Bug#1036306: unblock: ufw/0.36.2-1
On Tue, 23 May 2023, Paul Gevers wrote: > > Bug fixes and translations will not be available in bookworm (I am upstream > > ufw > > and I cut 0.36.2 specifically for bookworm users). > > Please elaborate. It's Full Freeze time. A new upstream needs a lot of > defending to be considered a targeted fix at this stage of the release. Sorry I didn't elaborate more initially. I too misread the timing and thought that due to autopkgtests that the timing was still ok. As mentioned, I am the upstream author for ufw as well as the Debian maintainer for ufw and I had a choice to either cherrypick the changes and apply as patches in a 0.36.1-5 release or to gather them all into a 0.36.2-1 release. I chose the later since I didn't expect there to be a problem. Practically speaking though, it would've been essentially the same. Importantly, ufw had very good coverage via unit tests and functional tests which are both part of the package build. There are additional runtime functional tests that are part of autopkgtests that run on a live system. It migrated to Ubuntu 23.10 and passed its build and autopkgtests too. ufw is also a leaf package and not installed by default or as part of any tasks. Upgrades were manually tested from 0.36.1-4.1 to 0.36.2-1 on bookworm. I'll outline the changes below. ## Upstream ChangeLog: * src/ufw-init-functions: set default policy after loading rules. Thanks to Mauricio Faria de Oliveira. (LP: #1946804) This was already in 0.36.1-2 and I simply pulled it upstream. It was debian/patches/0004-set-default-policy-after-load.patch * doc/ufw.8: - document 'insert' and 'prepend' can't be used to update comments (LP: #1927737) This is new to 0.36.2, but only a documentation change to make existing functionality clearer. I feel this is a useful usability improvement for bookworm users. * src/backend_iptables.py: remove unreachable code (LP: #1927734) This is new to 0.36.2 but a very minor change: https://git.launchpad.net/ufw/commit/?h=release/0.36=dc350c53c9bc8bad8d9cbd810adf53111bcd5c10 This is safe to remove due to this line a few lines before it: https://git.launchpad.net/ufw/tree/src/backend_iptables.py?h=release/0.36=dc350c53c9bc8bad8d9cbd810adf53111bcd5c10#n997 (ie, line 997 is already doing an 'position > len(rules)' check so it is safe to remove the unreachable code in the aforementioned commit). This change could've been omitted for bookworm, but is also harmless. * src/util.py: - properly parse /proc/pid/stat for WSL (LP: #2015645) This is one of the main reasons why I wanted an update for bookworm since I wanted bookworm users on WSL to have a functional ufw. The change is here: https://git.launchpad.net/ufw/commit/?h=release/0.36=55669b732255c224343605272b793ae3fd534557 Unit tests existed for prior behavior and new tests were added for the bug fix. I feel this is an important bug fix for for bookworm users since without it, ufw fails to run on WSL. * src/util.py: - mitigate odd length string with unhexlify (Closes: 1034568) This mitigates a traceback in the case of if a rules file is somehow corrupted. The change is here: https://git.launchpad.net/ufw/commit/?h=release/0.36=751e3aa510a992140f748987221600ee4722ea75 Unit tests existed for prior behavior and new tests were added for the bug fix. I feel this is a useful usability improvement for bookworm users. * src/util.py: - support vrrp protocol (LP: #1996636) This is a technically a new feature, but all it did was add a new protocol to an existing list and so the change is considered safe. Most of the changes are for the man page and unit tests. The change is here: https://git.launchpad.net/ufw/commit/?h=release/0.36=49b50d9ebd4a381af9886fc1bff17191358188fc Unit tests existed for prior behavior and new tests were added for the bug fix. I debated this change as it could've been omitted for bookworm, but the change was obvious and small and added functionality that might be useful to keepalived users on bookworm. * add locales/po/ro.po. Thanks Remus-Gabriel Chelu (Closes: 1034119) This adds the .ro translation that was submitted via the BTS. I verified the translations via Google Translate and also ran 0.36.2-1 through https://git.launchpad.net/qa-regression-testing/tree/scripts/test-ufw.py#n474 which specifically tests that ufw runs under all the different locales. This test script is part of Ubuntu (of which I am also an Ubuntu developer) and doesn't work without modification on bookworm, but I did so and the locale works fine. I felt it important to shepherd the contribution to Debian into bookworm. * add '-h' and show help with no args (LP: #1965462) This change simply add '-h' to the already existing '--help' and 'help' commands and adjusts the parsing to show raise a ValueError which triggers showing the help message instead of just showing a less-than-helpful "not enough args" message like 0.36.1 did. This change is here:
Bug#1036306: unblock: ufw/0.36.2-1
On 2023-05-23 22:01, Paul Gevers wrote: On 23-05-2023 18:56, Gunnar Hjalmarsson wrote: ufw has autopkgtest, so strictly it's not blocked because of the freeze, but because of a piuparts failure. That's not true. We're in Hard Freeze, so ufw qualifies to migrate with passing autopkgtest when it's age is 20 days. However, once those 20 days are over, we're in Full Freeze so it won't migrate. So yes, strictly speaking it's *also* blocked by the freeze. I stand corrected. (And with that I understand wrt ufw why Jamie needs to justify the freeze related unblock request.) As you can see my primary concern is another package, i.e. ibus-pinyin. That package has already been unblocked from freeze: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036225 And missed the ignore-piuparts hint. Thanks for bringing that to our attention, I added that hint. Thanks! (And I understand from your reply that otherwise I should have simply submitted a separate unblock request. Or maybe re-opened the already submitted bug...) From tomorrow on, all packages that haven't migrated need an unblock request or they will not be part of bookworm. Normally we'd spot the piuparts problem and add the ignore hint if it's caused by the adduser issue. Sounds like the release team has it under control, then, so I will stop worrying. :) -- Thanks again! Gunnar
Bug#1036306: unblock: ufw/0.36.2-1
Hi Gunnar, On 23-05-2023 18:56, Gunnar Hjalmarsson wrote: On 2023-05-23 17:31, Paul Gevers wrote: On 19-05-2023 05:33, Jamie Strandboge wrote: Sure. The migration is currently blocked because the upload happened very recently That description is not quite accurate. ufw has autopkgtest, so strictly it's not blocked because of the freeze, but because of a piuparts failure. That's not true. We're in Hard Freeze, so ufw qualifies to migrate with passing autopkgtest when it's age is 20 days. However, once those 20 days are over, we're in Full Freeze so it won't migrate. So yes, strictly speaking it's *also* blocked by the freeze. Maybe you didn't see my reply to Jamie's initial bug, but it was archived: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036306#10 Yes I saw that. People around me (I'm at DebianReunionHamburg) are working to figure out how to fix the piuparts situation, but filing unblock requests *now* is appropriate *if* the upload is a targeted fix (as it should be). The adduser problem is relatively new, so all packages that are 20 days now or tomorrow were piuparts tested before the problem. So all the packages that are blocked by piuparts need our attention via an unblock request anyways, if they need to migrate to bookworm. As you can see my primary concern is another package, i.e. ibus-pinyin. That package has already been unblocked from freeze: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036225 And missed the ignore-piuparts hint. Thanks for bringing that to our attention, I added that hint. But since it hit the very same adduser/piuparts issue as ufw (and probably a bunch of other packages) did, it's still blocked from migration. Not if we add the right hint, which we have in place already for several unblocks. Maybe it was wrong of me to comment on this ufw bug, but the adduser/piuparts situation is special, and I felt it made sense to handle all affected packages together. Sorry, that doesn't scale. We'll handle it per unblock request. Please advice on how uploaders affected by the adduser/piuparts situation should act. From tomorrow on, all packages that haven't migrated need an unblock request or they will not be part of bookworm. Normally we'd spot the piuparts problem and add the ignore hint if it's caused by the adduser issue. Paul OpenPGP_signature Description: OpenPGP digital signature
Bug#1036306: unblock: ufw/0.36.2-1
Hi Paul, On 2023-05-23 17:31, Paul Gevers wrote: On 19-05-2023 05:33, Jamie Strandboge wrote: It seems that adduser 3.133 has caused problems for a lot of packages in sid, including ufw. See: https://piuparts.debian.org/sid/fail/adduser_3.133.log https://piuparts.debian.org/sid/fail/ https://piuparts.debian.org/sid/fail/ufw_0.36.2-1.log https://piuparts.debian.org/sid/fail/... Yes, known, let's not worry about that. Well, I do worry a bit. ufw did not cause adduser to be unremovable, and adduser being unremovable should not affect ufw's migration. Sure. The migration is currently blocked because the upload happened very recently That description is not quite accurate. ufw has autopkgtest, so strictly it's not blocked because of the freeze, but because of a piuparts failure. and tomorrow we'll enter Full Freeze. So the upload happened too late for it to migrate without us unblocking. Maybe you didn't see my reply to Jamie's initial bug, but it was archived: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036306#10 As you can see my primary concern is another package, i.e. ibus-pinyin. That package has already been unblocked from freeze: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036225 But since it hit the very same adduser/piuparts issue as ufw (and probably a bunch of other packages) did, it's still blocked from migration. Maybe it was wrong of me to comment on this ufw bug, but the adduser/piuparts situation is special, and I felt it made sense to handle all affected packages together. Please advice on how uploaders affected by the adduser/piuparts situation should act. -- Rgds, Gunnar Hjalmarsson
Bug#1036306: unblock: ufw/0.36.2-1
Control: tags -1 moreinfo Hi, On 19-05-2023 05:33, Jamie Strandboge wrote: It seems that adduser 3.133 has caused problems for a lot of packages in sid, including ufw. See: https://piuparts.debian.org/sid/fail/adduser_3.133.log https://piuparts.debian.org/sid/fail/ https://piuparts.debian.org/sid/fail/ufw_0.36.2-1.log https://piuparts.debian.org/sid/fail/... Yes, known, let's not worry about that. ufw did not cause adduser to be unremovable, and adduser being unremovable should not affect ufw's migration. Sure. The migration is currently blocked because the upload happened very recently and tomorrow we'll enter Full Freeze. So the upload happened too late for it to migrate without us unblocking. Bug fixes and translations will not be available in bookworm (I am upstream ufw and I cut 0.36.2 specifically for bookworm users). Please elaborate. It's Full Freeze time. A new upstream needs a lot of defending to be considered a targeted fix at this stage of the release. Please read the policy [1] and the FAQ [2]. Paul [1] https://release.debian.org/testing/freeze_policy.html [2] https://release.debian.org/testing/FAQ.html OpenPGP_signature Description: OpenPGP digital signature
Bug#1036306: unblock: ufw/0.36.2-1
I'm kind of 'hijacking' this bug instead of submitting an own. Hope you don't mind, Jamie. :/ I have the very same problem, i.e. piuparts failing due to the latest change in adduser: https://tracker.debian.org/pkg/ibus-pinyin So please add ibus-pinyin to the list of packages which probably need the release team's attention to resolve the adduser/piuparts situation. I don't know how to identify other affected packages, but there is a related email list thread: https://alioth-lists.debian.net/pipermail/piuparts-devel/2023-May/009566.html (And with that I suppose that #1036307, which was mistakenly submitted as a new bug, can be closed.) -- Cheers, Gunnar Hjalmarsson
Bug#1036306: unblock: ufw/0.36.2-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package ufw It seems that adduser 3.133 has caused problems for a lot of packages in sid, including ufw. See: https://piuparts.debian.org/sid/fail/adduser_3.133.log https://piuparts.debian.org/sid/fail/ https://piuparts.debian.org/sid/fail/ufw_0.36.2-1.log https://piuparts.debian.org/sid/fail/... In the case of ufw, it ships a logrotate file and logrotate gets installed, which pulls in adduser, but adduser can't be removed and piuparts fails: 0m18.6s DEBUG: Starting command: ['chroot', '/srv/piuparts.debian.org/tmp/tmpwv4fmpa7', 'apt-get', 'install', '-y', 'logrotate'] 0m19.9s DUMP: Reading package lists... Building dependency tree... Reading state information... The following additional packages will be installed: adduser cron cron-daemon-common libpopt0 sensible-utils ... m20.2s ERROR: Command failed (status=1): ['chroot', '/srv/piuparts.debian.org/tmp/tmpwv4fmpa7', 'dpkg', '--purge', 'adduser', 'cron', 'cron-daemon-common', 'libpopt0:amd64', 'logrotate', 'sensible-utils'] dpkg: error processing package adduser (--purge): this is a protected package; it should not be removed ... As mentioned, there seem to be several packages in this state. ufw has shipped a logrotate file for years and this isn't new to ufw 0.36.2-1. [ Reason ] ufw did not cause adduser to be unremovable, and adduser being unremovable should not affect ufw's migration. [ Impact ] Bug fixes and translations will not be available in bookworm (I am upstream ufw and I cut 0.36.2 specifically for bookworm users). [ Tests ] Build tests (unit and functional) and autopkgtests pass. [ Risks ] Leaf package. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing unblock ufw/0.36.2-1 diff -Nru ufw-0.36.1/ChangeLog ufw-0.36.2/ChangeLog --- ufw-0.36.1/ChangeLog2021-09-18 20:29:52.0 -0500 +++ ufw-0.36.2/ChangeLog2023-05-18 08:45:35.0 -0500 @@ -1,3 +1,23 @@ +ufw (0.36.2) RELEASED; urgency=medium + + * src/ufw-init-functions: set default policy after loading rules. Thanks to +Mauricio Faria de Oliveira. (LP: #1946804) + * doc/ufw.8: +- document 'insert' and 'prepend' can't be used to update comments + (LP: #1927737) + * src/backend_iptables.py: remove unreachable code (LP: #1927734) + * src/util.py: +- properly parse /proc/pid/stat for WSL (LP: #2015645) +- mitigate odd length string with unhexlify (Closes: 1034568) +- support vrrp protocol (LP: #1996636) + * add locales/po/ro.po. Thanks Remus-Gabriel Chelu (Closes: 1034119) + * add '-h' and show help with no args (LP: #1965462) + * src/backend.py: add get_rules_ipv4() and get_rules_ipv6() (LP: #1951018) + * tests/check-requirements: update for python 3.10+ + * tests/root: normalize 'ACCEPT {all,tcp}' and 'ACCEPT N' for newer systems + + -- Jamie Strandboge Thu, 18 May 2023 08:45:30 -0500 + ufw (0.36.1) RELEASED; urgency=medium * snap packaging updates: diff -Nru ufw-0.36.1/debian/changelog ufw-0.36.2/debian/changelog --- ufw-0.36.1/debian/changelog 2022-10-15 05:54:27.0 -0500 +++ ufw-0.36.2/debian/changelog 2023-05-18 09:03:07.0 -0500 @@ -1,3 +1,30 @@ +ufw (0.36.2-1) unstable; urgency=medium + + * New upstream release (LP: #1946804, LP: #1927737, LP: #1927734, +LP: #2015645, LP: #1996636, LP: #1965462, LP: #1951018, Closes: 1034568, +Closes: 1034119). Drop the following (included upstream): +- 0002-fix-copyright.patch +- 0003-python3-versions.patch +- 0004-set-default-policy-after-load.patch + * Remaining changes: +- 0001-optimize-boot.patch + * add new debian/po/ro.po. Thanks Remus-Gabriel Chelu (Closes: 1033758) + * debian/control: +- Breaks with iptables-persistent and netfilter-persistent. When ufw is + installed, it is not enabled by default, so it doesn't interfere with + other firewall software (until it is enabled). In contrast, + iptables-persistent and netfilter-persistent install enabled, which + interferes with ufw. Add a breaks on these to avoid them being + co-installed with ufw (and causing problems for users). +- use Python-Version instead of XB-Python-Version +- remove Depends on obsolete lsb-base + * ufw.lintian-overrides: +- update for breaks-without-version iptables-persistent and + netfilter-persistent +- update for newer lintian + + -- Jamie Strandboge Thu, 18 May 2023 14:03:07 + + ufw (0.36.1-4.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru ufw-0.36.1/debian/control ufw-0.36.2/debian/control --- ufw-0.36.1/debian/control 2021-09-19 00:46:12.0 -0500 +++ ufw-0.36.2/debian/control 2023-05-16 09:37:21.0 -0500 @@ -13,7 +13,7 @@ po-debconf, python3 (>= 3.2), python3-distutils -Standards-Version: