Bug#1036306: unblock: ufw/0.36.2-1

2023-05-23 Thread Jamie Strandboge
On Tue, 23 May 2023, Paul Gevers wrote:

> > Bug fixes and translations will not be available in bookworm (I am upstream ufw
> > and I cut 0.36.2 specifically for bookworm users).
> 
> Please elaborate. It's Full Freeze time. A new upstream needs a lot of
> defending to be considered a targeted fix at this stage of the release.

Sorry I didn't elaborate more initially. I too misread the timing and
thought that due to autopkgtests the timing was still ok.

As mentioned, I am the upstream author for ufw as well as the Debian
maintainer for ufw and I had a choice to either cherrypick the changes
and apply as patches in a 0.36.1-5 release or to gather them all into a
0.36.2-1 release. I chose the latter since I didn't expect there to be a
problem. Practically speaking though, it would've been essentially the
same.

Importantly, ufw had very good coverage via unit tests and functional
tests which are both part of the package build. There are additional
runtime functional tests that are part of autopkgtests that run on a
live system. It migrated to Ubuntu 23.10 and passed its build and
autopkgtests too.

ufw is also a leaf package and not installed by default or as part of
any tasks. Upgrades were manually tested from 0.36.1-4.1 to 0.36.2-1 on
bookworm.

I'll outline the changes below.

## Upstream ChangeLog:

* src/ufw-init-functions: set default policy after loading rules. Thanks to
  Mauricio Faria de Oliveira. (LP: #1946804)

This was already in 0.36.1-2 and I simply pulled it upstream. It was
debian/patches/0004-set-default-policy-after-load.patch


* doc/ufw.8:
  - document 'insert' and 'prepend' can't be used to update comments
    (LP: #1927737)

This is new to 0.36.2, but only a documentation change to make existing
functionality clearer. I feel this is a useful usability improvement for
bookworm users.


* src/backend_iptables.py: remove unreachable code (LP: #1927734)

This is new to 0.36.2 but a very minor change:
https://git.launchpad.net/ufw/commit/?h=release/0.36=dc350c53c9bc8bad8d9cbd810adf53111bcd5c10

This is safe to remove due to this line a few lines before it:
https://git.launchpad.net/ufw/tree/src/backend_iptables.py?h=release/0.36=dc350c53c9bc8bad8d9cbd810adf53111bcd5c10#n997

(ie, line 997 is already doing an 'position > len(rules)' check so it is
safe to remove the unreachable code in the aforementioned commit). This
change could've been omitted for bookworm, but is also harmless.


* src/util.py:
  - properly parse /proc/pid/stat for WSL (LP: #2015645)

This is one of the main reasons why I wanted an update for bookworm
since I wanted bookworm users on WSL to have a functional ufw. The
change is here:
https://git.launchpad.net/ufw/commit/?h=release/0.36=55669b732255c224343605272b793ae3fd534557

Unit tests existed for prior behavior and new tests were added for the
bug fix. I feel this is an important bug fix for bookworm users
since without it, ufw fails to run on WSL.


* src/util.py:
  - mitigate odd length string with unhexlify (Closes: 1034568)

This mitigates a traceback in the case that a rules file is somehow
corrupted. The change is here:
https://git.launchpad.net/ufw/commit/?h=release/0.36=751e3aa510a992140f748987221600ee4722ea75

Unit tests existed for prior behavior and new tests were added for the
bug fix. I feel this is a useful usability improvement for bookworm
users.


* src/util.py:
  - support vrrp protocol (LP: #1996636)

This is technically a new feature, but all it did was add a new
protocol to an existing list and so the change is considered safe. Most
of the changes are for the man page and unit tests. The change is here:
https://git.launchpad.net/ufw/commit/?h=release/0.36=49b50d9ebd4a381af9886fc1bff17191358188fc

Unit tests existed for prior behavior and new tests were added for the
bug fix. I debated this change as it could've been omitted for bookworm,
but the change was obvious and small and added functionality that might
be useful to keepalived users on bookworm.


* add locales/po/ro.po. Thanks Remus-Gabriel Chelu (Closes: 1034119)

This adds the .ro translation that was submitted via the BTS. I verified
the translations via Google Translate and also ran 0.36.2-1 through
https://git.launchpad.net/qa-regression-testing/tree/scripts/test-ufw.py#n474
which specifically tests that ufw runs under all the different locales.
This test script is part of Ubuntu (of which I am also an Ubuntu
developer) and doesn't work without modification on bookworm, but I did
so and the locale works fine. I felt it important to shepherd the
contribution to Debian into bookworm.


* add '-h' and show help with no args (LP: #1965462)

This change simply adds '-h' to the already existing '--help' and 'help'
commands and adjusts the parsing to raise a ValueError which
triggers showing the help message instead of just showing a
less-than-helpful "not enough args" message like 0.36.1 did. This change
is here:

Bug#1036306: unblock: ufw/0.36.2-1

2023-05-23 Thread Gunnar Hjalmarsson

On 2023-05-23 22:01, Paul Gevers wrote:
> On 23-05-2023 18:56, Gunnar Hjalmarsson wrote:
> > ufw has autopkgtest, so strictly it's not blocked because of the
> > freeze, but because of a piuparts failure.
>
> That's not true. We're in Hard Freeze, so ufw qualifies to migrate
> with passing autopkgtest when its age is 20 days. However, once
> those 20 days are over, we're in Full Freeze so it won't migrate. So
> yes, strictly speaking it's *also* blocked by the freeze.

I stand corrected. (And with that I understand wrt ufw why Jamie needs
to justify the freeze related unblock request.)

> > As you can see my primary concern is another package, i.e.
> > ibus-pinyin. That package has already been unblocked from freeze:
> >
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036225
>
> And missed the ignore-piuparts hint. Thanks for bringing that to our
> attention, I added that hint.

Thanks! (And I understand from your reply that otherwise I should have
simply submitted a separate unblock request. Or maybe re-opened the
already submitted bug...)

> From tomorrow on, all packages that haven't migrated need an unblock
> request or they will not be part of bookworm. Normally we'd spot the
> piuparts problem and add the ignore hint if it's caused by the
> adduser issue.

Sounds like the release team has it under control, then, so I will stop
worrying. :)

--
Thanks again!

Gunnar



Bug#1036306: unblock: ufw/0.36.2-1

2023-05-23 Thread Paul Gevers

Hi Gunnar,

On 23-05-2023 18:56, Gunnar Hjalmarsson wrote:
> On 2023-05-23 17:31, Paul Gevers wrote:
> > On 19-05-2023 05:33, Jamie Strandboge wrote:
> > Sure. The migration is currently blocked because the upload happened
> > very recently
>
> That description is not quite accurate. ufw has autopkgtest, so strictly
> it's not blocked because of the freeze, but because of a piuparts failure.

That's not true. We're in Hard Freeze, so ufw qualifies to migrate with
passing autopkgtest when its age is 20 days. However, once those 20
days are over, we're in Full Freeze so it won't migrate. So yes,
strictly speaking it's *also* blocked by the freeze.

> Maybe you didn't see my reply to Jamie's initial bug, but it was archived:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036306#10

Yes I saw that. People around me (I'm at DebianReunionHamburg) are
working to figure out how to fix the piuparts situation, but filing
unblock requests *now* is appropriate *if* the upload is a targeted fix
(as it should be). The adduser problem is relatively new, so all
packages that are 20 days now or tomorrow were piuparts tested before
the problem. So all the packages that are blocked by piuparts need our
attention via an unblock request anyways, if they need to migrate to
bookworm.

> As you can see my primary concern is another package, i.e. ibus-pinyin.
> That package has already been unblocked from freeze:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036225

And missed the ignore-piuparts hint. Thanks for bringing that to our
attention, I added that hint.

> But since it hit the very same adduser/piuparts issue as ufw (and
> probably a bunch of other packages) did, it's still blocked from migration.

Not if we add the right hint, which we have in place already for several
unblocks.

> Maybe it was wrong of me to comment on this ufw bug, but the
> adduser/piuparts situation is special, and I felt it made sense to
> handle all affected packages together.

Sorry, that doesn't scale. We'll handle it per unblock request.

> Please advise on how uploaders affected by the adduser/piuparts
> situation should act.

From tomorrow on, all packages that haven't migrated need an unblock
request or they will not be part of bookworm. Normally we'd spot the
piuparts problem and add the ignore hint if it's caused by the adduser
issue.


Paul




Bug#1036306: unblock: ufw/0.36.2-1

2023-05-23 Thread Gunnar Hjalmarsson

Hi Paul,

On 2023-05-23 17:31, Paul Gevers wrote:
> On 19-05-2023 05:33, Jamie Strandboge wrote:
> > It seems that adduser 3.133 has caused problems for a lot of packages
> > in sid, including ufw. See:
> >
> > https://piuparts.debian.org/sid/fail/adduser_3.133.log
> > https://piuparts.debian.org/sid/fail/
> > https://piuparts.debian.org/sid/fail/ufw_0.36.2-1.log
> > https://piuparts.debian.org/sid/fail/...
>
> Yes, known, let's not worry about that.

Well, I do worry a bit.

> > ufw did not cause adduser to be unremovable, and adduser being
> > unremovable should not affect ufw's migration.
>
> Sure. The migration is currently blocked because the upload happened
> very recently

That description is not quite accurate. ufw has autopkgtest, so strictly
it's not blocked because of the freeze, but because of a piuparts failure.

> and tomorrow we'll enter Full Freeze. So the upload
> happened too late for it to migrate without us unblocking.

Maybe you didn't see my reply to Jamie's initial bug, but it was archived:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036306#10

As you can see my primary concern is another package, i.e. ibus-pinyin.
That package has already been unblocked from freeze:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036225

But since it hit the very same adduser/piuparts issue as ufw (and
probably a bunch of other packages) did, it's still blocked from migration.

Maybe it was wrong of me to comment on this ufw bug, but the
adduser/piuparts situation is special, and I felt it made sense to
handle all affected packages together.

Please advise on how uploaders affected by the adduser/piuparts
situation should act.


--
Rgds,
Gunnar Hjalmarsson



Bug#1036306: unblock: ufw/0.36.2-1

2023-05-23 Thread Paul Gevers

Control: tags -1 moreinfo

Hi,

On 19-05-2023 05:33, Jamie Strandboge wrote:
> It seems that adduser 3.133 has caused problems for a lot of packages in sid,
> including ufw. See:
>
> https://piuparts.debian.org/sid/fail/adduser_3.133.log
> https://piuparts.debian.org/sid/fail/
> https://piuparts.debian.org/sid/fail/ufw_0.36.2-1.log
> https://piuparts.debian.org/sid/fail/...

Yes, known, let's not worry about that.

> ufw did not cause adduser to be unremovable, and adduser being unremovable
> should not affect ufw's migration.

Sure. The migration is currently blocked because the upload happened
very recently and tomorrow we'll enter Full Freeze. So the upload
happened too late for it to migrate without us unblocking.

> Bug fixes and translations will not be available in bookworm (I am upstream ufw
> and I cut 0.36.2 specifically for bookworm users).

Please elaborate. It's Full Freeze time. A new upstream needs a lot of
defending to be considered a targeted fix at this stage of the release.
Please read the policy [1] and the FAQ [2].


Paul

[1] https://release.debian.org/testing/freeze_policy.html
[2] https://release.debian.org/testing/FAQ.html




Bug#1036306: unblock: ufw/0.36.2-1

2023-05-20 Thread Gunnar Hjalmarsson
I'm kind of 'hijacking' this bug instead of submitting my own. Hope you
don't mind, Jamie. :/


I have the very same problem, i.e. piuparts failing due to the latest 
change in adduser:


https://tracker.debian.org/pkg/ibus-pinyin

So please add ibus-pinyin to the list of packages which probably need 
the release team's attention to resolve the adduser/piuparts situation.


I don't know how to identify other affected packages, but there is a 
related email list thread:


https://alioth-lists.debian.net/pipermail/piuparts-devel/2023-May/009566.html

(And with that I suppose that #1036307, which was mistakenly submitted 
as a new bug, can be closed.)


--
Cheers,
Gunnar Hjalmarsson



Bug#1036306: unblock: ufw/0.36.2-1

2023-05-18 Thread Jamie Strandboge
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package ufw

It seems that adduser 3.133 has caused problems for a lot of packages in sid,
including ufw. See:

https://piuparts.debian.org/sid/fail/adduser_3.133.log
https://piuparts.debian.org/sid/fail/
https://piuparts.debian.org/sid/fail/ufw_0.36.2-1.log
https://piuparts.debian.org/sid/fail/...

In the case of ufw, it ships a logrotate file and logrotate gets installed,
which pulls in adduser, but adduser can't be removed and piuparts fails:

0m18.6s DEBUG: Starting command: ['chroot', 
'/srv/piuparts.debian.org/tmp/tmpwv4fmpa7', 'apt-get', 'install', '-y', 
'logrotate']
0m19.9s DUMP:
  Reading package lists...
  Building dependency tree...
  Reading state information...
  The following additional packages will be installed:
adduser cron cron-daemon-common libpopt0 sensible-utils
...
m20.2s ERROR: Command failed (status=1): ['chroot', 
'/srv/piuparts.debian.org/tmp/tmpwv4fmpa7', 'dpkg', '--purge', 'adduser', 
'cron', 'cron-daemon-common', 'libpopt0:amd64', 'logrotate', 'sensible-utils']
  dpkg: error processing package adduser (--purge):
   this is a protected package; it should not be removed
...

As mentioned, there seem to be several packages in this state. ufw has shipped
a logrotate file for years and this isn't new to ufw 0.36.2-1. 

[ Reason ]
ufw did not cause adduser to be unremovable, and adduser being unremovable
should not affect ufw's migration.

[ Impact ]
Bug fixes and translations will not be available in bookworm (I am upstream ufw
and I cut 0.36.2 specifically for bookworm users).

[ Tests ]
Build tests (unit and functional) and autopkgtests pass.

[ Risks ]
Leaf package.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


unblock ufw/0.36.2-1
diff -Nru ufw-0.36.1/ChangeLog ufw-0.36.2/ChangeLog
--- ufw-0.36.1/ChangeLog2021-09-18 20:29:52.0 -0500
+++ ufw-0.36.2/ChangeLog2023-05-18 08:45:35.0 -0500
@@ -1,3 +1,23 @@
+ufw (0.36.2) RELEASED; urgency=medium
+
+  * src/ufw-init-functions: set default policy after loading rules. Thanks to
+Mauricio Faria de Oliveira. (LP: #1946804)
+  * doc/ufw.8:
+- document 'insert' and 'prepend' can't be used to update comments
+  (LP: #1927737)
+  * src/backend_iptables.py: remove unreachable code (LP: #1927734)
+  * src/util.py:
+- properly parse /proc/pid/stat for WSL (LP: #2015645)
+- mitigate odd length string with unhexlify (Closes: 1034568)
+- support vrrp protocol (LP: #1996636)
+  * add locales/po/ro.po. Thanks Remus-Gabriel Chelu (Closes: 1034119)
+  * add '-h' and show help with no args (LP: #1965462)
+  * src/backend.py: add get_rules_ipv4() and get_rules_ipv6() (LP: #1951018)
+  * tests/check-requirements: update for python 3.10+
+  * tests/root: normalize 'ACCEPT {all,tcp}' and 'ACCEPT N' for newer systems
+
+ -- Jamie Strandboge   Thu, 18 May 2023 08:45:30 -0500
+
 ufw (0.36.1) RELEASED; urgency=medium
 
   * snap packaging updates:
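
Review bot: The `src/backend.py: add get_rules_ipv4() and get_rules_ipv6() (LP: #1951018)` entry near the end of the new 0.36.2 stanza adds new functions rather than fixing a defect, and the two `tests/` entries after it carry no bug reference, so for a freeze-time unblock each of these needs its own line of justification next to the fixes. The `mitigate odd length string with unhexlify` entry should also say what ufw now does with the malformed input (skip the rule, warn, or stop), since that is the behaviour an administrator with a corrupted rules file will actually see.
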
diff -Nru ufw-0.36.1/debian/changelog ufw-0.36.2/debian/changelog
--- ufw-0.36.1/debian/changelog 2022-10-15 05:54:27.0 -0500
+++ ufw-0.36.2/debian/changelog 2023-05-18 09:03:07.0 -0500
@@ -1,3 +1,30 @@
+ufw (0.36.2-1) unstable; urgency=medium
+
+  * New upstream release (LP: #1946804, LP: #1927737, LP: #1927734,
+LP: #2015645, LP: #1996636, LP: #1965462, LP: #1951018, Closes: 1034568,
+Closes: 1034119). Drop the following (included upstream):
+- 0002-fix-copyright.patch
+- 0003-python3-versions.patch
+- 0004-set-default-policy-after-load.patch
+  * Remaining changes:
+- 0001-optimize-boot.patch
+  * add new debian/po/ro.po. Thanks Remus-Gabriel Chelu (Closes: 1033758)
+  * debian/control:
+- Breaks with iptables-persistent and netfilter-persistent. When ufw is
+  installed, it is not enabled by default, so it doesn't interfere with
+  other firewall software (until it is enabled). In contrast,
+  iptables-persistent and netfilter-persistent install enabled, which
+  interferes with ufw. Add a breaks on these to avoid them being
+  co-installed with ufw (and causing problems for users).
+- use Python-Version instead of XB-Python-Version
+- remove Depends on obsolete lsb-base
+  * ufw.lintian-overrides:
+- update for breaks-without-version iptables-persistent and
+  netfilter-persistent
+- update for newer lintian
+
+ -- Jamie Strandboge   Thu, 18 May 2023 14:03:07 +
+
 ufw (0.36.1-4.1) unstable; urgency=medium
 
   * Non-maintainer upload.
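
Review bot: The `debian/control` entry introduces an unversioned Breaks on iptables-persistent and netfilter-persistent (the `ufw.lintian-overrides` entry confirms it is `breaks-without-version`), which changes upgrade behaviour rather than fixing a bug: a host with either package installed will have it removed or deconfigured, or will have the ufw upgrade held back. The text explains why co-installation is a problem but not what happens to the rule set those packages were restoring at boot; suggest stating the upgrade outcome here or in a NEWS entry so an administrator can confirm the host still has the filtering it had before. This change is also packaging-only and separate from the upstream fixes, so it deserves its own justification in the unblock request.
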
diff -Nru ufw-0.36.1/debian/control ufw-0.36.2/debian/control
--- ufw-0.36.1/debian/control   2021-09-19 00:46:12.0 -0500
+++ ufw-0.36.2/debian/control   2023-05-16 09:37:21.0 -0500
@@ -13,7 +13,7 @@
  po-debconf,
  python3 (>= 3.2),
  python3-distutils
-Standards-Version: