Bug#1055194: transition: openturns
Dear Release Team,

I think this bug can be closed now, as the transition has been done. I am not doing it myself in case I might have missed something...

Best,
-- Pierre
Bug#1055194: transition: openturns
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: opentu...@packages.debian.org
Control: affects -1 + src:openturns

Dear Release Team,

I would like to request a transition slot for openturns. It has been accepted into experimental after a SONAME bump, as some symbols changed in a non-backward-compatible way. It builds correctly. There is only one rdep, persalys, which FTBFS against the new openturns, but the new upstream version of persalys builds correctly in experimental (upstream is the same). I have filed an Important bug anyway, #1055050. The auto-generated Ben file in the transition tracker looks good.

Thanks a lot,
-- Pierre
Bug#1050537: bookworm-pu: package batik/1.16+dfsg-1+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ba...@packages.debian.org
Control: affects -1 + src:batik

Dear Release Team,

I would like to propose an upload of batik in the next point release.

[ Reason ]
CVE-2022-44729 and CVE-2022-44730 have been filed against batik. They are fixed in sid (and soon trixie). I discussed with the Security team; they said a DSA is not needed but suggested fixing the CVEs in bookworm in a point release. The two CVEs are corrected by backporting upstream changes.

[ Impact ]
The two CVEs would remain: ``A malicious SVG can probe user profile / data and send it directly as parameter to a URL.'' and ``A malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure.''

[ Tests ]
The rdeps using the classes touched by upstream corrections were rebuilt in a bookworm chroot. No additional tests were made.

[ Risks ]
Code is quite trivial and it is a direct backport of changes made in version 1.17, currently in sid. Risks due to the changes in the code are quite limited in my opinion, but batik has many rdeps so you might consider the security risks are not important enough to deserve an update in a point release.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Changes are in 7 files and consist of:
- Blocking loading external resource by default http://svn.apache.org/viewvc?view=revision=1905049
- Switching to empty whitelist of packages for the class RhinoClassShutter https://svn.apache.org/viewvc?view=revision=1905011

Thanks for your attention,
-- Pierre

diff -Nru batik-1.16+dfsg/debian/changelog batik-1.16+dfsg/debian/changelog --- batik-1.16+dfsg/debian/changelog2022-10-27 18:27:37.0 +0200 +++ batik-1.16+dfsg/debian/changelog2023-08-24 21:28:00.0 +0200 @@ -1,3 +1,9 @@ +batik (1.16+dfsg-1+deb12u1) bookworm; urgency=medium + + * Fixing CVE-2022-44729 and CVE-2022-44730 + + -- Pierre Gruet Thu, 24 Aug 2023 21:28:00 +0200 + batik (1.16+dfsg-1) unstable; urgency=medium * New upstream version 1.16+dfsg, fixing security issues: diff -Nru batik-1.16+dfsg/debian/patches/CVE-2022-447xx.patch batik-1.16+dfsg/debian/patches/CVE-2022-447xx.patch --- batik-1.16+dfsg/debian/patches/CVE-2022-447xx.patch 1970-01-01 01:00:00.0 +0100 +++ batik-1.16+dfsg/debian/patches/CVE-2022-447xx.patch 2023-08-24 21:27:27.0 +0200
@@ -0,0 +1,208 @@ +Description: fixing CVE-2022-44729 and CVE-2022-44730 + by applying the file changes of upstream commits fixing the CVE +Author: Pierre Gruet +Origin: upstream, https://issues.apache.org/jira/browse/BATIK-1347 and https://issues.apache.org/jira/browse/BATIK-1349 +Forwarded: not-needed +Last-Update: 2023-08-24 + +--- a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java +@@ -77,6 +77,9 @@ +ParsedURL docURL){ + // Make sure that the archives comes from the same host + // as the document itself ++if (DATA_PROTOCOL.equals(externalResourceURL.getProtocol())) { ++return; ++} + if (docURL == null) { + se = new SecurityException + (Messages.formatMessage(ERROR_CANNOT_ACCESS_DOCUMENT_URL, +--- a/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java b/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java +@@ -21,6 +21,7 @@ + import org.mozilla.javascript.ClassShutter; + + import java.util.Arrays; ++import java.util.ArrayList; + import java.util.List; + + /** +@@ -30,7 +31,7 @@ + * @version $Id: RhinoClassShutter.java 1904565 2022-10-13 11:05:28Z ssteiner $ + */ + public class RhinoClassShutter implements ClassShutter { +-private static final List WHITELIST = Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL"); ++ public static final List WHITELIST = new ArrayList<>(); + + /* + public RhinoClassShutter() { +@@ -59,56 +60,12 @@ + * Returns whether the given class is visible to scripts. + */ + public boolean visibleToScripts(String fullClassName) { +-if (!WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission") && !fullClassName.startsWith("org.")) { +-return false; +-} +- +-// Don't let them mess with script engine's internals. +-if (fullClassName.startsWith("org.mozilla.javascript")) +-return false; +- +-if (fullClassName.startsWith("org.
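Review bot: in the DefaultExternalResourceSecurity hunk the new `if (DATA_PROTOCOL.equals(externalResourceURL.getProtocol())) { return; }` sits before the `docURL == null` check, so a `data:` resource is accepted even when the document has no URL at all; that is the intended exemption (inline data is not an external fetch), but the comment immediately above it, `// Make sure that the archives comes from the same host`, now describes only the remaining branch and should state that `data:` URLs are allowed unconditionally, otherwise the next reader will take the early return for a bug.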
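Review bot: the RhinoClassShutter hunk turns `private static final List WHITELIST = Arrays.asList(...)` into `public static final List WHITELIST = new ArrayList<>()`, so the list is now both empty and mutable by any code that can reach the class; that is how an application opts specific classes back in, but the raw `List` type should be `List<String>` so that additions stay type-checked, and the changelog line `Fixing CVE-2022-44729 and CVE-2022-44730` should say that the three previously allowed classes (java.io.PrintStream, java.lang.System, java.net.URL) are no longer visible to scripts by default, since that is the change rdep maintainers and users of batik's scripting will actually notice.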
Bug#1050538: bullseye-pu: package batik/1.12-4+deb11u2
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ba...@packages.debian.org
Control: affects -1 + src:batik

Dear Release Team,

I would like to propose an upload of batik in the next point release.

[ Reason ]
CVE-2022-44729 and CVE-2022-44730 have been filed against batik. They are fixed in sid (and soon trixie). I discussed with the Security team; they said a DSA is not needed but suggested fixing the CVEs in bullseye in a point release. The two CVEs are corrected by backporting upstream changes.

[ Impact ]
The two CVEs would remain: ``A malicious SVG can probe user profile / data and send it directly as parameter to a URL.'' and ``A malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure.''

[ Tests ]
The rdeps using the classes touched by upstream corrections were rebuilt in a bullseye chroot. No additional tests were made.

[ Risks ]
Code is quite trivial and it is a direct backport of changes made in version 1.17, currently in sid. Risks due to the changes in the code are quite limited in my opinion, but batik has many rdeps so you might consider the security risks are not important enough to deserve an update in a point release.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in oldstable
[X] the issue is verified as fixed in unstable

[ Changes ]
Changes are in 7 files and consist of:
- Blocking loading external resource by default http://svn.apache.org/viewvc?view=revision=1905049
- Switching to empty whitelist of packages for the class RhinoClassShutter https://svn.apache.org/viewvc?view=revision=1905011

Thanks for your attention,
-- Pierre

diff -Nru batik-1.12/debian/changelog batik-1.12/debian/changelog --- batik-1.12/debian/changelog 2022-10-29 16:22:11.0 +0200 +++ batik-1.12/debian/changelog 2023-08-25 11:07:07.0 +0200 @@ -1,3 +1,10 @@ +batik (1.12-4+deb11u2) bullseye; urgency=medium + + * Team upload. + * Fixing CVE-2022-44729 and CVE-2022-44730 + + -- Pierre Gruet Fri, 25 Aug 2023 11:07:07 +0200 + batik (1.12-4+deb11u1) bullseye-security; urgency=high * Team upload. diff -Nru batik-1.12/debian/patches/CVE-2022-447xx.patch batik-1.12/debian/patches/CVE-2022-447xx.patch --- batik-1.12/debian/patches/CVE-2022-447xx.patch 1970-01-01 01:00:00.0 +0100 +++ batik-1.12/debian/patches/CVE-2022-447xx.patch 2023-08-25 11:06:23.0 +0200
@@ -0,0 +1,199 @@ +Description: fixing CVE-2022-44729 and CVE-2022-44730 + by applying the file changes of upstream commits fixing the CVE +Author: Pierre Gruet +Origin: upstream, https://issues.apache.org/jira/browse/BATIK-1347 and https://issues.apache.org/jira/browse/BATIK-1349 +Forwarded: not-needed +Last-Update: 2023-08-24 + +--- a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java +@@ -74,6 +74,9 @@ +ParsedURL docURL){ + // Make sure that the archives comes from the same host + // as the document itself ++if (DATA_PROTOCOL.equals(externalResourceURL.getProtocol())) { ++return; ++} + if (docURL == null) { + se = new SecurityException + (Messages.formatMessage(ERROR_CANNOT_ACCESS_DOCUMENT_URL, +--- a/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java b/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java +@@ -20,6 +20,7 @@ + + import org.mozilla.javascript.ClassShutter; + import java.util.Arrays; ++import java.util.ArrayList; + import java.util.List; + + /** +@@ -29,7 +30,7 @@ + * @version $Id: RhinoClassShutter.java 1733416 2016-03-03 07:07:13Z gadams $ + */ + public class RhinoClassShutter implements ClassShutter { +-private static final List WHITELIST = Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL"); ++ public static final List WHITELIST = new ArrayList<>(); + + /* + public RhinoClassShutter() { +@@ -58,56 +59,12 @@ + * Returns whether the given class is visible to scripts. + */ + public boolean visibleToScripts(String fullClassName) { +-if (fullClassName.startsWith("java.") && !WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission")) { +-return false; +-} +- +-// Don't let them mess with script engine's internals. 
+-if (fullClassName.startsWith("org.mozilla.javascript")) +-return false; +- +-if (fullClassName.startsWith("org.apache.batik.")) { +-
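Review bot: the `visibleToScripts` hunk replaces a condition that differs between the two trees: in this 1.12 tree the old test is `fullClassName.startsWith("java.") && !WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission")`, whereas the bookworm 1.16 patch removes `!WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission") && !fullClassName.startsWith("org.")`; the replacement block is cut off in this view, so the request should say whether the 1.17 change was adapted to the 1.12 logic or copied verbatim, and the bullseye-chroot rebuild of the rdeps ideally included one whose tests actually execute a script. Minor: the patch header says `Last-Update: 2023-08-24` while the debdiff dates the file 2023-08-25.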
Bug#1042016: transition: coinor-cbc
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: coinor-...@packages.debian.org
Control: affects -1 + src:coinor-cbc

Dear Release Team,

I would like to ask for a transition slot for coinor-cbc. The package has undergone ABI changes for which a SONAME bump was necessary. The new package has been accepted into experimental and builds correctly on all architectures. The auto-generated Ben file on [0] is fine. The reverse dependencies all build correctly against the new library package.

Best regards,
-- Pierre

[0] https://release.debian.org/transitions/html/auto-coinor-cbc.html
Bug#1041841: transition: pagmo
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: pa...@packages.debian.org
Control: affects -1 + src:pagmo

Dear Release Team,

I would like to ask for a transition slot for pagmo. libpagmo9 has been accepted in experimental, it builds correctly on all the architectures where it built before, and its only rdep openturns builds successfully against it. The auto-generated Ben file is good.

Thanks a lot,
Cheers,
-- Pierre
Bug#1037542: bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1
Hi Salvatore,

On 15/06/2023 at 07:21, Salvatore Bonaccorso wrote:
> Hi Pierre,
>
> On Wed, Jun 14, 2023 at 12:01:18AM +0200, Pierre Gruet wrote:
> > [...]

diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-02-04 14:24:45.0 +0100 +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-06-13 23:19:59.0 +0200 @@ -1,3 +1,9 @@ +xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium + + * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm) + + -- Pierre Gruet Tue, 13 Jun 2023 23:19:59 +0200

> Can you as well add the Debian bug closer for #1036706 here?

Thanks for looking at my diff. I admit I had not considered closing the bug here, since it has already been declared as closed by the upload to unstable; I would have issued a BTS command after this proposal hits bookworm. Anyway, thanks for educating me on this.

Enclosed is the new source debdiff; everything else in the original message of this bug thread remains unchanged.

> Regards,
> Salvatore

Best,
-- Pierre

diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-02-04 14:24:45.0 +0100 +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-06-13 23:19:59.0 +0200
@@ -1,3 +1,10 @@ +xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium + + * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm, +Closes: #1036706) + + -- Pierre Gruet Tue, 13 Jun 2023 23:19:59 +0200 + xerial-sqlite-jdbc (3.40.1.0+dfsg-1) unstable; urgency=medium * New upstream version 3.40.1.0+dfsg diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch 1970-01-01 01:00:00.0 +0100 +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch 2023-06-13 23:17:23.0 +0200 
@@ -0,0 +1,28 @@ +Description: fixing CVE-2023-32697 +Author: Pierre Gruet +Origin: upstream, https://github.com/xerial/sqlite-jdbc/commit/edb4b8adc2447bc04e05b9b908195a4bc7926242 +Bug: https://github.com/xerial/sqlite-jdbc/security/advisories/GHSA-6phf-6h5g-97j2 +Bug-Debian: https://bugs.debian.org/1036706 +Forwarded: not-needed +Applied-Upstream: edb4b8adc2447bc04e05b9b908195a4bc7926242 +Last-Update: 2023-06-13 + +--- a/src/main/java/org/sqlite/SQLiteConnection.java b/src/main/java/org/sqlite/SQLiteConnection.java +@@ -13,6 +13,7 @@ + import java.sql.ResultSet; + import java.sql.SQLException; + import java.util.Properties; ++import java.util.UUID; + import java.util.concurrent.Executor; + import org.sqlite.SQLiteConfig.TransactionMode; + import org.sqlite.core.CoreDatabaseMetaData; +@@ -303,7 +304,7 @@ + } + + String tempFolder = new File(System.getProperty("java.io.tmpdir")).getAbsolutePath(); +-String dbFileName = String.format("sqlite-jdbc-tmp-%d.db", resourceAddr.hashCode()); ++String dbFileName = String.format("sqlite-jdbc-tmp-%s.db", UUID.randomUUID()); + File dbFile = new File(tempFolder, dbFileName); + + if (dbFile.exists()) { diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series 2023-02-02 17:16:53.0 +0100 +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series 2023-06-13 23:10:58.0 +0200 @@ -7,3 +7,4 @@ skip_OSInfoTest.patch tests_without_archunit-junit5_and_some_assertions.patch junit-jupiter-params_artifact.patch +CVE-2023-32697.patch
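Review bot: in the SQLiteConnection hunk the format-string change `%d` → `%s` matches the switch from `resourceAddr.hashCode()` to `UUID.randomUUID()`, and an unguessable name is the right fix for a predictable path in the shared `java.io.tmpdir`. Two things stay as before and deserve a sentence in the bug rather than a change to this minimal cherry-pick: the `if (dbFile.exists())` test that follows is still a separate check-then-create step rather than an exclusive create, and the file's permissions are still whatever the process umask yields in a directory shared with other local users.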
Bug#1037542: bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: xerial-sqlite-j...@packages.debian.org
Control: affects -1 + src:xerial-sqlite-jdbc

Dear Release team,

I would like to upload xerial-sqlite-jdbc to stable-proposed-updates.

[ Reason ]
Grave bug #1036706 was filed a few days before the release of Bookworm. This is a security bug associated with CVE-2023-32697. Although it has been marked no-dsa by the security team, we exchanged a few emails and our conclusion was that the fix for this bug, which amounts to cherry-picking one upstream commit, should land in Bookworm during a point release.

[ Impact ]
CVE-2023-32697 would remain. The Debian-packaged reverse dependencies of the package are mainly used in a single-user environment, but possibly it is also used in a network environment by some users for their own programs, and this is where there might be some hazard.

[ Tests ]
The package was built in a Bookworm chroot and its autopkgtest is passing.

[ Risks ]
Code is very simple, only 2 lines are changed. Upstream published it three weeks ago and has issued new upstream versions since then.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Cherry-picking commit edb4b8adc2447bc04e05b9b908195a4bc7926242 from upstream, which uses a random UUID instead of the hash of some fixed address in order to define the DB file name.

Thanks for your help,
Best,
-- Pierre

diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-02-04 14:24:45.0 +0100 +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-06-13 23:19:59.0 +0200
@@ -1,3 +1,9 @@ +xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium + + * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm) + + -- Pierre Gruet Tue, 13 Jun 2023 23:19:59 +0200 + xerial-sqlite-jdbc (3.40.1.0+dfsg-1) unstable; urgency=medium * New upstream version 3.40.1.0+dfsg diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch 1970-01-01 01:00:00.0 +0100 +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch 2023-06-13 23:17:23.0 +0200 
@@ -0,0 +1,28 @@ +Description: fixing CVE-2023-32697 +Author: Pierre Gruet +Origin: upstream, https://github.com/xerial/sqlite-jdbc/commit/edb4b8adc2447bc04e05b9b908195a4bc7926242 +Bug: https://github.com/xerial/sqlite-jdbc/security/advisories/GHSA-6phf-6h5g-97j2 +Bug-Debian: https://bugs.debian.org/1036706 +Forwarded: not-needed +Applied-Upstream: edb4b8adc2447bc04e05b9b908195a4bc7926242 +Last-Update: 2023-06-13 + +--- a/src/main/java/org/sqlite/SQLiteConnection.java b/src/main/java/org/sqlite/SQLiteConnection.java +@@ -13,6 +13,7 @@ + import java.sql.ResultSet; + import java.sql.SQLException; + import java.util.Properties; ++import java.util.UUID; + import java.util.concurrent.Executor; + import org.sqlite.SQLiteConfig.TransactionMode; + import org.sqlite.core.CoreDatabaseMetaData; +@@ -303,7 +304,7 @@ + } + + String tempFolder = new File(System.getProperty("java.io.tmpdir")).getAbsolutePath(); +-String dbFileName = String.format("sqlite-jdbc-tmp-%d.db", resourceAddr.hashCode()); ++String dbFileName = String.format("sqlite-jdbc-tmp-%s.db", UUID.randomUUID()); + File dbFile = new File(tempFolder, dbFileName); + + if (dbFile.exists()) { diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series 2023-02-02 17:16:53.0 +0100 +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series 2023-06-13 23:10:58.0 +0200 @@ -7,3 +7,4 @@ skip_OSInfoTest.patch tests_without_archunit-junit5_and_some_assertions.patch junit-jupiter-params_artifact.patch +CVE-2023-32697.patch
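The [ Changes ] section of this request describes the fix as replacing a temp-file name derived from the hash of a fixed value with a random UUID. The Python script below is an added illustration written for this page, not code from sqlite-jdbc or from the Debian package: it models both naming schemes (the hash input is a constructed value, and the `sqlite-jdbc-tmp-` prefix is borrowed from the hunk above) and pairs the random name with exclusive, owner-only file creation, which is the pattern a reviewer would want on top of an unpredictable name.

```python
"""Predictable versus unpredictable temporary file names.

Added illustration for this page (not sqlite-jdbc's own code): the pre-fix
scheme derived the file name from a hash of a fixed value, so every run of
the process computed the same path in the shared temp directory; the fix
uses a random UUID per connection. On top of the random name, the creation
below is atomic (O_EXCL) and owner-only (0600), so there is no separate
exists() check to race and no dependency on the umask.
"""
import hashlib
import os
import tempfile
import uuid


def predictable_name(resource_addr: str) -> str:
    """Model of the pre-fix scheme: the name depends only on a fixed input,
    so any other local user of the same temp directory can compute it."""
    digest = hashlib.sha256(resource_addr.encode()).hexdigest()[:8]
    return f"sqlite-jdbc-tmp-{digest}.db"


def random_name() -> str:
    """Model of the post-fix scheme: a fresh random UUID for each call."""
    return f"sqlite-jdbc-tmp-{uuid.uuid4()}.db"


def create_private_tempfile(directory: str, name: str) -> str:
    """Create `name` inside `directory` atomically with mode 0600.

    O_CREAT|O_EXCL makes the open fail if the path already exists, which
    replaces a test-then-create sequence; the 0o600 mode keeps the file
    readable only by its owner regardless of the process umask.
    """
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    return path


def demo() -> dict:
    """Exercise both schemes in a scratch directory and report what a
    reviewer would check: name stability, uniqueness, mode, exclusivity."""
    with tempfile.TemporaryDirectory() as scratch:
        # Constructed stand-in for the fixed value the old code hashed.
        fixed = "jar:file:/usr/share/java/sqlite-jdbc.jar!/native"
        # Pre-fix: two "connections" compute exactly the same name.
        same = predictable_name(fixed) == predictable_name(fixed)

        # Post-fix: names differ per call, so the path cannot be guessed ahead.
        a, b = random_name(), random_name()
        distinct = a != b

        path = create_private_tempfile(scratch, a)
        mode = os.stat(path).st_mode & 0o777

        # Exclusive creation refuses to reuse a path that already exists.
        try:
            create_private_tempfile(scratch, a)
            refused = False
        except FileExistsError:
            refused = True

    return {
        "predictable_is_stable": same,
        "random_is_distinct": distinct,
        "mode": mode,
        "refuses_existing": refused,
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints the report from `demo()`: the predictable scheme repeats its name, two random names differ, the created file has mode 0600, and a second exclusive create of the same path is refused.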
Bug#1035959: unblock: jmol/14.32.83+dfsg-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: j...@packages.debian.org
Control: affects -1 + src:jmol

Dear Release Team,

I would like to ask for an unblock of package jmol.

[ Reason ]
I fixed RC bug #1035484, which was just a dangling symlink causing piuparts errors. This was done by removing a line in debian/jmol.links.

[ Impact ]
No impact for the user, only piuparts is affected.

[ Tests ]
I did no tests as I only removed a symlink, whose target has not been in the package for many months.

[ Risks ]
No risk, as no rdep is using the deleted symlink.

[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing

[ Other info ]
If the unblock is not granted, the users won't notice anything as there would only be a void symlink shipped in the package. I would also be fine with it.

Thanks a lot in any case,
-- Pierre

unblock jmol/14.32.83+dfsg-1

diff -Nru jmol-14.32.83+dfsg/debian/changelog jmol-14.32.83+dfsg/debian/changelog --- jmol-14.32.83+dfsg/debian/changelog 2023-02-02 16:43:13.0 +0100 +++ jmol-14.32.83+dfsg/debian/changelog 2023-05-04 14:24:33.0 +0200 @@ -1,3 +1,10 @@ +jmol (14.32.83+dfsg-2) unstable; urgency=medium + + * Removing symlink to non-existing /usr/share/java/JSpecView.jar +(Closes: #1035484) + + -- Pierre Gruet Thu, 04 May 2023 14:24:33 +0200 + jmol (14.32.83+dfsg-1) unstable; urgency=medium * New upstream version 14.32.83+dfsg diff -Nru jmol-14.32.83+dfsg/debian/jmol.links jmol-14.32.83+dfsg/debian/jmol.links --- jmol-14.32.83+dfsg/debian/jmol.links2022-10-15 22:47:37.0 +0200 +++ jmol-14.32.83+dfsg/debian/jmol.links2023-05-04 14:23:08.0 +0200
@@ -1,6 +1,5 @@ /usr/share/jmol/icon.png/usr/share/pixmaps/jmol-icon.png /usr/share/java/Jmol.jar/usr/share/jmol/Jmol.jar /usr/share/java/JmolData.jar/usr/share/jmol/JmolData.jar -/usr/share/java/JSpecView.jar /usr/share/jmol/JSpecView.jar /usr/share/java/Jvxl.jar/usr/share/jmol/Jvxl.jar /usr/bin/jmol /usr/share/jmol/jmol
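Review bot: the jmol.links hunk removes only the `/usr/share/java/JSpecView.jar` entry and nothing else in the visible file refers to JSpecView, so the change is self-contained; the changelog line `Removing symlink to non-existing /usr/share/java/JSpecView.jar` would help a future maintainer more if it also said that the package no longer ships that jar (the request says the target has been absent for months), so the link is not re-added during a later cleanup.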
Bug#1034757: unblock (pre-approval): scilab/6.1.1+dfsg2-5 libjogl2-java/2.3.2+dfsg-10 gluegen2/2.3.2-9
Control: tags -1 - moreinfo

Hi Paul,

On 27/04/2023 at 11:38, Paul Gevers wrote:
> Control: tags -1 moreinfo
>
> Hi Pierre,
>
> On Sun, 23 Apr 2023 17:27:30 +0200 Pierre Gruet wrote:
> > This unblock would lead to new upstream versions (with some packaging work more complex than just refreshing patches) of gluegen2 and libjogl2 shipped into Bookworm, which I trust to be OK as they have only one rdep, king, which works well with them.
>
> Are targeted fixes an option? We're well past new upstreams being acceptable [1] unless they are targeted fixes themselves.

Thanks for looking at my proposal. I understand well this is not feasible as is. Indeed the fixes I proposed are quite important, as they require a new upstream version of 2 packages. Also, working around RC bug #1034752 in src:gluegen2 requires quite a lot of Debian-specific changes.

So I now propose to do something simpler, in order to have Scilab able to start and work plainly except for plotting (which was also the case in Bullseye anyway), fixing RC bug #1033496. In order to get a pre-approval, I only did the change locally (source debdiff attached) and will upload to unstable if granted. Below is my proposal:

[ Reason ]
Currently, the key package scilab/6.1.1+dfsg2-5 in sid/testing does not start since we have openjdk-17 as default Java machine, see grave bug #1033496: it is unusable right now.

[ Impact ]
If the unblock is not granted, scilab will remain unusable in Bookworm. If it is granted, then it will be working except for plotting.

[ Tests ]
I changed one line in the source, built it in a clean chroot, installed it on my machine running Bookworm and could use all of Scilab's features (plotting aside).

[ Risks ]
No risk, as we would not change the binaries but only the shell wrapper that invokes them with the correct environment variables.

[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes (did them myself) and I approve them
[X] attach debdiffs of the locally built package against the package in testing

> Paul
>
> PS: your message didn't reach our list, which is a bad sign about the size of the changes.

That's right...!

Best,
-- Pierre

diff -Nru scilab-6.1.1+dfsg2/debian/changelog scilab-6.1.1+dfsg2/debian/changelog --- scilab-6.1.1+dfsg2/debian/changelog 2023-03-11 16:23:07.0 +0100 +++ scilab-6.1.1+dfsg2/debian/changelog 2023-04-27 12:37:49.0 +0200 @@ -1,3 +1,11 @@ +scilab (6.1.1+dfsg2-6) UNRELEASED; urgency=medium + + * Team upload + * Adding another --add-opens clause to the scilab invocation to avoid the +Exception at GUI start (Closes: #1033496) + + -- Pierre Gruet Thu, 27 Apr 2023 12:37:49 +0200 + scilab (6.1.1+dfsg2-5) unstable; urgency=medium * Team upload diff -Nru scilab-6.1.1+dfsg2/debian/patches/populating_java_options_by_default.patch scilab-6.1.1+dfsg2/debian/patches/populating_java_options_by_default.patch --- scilab-6.1.1+dfsg2/debian/patches/populating_java_options_by_default.patch 2023-03-11 14:13:54.0 +0100 +++ scilab-6.1.1+dfsg2/debian/patches/populating_java_options_by_default.patch 2023-04-27 12:36:03.0 +0200
@@ -14,7 +14,7 @@ +# We initialize _JAVA_OPTIONS so that the right paths are looked into and we +# add the needed --add-opens to work with OpenJDK 17. +if ! echo "${_JAVA_OPTIONS}" | grep -q "java\.library\.path" ; then -+_JAVA_OPTIONS="${_JAVA_OPTIONS} -Djava.library.path=/usr/lib/jni:/usr/lib/scilab --add-opens=java.desktop/sun.awt.X11=ALL-UNNAMED --add-opens=java.desktop/sun.java2d.opengl=ALL-UNNAMED" ++_JAVA_OPTIONS="${_JAVA_OPTIONS} -Djava.library.path=/usr/lib/jni:/usr/lib/scilab --add-opens=java.desktop/sun.awt.X11=ALL-UNNAMED --add-opens=java.desktop/sun.java2d.opengl=ALL-UNNAMED --add-opens=java.desktop/javax.swing.plaf.basic=ALL-UNNAMED" +fi + if test ! -z "$SCIVERBOSE"; then
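Review bot: the hunk only appends `--add-opens=java.desktop/javax.swing.plaf.basic=ALL-UNNAMED` inside the existing `if ! echo "${_JAVA_OPTIONS}" | grep -q "java\.library\.path"` guard, so a user who already exports `_JAVA_OPTIONS` with their own `java.library.path` setting gets none of the three `--add-opens` flags and hits exactly the GUI-start exception that #1033496 describes; since the point of the change is to make the GUI start on OpenJDK 17, consider a second guard keyed on `--add-opens=java.desktop/javax.swing.plaf.basic` (or on all three flags) rather than on `java.library.path`, and note in the changelog that the wrapper skips its defaults when `java.library.path` is preset.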
Bug#1032855: unblock: scilab/6.1.1+dfsg2-5
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: sci...@packages.debian.org
Control: affects -1 + src:scilab

Dear Release Team,

Could you please unblock the key package scilab/6.1.1+dfsg2-5?

[ Reason ]
- scilab/6.1.1+dfsg2-4 is absolutely unusable as it cannot even start.
- It FTBFS.
- It looks for versioned artifacts so it breaks every time a dependency is updated.

[ Impact ]
Staying with version 6.1.1+dfsg2-4 does not allow one to use scilab even in the naked CLI flavor.

[ Tests ]
I installed the version 6.1.1+dfsg2-5 on a Bookworm system:
- scilab-cli and scilab-adv-cli work plainly, except for plots (bugs in dependencies);
- the GUI scilab does not work. Blockers: bugs in dependency libjogl2-java and others still to investigate, as log messages are terse.

[ Risks ]
The changes are simple and can be easily grasped through the documented patches I added. scilab has only one reverse dependency which is not a Blends metapackage: cantor-backend-scilab, which is already broken as scilab/6.1.1+dfsg2-4 does not start.

[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing

unblock scilab/6.1.1+dfsg2-5

Best,
-- Pierre

diff -Nru scilab-6.1.1+dfsg2/debian/changelog scilab-6.1.1+dfsg2/debian/changelog --- scilab-6.1.1+dfsg2/debian/changelog 2022-08-16 11:55:44.0 +0200 +++ scilab-6.1.1+dfsg2/debian/changelog 2023-03-11 16:23:07.0 +0100
@@ -1,3 +1,25 @@ +scilab (6.1.1+dfsg2-5) unstable; urgency=medium + + * Team upload + * Raising Standards version to 4.6.2 (no change) + * Adding missing dependencies on libfreehep-graphicsio-java and +libfreehep-util-java + * Fixing the FTBFS occurring during the doc build + * Enabling starting with OpenJDK 17 (Closes: #1012099) + * Selecting unversioned jars instead of versioned ones in the configure phase +(Closes: #1030205) + * Refreshing patches + * Removing unneeded older-than versioned dependencies + * Update lintian override info to new format: ++ debian/source/lintian-overrides: line 2, 4 ++ debian/scilab-minimal-bin.lintian-overrides: line 4 + * debian/copyright: use spaces rather than tabs to start continuation lines. + * Update renamed lintian tag names in lintian overrides. + * Set upstream metadata fields: Repository-Browse. + * Fix day-of-week for changelog entry 5.0.3-1. + + -- Pierre Gruet Sat, 11 Mar 2023 16:23:07 +0100 + scilab (6.1.1+dfsg2-4) unstable; urgency=medium * Add patch to disambiguate pause (Closes: #1017283). @@ -1348,7 +1370,7 @@ * Package moved to main since Scilab is free (CeCILL license) * modelicac, intersci and scilab manpages added - -- Sylvestre Ledru Fri, 1 Oct 2008 13:37:08 +0200 + -- Sylvestre Ledru Wed, 01 Oct 2008 13:37:08 +0200 scilab (4.1.2-6) unstable; urgency=low diff -Nru scilab-6.1.1+dfsg2/debian/control scilab-6.1.1+dfsg2/debian/control --- scilab-6.1.1+dfsg2/debian/control 2022-08-16 11:55:44.0 +0200 +++ scilab-6.1.1+dfsg2/debian/control 2023-03-10 23:21:05.0 +0100 
@@ -3,38 +3,36 @@ Priority: optional Maintainer: Debian Science Team Uploaders: Julien Puydt -Build-Depends: debhelper-compat (= 13), gfortran, time, - default-jdk, chrpath, ocaml-nox (>= 3.11.2-3), libnum-ocaml-dev, fakeroot, - tcl-dev, tk-dev, libxml2-dev, libpcre3-dev, libcurl4-openssl-dev, - gettext, libreadline-dev, pkg-config, procps, dpkg-dev (>= 1.16.0), +Build-Depends: debhelper-compat (= 13), gfortran, time, default-jdk, chrpath, + ocaml-nox, libnum-ocaml-dev, fakeroot, tcl-dev, tk-dev, libxml2-dev, + libpcre3-dev, libcurl4-openssl-dev, gettext, libreadline-dev, pkg-config, + procps, dpkg-dev, # numerical libraries libblas-dev | librefblas3-dev | libatlas-base-dev, liblapack-dev, - libarpack2-dev (>= 3.0), libeigen3-dev, + libarpack2-dev, libeigen3-dev, # Java deps - default-jre-headless, libflexdock-java (>= 1.2.3), libjogl2-java (>= 2.3.2), - libgl1-mesa-dev, libjrosetta-java (>= 1.0.1), ant, libjgoodies-looks-java, - libskinlf-java, liblucene4.10-java, libactivation-java, libjaxb-java, + default-jre-headless, libflexdock-java, libjogl2-java, libgl1-mesa-dev, + libjrosetta-java, ant, libjgoodies-looks-java, libskinlf-java, + liblucene4.10-java, libactivation-java, libjaxb-java, # graphic - libfreehep-graphics2d-java, libfreehep-graphicsio-java, libfreehep-graphicsio-emf-java, - libfreehep-util-java, + libfreehep-graphics2d-java, libfreehep-graphicsio-java, + libfreehep-graphicsio-emf-java, libfreehep-util-java, # Documentation - libjeuclid-core-java (>= 3.1.3), libbatik-java (>= 1.7), fop (>= 0.95), - javahelp2, libsaxon-java, libavalon-framework-java, docbook-xsl, - libxml-commons-external-java, + libjeuclid-core-java, libbatik-java, fop, javahelp2, libsaxon-java, + libavalon-framework-java, docbook-xsl, libxml-commons-external-java,
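Review bot: the 6.1.1+dfsg2-5 changelog entry lists the RC fixes (`Enabling starting with OpenJDK 17 (Closes: #1012099)`, `Selecting unversioned jars instead of versioned ones in the configure phase (Closes: #1030205)`, the doc-build FTBFS) among cosmetic items (lintian override format, `debian/copyright` whitespace, upstream metadata, a 2008 day-of-week correction); for a freeze unblock the release team has to judge every line of the debdiff, so putting the targeted fixes first and labelling the rest as cosmetic would make the review faster. The second hunk (`Fri, 1 Oct 2008` → `Wed, 01 Oct 2008`) is a correct changelog-only edit: 1 October 2008 was a Wednesday.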
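Review bot: the control hunk drops every lower bound from the Build-Depends (`ocaml-nox (>= 3.11.2-3)`, `dpkg-dev (>= 1.16.0)`, `libarpack2-dev (>= 3.0)`, `libflexdock-java (>= 1.2.3)`, `libjogl2-java (>= 2.3.2)`, `libjrosetta-java (>= 1.0.1)`, `libjeuclid-core-java (>= 3.1.3)`, `libbatik-java (>= 1.7)`, `fop (>= 0.95)`) while also reflowing the lines, which makes the diff larger than the functional change; the changelog only says `Removing unneeded older-than versioned dependencies`, so the unblock request should state that each bound is satisfied by the versions in bookworm, and the reflow alone would be better kept out of a freeze upload.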
Bug#1024675: transition: openturns
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Dear Release Team,

I would like to do the transition of openturns due to ABI changes. The new version is in experimental and builds on all relevant architectures. There is one rdep, persalys, which also builds well. The autogenerated ben file is fine. So I am ready to proceed when you tell me.

Cheers,
-- Pierre Gruet
Bug#1023948: transition: hmat-oss
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Dear Release team,

There is a need for a transition of hmat-oss after a change in the ABI. The new package has been uploaded to experimental and can build on all architectures, either on buildds or on porterboxes. Thus I am asking for a transition slot.

There are two reverse dependencies, of which I am also the uploader: openturns and persalys. They can also build against the new hmat-oss package.

Finally, the Ben file at https://release.debian.org/transitions/html/auto-hmat-oss.html is fine.

Cheers,
-- Pierre
Bug#1013178: transition: ceres-solver
Hi Emilio,

On Tue, 21 Jun 2022 09:49:32 +0200 Emilio Pozuelo Monfort wrote:
> [...]
>
> > All reverse dependencies are building fine at least on amd64 [2].
>
> That link doesn't tell me if the rdeps build against the new SONAME. Have you
> tested that? If so, go ahead.

Thanks for looking at this transition bug. Yes, I can confirm I successfully built the rdeps against the new SONAME a few days ago. So François will go ahead within the upcoming days.

> Cheers,
> Emilio

Best,
-- Pierre
Bug#1010553: Providing information on the result of the transition
Hi,

Although the tracker page [0] indicates ``?!'' for all architectures of all involved packages except plastimatch, I inform you that everything went well: all builds succeeded. This is not true for plastimatch, but no big issue as a RM request (for unstable) has recently been filed for this package.

Thanks for your help for the transition,

Best regards,
-- Pierre

[0] https://release.debian.org/transitions/html/auto-dlib.html
Bug#1010553: transition: dlib
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Dear Release team,

I would like to request a transition slot for dlib, which has been accepted in experimental and builds well inside. I changed the name of the binary lib package after an ABI breakage.

The automatic ben file at https://release.debian.org/transitions/html/auto-dlib.html looks good.

Three reverse dependencies:
- seer
- plastimatch
- openturns

All of them build fine against the new package, so binNMU will be enough for the three of them.

Best regards,
-- Pierre
Bug#1009835: transition: hmat-oss
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Dear Release team,

I would like to request a transition slot for hmat-oss. This would be a tiny transition with only 1 reverse dependency. The reason is upstream changed the interface quite a lot recently. The version I would like to upload to unstable has cleared NEW.

The automatic ben file looks good.

The reverse dependency:
* openturns
ftbfs with the new library, but (as it is team-maintained by Debian Science team, of which I am a member) I have uploaded a fixed version of it to experimental, and it builds fine. A bug with severity important has been filed.

I am ready to start transitioning when you tell me. openturns is also part of other ongoing transitions, it will comply with all of them.

Best regards,
-- Pierre
Bug#1009298: transition: biojava-live
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Dear Release team,

I would like to request a transition slot for biojava-live. This would be a small transition with 4 reverse-dependencies. The reason is upstream changed the interface quite a lot between versions 1.7.* and 1.9.5, which has just been accepted in experimental through NEW.

The automatic ben file at https://release.debian.org/transitions/html/auto-biojava-live.html should be changed to the below one, as it fails to track two packages.

The four reverse dependencies:
* alien-hunter
* artemis
* logol
* mauve-aligner
ftbfs with the new library, but (as they are team-maintained by Debian med team, of which I am a member) I have uploaded fixed versions of all of them to experimental, and they build fine. Bugs with severity important have been filed for the four of them.

I am ready to start transitioning all the packages when you tell me.

Ben file:
title = "biojava-live";
is_affected = .depends ~ "libbiojava1.7-java" | .depends ~ "libbiojava1.9-java" | .depends ~ "libbiojava-java";
is_good = .depends ~ "libbiojava1.9-java";
is_bad = .depends ~ "libbiojava1.7-java";

Best regards,
-- Pierre
Bug#998200: transition: bibutils
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Dear Release Team,

I am preparing the transition from libbibutils7 to libbibutils8, which is in experimental and builds well. This change is needed as the ABI has encountered many changes by upstream.

Ben file:
title = "bibutils";
is_affected = .depends ~ "libbibutils7" | .depends ~ "libbibutils8";
is_good = .depends ~ "libbibutils8";
is_bad = .depends ~ "libbibutils7";

The auto-transitioner page [1] is fine.

Here are the results of the test builds of the 5 reverse dependencies:
* bibutils build OK in experimental (same source package as libbibutils8)
* haskell-hs-bibutils build OK, binNMU needed for the dependencies list of libghc-hs-bibutils-dev
* haskell-pandoc-citeproc build OK
* haskell-blogliterately build OK
* haskell-hakyll build OK

Best regards,
Pierre

[1] https://release.debian.org/transitions/html/auto-bibutils.html
Bug#993406: bullseye-pu: package king/2.23.161103+dfsg1-4
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
The package got a bug report (#992092, "contains a file with a non-free "disparaging to Sun" license") with severity "serious" on August 11th. The bug is linked to 12 icons, in the source package and that appear in the GUI, that have a non-free license. Those icons have been present for a very long time, presumably in jessie or even before. The fix was uploaded to unstable on August 26th in version 2.23.161103+dfsg2-1 which is about to migrate to testing.

[ Impact ]
If the update is not approved, the user will have software that is definitely usable but with non-free icons in the GUI.

[ Tests ]
- The proposed package was successfully built in a bullseye chroot;
- I installed it on my machine running bullseye and I saw all the DFSG-free icons were successfully showing up. I tested a good part of the software functionalities and everything looks nice.

[ Risks ]
Nothing (build-)depends on king, so I guess the risks are extremely low.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
- I have repacked without the non-free icons and included DFSG-free replacement icons created by me.
- inkscape is used to convert my .svg icons to .png that can be used by the software.
- d/rules and a patch have been updated to ensure the new icons can be included at build time.
- I added copyright information about the new DFSG-free icons in d/copyright.

[ Other info ]
Thank you for your help on this.

Best,
-- Pierre Gruet

diff -Nru king-2.23.161103+dfsg1/debian/changelog king-2.23.161103+dfsg2/debian/changelog --- king-2.23.161103+dfsg1/debian/changelog 2020-12-04 15:54:20.0 +0100 +++ king-2.23.161103+dfsg2/debian/changelog 2021-08-26 22:31:48.0 +0200
@@ -1,3 +1,23 @@ +king (2.23.161103+dfsg2-1~deb11u1) bullseye; urgency=medium + + * Team upload. + * Rebuild for bullseye, reverting changes of version 2.23.161103+dfsg2-1 that +were not linked to bug #992092 + + -- Pierre Gruet Thu, 26 Aug 2021 22:31:48 +0200 + +king (2.23.161103+dfsg2-1) unstable; urgency=medium + + * Team upload. + * New upstream version 2.23.161103+dfsg2 + * Using new DFSG-free icons instead of the non-free ones (Closes: #992092) + * Raising Standards version to 4.6.0 (no change) + * Refreshing d/copyright + * Adding keywords in the debian/king.desktop file + * Marking Debian-specific patches as "Forwarded: not-needed" + + -- Pierre Gruet Thu, 26 Aug 2021 16:26:48 +0200 + king (2.23.161103+dfsg1-4) unstable; urgency=medium * Standards-Version: 4.5.1 (routine-update) diff -Nru king-2.23.161103+dfsg1/debian/control king-2.23.161103+dfsg2/debian/control --- king-2.23.161103+dfsg1/debian/control 2020-12-04 15:54:20.0 +0100 +++ king-2.23.161103+dfsg2/debian/control 2021-08-26 22:28:58.0 +0200 @@ -7,6 +7,7 @@ default-jdk, javahelper, ant, + inkscape, libitext-java, libjogl2-java Standards-Version: 4.5.1 diff -Nru king-2.23.161103+dfsg1/debian/copyright king-2.23.161103+dfsg2/debian/copyright --- king-2.23.161103+dfsg1/debian/copyright 2020-12-04 15:54:20.0 +0100 +++ king-2.23.161103+dfsg2/debian/copyright 2021-08-26 22:30:20.0 +0200 @@ -18,6 +18,10 @@ king*/doc/work/format-kinemage.pdf king*/1.x_src */buildnum.props +king/doc/LICENSE-SUN +king/resource/king/images/LICENSE +king/resource/king/images/*16.gif +king/resource/king/images/*24.gif Files: * Copyright: 2002-2011 Ian W. Davis , 
@@ -70,3 +74,433 @@ On Debian systems the complete text of the Apache-2.0 license can be found at `/usr/share/common-licenses/Apache-2.0`. +Files: debian/icons/* +Copyright: 2021 Pierre Gruet +License: CC-BY-SA-4.0 + CC Attribution-ShareAlike http://creativecommons.org/licenses/by-sa/4.0/ + . + Attribution-ShareAlike 4.0 International + . + === + . + Creative Commons Corporation ("Creative Commons") is not a law firm and + does not provide legal services or legal advice. Distribution of + Creative Commons public licenses does not create a lawyer-client or + other relationship. Creative Commons makes its licenses and related + information available on an "as-is" basis. Creative Commons gives no + warranties regarding its licenses, any material licensed under their + terms and conditions, or any related information. Creative Commons + disclaims all liability for damages resulting from their use to the +
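Review bot: in the debian/copyright hunk the new Files-Excluded entries `king/resource/king/images/*16.gif` and `king/resource/king/images/*24.gif` are globs that drop every 16 px and 24 px GIF under that directory, while the request above speaks of exactly 12 non-free icons; please confirm that no DFSG-free icon is swept up by those patterns, or list the 12 files explicitly, so that the repacked tarball only loses what the license problem requires. The `king/doc/LICENSE-SUN` and `king/resource/king/images/LICENSE` exclusions are consistent with that intent.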
Bug#958662: transition: bibutils
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Dear Release Team,

I am preparing the transition from libbibutils6 to libbibutils7, which is in experimental and builds well. This change is needed as the ABI has encountered many changes by upstream.

Ben file:
title = "bibutils";
is_affected = .depends ~ "libbibutils6" | .depends ~ "libbibutils7";
is_good = .depends ~ "libbibutils7";
is_bad = .depends ~ "libbibutils6";

The auto-transitioner page [1] is fine.

Here are the results of the test builds of the 5 reverse dependencies:
* bibutils build OK in experimental (same source package as libbibutils7)
* haskell-hs-bibutils FTBFS, but can be fixed with a simple patch
* haskell-pandoc-citeproc build OK
* haskell-blogliterately build OK
* haskell-hakyll build OK

I will now be filing a blocking bug for haskell-hs-bibutils.

Best regards,
Pierre

[1] https://release.debian.org/transitions/html/auto-bibutils.html