Bug#950716: transition: ruby2.7

[Daniel Leidert]

Am Montag, den 02.03.2020, 15:01 -0300 schrieb Lucas Kanashiro:
> On 02/03/2020 08:35, Graham Inggs wrote:
> > Hi Lucas
> > 
> > I notice kamailio and klayout still appear red in the Debian tracker
> > [1], but went green in Ubuntu [2].
> > 
> > Do you have any ideas?  Do we miss something in Debian?
> 
> Since we basically have the same version in Debian and Ubuntu I believe
> the only difference is that in Ubuntu we already have Ruby 2.7 as the
> only default, in Debian it is just in experimental. So when we upload
> version 1:2.7~0 to unstable they should get green as in Ubuntu.

Can yóu please schedule a rebuild of facter too? At least three FTBFS reports
are caused by factor only providing the Ruby2.5 library (#952024, #952022,
#952070). I cannot upload the fixed packages. If this is not the right place,
please let me know.

Regarding this issue: should the ben file include sources build-depending on
ruby-all-dev?

$ reverse-depends -lb ruby-all-dev
broccoli-ruby
facter
gem2deb
libprelude
ruby-ffi
ruby-pgplot
rubygems-integration
sonic-pi
uwsgi
xapian-bindings

Regards, Daniel


signature.asc
Description: This is a digitally signed message part

Bug#951209: transition: libgusb

[Laurent Bigonville]

On Tue, 3 Mar 2020 20:19:12 +0100 Julien Cristau  
wrote:

> On Wed, Feb 12, 2020 at 03:24:42PM +0100, Laurent Bigonville wrote:
> > libgusb is carrying in debian a patch[0] to revert/fix an after the 
fact

> > change that was done upstream in the versioning of the symbols.
> >
> > I don't think we should/can carry this patch forever and due to the 
fact
> > that the number of reverse-dependencies is quite limited, I was 
planning

> > to simply drop it, but that would require to binNMU them to be
> > certain they are using the correct version of the symbol.
> >
> IMO we should keep compatibility with the old version until the next
> upstream SONAME bump. That might mean keeping this patch, or something
> different, if we can add properly versioned aliases for the affected
> symbols?

I'm not exactly sure how to do that TBH

FTR, a more persistent link to the file was talking about in my initial 
mail 
https://salsa.debian.org/debian/libgusb/-/blob/80d3862872ff72b9cf10c90959973baf9755c7e9/debian/patches/revert-versioning.patch

Bug#950795: buster-pu: package puma/3.12.0-2

[Daniel Leidert]

Am Dienstag, den 03.03.2020, 20:37 + schrieb Adam D. Barratt:
> On Thu, 2020-02-06 at 17:33 +0100, Daniel Leidert wrote:
> > The proposed update will fix CVE-2019-16770 (#946312) for Buster
> > users. The security team marked the issue no-dsa and asked to
> > schedule the fix via the next point release. The debdiff is attached.
> > The patch to fix the CVE has been taken from upstream's Git
> > repository.
> 
> +puma (3.12.0-2+deb10u1) buster-security; urgency=medium
> 
> Just "buster" for p-u, please.

Yes I already saw it. I prepared the upload first for security. But they asked
me to do the upload via p-u. I'll fix this.

> +Subject: Merge pull request from GHSA-7xx3-m584-x994
> +
> +could monopolize a thread. Previously, this could make a DoS attack more
> +severe.
> 
> Is there a missing line (or at least words) before "could monopolize"
> there?

No. This is the original commit message I kept from upstream. 

> In any case, please go ahead (with the fixed distribution).

Thanks.

Regards, Daniel


signature.asc
Description: This is a digitally signed message part

Bug#953005: buster-pu: package serverspec-runner/1.2.2-1+deb10u1

[Adam D. Barratt]

Control: tags -1 -moreinfo +confirmed

On Tue, 2020-03-03 at 20:43 +0100, Daniel Leidert wrote:
> Package: release.debian.org
> Followup-For: Bug #953005
> 
> Sorry. Now it should be.
> 

Thanks, please go ahead.

Regards,

Adam

Processed: Re: Bug#950795: buster-pu: package puma/3.12.0-2

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #950795 [release.debian.org] buster-pu: package puma/3.12.0-2
Added tag(s) confirmed.

-- 
950795: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950795
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#950795: buster-pu: package puma/3.12.0-2

[Adam D. Barratt]

Control: tags -1 + confirmed

On Thu, 2020-02-06 at 17:33 +0100, Daniel Leidert wrote:
> The proposed update will fix CVE-2019-16770 (#946312) for Buster
> users. The security team marked the issue no-dsa and asked to
> schedule the fix via the next point release. The debdiff is attached.
> The patch to fix the CVE has been taken from upstream's Git
> repository.

+puma (3.12.0-2+deb10u1) buster-security; urgency=medium

Just "buster" for p-u, please.

+Subject: Merge pull request from GHSA-7xx3-m584-x994
+
+could monopolize a thread. Previously, this could make a DoS attack more
+severe.

Is there a missing line (or at least words) before "could monopolize"
there?

In any case, please go ahead (with the fixed distribution).

Regards,

Adam

Processed: Re: Bug#953005: buster-pu: package serverspec-runner/1.2.2-1+deb10u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 -moreinfo +confirmed
Bug #953005 [release.debian.org] buster-pu: package 
serverspec-runner/1.2.2-1+deb10u1
Removed tag(s) moreinfo.
Bug #953005 [release.debian.org] buster-pu: package 
serverspec-runner/1.2.2-1+deb10u1
Added tag(s) confirmed.

-- 
953005: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953005
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#953005: buster-pu: package serverspec-runner/1.2.2-1+deb10u1

[Daniel Leidert]

Package: release.debian.org
Followup-For: Bug #953005

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Sorry. Now it should be.


- -- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 
'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.3.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEvu1N7VVEpMA+KD3HS80FZ8KW0F0FAl5es1gACgkQS80FZ8KW
0F0jvw//Wp6PT3t3pNC8alsKBju7IbOwPFgBRKhe2LsG27JMWvYu/6VIzfay5K1Q
FaTVGv+nYHLvf+NXUq/zymzRX/3CYOqbtmze07VCsBP6/jMzVFMmhIDEKhPyawzJ
c5AXnsqOX/hiAstInS3ma9dJgMXUPTl/gh77G4YfprtKkwiIHdSOo9aderf7z5KY
uFTDdeuuXuGmRa/68rCmhtvO1BCJkGxN5AA88TTYVaJj9AxI7m2h3xVKcM7sqVGH
v8G0mhkKuc7NLD9Vnbv4hUlXpLSe4oc3yRQT4VDubN3y9a5NV3bZZUoxtjHg0MTj
po+h18br9huPqRCoZmzSlRNZX5Sxm5nvDWOq2cxFazk4/lMrBUtDsJogL7lUFtdZ
V+NyliM+/fOSP2TsGUlh4cmZY+wSAnZ7+jR6+oy+YSZJnubLGNo0KrPvZglfqgPi
FAiobAN/qicxGANYoiWeOpYvwSBB5W4OAV7et0SbL1t0f6/I8yEH+4SPgFOuqegY
ldhRPeqQ/d8zuhtDfxLlKYp6coSgmoh04HoG0ijjDN1eUkyZjvjNEcPJSC4j95+c
9fcn8s5DsKN1swljMwRFdUJrVBmjwCw6+PBheu24nDUnPa7dFESP31FUD6kflaW+
QK23ZRjHdDRhvbtnWyKXD5W//5diCWVNyfLI2Q/Zr3b7qc3iKDk=
=ZiIa
-END PGP SIGNATURE-
diff -Nru serverspec-runner-1.2.2/debian/changelog 
serverspec-runner-1.2.2/debian/changelog
--- serverspec-runner-1.2.2/debian/changelog2016-09-15 12:48:17.0 
+0200
+++ serverspec-runner-1.2.2/debian/changelog2020-03-02 23:41:24.0 
+0100
@@ -1,3 +1,11 @@
+serverspec-runner (1.2.2-1+deb10u1) buster; urgency=medium
+
+  * d/patches/fix-yaml-load-document-missing: Add patch.
+- Support Ruby 2.5 and replace YAML.load_documents (closes: #939645).
+  * d/patches/series: Add new patch.
+
+ -- Daniel Leidert   Mon, 02 Mar 2020 23:41:24 +0100
+
 serverspec-runner (1.2.2-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru serverspec-runner-1.2.2/debian/patches/fix-yaml-load-document-missing 
serverspec-runner-1.2.2/debian/patches/fix-yaml-load-document-missing
--- serverspec-runner-1.2.2/debian/patches/fix-yaml-load-document-missing   
1970-01-01 01:00:00.0 +0100
+++ serverspec-runner-1.2.2/debian/patches/fix-yaml-load-document-missing   
2020-03-02 23:41:24.0 +0100
@@ -0,0 +1,19 @@
+From: hiracy 
+Date: Fri, 16 Nov 2018 19:43:15 +0900
+Acked-By: Daniel Leidert 
+Origin: 
https://github.com/hiracy/serverspec-runner/commit/c459787defe1b08bbe46a5acf0ea07039fe44f61.patch
+Bug-Debian: https://bugs.debian.org/939645
+Description: [PATCH] Support ruby 2.5 over
+  Use YAML.load_stream instead of YAML.load_documents.
+
+--- a/Rakefile
 b/Rakefile
+@@ -165,7 +165,7 @@
+   end
+ 
+   File.open(ENV['scenario'] || "#{ENV['specroot']}/scenario.yml") do |f|
+-YAML.load_documents(f).each_with_index do |data, idx|
++YAML.load_stream(f).each_with_index do |data, idx|
+   if idx == 0
+ scenarios = data
+   else
diff -Nru serverspec-runner-1.2.2/debian/patches/series 
serverspec-runner-1.2.2/debian/patches/series
--- serverspec-runner-1.2.2/debian/patches/series   2016-09-01 
13:13:41.0 +0200
+++ serverspec-runner-1.2.2/debian/patches/series   2020-03-02 
23:41:24.0 +0100
@@ -1 +1,2 @@
 fix-path-issue
+fix-yaml-load-document-missing

Bug#951209: transition: libgusb

[Julien Cristau]

On Wed, Feb 12, 2020 at 03:24:42PM +0100, Laurent Bigonville wrote:
> libgusb is carrying in debian a patch[0] to revert/fix an after the fact
> change that was done upstream in the versioning of the symbols.
> 
> I don't think we should/can carry this patch forever and due to the fact
> that the number of reverse-dependencies is quite limited, I was planning
> to simply drop it, but that would require to binNMU them to be
> certain they are using the correct version of the symbol.
> 
IMO we should keep compatibility with the old version until the next
upstream SONAME bump.  That might mean keeping this patch, or something
different, if we can add properly versioned aliases for the affected
symbols?

Cheers,
Julien

Bug#952586: buster-pu: package backuppc/3.3.2-2

[Adam D. Barratt]

Control: tags -1 + confirmed

On Wed, 2020-02-26 at 12:26 +, Jonathan Wiltshire wrote:
> I'd like to fix an important bug in backuppc which prevents
> `systemd reload backuppc.service` from failing. As a result of this
> bug backuppc has to be restarted for systemd's supervision to be
> reset, which interrupts ongoing jobs.
> 

Please go ahead.

Regards,

Adam

Processed: Re: Bug#952586: buster-pu: package backuppc/3.3.2-2

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #952586 [release.debian.org] buster-pu: package backuppc/3.3.2-2
Added tag(s) confirmed.

-- 
952586: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952586
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#952441: buster-pu: package user-mode-linux/4.19-1um-1+b1

[Adam D. Barratt]

Control: tags -1 -moreinfo +confirmed

On Wed, 2020-02-26 at 11:02 +0100, Santiago R.R. wrote:
> Control: fixed 951329 user-mode-linux/5.4-1um-2
> 
> El 25/02/20 a las 21:05, Adam D. Barratt escribió:
> > Control: tags -1 + moreinfo
> > 
> > On Mon, 2020-02-24 at 14:49 +0100, Santiago R.R. wrote:
> > > I would like to upload user-mode-linux to buster to fix this
> > > FTBFS:
> > > https://bugs.debian.org/951329. Ritesh Raj Sarraf (rrs) has
> > > already
> > > given his ACK.
> > > 
> > 
> > The metadata for that bug suggests that it affects the package in
> > unstable, and is not currently fixed there. Is that correct?
> > 
> > If it is, the issue should be fixed in unstable first. If not, the
> > bug
> > report should have an appropriate "fixed" version added, indicating
> > the
> > earliest upload that's unaffected.
> 
> Hi Adam,
> 
> Thanks! I forgot clarifying that this didn't affect unstable.
> Hopefully
> the above control command fix that.
> 
> Also, I realised the changelog did not describe how the bug was
> fixed.
> 

Thanks, please go ahead.

Regards,

Adam

Processed: Re: Bug#952441: buster-pu: package user-mode-linux/4.19-1um-1+b1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 -moreinfo +confirmed
Bug #952441 [release.debian.org] buster-pu: package 
user-mode-linux/4.19-1um-1+b1
Removed tag(s) moreinfo.
Bug #952441 [release.debian.org] buster-pu: package 
user-mode-linux/4.19-1um-1+b1
Added tag(s) confirmed.

-- 
952441: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952441
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#952785: buster-pu: package dojo/1.15.0+dfsg1-1+deb10u1

[Adam D. Barratt]

Control: tags -1 + confirmed

On Mon, 2020-03-02 at 11:28 +0100, Xavier wrote:
> Le 01/03/2020 à 22:52, Andreas Beckmann a écrit :
> > > +#CVE-2019-10785.patch
> > 
> > The patch is commented in the series file and thus does not get
> > applied.
> > 
> > Andreas
> 
> Sorry for this  error. Here is the real patch.
> 

Thanks, please go ahead.

