Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

2019-08-19 Thread Holger Levsen
Hi Mike,

On Mon, Aug 19, 2019 at 08:00:05PM +, Mike Gabriel wrote:
> I have put together a buster branch for debian-edu-config. At the end of
> this mail find a .diff between buster..master.

cool, thanks for this! (I wont have time for review now though, cccamp
is being too noisy atm.)

> I wasn't sure about the D-I / entropy related changes between 2.10.65 and
> 2.10.67 and if they were actually being targetted for the buster-pu or just
> for stable.
> 
> Please let me know, if "those" entropy commits need to get included or not.

I believe either is fine.

> Once we have agreed on a package version to upload to buster, I will compose
> the buster srm bug report for it.

2.10.65+deb10u1 is good.


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C


signature.asc
Description: PGP signature


Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

2019-08-19 Thread Mike Gabriel

Hi Holger, hi Wolfgang,

On  Fr 16 Aug 2019 21:43:05 CEST, Holger Levsen wrote:


Hi Mike,

On Fri, Aug 16, 2019 at 05:43:42PM +,  
mike.gabr...@das-netzwerkteam.de wrote:
I can do that after the weekend. I have put in in my calendar for  
Monday morning.


great, thank you!


I have put together a buster branch for debian-edu-config. At the end  
of this mail find a .diff between buster..master.


I wasn't sure about the D-I / entropy related changes between 2.10.65  
and 2.10.67 and if they were actually being targetted for the  
buster-pu or just for stable.


Please let me know, if "those" entropy commits need to get included or not.

Once we have agreed on a package version to upload to buster, I will  
compose the buster srm bug report for it.


Please give feedback. Thanks!

Mike

```
[mike@minobo d-e-c (buster)]$ git diff buster..master | cat
diff --git a/debian/changelog b/debian/changelog
index b78cc1b7..c4c58cf2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,59 +1,14 @@
-debian-edu-config (2.10.65+deb10u1) UNRELEASED; urgency=medium
+debian-edu-config (2.10.67) unstable; urgency=medium

   [ Wolfgang Schweer ]
-  * Adjust ltsp-build-client/Debian-custom/001-ltsp-setting. (Closes:  
#928756)
-- Use PXE option 'ipappend 2' for LTSP client boot. This option  
makes sure

-  that all DHCP server information is getting through to LTSP clients.
-  (LTSP used this option before, but switched to 'ipappend 3' during the
-  Buster development cycle to ease setups with ProxyDHCP.)
-  * Adjust share/debian-edu-config/sudo-ldap.conf. (Closes: #929964)
-- Fix sudo-ldap configuration. (The LDAP URI is needed on LDAP clients.)
-  * Set environment variable to deal with Firefox profile. (Closes: #930122)
-This is a workaround for bug #930125, preventing firefox-esr  
startup issues

-if the mozilla profile is on an NFS share).
-- Ship share/debian-edu-config/edu-firefox-nfs with  
NSS_SDB_USE_CACHE="yes"

-  as content. Thanks to Mike Gabriel for spotting the issue and providing
-  this information.
-- Add instructions to cf3/cf.workarounds to link the  
'edu-firefox-nfs' file

-  to appropriate files below '/etc/X11/Xsession.d' and '/etc/profile.d'.
-  * Adjust cf3/cf.homes: Set correct LTSP chroot path. (Closes: #931680)
-- While the reported arch is i686, LTSP uses i386. Set arch accordingly.
-  * Adjust share/debian-edu-config/tools/kerberos-kdc-init. (Closes: #931366)
-- Remove outdated (and now wrong) logging section.
-  * Fix loss of dynamically allocated v4 IP address. (Closes: #933580)
-- Drop etc/network/if-up.d/hostname. This script doesn't work anymore due
-  to changed behaviour of the ifupdown/dhclient/systemd  
combination and now
-  also causes the loss of a dynamically allocated ipv4 IP address  
after 20

-  to 30 minutes after booting.
-- Add code to d/debian-edu-config.postinstall to implement the intended
-  hostname update just after rebooting the system after a change.
-- Adjust Makefile.
-  * Provide Debian Edu RootCA certificate for download. (Closes: #933183)
-- Adjust share/debian-edu-config/tools/create-debian-edu-certs to  
copy the

-  rootCA file to the web server directory at certificate generation time.
-- Adjust cf3/cf.finalize to care for the rootCA file as well.
-- Adjust cf3/cf.workarounds to copy the rootCA file to the web server
-  directory upon main server upgrade.
-  * Add LDAP server certificate to the initial LTSP NBD image.  
(Closes: #932828)

-- etc/ltsp/ltsp-build-client.conf: Don't create the image by default.
-- cf3/edu.cf: Define new class 'ltspimages'.
-- cf3/cf.finalize: Add code to include the LDAP server  
certificate for all

-  possible use cases, to generate the image and to adjust various rights.
-  * Changes to debian-edu-config.fetch-ldap-cert from 2.10.67).
+  * Adjust debian/debian-edu-config.fetch-ldap-cert. (Closes: #934380)
 - Use independent conditions to make sure that the LDAP server  
certificate
-  is only downloaded once for both host and LTSP chroot. (Closes:  
#934380)

+  is only downloaded once for both host and LTSP chroot.
 - Add code to validate the LDAP server certificate in case the Debian Edu
   RootCA certificate is available for download.

   [ Mike Gabriel ]
-  * Changes to debian-edu-config.fetch-ldap-cert (from 2.10.66):
-- Make the script (and with it Debian Edu buster workstations) work in a
-  Debian Edu environment where the main server (TJENER) is still  
on Debian

-  Edu 8 or 9. (Closes: #926933)
-- Retrieve TJENER's PKI server certificate only once per host to improve
-  security. This re-introduces the behaviour of fetch-ldap-cert  
in stretch

-  and earlier. (Closes: #931413).
-  * Changes to debian-edu-config.fetch-ldap-cert (from 2.10.67):
+  * Code review debian-edu-config.fetch-ldap-cert:
 - White-space-only change: Fix broken 

Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

2019-08-16 Thread Holger Levsen
Hi Mike,

On Fri, Aug 16, 2019 at 05:43:42PM +, mike.gabr...@das-netzwerkteam.de 
