default
> values. NFS is no longer used in LTSP by default, so is no longer
> configured, and the example to configure DHCP was updated to use
> dnsmasq.
> 
> The test profile was updated with new and changed preseeding options,
> as well as options passed to qemu.
> 
> The default profile updated the example to avoid asking to set up
> another CD.
> 
> The router profile example ethernet interface name was updated to be
> consistent with current naming conventions.
> 
> [...]
> 
> 
> unblock simple-cdd/0.6.7
> 
> 
> Thanks for all your work towards releasing Debian!
> 
> live well,
>   vagrant
> 

Looks good to me, CC'ing KiBi for a d-i ack before completing the unblock.

Thanks,
~Niels



Bug#929912: unblock: ltsp/5.18.12-3

2019-06-04 Thread Niels Thykier
Control: tags -1 confirmed d-i

Vagrant Cascadian:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: vagr...@debian.org, debian-b...@lists.debian.org
> 
> Please unblock package ltsp
> 
> This fixes two release-critical bugs, an important bug, and updates
> the debconf translation for Dutch.
> 
> Builds from unsigned CDs failed due to changes in apt being more
> strict regarding unsigned repositories. This is fixed by passing the
> --trust-file-mirror option introduced in ltsp-build-client upstream,
> but not added to the default arguments for the ltsp-client-builder
> .udeb. This .udeb is not used in the default debian-installer images,
> and thus should have no impact on them.
> 
> The tool to build an LTSP chroot environment failed to detect the
> codename in buster now that /etc/debian_version contains a version,
> instead passing the version of Debian "10" to debootstrap, resulting
> in a failure to build. The upstream fix was to switch back to using
> lsb_release, and the patch applied to this version.
> 
> An important issue in the arguments for mounting loopback images was
> discovered and fixed upstream, ensuring read-only mounts which might
> otherwise lead to filesystem inconsistencies with ext4 or other
> writeable filesystems, and fixing a typo in the loop argument passed
> to mount. The upstream patch is included in this version.
> 
> Additionally, the Dutch debconf message translation was included in
> this version.
> 
> [...]
> 
> unblock ltsp/5.18.12-3
> 
> 
> Thanks for all your work on releasing Debian!
> 
> 
> live well,
>   vagrant
> 

Looks good to me, CC'ing KiBi for a d-i ack before completing the unblock.

Thanks,
~Niels



Bug#929776: unblock: rrdtool/1.7.1-2

2019-05-30 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Jean-Michel Vourgère:
> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: unblock
> Severity: normal
> 
> Please allow me to add an upstream patch in order to fix segfaults in rrdtool 
> daemon, that occurs when xport'ing a non-existent RRD file.
> 
> unblock rrdtool/1.7.1-2
> 

Please go ahead with the upload and remove the moreinfo tag when it is
ready to be unblocked.

Thanks,
~Niels



Bug#924948: unblock: onedrive/2.2.6-2

2019-05-30 Thread Niels Thykier
Norbert Preining:
> Hi Paul,
> 
> On Thu, 30 May 2019, Paul Gevers wrote:
>> On Tue, 19 Mar 2019 07:50:10 +0900 Norbert Preining
> 
> What a time lag for a release related bug, impressive.
> 

Hi Norbert,

I can understand that the delay in the reply is unsatisfying to you -
personally, I am not happy about such delays either.

However, I find remarks like the above unhelpful and uncalled for at
best - not to mention draining energy- and motivation-wise.  Please keep
future communication professional.

A much better approach would have been to ask us for an update (in a
friendly/professional manner) in case we had forgotten about the
request.  This might have gotten you a reply much earlier.

Thanks,
~Niels



Bug#929750: debhelper: dh_installdocs errs out on non-matching pattern in v10 mode

2019-05-30 Thread Niels Thykier
Control: tags -1 moreinfo

On Thu, 30 May 2019 13:44:27 +0200 Andreas Metzler  wrote:
> Source: debhelper
> Version: 12.1.1
> Severity: normal
> 
> Hello,
> 
> one of the *changes* in v11 mode is the following:
> | The helpers dh_installdocs, dh_installexamples, dh_installinfo, and
> | dh_installman now error out if their config has a pattern that does
> | not match anything or reference a path that does not exist.
> 
> However I see this behavior for dh_installdocs in v10 mode, too:
> -
> (sid)ametzler@argenau:/tmp/GNUTLS/gnutls-3.6.8$ cat debian/compat
> 10
> (sid)ametzler@argenau:/tmp/GNUTLS/gnutls-3.6.8$ cat debian/gnutls-doc.docs
> doc/gnutls.pdf
> (sid)ametzler@argenau:/tmp/GNUTLS/gnutls-3.6.8$ dh_installdocs -O--builddirectory=b4deb --no-act --verbose -pgnutls-doc ; echo $?
> dh_installdocs: Cannot find (any matches for) "doc/gnutls.pdf" (tried in .)
> 
> 2
> -
> 
> I cannot say when this bug was introduced, it might be long-standing.
> 
> cu Andreas
> 
> [...]
> 

Hi Andreas,

The code is working as intended, but I think you have found the
documentation confusing.

 * Suggestions for improving the docs are welcome.

The root issue here is that "doc/gnutls.pdf" is not a pattern (in the
compat 11 sense).  A pattern would be something like "doc/*.pdf".

The "non-pattern" case has been an error since compat 5[1].  Compat 11
extends that to patterns as well (to match dh_install, where this has
been an error since compat 5 as well).


Thanks,
~Niels

[1] Note: debhelper did have a regression at some point for an extended
period of time where non-patterns did not trigger errors as intended -
though the fix for that regression is not recent (fixed during
debhelper/11 AFAIR), so I doubt it is related to this bug.



Bug#929731: unblock: flash-kernel/3.99

2019-05-29 Thread Niels Thykier
Control: tags -1 confirmed d-i

Vagrant Cascadian:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: vagr...@debian.org, debian-b...@lists.debian.org
> 
> Please unblock package flash-kernel
> 
> This upload adds support for two additional boards, one additional name
> for another board, and updates the Uploaders list. The changes should be
> very low risk to existing platforms, and really appreciated by people
> with the added boards.
> 
> 
> [...]
> 
> unblock flash-kernel/3.99
> 
> 
> Thanks for considering!
> 
> live well,
>   vagrant
> 

Hi,

Thanks, this is marked OK from a release team PoV.  Adding KiBi for a
d-i ack before the final unblock.

Thanks,
~Niels



Bug#929607: unblock: qemu/1:3.1+dfsg-8 (pre-upload)

2019-05-27 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Michael Tokarev:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Hi!
> I've prepared next release of the qemu debian package, with
> a few bugfixes, and am asking if it's okay to upload these
> changes to unstable (targeting buster). The change includes
> 3 security fixes which should go anyway, and 2 "other" fixes
> which are questionable, hence the pre-approval bugreport/question.
> 
> All changes are "easy" ones, and are mostly one-liners and are
> easy for review. All bugfixes have been applied upstream too.
> 
> Is it okay for the changes to go to buster?
> 
> Thanks,
> 
> /mjt
> 
> [...]
> +
> unblock qemu/1:3.1+dfsg-8
> 
> [...]
> 

Please go ahead with the upload and remove the moreinfo tag once it is
ready to be unblocked.

Thanks,
~Niels



Bug#929215: unblock: systemd/241-4

2019-05-26 Thread Niels Thykier
Michael Biebl:
> Am 20.05.19 um 14:06 schrieb Michael Biebl:
>> Am 19.05.19 um 12:47 schrieb Niels Thykier:
>>
>>>>   * Add check to switch VTs only between K_XLATE or K_UNICODE.
>>>> Switching to K_UNICODE from other than L_XLATE can make the keyboard
>>>> unusable and possibly leak keypresses from X.
>>>> (CVE-2018-20839, Closes: #929116)
>>>>
>>>> https://salsa.debian.org/systemd-team/systemd/commit/5a564c6ef3906c0f3885a3a2aafce772393f760a
>>
>> In the mean time a regression was reported caused by this patch.
>> I marked the bug as RC. Given how long it takes to find a solution
>> upstream, I will either upload a fix for that or revert/drop the patch
>> again.
> 
> I've reverted this patch in 241-5, as no fix is available yet.
> No other changes were made in 241-5.
> 
> Regards,
> Michael
> 

Ack, thanks for handling this. The changes in 241-5 lgtm. :)

Thanks,
~Niels



Bug#884999: debhelper: Please default Rules-Require-Root to no

2019-05-25 Thread Niels Thykier
Hideki Yamane:
> Hi,
> 
> On Fri, 24 May 2019 10:47:22 -0700
> Sean Whitton  wrote:
>> (surely we are a very long way from r-r-r: no for every package?)
> 
>  I don't think so since lintian info about "should-specify-rules-requires-root"
>  contains only 98 packages.
>  https://lintian.debian.org/tags/should-specify-rules-requires-root.html
> 
>  mandatory "r-r-r: no" in dpkg-dev and full rebuild shows exact numbers
>  to be dealt with, IMO.
> 
> 

The use of "r-r-r: no" will also disable dpkg-buildpackage detection of
missing build-{arch,indep} targets.  IOW, you need to add

https://lintian.debian.org/tags/debian-rules-missing-recommended-target.html

To your list of packages needing a fix before "r-r-r: no" can be the
default.

Additionally, lintian cannot/does not detect cases where a package uses
(fake)root during the install step (e.g. upstream) but then later
"undoes" the ownership to root:root (e.g. dh_fixperms).  Just as an FYI,
so you know the lintian check is incomplete (I have no idea how many
instances we have of that - so it might be a non-issue).

Thanks,
~Niels



Bug#884999: debhelper: Please default Rules-Require-Root to no

2019-05-24 Thread Niels Thykier
Sean Whitton:
> Hello,
> 
> On Fri 24 May 2019 at 01:42PM +09, Hideki Yamane wrote:
> 
>> Hi,
>>
>>> In summary: The debhelper fundamentally cannot affect whether
>>> Rules-Requires-Root: no is default or not.  The debhelper compat level
>>> system is the wrong interface to do this as well.
>>>
>>> That said, in a distant future, I hope we can flip the default of
>>> Rules-Requires-Root.  But when that comes, it will not be via a
>>> debhelper compat level AFAICT.
>>
>>  If we want to implement "Rules-Requires-Root: no" mandatory,
>>  is it dpkg-dev and policy issue?
> 
> Requiring maintainers to put `Rules-Requires-Root: no` in every single
> d/control file would be a debian-policy bug, yes.
> 
> Changing debhelper's default, if that remained overrideable by the
> maintainer, would not be.
> 
> (surely we are a very long way from r-r-r: no for every package?)
> 

FYI, debhelper is *not* in control of the default for r-r-r (as stated
in the quoted text).  Therefore, "Changing debhelper's default" cannot
be the solution here.

Thanks,
~Niels



Bug#929452: release.debian.org: [pre-approval] testing-proposed-updates for unicode changes

2019-05-23 Thread Niels Thykier
Control: tags -1 moreinfo

Xavier Guimard:
> Package: release.debian.org
> Severity: normal
> 
> Hi all,
> 
> due to unicode change, 2 nodejs packages require an update:
>  - node-regenerate-unicode-properties
>  - node-regexpu-core
> 
> These 2 packages have been updated in unstable so can no more be updated
> using the normal way. The proposed changes are very few (patch to update
> package.json + debian/control dependency update from node-unicode-11.0.0
> to node-unicode-12.0.0).
> 
> These updates are required since they are both dependencies of node-rollup
> which is a build dependency of ~20 packages.
> 
> Do you authorize me to upload these 2 +deb10u1 packages in
> testing-proposed-updates? Packages are tested locally, build +
> autopkgtest OK.
> 
> Sorry for the inconvenience.
> 
> Cheers,
> Xavier
> 
> [...]
> 

The versions in unstable: Could they be used / unblocked as-is (without
needing anything else)?

Thanks,
~Niels



Bug#929387: unblock: libssh/0.8.7-1 (pre-upload approval)

2019-05-23 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Martin Pitt:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Three months ago, a new libssh upstream bug fix release 0.8.7 was done, which
> fixes a dozen security issues, crashes, and other bugs:
> 
>   https://git.libssh.org/projects/libssh.git/log/?h=stable-0.8
>   (the bits between 0.8.6 and 0.8.7)
> 
> (Our package already has the oldest three patches backported)
> At first I wanted to cherry-pick, but honestly I think we should have all these
> fixes in buster, including the "Remove SHA384 HMAC" before that hits stable.
> 
> I haven't yet uploaded this new version, as I'd like to get your approval
> first. If you do approve, I'll upload it to unstable, otherwise to experimental
> and later through s-p-u.
> 
> I attach the full debdiff between the current unstable/testing version and the
> one I'd like to upload. If you prefer looking at it on salsa:
> 
> These are the upstream changes:
>   https://salsa.debian.org/debian/libssh/commit/aab54d0cc04dd
> and the corresponding packaging changes for it (dropping patches):
>   https://salsa.debian.org/debian/libssh/commit/34591503a1b4b
> 
> I also added valgrinding to the autopkgtest, which exposes a bug:
>   https://salsa.debian.org/debian/libssh/commit/59593bc7cf4
> 
> This bug also happens on 0.8.6 and earlier versions (not yet on 0.6.x), so this
> is unrelated to this particular upstream update, but I'd still like to land it
> to avoid regressions under valgrind.
> 
> Thanks for considering!
> 
> Martin Pitt
> 

Hi Martin,

Please go ahead with the upload (with the debdiff attached to your
initial mail in the bug) and remove the moreinfo tag once it is in
unstable ready to be unblocked (e.g. autopkgtests have succeeded).

Thanks,
~Niels



Bug#928809: lintian: suggest adding gitlab-ci file

2019-05-22 Thread Niels Thykier
Chris Lamb:
> Dmitry Bogatov wrote:
> 
>>> [..]  I just think that lintian should be less pro-active at adding
>>> checks for things that are far from accepted.
>>
>> That is why I propose introducing concept of "controversial" checks.
> 
> I think we are all violently agreeing here. 
> 
>> Having Lintian plainly reject such proposals would mean need in creation
>> of something like "lintian-unofficial"
> 
> (Personally, I doubt someone would fork Lintian, more likely its
> output would become less and less "trusted". But both outcomes suck.)
> 
> 
> Best wishes,
> 

There would be no need to fork lintian over this.  Lintian supports
third-party checks (via third-party lintian profiles).  With files in
the proper place, you can have:

  lintian --profile debian/unofficial ...

run lintian's built-in plus the extra unofficial checks.

Thanks,
~Niels



Bug#929132: unblock (pre-approval): dbus/1.12.14-1

2019-05-19 Thread Niels Thykier
Control: tags -1 d-i confirmed

Simon McVittie:
> Control: tags -1 - moreinfo
> 
> On Fri, 17 May 2019 at 18:59:00 +0000, Niels Thykier wrote:
>> I am ok with these changes on the premise that you are ready to promptly
>> rollback to the bare minimum changes in case of regressions (regardless
>> of whether we see them before or after the migration).
>>
>> If you agree with this, please go ahead with the upload and remove the
>> moreinfo tag once it is ready to be unblocked.
> 
> Understood. If there are regressions, I can revert individual fixes if
> the cause is obvious, or if necessary do a 1.12.14+really1.12.12 upload.
> 
> I'm busy next weekend and will probably be checking email less frequently,
> so it would be ideal if you're able to set the age-days to cause migration
> on the 27th - that way I'll be more able to respond to any new regression
> reports that come from testing users shortly after migration.
> 
> I've uploaded 1.12.14-1 (no further changes, other than mentioning #928877
> in the changelog) and it has built on all release architectures, except
> 'all' which is still Needs-Build.
> 
> Thanks,
> smcv
> 

Ok. I have added an unblock and age-days 8 hint.  Also CC'ing KiBi for a
d-i ack before adding an unblock-udeb hint.

Thanks,
~Niels



Bug#929215: unblock: systemd/241-4

2019-05-19 Thread Niels Thykier
Control: tags -1 confirmed d-i

Michael Biebl:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package systemd
> 
> All patches are cherry-picked from upstream git.
> 
> Annotated changelog:
> 
> systemd (241-4) unstable; urgency=medium
> 
>   * journal-remote: Do not request Content-Length if Transfer-Encoding is
> chunked (Closes: #927008)
> 
> https://salsa.debian.org/systemd-team/systemd/commit/d8e4bc4487b0f32b39b15152040351261329e92a
> 
> Without this fix, systemd-journal-remote is pretty much completely
> broken, that's why I had marked this bug RC for the
> systemd-journal-remote package
> 
> 
>   * systemctl: Restore "systemctl reboot ARG" functionality.
> Fixes a regression introduced in v240. (Closes: #928659)
> 
> https://salsa.debian.org/systemd-team/systemd/commit/8127cbd86fadf245dd28666c1bfe82a3eb116448
> 
> 
>   * random-util: Eat up bad RDRAND values seen on AMD CPUs.
> Some AMD CPUs return bogus data via RDRAND after a suspend/resume cycle
> while still reporting success via the carry flag.
> Filter out invalid data like -1 (and also 0, just to be sure).
> (Closes: #921267)
> 
> https://salsa.debian.org/systemd-team/systemd/commit/efbcf5102f0ac7b43a2f7b8c79084fdfd2d1fa72
> 
> RDRAND is used by systemd for its hashmap implementation. On some AMD
> CPUs (AMD CPU family 22), RDRAND returns bogus data after
> suspend/resume, leading to severe mis-behaviour of systemd. Typical
> symptoms are failure to shutdown properly or when trying suspend again.
> 
> 
>   * Add check to switch VTs only between K_XLATE or K_UNICODE.
> Switching to K_UNICODE from other than L_XLATE can make the keyboard
> unusable and possibly leak keypresses from X.
> (CVE-2018-20839, Closes: #929116)
> 
> https://salsa.debian.org/systemd-team/systemd/commit/5a564c6ef3906c0f3885a3a2aafce772393f760a
> 
> 
>   * Document that DRM render nodes are now owned by group "render"
> (Closes: #926886)
> 
> https://salsa.debian.org/systemd-team/systemd/commit/e3772a013721083a740ab9dedbf060cf5b3c3709
> 
> Documentation update, which was explicitly requested for the
> video->render change of the /dev/dri/renderD* devices.
> 
> KiBi (and debian-boot) is in CC
> 
> Full debdiff is attached.
> 
> Regards,
> Michael
> 
> unblock systemd/241-4
> 
> [...]
> 

Ok with me.  Waiting for KiBi to give an ack from the d-i side
before I will fully unblock it.

Thanks,
~Niels



Bug#929171: unblock: espeakup/1:0.80-15

2019-05-18 Thread Niels Thykier
Control: tags -1 confirmed d-i

Samuel Thibault:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Hello,
> 
> As reported on Bug#929169, “the Linux kernel in Buster seems to take
> much longer (as much as 12s!) to detect some sound card such as the
> widespread Intel HDA. The current timeout in espeakup-udeb is thus way
> too short, and makes the Debian installer useless for blind people
> having such audio cards.”
> 
> In version 1:0.80-15 (debdiff attached) I have thus made the timeout
> longer. A proper solution would be to make espeakup startup event-based,
> but that would be very involved at this stage of development.
> 
> This version was confirmed to be fixing the issue on a few user systems.
> 
> Samuel
> 
> unblock espeakup/1:0.80-15
> 
> [...]

Ack from here; CC'ing KiBi for a d-i ack before it is fully unblocked.

Thanks,
~Niels



Bug#929029: unblock: apt-cacher-ng/3.2.1-1

2019-05-18 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Eduard Bloch:
> Control: retitle -1 [pre-approval] unblock: apt-cacher-ng/3.2.1-1
> 
> Hallo,
> * Niels Thykier [Wed, May 15 2019, 07:53:00PM]:
>> Control: tags -1 moreinfo
> 
> Sure, see attachments. As explained before, just a one-liner which uses
> existing functionality (same content as before, now from a real package
> build and git compare between tag/branch). If the meaning of the change
> is not understandable, please check the effect of forgiveDlErrors member
> in
> https://salsa.debian.org/blade/apt-cacher-ng/blob/upstream/sid/source/cacheman.cc
> and maybe related uses in
> https://salsa.debian.org/blade/apt-cacher-ng/blob/upstream/sid/source/expiration.cc
>  .
> 
> BTW, maybe I was not precise enough before: this is a request for
> pre-approval, the package is not uploaded yet.
> 
> Best Regards,
> Eduard.
> 

Thanks for the extra details. :)

Please go ahead with the change and remove the moreinfo tag when it has
been uploaded to unstable and it is ready to be unblocked.

Thanks,
~Niels



Bug#928770: sqlite3: CVE-2019-5018: Window Function Remote Code Execution Vulnerability

2019-05-18 Thread Niels Thykier
On Thu, 16 May 2019 20:09:52 +0200
László Böszörményi (GCS) wrote:
> Hi,
> 
> On Thu, May 16, 2019 at 11:57 AM Pirate Praveen
>  wrote:
> > On Fri, 10 May 2019 21:04:33 +0200 Salvatore Bonaccorso
> >  wrote:
> > > Source: sqlite3
> > > The following vulnerability was published for sqlite3.
> > > CVE-2019-5018[0]:
> > > Window Function Remote Code Execution Vulnerability
> > Could this be that commit? I have not checked thoroughly only looked at
> > the commit message.
> >
> > "Prevent aliases of window functions expressions from being used as
> > arguments to aggregate or other window functions."
> >
> > https://sqlite.org/src/info/1e16d3e8fc60d39c
>  Can be, but not sure. At least four sqlite 3.x issues reported
> recently and as I know, usually upstream is not informed about these.
> :-/
> 
> > > [1] 
> > > https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0777
> 
> Regards,
> Laszlo/GCS
> 
> 


According to the TALOS link from the initial mail, TALOS informed the
vendor and the vendor provided on the same day as that commit.

"""
Timeline

2019-02-05 - Vendor Disclosure
2019-03-07 - 30 day follow up with vendor; awaiting moderator approval
2019-03-28 - Vendor patched
2019-05-09 - Public Release
"""

So this implies that there is a patch and it would be dated no later
than 2019-03-28 (caveat emptor: Time zones).  It *might* be fixed in
3.28 (TALOS does not mention it as vulnerable), but the changelog does
not mention this explicitly[1].

Alternatively, it could be related to:
https://www.sqlite.org/src/info/4feb3159c6bc3f7e33959

This was released as a part of 3.27.2 and looks like it has the right
text as well.  What concerns me is that the ticket[0] is almost a week
before TALOS's timeline for "Vendor patched" plus it mentioned "free
that has not been malloc'ed" rather than "use after free".  That said,
the test case examples for both issues are similar.

Thanks,
~Niels

[0] Related and correct commit appears to be:
https://www.sqlite.org/src/info/a21ffcd8176672e7

(Based on https://www.sqlite.org/src/info/579b66eaa0816561)

[1] https://www.sqlite.org/draft/changes.html



Bug#923592: marble: diff for NMU version 4:17.08.3-3.2

2019-05-18 Thread Niels Thykier
Control: tags 923592 + patch
Control: tags 923592 + pending


Dear maintainer,

I've prepared an NMU for marble (versioned as 4:17.08.3-3.2) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards.

diff -Nru marble-17.08.3/debian/changelog marble-17.08.3/debian/changelog
--- marble-17.08.3/debian/changelog 2018-10-27 11:38:29.0 +
+++ marble-17.08.3/debian/changelog 2019-05-18 07:16:42.0 +
@@ -1,3 +1,13 @@
+marble (4:17.08.3-3.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+
+  [ Frédéric Bonnard ]
+  * Add Comment fields to the .desktop files as they are now
+required by the Appstream generator.  (Closes: #923592)
+
+ -- Niels Thykier   Sat, 18 May 2019 07:16:42 +
+
 marble (4:17.08.3-3.1) unstable; urgency=low
 
   * Non-maintainer upload.
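
Review bot: In the new 4:17.08.3-3.2 entry, the bullet under "[ Frédéric Bonnard ]" does not name the patch file it introduces, and it describes the reason as "required by the Appstream generator" while the header of fix-923592.patch in this same debdiff calls it an FTBFS caused by the desktoptojson converter. Suggest naming debian/patches/fix-923592.patch in the bullet and using one consistent description of the failure, so a reader of the changelog can tie the entry to the patch.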
diff -Nru marble-17.08.3/debian/patches/fix-923592.patch 
marble-17.08.3/debian/patches/fix-923592.patch
--- marble-17.08.3/debian/patches/fix-923592.patch  1970-01-01 
00:00:00.0 +
+++ marble-17.08.3/debian/patches/fix-923592.patch  2019-05-18 
07:14:54.0 +
@@ -0,0 +1,34 @@
+Description: Fix FTBFS due to missing comment/description
+ After that commit https://phabricator.kde.org/D16867, a description is
+needed in .desktop files.
+The keyword actually looked for by desktoptojson converter utility is
+"Comment=" .
+
+Author: Frédéric Bonnard 
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: marble-17.08.3/src/plasma/wallpapers/worldmap/metadata.desktop
+===
+--- marble-17.08.3.orig/src/plasma/wallpapers/worldmap/metadata.desktop
2017-10-20 03:52:49.0 +
 marble-17.08.3/src/plasma/wallpapers/worldmap/metadata.desktop 
2019-04-24 15:10:53.251732393 +
+@@ -23,6 +23,7 @@
+ Name[x-test]=xxWorld Mapxx
+ Name[zh_CN]=世界地图
+ Name[zh_TW]=世界地圖
++Comment=Shows a map of the world as wallpaper
+ Type=Service
+ Icon=marble
+ 
+Index: marble-17.08.3/src/plasma/applets/worldclock/package/metadata.desktop
+===
+--- marble-17.08.3.orig/src/plasma/applets/worldclock/package/metadata.desktop 
2017-10-20 03:52:49.0 +
 marble-17.08.3/src/plasma/applets/worldclock/package/metadata.desktop  
2019-04-24 15:09:41.781959847 +
+@@ -49,7 +49,7 @@
+ Name[x-test]=xxWorld Clockxx
+ Name[zh_CN]=世界时钟
+ Name[zh_TW]=世界時鐘
+-# not yet... Comment=Shows the time in different parts of the world
++Comment=Shows the time in different parts of the world
+ 
+ Icon=marble
+ Type=Service
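
Review bot: The DEP-3 header at the top of fix-923592.patch carries only Description and Author, and the continuation lines from "needed in .desktop files." onward lack the leading space that the first continuation line has, so they would not parse as part of the Description field. Suggest indenting them and adding Bug-Debian and Forwarded fields to record the bug and the upstream status. In the worldclock hunk, the Comment= line being enabled was commented out upstream with "# not yet...", so it is worth confirming with upstream why it was held back before switching it on.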
diff -Nru marble-17.08.3/debian/patches/series 
marble-17.08.3/debian/patches/series
--- marble-17.08.3/debian/patches/series2018-10-27 11:38:29.0 
+
+++ marble-17.08.3/debian/patches/series2019-05-18 07:15:08.0 
+
@@ -1,3 +1,4 @@
 do_not_install_private_headers
 kubuntu_disable-MarbleRunnerManagerTest.diff
 qt5.11.patch
+fix-923592.patch



Bug#928908: unblock: libdebian-installer/0.119

2019-05-18 Thread Niels Thykier
Niels Thykier:
> Control: tags -1 d-i confirmed
> 
> Asbjørn Sloth Tønnesen:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: unblock
>>
>> Please unblock libdebian-installer/0.119 fixing RC bug #55
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=55
>>
>> Changes:
>>   libdebian-installer (0.119) unstable; urgency=medium
>>
>>   [ Cyril Brulebois ]
>>    * Drop support for arm*/ixp4xx and arm*/iop32x; support for those
>>  platforms was removed from the Linux kernel and therefore d-i.
>>    * Remove Christian Perrier from Uploaders, with many thanks for all
>>  his contributions over the years! (Closes: #927544)
>>  .
>>    [ Bastian Blank ]
>>    * Enlarge maximum line length in Packages and Sources files.
>>  (closes: #55)
>>
>> [...]
>>
> 
> OK from here.  CC'ing KiBi for a d-i ack.
> 
> Thanks,
> ~Niels
> 

(This time with KiBi actually in CC... apologies for the delay).



Bug#929132: unblock (pre-approval): dbus/1.12.14-1

2019-05-17 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Simon McVittie:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> I would like to follow the dbus upstream 1.12.x stable branch in buster,
> like I did for 1.8.x in jessie and 1.10.x in stretch. I am an upstream
> maintainer and prepared all recent upstream releases.
> 
> If the timing of this release is not suitable to make it into
> buster r0, it might be a good idea to backport the changes related to
> _dbus_rlimit_raise_fd_limit() (Debian bug #928877) as a patch, so that
> *those* can go into r0. As a result I haven't uploaded to unstable yet,
> to keep it possible to upload a backport via unstable if you'd prefer.
> 
> Annotated diffstat for the attached diff, filtered with "filterdiff -p1
> --exclude=Makefile.in --exclude=aclocal.m4 --exclude=build-aux/ltmain.sh
> --exclude=configure --exclude='*/Makefile.in'
> --exclude=aminclude_static.am --exclude=m4/libtool.m4":
> 
> [...]
> 
> Release preparation.
> 
> Thoughts?
> 
> Thanks,
> smcv
> 

Hi Simon,

I am ok with these changes on the premise that you are ready to promptly
rollback to the bare minimum changes in case of regressions (regardless
of whether we see them before or after the migration).

If you agree with this, please go ahead with the upload and remove the
moreinfo tag once it is ready to be unblocked.

Thanks,
~Niels



Bug#929001: unblock: pacemaker/2.0.1-4

2019-05-17 Thread Niels Thykier
Ferenc Wágner:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package pacemaker
> 
> Dear Release Team,
> 
> Three security issues were discovered in Pacemaker, all of which were
> fixed by the GitHub pull request #1749.  The main point of this update
> is fixing these security bug #927714 by including the relevant changes
> of the pull request as quilt patches.
> 
> An additional change is bumping the debhelper compat level from 11 to
> 12 to avoid the effect of #887904, that is, the daemon-not-running on
> reinstall.  Selectively bumping the level for dh_installinit and
> dh_installsystemd didn't seem to gain anything in this case, because I
> had to disable dh_dwz anyway and the remaining changes don't affect this
> package.
> 
> The last user-visible fixup is shipping the /var/log/pacemaker (and
> /var/log/pacemaker/bundles) directories, to enable detailed logging in
> the default configuration (instead of provoking error messages).
> 
> The test change is just a shorter wait for cluster startup.  It isn't
> performance related, a wait is part of the startup sequence, we just
> have to wait a little longer than that.
> 
> Finally, I dropped a quilt patch (against the build system) which lost
> its relevance when the build system was fixed upstream several releases
> ago.
> 
> [...]
> 


Unblocked, thanks.
~Niels



Bug#928908: unblock: libdebian-installer/0.119

2019-05-15 Thread Niels Thykier
Control: tags -1 d-i confirmed

Asbjørn Sloth Tønnesen:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock libdebian-installer/0.119 fixing RC bug #55
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=55
> 
> Changes:
>   libdebian-installer (0.119) unstable; urgency=medium
> 
>   [ Cyril Brulebois ]
>    * Drop support for arm*/ixp4xx and arm*/iop32x; support for those
>  platforms was removed from the Linux kernel and therefore d-i.
>    * Remove Christian Perrier from Uploaders, with many thanks for all
>  his contributions over the years! (Closes: #927544)
>  .
>    [ Bastian Blank ]
>    * Enlarge maximum line length in Packages and Sources files.
>  (closes: #55)
> 
> [...]
> 

OK from here.  CC'ing KiBi for a d-i ack.

Thanks,
~Niels



Bug#929029: unblock: apt-cacher-ng/3.2.1-1

2019-05-15 Thread Niels Thykier
Control: tags -1 moreinfo

Eduard Bloch:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please advise how to process with a required fix for the package 
> apt-cacher-ng.
> 
> The change is a one-liner and solves the bug #928957. Without it, the
> cache cleanup will fail for a lot of people in the next couple of years.
> But it touches the upstream source, that's why I would like to release
> it as minor upstream version (3.2.1, currently 3.2, and I am the
> upstream).
> 
> I remember how you handled a similar request of mine a couple of years
> ago, and this time I DEMAND a proper response here before I upload
> anything. Please don't ignore it again for weeks and don't tell me that
> this change is impossible to understand or to estimate WRT consequences;
> it is using an already existing interface in the exact usecase it was
> designed for. (see below)
> 
> Best regards,
> Eduard.
> 
> [...]

Hi Eduard,

I acknowledge that you were not happy with our handling of your previous
unblock request for apt-cacher-ng about two releases ago.  However, I do
not feel this request/email - i.e. the third paragraph of it - is a
productive nor a professional way to go about it.

I will refuse to consider this request at its current tone, but I am
willing to review one written in a professional manner.

Thanks,
~Niels



Bug#928172: fixing debian-security-support upgrades from stretch (for good)

2019-05-13 Thread Niels Thykier
Sean Whitton:
> Hello,
> 
> On Mon 13 May 2019 at 11:52AM +00, Holger Levsen wrote:
> 
>> [re-sent with debian-release list address corrected...]
> 
> Also resending.  Sorry.
> 
>> so there is "#928172 debian-security-support: fails to upgrade from 
>> 'testing':
>> dpkg: error: error executing hook" which happens when base-files is upgraded
>> before debian-security-support (but doesn't happen if d-s-s is upgraded
>> first...)
>>
>> So I think this can only be fixed properly (=without asking people to
>> upgrade to the latest stretch pointrelease but instead allowing upgrades
>> to buster from *any* stretch pointrelease) by adding a "pre-depends:
>> debian-security-support (>= 2019.04.25)" to base-files in buster.
> 
> I didn't think we supported upgrades from anything but the latest point
> release of the previous stable release?
> 
> My belief is based on the release notes saying that you should upgrade
> to the latest point release first.
> 

My understanding is that we prefer that upgrade paths work regardless
of which minor version of the stable release you upgrade from (to the
extent possible).

Thanks,
~Niels



Bug#928939: unblock: hello/2.10-2

2019-05-13 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Santiago Vila:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Hello. I'm asked to make a release of hello to fix the version skew
> created by the test security upload for stretch. Since this package
> serves as example, there are several things that I could fix as well,
> but I consider "safe enough" the ones in this debdiff.
> 
> This is not uploaded yet. Waiting for approval.
> 
> Thanks.
> 
> [...]
> 

Please go ahead with the upload and remove the moreinfo tag once it is
uploaded and ready to be unblocked.

Thanks,
~Niels



Bug#928889: debhelper: dh_autoreconf says "sh: 1: build-aux/git-version-gen: not found"

2019-05-12 Thread Niels Thykier
Control: tags -1 moreinfo

Santiago Vila:
> Package: debhelper
> Version: 12.1.1
> 
> Hello Niels.
> 

Hi,

> I tried using compat version 12 in package "hello" and this is what happened:
> 

For reference/FYI, I suspect this will happen already at compat 10 or
later (I noted that hello in sid uses compat 9 and compat 10 is the
first to use dh_autoreconf by default).

> sh: 1: build-aux/git-version-gen: not found
> sh: 1: build-aux/git-version-gen: not found
> sh: 1: build-aux/git-version-gen: not found
> sh: 1: build-aux/git-version-gen: not found
> sh: 1: build-aux/git-version-gen: not found
> 
> Is this normal/expected/safe?
> 
> I'd like to see it documented somewhere.
> 
> Thanks.
> 

I think this is because of two things:

 1) The source does not include build-aux/git-version-gen
 2) The configure.ac references build-aux/git-version-gen and appears
to use it unconditionally[1]

So when dh_autoreconf does its job of regenerating the build scripts
from configure.ac, then it will trigger those warnings because of the
above.  I.e. this is a "hello"-specific issue.

Not sure what the proper fix is here.  Options include:

 * Have upstream include build-aux/git-version-gen in the source
   - Though it may need git and a git repo to work properly, so this
     might only make sense from the PoV of ensuring that we have the
     complete source of the build scripts.

 * Patch configure.ac to *not* rely on the build-aux/git-version-gen
   script

 * Skip reconfiguration by overriding dh_autoreconf (see [2] as an
   example).

I hope the above answers your question.

Thanks,
~Niels

[1]: https://sources.debian.org/src/hello/2.10-1/configure.ac/#L12

[2]:
"""
# Skip dh_autoreconf because .
override_dh_autoreconf:
"""



Bug#928428: unblock: [pre-approval] wicd/1.7.4+tb2-7

2019-05-12 Thread Niels Thykier
Control: tags -1 moreinfo

Axel Beckert:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> In the light of dhcpcd5 autoremoval (#928056, #928104, #928105), I'd
> like to upload a wicd package which relies less on dhcpcd5.  [...]
> 
> [...]
> 

Hi Axel,

Thanks for looking at improving wicd.

AFAICT, the dhcpcd5 issues have been fixed and wicd is at the moment not
at risk of being removed from testing on that account.  If so, then I
would prefer deferring these changes to bullseye in general to reduce
the risks of regressions in testing at the moment.

Thanks,
~Niels



Bug#926681: unblock: acme-tiny/1:4.0.4-1

2019-05-12 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Samuel Henrique:
> I do understand that this is a new upstream release but it should be
> unblocked because it's a 198 line python script.
> 
> If we don't fix this, then acme-tiny will have to be removed from Buster.
> 
> @LetsEncrypt team, do you have any words on this?
> 


Sorry for the delay on this.

Please go ahead with the upload and remove the moreinfo tag once it is
in unstable and ready to be unblocked.

Thanks,
~Niels



Bug#904309: tilda: diff for NMU version 1.4.1-2.1

2019-05-11 Thread Niels Thykier
Sebastian Geiger:
> Hi Niels,
> 
> Thanks for the upload. It looks good to me. I think you can push that to the 
> repository. 
> 
> Best Regards
> Mit freundlichen Grüßen
> Dipl. Ing. Sebastian Geiger
> 
> [...]

Hi Sebastian,

Thanks for your feedback.

Just to confirm, when you wrote "push that to the repository", did you
mean push changes to the git repo on salsa (master branch) or remove the
delay of the upload to the archive (or both)?

Thanks,
~Niels



Bug#928489: unblock: spf-engine/2.9.0-4

2019-05-11 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Scott Kitterman:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package spf-engine
> 
> It's just been reported that postfix-policyd-spf-python is missing a
> depends on python3-pkg-resources, which caused me to discover it's also
> missing for pyspf-milter from the same source package.
> 
> This was not found up to this point because on most systems it is pulled
> in by another package.  The fix is minimal and has no regression risk
> (see attached debdiff).
> 
> Scott K
> 
> unblock spf-engine/2.9.0-4
> 

Hi,

Please upload the package to unstable and remove the moreinfo tag when
it is ready to be unblocked.

Thanks,
~Niels



Bug#904309: tilda: diff for NMU version 1.4.1-2.1

2019-05-11 Thread Niels Thykier
Control: tags 904309 + patch
Control: tags 904309 + pending


Dear maintainer,

I've prepared an NMU for tilda (versioned as 1.4.1-2.1) and
uploaded it to DELAYED/7. Please feel free to tell me if I
should delay it longer.

Regards.

diff -Nru tilda-1.4.1/debian/changelog tilda-1.4.1/debian/changelog
--- tilda-1.4.1/debian/changelog2018-02-18 20:08:42.0 +
+++ tilda-1.4.1/debian/changelog2019-05-11 13:04:23.0 +
@@ -1,3 +1,15 @@
+tilda (1.4.1-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Import patch from upstream to set ensure tilda is run
+under the X11 backend.  This prevents crashes when the
+window manager uses Wayland by default.
+(Closes: #904309)
+  * Ret Rules-Requires-Root to no as tilda does not need
+(fake)root for building the debs.
+
+ -- Niels Thykier   Sat, 11 May 2019 13:04:23 +
+
 tilda (1.4.1-2) unstable; urgency=medium
 
   [ Sebastian Geiger ]
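Review bot: The two new changelog bullets have wording slips: "to set ensure tilda is run" should read "to ensure tilda is run", and "Ret Rules-Requires-Root to no" should read "Set Rules-Requires-Root to no". The trailer line shows no address between the name and the date; if that is not just how the archive renders the mail, it needs the usual "Name <address>" form before upload.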
diff -Nru tilda-1.4.1/debian/control tilda-1.4.1/debian/control
--- tilda-1.4.1/debian/control  2018-02-18 19:46:04.0 +
+++ tilda-1.4.1/debian/control  2019-05-11 11:30:38.0 +
@@ -5,6 +5,7 @@
 Build-Depends: debhelper (>= 11), autopoint, pkg-config, libgtk-3-dev, 
libvte-2.91-dev, libconfuse-dev
 Standards-Version: 4.1.3
 Homepage: http://github.com/lanoxx/tilda
+Rules-Requires-Root: no
 Vcs-Git: https://salsa.debian.org/debian/tilda.git
 Vcs-Browser: https://salsa.debian.org/debian/tilda
 
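Review bot: The added "Rules-Requires-Root: no" is unrelated to #904309 and widens the NMU beyond the targeted crash fix. The changelog does list it as a separate item, but for a non-maintainer upload I would either drop it or say in the cover mail that the package was built without (fake)root and the resulting .debs were compared against a normal build.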
diff -Nru tilda-1.4.1/debian/patches/02_set_supported_backend_to_X11.patch 
tilda-1.4.1/debian/patches/02_set_supported_backend_to_X11.patch
--- tilda-1.4.1/debian/patches/02_set_supported_backend_to_X11.patch
1970-01-01 00:00:00.0 +
+++ tilda-1.4.1/debian/patches/02_set_supported_backend_to_X11.patch
2019-05-11 11:29:06.0 +
@@ -0,0 +1,25 @@
+From 606b655d8d811f880d610dead7d6943a33199deb Mon Sep 17 00:00:00 2001
+From: Roman Hoellen 
+Date: Mon, 30 Apr 2018 09:18:49 +0200
+Subject: [PATCH] Set supported backend to X11
+Upstream-Commit: 
https://github.com/lanoxx/tilda/commit/606b655d8d811f880d610dead7d6943a33199deb.patch
+Forwarded: Not-needed
+
+---
+ src/tilda.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/tilda.c b/src/tilda.c
+index 8aa69828..92ce46c4 100644
+--- a/src/tilda.c
 b/src/tilda.c
+@@ -686,6 +686,9 @@ int main (int argc, char *argv[])
+ g_log_set_default_handler (tilda_log_handler, NULL);
+ #endif
+ 
++/* Set supported backend to X11 */
++gdk_set_allowed_backends ("x11");
++
+ tilda_window tw;
+ /* NULL set the tw pointers so we can get a clean exit on initialization 
failure */
+ memset(, 0, sizeof(tilda_window));
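Review bot: gdk_set_allowed_backends ("x11") only has an effect if it runs before GDK opens the display, and the context lines of this hunk do not show where gtk_init() sits relative to the new call; please confirm the call is ahead of it in main(). In the patch header, "Upstream-Commit:" is not a DEP-3 field; "Origin: upstream, <commit URL>" carries the same information, and since the change is already in upstream's repository, "Applied-Upstream:" describes it better than "Forwarded: Not-needed".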
diff -Nru tilda-1.4.1/debian/patches/series tilda-1.4.1/debian/patches/series
--- tilda-1.4.1/debian/patches/series   2018-02-18 19:48:15.0 +
+++ tilda-1.4.1/debian/patches/series   2019-05-11 11:30:38.0 +
@@ -1 +1,2 @@
 01_install_metadata_in_new_location.patch
+02_set_supported_backend_to_X11.patch



Bug#928046: dosbox: input issues under Wayland (some keys not behaving)

2019-05-11 Thread Niels Thykier
On Fri, 26 Apr 2019 23:14:59 +0200 Stephen Kitt  wrote:
> Hi Jonathan,
> 
> On Fri, 26 Apr 2019 20:05:34 +0100, Jonathan Dowland  wrote:
> > Under GNOME/Wayland, when I launch DOOM2.EXE under DOSBOX, the arrow keys
> > are not recognised. Other keys are (ESC in particular works) and I can type
> > alphanumeric keys w/o error. DOOM relies upon raw keyboard input from DOS.
> > 
> > Logging into GNOME/Xorg and the problem goes away.
> 
> Thanks for the bug report. Does setting
> 
>   usescancodes=false
> 
> in dosbox-0.74-2.conf help?
> 
> Regards,
> 
> Stephen

Hi Jonathan,

Have you tried Stephen's suggestion of setting "usescancodes" and see if
that fixes the issue?

Thanks,
~Niels



Bug#928715: testing-pu: groonga/9.0.0-1+deb10u1

2019-05-11 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

On Thu, 9 May 2019 23:10:14 +0900 Kentaro Hayashi wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock groonga package:
> 
> * It fixes #928304.
>   The bug is reported against 6.1.5-1 on stretch, but it needs to be fixed on
>   testing and unstable package too, so I've prepared the update.
> 
> Note that it is already packaged on testing (9.0.0-1) and unstable (9.0.1-1).
> 9.0.1-1 contains unrelated changes to #928304, so based on freeze policy,
> it seems that update package (9.0.0-1+deb10u1) should be uploaded to
> testing-proposed-updates explicitly.
> 
> Here is the debdiff:
> 
> [...]

Hi,

Please go ahead with the upload and remove the moreinfo tag when the
upload is in tpu and ready to be unblocked.

Thanks,
~Niels



Bug#928675: debhelper: dh_dwz fails on /usr/bin/slt (it has no .debug_info section)

2019-05-08 Thread Niels Thykier
Control: tags -1 moreinfo

Daniel Kahn Gillmor:
> Package: debhelper
> Version: 12.1.1
> Severity: normal
> 
> using debhelper 12 on the slt package, i get the following error:
> 
>dh_dwz -O--buildsystem=golang
> dh_dwz: dwz -q -- debian/slt/usr/bin/slt returned exit code 1
> make: *** [debian/rules:5: binary] Error 1
> dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 
> 2
> debuild: fatal error at line 1182:
> 
> 
> if i try to run dwz by hand, i see:
> 
> 0 dkg@alice:~/src/slt/slt$ dwz debian/slt/usr/bin/slt 
> dwz: debian/slt/usr/bin/slt: .debug_info section not present
> 1 dkg@alice:~/src/slt/slt$ 
> 
> I'm currently overriding dh_dwz to avoid /usr/bin/slt in that package
> to get it to build cleanly.
> 
> Feel free to replicate on a debian unstable VM with:
> 
> sudo apt build-dep slt
> sudo apt install devscripts git-buildpackage
> debcheckout slt
> cd slt
> sed -i 's/.*dwz.*//' debian/rules
> gbp buildpackage -uc -us --git-ignore-new
> 
> thanks for maintaining debhelper!
> 
>--dkg
> 
> [...]

Hi,

Just to confirm, isn't the fundamental issue that slt is compiled
without debug symbols?  At least, that is what I gather from the
situation (admittedly, without having had time to build slt directly).

Thanks,
~Niels



Bug#880638: release-notes: Document apt sandbox support [buster]

2019-05-05 Thread Niels Thykier
On Sun, 24 Mar 2019 20:49:46 +0100 Paul Gevers  wrote:
> Control: tags -1 moreinfo
> 
> Hi all,
> 
> On Tue, 12 Feb 2019 21:34:00 +0000 Niels Thykier  wrote:
> > On Fri, 03 Nov 2017 07:37:12 +0100 Niels Thykier  wrote:
> > > Package: release-notes
> > > Severity: wishlist
> > > 
> > > --- News for apt (libapt-pkg5.0 libapt-inst2.0) ---
> > > apt (1.6~alpha1) unstable; urgency=medium
> > > 
> > >   All methods provided by apt except for cdrom, gpgv, and rsh now
> > >   use seccomp-BPF sandboxing to restrict the list of allowed system
> > >   calls, and trap all others with a SIGSYS signal. Three options
> > >   can be used to configure this further:
> > > 
> > > APT::Sandbox::Seccomp is a boolean to turn it on/off
> > > APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
> > > APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow
> > > 
> > >   Also, sandboxing is now enabled for the mirror method.
> > > 
> > >  -- Julian Andres Klode   Mon, 23 Oct 2017 01:58:18 +0200
> > > 
> > > 
> > > Seems like it would be prudent to mention that in the release-notes
> > > for buster.
> > > 
> > > Thanks,
> > > ~Niels
> > > 
> > > 
> > 
> > Note to self/update: The feature is (now) *off* by default (see #890489).
> 
> So, should we still mention this? At least it should only go into the
> whats-new section now.
> 
> Paul
> 
> 

I think it would make sense for two reasons:
 1) We had a severe security bug in apt recently and while sandboxing
would not have prevented it, it still shows that the apt developers
have been working on hardening apt in general and against future
threats.
 2) We advertise apparmor as a new default/recommendation to harden
Debian.  The apt sandboxing would strengthen the image of buster
providing better (opt-in) security compared to stretch.

But yes, it should certainly only be in "whats-new" given it is opt-in.

Thanks,
~Niels
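
An added example (not part of this thread and not apt's own code): a small Python audit of the three options quoted in the NEWS entry above, run over `apt-config dump`-style output. The sample lines, the syscall names and the set of boolean spellings accepted are assumptions made for the illustration.

```python
"""Audit apt's seccomp sandbox options from `apt-config dump` style output."""

PREFIX = "apt::sandbox::seccomp"  # apt option names are matched case-insensitively here
# Assumption: the usual boolean spellings count as "on".
TRUE_WORDS = {"1", "true", "yes", "on", "with", "enable"}

# Constructed sample (not captured from a real system; syscall names are
# illustrative). List items appear as `Key:: "value";`, scalars as `Key "value";`.
SAMPLE_DUMP = """\
APT "";
APT::Architecture "amd64";
APT::Sandbox "";
APT::Sandbox::Seccomp "true";
APT::Sandbox::Seccomp::Allow "";
APT::Sandbox::Seccomp::Allow:: "getdents64";
APT::Sandbox::Seccomp::Allow:: "socketpair";
APT::Sandbox::Seccomp::Trap "";
APT::Sandbox::Seccomp::Trap:: "socketpair";
"""


def parse_dump(text):
    """Split dump lines into scalar options and list options."""
    scalars, lists = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.endswith(";"):
            continue  # not an option line
        key, _, rest = line[:-1].partition(" ")
        value = rest.strip()
        if len(value) < 2 or not (value[0] == value[-1] == '"'):
            continue  # value is not a quoted string
        key, value = key.lower(), value[1:-1]
        if key.endswith("::"):
            lists.setdefault(key[:-2], []).append(value)
        else:
            scalars[key] = value
    return scalars, lists


def audit_seccomp(text):
    """Report whether the sandbox is on and which entries need review."""
    scalars, lists = parse_dump(text)
    # An absent option counts as off: the thread notes the feature is opt-in.
    enabled = scalars.get(PREFIX, "").strip().lower() in TRUE_WORDS
    allow = lists.get(PREFIX + "::allow", [])
    trap = lists.get(PREFIX + "::trap", [])
    findings = []
    if not enabled:
        findings.append("sandbox off: APT::Sandbox::Seccomp is not set to true")
        if allow or trap:
            findings.append("Allow/Trap entries present while the sandbox is off")
    for name in allow:
        if name in trap:
            # The NEWS text does not say which list wins, so flag it.
            findings.append(f"{name}: listed in both Allow and Trap")
        else:
            findings.append(f"{name}: extra syscall allowed, widens the sandbox")
    return {"enabled": enabled, "allow": allow, "trap": trap,
            "findings": findings}


if __name__ == "__main__":
    report = audit_seccomp(SAMPLE_DUMP)
    print("seccomp sandbox enabled:", report["enabled"])
    for finding in report["findings"]:
        print(" -", finding)
```

On a real system the input would come from running `apt-config dump` and passing its output to `audit_seccomp`.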



Bug#928407: unblock: bind9/1:9.11.5.P4+dfsg-5

2019-05-05 Thread Niels Thykier
Control: tags -1 d-i confirmed

Bernhard Schmidt:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package bind9
> 
> -4 and -5 have the following changes over -3 currently in testing.
> 
> - CVE-2018-5743 (Bug#927923)
>   The patch for this have been pulled directly from upstream. There is an
>   additional patch needed for platforms without atomic support
> - Some additions to the AppArmor policy
>   The seldomly used case of bind9 directly serving ActiveDirectory zones from
>   Samba through a DLZ (Dynamically Loadable Zone) module was quite broken
>   before because Samba in Buster changed some important paths and the AppArmor
>   policy only really got enforced in Buster. Thanks to Steven Monai for filing
>   bugs (928398, 920530) this should be fixed. I consider it low-risk because it
>   only adds paths.
> - During Buster EDDSA crypto was temporarily disabled because it added a
>   dependency on OpenSSL 1.1.1, which was at that point preventing testing
>   migration. In our eyes it makes no sense to keep it disabled. Ed448 is
>   currently broken upstream
>   (https://gitlab.isc.org/isc-projects/bind9/issues/225) so there is an
>   additional patch to keep that disabled.
> 
> -4 has been in sid for more than a week without reported regressions, -5 only
> adds a single line to the AppArmor policy
> 
> unblock bind9/1:9.11.5.P4+dfsg-5
> 

Hi,

I have flagged it as ok from the RT PoV and am CC'ing KiBi for a d-i
review before it is finally unblocked.

Thanks,
~Niels



Bug#928395: unblock: apt/1.8.1

2019-05-05 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Julian Andres Klode:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package apt
> 
> I'd like to add systemd inhibitor support to apt in buster, so people
> don't shoot each other in the foot, in case one admin reboots a machine
> while somebody else is installing patches.
> 
> The diff is quite small.
> 
> I'd also love to smuggle in some additional kernel package names in
> debian/apt.conf.autoremove - they don't really affect, only Ubuntu - we
> share the 1.8.y series for like 9 mo, but it's not an invasive change
> (there's like 0 potential of a regression), I think they are:
> 
>   linux-buildinfo
>   linux-image-unsigned
>   linux-source
> 
> But I have not committed them yet.
> 
> unblock apt/1.8.1
> 
> [...]


Hi,

Please go ahead with the upload and remove the moreinfo tag when it is
in unstable and ready to be unblocked.

Thanks,
~Niels



Bug#928455: [pre-a] unblock: perl6-zef/0.6.2-2

2019-05-05 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Mo Zhou:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-CC: Robert Lemmen , Dominique Dumont 
> 
> 
> Please unblock package perl6-zef
> 
> (explain the reason for the unblock here)
> 
> As I reported in #928454, the outdated mirror URL list renders zef,
> the perl6 package manager nearly unusable:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928454
> 
> Luckily we can fix the package for Buster by simply updating the list:
> https://github.com/ugexe/zef/blob/master/resources/config.json#L60-L62
> I asked upstream author on IRC and they acked that the mirror list is
> not likely to be changed for the Buster lifecycle.
> 
> (include/attach the debdiff against the package in testing)
> 
> ```
> --- config.json.orig  2019-05-05 03:31:08.251673414 +
> +++ config.json   2019-05-05 03:32:01.71262 +
> @@ -57,10 +57,9 @@
>  "name" : "p6c",
>  "auto-update" : 1,
>  "mirrors" : [
> -"http://ecosystem-api.p6c.org/projects1.json;,
> -"http://ecosystem-api.p6c.org/projects.json;,
> +
> "https://raw.githubusercontent.com/ugexe/Perl6-ecosystems/master/p6c1.json;,
>  "git://github.com/ugexe/Perl6-ecosystems.git",
> -
> "https://raw.githubusercontent.com/ugexe/Perl6-ecosystems/master/p6c1.json;
> +"http://ecosystem-api.p6c.org/projects1.json;
>  ]
>  }
>  },
> ```
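Review bot: The reordered "mirrors" list still ends with a plain-http entry (http://ecosystem-api.p6c.org/projects1.json) and keeps the git:// entry, so whenever the https URL is unreachable the package index is fetched over a transport with no integrity protection. If ecosystem-api.p6c.org is the outdated mirror behind #928454, I would drop that entry rather than demote it to last place, and say in d/changelog why the remaining fallback is kept.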
> 
> unblock perl6-zef/0.6.2-2
> 
> [...]
> 


Hi,

Please go ahead with the upload and remove the moreinfo tag when it is
in unstable and ready to be unblocked.

For future reference:
 * We generally need the full debdiff to know exactly what we will be
   approving.  In this case, I assumed you need that change plus an
   upload to d/changelog only (hopefully sparing us from a round trip)
 * Assuming this is indeed the only change, it would have been faster
   and easier for both parties if you had uploaded it to sid in parallel
   with the unblock request.
   - I appreciate that you may prefer a "rather safe than sorry"-
     approach, which is greatly appreciated with potential risky
     changes.


Thanks,
~Niels



Bug#928448: unblock: mmdebstrap/0.4.1-3

2019-05-05 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Johannes 'josch' Schauer:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Hello release team!
> 
> [...]
>
> I find especially support for old apt versions and derivative
> distributions important. If you tell me to go ahead, then I would need:
> 
> unblock mmdebstrap/0.4.1-3
> 
> All the patches I list in the following are attached to this mail as
> part of a debdiff where I applied all of them.
> 
> [...]
> 

Hi,

Please go ahead with the upload and remove the moreinfo tag when it is
in unstable and ready to be unblocked.

Thanks,
~Niels



Bug#928281: unblock: lemonldap-ng/2.0.2+ds-7 (pre-approval)

2019-05-01 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Xavier Guimard:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package lemonldap-ng
> 
> Hi all,
> 
> upstream authors of lemonldap-ng have updated language translations. I
> imported updated translation files in a patch. Do you think it is
> opportune to update lemonldap-ng package to have better l10n support in
> Buster?
> 
> Cheers,
> Xavier
> 
> unblock lemonldap-ng/2.0.2+ds-7
> 
> [...]

Please go ahead with the upload and remove the moreinfo tag when it is
in unstable and ready to be unblocked.

Thanks,
~Niels



Bug#926992: unblock: sia/1.3.0-1.1

2019-04-29 Thread Niels Thykier
Andreas Beckmann:
> Control: reopen -1
> Control: retitle -1 unblock: sia/1.3.0-1.1~deb10u1 [t-p-u]
> 
> On 2019-04-29 07:42, Niels Thykier wrote:
>> Ok, can you prepare a t-p-u upload to fix this directly in testing then?
> 
> What is the correct (or preferred) distribution for t-p-u uploads ?
> "buster" or "testing-proposed-updates" ? Attached patch uses the latter.
> 
> 
> Andreas
> 

Either way should work.

I think there is a slight preference for buster-proposed-updates because
it automatically updates in case buster becomes stable before the upload
is complete (but it has been a while since someone asked me).

Please go ahead with the upload, btw. :)

Thanks,
~Niels



Bug#926992: unblock: sia/1.3.0-1.1

2019-04-28 Thread Niels Thykier
Andreas Beckmann:
> On 2019-04-18 13:18, Niels Thykier wrote:
>> Andreas Beckmann:
>>> This NMU adds 'missingok' to the logrotate config, fixing piuparts
>>> unblock sia/1.3.0-1.1
>> Unblocked, thanks.
> 
> This is stuck behind golang-golang-x-sys.
> 
> Andreas
> 

Ok, can you prepare a t-p-u upload to fix this directly in testing then?

Thanks,
~Niels



Bug#928081: unblock: matrix-synapse/0.99.2-3.1

2019-04-28 Thread Niels Thykier
On Sat, 27 Apr 2019 12:30:03 -0400 Antoine Beaupre wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package matrix-synapse
> 
> The package currently in buster generates gigabytes of logs which can
> easily fill up disks on servers (RC bug #927057).
> 
> The following patch fixes the problem, and I can upload the fix
> if this is approved.
> 
> unblock matrix-synapse/0.99.2-3.1
> 
> [...]

Unblocked, thanks.
~Niels



Bug#928092: unblock: youtube-dl/2019.01.17-1.1

2019-04-28 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Antoine Beaupre:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package youtube-dl
> 
> youtube-dl, as often happens, has already lagged behind the youtube
> interface and cannot download stuff from there at all (RC bug #927862)
> 
> The attached patch (provided by carnil) fixes the issue.
> 
> unblock youtube-dl/2019.01.17-1.1
> 
> [...]

Please go ahead with the upload and remove the moreinfo tag once it is
in unstable and ready to be unblocked.

Thanks,
~Niels



Bug#928094: unblock (pre-approval): mutter/3.30.2-7

2019-04-27 Thread Niels Thykier
Control: tags -1 moreinfo confirmed


Simon McVittie:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> While preparing gnome-shell/3.30.2-9 (see separate unblock request) I
> thought I should also look into updating the closely-related mutter
> package from the upstream gnome-3-30 stable branch.
> 
>> [...] 
> 
> OK to upload?
> 
> Thanks,
> Simon
> 

Please go ahead with the upload and remove the moreinfo tag once the
upload is in unstable and ready to be unblocked.

Thanks,
~Niels



Bug#928093: unblock (pre-approval): gnome-shell/3.30.2-9

2019-04-27 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Simon McVittie:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Now that gnome-shell's RC bugs are (hopefully) dealt with, I'd like
> to update gnome-shell with the remaining bug fixes from the upstream
> gnome-3-30 branch, backported from 3.32.x development.
> 
>> [...]
> 
> Proposed diff attached, filtering out the translation update patches for
> brevity. Is this (plus a `dch -r`) suitable for upload to unstable?
> 
> Thanks,
> smcv
> 

Please go ahead with the upload and remove the moreinfo tag once the
upload is in unstable and ready to be unblocked.

Thanks,
~Niels



Bug#928090: unblock: ipywidgets/6.0.0-4

2019-04-27 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Sergio Durigan Junior:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Hi there,
> 
> I'd like to request the unblock of ipywidgets, please.  The current
> package in buster FTBFS due to a small JavaScript issue (RC bug #926802)
> in the build system of the package.  The patch below fixes the problem;
> I'm a member of the Python team, and can upload the fix if
> approved/needed.
> 
> Thanks,
> 

Please go ahead with the upload and remove the moreinfo tag when it is
in unstable and ready to be unblocked.

Thanks,
~Niels



Bug#928081: unblock: matrix-synapse/0.99.2-3.1

2019-04-27 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Antoine Beaupre:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package matrix-synapse
> 
> The package currently in buster generates gigabytes of logs which can
> easily fill up disks on servers (RC bug #927057).
> 
> The following patch fixes the problem, and I can upload the fix
> if this is approved.
> 
> unblock matrix-synapse/0.99.2-3.1
> 
> [...]
> 


Hi,

The changes look good from an RT PoV.  Please remove the moreinfo tag
when it has been uploaded and is ready to be unblocked.

Thanks,
~Niels



Bug#927958: [pre-a] unblock: utf8proc/2.3.0-1

2019-04-27 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Mo Zhou:
> Hi,
> 
> Here are some incremental updates to 2.3.0-1 following the last mail:
> 
> +  * Patch: update unicode-data version strings to 12.1.0
> 
> Upstream code hard-coded unicode-data version in the code. I need to
> patch those string literals.
> 
> +  * Patch: Upstream didn't bump minor version in build system and header.
> 
> Upstream forgot to bump "MINOR" from 2 to 3 in the build system.
> 
> +  * Install the newly-added pkgconfig file. (Closes: #927260)
> 
> a very simple pkg-config file.
> 
> On Sat, Apr 27, 2019 at 02:38:44AM +, Mo Zhou wrote:
>> control: tags -1 -moreinfo
>>
>> Hi,
>>
>> Debdiff has been attached. The patch is enormously large (3MB) but
>> 99.9% of the content is automatically generated from unicode-data.
>> See my extremely detailed comments to diffstat below:
>>
>> [...]

Thanks for this. :)

Please go ahead with the proposed changes and remove the moreinfo tag
once it is in unstable and ready to be unblocked.

Thanks,
~Niels



Bug#927850: unblock: htslib/1.9-11

2019-04-26 Thread Niels Thykier
Control: tags -1 moreinfo

Andreas Tille:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package htslib
> 
> 
> [...]
> 
> 
> unblock htslib/1.9-11
> 
> [...]

Hi,

Please file a bug against ftp.debian.org requesting the removal of
htslib on i386.  Without this removal, htslib cannot migrate to testing
regardless of whether we unblock it or not.

Please include the bug id of that removal bug in a follow up and remove
the moreinfo bug when the removal bug has been filed.

Thanks,
~Niels



Bug#927912: unblock: gcalcli/4.0.4-2 (pre-approval)

2019-04-26 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Unit 193:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Howdy,
> 
> Pending approval, I'm uploading a version of gcalcli which contains an 
> upstream patch to fix the reliance on the Google shortening service.
> 
> If a user invokes one of the subcommands with '--details url', the 
> application hits traceback issues as the service has been shut down.
> 
> See https://github.com/insanum/gcalcli/issues/440 for more details of the 
> problem.
> 
> 
> The changelog reads:
> 
> gcalcli (4.0.4-2) unstable; urgency=medium
> 
>   * d/p/remove_url_shortening.patch: Remove the deprecated goo.gl service.
> 
>  -- Unit 193   Wed, 24 Apr 2019 19:46:16 -0400
> 
> 
> And debdiff:
> 
> [...]
> 

Please go ahead with the upload and remove the moreinfo tag when it is
in unstable and ready to be unblocked.

Thanks,
~Niels



Bug#927958: [pre-a] unblock: utf8proc/2.3.0-1

2019-04-26 Thread Niels Thykier
Control: tags -1 moreinfo

Mo Zhou:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package utf8proc
> 
> (explain the reason for the unblock here)
> 
> I'm astonished that the unicode (11.* -> 12.*) transition happened at
> such a deep freeze stage. utf8proc is tightly coupled with the
> unicode-data version, and the new unicode-data version incurred FTBFS:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927941
> 
> The simplest way to fix this bug is to bump utf8proc to 2.3.0
> 
> (include/attach the debdiff against the package in testing)
> 
> According to upstream NEWs/changelog
> https://github.com/JuliaStrings/utf8proc/commit/eb39b060e7e518941a912e1f51bae1cc6316f547
> And the commit history (97ef668 -> 454f601)
> https://github.com/JuliaStrings/utf8proc/commits/master
> The major change from 2.2.0 (testing) to 2.3.0 (not yet packaged)
> is the support for unicode-data (= 12). There is no breaking change.
> So I request an unblock for 2.3.0-1
> 
> unblock utf8proc/2.3.0-1
> 
> [...]
> 

Please include a full debdiff of the changes.  The link to a master
branch with no clear marking of start/end commits makes it too time
consuming for us to evaluate the request.

Thanks,
~Niels



Bug#927980: unblock: librsvg/2.44.10-2.1 (pre-approval)

2019-04-26 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Boyuan Yang:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-CC: pkg-gnome-maintain...@lists.alioth.debian.org
> 927...@bugs.debian.org
> 
> Hello all,
> 
> I have prepared an NMU to fix bug https://bugs.debian.org/927886 .
> This bug in librsvg caused deepin-image-viewer to crash on startup.
> The patch is picked
> from upstream git trunk. The full debdiff is pasted in this mail.
> 
> I have confirmed that deepin-image-viewer will no longer crash with this 
> patch.
> 
> The upload hasn't been made yet. Please let me know if it looks okay
> to you and I'll upload the NMU later.
> 
> --
> Thanks,
> Boyuan Yang
> 
> [...]

Please go ahead with the upload and remove the moreinfo tag when the
upload is in unstable and ready to be unblocked.

Thanks,
~Niels



Bug#927901: unblock: lucene-solr/3.6.2+dfsg-19

2019-04-24 Thread Niels Thykier
Control: tags -1 moreinfo

Markus Koschany:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package lucene-solr
> 
> I made a mistake when I installed solr-permissions.conf into the wrong
> /etc/systemd/system/ directory. This makes solr unusable because
> tomcat can't write to /var/lib/solr. A user spotted the error and reported
> it here:
> 
> https://salsa.debian.org/java-team/lucene-solr/commit/ae53f09f37b18aa836640b256137a3a9e26e186f
> 
> The only change is installing this file to
> /etc/systemd/system/tomcat9.service.d now which makes it work again.
> 
> Regards,
> 
> Markus
> 
> 
> unblock lucene-solr/3.6.2+dfsg-19
> 
> [...]
> 

Hi,

Thanks for working to improve buster.

I suspect this change is missing an "rm_conffile" for this misplaced
configuration file (everything in /etc is by default tagged as a
conffile for anything built with debhelper).  Could you please have a
look at that and ensure this part is handled correctly?

(otherwise, I think the changes look good)

Thanks,
~Niels



Bug#927789: [pre-upload-approval] unblock: x2gobroker/0.0.4.1-1

2019-04-24 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Mike Gabriel:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package x2gobroker
> 
> [...]
> 
> light+love,
> Mike
> 
> unblock x2gobroker/0.0.4.1-1
> 
> [...]

Please go ahead with the upload and remove the moreinfo tag when it is
in unstable and ready to be unblocked.

Thanks,
~Niels



Bug#927816: unblock: shim-signed/1.30

2019-04-23 Thread Niels Thykier
Control: tags -1 moreinfo

Steve McIntyre:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package shim-signed
> 
> We've just got new signatures back from Microsoft to match our shim
> binaries for amd64, i386 and arm64. I've fixed up the packaging a lot
> to accommodate the new arches (previously we had amd64 only).
> 
> We've made a lot of progress with shim, and we're nearing the end of
> the process for Secure Boot in Buster. I'm asking for this unblock
> today to cover most of what we need, with potentially a further
> unblock for a new set of signed binaries with some shim bugfixes to
> come. That'll depend on how long new signatures take to come. (Yay!).
> 
> The main set of changes here are in version 1.29.
> 
> [...]

Hi,

Thanks for the work on shim-signed.

I am mostly happy with the changes, except for ...

> diff -Nru shim-signed-1.28+nmu1/debian/control shim-signed-1.30/debian/control
> --- shim-signed-1.28+nmu1/debian/control  2018-11-04 07:09:26.0 
> +
> +++ shim-signed-1.30/debian/control   2019-04-22 23:59:15.0 +0100
> @@ -1,15 +1,34 @@
>  Source: shim-signed
>  Section: utils
>  Priority: optional
> -Maintainer: Steve Langasek 
> -Build-Depends: debhelper (>= 9), shim, sbsigntool (>= 0.6-0ubuntu4), 
> po-debconf
> -Standards-Version: 3.9.4
> +Maintainer: Debian EFI Team 
> +Uploaders: Steve McIntyre <93...@debian.org>, Steve Langasek 
> 
> +Build-Depends: debhelper (>= 9),
> +# Need shim-unsigned version 15+1533136590.3beb971-5 so we can check the
> +# signature on the right version of shim. Version -6 saw arm64 toolchain
> +# changes that changed the binary. Ugh. :-(
> + shim-unsigned (= 15+1533136590.3beb971-5),
^

Testing has -6, so shim-signed is B-D'ing on a non-existent package
version.  IOW it will not be buildable in buster and unblocking it (plus
forcing it) would imply breaking the self-containedness of buster.

Thanks,
~Niels



Bug#927797: unblock: debian-archive-keyring/2019.1

2019-04-23 Thread Niels Thykier
Package: release.debian.org
Severity: normal
Tags: d-i
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package debian-archive-keyring, which includes the new
signing keys for buster.

I have taken the liberty of X-Debbugs-CC'ing Kibi for a d-i ack as
well.

"""
debian-archive-keyring (2019.1) unstable; urgency=medium

  [ Adam D. Barratt ]
  * Ensure separated keyrings for Wheezy's keys are removed.  Thanks
to Sven Joachim.
(Closes: #912214)

  [ Jonathan Wiltshire ]
  * Add my own key to the team-members keyring
  * Add Debian Stable Release key (10/buster) (ID: DCC9EFBF77E11517)
(Closes: #917536)
  * Add Debian Archive Automatic Signing Key (10/buster)
(ID: BCDDDC30D7C23CBBABEE) and Debian Security Archive Automatic
Signing Key (10/buster) (ID: C5FF4DFAB270CAA96DFA)
(Closes: #917535)
  * Refresh the signature over keyrings/debian-archive-keyring.gpg

  [ Niels Thykier ]
  * Add myself as uploader (Closes: #927765)

 -- Niels Thykier   Tue, 23 Apr 2019 13:42:28 +0200

"""

A diffstat:

"""

$ diffstat debian-archive-keyring.debdiff
 active-keys/add-buster-automatic  |  179 +++
 active-keys/add-buster-security-automatic |  179 +++
 active-keys/add-buster-stable |   58 
 active-keys/index |3 
 active-keys/index.gpg |   21 +
 debian/changelog  |   22 +
 debian/control|1 
 debian/debian-archive-keyring.maintscript |2 
 keyrings/debian-archive-keyring.gpg.asc   |   21 +
 team-members/add-5394479DD3524C51 |  357 ++
 team-members/index|1 
 team-members/index.gpg|   21 +
 12 files changed, 841 insertions(+), 24 deletions(-)
"""

Note that the majority of the changes are due to keyring changes,
which are base64 encoded and hence are included as a "textual" change
rather than a binary file change.  This inflates the diff size
considerably.

unblock debian-archive-keyring/2019.1

Thanks,
~Niels

Base version: debian-archive-keyring_2018.1 from testing
Target version: debian-archive-keyring_2019.1 from unstable

Hints in place:
==> freeze
  # These udebs can be handled directly by britney
  # but are currently blocked at the d-i RM's request
  block-udeb debian-archive-keyring

Excuses:



Filter applied (not reflected in the diffstat):
  filterdiff -x **/*.po -x **/*.pot

 active-keys/add-buster-automatic  |  179 +++
 active-keys/add-buster-security-automatic |  179 +++
 active-keys/add-buster-stable |   58 
 active-keys/index |3 
 active-keys/index.gpg |   21 +
 debian/changelog  |   22 +
 debian/control|1 
 debian/debian-archive-keyring.maintscript |2 
 keyrings/debian-archive-keyring.gpg.asc   |   21 +
 team-members/add-5394479DD3524C51 |  357 ++
 team-members/index|1 
 team-members/index.gpg|   21 +
 12 files changed, 841 insertions(+), 24 deletions(-)

gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/home/nthykier/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made 2018-10-28T17:26:50 UTC
gpgv:using RSA key F1FF5D0D7E002DF0FE55FB0CA65B78DBE67C7AAC
gpgv:issuer "ni...@thykier.net"
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on 
/tmp/tmpodpid684/debian-archive-keyring_2018.1.dsc
gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/home/nthykier/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made 2019-04-23T11:49:10 UTC
gpgv:using RSA key F1FF5D0D7E002DF0FE55FB0CA65B78DBE67C7AAC
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on 
/tmp/tmpodpid684/debian-archive-keyring_2019.1.dsc
diff -Nru debian-archive-keyring-2018.1/active-keys/add-buster-automatic 
debian-archive-keyring-2019.1/active-keys/add-buster-automatic
--- debian-archive-keyring-2018.1/active-keys/add-buster-automatic  
1970-01-01 00:00:00.0 +
+++ debian-archive-keyring-2019.1/active-keys/add-buster-automatic  
2019-04-23 11:40:11.0 +
@@ -0,0 +1,179 @@
+Comment: add buster automatic key
+Date: Mon, 22 Apr 2019 13:57:10 +0100
+Action: import
+Data: 
+  -BEGIN PGP PUBLIC KEY BLOCK-
+  
+  mQINBFyy5ecBEACxXGKUyi5dFjPhEFoz3IwKlVfDxySVg+hlhcUEO657UHf/7Ba5
+  wr9eHxjlbpxetAymSNnptgh8oaJWcokr9UjeaTbKrYGpRra7Wd1W+f++9tF7BVvV
+  +AWBaltD5NDuq+eQ7kj72oeMa7KAr4702ZokLgiTsS9dPeDAodx3/jMuV9VxlJ7q
+  w07bAoUdzhlPBcII3MOCMfQmtwIg27/qqekeOnrGtNwscugwVqcBATxRZ1wNAebJ
+  60FH9FQOtPZJnuv/q3KXqoneuSMKiBKferQ
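
Review bot: the `Comment:` header of active-keys/add-buster-automatic says only "add buster automatic key", so nothing in the human-readable part of this new file ties the imported block to the key ID given in debian/changelog. Put the full fingerprint in the `Comment:` line, so a reviewer can compare it with the changelog entry and with a listing of the `Data:` block before trusting the import.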

Bug#927795: iptables: 140.113.0.0/16 is incorrectly parsed as "not-a-legal-address"

2019-04-23 Thread Niels Thykier
Control: tags -1 moreinfo

On Tue, 23 Apr 2019 20:08:27 +0800 "dongshe...@gmail.com"
 wrote:
> Package: iptables
> Version: 1.6.1
> Severity: normal
> 
> Dear Maintainers,
> 
> We found a weird bug: `iptables -L` will fail to parse this specific IP
> range 140.113.0.0/16 . It's incorrectly marked as "not-a-legal-address."
> 
> $ iptables --version
> iptables v1.6.1
> $ iptables -A INPUT -s 140.113.0.0/16 -p tcp -m tcp -j RETURN
> $ iptables -L INPUT
> Chain INPUT (policy ACCEPT)
> target prot opt source   destination
> f2b-sshd   tcp  --  anywhere anywhere multiport
> dports ssh
> RETURN tcp  --  not-a-legal-address/16  anywhere tcp
> $ iptables-save | grep 140.113
> -A INPUT -s 140.113.0.0/16 -p tcp -m tcp -j RETURN
> 
> However, this is definitely a valid IP range. 140.113.0.0/16 is the valid
> IP range in National Chiao Tung University in Taiwan. By the way, although
> it's incorrectly parsed, the rule still seems to work properly.
> 
> Please let me know if you need other information. Thank you.
> 
> Sincerely,
> bookgin

Hi bookgin,

By default, iptables does a reverse DNS lookup and 140.133.0.0 has a
reverse DNS entry with the literal value "not-a-legal-address".

"""
$ nslookup 140.113.0.0
Server: 127.0.0.1
Address:127.0.0.1#53

Non-authoritative answer:
0.0.113.140.in-addr.arpaname = not-a-legal-address.

Authoritative answers can be found from:
0.113.140.in-addr.arpa  nameserver = ns.NCTU.edu.tw.
0.113.140.in-addr.arpa  nameserver = ns2.NCTU.edu.tw.
"""

So I am pretty sure it is "working as intended".  If you want to disable
the reverse DNS lookup, please use "-n" (e.g. "iptables -L -n").  In
this case you should see that iptables uses the CIDR address that you
expect.

Thanks,
~Niels



Bug#926698: cpio: messes with /usr/sbin/rmt in --merged-usr environment

2019-04-23 Thread Niels Thykier
Niels Thykier:
> Hi Chris and Ruben,
> 
> Could either of you please have a look at this bug in cpio (you are
> listed as Uploaders)?  Even if it is just in the form of "ENOTME, NMU
> welcome".
> 
> Note that Anibal is MIA (per #925021).
> 
> Thanks,
> ~Niels
> 

Hi Chris,

Thanks for the fast upload.

Just to confirm, did you intend to use "test -L /sbin/rmt" instead of
"! test -L /sbin/rmt" as Andreas suggested?  I am concerned that we
might have a missing negation at play and wanted to be sure before I
unblocked it.


Thanks,
~Niels


> On Tue, 9 Apr 2019 18:05:00 +0200 Andreas Beckmann  wrote:
>> Control: clone -1 -2
>> Control: reassign -2 tar 1.30+dfsg-5
>> Control: retitle -2: tar: prerm deletes /usr/sbin/rmt in --merged-usr 
>> environment
>> Control: retitle -1: cpio: prerm deletes /usr/sbin/rmt in --merged-usr 
>> environment
>>
>> On 2019-04-09 11:44, Andreas Beckmann wrote:
>>> 0m17.9s ERROR: WARN: Broken symlinks:
>>>   /etc/rmt -> /usr/sbin/rmt (tar)
>>>
>>> 0m22.0s ERROR: FAIL: After purging files have disappeared:
>>>   /usr/sbin/rmt -> /etc/alternatives/rmt not owned
>>
>> This is caused by the prerm script which contains this not merged-usr
>> aware code:
>>
>> if [ "$1" = remove ]; then
>> update-alternatives --remove mt /bin/mt-gnu
>> if test -L /sbin/rmt && test /sbin/rmt -ef /usr/sbin/rmt; then
>> rm -f /sbin/rmt
>> fi
>> fi
>>
>> Cloning the bug to tar, since its prerm contains a similar construct.
>> (And I don't mean the update-alternatives call ...)
>>
>> remove|deconfigure)
>> update-alternatives --remove rmt /usr/sbin/rmt-tar
>> if test -L /sbin/rmt && test /sbin/rmt -ef /usr/sbin/rmt; then
>> rm -f /sbin/rmt
>> fi
>> ;;
>>
>> Probable use
>>
>>   if ! test -L /sbin && test -L /sbin/rmt && ...
>>
>>
>> Andreas
>>
>>
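
The merged-usr failure discussed in this thread can be reproduced in a scratch directory. This is an added example, not code from the cpio or tar packages: it runs the quoted prerm test and the guarded form proposed in the report against a split and a merged layout. The function names, the scratch-root prefix and the symlink layout of the sample tree are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. Every path is prefixed with a scratch root created by
# mktemp, so the real /sbin and /usr/sbin are never touched.

# Build a minimal tree (constructed layout). $1 = root, $2 = merged|split.
make_root() {
    root=$1 layout=$2
    mkdir -p "$root/usr/sbin" "$root/etc/alternatives"
    : > "$root/usr/sbin/rmt-tar"
    # alternatives chain: /usr/sbin/rmt -> /etc/alternatives/rmt -> rmt-tar
    ln -s ../../usr/sbin/rmt-tar "$root/etc/alternatives/rmt"
    ln -s ../../etc/alternatives/rmt "$root/usr/sbin/rmt"
    if [ "$layout" = merged ]; then
        ln -s usr/sbin "$root/sbin"             # merged-usr: /sbin is a symlink
    else
        mkdir "$root/sbin"
        ln -s ../usr/sbin/rmt "$root/sbin/rmt"  # separate compatibility link
    fi
}

# The test quoted in the report, with paths prefixed by $1.
prerm_original() {
    if test -L "$1/sbin/rmt" && test "$1/sbin/rmt" -ef "$1/usr/sbin/rmt"; then
        rm -f "$1/sbin/rmt"
    fi
}

# Same test with the guard proposed in the report: do nothing when /sbin
# itself is a symlink, because /sbin/rmt is then the alternatives link.
prerm_guarded() {
    if ! test -L "$1/sbin" && test -L "$1/sbin/rmt" &&
       test "$1/sbin/rmt" -ef "$1/usr/sbin/rmt"; then
        rm -f "$1/sbin/rmt"
    fi
}

# Run one variant on one layout. $1 = merged|split, $2 = function name.
# Prints whether the alternatives-managed /usr/sbin/rmt survived and
# whether /sbin/rmt still resolves afterwards.
run_case() {
    scratch=$(mktemp -d) || return 1
    make_root "$scratch" "$1"
    "$2" "$scratch"
    if [ -L "$scratch/usr/sbin/rmt" ]; then state=kept; else state=deleted; fi
    if [ -e "$scratch/sbin/rmt" ] || [ -L "$scratch/sbin/rmt" ]; then
        sbin_rmt=present
    else
        sbin_rmt=absent
    fi
    rm -rf "$scratch"
    echo "$state sbin_rmt=$sbin_rmt"
}

for layout in split merged; do
    for variant in prerm_original prerm_guarded; do
        printf '%-6s %-15s %s\n' "$layout" "$variant" \
            "$(run_case "$layout" "$variant")"
    done
done
```

On the split layout both variants remove only the compatibility link; on the merged layout the original test deletes the link that update-alternatives owns, which matches the piuparts failure quoted above.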



Bug#926698: cpio: messes with /usr/sbin/rmt in --merged-usr environment

2019-04-23 Thread Niels Thykier
Niels Thykier:
> Hi Chris and Ruben,
> 
> Could either of you please have a look at this bug in cpio (you are
> listed as Uploaders)?  Even if it is just in the form of "ENOTME, NMU
> welcome".
> 
> Note that Anibal is MIA (per #925021).
> 
> Thanks,
> ~Niels
> 
> [...]

Hi Chris,

FYI, Ruben's email bounces with "No such user" in the other end.
Accordingly, you are currently the only (trivially reachable)
maintainer/uploader left of cpio.

Thanks,
~Niels



Bug#926698: cpio: messes with /usr/sbin/rmt in --merged-usr environment

2019-04-23 Thread Niels Thykier
Hi Chris and Ruben,

Could either of you please have a look at this bug in cpio (you are
listed as Uploaders)?  Even if it is just in the form of "ENOTME, NMU
welcome".

Note that Anibal is MIA (per #925021).

Thanks,
~Niels

On Tue, 9 Apr 2019 18:05:00 +0200 Andreas Beckmann  wrote:
> Control: clone -1 -2
> Control: reassign -2 tar 1.30+dfsg-5
> Control: retitle -2: tar: prerm deletes /usr/sbin/rmt in --merged-usr 
> environment
> Control: retitle -1: cpio: prerm deletes /usr/sbin/rmt in --merged-usr 
> environment
> 
> On 2019-04-09 11:44, Andreas Beckmann wrote:
> > 0m17.9s ERROR: WARN: Broken symlinks:
> >   /etc/rmt -> /usr/sbin/rmt (tar)
> > 
> > 0m22.0s ERROR: FAIL: After purging files have disappeared:
> >   /usr/sbin/rmt -> /etc/alternatives/rmt not owned
> 
> This is caused by the prerm script which contains this not merged-usr
> aware code:
> 
> if [ "$1" = remove ]; then
> update-alternatives --remove mt /bin/mt-gnu
> if test -L /sbin/rmt && test /sbin/rmt -ef /usr/sbin/rmt; then
> rm -f /sbin/rmt
> fi
> fi
> 
> Cloning the bug to tar, since its prerm contains a similar construct.
> (And I don't mean the update-alternatives call ...)
> 
> remove|deconfigure)
> update-alternatives --remove rmt /usr/sbin/rmt-tar
> if test -L /sbin/rmt && test /sbin/rmt -ef /usr/sbin/rmt; then
> rm -f /sbin/rmt
> fi
> ;;
> 
> Probable use
> 
>   if ! test -L /sbin && test -L /sbin/rmt && ...
> 
> 
> Andreas
> 
> 



Bug#927778: unblock: bind9/1:9.11.5.P4+dfsg-3

2019-04-23 Thread Niels Thykier
Package: release.debian.org
Severity: normal
Tags: d-i confirmed
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

I am filing an unblock for bind9 as it has a fixed RC bug and
needs a d-i ack.

bind9 (1:9.11.5.P4+dfsg-3) unstable; urgency=medium

  * More fixes to the AppArmor policy for Samba AD DLZ
- allow access to /dev/urandom
- allow locking for dns.keytab
- fix path to smb.conf

 -- Bernhard Schmidt   Mon, 22 Apr 2019 22:31:06 +0200

bind9 (1:9.11.5.P4+dfsg-2) unstable; urgency=medium

  [ Ondřej Surý ]
  * Update d/gbp.conf for Debian Buster

  [ Bernhard Schmidt ]
  * Cherry-Pick upstream commit to prevent dnssec-keymgr from immediately
expiring and deleting old DNSSEC keys when being run for the first
time (Closes: #923984)
  * Update AppArmor policy for Samba AD DLZ
- Add changed default location for named.conf
- Allow read/mmap on some Samba libraries
Thanks to Steven Monai (Closes: #920530)

  [ Andreas Beckmann ]
  * bind9.preinst: cope with ancient conffile named.conf.options
(Closes: #905177)

 -- Bernhard Schmidt   Tue, 02 Apr 2019 21:12:50 +0200


unblock bind9/1:9.11.5.P4+dfsg-3

Thanks,
~Niels

Base version: bind9_1:9.11.5.P4+dfsg-1 from testing
Target version: bind9_1:9.11.5.P4+dfsg-3 from unstable

Hints in place:
==> nthykier
  #2019-04-23
  unblock bind9/1:9.11.5.P4+dfsg-3
==> freeze
  # These udebs need to be put in one of the lists:
  block-udeb bind9

Excuses:

bind9 (1:9.11.5.P4+dfsg-1 to 1:9.11.5.P4+dfsg-3)
Migration status: BLOCKED: Needs an approval (either due to a freeze, the 
source suite or a manual hint)
Maintainer: Debian DNS Team
Too young, only 0 of 2 days old
Updating bind9 fixes old bugs: #905177
Piuparts tested OK - https://piuparts.debian.org/sid/source/b/bind9.html
Required age reduced by 3 days because of autopkgtest
Not touching package due to block-udeb request by freeze (please contact 
the d-i release manager if an update is needed)
Not touching package due to block request by freeze (please contact 
debian-release if update is needed)

Filter applied (not reflected in the diffstat):
  filterdiff -x **/*.po -x **/*.pot

 bind9.preinst   |   10 +
 changelog   |   29 +++
 extras/apparmor.d/usr.sbin.named|   11 +
 gbp.conf|3 
 patches/keymgr-dont-immediately-delete.diff |  217 
 patches/series  |1 
 6 files changed, 267 insertions(+), 4 deletions(-)

gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/home/nthykier/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made 2019-02-22T17:47:49 UTC
gpgv:using RSA key D6E01EC516A5DFCEF71956D3775079E5B850BC93
gpgv:issuer "be...@debian.org"
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on 
/tmp/tmplzeh50h3/bind9_9.11.5.P4+dfsg-1.dsc
gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/home/nthykier/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made 2019-04-22T21:03:24 UTC
gpgv:using RSA key D6E01EC516A5DFCEF71956D3775079E5B850BC93
gpgv:issuer "be...@debian.org"
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on 
/tmp/tmplzeh50h3/bind9_9.11.5.P4+dfsg-3.dsc
diff -Nru bind9-9.11.5.P4+dfsg/debian/bind9.preinst 
bind9-9.11.5.P4+dfsg/debian/bind9.preinst
--- bind9-9.11.5.P4+dfsg/debian/bind9.preinst   2019-02-22 16:54:10.0 
+
+++ bind9-9.11.5.P4+dfsg/debian/bind9.preinst   2019-04-22 20:31:06.0 
+
@@ -20,7 +20,15 @@
theirs=$(md5sum /etc/bind/named.conf.options | sed 's/ .*$//')
mine=56919cbc0d819c9a303a8bdeb306b5f1
if [ "$mine" = "$theirs" ]; then
-   mv /etc/bind/named.conf.options 
/etc/bind/named.conf.options.dpkg-old
+   if [ -n "$(dpkg-query -f '${Conffiles}' -W bind9 | grep 
/etc/bind/named.conf.options)" ]; then
+   # dpkg knows /etc/bind/named.conf.options as a conffile 
(from squeeze or older)
+   # cannot move the outdated file aside to avoid dpkg 
noticing deleted-by-local-admin
+   # therefore edit it in place to make it match the 
to-be-installed version
+   cp -p /etc/bind/named.conf.options 
/etc/bind/named.conf.options.dpkg-old
+   sed -i '26{/^$/d}; 23{/auth-nxdomain no;/d}' 
/etc/bind/named.conf.options
+   else
+   mv /etc/bind/named.conf.options 
/etc/bind/named.conf.options.dpkg-old
+   fi
fi
fi
 ;;
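
Review bot: in the new conffile check, `grep /etc/bind/named.conf.options` is an unanchored regular expression, so it also matches any other conffile path that merely starts with that string, and each `.` matches any character. Matching the path as a fixed string followed by the separating space (`grep -qF '/etc/bind/named.conf.options '`) keeps the edit-in-place branch from being taken for the wrong entry. The `sed -i '26{/^$/d}; 23{/auth-nxdomain no;/d}'` edit depends on fixed line numbers; that is only safe because the surrounding `mine`/`theirs` md5sum comparison pins the file content, and the comment should say so.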
diff -Nru bind9-9.11.5.P4+dfsg/debian/changelog 
bind9-9.11.5.P4+dfsg/debian/changelog
--- bind9-9.11.5.P4+dfsg/debian/changelog   2019-02-22 16:54:10.0 
+
+++ bind9-9.11.5.P4+dfsg/debian/changelog   

Bug#927777: unblock: alsa-utils/1.1.8-2

2019-04-22 Thread Niels Thykier
Package: release.debian.org
Severity: normal
Tags: d-i confirmed
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

I am filing an unblock for alsa-utils as it has a fixed RC bug and
needs a d-i ack.

alsa-utils (1.1.8-2) unstable; urgency=medium

  * Introduce Fix-alsactl-to-restore-config.patch. Don't rely on undocumented
/etc/alsa/state-daemon.conf to start alsa-state.service.  
alsa-restore.service
now will have an error code 99 the first time it runs. But after an reload 
of
the service or just a reboot both services will run smoothly.
[closes: #925455]

 -- Elimar Riesebieter   Sat, 30 Mar 2019 10:18:40 +0100

unblock alsa-utils/1.1.8-2

Thanks,
~Niels

Base version: alsa-utils_1.1.8-1 from testing
Target version: alsa-utils_1.1.8-2 from unstable

Hints in place:
==> freeze
  # These udebs need to be put in one of the lists:
  block-udeb alsa-utils

Excuses:

alsa-utils (1.1.8-1 to 1.1.8-2)
Migration status: BLOCKED: Needs an approval (either due to a freeze, the 
source suite or a manual hint)
Maintainer: Debian ALSA Maintainers
13 days old (needed 5 days)
Updating alsa-utils fixes old bugs: #925455
Piuparts tested OK - 
https://piuparts.debian.org/sid/source/a/alsa-utils.html
Not touching package due to block-udeb request by freeze (please contact 
the d-i release manager if an update is needed)
Not touching package due to block request by freeze (please contact 
debian-release if update is needed)

Filter applied (not reflected in the diffstat):
  filterdiff -x **/*.po -x **/*.pot

 changelog   |   10 ++
 patches/Fix-alsactl-to-restore-config.patch |   46 
 patches/series  |1 
 3 files changed, 57 insertions(+)

gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/home/nthykier/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made 2019-02-11T12:43:26 UTC
gpgv:using RSA key E8175486C02929837C286A1625502F6FCBE3CB04
gpgv:issuer "jo...@mallach.net"
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on 
/tmp/tmpy1szi6bf/alsa-utils_1.1.8-1.dsc
gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/home/nthykier/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made 2019-04-09T16:08:42 UTC
gpgv:using RSA key D1E1316E93A760A8104D85FABB3A68018649AA06
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on 
/tmp/tmpy1szi6bf/alsa-utils_1.1.8-2.dsc
diff -Nru alsa-utils-1.1.8/debian/changelog alsa-utils-1.1.8/debian/changelog
--- alsa-utils-1.1.8/debian/changelog   2019-01-27 18:55:15.0 +
+++ alsa-utils-1.1.8/debian/changelog   2019-03-30 09:18:40.0 +
@@ -1,3 +1,13 @@
+alsa-utils (1.1.8-2) unstable; urgency=medium
+
+  * Introduce Fix-alsactl-to-restore-config.patch. Don't rely on undocumented
+/etc/alsa/state-daemon.conf to start alsa-state.service.  
alsa-restore.service
+now will have an error code 99 the first time it runs. But after an reload 
of
+the service or just a reboot both services will run smoothly.
+[closes: #925455]
+
+ -- Elimar Riesebieter   Sat, 30 Mar 2019 10:18:40 +0100
+
 alsa-utils (1.1.8-1) unstable; urgency=medium
 
   * New upstream release.
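
Review bot: the new entry states that alsa-restore.service "now will have an error code 99 the first time it runs", which means the fix for #925455 knowingly ships a unit that fails on first boot. The entry should say why that failure is harmless and how it differs from a real restore failure, or the patch should avoid the non-zero exit; as written, an administrator watching for failed units cannot tell the two apart.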
diff -Nru alsa-utils-1.1.8/debian/patches/Fix-alsactl-to-restore-config.patch 
alsa-utils-1.1.8/debian/patches/Fix-alsactl-to-restore-config.patch
--- alsa-utils-1.1.8/debian/patches/Fix-alsactl-to-restore-config.patch 
1970-01-01 00:00:00.0 +
+++ alsa-utils-1.1.8/debian/patches/Fix-alsactl-to-restore-config.patch 
2019-03-30 09:18:40.0 +
@@ -0,0 +1,46 @@
+From 6198e81500938a1e0f5e9d8f58c4e45dec2ee6b3 Mon Sep 17 00:00:00 2001
+From: Elimar Riesebieter 
+Date: Sat, 30 Mar 2019 10:07:46 +0100
+Subject: [PATCH] Fix-alsactl-to-restore-config.
+
+---
+ alsactl/alsa-restore.service.in | 2 +-
+ alsactl/alsa-state.service.in   | 5 +++--
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/alsactl/alsa-restore.service.in b/alsactl/alsa-restore.service.in
+index 38ffea7..74b9290 100644
+--- a/alsactl/alsa-restore.service.in
 b/alsactl/alsa-restore.service.in
+@@ -8,7 +8,7 @@ Description=Save/Restore Sound Card State
+ Documentation=man:alsactl(1)
+ ConditionPathExists=!@daemonswitch@
+ ConditionPathExistsGlob=/dev/snd/control*
+-ConditionPathExists=@asoundrcfile@
++After=alsa-state.service
+ 
+ [Service]
+ Type=oneshot
+diff --git a/alsactl/alsa-state.service.in b/alsactl/alsa-state.service.in
+index a3c6e49..f631cc3 100644
+--- a/alsactl/alsa-state.service.in
 b/alsactl/alsa-state.service.in
+@@ -1,4 +1,4 @@
+-#
++
+ # Note that two different ALSA card state management schemes exist and they
+ # can be switched using a file exist check - /etc/alsa/state-daemon.conf .
+ #
+@@ -6,7 +6,8 @@
+ [Unit]
+ Description=Manage Sound Card 
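
Review bot: the embedded patch header has a Subject line but no description, so the reason for replacing `ConditionPathExists=@asoundrcfile@` with `After=alsa-state.service` in alsa-restore.service.in is not recorded in the patch itself. Add a description (with a `Bug-Debian:` reference to #925455) that explains what happens when the state file does not exist now that the condition is gone. The first hunk of alsa-state.service.in also replaces the leading `#` with an empty line, which looks unrelated to the fix and should be dropped.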

Bug#883872: Bug#927383: unblock: bitlbee/3.6-1.1

2019-04-22 Thread Niels Thykier
Andreas Tille:
> Control: tags -1 - moreinfo
> 
> Hi Niels,
> 
> On Fri, Apr 19, 2019 at 06:05:00AM +, Niels Thykier wrote:
> [...]
>  
>> If the incomplete d/copyright also applies to testing, then it will need
>> a fix via testing-proposed-updates.  The bug metadata does not have any
>> found version, so it is not clear to me if the issue existed before the
>> new upstream version in sid or that version introduced the issue.
> 
> I think the patch also applies to version in testing.  I've now
> uploaded to testing-proposed-updates - debdiff attached.
> 
> [...]
> 
> Kind regards
> 
>   Andreas.
> 

Approved the tpu upload, thanks.
~Niels



Bug#927732: unblock: variety/0.7.1-2 (pre-approval)

2019-04-21 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

James Lu:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Dear Release Team,
> 
> Please consider unblocking variety 0.7.1-2. I've backported a couple of
> fixes from the newest upstream version, which fix a couple of subtle but
> annoying bugs. The changelog is as follows:
> 
> variety (0.7.1-2) unstable; urgency=medium
> 
>   * Backport bugfixes from Variety 0.7.2:
> - fix-crash-on-help-version.patch: Don't forward --help or --version to
>   running Variety instances, as this causes it to crash.
> - fix-spurious-error-when-analyzing-gifs.patch: Fix spurious
>   FileNotFoundError when analyzing GIFs inside a wallpaper folder
> 
>  -- James Lu   Sun, 21 Apr 2019 19:10:58 -0700
> 
> The debdiff is attached.
> 
> Best,
> James
> 

Hi James,

Please go ahead with this upload and remove the moreinfo tag when it is
in unstable and ready to be unblocked.

Thanks,
~Niels



Bug#926888: unblock: wget/1.20.1-1.1

2019-04-21 Thread Niels Thykier
On Fri, 12 Apr 2019 07:54:00 + Niels Thykier  wrote:
> Control: tags -1 d-i confirmed
> 
> Salvatore Bonaccorso:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > 
> > Hi,
> > 
> > Please unblock package wget
> > 
> > It fixes CVE-2019-5953, #926389 a buffer overflow vulnerability in the
> > handling of Internationalized Resource Identifiers (IRI), it was
> > addressed as well in DSA-4425-1 for stretch.
> > 
> > Attached is the debdiff between 1.20.1-1 and 1.20.1-1.1.
> > 
> > unblock wget/1.20.1-1.1
> > 
> > Regards,
> > Salvatore
> > 
> 
> Hi,
> 
> OK from here; Cc'ing KiBi for a d-i ack.
> 
> Thanks,
> ~Niels
> 
> 

Gentle ping on this unblock request for a CVE fix in wget.

Thanks,
~Niels



Bug#927476: lintian: Please add --onlyrun examples

2019-04-21 Thread Niels Thykier
Chris Lamb:
> [...]
> Niels Thykier wrote:
> 
>> We already have examples in Lintian::Tutorial::TestSuite
>> (doc/tutorial/Lintian/Tutorial/TestSuite.pod).
> […]
> 
> Agreed, although I was actually following t/bin/runtests --help here,
> not the POD documentation. Thus, both need to be updated? (Cloned bug)
> 
>> have not been updated to reflect the "recent" changes to the test suite
> 
> Presumably you are referring to the requirement (?) to first call t/
> bin/build-test-packages first (which I thought about when away from
> the keyboard last night).
> 

Not only that, but all the examples of how to only run a particular test
do not seem to match what you were using (the examples were from
before the test suite got restructured).

> If so, I think it's a really bizarre user interface that does not warn
> you specifically when these are missing so I have retitled this bug
> to match.
> 
> (I think I've just hit another bug in the tag extraction process which
> I will file after this mail...)
> 
> Thanks.
> 
> 
> Best wishes,
> 

Thanks,
~Niels



Bug#927259: release.debian.org: unblock request: nheko

2019-04-20 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Hubert Chathi:
> Package: release.debian.org
> Severity: normal
> 
> Hello release team.
> 
> I would like to upload a new version of nheko to fix #926671.  It is an
> "important" bug (though in reality, it could be argued that it is
> "serious", as Matrix will be bumping the default room version soon,
> which will cause the bug to manifest much more commonly, making the
> program less usable).
> 
> The fix is to apply a small patch from upstream.  Attached is a debdiff.
> 
> In addition to the above issue, I would like to also include fixes for
> the following bugs, which are not included in the attached debdiff, but
> are fairly trivial:
> 
> - #926659 - incorrectly named file (debian/README.sources instead of
>   debian/README.source) -- has an obvious fix
> - #926680 - a working directory is not properly cleaned up if the build
>   fails -- I would just add the working directory to the list of files
>   that are "rm -rf"-ed in override_dh_auto_clean.
> 
> [...]
> 

Hi,

Please go ahead with the upload including the two extra changes you
mentioned above and remove the moreinfo tag when it is in unstable and
ready to be unblocked.

For future reference: We generally prefer seeing the debdiff before
approving the changes.  Had the two extra changes not been obvious from
your description, then it would have been necessary for me to ask you
for the full debdiff.  Please make it easier for us by always including
the changes you want us to consider (modulo filterdiff of auto-generated
files).

Thanks,
~Niels



Bug#927476: lintian: Please add --onlyrun examples

2019-04-20 Thread Niels Thykier
Chris Lamb:
> Package: lintian
> Version: 2.12.0
> Severity: wishlist
> X-Debbugs-CC: Felix Lechner 
> 
> Hi,
> 
> I'm currently really failing to understand how --onlyrun works. For
> example:
> 
>   $ t/bin/runtests --onlyrun=test:control-file-rules-requires-root-binary-targets
> 
> ... does not run any tests.
> 
> I'm sure I'm just calling it wrong and, to be clear, this bug report
> is not about this issue but rather could you please add some concrete
> examples to the manual page for each selector type (script, tag, etc.)
> 
> 
> Best wishes,
> 

We already have examples in Lintian::Tutorial::TestSuite
(doc/tutorial/Lintian/Tutorial/TestSuite.pod).  However, I suspect they
have not been updated to reflect the "recent" changes to the test suite
and its runner.  I guess Lintian::Tutorial::WritingTests is equally out
of date.

Note: I am fine with removing those POD documents if we now prefer to
keep this documentation elsewhere.  However, if they remain, they should
be updated to reflect the reality.

Thanks,
~Niels



Bug#927434: unblock: network-manager-applet/1.8.20-1.1 (pre-approval)

2019-04-20 Thread Niels Thykier
Control: tags -1 confirmed moreinfo

Boyuan Yang:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-CC: bi...@debian.org pkg-utopia-maintain...@lists.alioth.debian.org
> 
> This is a pre-approval for NMU that would fix https://bugs.debian.org/926328 .
> 
> The one-liner patch is taken from commits in upstream git trunk.
> 
> I haven't made any upload yet. Michael, please let me know if this
> patch looks okay for you. I can open a Merge Request for this NMU on
> Salsa if necessary.
> 
> The full debdiff is pasted here.
> 
> --
> Thanks,
> Boyuan Yang
> 
> [...]
> 

Hi,

From a release team PoV, the change looks fine.

Please remove the moreinfo tag when the upload is in sid and ready to be
unblocked.

Thanks,
~Niels



Bug#927435: upgrade-reports: Buster upgrade: had to re-create unbound certs/keys

2019-04-20 Thread Niels Thykier
clone 927435 -1
reassign 927435 unbound
retitle 927435 unbound: Small control keys makes it fail to start
severity 927435 important
reassign -1 release-notes
retitle -1 release-notes: Document how to handle openssls new defaults
thanks

John Eikenberry:
> Package: upgrade-reports
> Severity: normal
> 
> After upgrading to buster, unbound-control would fail to run with this error..
> 
> error: Error setting up SSL_CTX client cert
> 139765110753216:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:../ssl/ssl_rsa.c:310:
> 
> To fix this I had to regenerate the certs and keys by removing the old ones and
> running unbound-control-setup, then restarting unbound. This fixed the issue.
> 
> $ cd /etc/unbound/
> $ sudo rm *.key *.pem
> $ sudo unbound-control-setup
> $ sudo systemctl restart unbound
> 
> Note that with unbound-control broken, that broke `systemctl reload unbound` as
> it depends on unbound-control.
> 
> [...]
> 

Hi John,

Thanks for filing this bug.

I have split it into two bugs:

 * One for unbound in case there is something in unbound that needs to
   change (e.g. key generation instructions or/and a NEWS entry to
   notify upgraders of potential issues and how to resolve it)

 * One for the release-notes because the stricter defaults in OpenSSL
   affect multiple programs (I have seen similar issues from e.g.
   wpa_supplicant). At this point, we should probably document the
   knobs involved[1].


Thanks,
~Niels

[1] I believe the alternative is to update /etc/ssl/openssl.cnf, finding
"""
[system_default_sect]
...
CipherString = DEFAULT@SECLEVEL=2
"""

And change that SECLEVEL=2 to SECLEVEL=1.  Obviously, this has
system-wide effects and reduces the minimum key size for all things that
do not set their own CipherString (e.g. webservers have configuration to
do that and wpa_supplicant overrides the new default as well as most
WiFi have small keys).
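
The knob in footnote [1] only takes effect when the section holding it is reachable from the top of openssl.cnf. The following is an added example, not part of the mail and not OpenSSL code: it resolves the system-wide SECLEVEL and lists which RSA keys that level rejects. The section chain, the file names and the key sizes are constructed for illustration.

```python
import re

# Constructed sample. Only [system_default_sect] and its CipherString line
# come from the mail; the chain of sections leading to it is an assumption.
SAMPLE_CNF = """\
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=2
"""

# Constructed inventory: certificate file name -> RSA modulus size in bits.
SAMPLE_KEYS = {"control-old.pem": 1536, "control-new.pem": 3072}

# Smallest RSA/DSA/DH key OpenSSL accepts at each security level.
MIN_RSA_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}


def parse_cnf(text):
    """Parse openssl.cnf-style text into {section: {key: value}}."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            # Split on the first "=" only: the value itself contains one.
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def system_default_section(sections):
    """Follow openssl_conf -> ssl_conf -> system_default, or return None."""
    name = sections["default"].get("openssl_conf")
    for key in ("ssl_conf", "system_default"):
        if name is None or name not in sections:
            return None
        name = sections[name].get(key)
    return sections.get(name)


def effective_seclevel(text):
    """Return the SECLEVEL the system default applies, or None if unset."""
    section = system_default_section(parse_cnf(text))
    if not section:
        return None
    match = re.search(r"@SECLEVEL=(\d)", section.get("CipherString", ""))
    return int(match.group(1)) if match else None


def rejected_keys(text, rsa_bits_by_file):
    """Names of keys that are too small for the configured level."""
    level = effective_seclevel(text)
    if level is None:
        return []
    minimum = MIN_RSA_BITS[level]
    return sorted(name for name, bits in rsa_bits_by_file.items() if bits < minimum)


if __name__ == "__main__":
    print("SECLEVEL:", effective_seclevel(SAMPLE_CNF))
    print("rejected:", rejected_keys(SAMPLE_CNF, SAMPLE_KEYS))
```

A section that nothing points to is inert, which is why the function returns None for a file that contains only [system_default_sect].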



Bug#927383: unblock: bitlbee/3.6-1.1

2019-04-19 Thread Niels Thykier
Control: tags -1 moreinfo

Andreas Tille:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package bitlbee
> 
> 
>   * Non-maintainer upload.
>   * Apply patch to d/copyright provided by Jochen Sprickerhof
> 
> 
> 
> unblock bitlbee/3.6-1.1
> 
> [...]
> 

Hi,

Relative to testing, this request also includes a new upstream version
with a lot of unrelated changes, which is a risk we are not ready to take.

If the incomplete d/copyright also applies to testing, then it will need
a fix via testing-proposed-updates.  The bug metadata does not have any
found version, so it is not clear to me if the issue existed before the
new upstream version in sid or that version introduced the issue.

Thanks,
~Niels



Bug#921599: [debian-mysql] Bug#921599: mariadb-10.3: always connects to localhost ignoring host entry in option file

2019-04-18 Thread Niels Thykier
On Tue, 2 Apr 2019 09:41:25 +0300 Otto Kekäläinen wrote:
> OK, so current MariaDB 10.3.13 we have in Debian contains MariaDB
> Connector C 3.0.9
> 
> mariadb-10.3$ grep -rF 'SET(CPACK_PACKAGE_VERSION_' libmariadb/CMakeLists.txt
> SET(CPACK_PACKAGE_VERSION_MAJOR 3)
> SET(CPACK_PACKAGE_VERSION_MINOR 0)
> SET(CPACK_PACKAGE_VERSION_PATCH 9)
> 
> This has been fixed upstream in MariaDB Connector C 3.0.10:
> https://github.com/MariaDB/mariadb-connector-c/pull/101
> 
> MariaDB 10.3.14 release preparations are in progress, so this can be
> fixed soon via the new upstream release:
> https://mariadb.com/kb/en/library/mariadb-10314-release-notes/
> 
> 

Hi,

Gentle ping on this. :)

Thanks,
~Niels



Bug#926853: unblock: openssh/1:7.9p1-10

2019-04-18 Thread Niels Thykier
Control: tags -1 confirmed d-i

Colin Watson:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock openssh 1:7.9p1-10; as discussed recently on
> debian-devel, this reverts an upstream change in 7.8 that causes
> problems for certain iptables configurations as well as for VMware.
> 
> unblock openssh/1:7.9p1-10
> 


Hi,

Ok and unblocked from a release team PoV, but it needs a d-i ack due to
its udeb.  CC'ing kibi for that part (and quoting the diff in full for him).

Thanks,
~Niels


> diff -Nru openssh-7.9p1/debian/.git-dpm openssh-7.9p1/debian/.git-dpm
> --- openssh-7.9p1/debian/.git-dpm 2019-03-01 10:57:53.0 +0100
> +++ openssh-7.9p1/debian/.git-dpm 2019-04-08 11:51:26.0 +0200
> @@ -1,6 +1,6 @@
>  # see git-dpm(1) from git-dpm package
> -7a3fa37583d4abf128f7f4c6eb1e7ffc90115eab
> -7a3fa37583d4abf128f7f4c6eb1e7ffc90115eab
> +6b56cd57db9061296231f14d537f1ebaf25e8877
> +6b56cd57db9061296231f14d537f1ebaf25e8877
>  3d246f10429fc9a37b98eabef94fe8dc7c61002b
>  3d246f10429fc9a37b98eabef94fe8dc7c61002b
>  openssh_7.9p1.orig.tar.gz
> diff -Nru openssh-7.9p1/debian/README.Debian 
> openssh-7.9p1/debian/README.Debian
> --- openssh-7.9p1/debian/README.Debian2019-03-01 10:57:52.0 
> +0100
> +++ openssh-7.9p1/debian/README.Debian2019-04-08 11:56:59.0 
> +0200
> @@ -270,6 +270,26 @@
>  
>https://bugs.launchpad.net/bugs/1674330
>  
> +IPQoS defaults reverted to pre-7.8 values
> +-
> +
> +OpenSSH 7.8 changed the default IPQoS settings to use DSCP AF21 for
> +interactive traffic and CS1 for bulk.  This caused some problems with other
> +software ("iptables -m tos" and VMware), so Debian's OpenSSH reverts this
> +change for the time being.
> +
> +This is *temporary*, and we expect to come back into sync with upstream
> +OpenSSH once those other issues have been fixed.  If you want to restore the
> +upstream default, add this to ssh_config and sshd_config:
> +
> +  IPQoS af21 cs1
> +
> +For further discussion, see:
> +
> +  https://bugs.debian.org/923879
> +  https://bugs.debian.org/926229
> +  https://bugs.launchpad.net/1822370
> +
>  -- 
>  Matthew Vernon 
>  Colin Watson 
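Review bot: The new README.Debian section says the defaults are "reverted to pre-7.8 values" but never names those values, so an admin reading only this file cannot tell what Debian's ssh and sshd now set. Suggest stating the restored settings next to the "IPQoS af21 cs1" line; the readconf.c hunk in revert-ipqos-defaults.patch shows them as IPTOS_LOWDELAY for interactive and IPTOS_THROUGHPUT for bulk. The "For further discussion" list also leaves out https://bugs.debian.org/923880, which the patch description cites for the iptables interaction.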
> diff -Nru openssh-7.9p1/debian/changelog openssh-7.9p1/debian/changelog
> --- openssh-7.9p1/debian/changelog2019-03-01 13:23:36.0 +0100
> +++ openssh-7.9p1/debian/changelog2019-04-08 12:13:04.0 +0200
> @@ -1,3 +1,11 @@
> +openssh (1:7.9p1-10) unstable; urgency=medium
> +
> +  * Temporarily revert IPQoS defaults to pre-7.8 values until issues with
> +"iptables -m tos" and VMware have been fixed (closes: #923879, #926229;
> +LP: #1822370).
> +
> + -- Colin Watson   Mon, 08 Apr 2019 11:13:04 +0100
> +
>  openssh (1:7.9p1-9) unstable; urgency=medium
>  
>* Apply upstream patch to make scp handle shell-style brace expansions
> diff -Nru openssh-7.9p1/debian/patches/revert-ipqos-defaults.patch 
> openssh-7.9p1/debian/patches/revert-ipqos-defaults.patch
> --- openssh-7.9p1/debian/patches/revert-ipqos-defaults.patch  1970-01-01 
> 01:00:00.0 +0100
> +++ openssh-7.9p1/debian/patches/revert-ipqos-defaults.patch  2019-04-08 
> 11:51:26.0 +0200
> @@ -0,0 +1,93 @@
> +From 6b56cd57db9061296231f14d537f1ebaf25e8877 Mon Sep 17 00:00:00 2001
> +From: Colin Watson 
> +Date: Mon, 8 Apr 2019 10:46:29 +0100
> +Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
> + AF21 for"
> +
> +This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379.
> +
> +The IPQoS default changes have some unfortunate interactions with
> +iptables (see https://bugs.debian.org/923880) and VMware, so I'm
> +temporarily reverting them until those have been fixed.
> +
> +Bug-Debian: https://bugs.debian.org/923879
> +Bug-Debian: https://bugs.debian.org/926229
> +Bug-Ubuntu: https://bugs.launchpad.net/1822370
> +Last-Update: 2019-04-08
> +
> +Patch-Name: revert-ipqos-defaults.patch
> +---
> + readconf.c| 4 ++--
> + servconf.c| 4 ++--
> + ssh_config.5  | 6 ++
> + sshd_config.5 | 6 ++
> + 4 files changed, 8 insertions(+), 12 deletions(-)
> +
> +diff --git a/readconf.c b/readconf.c
> +index 661b8bf40..6d046f063 100644
> +--- a/readconf.c
>  b/readconf.c
> +@@ -2133,9 +2133,9 @@ fill_default_options(Options * options)
> + if (options->visual_host_key == -1)
> + options->visual_host_key = 0;
> + if (options->ip_qos_interactive == -1)
> +-options->ip_qos_interactive = IPTOS_DSCP_AF21;
> ++options->ip_qos_interactive = IPTOS_LOWDELAY;
> + if (options->ip_qos_bulk == -1)
> +-options->ip_qos_bulk = IPTOS_DSCP_CS1;
> ++options->ip_qos_bulk = IPTOS_THROUGHPUT;
> + if (options->request_tty == -1)
> + options->request_tty = REQUEST_TTY_AUTO;
> + if (options->proxy_use_fdpass == -1)
> +diff --git a/servconf.c b/servconf.c
> +index 
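Review bot: The header of the new debian/patches/revert-ipqos-defaults.patch has Bug-Debian, Bug-Ubuntu and Last-Update fields but no Forwarded field, and for a Debian-only revert of an upstream commit that should be explicit. Suggest adding "Forwarded: not-needed" below the Bug-Ubuntu line, so whoever rebases the patch queue can see that this change is meant to be dropped rather than sent upstream once the iptables and VMware issues named in the description are fixed.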

Bug#927298: unblock: ebtables/2.0.10.4+snapshot20181205-3

2019-04-18 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Alberto Molina Coballes:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package ebtables
> 
> A serious bug was opened on ebtables and arptables regarding an issue
> with usr merged systems. This patch solves this issue.
> 
> The debdiff also includes a previous minor commit including salsa CI files,
> if you consider this must not be included, please let me know.
> 
> unblock ebtables/2.0.10.4+snapshot20181205-3
> 
> Thanks
> 


Please go ahead with the upload/changes as-is and remove the moreinfo
tag when it is ready to be unblocked.

Thanks,
~Niels



Bug#927299: unblock: arptables/0.0.4+snapshot20181021-4

2019-04-18 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Alberto Molina Coballes:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package arptables
> 
> A serious bug was opened on ebtables and arptables regarding an issue
> with usr merged systems. This patch solves this issue.
> 
> The debdiff also includes a previous minor commit including salsa CI files,
> if you consider this must not be included, please let me know.
> 
> unblock arptables/0.0.4+snapshot20181021-4
> 
> Thanks
> 

Please go ahead with the upload/changes as-is and remove the moreinfo
tag when it is ready to be unblocked.

Thanks,
~Niels



Bug#926872: evolution: Spaces in mail view disappeared with recent updates

2019-04-17 Thread Niels Thykier
Control: tags -1 moreinfo unreproducible

Hi Boyuan Yang,

Dominique provided the following message to your bug.  However, I am
sure if you have seen it (you were not listed as an explicit CC and the
BTS does not CC submitters by default).

On Wed, 17 Apr 2019 10:06:22 +0200 Dominique Dumont  wrote:
> On Thu, 11 Apr 2019 11:22:46 -0400 Boyuan Yang  wrote:
> > A screenshot is provided with the email here. I'm not sure if it can be
> > reproduced by you, but at least this issues appears on all my machines
> > running Debian Sid.
> 
> I'm using evolution 3.30.5-1 and cannot reproduce this bug.
> 
> Could you check that the mail source does contain the missing white spaces ?
> 
> Could you reproduce this bug with different font settings ?
> 
> All the best
> 
> 

Thanks,
~Niels



Bug#926392: licensecheck chokes on long lines

2019-04-17 Thread Niels Thykier
On Thu, 04 Apr 2019 18:13:43 +0200 Jonas Smedegaard  wrote:
> control: tag -1 confirmed
> 
> Quoting Sandro Mani (2019-04-04 13:36:28)
> > $ wget https://files.pythonhosted.org/packages/source/x/xonsh/xonsh-0.8.12.tar.gz
> > $ tar xf xonsh-0.8.12.tar.gz
> > $ licensecheck xonsh-0.8.12/xonsh/parser_table.py
> > 
> > => Licensecheck hangs eating cpu cycles (the file has lines with 33k and
> > 71k characters).
> 
> Indeed. Thanks for reporting!
> 
>  - Jonas
> 
> -- 
>  * Jonas Smedegaard - idealist & Internet-arkitekt
>  * Tlf.: +45 40843136  Website: http://dr.jones.dk/
> 
>  [x] quote me freely  [ ] ask before reusing  [ ] keep private

Hi,

I have been digging in the code (admittedly using the master branch of
the libregexp-pattern-license-perl and licensecheck rather than the
packages) and basically, it is a DOS from suboptimal regex.

I traced it down to getting stuck on the python_2 "grant_license".  This
regex expands to (manually reformatted with /x for readability):

"""
m!
(?^:
(?:
(?: (?:[Ll]icensed|[Rr]eleased) [ ] under|(?:according [ ] to|as
[ ] governed [ ] by|under) [ ] the [ ] (?:conditions|terms)
[ ] of)(?:(?:[Tt]he [ ] )?Python-2.0

  | (?:[Tt]he [ ])?Python(?: [ ] [Ll]icense)? [ ] 2.0
  | (?:[Tt]he [ ])?Python-2.0
  | (?:[Tt]he [ ])?Python [ ] Software [ ]
Foundation(?: [ ] [Ll]icense)? [ ] version [ ] 2
  | (?:[Tt]he [ ])?python2
  | (?:[Tt]he [ ])?Python-2
  | (?:[Tt]he [ ])?PSF-2
  | (?:[Tt]he [ ])?Python(?: [ ] [Ll]icense)? [ ] Version [ ] 2
  | (?:[Tt]he [ ])?PYTHON [ ] SOFTWARE [ ] FOUNDATION [ ] LICENSE
[ ] VERSION [ ] 2
  | (?:[Tt]he [ ])?python-license-2.0)
  | (?:\W*\S+\W*)PSF [ ] is [ ] making [ ] Python [ ] available [ ]
to [ ] Licensee

)

)
!x
"""

The problem is the *last* alternative, namely:

"""
  (?:\W*\S+\W*)PSF [ ] is [ ] making [ ] [...]
"""


That \W*\S+\W* (known as ${BB} in the libregexp-pattern-license-perl
code) is stirring up hell. Basically, perl wants to find the *longest*
match and will spend a stupid amount of time in this "trivial" regex
enumerating exponentially many "non-matches" ([1] strikes again).

Simply removing ${BB} will make the code continue past the python_2 test
relatively fast.   For the python_2 case, I think that the phrase "PSF
is making Python available to Licensee" would be sufficient enough to
consider it a match (i.e. ${BB} is redundant) - though it will change
behaviour on an anchored match (I hope this is not a problem).


Though it then gets stuck in the next regex "cube" (from
@L_type_unversioned) and that is as far down the rabbit hole I ventured
in terms of regex getting stuck (note that "cube" indirectly uses the
$BB regex too).

Thanks,
~Niels

[1] https://swtch.com/~rsc/regexp/regexp1.html
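
The slowdown and the proposed fix from this mail can be measured outside licensecheck. The following is an added example, not code from licensecheck or libregexp-pattern-license-perl: it assumes Python's backtracking re engine as a stand-in for Perl's, uses only the last alternative quoted above, and runs on constructed input lines.

```python
import re
import time

PHRASE = r"PSF is making Python available to Licensee"
BB = r"\W*\S+\W*"  # the ${BB} fragment as quoted in the mail

WITH_BB = re.compile(r"(?:" + BB + r")" + PHRASE)
WITHOUT_BB = re.compile(PHRASE)  # the mail's proposal: drop ${BB}

# Constructed lines used to compare what the two patterns accept.
SAMPLE_LINES = [
    "1. PSF is making Python available to Licensee",
    "PSF is making Python available to Licensee",
    "# released under the MIT license",
]


def long_line(n):
    # Constructed stand-in for a generated table line: n characters that
    # are non-word and non-space at once, so every part of ${BB} can
    # claim them and the engine has to try each way of splitting the run.
    return "(" * n


def seconds(pattern, text):
    """Wall-clock time of one failed or successful search."""
    start = time.perf_counter()
    pattern.search(text)
    return time.perf_counter() - start


def growth(sizes=(40, 80, 160)):
    """Return (length, seconds with ${BB}, seconds without) per size."""
    rows = []
    for n in sizes:
        line = long_line(n)
        rows.append((n, seconds(WITH_BB, line), seconds(WITHOUT_BB, line)))
    return rows


def differing_lines(lines):
    """Lines on which removing ${BB} changes the match result."""
    return [
        line
        for line in lines
        if bool(WITH_BB.search(line)) != bool(WITHOUT_BB.search(line))
    ]


if __name__ == "__main__":
    for n, slow, fast in growth():
        print(f"{n:4d} chars  with BB: {slow:.4f}s  without BB: {fast:.6f}s")
    print("result changes on:", differing_lines(SAMPLE_LINES))
```

The line that starts directly with the phrase is the one whose result changes, since ${BB} requires at least one non-space character in front of "PSF".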



Bug#927220: lintian: Please detect and warn about libs exporting common symbols

2019-04-16 Thread Niels Thykier
Package: lintian
Version: 2.9.1
Severity: wishlist

Hi,

We discovered that libqb was accidentally exporting symbols such as
strlcat and strlcpy, which are implemented in libbsd.

Packages should *not* export strlcpy (or other common symbols) simply
because they happen to use an embedded compat version of the symbol.

Possible solutions:

 * use symbol hiding to hide the symbol (e.g.
   """__attribute__((visibility("hidden")))""" )

 * Build-Depend on or/and add the proper defines to expose the symbol
   (and thereby avoid using the embedded version).


Thanks,
~Niels



Bug#905772: [Pkg-libvirt-maintainers] Bug#905772: libvirtd upgrade broken stretch->buster

2019-04-16 Thread Niels Thykier
On Mon, 15 Apr 2019 22:27:57 +0200 Guido Günther wrote:
> Hi,
> On Mon, Apr 15, 2019 at 10:18:18PM +0200, Michael Biebl wrote:
> > Hi Sam
> > 
> > Am 15.04.2019 um 20:38 schrieb Sam Hartman:
> > > control: severity -1 serious
> > > 
> > > justification: libvirtd upgrades from stretch to buster break causing
> > > apt to fail and requiring the admin to get the systemd units into a
> > > consistent state before things can continue
> > > 
> > > 
> > > Unfortunately based on discussion so far this is a complex bug to fix.
> > > Ubuntu's solution is to drop the sysv scripts and to drop  Also= lines
> > > in some of the units.
> > > 
> > > The systemd maintainers proposed that dropping Also as well as some
> > > changes to move toward dh_systemd_start being used even when sysvinit
> > > scripts are present would help this situation.  Unfortunately it at
> > > least doesn't look like those changes are in debhelper for buster.
> > > Systemd folks, do you have any suggestions  on how to approach this for
> > > buster?
> > 
> > Using debhelper compat level 12, you are able to completely decouple
> > dh_installinit and dh_installsystemd which would give you the ability to
> > implement what you want afaics.
> 
> So let's move libvirt from 8 to 12 for stretch? I'm all for it but it'll
> be a couple of days until I can set time aside for this.
> cheers,
>  -- Guido
> 
> [...]
Hi,

I think we should keep libvirt at compat 8 in general for now and then
leave a full bump to compat 12 for bullseye.  The reason here being that
the compat changes documented in debhelper(7) amount to 3-4 screens
worth of changes across all of debhelper's tools.

Instead, we can do a mixed compat setup, where the package remains at
compat 8 in general but we force selected tools to run in compat 12.  I
have made a PoC of that in
https://salsa.debian.org/libvirt-team/libvirt/merge_requests/21/diffs

Note that change set is only meant as inspiration; I have not tried to
understand the problem nor the solution fully (nor have I tested that it
actually still builds).

Thanks,
~Niels



Bug#927199: unblock: gnome-shell/3.30.2-6

2019-04-16 Thread Niels Thykier
Control: tags -1 moreinfo

intrigeri:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package gnome-shell.
> 
> Changes are:
> 
> 1. Vcs-Git, gbp.conf: point to the correct, Buster-specific, branches.
> 
> 2. Avoid test failures on buildd environments where HOME, XDG_RUNTIME_DIR
>    might be invalid. This allows the tests to run a bit further on s390x.
>    The package still FTBFS there but as Simon McVittie wrote, "The remaining
>    test failures on s390x look to me more like a bug in mozjs60 or gjs than
>    a bug in gnome-shell" — which I guess is #927081.
> 
> 3. Add missing French layouts to on screen keyboard (Closes: #926452)
> 
>    Due to a bug in the code that generates on screen keyboard layouts, the
>    French layout ends up being generated from the French-Canadian layout
>    (which is qwerty rather than azerty). This is a regression compared to
>    Stretch.
> 
>    Fixed by cherry-picking the relevant upstream (3.32.0) commit.
> 
> 4. Fix on screen keyboard language's menu closing the keyboard
>    (Closes: #926453)
> 
>    GNOME Shell 3.30's on screen keyboard now offers a menu that allows
>    selecting among the supported keyboard layouts. But moving the pointer
>    over this menu closes the keyboard. This is a regression from Stretch,
>    where that menu did not exist yet.
> 
>    Fixed by cherry-picking the relevant upstream (3.32.0) commits.
> 
> unblock gnome-shell/3.30.2-6
> 

There is a bug in d/clean.  The "debian/home" line is a directory and
therefore needs a trailing slash (otherwise, dh_clean will refuse to
remove it - see "man dh_clean").

Otherwise, it looks fine.

Thanks,
~Niels



Bug#927189: unblock: docker.io/18.09.1+dfsg1-5+b10

2019-04-15 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Arnaud Rebillout:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package docker.io.
> 
> unblock docker.io/18.09.1+dfsg1-5+b10
> 
> I'd like to fix #925224 [1] for buster. The fix is trivial, and allows
> the docker's debootstrap script to work again when it queries
> security.debian.org, by following redirections. Please see bug for
> more details.
> 
> I attached a source debdiff as mentioned in buster freeze policy [2].
> 
> Sorry for the inconvenience,
> 
> Thanks!
> 
>   Arnaud
> 
> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925224
> [2] https://release.debian.org/buster/freeze_policy.html.
> 
> [...]
> 

Please go ahead with the upload and remove the moreinfo tag when it is
ready to be unblocked.

Thanks,
~Niels



Bug#927183: [pre-approval] unblock: debiancontributors/0.7.8-1

2019-04-15 Thread Niels Thykier
Control: tags -1 moreinfo cionfirmed

Daniele Tricoli:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Hello!
> 
> This is a pre-approval to unblock package debiancontributors 0.7.8-1
> 
> debiancontributors is a package used internally by our infra team and this
> upload would fix some simple but important bugs, in particular:
> 
> https://salsa.debian.org/python-team/modules/python-debiancontributors/commit/51adfafa4ee8cb58fc4d651ec99b6f46a83f02d5
> 
> https://salsa.debian.org/python-team/modules/python-debiancontributors/commit/b41908ea65e6a550438f90339c29ea2a3feda718
> 
> The first one (workaround for #801506) is the most important one:
> python-requests can't support (for now) 100-Continue response.
> 
> The debdiff against the package in testing is attached. Thanks for considering
> this pre-approval.
> 
> unblock debiancontributors/0.7.8-1
> 
> [...]
> 

Please go ahead with the upload and remove the moreinfo tag when the
upload is ready to be unblocked.

For future reference: Please avoid generic code-style
rewrite/refactoring during freezes (and instead deploy it after the
freeze).  In the particular instance, it was manageable to review but
most of it was "noise" due to that refactoring - this in turn increases
the risk that the proposal is rejected.

Thanks,
~Niels



Bug#927156: unblock: parted/3.2-25

2019-04-15 Thread Niels Thykier
Control: tags -1 confirmed d-i

Colin Watson:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock parted 3.2-25: there was an arithmetic error in its
> handling of extended partitions, which was often in practice masked by
> higher-level tools but could be triggered in some circumstances such as
> by gnome-disks, leading to disturbing results like apparently-vanishing
> partitions.  The patch is pretty clear if you look at a little more
> context: one branch of an if/else block multiplied by the device's
> sector size while the other didn't, which was obviously wrong.
> 
> [...]
> 
> unblock parted/3.2-25
> 

Approved from a RT PoV; CC'ing KiBi for a d-i review.

Thanks,
~Niels



Bug#927111: unblock: wpa/2:2.7+git20190128+0c1e29f-4

2019-04-15 Thread Niels Thykier
Control: tags -1 d-i confirmed

Andrej Shadura:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock the package wpa.
> 
> This upload fixes a security vulnerability in WPA3-Personal and EAP (#926801):
> 
>  - CVE-2019-9494: SAE cache attack against ECC groups (VU#871675)
>  - CVE-2019-9495: EAP-pwd cache attack against ECC groups
>  - CVE-2019-9496: SAE confirm missing state validation
>  - CVE-2019-9497: EAP-pwd server not checking for reflection attack
>  - CVE-2019-9498: EAP-pwd server missing commit validation for scalar/element
>  - CVE-2019-9499: EAP-pwd peer missing commit validation for scalar/element
> 
> For more details on the vulnerability itself, see:
>  - https://w1.fi/security/2019-1/
>  - https://w1.fi/security/2019-2/
>  - https://w1.fi/security/2019-3/
>  - https://w1.fi/security/2019-4/
> 
> Since the patches are quite big, you can check them here:
>  - https://salsa.debian.org/debian/wpa/tree/debian/master/debian/patches/2019-sae-eap
>  - https://sources.debian.org/src/wpa/2:2.7+git20190128+0c1e29f-4/debian/patches/2019-sae-eap/
> 
> Erroneously not mentioned in the changelog, this upload also declares a
> correct build dependency on libnl-3-dev.
> 
> unblock wpa/2:2.7+git20190128+0c1e29f-4
> 

Hi,

Thanks for filing this unblock.  From a RT PoV it looks fine and I have
Cc'ed KiBi for a d-i ack before accepting it fully.

Thanks,
~Niels



Bug#925936: release.debian.org: Would v4l-utils 1.16.5 match unblocking criteria?

2019-04-14 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Gregor Jasny:
> Control: tags -1 - moreinfo
> 
> Hello,
> 
> A new patch turned up and I decided to only cherry-pick the three most
> important patches from the stable-1.16 tree.
> 
> Debdiff is attached.
> 
> If you agree on the changes I will upload via unstable.
> 
> Thanks,
> Gregor

Hi Gregor,

Please go ahead with this patch and remove the moreinfo tag once it has
been fixed.

Please note that you may want to inform upstream of the following
possible bug:

"""
+-  parms->fname = fname;
++  parms->fname = strdup(fname);
++  if (!parms->fname) {
++  dvb_logerr(_("fname calloc: %s"), strerror(errno));
++  return -errno;
++  }
++
"""

Please note that *any* call to a library function (e.g. strerror or _,
which I presume is gettext, or dvb_logerr which sounds like it will do
IO operations) may alter errno.  I.e. the errno returned may no longer
be from the failing strdup.

AFAICT, this is a consistent issue throughout the diff and therefore
not really a regression:

"""
+   if (xioctl(fd, FE_GET_PROPERTY, _prop) == -1) {
+   dvb_perror("FE_GET_PROPERTY");
+-  dvb_v5_free(parms);
+   close(fd);
+   return -errno;
+   }
"""

Which is why I am ok with accepting it as it is.  For reference, the
solution is to store "errno" in a local variable immediately after the
failing call.

Thanks,
~Niels



Bug#926556: unblock: yubikey-personalization/1.19.3-3

2019-04-14 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Nicolas Braud-Santoni:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package yubikey-personalization
> 
> In version 1.19.3-1, I introduced a bug w.r.t. udev rules handling,
> resulting in users being unable to use the software (see #924787);
> as such, I deemed the bug serious, and bumped its severity accordingly.
> 
> The latest upload reverses that change, and split the udev rules to a new
> binary packages (libyubikey-udev) so other packages may Depend or Recommend it.
> 
> 
> Best,
> 
>   nicoo
> 
> unblock yubikey-personalization/1.19.3-3
> 
> [...]
> 

Hi Nicolas,

I cannot see these changes in unstable, so we cannot unblock them (nor
do I see them NEW).  Please upload this and remove the moreinfo tag once
it is in unstable and ready for unblocking.

Thanks,
~Niels



Bug#909750: applications tries to write to /usr/* directories via libfontconfig1

2019-04-13 Thread Niels Thykier
Vincas Dargis:
> On 2019-04-13 12:50, Niels Thykier wrote:
>> What is the status of this bug? AFAICT, we have *some* fixes from
>> upstream but Chris's mail implies that the bug is not completely fixed.
> 
> This bug disappeared from my logs long time ago, at least haven't seen
> any application reproducing it so far.

Interestingly, Chris (just Cc'ed) claims to have reproduced it about a
week ago with libfontconfig1:amd64 using strace and to my knowledge
libfontconfig1 hasn't changed for months in sid/buster.

@Chris: Just to confirm: Do you still see the issue?

Thanks,
~Niels



Bug#927007: libopenblas-base: Disable TLS (thread-local storage) to work around #903514

2019-04-13 Thread Niels Thykier
Source: openblas
Severity: serious
User: release.debian@packages.debian.org
Usertags: buster-is-blocker

Hi,

Please disable the usage of TLS (thread-local storage) to work around
#903514 (deadlocks in glibc with TLS) for now.

Thanks,
~Niels



Bug#910964: libprotobuf17 might need Breaks: libprotobuf10

2019-04-13 Thread Niels Thykier
On Wed, 3 Apr 2019 00:04:43 +0200 Andreas Beckmann  wrote:
> [...]
> 
> What's the point in having a cruft package (libprotobuf10) installable
> in buster, if it has been shown that this allows partial upgrades (yes,
> partial upgrades *are* supported) that reproducibly cause failures?
> The cruft package itself does not cause harm. It's the combination with
> other packages that's problematic. There is an easy solution to prevent
> all these (see Subject), without imposing any limitation on buster.
> 
> While it is possible to add the Breaks to libarcus3 instead, is this
> sufficient to prevent *all* failure cases? Which package will be the
> next to be touched to prevent mixture errors?
> 
> There is no point in touching Build-Depends, as we can't build against
> this cruft in sid.
> 
> Andreas
> 
> 

Hi,

From a release team PoV, we would very much like to see this be fixed
with a Breaks as well.

> Hi Pirate,
> 
> On Sat, Oct 20, 2018 at 10:39 AM Pirate Praveen
>  wrote:
>> On Mon, 15 Oct 2018 16:26:23 +0300 Adrian Bunk  wrote:
>> > When it has been observed that ending up with both libprotobuf10 and
>> > libprotobuf17 in a binary will not work, then this should be expressed
>> > through the package dependencies.
>  ... of the binaries that need to be compiled with the same ProtoBuf version.
> 
>> Are you planning to upload this fix? Testing migration is currently
>> blocked by this rc bug and there is a delay caused by autopkgtest failure.
>  Let's break it to parts.
> 1) Can libprotobuf10 and libprotobuf17 installed together and
> independent packages working correctly with these libraries? Yes,
> these are possible. I don't see the need to break the old
> libprotobuf10 package.
> 


While libprotobuf10 and libprotobuf17 *can* be installed together,
nothing in buster should rely on libprotobuf10 any longer.  Indeed,
libprotobuf10 is not even in buster any longer.

> [...]
>> > That would avoid a couple of potential problems in situations like
>> > stretch->buster upgrades or for testing users.
>  Breaking libprotobuf10 would cause more problems. All ProtoBuf
> related packages would need to migrate once and together. Cause
> problem with any local compiled program for libprotobuf10.
> 

This may have been an issue at that time, but it no longer is (as
libprotobuf10 is not in testing anymore).


On the flip side, having libprotobuf10 remain on some systems during
upgrades will spell trouble for us later.  Each release, we see a number
of upgrade issues related to old, long obsolete packages that were
removed releases ago.  Let's ensure libprotobuf10 does not become one of
them for bullseye or later.

Thanks,
~Niels



Bug#909750: applications tries to write to /usr/* directories via libfontconfig1

2019-04-13 Thread Niels Thykier
On Sat, 6 Apr 2019 16:38:13 +0200 Chris Hofstaedtler 
wrote:
> * Thierry fa...@linux.ibm.com  [190406 14:35]:
> > > >The only occurrence I'm seeing on my system is:
> > > >
> > > >openat(AT_FDCWD, "/usr/lib/firefox/fonts/.uuid.TMP-EWjEq0", 
> > > >O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = -1 EACCES (Permission denied)
> > > 
> > > Now it's the only occurrence for me, too.
> > > 
> > 
> > With current packages I don't see any more issues of openat()
> > EACCES(...) when tracing firefox-bin
> 
> With libfontconfig1:amd64 2.13.1-2:
> 
> $ strace -o '| grep -w EACCES' /usr/lib/firefox-esr/firefox-bin
> openat(AT_FDCWD, "/usr/lib/firefox-esr/fonts/.uuid.TMP-pZnI7N", 
> O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = -1 EACCES (Permission denied)
> 
> C.
> 

Hi,

What is the status of this bug? AFAICT, we have *some* fixes from
upstream but Chris's mail implies that the bug is not completely fixed.

Related, upstream closed their side of the bug a few days ago with the note:

"""
uuid related code has been gone in git. this should be improved. closing.
"""

(Not sure if that means they committed some recent changes to fix this).

Thanks,
~Niels
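
To check whether the remaining write attempts quoted above are really gone after a fontconfig update, the strace output can be filtered more precisely than with `grep -w EACCES`. The following is an added example, not part of the original thread: it joins records that were wrapped across lines (as in the mails above) and reports only failed opens with write or create flags under `/usr/`. The function names, the chosen errno list and all sample lines except the first are constructed for illustration.

```python
import re

# Constructed sample in the shape of the strace lines quoted in this thread;
# the first record is wrapped over two lines, as it was in the mail.
SAMPLE = """\
openat(AT_FDCWD, "/usr/lib/firefox-esr/fonts/.uuid.TMP-pZnI7N",
O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/usr/share/fonts/truetype/example.ttf", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/home/user/.cache/fontconfig/example.cache", O_RDWR|O_CREAT, 0644) = 4
open("/usr/local/share/fonts/.uuid.TMP-constructed", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EROFS (Read-only file system)
openat(AT_FDCWD, "/usr/lib/example/missing.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
"""

SYSCALL_START = re.compile(r'^(?:\d+\s+)?\w+\(')   # optional pid from strace -f
OPEN_RE = re.compile(
    r'^(?:\d+\s+)?(?P<call>openat|open)\((?:AT_FDCWD,\s*)?'
    r'"(?P<path>[^"]*)"(?:,\s*(?P<flags>[A-Z_|]+))?'
    r'.*\)\s*=\s*(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z0-9]+))?'
)
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND"}


def records(text):
    """Yield one logical syscall record per item, re-joining wrapped lines."""
    buf = []
    for line in text.splitlines():
        if SYSCALL_START.match(line) and buf:
            yield " ".join(buf)
            buf = []
        if line.strip():
            buf.append(line.strip())
    if buf:
        yield " ".join(buf)


def denied_writes(text, prefix="/usr/", errnos=("EACCES", "EPERM", "EROFS")):
    """Return (path, errno) for failed write/create opens below `prefix`.

    Only absolute paths are considered; openat() calls relative to a
    directory descriptor other than AT_FDCWD are ignored.
    """
    hits = []
    for rec in records(text):
        m = OPEN_RE.match(rec)
        if not m or m["ret"] != "-1" or m["errno"] not in errnos:
            continue
        flags = set((m["flags"] or "").split("|"))
        if flags & WRITE_FLAGS and m["path"].startswith(prefix):
            hits.append((m["path"], m["errno"]))
    return hits


if __name__ == "__main__":
    for path, err in denied_writes(SAMPLE):
        print(f"{err}\t{path}")
```
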



Bug#901148: Debian Bug#901148: timidity: upgrading to 2.14.0-2 broke sound in KDE plasma

2019-04-13 Thread Niels Thykier
Hi Bastien,

Could you have a look at this bug (in particular, the mail below)?

The bug has been tagged buster-ignore, but we would still like a more
user-friendly solution (even if just in the form of a NEWS entry, so
upgrading people are not caught unaware).

Thanks,
~Niels

On Sun, 7 Apr 2019 09:33:34 +0200 Wolfgang Silbermayr
 wrote:
> Having been hit by this on Buster Testing before, I did some
> investigation. Here are my findings:
> 
> Conditions for this bug to appear are:
> 
>* timidity-daemon is installed
>* timidity service (from the timidity-daemon package) is enabled or
>  timidity gets started by hand
>* No midi device is provided by the kernel
> 
> Only if all of these conditions are fulfilled at the same time,
> this comes into effect.
> 
> A quick test on Stretch with the timidity service enabled did not reveal
> the bug. However, timidity was not running after boot, and I didn't find
> the reason why. After starting it by hand, pulseaudio got unusable, just
> like it does on Buster. So my guess is that the bug was actually present
> in Stretch, it just did not show due to timidity not starting properly
> at boot.
> 
> A removal of timidity-daemon on affected systems is sufficient. It is
> set to "Suggests" instead of "Recommends" with timidity as of 2.14.0-8,
> so the majority of people who install games or music programs that pull
> in timidity will no longer be affected.
> 
> People who will be affected are those that got timidity-daemon installed
> in Stretch by the "Recommends" dep, and then upgraded to Buster. Even an
> apt autoremove will keep timidity-daemon installed.
> 
> One way to escape this bug is to have a midi device available in the
> system, which can also be snd_virmidi. But I don't consider this a clean
> solution, because it will probably interfere for people who have real
> midi hardware.
> 
> What other options do we have? Simply keep it as-is and document it in
> the the upgrade manual? Or do we have some mechanism available that
> would remove timidity-daemon if it was installed automatically? Any
> other ideas?
> 
> 



Bug#926876: unblock: chiark-utils/6.0.4

2019-04-12 Thread Niels Thykier
Control: tags -1 moreinfo confirmed

Ian Jackson:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package chiark-utils
> 
> chiark-utils is a portmanteau of different utilities.  I am proposing
> to fix two bugs.  Each bug is RC for the corresponding utility in the
> sense that the utility is dangerous or useless without the fix.  (The
> bugs are not IMO RC for the package as a whole, although I think the
> dangerous one is "important".)
> 
> 1. fishdescriptor has a bug which makes it not work on amd64 and could
> cause malfunctions or even UB in the target process.  #926858
> 
> 2. sync-accounts uses an ancient deprecated perl syntax and is
> entirely rejected by current versions of perl.  #865985
> 
> Below is the source diff.  Assuming the unblock is granted I will
> finalise the changelog entry for 6.0.4 and do a dgit push-source
> to do a source-only upload.
> 
> (For my records: diff was generated from current master on chiark, ie
>  0caba95b1c3f211fa3defcff017dde1374b3caa6)
> 
> 
> unblock chiark-utils/6.0.4
> 
> [...]
> 

Please go ahead with the upload and remove the moreinfo tag when it is
ready to be unblocked.

Thanks,
~Niels



Bug#926888: unblock: wget/1.20.1-1.1

2019-04-12 Thread Niels Thykier
Control: tags -1 d-i confirmed

Salvatore Bonaccorso:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Hi,
> 
> Please unblock package wget
> 
> It fixes CVE-2019-5953, #926389 a buffer overflow vulnerability in the
> handling of Internationalized Resource Identifiers (IRI), it was
> addressed as well in DSA-4425-1 for stretch.
> 
> Attached is the debdiff between 1.20.1-1 and 1.20.1-1.1.
> 
> unblock wget/1.20.1-1.1
> 
> Regards,
> Salvatore
> 

Hi,

OK from here; Cc'ing KiBi for a d-i ack.

Thanks,
~Niels



Bug#926658: gnuplot: free(): double free detected in tcache 2

2019-04-08 Thread Niels Thykier
Source: gnuplot
Version: 5.2.6+dfsg1-1
Severity: important

Hi,

After upgrading lindsay.d.o to buster, we see errors when trying to
generate graphs of the tags.  While trying to create a minimal
reproducer I tripped a double free bug in gnuplot.

The following steps were done to reproduce the issue:

"""
$ unzip test-files.zip
$ cd test-files
test-files$ gdb -args gnuplot call.gp
[...]
(gdb) run
Starting program: /usr/bin/gnuplot call.gpi
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Plotting $tag statistics...
"./tags.gpi" line 27: undefined variable: date_min

free(): double free detected in tcache 2

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50  ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x778c6535 in __GI_abort () at abort.c:79
#2  0x7791d778 in __libc_message (action=action@entry=do_abort, 
fmt=fmt@entry=0x77a2828d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x77923e6a in malloc_printerr (str=str@entry=0x77a29f58 
"free(): double free detected in tcache 2") at malloc.c:5341
#4  0x7792594d in _int_free (av=0x77a5fc40 , 
p=0x556eb250, have_lock=) at malloc.c:4193
#5  0x5558d71d in gpfree_string (a=0x556e9828) at 
.././../../src/eval.c:423
#6  0x5558dbcb in gpfree_string (a=) at 
.././../../src/eval.c:422
#7  gpfree_array (a=a@entry=0x556e9860) at .././../../src/eval.c:446
#8  0x555be5a7 in lf_pop () at .././../../src/misc.c:515
#9  0x555bebad in load_file_error () at .././../../src/misc.c:626
#10 0x5556e8e5 in main (argc=2, argv=0x7fffe178) at 
.././../../src/plot.c:555
(gdb) quit
"""

Note: The test files *are* invalid - the common.gpi file should define
some variables but it does not (e.g. date_min).  Nonetheless, gnuplot
should not trip a double-free regardless of whether the input is valid
or not.

Relevant versions of gnuplot used for reproducing this:

"""
$ dpkg -l | grep gnuplot
ii  gnuplot-data 5.2.6+dfsg1-1   
all  Command-line driven interactive plotting program. Data-files
ii  gnuplot-nox  5.2.6+dfsg1-1   
amd64Command-line driven interactive plotting program. No-X package
ii  gnuplot-nox-dbgsym   5.2.6+dfsg1-1   
amd64debug symbols for gnuplot-nox
"""

Thanks,
~Niels



Bug#926543: lintian: Deadlock in source-copyright check on source:khronos-opencl-man/1.0~svn33624-4

2019-04-08 Thread Niels Thykier
Niels Thykier:
> Niels Thykier:
>> Niels Thykier:
>>> Package: lintian
>>> Version: 2.9.1
>>> Severity: important
>>>
>>> Hi,
>>>
>>> Discovered in the archive-wide run on lindsay.d.o; lintian does not
>>> terminate when run on khronos-opencl-man/1.0~svn33624-4 (source).
>>>
>>> Thanks,
>>> ~Niels
>>>
>>
>> For reference, I used the following command line to confirm it on lindsay:
>>
>> lintian -EvIL +pedantic -j2 -ddd \
>>   /srv/mirrors/debian/pool/main/k/khronos-opencl-man/*33624*.{deb,dsc}
>>
>> I.e. I ran it with source and binaries available (didn't check if the
>> source alone was enough to trigger the issue).
>>
>> Thanks,
>> ~Niels
>>
> 
> The source package is enough to reproduce it but I cannot reproduce it
> on buster.  It has to be stretch or older; this implies that the
> underlying issue might have been fixed in a dependency (presumably
> IPC::Run).
> 
> Thanks,
> ~Niels
> 

lindsay.debian.org has been upgraded to buster but the problem still
persists.  I reproduced it today with 2.12.0 (git checkout).

Thanks,
~Niels


