Bug#1071501: linux-image-6.1.0-21-arm64: Linux NFS client hangs in nfs4_lookup_revalidate

[Richard Kojedzinszky]

Dear Salvatore,

I've already started bisecting. It will take some time. Usually the bug 
appears after a few hours, unfortunately I am not able to trigger it 
faster. So, if the bug appears, I can step forward easily, but if not, 
its hard to decide if it is still present and simply just have not 
occured, or if the current version is a good one. I'll try to do my 
best.


I will also contact linux-nfs mailing list.

As I remember, it started nearly a year ago, when I switched to Debian's 
kernel. I dont know exactly what version was at that time. Howewer, I've 
checked Debian's patches, and I did not find anything related to NFS.


Regards,
Richard


2024-05-20 21:07 időpontban Salvatore Bonaccorso ezt írta:

Hi Richard,

On Mon, May 20, 2024 at 09:27:24AM +, Richard Kojedzinszky wrote:

Package: src:linux
Version: 6.1.90-1
Severity: normal
X-Debbugs-Cc: richard+debian+bugrep...@kojedz.in

Dear Maintainer,

I am running kubernetes on debian, and pods are mounting multiple nfs
shares. I am running dovecot processes in PODs, which receive mails 
from

the internet, and also serves as imap server for clients. I am
monitoring my mail system by sending mails periodically (15 seconds) 
and
also downloading them via imap. I found a few times that some dovecot 
process
stuck in D state, a reboot was always needed to recover from that 
state.


Unfortunately, I was not able to trigger the bug really fast, I dont
really know what operations does dovecot issue and in what order to 
trigger
this behavior. So until I get closer, I've set up a similar, but 
smaller

environment with just a single dovecot process, and it also does the
same work, delivering only test mails locally, and serving them via 
imap
to the monitoring client, storing everything on NFS. Fortunately, this 
also
triggers the bug, after a few hours one of the dovecot processes is 
stuck

in D state. Kernel also shows blocked state:


As you seem in the lucky position to be able to trigger the issue in a
more localized setup, might you:

- try as well more recent kernels from upper suites (6.8.9-1 in
  unstable would be ideal to check if the issue is there as well).
- I did read you cannot trigger with 5.15. If you build 6.1.90 from
  upstream without Debian patches I assume you can trigger the issue
  likewise? If so could you bisect the changes introducing the issue?
  This is a cumbersome process in particular if you need few hours to
  trigger it  So maybe the following point could be done first:
- Can you report the issue to the linux-nfs list, keeping us in the
  loop?

Regards,
Salvatore

Bug#1071556: Acknowledgement (Dvorak keymap not loaded after login)

[Daniel Richard G.]

I've reported this issue to the upstream project at

https://github.com/neutrinolabs/xrdp/issues/3081

Ubuntu's version 0.9.24-4 in 24.04/noble is likewise affected.

Bug#1071556: Dvorak keymap not loaded after login

[Daniel Richard G.]

Package: xrdp
Version: 0.9.24-5
Severity: important

Recently, I have noticed that logging in via a recent version of xrdp,
while using the Dvorak layout on the client, yields a QWERTY layout in
the remote framebuffer after getting past the login dialog. This is
incorrect behavior and has never happened before.

After some digging, I tracked the problem down to this:

https://bugs.debian.org/1063725

It is no longer possible to refer to the Dvorak layout as just "dvorak"
(as when one would run "setxkbmap dvorak"); one must now use either
"us dvorak" or "us(dvorak)". The below edit fixes the issue and allows
me the proper keymap after logging in:

--- /etc/xrdp/xrdp_keyboard.ini.orig
+++ /etc/xrdp/xrdp_keyboard.ini
@@ -86,7 +86,7 @@
 ;  = 
 [default_layouts_map]
 rdp_layout_us=us
-rdp_layout_us_dvorak=dvorak
+rdp_layout_us_dvorak=us(dvorak)
 rdp_layout_us_dvp=us(dvp)
 rdp_layout_dk=dk
 rdp_layout_de=de
@@ -125,7 +125,7 @@
 
 [rdp_layouts_map_mac]
 rdp_layout_us=us
-rdp_layout_us_dvorak=dvorak
+rdp_layout_us_dvorak=us(dvorak)
 rdp_layout_us_dvp=us(dvp)
 rdp_layout_dk=dk
 rdp_layout_de=de


--Daniel

Bug#1071426: logcheck-database: smartd: Match nvme lines too

[Richard Lewis]

On Sun, 19 May 2024 at 05:06, Stefanos Harhalakis  wrote:

> See attached patch for matching NVMe devices too in smartd logs

Thanks - yes i'd noticed that the rules for smartd need an update and
this is on the radar - however, the
update to the names of the .state files i was not aware of!

I think the first part of the patch is  not quite right, per the code
i think it should be:

# from https://sources.debian.org/src/smartmontools/7.4-2/smartd.cpp/#L5829
... Monitoring [[:digit:]]+ ATA/SATA, [[:digit:]]+ SCSI/SAS and
[[:digit:]]+ NVMe devices

It would be really helpful if you could:

1/ send some sample log output logs,

something like:
journalctl -t smartd | awk '{$1=$2=$3=$4="";$5="X";print}' | sort -u

would be helpful

I'm especially unsure about the bits of rules that start "Device:" as
i could not work out what format is expected -- the current rules have
Device: /dev/[^[:space:]]+( \[[_/[:alnum:][:space:]]+\])?( \[SAT\])?
but im not sure if the optional groups are up-to-date, -- i couldnt
find what bit of code determines those.

2/ the attached rules (untested) are what i'm wokring on for smartd -
any testing of these would be great
(I generalised the name of the .state file - again i dont know where
smartd sets this bit, so hard to know what is expected!)
(these are completely untested, so may be completely broken)


smartd.rules
Description: Binary data

Bug#1071377: chkrootkit: File name including a quote mark throws script off

[Richard Lewis]

On Sat, 18 May 2024 at 08:39, Shai Berger  wrote:

> This morning, when chkrootkit made its daily run, I had
> in /tmp a file named: 'חברת חשמל לישראל בע"מ - חשבון דו חודשי.pdf'
> (the single quote marks on the edges are not part of the name, but
> the double quote mark in the middle is)
>
> This caused this output from the script:
>
> """
> Searching for suspect PHP files...  /usr/bin/head: 
> cannot open '/tmp/חברת חשמל לישראל בעמ' for reading: No such file or directory
> /usr/bin/head: cannot open 'חשבון' for reading: No such file or directory
> /usr/bin/head: cannot open 'דו' for reading: No such file or directory
> /usr/bin/head: cannot open 'חודשי.pdf 2>/dev/null | /usr/bin/grep -q ^#!.*php 
> && echo /tmp/חברת' for reading: No such file or directory
> /usr/bin/head: cannot open 'חשמל' for reading: No such file or directory
> /usr/bin/head: cannot open 'לישראל' for reading: No such file or directory
> /usr/bin/head: cannot open 'בעמ - חשבון דו חודשי.pdf' for reading: No such 
> file or directory
> WARNING

Thanks, yes this is probably also bug in upstream as well, but there
are debian-specific patches that make this worse. Will fix.

Patches also welcome - it's patch number 16 in debian/patches that has
the PHP check.

Bug#1071501: linux-image-6.1.0-21-arm64: Linux NFS client hangs in nfs4_lookup_revalidate

[Richard Kojedzinszky]

Package: src:linux
Version: 6.1.90-1
Severity: normal
X-Debbugs-Cc: richard+debian+bugrep...@kojedz.in

Dear Maintainer,

I am running kubernetes on debian, and pods are mounting multiple nfs
shares. I am running dovecot processes in PODs, which receive mails from
the internet, and also serves as imap server for clients. I am
monitoring my mail system by sending mails periodically (15 seconds) and
also downloading them via imap. I found a few times that some dovecot process
stuck in D state, a reboot was always needed to recover from that state.

Unfortunately, I was not able to trigger the bug really fast, I dont
really know what operations does dovecot issue and in what order to trigger
this behavior. So until I get closer, I've set up a similar, but smaller
environment with just a single dovecot process, and it also does the
same work, delivering only test mails locally, and serving them via imap
to the monitoring client, storing everything on NFS. Fortunately, this also
triggers the bug, after a few hours one of the dovecot processes is stuck
in D state. Kernel also shows blocked state:

May 19 12:16:49 k8s-node07 kernel: INFO: task lmtp:665683 blocked for more than 
120 seconds.
May 19 12:16:49 k8s-node07 kernel:   Not tainted 6.1.0-21-arm64 #1 Debian 
6.1.90-1
May 19 12:16:49 k8s-node07 kernel: "echo 0 > 
/proc/sys/kernel/hung_task_timeout_secs" disables this message.
May 19 12:16:49 k8s-node07 kernel: task:lmtpstate:D stack:0 
pid:665683 ppid:2881   flags:0x
May 19 12:16:49 k8s-node07 kernel: Call trace:
May 19 12:16:49 k8s-node07 kernel:  __switch_to+0xf0/0x170
May 19 12:16:49 k8s-node07 kernel:  __schedule+0x340/0x940
May 19 12:16:49 k8s-node07 kernel:  schedule+0x58/0xf0
May 19 12:16:49 k8s-node07 kernel:  __nfs_lookup_revalidate+0x118/0x160 [nfs]
May 19 12:16:49 k8s-node07 kernel:  nfs4_lookup_revalidate+0x20/0x30 [nfs]
May 19 12:16:49 k8s-node07 kernel:  lookup_fast+0x138/0x150
May 19 12:16:49 k8s-node07 kernel:  walk_component+0x30/0x1a0
May 19 12:16:49 k8s-node07 kernel:  path_lookupat+0x80/0x1a4
May 19 12:16:49 k8s-node07 kernel:  filename_lookup+0xb4/0x1b0
May 19 12:16:49 k8s-node07 kernel:  vfs_statx+0x94/0x19c
May 19 12:16:49 k8s-node07 kernel:  vfs_fstatat+0x68/0x90
May 19 12:16:49 k8s-node07 kernel:  __do_sys_newfstatat+0x58/0xa0
May 19 12:16:49 k8s-node07 kernel:  __arm64_sys_newfstatat+0x28/0x34
May 19 12:16:49 k8s-node07 kernel:  invoke_syscall+0x78/0x100
May 19 12:16:49 k8s-node07 kernel:  el0_svc_common.constprop.0+0x4c/0xf4
May 19 12:16:49 k8s-node07 kernel:  do_el0_svc+0x34/0xd0
May 19 12:16:49 k8s-node07 kernel:  el0_svc+0x34/0xd4
May 19 12:16:49 k8s-node07 kernel:  el0t_64_sync_handler+0xf4/0x120
May 19 12:16:49 k8s-node07 kernel:  el0t_64_sync+0x18c/0x190

Or, for another process:

May 20 04:50:01 k8s-node07 kernel: INFO: task imap:8337 blocked for more than 
120 seconds.
May 20 04:50:01 k8s-node07 kernel:   Not tainted 6.1.0-21-arm64 #1 Debian 
6.1.90-1
May 20 04:50:01 k8s-node07 kernel: "echo 0 > 
/proc/sys/kernel/hung_task_timeout_secs" disables this message.
May 20 04:50:01 k8s-node07 kernel: task:imapstate:D stack:0 
pid:8337  ppid:3164   flags:0x
May 20 04:50:01 k8s-node07 kernel: Call trace:
May 20 04:50:01 k8s-node07 kernel:  __switch_to+0xf0/0x170
May 20 04:50:01 k8s-node07 kernel:  __schedule+0x340/0x940
May 20 04:50:01 k8s-node07 kernel:  schedule+0x58/0xf0
May 20 04:50:01 k8s-node07 kernel:  __nfs_lookup_revalidate+0x118/0x160 [nfs]
May 20 04:50:01 k8s-node07 kernel:  nfs4_lookup_revalidate+0x20/0x30 [nfs]
May 20 04:50:01 k8s-node07 kernel:  lookup_fast+0x138/0x150
May 20 04:50:01 k8s-node07 kernel:  walk_component+0x30/0x1a0
May 20 04:50:01 k8s-node07 kernel:  path_lookupat+0x80/0x1a4
May 20 04:50:01 k8s-node07 kernel:  filename_lookup+0xb4/0x1b0
May 20 04:50:01 k8s-node07 kernel:  vfs_statx+0x94/0x19c
May 20 04:50:01 k8s-node07 kernel:  vfs_fstatat+0x68/0x90
May 20 04:50:01 k8s-node07 kernel:  __do_sys_newfstatat+0x58/0xa0
May 20 04:50:01 k8s-node07 kernel:  __arm64_sys_newfstatat+0x28/0x34
May 20 04:50:01 k8s-node07 kernel:  invoke_syscall+0x78/0x100
May 20 04:50:01 k8s-node07 kernel:  el0_svc_common.constprop.0+0x4c/0xf4
May 20 04:50:01 k8s-node07 kernel:  do_el0_svc+0x34/0xd0
May 20 04:50:01 k8s-node07 kernel:  el0_svc+0x34/0xd4
May 20 04:50:01 k8s-node07 kernel:  el0t_64_sync_handler+0xf4/0x120
May 20 04:50:01 k8s-node07 kernel:  el0t_64_sync+0x18c/0x190


Of course the NFS server is running, and other NFS mounts are still
working from the node. Also, this started to happen with Debian's
kernel. Before that, I was compiling my own upstream kernel, version
5.15. With that, I've never experienced such a lockup.

Unfortunately, I dont know, how to go further, how shall I collect more
relevant debugging information.

I expect thet dovecot is just an application, which should not cause any
kernel-side lockups. In my test lab, this specific NFS mount is just
mounted on one machine

Bug#358965: RE: bash: Please support setting terminal title for screen

[Richard Lewis]

On Sun, 4 May 2014 22:33:23 +1000 Scott Leggett  wrote:
> I just spent half an hour figuring out how to get window titles to
> reflect my session in byobu.. and I find the exact patch required is
> already here (thanks Josh).
>
> I guess this is just a +1 for patching skel.bashrc so that ssh-ing into
> machines via byobu does The Right Thing to your terminal emulator's
> window title automatically.
>
> --
> Regards,
> Scott Leggett


The screen manpage explains this, and recommends a slightly different
formulation for escaping  --- might want to use that for consistency:


PROMPT_COMMAND='printf "\033k\033\134"'

Bug#625895: logcheck-database: /etc/logcheck/ignore.d.server/dovecot rule misses unusual Message-Id

[Richard Lewis]

On Fri, 06 May 2011 11:32:03 -0700 Gerald Turner  wrote:

> Hello, I've seen some legitimate mails with unusual Message-Id headers
> that cause logchecks dovecot delivery rule to be bypassed.
>
> Example: … sieve: msgid=<20110422T2108.GA.(stdi.s...@fsing.rootsland.net>: 
> stored mail into mailbox 'Mailing Lists/Debian/debian-devel'

It's a shame no-one replied since 2011.

That doesnt seem to be a valid msgid, so not sure logcheck should be
ignoring it by default. Obviously you can edit / make your own rules
to do so.
So not sure there is anything for debian to do in this one. Perhaps we
should close the bug?

Bug#491127: logcheck: please consider an option which will always check the entire log file

[Richard Lewis]

On Sun, 12 May 2024 at 19:57, Marc Haber  wrote:
>
> On Sun, May 12, 2024 at 06:54:59PM +0100, R Lewis wrote:
> > On Wed, 16 Jul 2008 23:15:51 +0200 Marc Haber
> >  wrote:
> >
> > > It would help with debugging to have an option that causes logcheck to
> > > always look through the entire log file, ie not using logtail.
> >
> > Looking at this old bug from 2008: does the -t option meet this need?
>
> Not quite. Imagine: I have a system running logcheck hourly. At 11:00, I
> get a mail with a log message from 10:55 that is not yet covered by the
> rule. The stamp gets updated to 11:00.
>
> I now fix the rule that should have filtered the message. logcheck -t
> will still only start checking a 11:00, so the test run will not prove
> that the change has actually filtered the message from 10:55.
>
> Does this make the usecase clear?

Does logcheck-test help with that?

Bug#975694: [logcheck-database] stop filtering smartd attribute change events

[Richard Lewis]

control: tags -1 + moreinfo
thanks

On Wed, 25 Nov 2020 13:13:14 +0500 Alex Volkov  wrote:

> IDK how it was in 2006 when this stupid decision was made, but nowadays
> `smartd` has all the needed filtering features in itself, in a case someone
> gets "annoyed" by attribute changes. Yeah, sure, it "can send warning mails",
> but by default only in a case of attribute FAILURE, and some Old-age related
> attributes NEVER fail (like Power-On Hours on WD, which counts down to 1 and
> just sits happily there, never getting to "failing" 0). In such cases at least
> seeing them changing (or not) is useful. Overall, it's not the place for a
> *maintainer* to decide (instead of a user) which events of a third-party
> package are annoying and which are not.

Following up on the above  bug from 2020 -- we need more information
here: what is the issue that you would like fixed?
you can already (even in 2020) add or subtract any rules for logcheck
that you like. smartd has a way to alert you to issues, but
that is nothing to do with logcheck.

in the absence of a clearer statement we would need to close this one.

Bug#862638: logcheck: Please add suricata rules to logcheck

[Richard Lewis]

control: tags -1 moreinfo
control: severity -1 wishlist
thanks

On Mon, 15 May 2017 10:42:03 +0200

> I am very happy with logcheck. It is great working and very usefull. However, 
> it would be nice, if you could add a ruleset for suricata (a successor to the 
> well known snort IDS), so I get alerted, when something fishy is going on.

It's a shame no-one replied to this bug from 2017 - let's change that now.

>In my case logcheck is run every 30 minutes, so I am very fast aware, when an 
>attack is going on. On the other hand, I found no realtime alert option with 
>suricata. Best way, IMO, would be a ruleset for suricata logs, which do alert 
>me by mail (as logcheck normally do).

Unfortunately more information is needed to help this.

Is the request to use logcheck to scan non-log files created by
suricata? you can definitely do that but would need to write your own
rules to ignore things that are not "fishy".
...but i dont think logcheck-database should ship such rules unless
there is clear demand. It looks like suricata can send its own alerts
so not sure this is even needed in 2024?

If there are messages produced by suricata in the journal that
logcheck should be filtering, then we need to know what those are?

(In the absence of more information we would likely close this bug as
unactionable)

Bug#735287: logcheck: invent conditional logging

[Richard Lewis]

On Tue, 14 Jan 2014 13:33:25 +0100 Arne Wichmann  wrote:

> There is one thing I would like to have in logcheck for quite a long time
> already:
>
> Invent a mechanism by which a pattern is only mailed (or not mailed) if
> another pattern was seen a given time before it (or also possibly after
> it).
>
> For example I would like to make reboots invisible on some machines, but I
> do want to see it if the sshd terminates as long as the machine is not
> rebooting.

Hi - It's a shame no-one replied to this bug in 10 years: let's change that now.

The only realistic way i can see this working is to have some kind of
pre-processing of log entries. I'm thinking you would write a
pre-processor that takes each line in the log
and look back in the journal (or syslog) for related lines -- i dont
think we'd want to implement that in logcheck, as it would be a whole
other project to write, but we could allow
the user to do it. There are several reasons to make logcheck
configurable to pre-processing ( - work on this is in progress. watch
this space!).
You can maybe even today do this with post-processing by writing a
'syslog-summary' script - again this would need the user to write
their own code.

(I think the point in the last para is basically solved by using
systemd, which makes it much easier to restart daemons when they
crash)

In the absence of other suggestions, i suggest we implement
configurable pre-processing, leave syslog-summary support in place and
close this bug.

Bug#919866: logcheck: Feature request: wildcards in .logfiles pathnames

[Richard Lewis]

On Sun, 20 Jan 2019 15:50:55 +0530 Charles Atkinson
 wrote:

> Please consider introducing wildcards into the paths in the .logfiles 
> configuration files.  Perhaps similar to the way they are used in logrotate's 
> paths.

> A use case is when using logcheck to check logs from multiple non-Debian 
> systems such as routers, each having a dedicated directory with the last 
> directory being their FQDN.  The router FQDNs follow a fixed pattern.  
> Currently this requires an /etc/logcheck-for-routers/logcheck.logfile.d file 
> for each router.  If .logfiles supported wildcards, a single 
> /etc/logcheck-for-routers/logcheck.logfile.d file could be used for all 
> routers and there would be one less step in the procedures to commission and 
> to decommission a router.

(It's a shame no-one replied since 2019: let's change that now)

You could instead implement this by a script that updates the
.logfiles file before logcheck runs: if you put this into
logcheck.conf it would work, so eg:

echo /var/log/whatever/*.log >
/etc/logcheck-for-routers/logcheck.logfiles.d/routers.logfiles

If that would meet your needs we could close this bug - the code to
read logfiles.list is already over-complicated and adding more
features needs a good reason

Bug#241787: options to seperate hosts and for log compaction would both be nice

[Richard Lewis]

> This bug is nearly 20 years old. (It is a shame no-one replied - the links
> no longer work and there is not enough info recorded to action)
>
> Unless anyone is watching and can proivde more info about what the issue
> is/was then i suggest we close it.

A year later: closing.

logcheck can send reports as gzip'd attachments so perhaps it was even
fixed sometime in the last 20 years.

Bug#302379: dh_installlogcheck installs files as root:root 644, not root:logcheck 640

[Richard Lewis]

On Mon, 24 Aug 2009 08:36:21 -0400
=?iso-8859-1?B?RnLpZOlyaWMgQnJp6HJl?=  wrote:
> On Thu, Mar 31, 2005 at 09:54:34AM -0500, Marc Sherman wrote:
> > I reported a bug on a couple clamav packages (302253, 302254) which
> > noted that in Sarge, logcheck files are supposed to be root:logcheck
> > 640, not root:root 644.  The clamav maintainer replied that he's using
>
> I should note that while the /etc/logcheck/* directories are setgid to
> attempt to fix this discrepancy, this doesn't work, as dpkg will chown()
> the installed files anyway.
>
> I guess there should be a note in README.Maintainer to instruct people
> not to install those files as 640, as tempting as it may be.

Closing this bug because it no longer applies some 15 years later:
- The directory /etc/logcheck is no longer setgid (since bookworm),
- Rules can have any permissions (as long as logcheck can read them).
  (the default is 644 and  root:root (which means harder to delete rules files).
- so no need for dh_logcheck to be patched here

therefore, closing as no more bug. (But feel free to reopen if there
is anything more to do)

Bug#383289: RFE: logtail locking

[Richard Lewis]

On Wed, 16 Aug 2006 05:33:26 -0500 bingo  wrote:

> It would be good if logtail supports locking.

I think we need some more information if this bug is to be action-ed.
logcheck uses logtail2 now (and syslog is not the default):so perhaps
it is not relevant after nearly 20 years (there were other replies
requesting patches in the intervening period, and no-one has provided
them -- so perhaps we should just close this as no longer relevant).

If the issue is that rsyslog might still be writing to the file, when
logtail runs, surely all that might happen is that the same entries
might be re-checked on the next run?
(and I dont think it would be sensible for logtail to try and stop
rsyslog writing while logtail runs)
the journal has a better way to avoid races, using --cursor-file --
logcheck doesnt yet use that (watch this space!) which i think might
also avoid potential race conditions here

Bug#750232: logtail2 should not not print the final log entry if it does not end with "\n"

[Richard Lewis]

On Mon, 2 Jun 2014 10:25:40 -0700 (PDT) Chris Stromsoe  wrote:

> logtail2 does not do any sanity checking on the final line of input to
> make sure that it is complete and "\n" terminated.  If syslog is not set
> to flush on every write, it's possible for consecutive runs of logcheck to
> get a single log entry split in half for each run, resulting in false
> positives from logcheck.

Is this still an issue in 2024? if not we could close this old bug.

If you ran logtail2 on a non-syslog file (which might actually be an
increasingly common usage in a systemd world?), then ignoring a line
without a trailing \n means that last line might never be checked,
which seems far worse than the occasional false-positive. I dont think
i ever saw such false positives with rsyslog, when i used it.

Bug#470997: logcheck: allow running w/o locking

[Richard Lewis]

On Fri, 14 Mar 2008 21:50:17 -0400 =?utf-8?b?RnLDqWTDqXJpYyBCcmnDqHJl?= <

> When testing a checked-out copy of the rulefiles against an old log copy
> and sending the output to stdout, I still have to use sudo because
> logcheck insists on creating a lockfile.  It'd be nice to provide an
> option to skip that part.

This is easy to solve by changing LOCKDIR to point to something you can access.
You presumably are setting a custom configuration file to run as
non-root (since you wont be able to read /etc/logcheck/logcheck.conf
without sudo), and then
that custom config file can change the location to /tmp or wherever.

I think this already works in the version in bookworm, so perhaps we
can close this bug

Bug#470608: work-around for logcheck email charset

[Richard Lewis]

On Sat, 16 May 2020 17:12:42 -0700 Wade Richards  wrote:
> This is regarding Debian bug #47608 "wrong charset in logcheck mail
> (charset=unknown-8bit)"
>
>
> The maintainer has closed this bug as 'wontfix', but if an end-user is
> looking for a work-around, you can add the following to your
> /etc/logcheck.conf file
>
>
> # Additional args to mime-construct for sending email
>
> MIMECONSTRUCTARGS="$MINECONSTRUCTARGS --type 'text/plain;
> charset=UTF-8'"
>
>
> It's an undocumented option, so it may stop working with a future
> version of logcheck, but it works for now.

logcheck also has an option 'MIMEENCODING=' does that solve this issue?

Bug#1033059: logcheck: NEWS advice how to deal with timestamps in different formats

[Richard Lewis]

On Sat, 18 Mar 2023 18:55:25 + Richard Lewis
 wrote:
> On Sat, 18 Mar 2023, 15:12 Holger Levsen,  wrote:
>
> > On Thu, Mar 16, 2023 at 06:00:06PM +, Holger Levsen wrote:
> > > aaah, thanks! I only checked
> > /usr/share/doc/logcheck/NEWS.Debian.gz
> > > but not /usr/share/doc/logcheck-database/NEWS.Debian.gz
> >
> > now that I read it and followed the advice and the very nice
> > sed example there, I can they that it worked flawlessly and was
> > very easy to do. Thank you for that NEWS entry!
> >
> > > so maybe reassign this bug to src:release-notes?
> >
> > this question is still open... though maybe cloning the bug is even
> > better, I'd really appreciated a small pointer to logcheck-database's NEWS
> > file in the NEWS for logcheck...

Think we may as well close this bug, unless anyone objects. bookworm
release-notes cover the issue.
Next big change im planning to document in logcheck's NEWS.Debian to
catch all users - watch this space!

Bug#583600: ignore individual entries but write summaries

[Richard Lewis]

On Fri, 28 May 2010 19:04:17 +0200 Holger Levsen  wrote:

> I often add logcheck ignore rules for security related events (like ssh login
> attemps. etc), cause they are too many and login is protected reasonably
> anyway.
>
> But then I would like to get summaries for some ignored patterns, probably one
> mail per host day.
>
> Do you think thats a reasonable feature request?

This is already possible, maybe that's why no-one replied for 15
years. Simply create a command called syslog-summary and tell logcheck
to use it (via the setting in logcheck.conf)

Think we should close this bug on that basis

it would be better to develop such a summarising programme outside
logcheck as it's a whole other project to work out what to summarise,
and how to present the results - you'd need a lot of flexibility to
please everyone, i suspect. There was packaged version called
syslog-summary some releases ago, but no-one maintained it and it was
removed from Debian. but the code to use it remains in logcheck.

Bug#1070972: epiphany-browser fails to render webpages - blank pages

[richard]

Package: epiphany-browser
Version: 46.0-2
Severity: important
X-Debbugs-Cc: bug.repor...@mail.sheugh.com

Dear Maintainer,

A previously installed debian system** was reconfigured via 
the intallation of debian-12-5 from a dvd. That 'bookworm'
installation was updated to 'trixie' almost immediately, 
and additional packages, including epiphany-browser and 
konquerer browser were installed. 

On opening epiphany browser, as expected, six webpage tabs 
appeared, however the content of the pages was not rendered. 

These pages appeared to be blank. 

Moving the mouse over the pages showed that the webpage links 
were present. I did not explore further. 

A search on the internet suggested that libwebkitgtk might be 
a source of this problem. 

** prior to the reconfiguration I had saved all the packages 
to a folder. 

In that folder I ran 
# sudo dpkg -i ./libwebkitgtk*
 
This reported 
dpkg: warning: downgrading libwebkitgtk-6.0-4:amd64 from 2.44.1-1+b1 to 2.42.5-1

 libwebkitgtk-6.0-4:amd64 depends on libjavascriptcoregtk-6.0-1 (= 2.42.5-1);

I ran 
sudo dpkg -i ./libwebkitgtk* ./libjavascriptcoregtk-6.0-1*

And got 
(Reading database ... 158748 files and directories currently installed.)
Preparing to unpack .../libwebkitgtk-6.0-4_2.42.5-1_amd64.deb ...
Unpacking libwebkitgtk-6.0-4:amd64 (2.42.5-1) over (2.42.5-1) ...
dpkg: warning: downgrading libjavascriptcoregtk-6.0-1:amd64 from 2.44.1-1+b1 to 
2.42.5-1
Preparing to unpack .../libjavascriptcoregtk-6.0-1_2.42.5-1_amd64.deb ...
Unpacking libjavascriptcoregtk-6.0-1:amd64 (2.42.5-1) over (2.44.1-1+b1) ...
Setting up libjavascriptcoregtk-6.0-1:amd64 (2.42.5-1) ...
Setting up libwebkitgtk-6.0-4:amd64 (2.42.5-1) ...
Processing triggers for libc-bin (2.38-7) ...

The pages now appear as they should. 

HTH


*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
   * What exactly did you do (or not do) that was effective (or
 ineffective)?
   * What was the outcome of this action?
   * What outcome did you expect instead?

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.7.12-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages epiphany-browser depends on:
hi  dbus-user-session [default-dbus-session-bus]  1.14.10-4+b1
hi  epiphany-browser-data 46.0-2
hi  gsettings-desktop-schemas 46.0-1
hi  iso-codes 4.16.0-1
hi  libadwaita-1-01.5.0-1
hi  libarchive13t64   3.7.2-2
hi  libc6 2.38-7
hi  libcairo2 1.18.0-3+b1
hi  libgck-2-24.2.0-5
hi  libgcr-4-44.2.0-5
hi  libgdk-pixbuf-2.0-0   2.42.10+dfsg-3+b3
hi  libglib2.0-0t64   2.80.1-1
hi  libgmp10  2:6.3.0+dfsg-2+b1
hi  libgranite-7-77.4.0-1+b2
hi  libgraphene-1.0-0 1.10.8-3+b1
hi  libgstreamer1.0-0 1.24.3-1
hi  libgtk-4-14.12.5+ds-6+b1
hi  libhogweed6t643.9.1-2.2
ii  libjavascriptcoregtk-6.0-12.42.5-1
hi  libjson-glib-1.0-01.8.0-2+b1
hi  libnettle8t64 3.9.1-2.2
hi  libpango-1.0-01.52.2+ds-1
hi  libportal-gtk4-1  0.7.1-5+b1
hi  libportal10.7.1-5+b1
hi  libsecret-1-0 0.21.4-1+b1
hi  libsoup-3.0-0 3.4.4-5+b1
hi  libsqlite3-0  3.45.3-1
ii  libwebkitgtk-6.0-42.42.5-1
hi  libxml2   2.9.14+dfsg-1.3+b3

Versions of packages epiphany-browser recommends:
hi  ca-certificates  20240203
hi  evince   46.0-1+b1
hi  yelp 42.2-1+b2

epiphany-browser suggests no packages.

-- no debconf information

Bug#1070717: Acknowledgement (linux-image-6.7.12-amd64: Mediatek mt7921e WiFi fails connecting after hibernation since 6.7.12)

[Richard Rosner]

Addendum: this is the output of dmesg related to mt7921e that shows up
when this happens:

[Th May  9 18:36:50 2024] mt7921e :01:00.0:
firmware: direct-loading firmware mediatek/WIFI_RAM_CODE_MT7922_1.bin
[Th May  9 18:36:50 2024] mt7921e :01:00.0: ASIC
revision: 79220010
[Th May  9 18:36:50 2024] mt7921e :01:00.0:
firmware: direct-loading firmware mediatek/WIFI_MT7922_patch_mcu_1_1_hdr.bin
[Th May  9 18:36:50 2024] mt7921e :01:00.0: HW/SW
Version: 0x8a108a10, Build Time: 20230530123154a
[Th May  9 18:36:50 2024] mt7921e :01:00.0:
firmware: direct-loading firmware mediatek/WIFI_RAM_CODE_MT7922_1.bin
[Th May  9 18:36:50 2024] mt7921e :01:00.0: WM
Firmware Version: 00, Build Time: 20230530123236
[Th May  9 18:36:50 2024] mt7921e :01:00.0:
firmware: direct-loading firmware mediatek/WIFI_RAM_CODE_MT7922_1.bin
[Th May  9 18:36:51 2024] mt7921e :01:00.0 wlp1s0:
renamed from wlan0
[Fr May 10 09:53:01 2024] mt7921e :01:00.0: Message
00020007 (seq 8) timeout
[Fr May 10 09:53:01 2024] mt7921e :01:00.0: PM:
dpm_run_callback(): pci_pm_restore+0x0/0xe0 returns -110
[Fr May 10 09:53:01 2024] mt7921e :01:00.0: PM:
failed to restore async: error -110
[Fr May 10 09:53:01 2024] mt7921e :01:00.0: Failed
to get patch semaphore
[Fr May 10 09:53:01 2024] mt7921e :01:00.0: AMD-Vi:
Event logged [IO_PAGE_FAULT domain=0x000d address=0xffcec680 flags=0x]
[Fr May 10 09:53:04 2024] mt7921e :01:00.0: Message
0010 (seq 6) timeout
[Fr May 10 09:53:04 2024] mt7921e :01:00.0: Failed
to get patch semaphore
[Fr May 10 09:53:07 2024] mt7921e :01:00.0: Message
0010 (seq 7) timeout
[Fr May 10 09:53:07 2024] mt7921e :01:00.0: Failed
to get patch semaphore
[Fr May 10 09:53:10 2024] mt7921e :01:00.0: Message
46ed (seq 8) timeout
[Fr May 10 09:53:10 2024] Modules linked in: snd_usb_audio
snd_usbmidi_lib snd_rawmidi tls uinput ctr ccm rfcomm cmac algif_hash
algif_skcipher af_alg snd_seq_dummy snd_hrtimer snd_seq snd_seq_device
nf_tables typec_displayport qrtr bnep zstd zram tun binfmt_misc
nls_ascii nls_cp437 vfat fat btusb btrtl btintel btbcm btmtk
intel_rapl_msr intel_rapl_common bluetooth evdev joydev
snd_sof_amd_rembrandt snd_sof_amd_acp snd_sof_pci snd_sof_xtensa_dsp
snd_hda_codec_realtek snd_sof sha3_generic snd_hda_codec_generic
jitterentropy_rng mt7921e snd_sof_utils mt7921_common
ledtrig_audio uvcvideo edac_mce_amd mt792x_lib snd_hda_codec_hdmi
snd_soc_core drbg mt76_connac_lib videobuf2_vmalloc uvc kvm_amd
videobuf2_memops ansi_cprng snd_compress snd_hda_intel videobuf2_v4l2
mt76 snd_pcm_dmaengine hid_sensor_als videodev snd_intel_dspcfg
hid_sensor_trigger ecdh_generic snd_intel_sdw_acpi ecc
hid_sensor_iio_common snd_pci_ps kvm mac80211 snd_hda_codec crc16
videobuf2_common industrialio_triggered_buffer kfifo_buf
snd_rpl_pci_acp6x irqbypass
[Fr May 10 09:53:10 2024] mt7921e :01:00.0: AMD-Vi:
Event logged [IO_PAGE_FAULT domain=0x000d address=0xff772a80 flags=0x]
[Fr May 10 09:53:10 2024] Modules linked in: snd_usb_audio
snd_usbmidi_lib snd_rawmidi tls uinput ctr ccm rfcomm cmac algif_hash
algif_skcipher af_alg snd_seq_dummy snd_hrtimer snd_seq snd_seq_device
nf_tables typec_displayport qrtr bnep zstd zram tun binfmt_misc
nls_ascii nls_cp437 vfat fat btusb btrtl btintel btbcm btmtk
intel_rapl_msr intel_rapl_common bluetooth evdev joydev
snd_sof_amd_rembrandt snd_sof_amd_acp snd_sof_pci snd_sof_xtensa_dsp
snd_hda_codec_realtek snd_sof sha3_generic snd_hda_codec_generic
jitterentropy_rng mt7921e snd_sof_utils mt7921_common
ledtrig_audio uvcvideo edac_mce_amd mt792x_lib snd_hda_codec_hdmi
snd_soc_core drbg mt76_connac_lib videobuf2_vmalloc uvc kvm_amd
videobuf2_memops ansi_cprng snd_compress snd_hda_intel videobuf2_v4l2
mt76 snd_pcm_dmaengine hid_sensor_als videodev snd_intel_dspcfg
hid_sensor_trigger ecdh_generic snd_intel_sdw_acpi ecc
hid_sensor_iio_common snd_pci_ps kvm mac80211 snd_hda_codec crc16
videobuf2_common industrialio_triggered_buffer kfifo_buf
snd_rpl_pci_acp6x irqbypass
[Fr May 10 09:53:14 2024] mt7921e :01:00.0: Message
0010 (seq 9) timeout
[Fr May 10 09:53:14 2024] mt7921e :01:00.0: Failed
to get patch semaphore
[Fr May 10 09:53:14 2024] mt7921e :01:00.0: AMD-Vi:
Event logged [IO_PAGE_FAULT domain=0x000d address=0xffd79900 flags=0x]
[Fr May 10 09:53:14 2024] mt7921e :01:00.0: AMD-Vi:
Event logged [IO_PAGE_FAULT domain=0x000d address=0xffd79900 flags=0x]
[Fr May 10 09:53:14 2024] mt7921e :01:00.0: AMD-Vi:
Event logged [IO_PAGE_FAULT domain=0x000d 

Bug#1063900: gstreamer1.0-plugins-good: missing Breaks+Replaces: gstreamer1.0-plugins-ugly (<< 1.23)

[Richard B]

Hello.

Upgrading gstreamer1.0-plugins-ugly to 1.24.3-1 on Trixie didn't produce 
the error that was originally reported.  Here's my output:


   Retrieving bug reports... Done
   Parsing Found/Fixed information... Done
   serious bugs of gstreamer1.0-plugins-good (1.22.10-1 → 1.24.3-1)
   
 b1 - #1063900 - gstreamer1.0-plugins-good: missing
   Breaks+Replaces: gstreamer1.0-plugins-ugly (<< 1.23)
   Merged with: 1063921
   Summary:
 gstreamer1.0-plugins-good(1 bug)
   Are you sure you want to install/upgrade the above packages?
   [Y/n/?/...] y
   Reading changelogs... Done
   ...
   Preparing to unpack .../gstreamer1.0-plugins-good_1.24.3-1_amd64.deb ...
   Unpacking gstreamer1.0-plugins-good:amd64 (1.24.3-1) over
   (1.22.10-1) ...
   Preparing to unpack .../gstreamer1.0-plugins-bad_1.24.3-1_amd64.deb ...
   Unpacking gstreamer1.0-plugins-bad:amd64 (1.24.3-1) over (1.22.10-1) ...
   ...
   Preparing to unpack
   .../04-libgstreamer-plugins-bad1.0-0_1.24.3-1_amd64.deb ...
   Unpacking libgstreamer-plugins-bad1.0-0:amd64 (1.24.3-1) over
   (1.22.10-1) ...
   Preparing to unpack
   .../05-gir1.2-gst-plugins-bad-1.0_1.24.3-1_amd64.deb ...
   Unpacking gir1.2-gst-plugins-bad-1.0:amd64 (1.24.3-1) over
   (1.22.10-1) ...
   ...
   Setting up libgstreamer-plugins-bad1.0-0:amd64 (1.24.3-1) ...
   Setting up gir1.2-gst-plugins-bad-1.0:amd64 (1.24.3-1) ...
   Setting up gstreamer1.0-plugins-good:amd64 (1.24.3-1) ...
   Setting up gstreamer1.0-plugins-bad:amd64 (1.24.3-1) ...
   Processing triggers for libc-bin (2.38-7) ...

I see that the conflicting files mentioned are on my system, but that 
didn't seem to impact my upgrade:


   -rw-r--r-- 1 root root 27K Apr 30 04:18
   /usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstamrnb.so
   -rw-r--r-- 1 root root 19K Apr 30 04:18
   /usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstamrwbdec.so
   -rw-r--r-- 1 root root 208 Apr 29 18:15
   /usr/share/gstreamer-1.0/presets/GstAmrnbEnc.prs

gstreamer1.0-plugins-ugly was upgraded to a matching version before 
this.  Here's what dpkg reports:


   ii  gstreamer1.0-plugins-ugly:amd64
   1.24.3-1 amd64    GStreamer plugins
   from the "ugly" set

Best.

Richard

Bug#1049972: Upstream issue

[Richard van der Hoff]

For links, this seems to be 
https://github.com/rdiff-backup/rdiff-backup/issues/616. Apparently it's 
expected behaviour.

Bug#1070717: linux-image-6.7.12-amd64: Mediatek mt7921e WiFi fails connecting after hibernation since 6.7.12

[Richard Rosner]

uot; operation="open" class="file"
profile="libreoffice-soffice"
name="/sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/app-gnome-org.kde.dolphin-6145.scope/memory.max"
pid=6388 comm=433120436F6D70696C657254687265 requested_mask="r"
denied_mask="r" fsuid=1000 ouid=1000
[  435.827462] kauditd_printk_skb: 23 callbacks suppressed
[  435.827471] audit: type=1400 audit(1715094303.003:543):
apparmor="ALLOWED" operation="open" class="file"
profile="libreoffice-soffice"
name="/sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/app-gnome-org.kde.dolphin-6145.scope/memory.max"
pid=6388 comm=433120436F6D70696C657254687265 requested_mask="r"
denied_mask="r" fsuid=1000 ouid=1000
[  438.120605] audit: type=1400 audit(1715094305.295:544):
apparmor="ALLOWED" operation="open" class="file"
profile="libreoffice-soffice"
name="/home/richard/.config/LanguageTool/LibreOffice/LanguageTool.log"
pid=6388 comm="soffice.bin" requested_mask="ac" denied_mask="ac"
fsuid=1000 ouid=1000
[  438.120658] audit: type=1400 audit(1715094305.295:545):
apparmor="ALLOWED" operation="file_perm" class="file"
profile="libreoffice-soffice"
name="/home/richard/.config/LanguageTool/LibreOffice/LanguageTool.log"
pid=6388 comm="soffice.bin" requested_mask="w" denied_mask="w"
fsuid=1000 ouid=1000
[  804.953714] i2c_hid_acpi i2c-FRMW0003:00: i2c_hid_get_input:
incomplete report (7/65535)
[ 1121.046255] usb 1-4.1: reset full-speed USB device number 7 using
xhci_hcd
[ 1121.265790] usb 1-4.1: reset full-speed USB device number 7 using
xhci_hcd
[ 2531.546014] usb 1-2.1: new high-speed USB device number 9 using xhci_hcd
[ 2531.683091] usb 1-2.1: New USB device found, idVendor=32ac,
idProduct=0010, bcdDevice= 0.02
[ 2531.683100] usb 1-2.1: New USB device strings: Mfr=1, Product=2,
SerialNumber=0
[ 2531.683104] usb 1-2.1: Product: Audio Expansion Card
[ 2531.683107] usb 1-2.1: Manufacturer: Framework
[ 2531.742937] input: Framework Audio Expansion Card Consumer Control as
/devices/pci:00/:00:08.1/:c1:00.3/usb1/1-2/1-2.1/1-2.1:1.2/0003:32AC:0010.0008/input/input18
[ 2531.802301] hid-generic 0003:32AC:0010.0008: input,hidraw7: USB HID
v1.11 Device [Framework Audio Expansion Card] on usb-:c1:00.3-2.1/input2
[ 2532.064766] usbcore: registered new interface driver snd-usb-audio
[ 2532.085724] input: Framework Audio Expansion Card Consumer Control as
/devices/pci:00/:00:08.1/:c1:00.3/usb1/1-2/1-2.1/1-2.1:1.2/0003:32AC:0010.0009/input/input19
[ 2532.142241] hid-generic 0003:32AC:0010.0009: input,hidraw7: USB HID
v1.11 Device [Framework Audio Expansion Card] on usb-:c1:00.3-2.1/input2
[ 2540.147902] MediaPD~oder #1[62983]: segfault at 60 ip
7fe017d0b2dd sp 7fe038ffce20 error 4 in
libLLVM-16.so.1[7fe01520+6d26000] likely on CPU 15 (core 7, socket 0)
[ 2540.147919] Code: fe eb 02 31 c0 48 89 44 24 10 4d 85 f6 4c 89 74 24
40 48 89 6c 24 38 74 0a 4c 89 f7 e8 3c 7f 32 fe eb 02 31 c0 48 8b 54 24
48 <48> 8b 6a 60 48 85 ed 0f 84 a8 00 00 00 0f b6 4c 24 0f 41 88 cd 49
[ 2578.200646] MediaPD~oder #1[64518]: segfault at 60 ip
7fe016b0b2dd sp 7fe03a367e20 error 4 in
libLLVM-16.so.1[7fe01400+6d26000] likely on CPU 5 (core 2, socket 0)
[ 2578.200671] Code: fe eb 02 31 c0 48 89 44 24 10 4d 85 f6 4c 89 74 24
40 48 89 6c 24 38 74 0a 4c 89 f7 e8 3c 7f 32 fe eb 02 31 c0 48 8b 54 24
48 <48> 8b 6a 60 48 85 ed 0f 84 a8 00 00 00 0f b6 4c 24 0f 41 88 cd 49
[ 2959.977573] MediaPD~oder #1[81449]: segfault at 60 ip
7fe01750b2dd sp 7fe03a367e20 error 4 in
libLLVM-16.so.1[7fe014a0+6d26000] likely on CPU 2 (core 1, socket 0)
[ 2959.977598] Code: fe eb 02 31 c0 48 89 44 24 10 4d 85 f6 4c 89 74 24
40 48 89 6c 24 38 74 0a 4c 89 f7 e8 3c 7f 32 fe eb 02 31 c0 48 8b 54 24
48 <48> 8b 6a 60 48 85 ed 0f 84 a8 00 00 00 0f b6 4c 24 0f 41 88 cd 49
[ 2974.055589] MediaPD~oder #2[81490]: segfault at 60 ip
7fe012f0b2dd sp 7fe038efce20 error 4 in
libLLVM-16.so.1[7fe01040+6d26000] likely on CPU 8 (core 4, socket 0)
[ 2974.055603] Code: fe eb 02 31 c0 48 89 44 24 10 4d 85 f6 4c 89 74 24
40 48 89 6c 24 38 74 0a 4c 89 f7 e8 3c 7f 32 fe eb 02 31 c0 48 8b 54 24
48 <48> 8b 6a 60 48 85 ed 0f 84 a8 00 00 00 0f b6 4c 24 0f 41 88 cd 49
[ 3208.859075] audit: type=1400 audit(1715097075.994:546):
apparmor="DENIED" operation="open" class="file"
profile="torbrowser_firefox"
name="/usr/local/lib/x86_64-linux-gnu/libEGL.so.1.0.0" pid=87874
comm="glxtest" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 3208.861128] audit: type=1400 audit(1715097075.994:547):
apparmor="DENIED" operation="open" class=&quo

Bug#1070671: Please include static library builds in libharfbuzz-dev

[Daniel Richard G.]

Package: libharfbuzz-dev
Version: 8.3.0-2+b1

It is customary for -dev packages to provide static archive libraries in
addition to the bare .so files for shared-library linking. The current
version of libharfbuzz-dev only provides the latter, and thus does not
allow applications to statically link the libraries.

I understand that GObject introspection requires a shared-library build,
but this functionality is often not needed. In particular, the Chromium
browser consumes harfbuzz and harfbuzz-subset, and does perfectly well
without introspection support. I recently ran into a situation on the
Ubuntu side of things where the lack of a static-linking option caused
some difficulty in supporting Chromium on 22.04/jammy:

https://bugs.launchpad.net/bugs/2064821

My solution was to produce a modified harfbuzz package that provides
(only) static libraries:


https://launchpad.net/~xtradeb/+archive/ubuntu/deps/+sourcepub/16120809/+listing-archive-extra

Needless to say, it would be preferable if the official packages
supported static linking from the get-go.

Bug#1070669: Please include a static library build in libdav1d-dev

[Daniel Richard G.]

Package: libdav1d-dev
Version: 1.4.1-1

It is customary for -dev packages to provide a static archive library in
addition to the bare .so file for shared-library linking. The current
version of libdav1d-dev only provides the latter, and thus does not
allow applications to statically link the library.

Bug#1070483: btrfs root volume being mounted as ro upon boot

[Richard Rosner]

Package: installation-reports

Severity: important


Boot method: USB stick
Image version:
https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-12.5.0-amd64-gnome.iso
Date: 19.04.2024

Machine: Framework 16
Processor: AMD Ryzen 7 7840HS w/ Radeon 780M Graphics
Memory: 2 x 16 GB Crucial DDR5 5600MHz
Partitions: from lsblk:

NAME  MAJ:MIN RM  SIZE RO TYPE 
MOUNTPOINTS
zram0 252:0    0  8,2G  0 disk 
[SWAP]
nvme0n1   259:0    0  3,6T  0 disk
├─nvme0n1p1   259:1    0    2G  0 part 
/boot/efi
├─nvme0n1p2   259:2    0   35G  0 part
│ └─luks-  253:1    0 35G  0 crypt [SWAP]
└─nvme0n1p3  259:3    0  3,6T  0 part
  └─luks-   253:0    0 3,6T  0 crypt
/home
/

Output of lspci -knn (or lspci -nn):

00:00.0 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Device
[1022:14e8]
    Subsystem: Framework Computer Inc. Device [f111:0005]
00:00.2 IOMMU [0806]: Advanced Micro Devices, Inc. [AMD] Device [1022:14e9]
    Subsystem: Framework Computer Inc. Device [f111:0005]
00:01.0 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Device
[1022:14ea]
00:02.0 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Device
[1022:14ea]
00:02.2 PCI bridge [0604]: Advanced Micro Devices, Inc. [AMD] Device
[1022:14ee]
    Subsystem: Advanced Micro Devices, Inc. [AMD] Device [1022:1453]
    Kernel driver in use: pcieport
00:02.4 PCI bridge [0604]: Advanced Micro Devices, Inc. [AMD] Device
[1022:14ee]
    Subsystem: Advanced Micro Devices, Inc. [AMD] Device [1022:1453]
    Kernel driver in use: pcieport
00:03.0 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Device
[1022:14ea]
00:03.1 PCI bridge [0604]: Advanced Micro Devices, Inc. [AMD] Family 19h
USB4/Thunderbolt PCIe tunnel [1022:14ef]
    Subsystem: Advanced Micro Devices, Inc. [AMD] Device [1022:1453]
    Kernel driver in use: pcieport
00:04.0 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Device
[1022:14ea]
00:04.1 PCI bridge [0604]: Advanced Micro Devices, Inc. [AMD] Family 19h
USB4/Thunderbolt PCIe tunnel [1022:14ef]
    Subsystem: Advanced Micro Devices, Inc. [AMD] Device [1022:1453]
    Kernel driver in use: pcieport
00:08.0 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Device
[1022:14ea]
00:08.1 PCI bridge [0604]: Advanced Micro Devices, Inc. [AMD] Device
[1022:14eb]
    Subsystem: Device [0005:f111]
    Kernel driver in use: pcieport
00:08.2 PCI bridge [0604]: Advanced Micro Devices, Inc. [AMD] Device
[1022:14eb]
    Subsystem: Device [0005:f111]
    Kernel driver in use: pcieport
00:08.3 PCI bridge [0604]: Advanced Micro Devices, Inc. [AMD] Device
[1022:14eb]
pcilib: Error reading /sys/bus/pci/devices/:00:08.3/label: Operation
not permitted
    Subsystem: Device [0005:f111]
    Kernel driver in use: pcieport
00:14.0 SMBus [0c05]: Advanced Micro Devices, Inc. [AMD] FCH SMBus
Controller [1022:790b] (rev 71)
    Subsystem: Framework Computer Inc. Device [f111:0005]
    Kernel driver in use: piix4_smbus
    Kernel modules: i2c_piix4, sp5100_tco
00:14.3 ISA bridge [0601]: Advanced Micro Devices, Inc. [AMD] FCH LPC
Bridge [1022:790e] (rev 51)
    Subsystem: Framework Computer Inc. Device [f111:0005]
00:18.0 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Device
[1022:14f0]
00:18.1 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Device
[1022:14f1]
00:18.2 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Device
[1022:14f2]
00:18.3 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Device
[1022:14f3]
    Kernel driver in use: k10temp
    Kernel modules: k10temp
00:18.4 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Device
[1022:14f4]
00:18.5 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Device
[1022:14f5]
00:18.6 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Device
[1022:14f6]
00:18.7 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Device
[1022:14f7]
01:00.0 Network controller [0280]: MEDIATEK Corp. MT7922 802.11ax PCI
Express Wireless Network Adapter [14c3:0616]
    Subsystem: MEDIATEK Corp. Device [14c3:e616]
    Kernel driver in use: mt7921e
    Kernel modules: mt7921e
02:00.0 Non-Volatile memory controller [0108]: Sandisk Corp WD Black
SN850X NVMe SSD [15b7:5030] (rev 01)
    Subsystem: Sandisk Corp WD Black SN850X NVMe SSD [15b7:5030]
    Kernel driver in use: nvme
    Kernel modules: nvme
c1:00.0 VGA compatible controller [0300]: Advanced Micro Devices, Inc.
[AMD/ATI] Phoenix1 [1002:15bf] (rev c2)
    Subsystem: Framework Computer Inc. Device [f111:0005]
    Kernel driver in use: amdgpu
    Kernel modules: amdgpu
c1:00.1 Audio device [0403]: Advanced Micro Devices, Inc. [AMD/ATI]
Rembrandt Radeon High Definition Audio Controller [1002:1640]
    Subsystem: Framework Computer Inc. Device [f111:0005]

Bug#1070281: logcheck: becomes less and less usable because of user-level logs

[Richard Lewis]

On Fri, 3 May 2024, 12:44 Francesco Potortì,  wrote:

>
> > One cure would be to have logcheck ignore user-level messages, and only
> care about system-level ones.  Is that possible?
> >
> >maybe it is possible - how do you define "system-level message"?
>
> Those created by root-owned processes, that would be a good start.  I
> definitely care about Sshd messages, much less about Gvfsd ones, and even
> less by those generated by Telegram running over Snapd.  For some reason,
> the problem has vastly increased after the advent of systemctl.



The options seem to be

1.you make a local rule that ignores all messages from known culprets  --
so you might jusy want to do a version of
"^timestamp hostname (Telegram|gvfsd)". This works today, but does need you
to know what you want to ignore


2.you tell logcheck to.not check the journal at all - also possoble today:
simply remove "journal" from the file in /etc/logcheck/logcheck.logfiles.d
(i dont know if this is that helpful!)

3. i have work in progress to allow you to tell logcheck to only check a
subset of the journal by passif  arguments to journalctl. Looking at the
journalctl.man-page:
 --unit ssh.service will only show messages from ssh
eg --system might exclude things  like telegram (untested!)
eg --priority might also be helpful
eg _UID=0 might select only things run by root (but that would probably
exclude things run by special users like apache)
eg --priority might also help?

This needs a small change in logcheck to make JOURNALCTL_OPTS settable from
the config file - this is WiP already! (logcheck currently hardcoded this
to an empty array)

other thoughts:
- we could definitely make logcheck only report the first N lines. I can
broadly see how to implement this. you can almost do this today by making a
"syslog-summary" script!

Bug#1070436: autopkgtest-virt-schroot: error when using 'unshare --net' even though schroot allows this

[Richard Lewis]

control: close 1070436
thanks

On Sun, 5 May 2024, 19:10 Jochen Sprickerhof,  wrote:

> Hi Richard,
>
> * Richard Lewis  [2024-05-05 11:32]:
> >If i try and run tests that use 'unshare --net' with a
> >schroot backend they fail inside autopkgtest even though
> >this works in the schroot being used.
> >
> >This works fine in a 'plain schroot' (I expect i allowed
> >the calling user to run the schroot as root in the schroot
> >in /etc/schroot):
> >
> > $ schroot --chroot chroot:unstable-amd64-sbuild --directory / --user
> root -- unshare --net --map-root-user ls
> > bin  boot  build  dev  etc  home  lib  lib64  media  mnt  opt  proc
> root  run  sbin  srv  sys  tmp  usr  var
>
> I can't reproduce this. Testing in a fresh debvm:
>
> $ debvm-create --size=2G --release=stable -- \
>  --include=sbuild,schroot,debootstrap,autopkgtest \
>  --hook-dir=/usr/share/mmdebstrap/hooks/useradd
> $ debvm-run
> # echo "inside debvm"
> # sbuild-createchroot unstable /srv/chroot/unstable-amd64-sbuild \
>  http://deb.debian.org/debian
> # sbuild-adduser user
> # su - user
> $ schroot --chroot chroot:unstable-amd64-sbuild --directory / --user root
> -- unshare --net --map-root-user ls
> unshare: unshare failed: Operation not permitted
>
> Do you have any idea why it works for you?
>

im so sorry - this was just a complete user error by me.

 the issue is the --map-root-user, i thought absolutely sure i was using
that with plain schroot, but it turns out i was completely misreading what
i was running, and apparently copied the command and output from separate
places.


as you say, if i omit map-root-user then it works with both schroot and
autopkgtest. and if i include map-root-user then both fail.


Over all I think using unshare --map-root-user in
>
autopkgtest-virt-schroot is not supported and I don't think there is a
> way around that except using a different autopkgtest backend.


thanks - this is fair enough.

thanks for the response. and sorry for the noise

Bug#1070440: mesa-va-drivers: vaapi cannot find target for triple amdgcn

[Richard]

Package: mesa-va-drivers
Version: 24.0.6-1+b1
Severity: important

Dear Maintainer,
I'm not sure if this is the right package to report this issue to, as there
recently have been many package updates due to the time_t transition. But mpv,
VLC and Firefox are no longer able to access VA-API while ffmpeg shows stranger
behavior. I can't say for sure when this breakage happened since Firefox is
gracefully falling back to software decoding and I rarely use mpv or VLC, which
just fail to start (even though mpv has the option hwdec=auto-safe set which
should cause the same behavior as in Firefox.

mpv gives this quite ominous error message:

Cannot load libcuda.so.1
Cannot find target for triple amdgcn-- Unable to find target for this triple
(no targets are registered)
Segmentation fault

That it can't load anything Nvidia related is no surprise, I'm on an AMD Ryzen
7 7840HS without any dGPU. Firmware is installed directly from kerne.org as the
one in Debians repos is way too old.

VLC goes into a little more detail:

libva info: VA-API version 1.20.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/radeonsi_drv_video.so
libva info: Found init function __vaDriverInit_1_20
Cannot find target for triple amdgcn-- Unable to find target for this triple
(no targets are registered)
Segmentation fault

Firefox is even more verbose:

[RDD 9113: MediaSupervisor #1]: D/FFmpegVideo FFVPX:
FFmpegVideoDecoder::FFmpegVideoDecoder MIME video/av1 Codec ID 226
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX: Initialising VA-API FFmpeg
decoder
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX:   codec av1 : Alliance for
Open Media AV1
libva info: VA-API version 1.20.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/radeonsi_drv_video.so
libva info: Found init function __vaDriverInit_1_20
libva info: va_openDriver() returns 0
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX:
FFmpegVideoDecoder::GetAcceleratedFormats()
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX:   Profile
H264ConstrainedBaseline:
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX: codec h264 format nv12
3 12
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX: codec h264 format nv12
3 12
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX: codec h264 format p010le
3 15
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX:   Profile H264Main:
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX: codec h264 format nv12
3 12
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX: codec h264 format nv12
3 12
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX: codec h264 format p010le
3 15
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX:   Profile H264High:
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX: codec h264 format nv12
3 12
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX: codec h264 format nv12
3 12
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX: codec h264 format p010le
3 15
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX:   Profile VP9Profile0:
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX: codec vp9 format nv12
3 12
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX:   Profile VP9Profile2:
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX: codec vp9 format p010le
3 15
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX: vp9 target pixel format
is not supported!
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX:   Profile AV1Profile0:
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX: codec av1 format nv12
3 12
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX: codec av1 format p010le
3 15
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX: codec av1 format nv12
3 12
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX: codec av1 format p010le
3 15
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX:   Supported accelerated
formats:
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX:   h264
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX:   vp9
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX:   av1
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX:   VA-API FFmpeg init
successful
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX: FFmpegDataDecoder: shutdown
[RDD 9113: MediaSupervisor #1]: D/FFmpegVideo FFVPX:
FFmpegVideoDecoder::FFmpegVideoDecoder MIME video/av1 Codec ID 226
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX: Initialising VA-API FFmpeg
decoder
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX:   Format av1 is accelerated
[RDD 9113: MediaPDecoder #1]: D/FFmpegVideo FFVPX:   codec av1 : Alliance for
Open Media AV1
[AVHWDeviceContext @ 0x7f5a31931340] Format 0x3231564e -> nv12.
[AVHWDeviceContext @ 0x7f5a31931340] Format 0x30313050 -> p010le.
[AVHWDeviceContext @ 0x7f5a31931340] Format 0x36313050 -> unknown.
[AVHWDeviceContext @ 0x7f5a31931340] Format 0x30323449 -> yuv420p.
[AVHWDeviceContext @ 0x7f5a31931340] Format 0x32315659 -> 

Bug#1070436: autopkgtest-virt-schroot: error when using 'unshare --net' even though schroot allows this

[Richard Lewis]

Package: autopkgtest
Version: 5.28
Severity: normal
X-Debbugs-Cc: richard.lewis.deb...@googlemail.com

Dear Maintainer,

If i try and run tests that use 'unshare --net' with a
schroot backend they fail inside autopkgtest even though
this works in the schroot being used.

This works fine in a 'plain schroot' (I expect i allowed
the calling user to run the schroot as root in the schroot
in /etc/schroot):

 $ schroot --chroot chroot:unstable-amd64-sbuild --directory / --user root -- 
unshare --net --map-root-user ls
 bin  boot  build  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run 
 sbin  srv  sys  tmp  usr  var

But if i have an autopkgtest with eg a debian/tests/control with

 Test-Command: unshare --map-root-user --net ./debian/tests/foo
 Depends: @
 Features: test-name=foo
 Restrictions: needs-root

then even adding '--user root' doesnt work:

 $ /usr/bin/autopkgtest package.changes --user root -- schroot 
unstable-amd64-sbuild
 
i get errors like

 unshare: unshare failed: Operation not permitted

Same if i put the unshare call inside the test
What am I doing wrong?




-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-17-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages autopkgtest depends on:
ii  apt-utils   2.6.1
ii  libdpkg-perl1.21.22
ii  procps  2:4.0.2-3
ii  python3 3.11.2-1+b1
ii  python3-debian  0.1.49

Versions of packages autopkgtest recommends:
ii  autodep8  0.28
ii  fakeroot  1.31-1.2

Versions of packages autopkgtest suggests:
pn  docker.io
pn  fakemachine  
ii  lxc  1:5.0.2-1+deb12u2
pn  lxd  
pn  ovmf 
pn  ovmf-ia32
pn  podman   
ii  python3-distro-info  1.5+deb12u1
pn  qemu-efi-aarch64 
pn  qemu-efi-arm 
pn  qemu-system  
ii  qemu-utils   1:7.2+dfsg-7+deb12u5
ii  schroot  1.6.13-3+b2
ii  util-linux   2.38.1-5+deb12u1
pn  vmdb2
pn  zerofree 

-- no debconf information

Bug#1070281: logcheck: becomes less and less usable because of user-level logs

[Richard Lewis]

control: reassign -1 logcheck-database
thanks
(this is mostly about logcheck-database)

On Fri, 3 May 2024, 09:39 Francesco Potortì,  wrote:

>
>
> Starting maybe a couple years ago, logcheck spits an amount of stuff that
> has now become unamnageable.


logcheck-database was mostly dormant sround that time. im hoping to improve
that, but it is a big task and needs some wider improvements. So: please
bear with it!


While in the beginning logs were relevant to the system, which is what I
> want, now any bug in a user-level daemon writing info to the syslog or to
> the systemsctl thing makes havoc.


i sympathise


 however:
- a bug in a daemon should ideally be reported and fixed in the daemon
- this may include logging "too much" -- i would suggest discussing with
upstream as they may be open to improvements
- you didnt give any examples so not sure how anyone can help you



I had many email tens of megabytes long.


(there's already a request to split the report if it is long)

  In the last month, reports have been completely useless to me as they are
> filled with useless things and I am busy adding local rules to remove them
>
> Now I have reached a point where its usefulness is negative: I spend more
> time adding rules than it is worth for me getting the info.
>

i sympathise - but writing local rules is always going to be needed. i
think we can do much better than what we have, but realistically it is hard
to do in this way.


If.you wanted to chamge the world, get upstream authors to agree some
standard where messges are easier to identify as routine and then logcheck
could more easily ignore that.   i wont hold my breath for thay



> One cure would be to have logcheck ignore user-level messages, and only
> care about system-level ones.  Is that possible?
>

maybe it is possible - how do you define "system-level message"?

Bug#1070152: chkrootkit: duplicate line from ifpromisc

[Richard Lewis]

On Thu, 2 May 2024, 03:45 Vincent Lefevre,  wrote:

> On 2024-05-01 19:05:06 +0100, Richard Lewis wrote:
> > I agree that you should be able to filter out duplicate lines. And i
> think
> > this is possible with a  custom filter.
>
> Yes, but "sed" may not be the best tool for that. With sed, removing
> lines containing only the usual network managers is easier.
>

you dont have to use sed, you can set anything. id use awk or sort.
but then you dont know if things have disappeared.



> > I dont think it should be the default - most chkrootkit users have a more
> > static network setup,
>
> If they have a static network setup, why hiding the interface name?
>

i believe this was because if you have multiple interfaces they may not
have static names (in the days where these were eth0 vs eth1 ) and because
eg dhcpcd was set up to listen on eth0 and wlan0 even if eth0 wasnt used.
maybe some of these assumptions are out of date?

Doing that makes the output more confusing, and the replacement of
> an interface by another one would not be detected.
>
> > and the alert shows something has changed. For laptops where
> > networking is more dynamic it's hard to design something that works
> > for everyone without also hiding information for other people.
>
> But are lines containing *only* the usual network managers suspicious?


no, but it is suspicious is anything changed.

Please also see the manpage which tells you how to use -s to remove these
lines. The config file can easily be used to use -s each time.

Bug#1015201: logcheck: Update patterns, here: rsyslogd

[Richard Lewis]

lOn Mon, 29 Apr 2024, 14:19 Helge Kreutzmann,  wrote:

> Am Sat, Apr 27, 2024 at 07:11:40PM +0100 schrieb Richard Lewis:
> > On Sun, 17 Jul 2022 17:28:11 +0100 Richard Lewis
> >  wrote:
>
> > Hi Helge. Apologies no-one has replied to this bug report for 2 years
> > and that this response isnt going to be what you want!
>
> Thanks for taking care of it anyhow, I noticed that it is not worth
> reporting improvements to logcheck proper.
>

i hope to convince you otherwise! pleae report issues again!

>
> > debian usually doesnt add rules to filter startup messages as it tends
> > to add a lot of rules
>
> Indeed, startup rules are quite helpful, because then I see what was
> *different* during startup, i.e. if something got wrong.


totally agree

For servers,
> this is not very useful, but for workstatins it is. Btw., the current
> rules also deal with startup:
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: imklog [0-9.]+, log source =
> /proc/kmsg started.$
>

i think that practice and theory have diverged here! or possibly this
is/was produced when logs are rotated.

Bug#1070152: chkrootkit: duplicate line from ifpromisc

[Richard Lewis]

On Wed, 1 May 2024, 00:57 Vincent Lefevre,  wrote:

> On 2024-05-01 01:29:10 +0200, Vincent Lefevre wrote:
> > For instance, /var/log/chkrootkit/log.expected contains
> >
> > WARNING: Output from ifpromisc:
> > lo: not promisc and no packet sniffer sockets
> > : PACKET
> SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})
> >
> > But /var/log/chkrootkit/log.today currently has a duplicate line:
> >
> > WARNING: Output from ifpromisc:
> > lo: not promisc and no packet sniffer sockets
> > : PACKET
> SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})
> > : PACKET
> SNIFFER([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID})
> >
> > which has the effect to generate an alert.
>
> This is actually due to the filter in /etc/chkrootkit/chkrootkit.conf,
> which obfuscates the output.
>
> The unfiltered output:
>
> lo: not promisc and no packet sniffer sockets
> eth0: PACKET SNIFFER(/usr/sbin/NetworkManager[1261])
> wlp0s20f3: PACKET SNIFFER(/usr/sbin/NetworkManager[1261],
> /usr/sbin/wpa_supplicant[1263])
>
> But for a laptop, there is not always an Ethernet cable plugged in.
>
> IMHO, known packet sniffers should be filtered out.
>

I agree that you should be able to filter out duplicate lines. And i think
this is possible with a  custom filter.


I dont think it should be the default - most chkrootkit users have a more
static network setup, and the alert shows something has changed. For
laptops where networking is more dynamic it's hard to design something that
works for everyone without also hiding information for other people.

I think the defaults need to be conservative, while allowing people to hide
what they want.

Maybe the best solution is to provide more docs/examples about how to hide
duplicate lines.

Bug#1068161: Video playback regression

[Daniel Richard G.]

Hi Andres,

On Tue, 2024 Apr 30 02:42-04:00, Andres Salomon wrote:
> Please let me know if this is still broken with chromium 124.

I'm happy to report that the issue appears to be resolved in the current
124.0.6367.78-1~deb12u1. (I did not test 124.0.6367.60.)

Some additional info that I meant to send in earlier:

* I was able to work around the problem in 123 with "--use-gl=egl".
  Even now, with 124, I get "MESA: error: Out of instructions"
  messages on the terminal when this flag is removed (but video now
  works either way).

* The video adapter is listed as a "VGA compatible controller [0300]:
  Intel Corporation Mobile 945GM/GMS, 943/940GML Express Integrated
  Graphics Controller [8086:27a2]", on a Lenovo ThinkPad.

* This is a different and much older bug, but I've observed that some
  Web sites show visual artifacts in chromium on this particular system,
  and --use-gl=egl also cleared those up. I think the issue may be that
  the driver for this specific hardware is buggy, and affected users are
  better off using the alternate GL implementation. (I can provide more
  details if this is of interest.)

Bug#1070109: fakechroot: apt crashes inside fakechroot

[Richard Ulrich]

Package: fakechroot
Version: 2.20.1+ds-17
Severity: important
X-Debbugs-Cc: ri...@paraeasy.ch

Dear Maintainer,

We use fakechroot for building a live OS that starts out with debootstrap. This 
worked fine for a while, but started to fail last week. Now apt crashes when it 
ties to download anything:
https://github.com/AminaBank/livedeb/blob/master/Dockerfile#L85
 => ERROR [stage-8  4/30] RUN fakechroot chroot ROOTFS apt-get update  && 
fakechroot chroot ROOTFS a  1.2s 
--  
   
 > [stage-8  4/30] RUN fakechroot chroot ROOTFS apt-get update  && fakechroot 
 > chroot ROOTFS apt-get -y dist-upgrade  && fakechroot chroot ROOTFS apt-get 
 > install -y --no-install-recommends curldosfstools electrum fdisk 
 >   firefox-esr fonts-freefont-ttf  fonts-noto-mono keepassxc  
 >  libgl1  libglib2.0-0libykpiv2   minicom mousepad
 > mtools  openssh-client  p7zip-full pcscdpython3-pyqt5   
 > systemd-resolvedsystemd-timesyncd   thunar-archive-plugin   
 > xarchiver xfce4 xfce4-terminal  xinit   xserver-xorg
 > yubikey-manager:
#9 0.613 Reading package lists...
#9 1.059 E: Method http has died unexpectedly!
#9 1.059 E: Sub-process http received a segmentation fault.
#9 1.059 E: Method /usr/lib/apt/methods/http did not start correctly
#9 1.059 E: Failed to fetch 
http://deb.debian.org/debian/dists/bookworm/InRelease  
#9 1.059 E: Some index files failed to download. They have been ignored, or old 
ones used instead.

I don't know where the problem really lies, but when I buil an older version, 
where fakechroot was not used, then it builds just fine:
https://github.com/AminaBank/livedeb/blob/b38de278e45f0175f5d9c5fc39716a4e31eda6c3/Dockerfile#L37
 

The first version that uses fakechroot generates a slightly different error 
messages, but also at about the same place:
https://github.com/AminaBank/livedeb/blob/e22eda84c67643da13d46cb56a24e1eb47fdbfcd/Dockerfile#L57
Step 11/50 : RUN fakechroot chroot ROOTFS apt-get update
 ---> Running in 9f203eea9b98
*** stack smashing detected ***: terminated
Aborted (core dumped)
The command '/bin/sh -c fakechroot chroot ROOTFS apt-get update' returned a 
non-zero code: 134

I am reporting this from my trixie system, but the same happens on bookworm 
systems, and bookworm is used inside the relevant Docker container.

-- System Information:
Debian Release: bookworm/trixie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (100, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.15-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_CH:de
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fakechroot depends on:
ii  binutils   2.42-4
ii  libfakechroot  2.20.1+ds-17

fakechroot recommends no packages.

fakechroot suggests no packages.

-- no debconf information

Bug#409444: logcheck: ignore "last line repeated $n times" if prevline matched

[Richard Lewis]

On Sat, 03 Feb 2007 10:29:38 +0100 Jonas Koelker  wrote:

> I (think I) want to see how many times the messages I care about are
> repeated.  This means I can't ignore "last line repeated $n times"
> messages (obviously).  But since those can also occur after messages
> that are ignored, I can't _not_ ignore them either.  So, I lose.
>

rsyslog has disabled the "feature" which produces this message, see
https://www.rsyslog.com/doc/configuration/action/rsconf1_repeatedmsgreduction.html

so this bug from 2007 can, i think, be closed.

Bug#690608: logcheck-database: consider to add ignore.d.server/rrdcached

[Richard Lewis]

On Tue, 16 Oct 2012 03:14:20 +0200 Sebastian Steinhuber
 wrote:

> Dear Maintainer,
> to drop (slightly boring) messages from the package rrdcached of the
> form:
> Oct 15 22:59:29 dds rrdcached[12045]: flushing old values
>
> I added a file named ignore.d.server/rrdcached, containing the line:
>
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rrdcached\[[0-9]+\]: flushing
> old values$

Hi Sebastian,
over a decade ago you reported the above bug against
logcheck-database: im sorry no-one replied before today!

Is this rule still valid?  im thinking things may have moved on, and
wondering if the bug is still valid.

Bug#442244: [Logcheck-devel] Bug#442244: logcheck-database: should include the filters from cyrus-imapd-2.2

[Richard Lewis]

On Fri, 14 Sep 2007 14:06:58 +0200 martin f krafft  wrote:
> also sprach Alex Prinsier  [2007.09.14.1344 
> +0200]:
> > Please copy over the filters from cyrus-imapd-2.2. I'm running
> > logcheck on a loghost, which doesn't run cyrus itself. There might
> > be a better alternative to copying the file, but anyhow it should
> > be in logcheck-database.

> logcheck is not designed to be run on a loghost, really. I know it
> would be nice, but it's not the general use case. You'll fare best
> if you copy the file over, or simply install the cyrus-imapd-2.2
> package on the loghost and disable all services.
>

I am tempted to  close this bug from 2007:
- No-one has objected to the above two paragraphs since 2007, over a decade ago
- The design of logcheck is that rules can be installed by packages
and logcheck-database should not duplicate that, and it would risk
file conflicts and out of date files.
- People who want to run logcheck on a "loghost" can copy the rules -
for example from sources.debian.org or salsa.debian.org

HOWEVER:  maybe this bug has value as it suggests that the logcheck
ignore.d.serve/cyrus rules should actually be deleted:

apt-file search cyrus | grep logcheck
cyrus-common: /etc/logcheck/ignore.d.server/cyrus-imapd
cyrus-common: /etc/logcheck/violations.ignore.d/cyrus-common
cyrus-common: /etc/logcheck/violations.ignore.d/cyrus-imapd
logcheck-database: /etc/logcheck/ignore.d.server/cyrus

Bug#588312: [Logcheck-devel] Bug#588312: logcheck-database: updated rules for many packages

[Richard Lewis]

Closing this bug from 2010 (14 years ago!) -- the then-maintainer
found that most of the suggestions were either already present or
should not actually be added, for various reasons.

A requested was made to resubmit as more independent bugs - if that
was done, we dont need this bug, and if not that suggests there is no
interest in proceeding.

Either way, the best thing seems to be to close this bug. Please
reopen with updated rules, if needd


On Thu, 08 Jul 2010 13:58:47 +0200 Hannes von Haugwitz
 wrote:
> Hi,
>
> Like Gerfried said, please file different bug reports for different
> packages the next time.
>
> Some comments about your rule suggestions:
>
> Radosław Antoniuk wrote:
> >> #dkimproxy
> >> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dkimproxy.out\[[0-9]+\]: connect from 
> >> .*$
> >> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dkimproxy.out\[[0-9]+\]: DKIM signing - 
> >> signed; .*$
> >> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dkimproxy.out\[[0-9]+\]: DKIM signing - 
> >> skipped; .*$
> >
> > No rules at all.
> >
> >
> > Jul  7 12:39:21 hosting dkimproxy.out[1508]: DKIM signing - skipped;
> > message-id=,
> > from=
> > Jul  7 12:39:21 hosting dkimproxy.out[1508]: DKIM signing - signed;
> > message-id=,
> > from=
> > Jul  7 12:39:21 hosting dkimproxy.out[1508]: connect from 127.0.0.1
> >
>
> I don't see the need of wildchar .* here.
>
> >
> >> #ssh
> >> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: error writing 
> >> /proc/self/oom_adj: Operation not permitted$
> >
> > Not there.
> >
>
> Looks like an error for me, maybe #555625?
>
> >> #ntp
> >> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync status 
> >> change 4001
> >
> > No config at all
> >
>
> This message shouldn't occur anymore (see #498992).
>
> >
> >> #syslog-ng
> >> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ syslog-ng\[[0-9]+\]: Log statistics;.*$
> >> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ syslog-ng\[[0-9]+\]: Configuration 
> >> reload request received, reloading configuration;$
> >
> >
> > syslog-ng[31823]: Log statistics; processed='destination(d_error)=3',
> > processed='destination(d_messages)=298',
> > processed='src.internal(s_src#1)=90',
> > stamp='src.internal(s_src#1)=1278499023',
> > processed='destination(d_syslog)=90', processed='center(received)=0',
> > processed='destination(d_xconsole)=3',
> > processed='destination(d_newscrit)=0',
> > processed='destination(d_auth)=1452',
> > processed='destination(d_daemon)=1',
> > processed='global(payload_reallocs)=0',

Bug#511483: logcheck-database: please add rules for rkhunter

[Richard Lewis]

package: logcheck-database

# think it's reasonable to add rkhunter rules - although the ones in
this bug need updates
severity 511483 normal
tags 511481 - wontfix

Bug#592365: logcheck: ignore rules for transmission-daemon

[Richard Lewis]

On Tue, 10 Aug 2010 10:28:54 +1000 Nemo  wrote:

> > ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ 
> > transmission-daemon\[[[:digit:]]+\]: Saved 
> > "/var/lib/transmission-daemon/info/.*" \(bencode.c:1651\)$
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ transmission-daemon\[[0-9]+\]: .* DHT 
> > announce .*\(tr-dht.c:(669|637)\)$

Hi Nemo, in 14 years ago you reported a bug against logcheck-database
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=592365 -

I believe you suggested that the above be added to logcheck.

It;s a shame no-one ever replied to you - let me at least try now:

Are these rules still needed for transmission-daemon? I imagine there
may have been several changes to message formats since then.

Bug#1015201: logcheck: Update patterns, here: rsyslogd

[Richard Lewis]

On Sun, 17 Jul 2022 17:28:11 +0100 Richard Lewis
 wrote:
> > The pattern for rsyslogd can be improved. Please add the following
> > line:
> >
> > imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' \(fd 3\) from 
> > systemd.  \[v8.2206.0\]
> >
> > You might want to generalize the fd (on my system it is always fd 3,
> > but I don't know if this is general) and possibly the version number;
> > ideally this would remain in sync to whatever is in testing.
>
> I have the following rules in etc/logcheck/ignore.d.server/local-rsyslog
>
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ systemd\[1\]: rsyslog\.service:
> Sent signal SIGHUP to main process [0-9]+ \(rsyslogd\) on client
> request\.$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd\[[0-9]+\]: \[origin
> software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+"
> x-info="https://www.rsyslog.com"\] rsyslogd was HUPed$
>
> so you might like to add those too. (i believe these are caused by
> logrotate via /usr/lib/rsyslog/rsyslog-rotate , the latter being part
> of rsyslog). they are relevant to bullseye systems

Hi Helge. Apologies no-one has replied to this bug report for 2 years
and that this response isnt going to be what you want!

The rules for rsyslog are actually provided by rsyslog not
logcheck-database so this bug should be against rsyslog --
however, im not sure rsyslog produces those messages about HUP any
more so maybe it should be closed rather than reassigned?

I do see the one about the unix socket but
a) i wonder if that's a bug rather that should be hidden?
b) I also think i only see it  "startup" (ie only produced when the
system boots / service starts):
debian usually doesnt add rules to filter startup messages as it tends
to add a lot of rules

(apologies if i am wrong on this - i dont usually have rsyslog
installed, but ve been running it in a container for testing some
upcoming changes to logcheck and
i don't see either of the messages above despite running for several days).

Bug#532719: [Logcheck-devel] Bug#532719: additional sample

[Richard Lewis]

On Tue, 16 Jun 2009 11:27:57 -0700 Russ Allbery  wrote:
> chrysn  writes:

> touch /etc/default/locale will also make these go away with no behavior
> changes.  In my experience, it happens on systems upgraded from older
> versions of Debian but not with new installs.  I think this is more a
> bug or misconfiguration than something that logcheck really should be
> filtering out.

For the reason given above in 2009 im closing this bug asking to
filter a message about a missing locale:
debian installs a locale by defuault and not having one is unusual: if
the file disappeared most people
would want to know about it, so logcheck should be reporting it.

people who want to have a system without a locale set (assuming that
is even still possible - and why not just set it to C?)
can of course add a local rule to filter the message, but i see no
case for hiding this message by default.

Therefore, closing this bug.

If there's some case im missing, it can be reopened of couse

Bug#510472: logcheck-database: pam_unix messages could be ignored.

[Richard Lewis]

On Tue, 18 Aug 2009 20:24:31 -0400
=?iso-8859-1?B?RnLpZOlyaWMgQnJp6HJl?=  wrote:
> On Fri, Jan 02, 2009 at 10:21:51AM +0100, Jan Evert van Grootheest wrote:
> > Package: logcheck-database
> > Version: 1.2.68
> >
> > It has now started to spam the logs with lots of
> > Jan  2 09:22:57 sisko sshd[28511]: pam_unix(sshd:auth): authentication 
> > failure; logname= uid=0 euid=0 tty=ssh ruser= 
> > rhost=host92-22-static.38-79-b.business.telecomitalia.it  user=root
>
> This is a duplicate of #70, which was fixed a while ago.  (The fix
> was actually part of 1.2.64, so I'm assuming you filed this report from
> a different machine.)
>
> > And on another system the same is happening for imapd.
>
> Are we talking about cyrus-imapd-2.2?  Could you provide an example?

This bug is from 2009, and has been tagged moreinfo for much of that
time: i fear the world has moved on:
- logcheck-database filters messages from pam for successful login
- most people would want to know about authentication failures,
especially since root is not allowed to ssh in by default these days
- those that get too many authentication failures can and should add
their local rule, but i dont see a case to filter such methods by
default
- there isnt really anything actionable in this report anyway

Therefore: closing it - anyone is feel free to reopen!

Bug#590684: [logcheck-database] rules for rsyslog

[Richard Lewis]

On Mon, 02 Aug 2010 10:29:03 +0200 Hannes von Haugwitz
 wrote:

> > ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rsyslogd: \[origin
> > software="rsyslogd" swVersion="3.18.6" x-pid="[[:digit:]]+"
> > x-info="http://www.rsyslog.com"\] restart$
>
> Daemon restart messages are willingly not included in logcheck-database.
>
> So I tag this bug as wontfix.

I think we can actually close this bug 14-year old bug: rsyslog
provides its own rules for logcheck and those rules do cover the
startup message (which has changed since the report).

Bug#1069777: initramfs-tools: Bug/feature request: better handling of /etc/crypttab not ending in new line character

[Richard Rosner]

Package: initramfs-tools
Version: 0.142
Severity: wishlist

Dear Maintainer,
I'm not sure if this is a bug that should be fixed or a feature request for
better error handling. I noticed by accident, that when /etc/crypttab
ends in
the line of the last entry and not a new line character,
update-initramfs just
ignores the last line and says it couldn't find that device in
/etc/crypttab.
Either the tool should be able to just handle this rather simple case or at
least give a proper error message. Or whatever would make it more
obvious for
the user what actually the error is as the existing error message is quite
misleading.

Best
Richard

Bug#1069697: lintian: debian-changelog-line-too-short CVEs

[Richard Lewis]

On Tue, 23 Apr 2024, 00:12 Thorsten Glaser,  wrote:

> P: openjdk-8-doc: debian-changelog-line-too-short CVEs
> [usr/share/doc/openjdk-8-doc/changelog.Debian.gz:4]
>
> The changelog in question is:
>
>   * New upstream release
>   * CVEs
> - CVE-2024-21011
> - CVE-2024-21085
> - CVE-2024-21068
> - CVE-2024-21094
>   * Security fixes
> […]
>
> I find this a little opinionated anyway, but here not quite
> appropriate as the changelog “line” spans more than a physical
> line. Maybe, if you won’t consider the space until the next
> /^  \* / a “line”, then at least exclude itemisations from that tag?
>


would it make a difference if the somewhat ambiguous line "CVEs" was
changed to "Fixes the following CVEs:" ?

Bug#1052714: firmware-amd-graphics: Missing firmware for AMD Radeon RX 7000 series cards

[Richard]

I'd also like to support this. The current firmware-amd-graphics is getting
close to being a year old. While of course the Stable branch won't get
up-to-date firmware as that's not the point of firmware, I don't see a
reason at least sid or an experimental branch shouldn't be kept more
up-to-date. And I don't really see a reason why that shouldn't be the case
for testing and stable-updates or stable-backports too.

E.g., a Ryzen 7040's iGPU can't be handled by the 06/2023 firmware package,
it will complain that "amdgpu/gc_11_0_1_me" couldn't be loaded. With at
least the 09/2023 firmware that's not an issue anymore.

Greetings,
Richard

Bug#885414: base-files: lack of quoting in shell variable expansions in /etc/profile

[Richard Lewis]

On Thu, 18 Apr 2024, 23:18 Santiago Vila,  wrote:

> El 18/4/24 a las 22:17, Richard Lewis escribió:
> >>> '^[a-zA-Z0-9_][a-zA-Z0-9._-]*\.sh$'
> >>
> >> Hi. I confirm that this is appropriate for what we distribute:
> >
> > What about local scripts added by users (which this change might
> > prevent loading): perhaps a NEWS.Debian entry would suffice?
>
> Are there any guidelines about when NEWS.Debian should be used
> and when the Release Notes?
>
> (I'd like to avoid spamming the users with non-important information)
>

i may well be missing something, but I think:
-  policy is entirely silent on this (i may well be missing something here!)
-  devref has:
<
https://www.debian.org/doc/manuals/developers-reference/best-pkging-practices.en.html#supplementing-changelogs-with-news-debian-files
>
which says "This is the preferred means to let the user know about
significant changes in a package." and "Only update them if you have
something particularly newsworthy that user should know about."
- release notes has very little -
https://salsa.debian.org/ddp-team/release-notes/-/blob/master/README.md
which says "The Release Notes contain important information for people
updating from the previous version of Debian, particularly for less
experienced users."

fwiw my understanding is that release-notes should be used less often, than
NEWS.Debian because
- it only covers stable-to-stable upgrades (i doubt many unstable users
read it at all - certainly at the moment i don't think there is any single
post-bookworm content)
- release-notes will only be ready once, on stable upgrades, whereas
NEWS.Debian might be more useful for people tracking unstable (personally i
would hope everything in release-notes is covered in NEWS.Debian for that
reason!)
- release-notes is meant to be understandable by less experienced
non-technical "users" (all documentation should of course aim for that, in
theory)
- NEWS.Debian is "opt-in": if you install apt-listchanges you'll see
NEWS.Debian, but that package isnt installed by the default. Even fewer
users will read the changelog (although apt-listchanges can email that as
well)

(i dont think people would take a radically different view, but i may be
mistaken!)

i think in both cases, what gets included is a matter of judgement  --- my
personal view is that this change is not quite important enough (in terms
of likely impact) for release-notes, but i would also happily help draft
text for release-notes or drop the issue entirely: i dont feel strongly
about this, i just happened to spot this bug

Bug#885414: base-files: lack of quoting in shell variable expansions in /etc/profile

[Richard Lewis]

> >'^[a-zA-Z0-9_][a-zA-Z0-9._-]*\.sh$'
>
> Hi. I confirm that this is appropriate for what we distribute:

What about local scripts added by users (which this change might
prevent loading): perhaps a NEWS.Debian entry would suffice?

Bug#1068775: sbuild-qemu: fails to work, if piuparts is requested, but not installed on the host

[Richard Lewis]

On Fri, 12 Apr 2024, 19:00 Johannes Schauer Marin Rodrigues, <
jo...@debian.org> wrote:

> Hi Francesco,
>
> Quoting Francesco Poli (wintermute) (2024-04-11 00:13:51)
> >
> >   sbuild --dist unstable --purge-build=never --purge-deps=never
> --chroot-mode=autopkgtest --autopkgtest-virt-server=qemu
> --autopkgtest-virt-server-opt --overlay-dir=/dev/shm
> --autopkgtest-virt-server-opt --qemu-architecture=x86_64
> --autopkgtest-virt-server-opt --ram-size=2048 --autopkgtest-virt-server-opt
> --cpus=2 --autopkgtest-virt-server-opt --boot=efi
> --autopkgtest-virt-server-opt
> /home/$USER/.cache/sbuild/unstable-autopkgtest-amd64.img
> --bd-uninstallable-explainer apt
> > Error reading configuration: PIUPARTS binary 'piuparts' does not exist
> or is not executable at /usr/share/perl5/Sbuild/Conf.pm line 76.
> >
> >



> > However, I thought that setting $run_piuparts = 1 in ~/.sbuildrc caused
> > piuparts to be run inside the virtual machine guest system, not on the
> > host system!
>
> What made you think that? Is the error message above not clear enough? Do
> you
> think it should be improved to make things clearer? Do you have
> suggestions for
> a message that would've better explained that piuparts needs to be
> installed on
> the host system?
>

Adding a data point, i would also like the error message to be clearer - i
know that once you understand how sbuild and piuparts work it becomes
"obvious" that piuparts needs to be run from the host -- but this is not at
all clear for new users: would be great if the documentation and errors
could clearly distinguish between which things inside/outside the chroot


This particular error message could be improved in at least 3 ways:
1. "Error reading configuration" -- suggests it couldnt parse the config
file, which doesnt seem to be the case here (suggest either dropping this
from the error message or saying more clearly what the issue is)

2. "PIUPARTS binary 'piuparts' does not exist or is not executable"

not sure why the capitials and repetition?  just say more directly what the
issue is: eg : "Error: piuparts not found (it needs to be installed on the
host)"

3.  "at /usr/share/perl5/Sbuild/Conf.pm line 76." -- not sure this
implementation detail is helpful for a user -- it makes it look a bug
rather than a message for the user: could it be dropped from the error
message or hidden behind a "debug"/"verbose" setting?


thanks for working on sbuild, it's really great.

Bug#970021: Seeking a small group to package Apache Arrow (was: Bug#970021: RFP: apache-arrow -- cross-language development platform for in-memory analytics)

[Richard Duivenvoorde]

On 3/25/24 7:17 PM, Julian Gilbey wrote:

So this is a plea for anyone looking for something really helpful to
do: it would be great to have a group of developers finally package
this!  There was some initial work done (see the RFP bug report for
details: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970021),
but that is fairly old now.  As Apache Arrow supports numerous
languages, it may well benefit from having a group of developers with
different areas of expertise to build it.  (Or perhaps it would make
more sense to split the upstream source into a collection of different
Debian source packages for the different supported languages.  I don't
know.)  Unfortunately I don't have the capacity to devote any time to
it myself.

Thanks in advance for anyone who can step forward for this!


As someone from the Debian-GIS community, I would also be very interested in 
this!

The Apache Arrow C++ library is one of the dependencies to make GDAL/OGR able 
to read/write (geo)parquet files, a data format with a lot traction in the geo 
community [0]. Thereby making it possible for QGIS to handle those (on Debian).

[0] 
https://cloudnativegeo.org/blog/2023/09/duckdb-the-indispensable-geospatial-tool-you-didnt-know-you-were-missing/

Regards,

Richard Duivenvoorde

Bug#1068161: Video playback regression

[Daniel Richard G.]

Package: chromium
Version: 123.0.6312.86-1~deb12u1
Severity: important

Video playback worked fine in the previous version,
122.0.6261.128-1~deb12u1

In the current version, when I attempt to play a video, the visual
portion is completed whited out. The playback controls are present,
playback position advances, audio can be heard, but the video is just a
solid, constant white (regardless of the site's background color).

During playback, the following pair of error messages are printed
repeatedly to the terminal:

[179003:179003:0331/180459.326096:ERROR:raster_decoder.cc(2407)] 
[.RenderCompositor-0x38dc004ddc00]GL ERROR :GL_INVALID_OPERATION : 
glWritePixelsYUV: Failed to upload pixels to dest shared image

[179003:179003:0331/180459.385907:ERROR:shared_image_representation.cc(478)] 
Attempt to read from an uninitialized SharedImage. Initialized region: (0, 0, 
0, 0) Size: (544, 360)

I have downloaded the previous 122.0.6261.128-1~deb12u1 package, and
run it to confirm that it can still play video correctly. In fact, I
have 122 and 123 running side by side, with one working and the other
spewing errors.


--Daniel

Bug#1066903: libgnt: please drop runtime dependencies

[Richard Laager]

This sounds reasonable to. It looks like you beat me to this with an 
NMU. Thanks!


On 2024-03-15 04:08, Gianfranco Costamagna wrote:

Package: libgnt
Version: 2.14.4-1.1
Severity: serious
Tags: patch

Hello, I found some runtime dependencies, such as removed libglib2.0-0 
breaking every 32bit build except i386 due to

time64_t transition.
Please update, remove them, let debhelper evaluate them via shlibs:Depends.

Also I added libxml2-dev build-dependency, looks like the support was 
not enabled.


before:
Run-time dependency glib-2.0 found: YES 2.79.3
Run-time dependency gobject-2.0 found: YES 2.79.3
Run-time dependency gmodule-2.0 found: YES 2.79.3
Did not find CMake 'cmake'
Found CMake: NO
Run-time dependency libxml-2.0 found: NO (tried pkgconfig and cmake)

Now:
Found pkg-config: YES (/usr/bin/pkg-config) 1.8.1
Run-time dependency glib-2.0 found: YES 2.79.3
Run-time dependency gobject-2.0 found: YES 2.79.3
Run-time dependency gmodule-2.0 found: YES 2.79.3
Run-time dependency libxml-2.0 found: YES 2.9.14


Also dpkg shows correct dependencies now:
Package: libgnt0t64
[...]
Depends: libc6 (>= 2.38), libglib2.0-0t64 (>= 2.75.3), libncursesw6 (>= 
6), libtinfo6 (>= 6), libxml2 (>= 2.7.4)

Breaks: finch (<< 2.14.1), libgnt0 (<< 2.14.4-1.2)
Replaces: finch (<< 2.14.1), libgnt0
Provides: libgnt0 (= 2.14.4-1.2)
[...]

Thanks for considering the patch.

*** /tmp/tmpkfjro47y/libgnt_2.14.4-1.1ubuntu1.debdiff
diff -Nru libgnt-2.14.4/debian/control libgnt-2.14.4/debian/control
--- libgnt-2.14.4/debian/control    2024-03-08 06:22:50.0 +0100
+++ libgnt-2.14.4/debian/control    2024-03-15 09:59:05.0 +0100
@@ -1,6 +1,7 @@
     libglib2.0-dev,
     libglib2.0-doc,
     libncurses-dev,
+   libxml2-dev,
     meson,
  Build-Depends-Indep: gtk-doc-tools,
  Homepage: https://keep.imfreedom.org/libgnt/libgnt
@@ -18,10 +18,7 @@
  Package: libgnt0t64
  Provides: ${t64:Provides}
  Architecture: any
-Depends: libglib2.0-0,
- libncursesw6,
- libxml2,
- ${misc:Depends},
+Depends: ${misc:Depends},
   ${shlibs:Depends},
  Breaks: libgnt0 (<< ${source:Version}), finch (<< 2.14.1),
  Replaces: libgnt0, finch (<< 2.14.1),




--
Richard



OpenPGP_signature.asc
Description: OpenPGP digital signature

Bug#1066817: input-remapper-gtk: Syntax errors at installation

[Richard]

Package: input-remapper-gtk
Version: 2.0.1-1
Severity: minor

Dear Maintainer,
this is a really minor issue, but upon finishing installation (from
terminal),
I'm greeted by this error message:

Notices:
  /usr/lib/python3/dist-packages/inputremapper/gui/controller.py:304:
SyntaxWarning: invalid escape sequence '\d'
  match = re.search(" copy *\d*$", name)

/usr/lib/python3/dist-packages/inputremapper/gui/messages/message_data.py:45:
SyntaxWarning: invalid escape sequence '\d'
  all_matches = list(re.finditer("(\d+, )+", string))

It doesn't seem to be affecting anything, but maybe issues would only be
appearing in special circumstances.


-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (50, 'experimental'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.6.15-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE
not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages input-remapper-gtk depends on:
ii  gir1.2-glib-2.01.78.1-15
ii  gir1.2-gtk-3.0 3.24.41-1
ii  gir1.2-gtksource-4 4.8.4-5+b1
ii  input-remapper-daemon  2.0.1-1
ii  python33.11.6-1
ii  python3-inputremapper  2.0.1-1

input-remapper-gtk recommends no packages.

input-remapper-gtk suggests no packages.

-- no debconf information

Bug#1066081: ntpsec: ntpd reports error about missing /var/log/ntpsec

[Richard Laager]

(Replying via mobile, so non-Debian address.)

It should be reasonably possible to convert this to .d style. I will have to 
dig into this to fully consider all the implications, especially around 
handling upgrades. I think part of the issue here is that ntpd logs there by 
default. That is, you don’t turn on logging. I’m not sure if there is a way to 
turn off logging. But I have to check.

I want to maintain the same posture we have now:

- No logs by default. Most people don’t use them, so this is pointless I/O.
- People can enable logs reasonably easily.
- Installing ntpviz automatically enables logs.

For upgrades, I can use the presence or absence of the directory for most of 
the handling. I do need to think through what happens / what to do if someone 
has customized any of the other log settings.

-- 
Richard

Bug#1066081: ntpsec: ntpd reports error about missing /var/log/ntpsec

[Richard Laager]

Control: reopen -1

On 2024-03-12 11:10, MOESSBAUER, Felix wrote:

On Tue, 2024-03-12 at 10:33 -0500, Richard Laager wrote:

This is intentional. The logging is optional and whether the
directory
exists controls this.


Hi Richard,

that's a quite uncommon interface. Is this at least documented
somewhere?


ntp.conf


Also the "error" should be downgraded to a "warning" at
least.


Didn't I do that?

commit b06f1d8177a9b0a2593947a2ebefcb43e94ac281
Author: Santiago Vila 
Date:   Sun Dec 24 15:36:25 2023 -0600

Downgrade missing stats dir log severity

The Debian package does not create /var/log/ntpsec by default.  The
admin  is directed (by a comment in ntp.conf) to create it if and only
if they want logging.  However, upstream ntpsec logs an error message
if the log directory does not exist.

Closes: 1049424
Signed-off-by: Richard Laager 
[The commit message / patch description is my wording.]



One advantage of that is the ntpsec-ntpviz package can create that
directory to enable logging, which is required for ntpviz to be
useful.
Otherwise, it would have to edit the config file, which is riskier.


Well... for that conf.d style configs are usually used.


Yeah. ntpsec supports those _now_. (I don't know that it did at the 
time.) So maybe that's a better answer.


--
Richard



OpenPGP_signature.asc
Description: OpenPGP digital signature

Bug#1066079: RFS: ddclient/3.11.2-1 -- address updating utility for dynamic DNS services

[Richard Hansen]

Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "ddclient":

 * Package name : ddclient
   Version  : 3.11.2-1
   Upstream contact : https://github.com/ddclient/ddclient
 * URL  : https://ddclient.net
 * License  : GPL-2.0+, Artistic or GPL-1+, Apache-2.0
 * Vcs  : https://salsa.debian.org/debian/ddclient
   Section  : net

The source builds the following binary packages:

  ddclient - address updating utility for dynamic DNS services

To access further information about this package, please visit the 
following URL:


  https://mentors.debian.net/package/ddclient/

Alternatively, you can download the package with 'dget' using this command:

  dget -x 
https://mentors.debian.net/debian/pool/main/d/ddclient/ddclient_3.11.2-1.dsc


Changes since the last upload:

 ddclient (3.11.2-1) unstable; urgency=medium
 .
   * Add curl build dependency to enable the -curl argument
   * Suggest curl
   * Bump Standards-Version to 4.6.2 (no changes needed)
   * gbp.conf: Rename branches and tags to match current convention
   * gbp.conf: Set upstream-vcs-tag (for import-orig)
   * New upstream version 3.11.2
   * Refresh patches
   * Update dependencies
   * Use dh_installchangelogs to install ChangeLog.md
   * debian/copyright: Set Upstream-Contact to project URL
   * debian/copyright: Update copyright year for debian/*

Regards,


OpenPGP_signature.asc
Description: OpenPGP digital signature

Bug#1060023: Acknowledgement (ITP: keyd -- Keyboard key remapping daemon for Linux)

[Richard Hansen]

Request for sponsorship (RFS): bug #1066022


OpenPGP_signature.asc
Description: OpenPGP digital signature

Bug#1066022: RFS: keyd/2.4.3-1 [ITP] -- keyboard key remapping daemon

[Richard Hansen]

Package: sponsorship-requests
Severity: wishlist

Dear mentors,

I am looking for a sponsor for my package "keyd":

 * Package name : keyd
   Version  : 2.4.3-1
   Upstream contact : Raheman Vaiya 
 * URL  : https://github.com/rvaiya/keyd
 * License  : Expat
 * Vcs  : https://salsa.debian.org/rhansen/keyd
   Section  : utils

The source builds the following binary packages:

  keyd - keyboard key remapping daemon
  keyd-application-mapper - keyboard key remapping daemon - 
application-specific remapper


To access further information about this package, please visit the 
following URL:


  https://mentors.debian.net/package/keyd/

Alternatively, you can download the package with 'dget' using this command:

  dget -x 
https://mentors.debian.net/debian/pool/main/k/keyd/keyd_2.4.3-1.dsc


Changes for the initial release:

 keyd (2.4.3-1) unstable; urgency=medium
 .
   * Initial debianization. (Closes: #1060023)

Regards,
Richard


OpenPGP_signature.asc
Description: OpenPGP digital signature

Bug#1058451: ntpsec: FTBFS [Hurd] change Build-Depends: systemd to [linux-any]

[Richard Laager]

I think, but am not sure, that this is now functionally a duplicate of 
#1060506. That one tells me to change it from systemd to systemd-dev 
because:


Since systemd_253-2 [1], these two pkgconfig files have been split
into a separate package named systemd-dev. This package is arch:all,
so even available on non-Linux architectures, which will simplify
the installation of upstream provided service files / udev rules.

I have made that change. If that is NOT sufficient, please let me know 
and I'll adjust again.


--
Richard


OpenPGP_signature.asc
Description: OpenPGP digital signature

Bug#1064025: ntpsec does not sync to server if "iburst" is missing

[Richard Laager]

I agree that the description, as provided, would be a bug.

However, I cannot reproduce this.

Can you provide your ntp.conf file, in full, please?
--
Richard



OpenPGP_signature.asc
Description: OpenPGP digital signature

Bug#1061731: fwupd: Failed to load daemon: failed to load engine: Failed to load config: Key file does not have group “redfish”

[Richard B]

Hello.

I can confirm that upgrading fwupd and libfwupd2 on Trixie to 1.9.14-1 
and installing the package maintainer's version of /etc/fwupd/fwupd.conf 
allowed the fwupd status to start:


   sudo apt upgrade
   Reading package lists... Done
   Building dependency tree... Done
   Reading state information... Done
   Calculating upgrade... Done
   The following packages will be upgraded:
  fwupd libfwupd2
   2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
   Need to get 0 B/3,833 kB of archives.
   After this operation, 54.3 kB of additional disk space will be used.
   Do you want to continue? [Y/n] y
   Retrieving bug reports... Done
   Parsing Found/Fixed information... Done
   serious bugs of fwupd (1.9.11-1 → 1.9.14-1) 
 b1 - #1061731 - fwupd: Failed to load daemon: failed to load
   engine: Failed to load config: Key file does not have group “redfish”
   Summary:
 fwupd(1 bug)
   Are you sure you want to install/upgrade the above packages?
   [Y/n/?/...] y
   Reading changelogs... Done
   ...
   Configuration file '/etc/fwupd/fwupd.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
  D : show the differences between the versions
  Z : start a shell to examine the situation
 The default action is to keep your current version.
   *** fwupd.conf (Y/I/N/O/D/Z) [default=N] ? y
   Installing new version of config file /etc/fwupd/fwupd.conf ...
   fwupd-offline-update.service is a disabled or a static unit not
   running, not starting it.
   fwupd-refresh.service is a disabled or a static unit not running,
   not starting it.
   fwupd.service is a disabled or a static unit not running, not
   starting it.
   Processing triggers for libc-bin (2.37-15) ...
   Processing triggers for man-db (2.12.0-3) ...
   Processing triggers for dbus (1.14.10-4) ...
   Processing triggers for hicolor-icon-theme (0.17-2) ...

   systemctl status fwupd
   ○ fwupd.service - Firmware update daemon
 Loaded: loaded (/usr/lib/systemd/system/fwupd.service; static)
 Active: inactive (dead)
   Docs: https://fwupd.org/

   sudo systemctl start fwupd

   systemctl status fwupd
   ● fwupd.service - Firmware update daemon
 Loaded: loaded (/usr/lib/systemd/system/fwupd.service; static)
 Active: active (running) since Thu 2024-03-07 16:37:27 CST; 3s ago
   Docs: https://fwupd.org/
   Main PID: 22184 (fwupd)
  Tasks: 7 (limit: 18110)
 Memory: 23.7M (peak: 108.7M)
    CPU: 988ms
 CGroup: /system.slice/fwupd.service
 └─22184 /usr/libexec/fwupd/fwupd

I kept fwupd at 1.9.11-1 since this bug was reported, but the new 
version seems to be in the clear.


Best.

Richard

Bug#1065567: timedatectl does not recognize ntpsec

[Richard Laager]

If I'm understanding this correctly, I just need to install a file with 
the contents "ntpsec.service" to 
/usr/lib/systemd/ntp-units.d/50-ntpsec.list. That's easy enough to do.


--
Richard



OpenPGP_signature.asc
Description: OpenPGP digital signature

Bug#1065434: spice-vdagent: Automatic window resize not working XFCE and MATE desktops (Cinnamon works correctly)

[Richard Maher]

Package: spice-vdagent
Version: 0.22.1-4+b1
Severity: important
X-Debbugs-Cc: po42st+deb12...@gmail.com

Dear Maintainer,

* What led up to the situation?
Installed Debian Bookworm 12.5 XFCE VM within Debian 12.4 + Proxmox 8.1.4 XFCE
workstation. On the VM installed spice-vdagent. Noticed that the Debian VM's
desktop would not automatically resize to the client screen size on boot or to
the client window size if running in a window after rebooting VM. Checked
settings of client machines Virtual Machine Viewer 11. Auto resize is set.
Checked spice-vdagent was running on the VM with "sudo systemctl status spice-
vdagent", it was. Checked that the copy and paste between the client OS and VM
was functional. It was.

* What exactly did you do (or not do) that was effective (or ineffective)?
Opened the VM XFCE display settings from the graphical XFCE desktop. Noticed
that a VM window resize or switch to full screen was being picked up by the VM
display settings manager but was not being selected and activated
automatically. The pictoral "Virtual-1" window representation would change
shape however the display settings "Resolution" drop down box would become
blank. On selecting the "Resolution" drop down box, the display window setting
required is shown at the very top of the list with an asterix (*) against it.
Selecting this option and then apply correctly resizes the desktop resolution
to match the VM window size. However this behavior should be automatic and not
require user intervention.

The issue was googled. Indication that the issue was affecting MATE but not
Cinnamon desktops was found. MATE and Cinnamon desktops were also installed
into a cloned instance of the VM to test. This was confirmed. Cinnamon works
correctly and auto resizes. MATE does not and also was found to not take on the
settings into the Display manager unlike XFCE.

The affected test VM was updated to Trixie and the same tests carried out
again. The same behaviour was found as with Bookworm 12.5.

The logs available for spice-vdagent were searched for within the Gnome Logs
application. Errors were found with each resizing the VM display window:

14:06:31 spice-vdagent:error message: Cannot invoke method; proxy is for
the well-known name without an owner, and proxy was constructed with the
G_DBUS_PROXY_FLAGS_DO_NOT_AUTO_START flag
14:06:31 spice-vdagent:error message: Cannot invoke method; proxy is for
the well-known name without an owner, and proxy was constructed with the
G_DBUS_PROXY_FLAGS_DO_NOT_AUTO_START flag
14:06:31 spice-vdagent: display: failed to call GetCurrentState from mutter
over DBUS
14:06:31 spice-vdagent:error message: Cannot invoke method; proxy is for
the well-known name without an owner, and proxy was constructed with the
G_DBUS_PROXY_FLAGS_DO_NOT_AUTO_START flag
14:06:31 spice-vdagent: display: failed to call GetCurrentState from mutter
over DBUS

* What was the outcome of this action?
Automatic window resize not working XFCE and MATE desktops (Cinnamon works
correctly)

* What outcome did you expect instead?

Automatic window resizing.


-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.15-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages spice-vdagent depends on:
ii  init-system-helpers  1.66
ii  libasound2   1.2.10-3
ii  libc62.37-15
ii  libdbus-1-3  1.14.10-4
ii  libdrm2  2.4.120-2
ii  libglib2.0-0 2.78.4-1
ii  libgtk-3-0   3.24.41-1
ii  libpciaccess00.17-3
ii  libsystemd0  255.3-2
ii  libx11-6 2:1.8.7-1
ii  libxinerama1 2:1.1.4-3
ii  libxrandr2   2:1.5.2-2+b1

spice-vdagent recommends no packages.

spice-vdagent suggests no packages.

-- no debconf information

Bug#1056137: systemd: downgrading systemd packages kills off the desktop environment

[Richard Lewis]

On Wed, 28 Feb 2024 18:37:41 +0100 Michael Biebl  wrote:

> On Fri, 17 Nov 2023 14:40:05 +0100 Christoph Anton Mitterer
>  wrote:
> > Package: systemd
> > Version: 255~rc2-1

> > Because of #1056135 I was downgradin systemd/udev packages to 254.5-1.
> > While apt was still running, this causes the whole desktop environment
> > (I use cinnamon) to be killed (and all processes in it ;-) ).


> My guess is, that the failures you encountered are due to the following
> change in v255:
>
> """
>  Service Manager:
>
>  * The way services are spawned has been overhauled.

I couldnt follow the bit i deleted, and this maybe jumping to
conclusions: are there any implications for upgrading to/after 255
within a desktop environment?
should something be said in the release-notes?

Bug#1064395: logcheck: rsyslog produces two timestamp formats in latest version

[Richard Lewis]

On Mon, 26 Feb 2024, 13:03 Michael Biebl,  wrote:

> Hi
>
> On Thu, 22 Feb 2024 19:01:05 +0000 Richard Lewis
>  wrote:
> > On Thu, 22 Feb 2024, 10:15 Ralf Schlatterbeck,  wrote:
> >
> > > On Wed, Feb 21, 2024 at 02:52:33PM +0100, Ralf Schlatterbeck wrote:
> > > >
> > > > I forgot to mention:
> > > > There is an upstream (rsyslog) bug-report at
> > > > https://github.com/rsyslog/rsyslog/issues/5332
> > >
> > > Upstream has decided that it is not a bug and that both timestamp
> > > formats are valid RFC 3339 (I've checked, the grammar explicitly
> defines
> > > the sub-seconds part of the timestamp as optional). See link above.
> > > They also think, logcheck should cope with both formats.
> > >
> > > So I guess that logcheck should be prepared to receive both kinds of
> > > timestamps, the 32-byte version and the 25-byte version (without the
> > > subseconds timestamp).
> > >
> >
> > what is the default, and does logcheck cope with that? there's a limit to
> > how much to suport out of the box - especially as rsyslog is no longer
> the
> > default.
>
> Just to clarify: It is correct that rsyslog is no longer installed by
> default. That said, I would still consider rsyslog the default syslog
> daemon in Debian. Packages that depend on system-log-daemon typically do
> this via a "Depends: rsyslog | system-log-daemon"
>

thanks - agree logcheck should cope with a default rsyslog output. ... i
just dont know what that default output is: does the below mean the
subseconds are now always present?

or: what regexp should logcheck use as prefix?



As for this specific issue, Ralf has found a way to make ensure that
> remote syslog messages also carry a subseconds timestamp by explicitly
> specifying the format when forwarding the messages [2]
>
> Michael
>
> [1]
>
> https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.36/administration-guide/ts-format
> [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064385#29
>

Bug#1064574: file-roller: 7zip can't handle encrypted archives with encrypted file names

[Richard]

Package: file-roller
Version: 43.1-1
Severity: important

Dear Maintainer,
it seems the version of file-roller is partially broken, possibly due to the
fact that it still lists p7zip-full as dependency and not the new 7zip
package
and thus might be missing some adaptation. Maybe some behavior of the 7z
interface has changed, I can't tell. I can only tell that file-roller is
incapable of opening and extracting encrypted 7zip archives that have their
file names encrypted as well. The 7z CLI from the 7zip package can do so
with
no issues, so it seems to be an issue with file-roller. At least, I think
it was
capable of handling this kind of archives before p7zip was replaced by 7zip.

The issue shows itself in the form that when trying to open such a file with
file-roller, it doesn't ask for a password, but only shows an empty screen.
You
can select "extract", but it will fail with a message that the extraction
couldn't be performed. Sadly, I have yet to be able to collect any kind of
logs.


-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (50, 'experimental'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.6.15-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE
not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages file-roller depends on:
ii  7zip [p7zip-full]23.01+dfsg-8
ii  bzip21.0.8-5+b2
ii  dconf-gsettings-backend [gsettings-backend]  0.40.0-4+b1
ii  libarchive13 3.7.2-1
ii  libc62.37-15
ii  libcairo21.18.0-1+b1
ii  libgdk-pixbuf-2.0-0  2.42.10+dfsg-3+b1
ii  libglib2.0-0 2.78.4-1
ii  libgtk-3-0   3.24.41-1
ii  libhandy-1-0 1.8.3-1
ii  libjson-glib-1.0-0   1.8.0-2
ii  libnautilus-extension4   45.2.1-4
ii  libpango-1.0-0   1.51.0+ds-4
ii  p7zip-full   16.02+transitional.1

Versions of packages file-roller recommends:
ii  gvfs  1.53.90-2
ii  yelp  42.2-1+b1

Versions of packages file-roller suggests:
ii  arj  3.10.22-26
ii  lhasa [lha]  0.4.0-1+b1
ii  lzip 1.24-1
ii  lzop 1.04-2
pn  ncompress
ii  rpm2cpio 4.18.2+dfsg-1
pn  rzip 
pn  sharutils
ii  squashfs-tools   1:4.6.1-1
ii  unace1.2b-23
ii  unalz0.65-9
ii  unar 1.10.7+ds1+really1.10.1-2+b3
ii  unzip6.0-28
ii  xz-utils [lzma]  5.4.5-0.3
ii  zip  3.0-13
pn  zoo  

-- no debconf information

Bug#1064395: logcheck: rsyslog produces two timestamp formats in latest version

[Richard Lewis]

On Thu, 22 Feb 2024, 10:15 Ralf Schlatterbeck,  wrote:

> On Wed, Feb 21, 2024 at 02:52:33PM +0100, Ralf Schlatterbeck wrote:
> >
> > I forgot to mention:
> > There is an upstream (rsyslog) bug-report at
> > https://github.com/rsyslog/rsyslog/issues/5332
>
> Upstream has decided that it is not a bug and that both timestamp
> formats are valid RFC 3339 (I've checked, the grammar explicitly defines
> the sub-seconds part of the timestamp as optional). See link above.
> They also think, logcheck should cope with both formats.
>
> So I guess that logcheck should be prepared to receive both kinds of
> timestamps, the 32-byte version and the 25-byte version (without the
> subseconds timestamp).
>

what is the default, and does logcheck cope with that? there's a limit to
how much to suport out of the box - especially as rsyslog is no longer the
default.

if you configure a logger to produce a certain format it's not unreasonable
to also have to edit logcheck rules accordingly

But a longer-term solution is perhaps to allow easier customisation of
rules via "macros"/variables --- a proof-of-concept for this is in
progress, but not.yet ready for testing

Bug#959867: ifup kills dhclient on if-up.d script failure

[Daniel Richard G.]

I was recently bitten by this as well.

It was particularly bad in my case: on a headless server, with the
network connection being my only way in---and the problem was not with
the main Ethernet interface, but with a separate WireGuard one that I
was not using (both marked as "auto").

The eno1 interface got a DHCP connection without issue. But the wg0
config had a post-up routing-setup bug that I'd missed in earlier
testing. As the syslog excerpt below shows, the failure to bring up wg0
caused *all* of the "Raise network interfaces" task to be walked back.
And as this only killed dhclient and left eno1 configured, I thought all
was fine... until the system dropped off the network twelve hours later.

(It's also clear that dhclient was killed uncleanly, because the next
time it runs, you get a "Removed stale PID file" message.)

The "FIB table does not exist" error is where things start to go wrong:

2024-02-05T22:19:06.343712-05:00 darkstar systemd[1]: Starting 
networking.service - Raise network interfaces...
2024-02-05T22:19:06.377118-05:00 darkstar dhclient[620]: Internet Systems 
Consortium DHCP Client 4.4.3-P1
2024-02-05T22:19:06.377147-05:00 darkstar ifup[620]: Internet Systems 
Consortium DHCP Client 4.4.3-P1
2024-02-05T22:19:06.377154-05:00 darkstar ifup[620]: Copyright 2004-2022 
Internet Systems Consortium.
2024-02-05T22:19:06.377159-05:00 darkstar ifup[620]: All rights reserved.
2024-02-05T22:19:06.377164-05:00 darkstar ifup[620]: For info, please visit 
https://www.isc.org/software/dhcp/
2024-02-05T22:19:06.377178-05:00 darkstar dhclient[620]: Copyright 
2004-2022 Internet Systems Consortium.
2024-02-05T22:19:06.377190-05:00 darkstar dhclient[620]: All rights 
reserved.
2024-02-05T22:19:06.377201-05:00 darkstar dhclient[620]: For info, please 
visit https://www.isc.org/software/dhcp/
2024-02-05T22:19:06.377213-05:00 darkstar dhclient[620]: 
2024-02-05T22:19:06.675691-05:00 darkstar dhclient[620]: Listening on 
LPF/eno1/XX:XX:XX:XX:XX:XX
2024-02-05T22:19:06.675765-05:00 darkstar ifup[620]: Listening on 
LPF/eno1/XX:XX:XX:XX:XX:XX
2024-02-05T22:19:06.675783-05:00 darkstar ifup[620]: Sending on   
LPF/eno1/XX:XX:XX:XX:XX:XX
2024-02-05T22:19:06.675796-05:00 darkstar ifup[620]: Sending on   
Socket/fallback
2024-02-05T22:19:06.675831-05:00 darkstar dhclient[620]: Sending on   
LPF/eno1/XX:XX:XX:XX:XX:XX
2024-02-05T22:19:06.675863-05:00 darkstar dhclient[620]: Sending on   
Socket/fallback
2024-02-05T22:19:06.675919-05:00 darkstar dhclient[620]: DHCPREQUEST for 
192.168.1.2 on eno1 to 255.255.255.255 port 67
2024-02-05T22:19:06.675956-05:00 darkstar ifup[620]: DHCPREQUEST for 
192.168.1.2 on eno1 to 255.255.255.255 port 67
2024-02-05T22:19:09.219179-05:00 darkstar kernel: [6.436538] e1000e 
:00:1f.6 eno1: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
2024-02-05T22:19:09.219201-05:00 darkstar kernel: [6.436674] IPv6: 
ADDRCONF(NETDEV_CHANGE): eno1: link becomes ready
2024-02-05T22:19:11.467192-05:00 darkstar dhclient[620]: DHCPREQUEST for 
192.168.1.2 on eno1 to 255.255.255.255 port 67
2024-02-05T22:19:11.467252-05:00 darkstar ifup[620]: DHCPREQUEST for 
192.168.1.2 on eno1 to 255.255.255.255 port 67
2024-02-05T22:19:11.470106-05:00 darkstar dhclient[620]: DHCPACK of 
192.168.1.2 from 192.168.1.1
2024-02-05T22:19:11.470172-05:00 darkstar ifup[620]: DHCPACK of 192.168.1.2 
from 192.168.1.1
2024-02-05T22:19:11.509438-05:00 darkstar dhclient[620]: bound to 
192.168.1.2 -- renewal in 21284 seconds.
2024-02-05T22:19:11.509497-05:00 darkstar ifup[620]: bound to 192.168.1.2 
-- renewal in 21284 seconds.
2024-02-05T22:19:11.575017-05:00 darkstar kernel: [8.793246] wireguard: 
WireGuard 1.0.0 loaded. See www.wireguard.com for information.
2024-02-05T22:19:11.575027-05:00 darkstar kernel: [8.793252] wireguard: 
Copyright (C) 2015-2019 Jason A. Donenfeld . All Rights 
Reserved.
2024-02-05T22:19:11.589364-05:00 darkstar ifup[689]: Error: ipv4: FIB table 
does not exist.
2024-02-05T22:19:11.589373-05:00 darkstar ifup[689]: Flush terminated
2024-02-05T22:19:11.589765-05:00 darkstar ifup[583]: ifup: failed to bring 
up wg0
2024-02-05T22:19:11.599118-05:00 darkstar systemd[1]: networking.service: 
Main process exited, code=exited, status=1/FAILURE
2024-02-05T22:19:11.663575-05:00 darkstar systemd[1]: networking.service: 
Failed with result 'exit-code'.
2024-02-05T22:19:11.664060-05:00 darkstar systemd[1]: Failed to start 
networking.service - Raise network interfaces.
2024-02-05T22:19:11.664996-05:00 darkstar systemd[1]: Reached target 
network.target - Network.
2024-02-05T22:19:11.665371-05:00 darkstar systemd[1]: Reached target 
network-online.target - Network is Online.

Bug#1061599: gnome-online-accounts: cannot login to Nextcloud 26.0.7 since 3.49.0-1 - http 405 method not allowed

[Richard B. Kreckel]

On 2/5/24 00:08, Jeremy Bícha wrote:

I do not believe your issue is the same since you are still able to
log in to your NextCloud, but the original bug poster is not.


Okay.


Yes, I believe it is expected that updating GNOME Online Accounts to
3.49 will require reauthenticating. Authentication is now handled in
the user's regular web browser instead of a webkitgtk dialog which
makes login more reliable and should be more resilient to
authentication changes from upstream providers.


I was looking for information like this pointing out the 
incompatibility. (The changelog does mention that authentication for 
Google & Microsoft now uses the web browser, but nothing about nextCloud 
etc.)



It is not expected that everything will work if you try to share
configuration between different operating system versions. Sorry.


:(   Ouch! This is so frustrating.

  -richy.
--
Richard B. Kreckel
<https://in.terlu.de/~kreckel/>

Bug#1061599: gnome-online-accounts: cannot login to Nextcloud 26.0.7 since 3.49.0-1 - http 405 method not allowed

[Richard B. Kreckel]

Confirmed: Same problem here for nextCloud and for google accounts.

Gnome files says "Unable to access usern...@googlemail.com Invalid 
credentials for usern...@googlemail.com".
Same for nextCloud accounts. goa-daemon says 
"/org/gnome/OnlineAccounts/Accounts/account_1706819076_1: Setting 
AttentionNeeded to TRUE
 because EnsureCredentials() failed with: Invalid password with 
username “username” (goa-error-quark, 4): Authentication failed (goa-e

rror-quark, 4)

I can remove the accounts and re-add them. But then they don't work with 
gnome-online-accounts 3.46.0-1 (Debian stable machine where same home 
dir is mounted). There, I can remove them and re-add them. But changing 
to 3.49.0-1 from testing all starts over again.


Seems like compatibility broke badly.

Bug#1060023: Acknowledgement (ITP: keyd -- Keyboard key remapping daemon for Linux)

[Richard Hansen]

I have been uploading drafts of the new keyd package to:

  https://mentors.debian.net/package/keyd/

Any feedback would be appreciated.


OpenPGP_signature.asc
Description: OpenPGP digital signature

Bug#1031956: ausweisapp2: App starts hidden in the background on gnome-shell + appindicator

[Richard]

Am Mi., 17. Jan. 2024 um 17:08 Uhr schrieb John Paul Adrian Glaubitz <
glaub...@physik.fu-berlin.de>:

> > This is exactly what it's supposed to mean. Packages distributed by
> Debian are obviously required
> > to not be broken when they hit stable. Otherwise an update wouldn't be
> accepted to  be sent to stable.
>
> The package is not broken. It works as intended by the upstream
> developers. It does not say anywhere
> that AusweisApp is supposed to work on a non-Qt system.
>

This is just not how anything works. Besides the fact that after Gnome was
made because people didn't like Qt's licensing and after a while they both
added compatibility for each others software - there basically isn't such
thing as a "non-Qt system". A non-Qt system would be a system with no Qt
dependencies available. But you'll probably never find any distro where
this is the case. That's why any package will always work with any DE, no
matter if it was build with GTK, Qt or something else. Sure, with Wayland
needing to be supported by the DEs instead of a  generic server, it can
happen that some minor things need to be harmonized, e.g. communicating a
sensible cursor size to Qt apps in a Gnome DE, but that's it. There's
absolutely nothing that makes Qt apps Plasma only or GTK apps Gnome only.

>
> > And since neither Debian with KDE nor Debian with Gnome is a separate
> distribution, obviously a
> > package is supposed to work with both.
>
> Sorry, but that's just non-sense. If an upstream project does not support
> GNOME, it will not
> support GNOME on Debian either. Again, you are barking up the wrong tree
> here.
>

Again, not how anything works.

>
> > That's why all KDE packages will pull in all necessary dependencies
> required to run in Gnome (or
> > any other DE offered by Debian) and vice versa. If any package would be
> allowed in stable in a
> > theoretical future where it only supports Wayland and not X while not
> all available DEs would
> > be supporting Wayland would be very questionable. And that's just
> another version of this exact problem.
>
> It's simply not possible to support every possible use cases. You just
> have to accept that.
>
Obviously not. But every use case supported by Debian itself must be
supported by the packages. With DEs it's not like with CPU architectures
where you can simply choose not to compile a package for a specific
architecture. Besides the fact that even that's not relevant. Even
AusweisApp is being compiled for pretty much any architecture supported by
debian, simply because there's nothing preventing it. That's at least true
for anything in the main repo. The only exception I know of is Steam, but
that's only shipped in contrib (and used to be non-free). So yes, every use
case supported by Debian stable in the main repo must be supported by every
package in that branch. Everything else wouldn't make any sense after all.

The real software world is not perfect.
>
> > > The limitations around GNOME support are an upstream issue and not
> related to packaging which
> > > is what I am doing. Claiming that a particular issue that is not a
> serious bug must be fixed
> > > before the next release is something that I would call entitlement. If
> you have figured out
> > > how to fix this particular problem, you are free to send a patch to me
> or upstream. That's
> > > how it works with community-maintained software.
> >
> > It's obviously serious since it literally renders the software unusable
> for some users. If you
> > have a different opinion, you should really re-read the severity levels'
> definitions:
> > https://www.debian.org/Bugs/Developer#severities
> > important: a bug which has a major effect on the usability of a package,
> without rendering it
> > completely unusable to everyone.
> > This is literally what this is.
>
> And you're still missing the point that the issue you are seeing here is
> not a limitation of Debian
> but of the upstream software you are using. You are blaming me for
> something that I am not responsible
> for.
>
> I am neither the upstream developer of GNOME nor of Qt or the AusweisApp.
> I am the person who is
> maintaining AusweisApp in Debian. And I am shipping the software as it is
> provided by upstream.
>
> If upstream doesn't support usecase X, I am not the person to be blamed.
>
You really should look up how "Maintainer" was defined when the concept was
introduced: https://www.debian.org/vote/2007/vote_003
One of the points: unfixed bugs may lead to the Maintainers key removal
from the Debian Maintainers keyring, effectively revoking their status of
being a Maintainer.


> > > Neither me nor the upstream maintainer are actually getting paid to
> provide this application
> > > on Linux or on Debian, so it's perfectly fine that we get to decide
> how we spend our free
> > > time.
> >
> > Nobody said otherwise. But literally with a bug this severe v2 can't and
> shouldn't be accepted
> > into stable with Trixie. And if nobody fixes it, it's 

Bug#1031956: TrayIcon

[Richard]

Hi,
I'm sorry, but you must have misread the bug report. Nobody's talking about
autostart. When the app is opened, be it from its desktop icon or from a
terminal, in Gnome with an extension enabled to enable a tray for icons of
apps running the background, AusweisApp does add its icon to the tray
(though not actually showing an icon, so there's just an empty button). But
that's it. If it was wokring as supposed, its icon would also be added to
Gnome's dock and usually - if the app doesn't have an option enabled to
start as a background app - obviously the apps UI is supposed to open up.
Both last things don't happen. Also, from the tray icon, you can only close
the app. There's no option to toggle the window (or whatever programs call
that option). This is the whole issue, rendering the app completely
unusable for all users meeting the aforementioned criteria.

Yes, if you start it with --show, you get the UI. But if you close it, it
closes to tray with no option to get it back. And no, by no means it's
supposed to be a deamon that only shows its UI when it's used for
authentication. That's not how the Windows version works, not the Android
version and most likely no version of AusweisApp. So why should the Linux
app? Otherwise you wouldn't be able to change settings, e.g. to connect to
a smartphone to act as a card reader.

When it comes to Qt apps that act as expected, I honestly don't use that
many Qt apps - or I just can't tell if an app uses Qt or something
completely different. VLC kinda works as expected - you can have it start
only showing a tray icon and do what you like from there. But VLC is dirt
old - I was not yet able to get VLC 4 to work on Linux. KeePassXC is based
on Qt 5 and certainly works as expected. I think Telegram desktop may be
written with Qt, that's definetely working as expected. Also, I'm using a
syncing app for a cloud service based on Owncloud (or Nextcloud), the Linux
Client is based on the Owncloud Linux client, which also is based on Qt5,
also working with a tray icon as expected.
Other than that, I don't really know that many Qt based apps, even less
that can make use of a tray icon, and then less that are already based on
Qt 6, independent of their use of tray icons.

Richard

Am Mi., 17. Jan. 2024 um 15:24 Uhr schrieb A. Klitzing :

> Hi there,
>
> the AusweisApp has no autostart option on Linux. Did you add the
> AusweisApp to autostart by yourself? Why is it expected that the app
> should be in foreground if the systems starts? It is a service
> application like a "daemon" that waits until a users click on a
> eID-link in the browser. As a work-around you can add "--show" to
> cmdline option to start in foreground.
>
> The app uses Qt for the TrayIcon. We can show "Open" on Linux like we
> do for macOS if you like. You can see in Qt doc [2] the possible
> activation reason. Currently we use "Trigger" to show up the UI. This
> works for me on KDE. I tried Gnome on Debian right now and it requires
> a double-click. This looks like a bug in Qt or not documented
> behaviour. Do you know a Qt app with QSystemTrayIcon that works like
> you expected? So I can look into that.
>
> Best regards
> André
>
>
> [1]
> https://github.com/Governikus/AusweisApp/blob/master/src/ui/qml/TrayIcon.cpp#L112
> [2] https://doc.qt.io/qt-6/qsystemtrayicon.html#ActivationReason-enum
>
> --
> To unsubscribe, send mail to 1031956-unsubscr...@bugs.debian.org.
>

Bug#1031956: ausweisapp2: App starts hidden in the background on gnome-shell + appindicator

[Richard]

Am Di., 16. Jan. 2024 um 20:41 Uhr schrieb John Paul Adrian Glaubitz <
glaub...@physik.fu-berlin.de>:

> > Who says I am? I am running testing. Also, getting security updates
> from unstable is actually
> > recommended behavior, so the stuff around "FrankenDebian" is
> contradicting itself.
>
> There is no version 2.0.x in Debian stable nor stable-backports yet, so
> unless you built the
> package yourself from the unstable sources or installed the Flatpak
> version, you created a
> "FrankenDebian".
>
To be quoting myself:  *I am running testing**. AKA Trixie. *So no, there's
no FrankenDebian at work.

>
> And, no, the wiki page regarding "FrankenDebian" is not contradicting
> itself because security
> updates are provided through debian-security. These updates are built to
> target Debian stable,
> so it's perfectly fine to install them without risking to break anything.
>
It is not contradicting itself page-wide, but wiki-wide. This is the Wiki
entry for Debian Testing, where it literally recommends to do what the
"FrankenDebian" Wiki page recommends not to do:
https://wiki.debian.org/DebianTesting

*It is a good idea to install security updates from unstable since they
take extra time to reach testing and the security team only releases
updates to unstable.*

> > Entitled? Well that's rich. The point of the whole bug reporting system
> is exactly what we
> > are doing here. So yes, if you are unwilling to maintain the
> package, which will always
> > include getting bug reports if things don't behave as intended, then
> don't do it.
>
> Not really. If someone steps up to maintain something, it doesn't
> automatically mean they
> are responsible for supporting all possible configurations that exist
> within Debian which
> is what you are asking for. The package works perfectly fine on KDE which
> is what I am using
> myself.
>
This is exactly what it's supposed to mean. Packages distributed by Debian
are obviously required to not be broken when they hit stable. Otherwise an
update wouldn't be accepted to  be sent to stable. And since neither Debian
with KDE nor Debian with Gnome is a separate distribution, obviously a
package is supposed to work with both. That's why all KDE packages will
pull in all necessary dependencies required to run in Gnome (or any other
DE offered by Debian) and vice versa. If any package would be allowed in
stable in a theoretical future where it only supports Wayland and not X
while not all available DEs would be supporting Wayland would be very
questionable. And that's just another version of this exact problem.

>
> The limitations around GNOME support are an upstream issue and not related
> to packaging which
> is what I am doing. Claiming that a particular issue that is not a serious
> bug must be fixed
> before the next release is something that I would call entitlement. If you
> have figured out
> how to fix this particular problem, you are free to send a patch to me or
> upstream. That's
> how it works with community-maintained software.
>

It's obviously serious since it literally renders the software unusable for
some users. If you have a different opinion, you should really re-read the
severity levels' definitions:
https://www.debian.org/Bugs/Developer#severities
*important: a bug which has a major effect on the usability of a package,
without rendering it completely unusable to everyone.*
This is literally what this is.

>
> Neither me nor the upstream maintainer are actually getting paid to
> provide this application
> on Linux or on Debian, so it's perfectly fine that we get to decide how we
> spend our free
> time.
>
Nobody said otherwise. But literally with a bug this severe v2 can't and
shouldn't be accepted into stable with Trixie. And if nobody fixes it, it's
questionable how long this package will be accepted to stay in the repos at
all.

Bug#1031956: ausweisapp2: App starts hidden in the background on gnome-shell + appindicator

[Richard]

Am Mo., 15. Jan. 2024 um 21:38 Uhr schrieb John Paul Adrian Glaubitz <
glaub...@physik.fu-berlin.de>:

> On Mon, 2024-01-15 at 19:29 +0100, Richard wrote:
> > I second this report. The app did use to work actually, but recently -
> not sure with
> > transitioning to ausweisapp with v2.0 or later, this breaks for me too.
>
> What breaks? Please be more specific!
>
I mean the exact same behavior. App starts, it has an entry in the tray,
but no icon, also none in the Gnome dock and no window is opening,

>
> > This renders the app completely unusable, at least using Gnome, which
> should justify a
> > severity of important. It's quite irrelevant if the app is a Gnome, Gt
> or whatever app.
>
> It is actually quite relevant because it is up to the upstream developer
> which configurations
> they support and which not. There is an endless number of Linux
> distributions and desktop
> environments, so it's naturally impossible to support all of them.
>

Sure, but it's part of Debian's repository. And if it's supposed to stay
that way, something needs to be fixed. And for all I know this app doesn't
have an official Linux version. The website calls it a community version.
So whoever feels responsible, the person maintaining it in the Debian
repositories and keeping it there or the person that ported the app (not
even sure if the official app uses Qt). But the current state needs to be
resolved at least by the time Trixie hits stable. Sure, it wouldn't be the
best solution to dropp the app altogether, but having the app only on paper
for many users isn't one either.

>
> > Sure, the newer version right now is only available in testing and sid
> (tested both, same
> > result).
>
> Errm, you shouldn't be installing packages from unstable on a stable
> system [1].
>
Who says I am? I am running testing. Also, getting security updates from
unstable is actually recommended behavior, so the stuff around
"FrankenDebian" is contradicting itself.

>
> > But that just makes it more important that this is sorted out before
> this package is made
> > available in stable or stable-backports. Especially since running it as
> Flatpak would
> > probably render half the app unusable since the communication with the
> browser would
> > probably not work.
>
> FWIW, I am merely packaging the software for Debian. I am not the upstream
> developer. If
> you have problems with the software itself which is not related to
> packaging, you should
> direct your bug reports upstream.
>
> Unfortunately though, upstream actually does not officially support Linux,
> so they don't
> really care if it breaks. Thus, if you are really so annoyed by the
> software not working
> on your particular system, I am happy to request a removal of the package
> from the Debian
> archive mirrors so that I don't have to bother with such entitled bug
> reports anymore.
>
Entitled? Well that's rich. The point of the whole bug reporting system is
exactly what we are doing here. So yes, if you are unwilling to maintain
the package, which will always include getting bug reports if things don't
behave as intended, then don't do it.

Bug#1060917: postfix-mysql broken in 3.7.9, results in unsupported dictionary type

[Richard Rosner]

Package: postfix-mysql
Version: 3.7.9-0+deb12u1
Severity: grave
Justification: renders package unusable

Dear Maintainer,

With the update in stable-updates, this package seems to be no longer working. 
removing it and going back to 3.7.6 solves the issue. This is what it writes to 
journal:

Jan 16 14:58:32 mail postfix/smtpd[14969]: error: unsupported dictionary type: 
mysql
Jan 16 14:58:32 mail postfix/smtpd[14969]: connect from localhost[127.0.0.1]
Jan 16 14:58:32 mail postfix/trivial-rewrite[14972]: error: unsupported 
dictionary type: mysql
Jan 16 14:58:32 mail postfix/trivial-rewrite[14972]: warning: 
mysql:/etc/postfix/mysql-forwards.cf is unavailable. unsupported dictionary 
type: mysql
Jan 16 14:58:32 mail postfix/trivial-rewrite[14972]: warning: 
virtual_alias_domains: mysql:/etc/postfix/mysql-forwards.cf: table lookup 
problem
Jan 16 14:58:32 mail postfix/trivial-rewrite[14972]: warning: 
mysql:/etc/postfix/mysql-forwards.cf is unavailable. unsupported dictionary 
type: mysql
Jan 16 14:58:32 mail postfix/trivial-rewrite[14972]: warning: 
virtual_alias_domains: mysql:/etc/postfix/mysql-forwards.cf: table lookup 
problem
Jan 16 14:58:32 mail postfix/smtpd[14969]: warning: 
mysql:/etc/postfix/mysql-forwards.cf is unavailable. unsupported dictionary 
type: mysql
Jan 16 14:58:32 mail postfix/smtpd[14969]: warning: 
mysql:/etc/postfix/mysql-forwards.cf lookup error for "recei...@domain.de"
Jan 16 14:58:32 mail postfix/smtpd[14969]: NOQUEUE: reject: RCPT from 
localhost[127.0.0.1]: 451 4.3.0 : Temporary lookup 
failure; from= to= proto=ESMTP 
helo=

So it simply stops providing the mysql support it was made for, which renders 
postfix itself unusable unless you where to move away from mysql.


-- System Information:
Debian Release: 12.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-16-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages postfix-mysql depends on:
ii  libc62.36-9+deb12u3
ii  libmariadb3  1:10.11.4-1~deb12u1
ih  postfix  3.7.9-0+deb12u1

postfix-mysql recommends no packages.

postfix-mysql suggests no packages.

-- no debconf information

Bug#1031956: ausweisapp2: App starts hidden in the background on gnome-shell + appindicator

[Richard]

I second this report. The app did use to work actually, but recently - not
sure with transitioning to ausweisapp with v2.0 or later, this breaks for
me too. This renders the app completely unusable, at least using Gnome,
which should justify a severity of important. It's quite irrelevant if the
app is a Gnome, Gt or whatever app. Like any app, if it's included in
Debian it should not be broken beyond usability. Sure, the newer version
right now is only available in testing and sid (tested both, same result).
But that just makes it more important that this is sorted out before this
package is made available in stable or stable-backports. Especially since
running it as Flatpak would probably render half the app unusable since the
communication with the browser would probably not work.

Bug#1060459: scalpel: Scalpel not working on Apple Silicon

[Golden G. Richard III]

Package: scalpel
Version: 1.60-10
Severity: grave
Tags: patch
Justification: renders package unusable
X-Debbugs-Cc: goldenrich...@gmail.com

Dear Maintainer,

   * What led up to the situation?

I am the author of Scalpel.  Execution of Scalpel 1.60 (the version
that is currently in the scalpel package on Debian et al) fails
completely on VMs hosted on Apple Silicon because of some
long-standing memory corruption bugs.  It may also work incorrectly on
other platforms.

   * What exactly did you do (or not do) that was effective (or
 ineffective)?

I have placed updated source distros for Scalpel 1.60 as well as the
newer (and more powerful) Scalpel 2.02 on GitHub via
https://github.com/nolaforensix/scalpel-1.60 and
https://github.com/nolaforensix/scalpel-2.02.  My recommendation is to
rebuild the 1.60 package from the updated source and also consdering
adding 2.02.

   * What was the outcome of this action?

Scalpel is broken and I fixed it :)

   * What outcome did you expect instead?

N/A?


-- System Information:
Distributor ID: Kali
Description:Kali GNU/Linux Rolling
Release:2023.4
Codename:   kali-rolling
Architecture: x86_64

Kernel: Linux 6.5.0-kali3-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages scalpel depends on:
ii  libc6  2.37-12

scalpel recommends no packages.

scalpel suggests no packages.

-- no debconf information

Bug#1024683: Interest to participate

[Richard Liebig]

Hello! 
 
I would be willing to help out with packaging helix, seeing as it is really 
useful editor and I want to use in some debian systems on which cargo would not 
be a great route to install it.
 
Therefore I would like to offer my help with packaging some of its dependencies 
and maybe the main package as well. I would need some guidance on how to 
proceed, seeing as in the salsa there are a lot of dependencies still out 
necessary to be packaged.
 
Where could I start? Is there are any low-hanging fruit depency which could be 
a great target for me? 
 
I have registered an account with the Salsa gitlab and am waiting on approval 
for it.
 
Kind regards,
 
Richard

Bug#1060023: ITP: keyd -- Keyboard key remapping daemon for Linux

[Richard Hansen]

Package: wnpp
Severity: wishlist
Owner: Richard Hansen 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: keyd
  Version : 2.4.3
  Upstream Contact: Raheman Vaiya 
* URL : https://github.com/rvaiya/keyd
* License : Expat
  Programming Lang: C
  Description : Keyboard key remapping daemon for Linux

keyd is a system-wide key remapping daemon which supports features like
layering, oneshot modifiers, and macros. In its most basic form it can be used
to define a custom key layout that persists across display server boundaries
(e.g wayland/X/tty).


Why I'm packaging this: I converted my Chromebook to a normal laptop running
Debian, and use keyd to work around the device's limited keyboard (no Home, End,
PageUp, PageDown, or Del keys, among others).

Unlike tools like xmodmap, keyd works at a low level (via Linux kernel
interfaces evdev and uinput), so it works with X11, Wayland, and VTs without
needing any environment-specific support.  As far as I know, no existing Debian
package provides similar low-level functionality.

keyd's feature set overlaps with kmonad (https://github.com/kmonad/kmonad) which
also merits packaging.  I'm packaging keyd instead of kmonad because keyd is
considerably simpler, and I'm unfamiliar with the Haskell ecosystem (kmonad is
written in Haskell).

I am not a DD or DM, so I would like some team or DD to volunteer to co-maintain
and sponsor uploads.  I'm not sure which team would be the best match;
suggestions would be appreciated.  Maybe the input method team
(https://wiki.debian.org/Teams/IMEPackagingTeam) would be interested; I'll ping
them if nobody has an alternative suggestion.

Bug#1059854: libdrm2: New upstream available for libdrm

[Richard Ayotte]

Package: libdrm2
Version: 2.4.117-1
Severity: wishlist
X-Debbugs-Cc: r...@ayottesoftware.com

Dear Maintainer,

A new upstream version of available for the libdrm2 package is available and 
needed to run Hyprland.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.6.8-rt-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_CA:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libdrm2 depends on:
ii  libc6  2.38-2
ii  libdrm-common  2.4.117-1

libdrm2 recommends no packages.

libdrm2 suggests no packages.

-- no debconf information

Bug#1059769: chkrootkit-daily : filtering out empty lines to prevent unnecessary empty alert emails.

[Richard Lewis]

On Sun, 31 Dec 2023 at 17:30, Franck Richter  wrote:


> Currently chkrootkit-daily send me emails even if I ignore all false 
> positives using chkrootkit.ignore.
> Because chkrootkit outputs empty lines that cannot be excluded via 
> chkrootkit.ignore.

I havn't checked this, but: i think you can exclude blank lines using
chkrootkit.ignore - just add "^$" in there?

> It can be solved by adding to the filter in /etc/chkrootkit/chkrootkit.conf
>   -e '/^$/d'
>
> ie replacing:
> FILTER="sed -re 's![[:alnum:]]+: PACKET 
> SNIFFER\(((/lib/systemd/systemd-networkd|(/usr)?/sbin/(dhclient|dhcpc?d[0-9]*|wpa_supplicant|NetworkManager))\[[0-9]+\](,
>  )?)+\)!: PACKET 
> SNIFFER\([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID}\)!'
>  -e 's/(! [[:alnum:]+-]+)\s+[0-9]+/\1 {PID}/'"
> by
> FILTER="sed -e '/^$/d' -re 's![[:alnum:]]+: PACKET 
> SNIFFER\(((/lib/systemd/systemd-networkd|(/usr)?/sbin/(dhclient|dhcpc?d[0-9]*|wpa_supplicant|NetworkManager))\[[0-9]+\](,
>  )?)+\)!: PACKET 
> SNIFFER\([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID}\)!'
>  -e 's/(! [[:alnum:]+-]+)\s+[0-9]+/\1 {PID}/'"
>
> Would it make sense to put that in default chkrootkit.conf ?

hmm. I'm not sure it would!  The blank line there to separate output
from different tests, getting rid of it makes the output harder to
read, which doesnt seem like a good default.  (There's of course
nothing wrong with you adding that to your systems, if you prefer it
--- but im not sure it's the best as a default for everyone)

I'd instead look at using:
- DIFF_MODE - then (whatever your other settings) you'd only see the
report once, until something changes
- RUN_DAILY_OPTS
a) including a -q which should suppress the blank line entirely.
b) you might be able to use -e or -s options - these are used by
chkrootkit and if all files are ignored that way, then no
'WARNING+list+blank line' would be produced tat all, whereas the
chkrootkit.ignore and other filtering are only done at the end
- tbh id also investigate why these files are being shipped by debian
at all, especially .gitignore looks like a mistake!

Bug#1057302: Bug#1057234: sbuild: Generates weird messages in /var/log/syslog

[Richard Lewis]

On Sun, 3 Dec 2023 00:06:23 +0100 =?UTF-8?B?UHJldcOfZSwgSGlsbWFy?=
 wrote:
> On 02.12.2023 08:30, Johannes Schauer Marin Rodrigues wrote:
> > Quoting Hilmar Preusse (2023-12-01 23:10:36)
>
> Hi,
>
> >> I run sbuild as following:
> >>
> >> sbuild --no-run-lintian --arch-all --dist=sid *.dsc -d 
> >> unstable-amd64-sbuild
> >>
> >> , where unstable-amd64-sbuild references a chroot. Updating the chroot is 
> >> done:
> >>
> >> sudo sbuild-update -udcar unstable-amd64-sbuild
> >>
> >> Both commands generate weird messages in /var/log/syslog like this:
> >>
> >> 2023-12-01T09:36:52.230653+01:00 haka2 schroot[3182]: [unstable-
> >> amd64-sbuild-327cf8c2-30d1-4469-aa7b-9bc3653dbc45 chroot] (root->root) 
> >> Running
> >> command: "perl -e #012use strict;#012
> >> use warnings;#012use POSIX;#012

> > it may also be an issue with schroot, no? I do not think sbuild at any point
> > tells schroot to write anything to syslog.

I think this is done by the calls to debug, eg here:

https://salsa.debian.org/debian/sbuild/-/blob/main/lib/Sbuild/Chroot.pm?ref_type=heads#L811
debug("Running command: ", join(" ", @$command), "\n");

debug() is defined at
https://salsa.debian.org/debian/sbuild/-/blob/main/lib/Sbuild.pm?ref_type=heads#L336

to print to STDERR, which systemd will then connect to the journal (i
don't know how this last bit works, i think
it happens from schroot  - but the lines to write are generated by sbuild)

Bug#1058451: ntpsec: FTBFS [Hurd] change Build-Depends: systemd to [linux-any]

[Richard Laager]

On 2023-12-26 22:02, Martin-Éric Racine wrote:

On Wed, Dec 27, 2023 at 5:54 AM Richard Laager  wrote:


On 2023-12-26 21:43, Martin-Éric Racine wrote:

Looking at the diff for the Hurd port


What Hurd port?


https://deb.debian.org/debian-ports/pool-hurd-i386/main/n/ntp/


That is the wrong package (ntp vs ntpsec). That is not in any way 
relevant to this conversation.


--
Richard



OpenPGP_signature.asc
Description: OpenPGP digital signature

Bug#1058451: ntpsec: FTBFS [Hurd] change Build-Depends: systemd to [linux-any]

[Richard Laager]

On 2023-12-26 21:43, Martin-Éric Racine wrote:

Looking at the diff for the Hurd port


What Hurd port?

--
Richard



OpenPGP_signature.asc
Description: OpenPGP digital signature

Bug#1058451: ntpsec: FTBFS [Hurd] change Build-Depends: systemd to [linux-any]

[Richard Laager]

On 2023-12-26 02:38, Martin-Éric Racine wrote:

On Mon, Dec 25, 2023 at 12:20 AM Richard Laager  wrote:

If past me was correct, without systemd at build-time, waf will not
install the systemd units. Then we will end up with other failures in
debian/rules or from the .install files.


Not installing them on platforms where systemd has not been ported is
the correct action.


Agreed. My point was that additional work would be required, during the 
package building process, to not blow up when those files are missing 
from `waf install`.



It built enough to have ntpdate.
bin:ntpdate is just a transitional package to transition uses of the old 
src:ntp's bin:ntpdate to src:ntpsec's bin:ntpsec-ntpdate. It is 
Architecture: all, which is why it is available on Hurd.


In ntpsec, the ntpdate executable is just a thin wrapper around ntpdig, 
which ships in the bin:ntpsec-ntpdig package (formerly, it was in 
bin:ntpsec-ntpdate). While ntpdig is Python, so it doesn't actually 
require compilation, it is presumably going to require some build steps 
happen.



ifeq (hurd, $(DEB_HOST_ARCH_OS))
  # hurd does not provided the system calls needed for ntpd to work.
  exit 1
endif

I see a couple of ways forward here:

A) I properly indicate this package does not support HURD.

 I think I would just replace the "Architecture: any" with
 "Architecture: linux-any" on binary packages in debian/control, but
 I would love confirmation on that.


Which is what this bug requested


I'm confused.

What you asked for was for me to limit "Build-Depends: systemd" to 
[linux-any]. What I said here was that I'd limit all the built binary 
packages to [linux-any], dropping any claims of support for HURD.


The rest of your email reads to me like you think this package should 
support HURD to some degree. But here you are agreeing with the choice 
that it should not support HURD _at all_.


I'm fine with dropping support for HURD entirely. I think that would be 
more honest than the current state of affairs where the build just fails.


But if ntpdig is something that would be useful on HURD, I suppose it 
would be nice if we could figure out how to make bin:ntpsec-ntpdig (and 
some other packages) build for HURD.


If you are interested in HURD support, could you start with the attached 
patch to ntpsec, try to build it, and see what happens?


--
Richard
diff --git a/debian/control b/debian/control
index a33a26ecb..2b1bc2a18 100644
--- a/debian/control
+++ b/debian/control
@@ -18,7 +18,7 @@
python3,
python3-dev,
python3-gps,
-   systemd,
+   systemd [linux-any],
xsltproc,
xz-utils,
 Build-Conflicts: libavahi-compat-libdnssd-dev,
@@ -31,7 +31,7 @@
 Homepage: https://www.ntpsec.org
 
 Package: ntpsec
-Architecture: any
+Architecture: [linux-any]
 Pre-Depends: ${misc:Pre-Depends},
 Depends: adduser,
  netbase,
diff --git a/debian/rules b/debian/rules
index dc23970f5..ff816974d 100755
--- a/debian/rules
+++ b/debian/rules
@@ -12,10 +12,6 @@
 	dh $@ --with apache2,python3
 
 override_dh_auto_configure:
-ifeq (hurd, $(DEB_HOST_ARCH_OS))
-	# hurd does not provided the system calls needed for ntpd to work.
-	exit 1
-endif
 	# Only build with refclocks NOT slated for removal.  See also
 	# debian/patches/update-refclock-docs.patch.  However, if the reason
 	# for deprecation is only "two digit years", I *am* keeping it.


OpenPGP_signature.asc
Description: OpenPGP digital signature

Bug#1058451: ntpsec: FTBFS [Hurd] change Build-Depends: systemd to [linux-any]

[Richard Laager]

On 2023-12-12 04:52, Martin-Éric Racine wrote:

Build-Depends: systemd must be changed to systemd [linux-any], since systemd 
has not been powerted to non-Linux platforms.


I suspect that change would be necessary, but not sufficient.

In commit 7f969a0ecab4ef3ab50defd4fe9d7e7a47817dbe, I wrote:
  Build-Depend on systemd

  This is required for the pkg-config file, so that waf will detect
  systemd and install the systemd units.

If past me was correct, without systemd at build-time, waf will not 
install the systemd units. Then we will end up with other failures in 
debian/rules or from the .install files.


HURD is the only non-Linux platform that Debian supports these days, 
right? kFreeBSD is gone, IIRC.


The ntpsec package (like ntp before it, IIRC) does not build on HURD 
anyway. From debian/rules:


ifeq (hurd, $(DEB_HOST_ARCH_OS))
# hurd does not provided the system calls needed for ntpd to work.
exit 1
endif

I see a couple of ways forward here:

A) I properly indicate this package does not support HURD.

   I think I would just replace the "Architecture: any" with
   "Architecture: linux-any" on binary packages in debian/control, but
   I would love confirmation on that.

B) Someone who cares about HURD figures out how much of this package can
   reasonably be expected to work and submits a patch.

--
Richard


OpenPGP_signature.asc
Description: OpenPGP digital signature

Bug#1058511: ntpsec: FTBFS: mv: cannot stat 'debian/tmp/lib/systemd/system/ntpd.service': No such file or directory

[Richard Laager]

Control: fixed 1.2.2+dfsg1-3

This looks to be the same as #1052664.

--
Richard



OpenPGP_signature.asc
Description: OpenPGP digital signature

Bug#1058961: ntpsec: postinst should check for user:group before adding them

[Richard Laager]

On 2023-12-18 16:15, Bob Proulx wrote:

Package: ntpsec
Version: 1.2.2+dfsg1-3
Severity: normal
Tags: patch

Every time the ntpsec package upgrades it attempts to unconditionally
add the ntpsec user and group as per the following postinst snippet.

addgroup --system --quiet ntpsec
adduser --system --quiet --ingroup ntpsec \
--no-create-home --home /nonexistent ntpsec

This logs errors because the user and group already exists.


For the record, the "logs" here is critical. These errors show up in the 
logs, not on stdout. This is why I have never noticed this behavior 
until now (whether in ntpsec or just generally, having used adduser for 
years).



Please test for the existence of those groups before creating them as
other packages such as apt and others do.  Adding the following "if"
and "getent" checking fixes this using the same method the apt package
and others do.

 if ! getent passwd ntpsec > /dev/null; then
addgroup --system --quiet ntpsec
 fi
 if ! getent group ntpsec > /dev/null; then
adduser --system --quiet --ingroup ntpsec \
--no-create-home --home /nonexistent ntpsec
 fi


Those getent checks have passwd & group swapped, but otherwise, yes, 
that's what we want. I'll upload a fix shortly. Thanks!


--
Richard



OpenPGP_signature.asc
Description: OpenPGP digital signature

Bug#1059273: missing path /var/lib/ntp/drift-tmp in apparmor.d/usr.sbin.ntpd

[Richard Laager]

On 2023-12-22 05:32, Stefan Bauer wrote:

Apparmor denies creation of /var/lib/ntp/drift-tmp.


Where are you getting /var/lib/ntp/drift from?

The ntpsec package in Debian has (from when both ntp and ntpsec existed 
in Debian) everything namespaced under "ntpsec". It uses 
/var/lib/ntpsec/ntp.drift in the default config file.


Maybe you have something different set. What does "grep driftfile 
/etc/ntpsec/ntp.conf" say?


--
Richard

Bug#1057570: libgnt: FTBFS: error: invalid use of incomplete typedef ‘PANEL’ {aka ‘struct panel’}

[Richard Laager]

On 2023-12-20 09:57, Sven Joachim wrote:

I have not tested it myself, but these errors should be fixed in libgnt
2.14.4 which has been released upstream the other day.  See
https://keep.imfreedom.org/libgnt/libgnt/rev/2da723f790d6, which
explicitly mentions this bug.


Thanks for letting me know!

--
Richard

Bug#1058755: logcheck: Email not report log lines

[Richard Lewis]

control: close -1
thanks

On Tue, 19 Dec 2023, 08:39 Stefano Callegari, 
wrote:

>
>

> > The logs lines there are, but after the header I see many blank lines: I
> > use mutt in a full screen console (more than 50 lines) and I need to
> press
> > page down for 16 times before reach the first line of logs (in the last
> one
> > email).
> >




> May be the problem is related with irqbalance.
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1058886
> https://bugs.launchpad.net/ubuntu/+source/irqbalance/+bug/2046470
> https://ubuntuforums.org/showthread.php?t=2493441=14169790
>
>
that loooks quite likely to be it - although trailing space does get
removed, it looks like the lines end with lots of dashes.

You can filter these lines like any other, and setting SORTUNIQ reduces
duplication (a bit)


> > If you think, close the bug.
>

thanks - yes the output looks normal. the "output" is actually on stderr so
to save it, use ... 2>&1 or similar.

Bug#1058755: logcheck: Email not report log lines

[Richard Lewis]

On Sun, 17 Dec 2023 at 19:03, Stefano Callegari
 wrote:
> Il Fri, Dec 15, 2023 at 11:31:18PM +0000, Richard Lewis scrisse:
> > On Fri, 15 Dec 2023 at 16:06, Stefano Callegari
> >  wrote:
> >
> > > from few days the email from cron are empty, there is only the header.txt.
> >
> > > /etc/logcheck <-bash> # su -s /bin/bash -c "/usr/sbin/logcheck -l 
> > > /var/log/syslog" logcheck
> > >
> > > the email has the log lines. Without the -l option, still empty.
> >
> > Seems like it isnt checking the syslog -- what is in the files in
> > /etc/logcheck/logcheck.logfiles.d/  and logcheck.conf ?
>

> ~ <-bash> # ls /etc/logcheck/logcheck.logfiles.d/
> journal.logfiles  syslog.logfiles

[snip] -- everything you posted looked fine and standard to me: it
should be checking both syslog and the journal as expected

The only other thing you didn't include is a check of the permissions:
there was a change in bookworm - i doubt that
this is the issue, but for completeness:

the directory /etc/logcheck should be owned by logcheck:logcheck and
permissions: drwxr-x---
the contents should all be root:root and usual permissions, ie
-rw-r--r-- (with subdirectories drwxr-xr-x)

(as long permissions allow logcheck to read everything, it should all be fine)

> > I suggest also using the -d option -- should say what it is doing in
> > great detail (pipe to file or through less)
>
> I've tried! Many and many of lines, never ending, it seems a loop. I had to 
> do a ^C.

Interesting - that definitely shouldnt happen, and '-d' shouldn't be
doing anything 'extra' to cause that (is it definitely a loop or just
looking like one because if your log contains lines that dont match
any rules (will be reported in the email), logcheck has to check every
single rules file, and -d will tell you the results before and after
each rule file it uses: so it should look like it's printing the same
output many times. to minimise the output, you can run once without
-d, then do a 'logger foo' to ensure there's at lease one new line in
the log and then re-run with -d)

The only potential for a loop that i can immediately think of would be
if you had some kind of symlink loop in the rules directory - do you
have any symlinks in the ignore.d.server or similar dirs (check with
ls -laR)

i didnt think that could happen, i've no idea if logcheck would cope
with that or not

Can you provide the start of the -d output /enough to understand what
the loop is?  Otherwise, the start of the output should say what files
it was checking, unfortunately, if there's an issue sending the issue,
it likely wont be obvious until the very end.

the only other thing i can think of is a disk space issue (i could
imaging bad things happening if /tmp was full, or wherever the mta
stores the email - /var or similar)

(you could email it to me if you want to avoid it appearing in the
public bts - up to you: i wouldnt expect there to be anything too
sensitive in the logs, but i suppose we cant rule that out).

Bug#1058755: logcheck: Email not report log lines

[Richard Lewis]

On Fri, 15 Dec 2023 at 16:06, Stefano Callegari
 wrote:

> from few days the email from cron are empty, there is only the header.txt.

> /etc/logcheck <-bash> # su -s /bin/bash -c "/usr/sbin/logcheck -l 
> /var/log/syslog" logcheck
>
> the email has the log lines. Without the -l option, still empty.

Seems like it isnt checking the syslog -- what is in the files in
/etc/logcheck/logcheck.logfiles.d/  and logcheck.conf ?

Are you using systemd?

I suggest also using the -d option -- should say what it is doing in
great detail (pipe to file or through less)


> /etc/logcheck/header.txt [Errno 13] Permesso negato: 
> '/etc/logcheck/header.txt'
> /etc/logcheck/logcheck.conf [Errno 13] Permesso negato: 
> '/etc/logcheck/logcheck.conf'
> /etc/logcheck/logcheck.logfiles [Errno 13] Permesso negato: 
> '/etc/logcheck/logcheck.logfiles'
> /etc/logcheck/logcheck.logfiles.d/journal.logfiles [Errno 13] Permesso 
> negato: '/etc/logcheck/logcheck.logfiles.d/journal.logfiles'
> /etc/logcheck/logcheck.logfiles.d/syslog.logfiles [Errno 13] Permesso negato: 
> '/etc/logcheck/logcheck.logfiles.d/syslog.logfiles'
>
> -- no debconf information
>