wrote:
> I can do that after the weekend. I have put in in my calendar for Monday 
> morning.

great, thank you!


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C


signature.asc
Description: PGP signature


Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

2019-08-16 Thread mike . gabriel
Hi Holger,

Am Freitag, 16. August 2019 schrieb Holger Levsen:
> On Fri, Aug 16, 2019 at 12:25:49PM +0200, Wolfgang Schweer wrote:
> > Sure, but this has already been fixed (somehow) in d-e-c 2.10.66. So if 
> > the stable release team disagrees w/ 2.10.67, d-e-c 2.10.66 might be a 
> > fallback option.
> 
> right. so back to my original question:
> 
> however/anyway, I'm not sure we can get this past the release team for the 
> stable point release. we might. 
> 
> would someone else (Mike?) be willing to file a SRM bug for 
> debian-edu-config_2.10.65+deb10u1? (or 2.10.66~ or 2.10.67~???)
> 
> 
> -- 
> cheers,
>   Holger
> 

I can do that after the weekend. I have put in in my calendar for Monday 
morning.

Mike

-- 
Gesendet von meinem Fairphone2 (powered by Sailfish OS).

Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

2019-08-16 Thread Holger Levsen
On Fri, Aug 16, 2019 at 12:25:49PM +0200, Wolfgang Schweer wrote:
> Sure, but this has already been fixed (somehow) in d-e-c 2.10.66. So if 
> the stable release team disagrees w/ 2.10.67, d-e-c 2.10.66 might be a 
> fallback option.

right. so back to my original question:

however/anyway, I'm not sure we can get this past the release team for the 
stable point release. we might. 

would someone else (Mike?) be willing to file a SRM bug for 
debian-edu-config_2.10.65+deb10u1? (or 2.10.66~ or 2.10.67~???)


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C


signature.asc
Description: PGP signature


Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

2019-08-16 Thread Wolfgang Schweer
Hi Mike,

thanks for the fast reply.

On Fri, Aug 16, 2019 at 10:10:27AM +, Mike Gabriel wrote:
> > Another improvement of the fetch-ldap-cert script shipped with d-e-c
> > 2.10.67 is the use of independent conditions for host and LTSP chroot
> > (instead of the global condition introduced with commit f8f436e); but
> > then the drawback caused by this change for LTSP chroots has also been
> > dealt with via d-e-c 2.10.66 fixes.
> > 
> > Mike, please comment.
> 
> Futhermore, we now entirely fixed backwards compatibility (new Debian Edu
> clients running against old Debian Edu TJENERs). This was the main flaw of
> the original Debian 10.0 implementation. You can't use Debian Edu 10 clients
> on a network running on a TJENER from 9.x or 8.x.
> While investigating this, Petter pointed us to the security flaw of always
> updating the LDAP server certificate on clients. Only deploying the LDAP
> server cert once protects the user against password sniffing, if someone
> malign takes over the network.

Sure, but this has already been fixed (somehow) in d-e-c 2.10.66. So if 
the stable release team disagrees w/ 2.10.67, d-e-c 2.10.66 might be a 
fallback option.

> Thus, fetch-ldap-cert must get into buster IMHO, it's a rewrite and it now
> is easy to read,

Sure, you improved it quite a lot :)

Wolfgang


signature.asc
Description: PGP signature


Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

2019-08-16 Thread Mike Gabriel

Hi Wolfgang, hi Holger,

On  Fr 16 Aug 2019 11:41:56 CEST, Wolfgang Schweer wrote:


On Thu, Aug 15, 2019 at 03:54:54PM +, Holger Levsen wrote:

On Thu, Aug 15, 2019 at 02:38:33PM +, Debian FTP Masters wrote:
> Source: debian-edu-config
> Version: 2.10.67
[...]
>debian-edu-config.fetch-ldap-cert:
>  - Fully inline-document fetch-ldap-cert script.

this is really great

>  - White-space-only change: Fix broken and inconsistent indentations.

looking at the debdiff between in whats in stable and this it seems this
is mostly not visible because its basically/almost a rewrite anyway:

$ debdiff debian-edu-config_2.10.65.dsc  
debian-edu-config_2.10.67.dsc|diffstat

 Makefile |2
 cf3/cf.finalize 
  |   52 +

 cf3/cf.homes |2
 cf3/cf.workarounds   |   16
 cf3/edu.cf   |1
 debian/changelog
  |   96 +++

 debian/control   |2
 debian/debian-edu-config.fetch-ldap-cert
  |  283 --

 debian/debian-edu-config.postinst|   14
 etc/ltsp/ltsp-build-client.conf  |2
 etc/network/if-up.d/hostname
  |   43 -
 share/debian-edu-config/d-i/finish-install  
  |   31 -

 share/debian-edu-config/edu-firefox-nfs  |1
 share/debian-edu-config/sudo-ldap.conf   |1
 share/debian-edu-config/tools/create-debian-edu-certs|2
 share/debian-edu-config/tools/kerberos-kdc-init  |5
 share/ltsp/plugins/ltsp-build-client/Debian-custom/001-ltsp-settings |4
 17 files changed, 418 insertions(+), 139 deletions(-)

(so maybe it would have been wiser not to mention the white-space  
only changes,

as the release team really dislikes them.)\




however/anyway, I'm not sure we can get this past the release team for
the stable point release. we might. we think all these changes are
useful/needed for stable, right?


Useful, yes; but IMO we could get along for Buster without the
fetch-ldap-cert related changes introduced in d-e-c 2.10.67 in case the
stable release team dislikes these.


Disagreeing here.

The fetch-ldap-cert changes are security related and get things right  
about the rootCA handling in Debian Edu buster.


The white-space changes are awkward to review, but the readability of  
the script is much better now (as indentation is now correct + all the  
comments).


(And: we, that is Holger, have/has got other d-e-c changes into a  
stable-pu, as we don't affect other software packages).



Among improved checks for a lot of possible failures, the rewrite has
the benefit of validating the LDAP server certificate against the Debian
Edu rootCA one (the version shipped with d-e-c 2.10.66 did this against
the bundle-crt certificate). Both are downloaded from www.intern, as
opposed to the LDAP server cert that is fetched from the LDAP server
itself. The bundle certificate contains the Debian Edu rootCA
certificate and the multipurpose server certificate (as a chain). This
server certificate is used for all configured Debian Edu server
services, included the LDAP service. While using the single Debian Edu
rootCA certificate for validation is the better way to go, the bundle
certificate can be used as well.


Yes. Thanks for pointing this out!!! It is the much better / cleaner /  
expected-by-admins approach.



Another improvement of the fetch-ldap-cert script shipped with d-e-c
2.10.67 is the use of independent conditions for host and LTSP chroot
(instead of the global condition introduced with commit f8f436e); but
then the drawback caused by this change for LTSP chroots has also been
dealt with via d-e-c 2.10.66 fixes.

Mike, please comment.


Futhermore, we now entirely fixed backwards compatibility (new Debian  
Edu clients running against old Debian Edu TJENERs). This was the main  
flaw of the original Debian 10.0 implementation. You can't use Debian  
Edu 10 clients on a network running on a TJENER from 9.x or 8.x.
While investigating this, Petter pointed us to the security flaw of  
always updating the LDAP server certificate on clients. Only deploying  
the LDAP server cert once protects the user against password sniffing,  
if someone malign takes over the network.


Thus, fetch-ldap-cert must get into buster IMHO, it's a rewrite and it  
now is easy to read,

Mike

--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG 

Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

2019-08-16 Thread Wolfgang Schweer
On Thu, Aug 15, 2019 at 03:54:54PM +, Holger Levsen wrote:
> On Thu, Aug 15, 2019 at 02:38:33PM +, Debian FTP Masters wrote:
> > Source: debian-edu-config
> > Version: 2.10.67
> [...]
> >debian-edu-config.fetch-ldap-cert:
> >  - Fully inline-document fetch-ldap-cert script.
> 
> this is really great
> 
> >  - White-space-only change: Fix broken and inconsistent indentations.
>  
> looking at the debdiff between in whats in stable and this it seems this
> is mostly not visible because its basically/almost a rewrite anyway:
> 
> $ debdiff debian-edu-config_2.10.65.dsc debian-edu-config_2.10.67.dsc|diffstat
>  Makefile |2 
>  cf3/cf.finalize  |   52 +
>  cf3/cf.homes |2 
>  cf3/cf.workarounds   |   16 
>  cf3/edu.cf   |1 
>  debian/changelog |   96 
> +++
>  debian/control   |2 
>  debian/debian-edu-config.fetch-ldap-cert |  283 
> --
>  debian/debian-edu-config.postinst|   14 
>  etc/ltsp/ltsp-build-client.conf  |2 
>  etc/network/if-up.d/hostname |   43 -
>  share/debian-edu-config/d-i/finish-install   |   31 -
>  share/debian-edu-config/edu-firefox-nfs  |1 
>  share/debian-edu-config/sudo-ldap.conf   |1 
>  share/debian-edu-config/tools/create-debian-edu-certs|2 
>  share/debian-edu-config/tools/kerberos-kdc-init  |5 
>  share/ltsp/plugins/ltsp-build-client/Debian-custom/001-ltsp-settings |4 
>  17 files changed, 418 insertions(+), 139 deletions(-)
> 
> (so maybe it would have been wiser not to mention the white-space only 
> changes,
> as the release team really dislikes them.)\
> 

> however/anyway, I'm not sure we can get this past the release team for 
> the stable point release. we might. we think all these changes are 
> useful/needed for stable, right?

Useful, yes; but IMO we could get along for Buster without the 
fetch-ldap-cert related changes introduced in d-e-c 2.10.67 in case the 
stable release team dislikes these.

Among improved checks for a lot of possible failures, the rewrite has 
the benefit of validating the LDAP server certificate against the Debian 
Edu rootCA one (the version shipped with d-e-c 2.10.66 did this against 
the bundle-crt certificate). Both are downloaded from www.intern, as 
opposed to the LDAP server cert that is fetched from the LDAP server 
itself. The bundle certificate contains the Debian Edu rootCA 
certificate and the multipurpose server certificate (as a chain). This 
server certificate is used for all configured Debian Edu server 
services, included the LDAP service. While using the single Debian Edu 
rootCA certificate for validation is the better way to go, the bundle 
certificate can be used as well.

Another improvement of the fetch-ldap-cert script shipped with d-e-c 
2.10.67 is the use of independent conditions for host and LTSP chroot 
(instead of the global condition introduced with commit f8f436e); but 
then the drawback caused by this change for LTSP chroots has also been 
dealt with via d-e-c 2.10.66 fixes.

Mike, please comment.

Wolfgang


signature.asc
Description: PGP signature


Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

2019-08-15 Thread Holger Levsen
Hi,

On Thu, Aug 15, 2019 at 02:38:33PM +, Debian FTP Masters wrote:
> Source: debian-edu-config
> Version: 2.10.67
[...]
>debian-edu-config.fetch-ldap-cert:
>  - Fully inline-document fetch-ldap-cert script.

this is really great

>  - White-space-only change: Fix broken and inconsistent indentations.
 
looking at the debdiff between in whats in stable and this it seems this
is mostly not visible because its basically/almost a rewrite anyway:

$ debdiff debian-edu-config_2.10.65.dsc debian-edu-config_2.10.67.dsc|diffstat
 Makefile |2 
 cf3/cf.finalize  |   52 +
 cf3/cf.homes |2 
 cf3/cf.workarounds   |   16 
 cf3/edu.cf   |1 
 debian/changelog |   96 +++
 debian/control   |2 
 debian/debian-edu-config.fetch-ldap-cert |  283 
--
 debian/debian-edu-config.postinst|   14 
 etc/ltsp/ltsp-build-client.conf  |2 
 etc/network/if-up.d/hostname |   43 -
 share/debian-edu-config/d-i/finish-install   |   31 -
 share/debian-edu-config/edu-firefox-nfs  |1 
 share/debian-edu-config/sudo-ldap.conf   |1 
 share/debian-edu-config/tools/create-debian-edu-certs|2 
 share/debian-edu-config/tools/kerberos-kdc-init  |5 
 share/ltsp/plugins/ltsp-build-client/Debian-custom/001-ltsp-settings |4 
 17 files changed, 418 insertions(+), 139 deletions(-)

(so maybe it would have been wiser not to mention the white-space only changes,
as the release team really dislikes them.)\

however/anyway, I'm not sure we can get this past the release team for the 
stable point
release. we might. we think all these changes are useful/needed for stable, 
right?

would someone else (Mike?) be willing to file a SRM bug for 
debian-edu-config_2.10.65~deb10u1?


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C


signature.asc
Description: PGP signature


debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

2019-08-15 Thread Debian FTP Masters



Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 15 Aug 2019 16:20:50 +0200
Source: debian-edu-config
Architecture: source
Version: 2.10.67
Distribution: unstable
Urgency: medium
Maintainer: Debian Edu Developers 
Changed-By: Holger Levsen 
Closes: 934380
Changes:
 debian-edu-config (2.10.67) unstable; urgency=medium
 .
   [ Wolfgang Schweer ]
   * Adjust debian/debian-edu-config.fetch-ldap-cert. (Closes: #934380)
 - Use independent conditions to make sure that the LDAP server certificate
   is only downloaded once for both host and LTSP chroot.
 - Add code to validate the LDAP server certificate in case the Debian Edu
   RootCA certificate is available for download.
 .
   [ Mike Gabriel ]
   * Code review debian-edu-config.fetch-ldap-cert:
 - White-space-only change: Fix broken and inconsistent indentations.
 - Fully inline-document fetch-ldap-cert script.
 - Add "-f" option to all curl calls that don't have it set so far.
   This assures that curl bails out with a non-zero exit code, if anything
   goes wrong while retrieving certificate files.
 - Also report a successful certificate verification if we verified the
   LDAP server certificate using the Debian Edu RootCA.
 - Really check that the LDAP server uses a certificate issued by the
   "Debian Edu RootCA", not just by (some) "RootCA".
 - Add 2x FIXME about BUNDLECRT file removal from host and from LTSP 
chroots.
 - LTSP chroot certificate copying: only log those actions, if they are
   actually about to happen..
 - Silence curl stderr and gnutls-cli stdout+stderr.
 - Certificate retrieval: Fix upgrade path for RootCA deployment. Re-run
   CERTFILE (and ROOTCACRT retrieval) until we have both on the client.
   This will lead to repetitive downloads of the CERTFILE on system boot.
   To get rid of this, people must upgrade their TJENERs from Debian Edu
   10.0 to 10.1. Then it will stop. This hack is necessary to assure
   distribution of the RootCA to all clients that don't have it, yet.
 - Detach dependency of ROOTCACRT chroot copying and BUNDLECRT chroot
   copying from chroot copying of the CERTFILE. The chroot may have the
   CERTFILE, but not the ROOTCACRT, yet. This assures a smooth upgrade
   path from Debian Edu 10.0 to Debian Edu 10.1.
 - Do a simple validity check if a directory under /opt/ltsp really is
   a chroot (and e.g. not the SquashFS images' directory).
Checksums-Sha1:
 3bd8da91b4e9c3dbdf61e357dcd12b0516398229 1918 debian-edu-config_2.10.67.dsc
 a54a2cfe07829975ee8a258e0afd44dbc9987531 344664 
debian-edu-config_2.10.67.tar.xz
 87e735f6f2a8996b3852873742505b4e7515de69 5276 
debian-edu-config_2.10.67_source.buildinfo
Checksums-Sha256:
 3b45bbe47a91000f13d4420d98a047f46b41e4b2758aa58b8bfe9235ddd94d41 1918 
debian-edu-config_2.10.67.dsc
 7fd13aeeae687972269ad4a60dba3bb4671cd12d5e519965432d1774af28c76e 344664 
debian-edu-config_2.10.67.tar.xz
 8df1a4f64d14c95622890593615d0675168ebd0c5590221940a6c820fc47b18b 5276 
debian-edu-config_2.10.67_source.buildinfo
Files:
 a842b5853927c469bee3ce05a7878108 1918 misc optional 
debian-edu-config_2.10.67.dsc
 eed77fc54f4b09e828205c5a336ba81c 344664 misc optional 
debian-edu-config_2.10.67.tar.xz
 376de7c334d73b18d454c847e2de0acd 5276 misc optional 
debian-edu-config_2.10.67_source.buildinfo

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAl1VaooACgkQCRq4Vgaa
qhwnfQ/9Hw8QTdPD2t/qa3Af00eXx93Lxmtd2Fin6cMfMPkJxAaxZuGPS/eCp7Da
kedNOU2zrERFZfCIARyj2qRuGhqKFA6PQUWGdEcSVX/+wj9OACNpQSwYnwrLVkGo
hIIhZ7soNLYoLU78x4ouZ+LD5x7aVh3sy/7DJqQN4utdiwi/VHPMQl7g8mQefbEW
w0DeeM0wp+rAabb+2Rr1P1Fo25pC5M7daet+GFniM/c2wRZ6A1KalTYyJKt7J4n3
bS9kmEmrjcYNtun8O3O6h15Asd762N7hYsMDiBMmy5zgyLW+27hToLAJg74VYnwu
nL0mLRUykZcdyguAtLd0A8VZew/HEOrb9oQRBB+Fp0yntFxyUvAWd7UEvUjUtQjf
NVjvMIEOd2A3yjri1SiuGUyTZkphmbYAeE3spB1/9AvtWGOV3lLTL3I5/F8VcGDW
IvWbMvOojOy6Ulm7d2j28z2wTg7ECM4LWxFFkwuvDHc1a3fVEA5fNOw3k8IfABPZ
QZhoLOJTcDgdz0dHPMpf2Qw1eoNhYL5Xidg+cwIgDS8OZyPKxgwsWgAls9mvgXwd
KYOHVjLJ7yr1cQrYEt+JN1NAdWlisox36+KYbkKFMGnMDrR2leYtJEqN/ICh+kDM
mBYwyHuOSfnTbXefykmncbcEppulNs/N6vhqMwZRirgq7CsRo0A=
=QqbT
-END PGP SIGNATURE-


Thank you for your contribution to Debian.