Bug#987084: unblock: wordpress/5.7.1+dfsg1-1

2021-04-19 Thread Sébastien Delafond
For the Security Team, unblocking 5.7.1 is the preferred option as it
will make supporting WP for the entire bullseye lifecycle much
easier. If the Release Team thinks it's too late at this point for such
an unblock, we'd favor going with 5.6.3 instead.

Cheers,

-- 
Seb



Bug#934356: stretch-pu: package mitmproxy/0.18.2-6

2019-08-28 Thread Sébastien Delafond
I've tried a bunch of things, essentially reusing my older
pbuilder-based build setup (as opposed to the newer sbuild-based one),
to no avail: I keep getting those extra upper-bound versioned
dependencies in the resulting package.

At this point I see two options:

  - build a +deb9u2 that uses debian/pydist-overrides to prevent the
insertion of those extra versioned dependencies (see attached
patch); with that one, the resulting dsc debdiff is minimal:

$ debdiff mitmproxy_0.18.2-6_all.deb mitmproxy_0.18.2-6+deb9u2_all.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Version: [-0.18.2-6-] {+0.18.2-6+deb9u2+}

  - give up on fixing #934356 in the upcoming point release

What do you think?

Cheers,

-- 
Seb
diff --git a/debian/changelog b/debian/changelog
index 4fcb7218..a714bb37 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+mitmproxy (0.18.2-6+deb9u2) stretch; urgency=medium
+
+  * Prevent insertion of unwanted upper-bound versioned dependencies
+
+ -- Sebastien Delafond   Wed, 28 Aug 2019 13:04:01 +0200
+
 mitmproxy (0.18.2-6+deb9u1) stretch; urgency=medium
 
   * Blacklist tests that require internet access (Closes: #934033)
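Review bot: the new changelog item says only that "unwanted upper-bound versioned dependencies" are prevented; name the four packages involved (cryptography, flask, pyasn1, six, the ones that gained `(<< ...)` relations in +deb9u1) and reference #934356 in the item text, so a reader of the changelog can tell which dependencies were affected without diffing the control files of the two builds.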
diff --git a/debian/pydist-overrides b/debian/pydist-overrides
index 144dfb3a..49405aa3 100644
--- a/debian/pydist-overrides
+++ b/debian/pydist-overrides
@@ -1 +1,5 @@
 brotlipy python-brotli
+cryptography python-cryptography (>= 1.3)
+flask python-flask (>= 0.10.1)
+pyasn1 python-pyasn1 (>= 0.1.9)
+six python-six (>= 1.10)
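Review bot: the lower bounds in the four new lines (`>= 1.3`, `>= 0.10.1`, `>= 0.1.9`, `>= 1.10`) match the `>=` relations 0.18.2-6 already carries, and the set of packages matches exactly the four that gained `<<` relations in +deb9u1, so the overrides drop nothing but the upper bounds. They do, however, freeze those lower bounds in a second place: if setup.py or debian/control ever raises one of them, this file has to be updated by hand or the generated dependency silently stays at the old value, so it is worth recording that in debian/changelog or README.source and re-running the `debdiff` of the two binary packages after any future change to confirm the Depends field is unchanged.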


Bug#934356: stretch-pu: package mitmproxy/0.18.2-6

2019-08-26 Thread Sébastien Delafond
On 26/08 17:42, Adam D. Barratt wrote:
> Our tooling has highlighted a dependency issue. I've not had chance to
> check if it already existed in the earlier package, but:
> 
>   unsat-dependency: python-cryptography (< 1.6)
> 
> stretch has python-cryptography 1.7.1

This is a regression somewhere in the build process; 0.18.2-6 in stretch
currently has (sorted alphabetically for easier reading):

  Depends:
  python-backports.ssl-match-hostname,
  python-blinker (<< 1.5),
  python-brotli (>= 0.5.1),
  python-certifi,
  python-click,
  python-configargparse (>= 0.10),
  python-construct (>= 2.5.2),
  python-cryptography (>= 1.3),
  python-cssutils (<< 1.1),
  python-flask (>= 0.10.1),
  python-h2 (>= 2.4.1),
  python-hpack,
  python-html2text (>= 2016.1.8),
  python-hyperframe (<< 5),
  python-jsbeautifier (>= 1.6.3),
  python-lxml (>= 3.5.0),
  python-openssl (>= 16.0),
  python-passlib (>= 1.6.5),
  python-pil (>= 3.2),
  python-pyasn1 (>= 0.1.9),
  python-pyparsing (>= 2.1.3),
  python-pyperclip,
  python-requests (>= 2.9.1),
  python-six (>= 1.10),
  python-tornado (>= 4.3),
  python-typing
  python-urwid (>= 1.3.1),
  python-watchdog (>= 0.8.3),
  python:any (<< 2.8),
  python:any (>= 2.7.5-5~),

0.18.2-6+deb9u1 has:

  Depends:
  python-backports.ssl-match-hostname,
  python-blinker (<< 1.5),
  python-brotli (>= 0.5.1),
  python-certifi,
  python-click,
  python-configargparse (>= 0.10),
  python-construct (>= 2.5.2),
  python-cryptography (<< 1.6),
  python-cryptography (>= 1.3),
  python-cssutils (<< 1.1),
  python-flask (<< 0.12),
  python-flask (>= 0.10.1),
  python-h2 (>= 2.4.1),
  python-hpack,
  python-html2text (>= 2016.1.8),
  python-hyperframe (<< 5),
  python-jsbeautifier (>= 1.6.3),
  python-lxml (>= 3.5.0),
  python-openssl (>= 16.0),
  python-passlib (>= 1.6.5),
  python-pil (>= 3.2),
  python-pyasn1 (<< 0.2),
  python-pyasn1 (>= 0.1.9),
  python-pyparsing (>= 2.1.3),
  python-pyperclip,
  python-requests (>= 2.9.1),
  python-six (<< 1.11),
  python-six (>= 1.10),
  python-tornado (>= 4.3),
  python-typing
  python-urwid (>= 1.3.1),
  python-watchdog (>= 0.8.3),
  python:any (<< 2.8),
  python:any (>= 2.7.5-5~),

At this point I'm not sure what part of the build chain is adding back
all the "python foo (<< .n.m)" (obviously during the expansion of
${python:Depends}, and by looking at setup.py), even though python-foo
is already explicitly listed in debian/control's Depends field.

Even more confusing to me right now is that the whole point of 0.18.2-6
was indeed to *remove* all those upper-bound dependencies:

  - https://bugs.debian.org/848562
  - https://salsa.debian.org/debian/mitmproxy/commit/4c238cb3549b9bf5e7b01a9c287eb2428a7134d2

And obviously at the time it worked, because 0.18.6-2 is indeed
"correct".

Cheers,

-- 
Seb
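The comparison done by hand above (sorting both Depends fields and looking for the `(<< ...)` relations that appeared in +deb9u1) and the pydist-overrides lines settled on in the 28 August follow-up, as an added shell example that is not part of the bug report or of the mitmproxy packaging: it normalises two Depends strings, reports the relationships that only the newer one carries, keeps the upper bounds among them, and drafts one override line per affected package that retains the old lower bound. The sample Depends strings are constructed from a subset of the two lists quoted above; mapping a Debian package name to its PyPI name by stripping `python-` is an assumption that happens to hold for these four packages and must be checked for any other.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the mitmproxy packaging.
# Compare the Depends field of two package versions, list the upper bounds
# that only the newer one carries, and draft debian/pydist-overrides lines
# that keep the old lower bound.  With real packages feed it the output of
#   dpkg-deb -f mitmproxy_0.18.2-6_all.deb Depends
#   dpkg-deb -f mitmproxy_0.18.2-6+deb9u1_all.deb Depends

# Constructed sample input: a subset of the two Depends lists quoted in the thread.
OLD_DEPENDS='python-cryptography (>= 1.3), python-flask (>= 0.10.1),
 python-pyasn1 (>= 0.1.9), python-six (>= 1.10), python-typing'
NEW_DEPENDS='python-cryptography (<< 1.6), python-cryptography (>= 1.3),
 python-flask (<< 0.12), python-flask (>= 0.10.1), python-pyasn1 (<< 0.2),
 python-pyasn1 (>= 0.1.9), python-six (<< 1.11), python-six (>= 1.10), python-typing'

# One relationship per line, surrounding whitespace stripped, sorted bytewise.
normalize_depends() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$' | LC_ALL=C sort
}

# Relationships present in the new field (arg 2) but absent from the old one (arg 1).
added_relations() {
    old=$(normalize_depends "$1")
    normalize_depends "$2" | while IFS= read -r rel; do
        printf '%s\n' "$old" | grep -Fxq -- "$rel" || printf '%s\n' "$rel"
    done
}

# Of the added relationships, keep only upper bounds ("<<" or "<=").
added_upper_bounds() {
    added_relations "$1" "$2" | grep -E '\((<<|<=) ' || :
}

# Draft one pydist-overrides line per package that gained an upper bound:
# "<pypi name> <debian package> (>= <old lower bound>)".  The PyPI name is
# assumed to be the Debian name without "python-"; verify this per package.
suggest_overrides() {
    old=$(normalize_depends "$1")
    added_upper_bounds "$1" "$2" | sed 's/ (.*//' | LC_ALL=C sort -u \
        | while IFS= read -r pkg; do
        # reuse the lower bound the old package declared, if any
        lower=$(printf '%s\n' "$old" | grep -F "$pkg (>=" | head -n 1)
        printf '%s %s\n' "${pkg#python-}" "${lower:-$pkg}"
    done
}

echo "Upper bounds added in the new package:"
added_upper_bounds "$OLD_DEPENDS" "$NEW_DEPENDS"
echo
echo "Suggested debian/pydist-overrides lines:"
suggest_overrides "$OLD_DEPENDS" "$NEW_DEPENDS"
```

Run it on the real control fields before and after a rebuild: an empty first section means the build chain no longer injects upper bounds, and the second section is only a draft, since the PyPI name on the left of each override line has to be the one setup.py uses.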



Bug#901036: no rm

2018-06-08 Thread Sébastien Delafond
Actually, that won't be possible: dak rm shows libspring-java among
other rdeps. We'll just stick with the EOL in debian-security-support.

Cheers,

--Seb



Bug#897613: RM: redmine/3.0~20140825-8~deb8u4

2018-05-04 Thread Sébastien Delafond
On May/03, Adam D. Barratt wrote:
> There's a few r-deps. Walking the tree gives us:
> 
> - redmine-plugin-pretend
> - redmine-plugin-recaptcha
> - redmine-recaptcha
> 
> I assume the intent is that those also be removed.

That is correct, sorry for not mentioning the r-deps initially.

Cheers,

--Seb



Bug#882274: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api

2017-12-09 Thread Sébastien Delafond
On Dec/09, Adam D. Barratt wrote:
> For the record, reviewing the diff of the -security upload, I notice
> that the change actually adds *two* runtime dependencies - the second,
> which was not mentioned in this pre-approval request, nor included in
> the proposed diff, being python-pastescript.

I figured python-pastescript had also been approved; I should have
verified this myself instead of assuming so...

Cheers,

--Seb



Bug#856539: updating sitesummary in stable+oldstable due to regression introduced with apache update (Re: Bug#856539: jessie-pu: package sitesummary/0.1.17+deb8u2)

2017-03-19 Thread Sébastien Delafond
On Mar/18, Holger Levsen wrote:
> I've done all this now.
> 
> Will you write and send the DSA? I guess the text should basically
> just be something like what we wrote in debian/changelog:
> 
>   * Adjust sitesummary-upload to use CRLF (\r\n) line endings to be compliant
> with apache 2.4.25 security fixes for HTTP requests. (Closes: #852623).

Will do, thanks a lot for the upload.

Cheers,

--Seb



Bug#856539: updating sitesummary in stable+oldstable due to regression introduced with apache update (Re: Bug#856539: jessie-pu: package sitesummary/0.1.17+deb8u2)

2017-03-16 Thread Sébastien Delafond
On Mar/10, Sébastien Delafond wrote:
> I meant a debdiff specifically targeting jessie-security. Please
> change jessie to jessie-security, set severity to high, and upload to
> security-master (no source-only upload).

Hi Petter,

are you still planning to upload this?

Cheers,

--Seb



Bug#856539: updating sitesummary in stable+oldstable due to regression introduced with apache update (Re: Bug#856539: jessie-pu: package sitesummary/0.1.17+deb8u2)

2017-03-09 Thread Sébastien Delafond
On Mar/10, Petter Reinholdtsen wrote:
> The debdiff for jessie is in bts already.

I meant a debdiff specifically targeting jessie-security. Please change
jessie to jessie-security, set severity to high, and upload to
security-master (no source-only upload).

Cheers,

--Seb



Bug#856539: updating sitesummary in stable+oldstable due to regression introduced with apache update (Re: Bug#856539: jessie-pu: package sitesummary/0.1.17+deb8u2)

2017-03-09 Thread Sébastien Delafond
On Mar/09, Holger Levsen wrote:
> Dear security team,
> 
> On Thu, Mar 09, 2017 at 07:20:40PM +, Adam D. Barratt wrote:
> > On Thu, 2017-03-02 at 09:50 +, Holger Levsen wrote:
> > > On Thu, Mar 02, 2017 at 09:12:34AM +0100, Petter Reinholdtsen wrote:
> > > > Usertags: pu
> > > > 
> > > > The sitesummary package in stable is affected by one RC bug causing all
> > > > clients to fail to submit data to the collector, and thus breaking the
> > > > service SiteSummary is supposed to provide (collect data about
> > > > machines).  The problem is triggered by the recent update of Apache.
> > > [...]
> > > > I would like to update the stable version of sitesummary to fix this
> > > > bug.  It affect Debian Edu, but also all other users of SiteSummary in
> > > > Jessie.  Are you OK with me uploading a package with this change?  How
> > > > quickly is it possible to get this change into Jessie?
> > > 
> > > (this would normally take several weeks or months, until the next jessie
> > > point release will happen, which AFAIK is not yet planned. IOW: date is
> > > unknown.)
> > >
> > > as this regression was introduced by DSA-3796, wouldn't it be appropriate
> > > to update sitesummary via jessie-security as well?
> > 
> > Have either of you asked the Security Team about that?
> 
> no, we haven't yet.
> 
> So, #852623 is about sitesummary being broken due to the fix for CVE-2016-8743
> and while #852623 has been fixed in sid and stretch, we would also like to fix
> #852623 in sitesummary in jessie and stable.
> 
> So at first, we thought to go via proposed-updates, but as you can see Adam
> suggested to go via stable-security (and LTS I suppose) - what do you think?
> 
> Going via security would be much nicer as this would fix this in the real
> world much sooner…!

Sure, we can do that. Send us a debdiff and we can take it from there.

Cheers,

--Seb




Bug#855216: unblock: singularity-container/2.2-2

2017-02-15 Thread Sébastien Delafond
Dear Release Managers,

the Security Team has reviewed the diff related to this security
problem, and we support the unblock request.

Cheers,

--Seb



Bug#689137: unblock: minbif/1:1.0.5+git20120508-2.1

2012-10-01 Thread Sébastien Delafond
Hi David,

thanks a lot for the NMU and the associated unblock request, while I
was away :)

Cheers,

--Seb

On Sep/29, David Prévot wrote:
 Package: release.debian.org
 Severity: normal
 User: release.debian@packages.debian.org
 Usertags: unblock
 
 Please unblock package minbif
 
 It fixes a serious mess of the “directory replaced by symlink”-kind.
 
 unblock minbif/1:1.0.5+git20120508-2.1
 
 Thanks in advance, regards.
 
 David
 
 -- System Information:
 Debian Release: wheezy/sid
   APT prefers unstable
   APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 
 'experimental')
 Architecture: amd64 (x86_64)
 Foreign Architectures: i386
 
 Kernel: Linux 3.5-trunk-amd64 (SMP w/1 CPU core)
 Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
 Shell: /bin/sh linked to /bin/dash

 diff -Nru minbif-1.0.5+git20120508/debian/changelog 
 minbif-1.0.5+git20120508/debian/changelog
 --- minbif-1.0.5+git20120508/debian/changelog 2012-08-19 06:39:44.0 
 -0400
 +++ minbif-1.0.5+git20120508/debian/changelog 2012-09-26 15:46:19.0 
 -0400
 @@ -1,3 +1,11 @@
 +minbif (1:1.0.5+git20120508-2.1) unstable; urgency=low
 +
 +  * Non-maintainer upload.
 +  * debian/minbif.postinst: Fix directory to symlink upgrade in postinst.
 +(Closes: #687660)
 +
 + -- David Prévot taf...@debian.org  Wed, 26 Sep 2012 15:46:12 -0400
 +
  minbif (1:1.0.5+git20120508-2) unstable; urgency=low
  
* Re-enable caca so user icons can be displayed; it should not have been
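Review bot: the changelog item names the file but not the change it makes; say that /usr/share/doc/minbif is turned from a directory into a symlink to minbif-common on upgrade, which is what the postinst hunk does, so the entry explains the "directory replaced by symlink" problem on its own and matches the wording of #687660.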
 diff -Nru minbif-1.0.5+git20120508/debian/minbif.postinst 
 minbif-1.0.5+git20120508/debian/minbif.postinst
 --- minbif-1.0.5+git20120508/debian/minbif.postinst   1969-12-31 
 20:00:00.0 -0400
 +++ minbif-1.0.5+git20120508/debian/minbif.postinst   2012-09-26 
 15:43:15.0 -0400
 @@ -0,0 +1,14 @@
 +#!/bin/sh
 +set -e
 +
 +# Replace documentation directory with symlink
 +docdir=/usr/share/doc/minbif
 +if [ -d $docdir ]  [ ! -L $docdir ]; then
 +if rmdir $docdir 2/dev/null; then
 +ln -sf minbif-common $docdir
 +fi
 +fi
 +
 +#DEBHELPER#
 +
 +exit 0
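Review bot: as rendered here the condition reads `if [ -d $docdir ]  [ ! -L $docdir ]; then` and the redirection reads `2/dev/null`, so the `&&` and the `>` appear to have been stripped by the list archive; make sure the uploaded postinst really has `[ -d $docdir ] && [ ! -L $docdir ]` and `rmdir $docdir 2>/dev/null`, because with the operators missing `[` reports too many arguments, the `if` is simply false and the conversion is skipped without any error. A second, smaller point: `rmdir` only succeeds on an empty directory, which is the right safety net, but when it fails the directory is kept silently; an `echo` to stderr in that branch telling the admin that /usr/share/doc/minbif was left in place would make the leftover state visible.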


Archive: http://lists.debian.org/20121001084116.gc2...@frisco.mine.nu