Re: gcc-6: please enable PIE hardening flags by default on amd64 ppc64el and s390x

2016-10-09 Thread Niels Thykier
On Tue, 23 Aug 2016 00:25:30 +0200 Balint Reczey wrote:
> Package: gcc-6
> Version: 6.1.1-12
> Severity: wishlist
> Tags: patch
> 
> Dear Matthias,
> 
> As a continuation of the discussions [1][2] on debian-devel I'm
> attaching the simple patch that implements enabling the PIE
> hardening flags for a subset of the architectures.
> 
> I'm open to changing the subset, it matches the set selected in Ubuntu
> as a start, but porters may have different preferences [2].
> 
> I'm continuing with a full archive rebuild to see the amount of packages
> to be updated for the change in the default flags.
> 
> The same patch applies to gcc-5, too, if it does not get removed
> from the archive before the patch is accepted for gcc-6.
> 
> Cheers,
> Balint
> 
> [1] https://lists.debian.org/debian-devel/2016/05/msg00228.html
> [2] https://lists.debian.org/debian-devel/2016/08/msg00324.html
> 

Hi,

As per [1], please enable PIE by default on the following architectures:


 * amd64
 * arm64
 * armel
 * armhf
 * i386
 * mips
 * mips64el
 * mipsel
 * ppc64el
 * s390x

All of these architectures (except amd64+i386 with porter waivers) had
at least 2 porters supporting PIE.

Thanks,
~Niels

[1]
https://lists.debian.org/<2c67a60f-2bbb-2f4e-2ad3-cd9978fb5...@thykier.net>



Re: Enabling PIE by default for Stretch

2016-10-09 Thread Niels Thykier
Niels Thykier:
> Hi,
> 
> As brought up on the meeting last night, I think we should try to go for
> PIE by default in Stretch on all release architectures!
>  * It is a substantial hardening feature
>  * Upstream has vastly reduced the performance penalty for x86
>  * The majority of all porters believe their release architecture is
>    ready for it.
>  * We have sufficient time to solve any issues or revert if it turns out
>    to be too problematic.
> 
> [...]
> 
>  * Deadline for major concerns:  Fri, 7th of October 2016.
> 
> [...]
> 
> Thanks,
> ~Niels
> 
> [...]

It appears that there were no major concerns.  I will follow up #835148
and request PIE by default for the following architectures.

 * amd64
 * arm64
 * armel
 * armhf
 * i386
 * mips
 * mips64el
 * mipsel
 * ppc64el
 * s390x

Should you be a porter for an architecture not listed above and want PIE
by default on your architecture, please follow up on #835148 as well (or
file a new wishlist bug if #835148 is closed when you do it).

NB: The omission of powerpc was intentional as there were no porters
supporting it during the roll-call.

Thanks,
~Niels





Re: Porter roll call for Debian Stretch

2016-10-09 Thread Adam D. Barratt
On Sun, 2016-10-09 at 21:12 +0300, Adrian Bunk wrote:
> [ adding debian-powerpc ]
> 
> On Sun, Oct 09, 2016 at 06:54:44PM +0200, Moritz Mühlenhoff wrote:
> > Niels Thykier  schrieb:
> > > If I am to support powerpc as a release architecture for Stretch, I
> > > need to know that there are *active* porters behind it committed to
> > > keeping it in the working.  People who would definitely catch such
> > > issues long before the release.  People who file bugs / submit patches 
> > > etc.
> > 
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832931 is about
> > a powerpc-specific build failure of mariadb in stable. The maintainer
> > said he can't work on it, so if anyone considers himself/herself a
> > powerpc porter, this is something to look at.
> 
> Can you give a hint what exactly should be looked at?

https://buildd.debian.org/status/fetch.php?pkg=mariadb-10.0&arch=powerpc&ver=10.0.27-0%2Bdeb8u1&stamp=1473621159

> The bug did not make it clear that there is any problem left at all when 
> I looked at it recently.
> 
> The last message was closing the bug.
> 
> There was a control command reopening the bug without giving any 
> rationale, but the last control command was
>   fixed 832931 10.0.27-1

For unstable, yes. The stable package is still broken.

> buildd.debian.org says that 10.0.27-0+deb8u1 was installed on jessie.[1]

That's an artefact of how builds for suites with "overlays" (i.e. pu /
tpu) are displayed. If one actually looks at the archive:

mariadb-client-10.0 | 10.0.25-0+deb8u1 | stable | powerpc
mariadb-client-10.0 | 10.0.27-0+deb8u1 | stable | amd64, arm64, armel, armhf, i386, mips, mipsel, ppc64el, s390x

Regards,

Adam



Re: Porter roll call for Debian Stretch

2016-10-09 Thread Adrian Bunk
[ adding debian-powerpc ]

On Sun, Oct 09, 2016 at 06:54:44PM +0200, Moritz Mühlenhoff wrote:
> Niels Thykier  schrieb:
> > If I am to support powerpc as a release architecture for Stretch, I
> > need to know that there are *active* porters behind it committed to
> > keeping it in the working.  People who would definitely catch such
> > issues long before the release.  People who file bugs / submit patches etc.
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832931 is about
> a powerpc-specific build failure of mariadb in stable. The maintainer
> said he can't work on it, so if anyone considers himself/herself a
> powerpc porter, this is something to look at.

Can you give a hint what exactly should be looked at?

The bug did not make it clear that there is any problem left at all when 
I looked at it recently.

The last message was closing the bug.

There was a control command reopening the bug without giving any 
rationale, but the last control command was
  fixed 832931 10.0.27-1

buildd.debian.org says that 10.0.27-0+deb8u1 was installed on jessie.[1]

If there is a problem left somewhere it is well-hidden, and not visible 
immediately when looking at the bug - I thought this was already resolved.

> Cheers,
> Moritz

cu
Adrian

[1] https://buildd.debian.org/status/package.php?p=mariadb-10.0&suite=jessie

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed



Re: Porter roll call for Debian Stretch

2016-10-09 Thread Moritz Mühlenhoff
Niels Thykier  schrieb:
> If I am to support powerpc as a release architecture for Stretch, I
> need to know that there are *active* porters behind it committed to
> keeping it in the working.  People who would definitely catch such
> issues long before the release.  People who file bugs / submit patches etc.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832931 is about
a powerpc-specific build failure of mariadb in stable. The maintainer
said he can't work on it, so if anyone considers himself/herself a
powerpc porter, this is something to look at.

Cheers,
Moritz



Processed: official DD

2016-10-09 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> # bugs with submitter b...@sandroknauss.de
> submitter 839905 !
Bug #839905 [pkg-kde-tools] pkgkde-symbolshelper: Use of uninitialized value in 
concatenation (.) or string at /usr/bin/pkgkde-symbolshelper line 318.
Changed Bug submitter to 'Sandro Knauß ' from 'Sandro Knauß 
'.
> submitter 832420 !
Bug #832420 [wnpp] ITP: qtwebengine -- Web content engine library for Qt
Changed Bug submitter to 'Sandro Knauß ' from 'Sandro Knauß 
'.
> submitter 832067 !
Bug #832067 [ring] ring: No interaction via system tray in plasma5 (KDE)
Changed Bug submitter to 'Sandro Knauß ' from 'Sandro Knauß 
'.
> submitter 796744 !
Bug #796744 [release.debian.org] jessie-pu: package 
owncloud-client/1.7.0~beta1+really1.6.4+dfsg-1
Changed Bug submitter to 'Sandro Knauß ' from 'Sandro Knauß 
'.
> submitter 695433 !
Bug #695433 [plasma-netbook] [plasma-netbook] screenlock does not work
Changed Bug submitter to 'Sandro Knauß ' from 
'b...@sandroknauss.de'.
> submitter 760412 !
Bug #760412 [kdelibs5-dev] kdelibs5-dev: Hardcoded "Found KDE 4.12" in 
FindKDE4Internal.cmake
Changed Bug submitter to 'Sandro Knauß ' from 'Sandro Knauß 
'.
> submitter 799267 !
Bug #799267 [ubuntu-dev-tools] [ubuntu-dev-tools] Support for overlay in 
mk-sbuild
Changed Bug submitter to 'Sandro Knauß ' from 
'b...@sandroknauss.de'.
> submitter 778864 !
Bug #778864 [kde-baseapps] kde-baseapps: Include necessary patch for ownclouds 
dolphin plugin
Changed Bug submitter to 'Sandro Knauß ' from 'Sandro Knauß 
'.
> submitter 832103 !
Bug #832103 [docker.io] docker.io: Can't run images after upgrading to 
1.11.2~ds1-6
Changed Bug submitter to 'Sandro Knauß ' from 'Sandro Knauß 
'.
> submitter 796774 !
Bug #796774 [gpgsm] [gpgsm] Can't create new certificate
Changed Bug submitter to 'Sandro Knauß ' from 
'b...@sandroknauss.de'.
> submitter 796490 !
Bug #796490 [texlive-latex-base] [texlive-latex-base] pdflatex does not create 
reproducible pdfs with multiple images
Changed Bug submitter to 'Sandro Knauß ' from 
'b...@sandroknauss.de'.
> # bugs with owner b...@sandroknauss.de
> owner 832420 !
Bug #832420 [wnpp] ITP: qtwebengine -- Web content engine library for Qt
Owner changed from "Sandro Knauß"  to Sandro Knauß 
.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
695433: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695433
760412: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760412
778864: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778864
796490: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796490
796744: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796744
796774: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796774
799267: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799267
832067: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832067
832103: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832103
832420: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832420
839905: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839905
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#813272: marked as done (RM: guile-1.8/1.8.8+1-10)

2016-10-09 Thread Debian Bug Tracking System
Your message dated Sun, 9 Oct 2016 17:16:41 +0300
with message-id <20161009141641.42jxs5zwmpkey...@bunk.spdns.de>
and subject line guile-1.8 has already been removed from unstable and testing
has caused the Debian Bug report #813272,
regarding RM: guile-1.8/1.8.8+1-10
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
813272: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813272
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
X-Debbugs-Cc: guile-...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: rm


According to the maintainer (and several other people) guile-1.8 should
not be released in Stretch, and it's already too much that it ended up in
Jessie.  See #760986

Please remove it from stretch now, it's not being autoremoved because
it's in key_packages (for its popcon, apparently…).
After the removal #783684 should prevent its coming back.

A clean solution (according to my tests with dak rm) would be

remove guile-1.8/1.8.8+1-10 lilypond/2.18.2-4.1 denemo/2.0.0-0.1 songwrite/0.14-10 frescobaldi/2.18.1+ds1-3

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
more about me:  http://mapreri.org  : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-


--- End Message ---
--- Begin Message ---
guile-1.8 has already been removed from unstable and testing.

cu
Adrian

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed
--- End Message ---


Bug#840191: jessie-pu: package gnutls28/3.3.8-6+deb8u4

2016-10-09 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi Stable Release Managers,

X-Debbugs-CC'ed Andreas Metzler.

gnutls28 in jessie is affected by CVE-2016-7444, GNUTLS-SA-2016-3,
having a flaw in the OCSP certificate check. This was fixed upstream
and included in unstable with 3.5.3-4 but would not warrant a DSA.

Attached is proposed debdiff for jessie. Would it be acceptable for an
upcoming point release?

Regards,
Salvatore
diff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog
--- gnutls28-3.3.8/debian/changelog	2015-08-14 18:29:51.0 +0200
+++ gnutls28-3.3.8/debian/changelog	2016-10-09 14:36:18.0 +0200
@@ -1,3 +1,11 @@
+gnutls28 (3.3.8-6+deb8u4) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2016-7444: Incorrect certificate validation when using OCSP responses
+(GNUTLS-SA-2016-3)
+
+ -- Salvatore Bonaccorso   Sun, 09 Oct 2016 14:36:18 +0200
+
 gnutls28 (3.3.8-6+deb8u3) jessie; urgency=medium
 
   * Pull 50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch from
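Review bot: the changelog entry names CVE-2016-7444 and GNUTLS-SA-2016-3 but not the upstream commit the new patch file is taken from (964632f37dfdfb914ebc5e49db4fa29af35b1de9, visible in the patch header) nor this jessie-pu bug (#840191); adding one or both to the entry would let the provenance of the backport be traced from the changelog alone.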
diff -Nru gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch
--- gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch	1970-01-01 01:00:00.0 +0100
+++ gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch	2016-10-09 14:36:18.0 +0200
@@ -0,0 +1,24 @@
+From 964632f37dfdfb914ebc5e49db4fa29af35b1de9 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos 
+Date: Sat, 27 Aug 2016 17:00:22 +0200
+Subject: [PATCH] ocsp: corrected the comparison of the serial size in OCSP
+ response
+
+Previously the OCSP certificate check wouldn't verify the serial length
+and could succeed in cases it shouldn't.
+
+Reported by Stefan Buehler.
+---
+ lib/x509/ocsp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/lib/x509/ocsp.c
 b/lib/x509/ocsp.c
+@@ -1251,6 +1251,7 @@ gnutls_ocsp_resp_check_crt(gnutls_ocsp_r
+ 		gnutls_assert();
+ 		goto cleanup;
+ 	}
++	cserial.size = t;
+ 
+ 	if (rserial.size != cserial.size
+ 	|| memcmp(cserial.data, rserial.data, rserial.size) != 0) {
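Review bot: the single added line `cserial.size = t;` is the whole fix, and the hunk context does not show where `t` is assigned, so for a backport of a 3.5-era commit into 3.3.8 it is worth confirming in the jessie source that `t` holds the certificate serial's length at this point of lib/x509/ocsp.c (the @@ -1251 offset) and not some earlier buffer size. With the length set, the existing `rserial.size != cserial.size` test runs before `memcmp(cserial.data, rserial.data, rserial.size)`, which is also what keeps that memcmp from reading past a certificate serial shorter than the responder's. The patch header carries the upstream commit id in git format but no DEP-3 `Origin:` line; adding `Origin: upstream, <commit URL>` would match the other 5x_ patches' conventions and help the next person who rebases the series.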
diff -Nru gnutls28-3.3.8/debian/patches/series gnutls28-3.3.8/debian/patches/series
--- gnutls28-3.3.8/debian/patches/series	2015-08-13 19:52:00.0 +0200
+++ gnutls28-3.3.8/debian/patches/series	2016-10-09 14:36:18.0 +0200
@@ -14,3 +14,4 @@
 51_0001__gnutls_session_sign_algo_enabled-do-not-consider-an.patch
 51_0002_before-falling-back-to-SHA1-as-signature-algorithm-i.patch
 51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch
+52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch
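To make the flaw class the debdiff above closes concrete, here is an added illustration (not GnuTLS code and not part of the debdiff) of why comparing two DER serials without first verifying their lengths is unsafe: a constructed responder serial that is only a prefix of the certificate serial passes the unchecked comparison but not the checked one. The `serial_t` type, the two comparison functions and the sample serials are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of a DER INTEGER serial as the OCSP code holds it: bytes plus
 * length. Constructed for this example; not GnuTLS's own type. */
typedef struct {
    const unsigned char *data;
    size_t size;
} serial_t;

/* Model of the pre-fix behaviour: the certificate serial's length is not
 * established before comparing, so only rserial.size bytes are compared.
 * A certificate serial that merely begins with the responder's serial
 * bytes is accepted, and if rserial were longer than the certificate
 * serial the memcmp would read past the certificate buffer. */
bool serial_match_unchecked(serial_t cserial, serial_t rserial)
{
    return memcmp(cserial.data, rserial.data, rserial.size) == 0;
}

/* Model of the fixed behaviour: once cserial.size is set from the parsed
 * length, the length check runs before any bytes are compared, so a
 * prefix match fails and memcmp never overruns the shorter buffer. */
bool serial_match_checked(serial_t cserial, serial_t rserial)
{
    if (rserial.size != cserial.size)
        return false;
    return memcmp(cserial.data, rserial.data, rserial.size) == 0;
}

/* Constructed sample serials (not from any real certificate or response). */
static const unsigned char CERT_SERIAL[]        = { 0x01, 0x02, 0x03, 0x04, 0x05 };
static const unsigned char RESP_SERIAL_EXACT[]  = { 0x01, 0x02, 0x03, 0x04, 0x05 };
static const unsigned char RESP_SERIAL_PREFIX[] = { 0x01, 0x02, 0x03 };
static const unsigned char RESP_SERIAL_OTHER[]  = { 0x01, 0x02, 0x03, 0x04, 0x06 };

/* Returns 1 when the unchecked comparison accepts a responder serial that
 * is only a prefix of the certificate serial while the checked comparison
 * rejects it, i.e. when the flaw the patch closes is reproduced. Both
 * comparisons must still agree on the exact and the clearly different serial. */
int demonstrate_serial_length_flaw(void)
{
    serial_t cert   = { CERT_SERIAL, sizeof CERT_SERIAL };
    serial_t exact  = { RESP_SERIAL_EXACT, sizeof RESP_SERIAL_EXACT };
    serial_t prefix = { RESP_SERIAL_PREFIX, sizeof RESP_SERIAL_PREFIX };
    serial_t other  = { RESP_SERIAL_OTHER, sizeof RESP_SERIAL_OTHER };

    bool sane = serial_match_unchecked(cert, exact) && serial_match_checked(cert, exact)
             && !serial_match_unchecked(cert, other) && !serial_match_checked(cert, other);
    bool flaw = serial_match_unchecked(cert, prefix) && !serial_match_checked(cert, prefix);
    return (sane && flaw) ? 1 : 0;
}

int main(void)
{
    printf("prefix-only responder serial accepted without length check: %s\n",
           demonstrate_serial_length_flaw() ? "yes" : "no");
    return 0;
}
```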


Bug#836795: jessie-pu: package samba/2:4.1.17+dfsg-2+deb8u2

2016-10-09 Thread Jelmer Vernooij
On Sun, Oct 09, 2016 at 10:34:55AM +0100, Adam D. Barratt wrote:
> On Sun, 2016-10-09 at 00:16 +, Jelmer Vernooij wrote:
> > On Sat, Sep 24, 2016 at 08:14:38PM +0100, Adam D. Barratt wrote:
> > > Control: tags -1 -moreinfo +confirmed
> > > 
> > > On Mon, 2016-09-05 at 20:50 +, Jelmer Vernooij wrote:
> > > > I'd like to update Samba in jessie to 4.2.14+dfsg. Debdiff is attached.
> > > > 
> > > > The 4 Samba releases since 4.2.10 (currently in jessie) only fix
> > > > important bugs, in particular a CVE (CVE-2016-2119) and various
> > > > regressions introduced by the security fixes from 4.2.10.
> > > 
> > > Please go ahead, with the changelog distribution set to "jessie".
> > > 
> > > I'll hopefully be able to find a suitable machine on my work network to
> > > test with, and I assume at least Lars Maes would also be happy to test.
> > 
> > Can I also upload a new minor version of tevent that's required by
> > this version of Samba?
> 
> I'd prefer a separate bug for that, please, as tracking one package
> upload per p-u bug makes things much easier.

Done, submitted as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840188




Bug#836795: jessie-pu: package samba/2:4.1.17+dfsg-2+deb8u2

2016-10-09 Thread Adam D. Barratt
On Sun, 2016-10-09 at 00:16 +, Jelmer Vernooij wrote:
> On Sat, Sep 24, 2016 at 08:14:38PM +0100, Adam D. Barratt wrote:
> > Control: tags -1 -moreinfo +confirmed
> > 
> > On Mon, 2016-09-05 at 20:50 +, Jelmer Vernooij wrote:
> > > I'd like to update Samba in jessie to 4.2.14+dfsg. Debdiff is attached.
> > > 
> > > The 4 Samba releases since 4.2.10 (currently in jessie) only fix
> > > important bugs, in particular a CVE (CVE-2016-2119) and various
> > > regressions introduced by the security fixes from 4.2.10.
> > 
> > Please go ahead, with the changelog distribution set to "jessie".
> > 
> > I'll hopefully be able to find a suitable machine on my work network to
> > test with, and I assume at least Lars Maes would also be happy to test.
> 
> Can I also upload a new minor version of tevent that's required by
> this version of Samba?

I'd prefer a separate bug for that, please, as tracking one package
upload per p-u bug makes things much easier.

Regards,

Adam



Re: Stretch freeze and the possible future upload of MATE 1.18

2016-10-09 Thread Emilio Pozuelo Monfort
On 09/10/16 00:22, Mike Gabriel wrote:
> Hi Vlad,
> 
> thanks for taking this initiative of communication. Much appreciated.
> 
> I try to give some answers, Niels may jump in and correct me, if necessary.
> 
> On  Fr 07 Okt 2016 14:51:47 CEST, Vlad Orlov wrote:
> 
>> Hi,
>>
>>> It depends on what the MATE release includes. If it involves a
>>> transition (e.g. ABI / API bumps), then you are looking at 5th of
>>> November as deadline.
>>
>> Hmm... does it mean changes in soname of some library from MATE
>> that will cause package name change? E.g. libmate-desktop-2.so ->
>> libmate-desktop-3.so, then package libmate-desktop-2-17 would have
>> its name changed too.
> 
> Yes. And all packages build-depending on libmate-desktop-dev would require to be
> rebuilt.
> 
> In MATE this is non-critical as long as only MATE packages B-D on
> libmate-desktop-dev. But if there is any package outside of the Debian MATE
> team's scope, then this gets nasty so close to the freeze.

In theory, that is irrelevant. A library transition is a library transition, and
the transition freeze is on November the 5th. So if you have a library that
bumps the SONAME, then you should do that before that date.

>> Or does something else count as transition? E.g. if some of MATE
>> packages would change dependency from libmateweather to libgweather.
> 
> No. This should be fine.

That's fine indeed. Porting your apps (or even libraries, as long as you don't
break the ABI) from a library to another, e.g. from mateweather to libgweather,
or from libunique to GtkApplication is fine.

>>> Otherwise, I strongly recommend using early/mid-December as the latest
>>> deadline upstream.  That way the MATE packaging has 2-3 weeks to get it
>>> uploaded plus another 2-3 to fix any bugs without any extra hassle.  I
>>> assume here that there is no need for new packages (based on your input
>>> below).
>>
>> Yes, there's no plan to add new packages into MATE.
> 
> Ok. Good.
> 
>> So December means we need to meet soft freeze date (2017-01-05)?
>> That is, if we already handled the transitions.
> 
> By this date, packages have to be landed in testing. So, they have to be
> uploaded to unstable "a couple of days" earlier. With the last freeze for
> jessie, there was 10 days delay for the migration of packages from unstable to
> testing. IIRC.
> 
>> Are new upstream versions allowed into Testing between soft freeze
>> and full freeze (provided that these are only new versions, not new
>> packages)?
> 
> IIRC, this was possible with review by someone from the release team. As the
> MATE upstream team is really careful and minimal with the changes in point
> release, I'd say all potential upstream releases of MATE within one release
> series (i.e. within 1.16 or 1.18) would be good candidates for receiving
> permission to be uploaded.

Review is required after the full freeze (a freeze exception). Between soft
freeze and full freeze, a new version can be uploaded, but beware of the 10 day
migration delay, possible build failures, RC bugs, new dependencies... that
could delay your package migration. So don't upload 10 days before the freeze,
do it with more margin as to allow for any necessary fixes.

So yes, I'd suggest to get everything released and uploaded sometime in
December, to then have a little time to get everything migrated.

Cheers,
Emilio



Re: jessie-ignore for "maintainer address bounces" bugs?

2016-10-09 Thread Emilio Pozuelo Monfort
On 08/10/16 09:51, Andreas Beckmann wrote:
> On 2016-09-10 10:37, Andreas Beckmann wrote:
>> Hi,
>>
>> would it be OK to tag "maintainer address bounces" bugs as jessie-ignore?
> 
> This would affect about 10 bugs in jessie and a few less in wheezy.

I wouldn't do that to these bugs for now, as I think they should be fixed and
are easy to do so. In any case, we'll review all bugs by the time of the freeze
and will add the tag to those we think need it.

Emilio