Regards,

Adam

Processed: Re: Bug#952785: buster-pu: package dojo/1.15.0+dfsg1-1+deb10u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #952785 [release.debian.org] buster-pu: package dojo/1.15.0+dfsg1-1+deb10u1
Added tag(s) confirmed.

-- 
952785: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952785
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#952960: buster-pu: package ruby-factory-girl-rails/4.7.0-1+deb10u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 +confirmed -moreinfo
Bug #952960 [release.debian.org] buster-pu: package 
ruby-factory-girl-rails/4.7.0-1+deb10u1
Added tag(s) confirmed.
Bug #952960 [release.debian.org] buster-pu: package 
ruby-factory-girl-rails/4.7.0-1+deb10u1
Removed tag(s) moreinfo.

-- 
952960: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952960
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#952960: buster-pu: package ruby-factory-girl-rails/4.7.0-1+deb10u1

[Adam D. Barratt]

Control: tags -1 +confirmed -moreinfo

On Mon, 2020-03-02 at 18:59 +0100, Daniel Leidert wrote:
> Package: release.debian.org
> Followup-For: Bug #952960
> 
> I've uploaded the fix to unstable and updated the diff (Vcs* fields
> changed, see attached).
> 

Thanks, please go ahead.

Regards,

Adam

Bug#953005: buster-pu: package serverspec-runner/1.2.2-1+deb10u1

[Adam D. Barratt]

Control: tags -1 + moreinfo

On Tue, 2020-03-03 at 01:00 +0100, Daniel Leidert wrote:
> This update is to fix #939645 [1]. The debdiff is attached.

Apparently not. :-)

Regards,

Adam

Processed: Re: Bug#953005: buster-pu: package serverspec-runner/1.2.2-1+deb10u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + moreinfo
Bug #953005 [release.debian.org] buster-pu: package 
serverspec-runner/1.2.2-1+deb10u1
Added tag(s) moreinfo.

-- 
953005: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953005
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#953029: RM: node-nodedbi/1.0.13+dfsg-1

[Xavier Guimard]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

Hi,

node-nodedbi is incompatible with Node.js ≥ 12 (#953028). I'd like to
see it removed from testing (only) to permit Node.js 12 migration.

Cheers,
Xavier

Bug#953024: transition: zita-convolver

[Dennis Braun]

Yes, all should work fine.
Bug fixes for jconvolver and zita-bls1 are waiting in experimental.

Am 03.03.20 um 14:15 schrieb Emilio Pozuelo Monfort:
> On 03/03/2020 13:19, Dennis Braun wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: transition
>>
>> With zita-convolver 4.0.3 the library name changes from libzita-convolver3 to
>> libzita-convolver4.
>>
>> Affected packages:
>>
>> guitarix
>> ir.lv2
>> jconvolver
>> pulseeffects
>> x42-plugins
>> zita-bls1
>> zita-convolver
> Do these build fine against the new zita-convolver?
>
> Emilio




signature.asc
Description: OpenPGP digital signature

Bug#953024: transition: zita-convolver

[Emilio Pozuelo Monfort]

On 03/03/2020 13:19, Dennis Braun wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
> 
> With zita-convolver 4.0.3 the library name changes from libzita-convolver3 to
> libzita-convolver4.
> 
> Affected packages:
> 
> guitarix
> ir.lv2
> jconvolver
> pulseeffects
> x42-plugins
> zita-bls1
> zita-convolver

Do these build fine against the new zita-convolver?

Emilio

Bug#953024: transition: zita-convolver

[Dennis Braun]

s/library name/package name of the library/g



signature.asc
Description: OpenPGP digital signature

Bug#953024: transition: zita-convolver

[Dennis Braun]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

With zita-convolver 4.0.3 the library name changes from libzita-convolver3 to
libzita-convolver4.

Affected packages:

guitarix
ir.lv2
jconvolver
pulseeffects
x42-plugins
zita-bls1
zita-convolver

See: https://release.debian.org/transitions/html/auto-zita-convolver.html

Ben file:

title = "zita-convolver";
is_affected = .build-depends ~ /libzita-convolver-dev/ | .build-depends-indep ~
/libzita-convolver-dev/;
is_affected = .depends ~ "libzita-convolver3" | .depends ~ "libzita-
convolver4";
is_good = .depends ~ "libzita-convolver4";
is_bad = .depends ~ "libzita-convolver3";



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled