Re: security.d.o packages for etch built on sarge
Marcin Owsiany wrote: I know this is not critical priority, but I've been waiting for over two weeks now for any response on that. Anyone? The mips buildd has been fixed, the r1 etch release with a bin-NMUed package should appear soon. Cheers, Moritz -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: security.d.o packages for etch built on sarge
On Wed, Jul 18, 2007 at 01:35:41PM +0100, Marcin Owsiany wrote: On Fri, Jul 13, 2007 at 12:08:35PM +0100, Marcin Owsiany wrote: On Mon, Jul 02, 2007 at 07:27:13PM +0200, Moritz Muehlenhoff wrote: Marcin Owsiany wrote: Why I haven't realized you're talking about my package up till now is a mystery to me. I'll check this ASAP. Indeed, it looks like I used wrong pbuilder tarball to build this one :-( Security team: this just needs a rebuild, but how exactly should I fix this? Can I do a bin-nmu so that other architectures don't need a rebuild? Or should I just prepare 1:1.7~rc2-1etch2 as a new revision and upload that? A binNMU has been done, a package is available at http://debian.netcologne.de/debian/pool/main/e/ekg/ekg_1.7~rc2-1etch1+b1_i386.deb It will also be part of the immediate stable point update. As far as I can see, it has not been uploaded to etch-security, which means it will only become available after the next point release. Can we do anything to speed this up? Sorry to bug you all, but is there any hope? Can I help? I know this is not critical priority, but I've been waiting for over two weeks now for any response on that. Anyone? -- Marcin Owsiany [EMAIL PROTECTED] http://marcin.owsiany.pl/ GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216 signature.asc Description: Digital signature
Re: security.d.o packages for etch built on sarge
On Sun, Jul 01, 2007 at 01:30:25PM +0200, Karol Lewandowski wrote: However, blender security update is wrong on both arches. According to http://packages.debian.org/stable/graphics/blender package version is 2.42a-7, while security archive has 2.37a-1.1etch1. [EMAIL PROTECTED]:~$ wget -qO- http://security.debian.org/debian-security/dists/etch/updates/main/binary-amd64/Packages.bz2 | bzip2 -d | egrep -A6 'Package: blender' Package: blender Priority: optional Section: graphics Installed-Size: 11148 Maintainer: Masayuki Hatta (mhatta) [EMAIL PROTECTED] Architecture: amd64 Version: 2.37a-1.1etch1 Any comments on blender issue? To state precisely -- why security archive has lower package version than release? Thanks. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: security.d.o packages for etch built on sarge
Hello Karol, On Thu, Jul 05, 2007 at 11:02:02PM +0200, Karol Lewandowski wrote: On Sun, Jul 01, 2007 at 01:30:25PM +0200, Karol Lewandowski wrote: However, blender security update is wrong on both arches. According to http://packages.debian.org/stable/graphics/blender package version is 2.42a-7, while security archive has 2.37a-1.1etch1. [...] Any comments on blender issue? To state precisely -- why security archive has lower package version than release? 2.37a-1.1etch1 has been uploaded by the Debian testing security team[0] via testing-security to Etch when it was still Testing. This became necessary when a fixed blender package couldn't quickly migrate the normal way from Unstable due to build errors. In fact, it took over four more months before an updated blender package could finally propagate via the normal way. When Etch became Stable it included the blender version present in Testing at that time (2.42a-7), which was/is greater than the version at s.d.o. As this old version at s.d.o causes no harm (unless some user applies some weird pinning) my best guess is that simply nobody bothered to actually remove it. Cheers, Flo - speaking solely from a Blender maintainer's POV [0] http://secure-testing-master.debian.net/DTSA/DTSA-29-1.html signature.asc Description: Digital signature
Re: security.d.o packages for etch built on sarge
On Sat, Jun 30, 2007 at 08:32:20PM -0600, Jan Hetges wrote: On Sun, Jul 01, 2007 at 02:39:37AM +0100, Steve Kemp wrote: On Sun Jul 01, 2007 at 00:59:24 +0200, Karol Lewandowski wrote: On Mon, Jun 25, 2007 at 02:56:07PM +0200, karol wrote: It looks like etch's security updates were built on sarge. python2.3 isn't available in etch making ekg's security update uninstallable. I would be _very_ happy to hear _any_ comment on that. I'll probably ask debian-devel if I won't get any answer in next few days. Etch security updates *should* be built upon Etch. Sarge updates *should* be built upon Sarge. Anything else is liable to break and is a bug which should be fixed with an update. I've checked the build-logs I've got access to (all except i386) and they seem fine. is it just i386 you see this behavior upon? Do other people see this too, or is it a potentially broken system you're installing upon (I have to ask; some people still have mixed sources.lists files..) i just tried on a pretty fresh etch install (i386), error message is spanish, but i think understandable: Los siguientes paquetes tienen dependencias incumplidas: ekg: Depende: python2.3 (= 2.3) pero no es instalable E: Paquetes rotos so maybe someone should file grave? against ekg? Why I haven't realized you're talking about my package up till now is a mystery to me. I'll check this ASAP. -- Marcin Owsiany [EMAIL PROTECTED] http://marcin.owsiany.pl/ GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216 signature.asc Description: Digital signature
Re: security.d.o packages for etch built on sarge
On Mon, Jul 02, 2007 at 10:19:25AM +0100, Marcin Owsiany wrote: On Sat, Jun 30, 2007 at 08:32:20PM -0600, Jan Hetges wrote: On Sun, Jul 01, 2007 at 02:39:37AM +0100, Steve Kemp wrote: On Sun Jul 01, 2007 at 00:59:24 +0200, Karol Lewandowski wrote: On Mon, Jun 25, 2007 at 02:56:07PM +0200, karol wrote: It looks like etch's security updates were built on sarge. python2.3 isn't available in etch making ekg's security update uninstallable. I would be _very_ happy to hear _any_ comment on that. I'll probably ask debian-devel if I won't get any answer in next few days. Etch security updates *should* be built upon Etch. Sarge updates *should* be built upon Sarge. Anything else is liable to break and is a bug which should be fixed with an update. I've checked the build-logs I've got access to (all except i386) and they seem fine. is it just i386 you see this behavior upon? Do other people see this too, or is it a potentially broken system you're installing upon (I have to ask; some people still have mixed sources.lists files..) i just tried on a pretty fresh etch install (i386), error message is spanish, but i think understandable: Los siguientes paquetes tienen dependencias incumplidas: ekg: Depende: python2.3 (= 2.3) pero no es instalable E: Paquetes rotos so maybe someone should file grave? against ekg? Why I haven't realized you're talking about my package up till now is a mystery to me. I'll check this ASAP. Indeed, it looks like I used wrong pbuilder tarball to build this one :-( Security team: this just needs a rebuild, but how exactly should I fix this? Can I do a bin-nmu so that other architectures don't need a rebuild? Or should I just prepare 1:1.7~rc2-1etch2 as a new revision and upload that? Marcin -- Marcin Owsiany [EMAIL PROTECTED] http://marcin.owsiany.pl/ GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: security.d.o packages for etch built on sarge
I just built ekg 1:1.7~rc2-1etch2 which corrects the misbuilt 1:1.7~rc2-1etch1. I double-checked that the changes from 1:1.7~rc2-1 are minimal. It is available as http://marcin.owsiany.pl/tmp/2007-07-02-ekg-1.7~rc2-1etch2.tgz so a member of the security team can either upload it directly, or let me know and I will do it. If you'd rather have it built diferrently, please let me know. -- Marcin Owsiany [EMAIL PROTECTED] http://marcin.owsiany.pl/ GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216 signature.asc Description: Digital signature
Re: security.d.o packages for etch built on sarge
Marcin Owsiany wrote: Why I haven't realized you're talking about my package up till now is a mystery to me. I'll check this ASAP. Indeed, it looks like I used wrong pbuilder tarball to build this one :-( Security team: this just needs a rebuild, but how exactly should I fix this? Can I do a bin-nmu so that other architectures don't need a rebuild? Or should I just prepare 1:1.7~rc2-1etch2 as a new revision and upload that? A binNMU has been done, a package is available at http://debian.netcologne.de/debian/pool/main/e/ekg/ekg_1.7~rc2-1etch1+b1_i386.deb It will also be part of the immediate stable point update. Cheers, Moritz -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: security.d.o packages for etch built on sarge
I've checked the build-logs I've got access to (all except i386) and they seem fine. is it just i386 you see this behavior upon? Do other people see this too, or is it a potentially broken system you're installing upon (I have to ask; some people still have mixed sources.lists files..) the package is just fine on amd64, and built on etch, definitely. -- Bernd Zeimetz [EMAIL PROTECTED] http://bzed.de/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: security.d.o packages for etch built on sarge
On Sun, Jul 01, 2007 at 02:39:37AM +0100, Steve Kemp wrote: On Sun Jul 01, 2007 at 00:59:24 +0200, Karol Lewandowski wrote: On Mon, Jun 25, 2007 at 02:56:07PM +0200, karol wrote: It looks like etch's security updates were built on sarge. python2.3 isn't available in etch making ekg's security update uninstallable. I would be _very_ happy to hear _any_ comment on that. I'll probably ask debian-devel if I won't get any answer in next few days. Etch security updates *should* be built upon Etch. Sarge updates *should* be built upon Sarge. Anything else is liable to break and is a bug which should be fixed with an update. I've checked the build-logs I've got access to (all except i386) and they seem fine. is it just i386 you see this behavior upon? Do other people see this too, or is it a potentially broken system you're installing upon (I have to ask; some people still have mixed sources.lists files..) Yes, i386 is broken. amd64 is ok: [EMAIL PROTECTED]:~$ wget -qO- http://security.debian.org/debian-security/dists/etch/updates/main/binary-amd64/Packages.bz2 | bzip2 -d | egrep -A7 'Package: ekg' Package: ekg Priority: optional Section: net Installed-Size: 812 Maintainer: Marcin Owsiany [EMAIL PROTECTED] Architecture: amd64 Version: 1:1.7~rc2-1etch1 Depends: libaspell15 (= 0.60), libc6 (= 2.3.5-1), libgadu3 (= 1:1.7~rc2), libgsm1 (= 1.0.10), libjpeg62, libncurses5 (= 5.4-5), libssl0.9.8 (= 0.9.8c-1), python2.4 (= 2.3.90), zlib1g (= 1:1.2.1) i386 has broken deps: [EMAIL PROTECTED]:~$ wget -qO- http://security.debian.org/debian-security/dists/etch/updates/main/binary-i386/Packages.bz2 | bzip2 -d | egrep -A7 'Package: ekg' Package: ekg Priority: optional Section: net Installed-Size: 740 Maintainer: Marcin Owsiany [EMAIL PROTECTED] Architecture: i386 Version: 1:1.7~rc2-1etch1 Depends: libaspell15 (= 0.60), libc6 (= 2.3.2.ds1-21), libgadu3 (= 1:1.7~rc2), libgsm1 (= 1.0.10), libjpeg62, libncurses5 (= 5.4-1), libssl0.9.7, python2.3 (= 2.3), zlib1g (= 1:1.2.1) However, blender security update is wrong on both arches. According to http://packages.debian.org/stable/graphics/blender package version is 2.42a-7, while security archive has 2.37a-1.1etch1. [EMAIL PROTECTED]:~$ wget -qO- http://security.debian.org/debian-security/dists/etch/updates/main/binary-amd64/Packages.bz2 | bzip2 -d | egrep -A6 'Package: blender' Package: blender Priority: optional Section: graphics Installed-Size: 11148 Maintainer: Masayuki Hatta (mhatta) [EMAIL PROTECTED] Architecture: amd64 Version: 2.37a-1.1etch1 Thanks (and sorry for private reply Steve, I've subscribed to debian-security recently). -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: security.d.o packages for etch built on sarge
On Mon, Jun 25, 2007 at 02:56:07PM +0200, karol wrote: It looks like etch's security updates were built on sarge. python2.3 isn't available in etch making ekg's security update uninstallable. I would be _very_ happy to hear _any_ comment on that. I'll probably ask debian-devel if I won't get any answer in next few days. Thanks. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: security.d.o packages for etch built on sarge
On Sun Jul 01, 2007 at 00:59:24 +0200, Karol Lewandowski wrote: On Mon, Jun 25, 2007 at 02:56:07PM +0200, karol wrote: It looks like etch's security updates were built on sarge. python2.3 isn't available in etch making ekg's security update uninstallable. I would be _very_ happy to hear _any_ comment on that. I'll probably ask debian-devel if I won't get any answer in next few days. Etch security updates *should* be built upon Etch. Sarge updates *should* be built upon Sarge. Anything else is liable to break and is a bug which should be fixed with an update. I've checked the build-logs I've got access to (all except i386) and they seem fine. is it just i386 you see this behavior upon? Do other people see this too, or is it a potentially broken system you're installing upon (I have to ask; some people still have mixed sources.lists files..) Steve -- Debian GNU/Linux System Administration http://www.debian-administration.org/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: security.d.o packages for etch built on sarge
On Sun, Jul 01, 2007 at 02:39:37AM +0100, Steve Kemp wrote: On Sun Jul 01, 2007 at 00:59:24 +0200, Karol Lewandowski wrote: On Mon, Jun 25, 2007 at 02:56:07PM +0200, karol wrote: It looks like etch's security updates were built on sarge. python2.3 isn't available in etch making ekg's security update uninstallable. I would be _very_ happy to hear _any_ comment on that. I'll probably ask debian-devel if I won't get any answer in next few days. Etch security updates *should* be built upon Etch. Sarge updates *should* be built upon Sarge. Anything else is liable to break and is a bug which should be fixed with an update. I've checked the build-logs I've got access to (all except i386) and they seem fine. is it just i386 you see this behavior upon? Do other people see this too, or is it a potentially broken system you're installing upon (I have to ask; some people still have mixed sources.lists files..) i just tried on a pretty fresh etch install (i386), error message is spanish, but i think understandable: Los siguientes paquetes tienen dependencias incumplidas: ekg: Depende: python2.3 (= 2.3) pero no es instalable E: Paquetes rotos so maybe someone should file grave? against ekg? cheers --Jan signature.asc Description: Digital signature
security.d.o packages for etch built on sarge
Having this in /etc/apt/sources.list deb http://ftp.de.debian.org/debian etch main contrib non-free deb http://security.debian.org/ etch/updates main contrib non-free deb cdrom:[Debian GNU/Linux 4.0 r0 _Etch_ - Official i386 CD Binary-1 20070407-11:55]/ etch contrib main I'm unable to install security update for ekg, namely ekg version 1:1.7~rc2-1etch1: [EMAIL PROTECTED]:~# apt-cache policy ekg ekg: Installed: 1:1.7~rc2-1 Candidate: 1:1.7~rc2-1etch1 Version table: 1:1.7~rc2-1etch1 0 500 http://security.debian.org etch/updates/main Packages *** 1:1.7~rc2-1 0 500 http://ftp.de.debian.org etch/main Packages 100 /var/lib/dpkg/status Installing results in broken packages: [EMAIL PROTECTED]:~# apt-get install ekg Reading package lists... Done Building dependency tree... Done Some packages could not be installed. This may mean that you have requested an impossible situation or if you are using the unstable distribution that some required packages have not yet been created or been moved out of Incoming. Since you only requested a single operation it is extremely likely that the package is simply not installable and a bug report against that package should be filed. The following information may help to resolve the situation: The following packages have unmet dependencies. ekg: Depends: python2.3 (= 2.3) but it is not installable E: Broken packages Looking at package deps shows differences, see filtered output of apt-cache showpkg ekg security.d.o | etch 4.0r0 --+-- 1:1.7~rc2-1etch1 | 1:1.7~rc2-1 --+-- libc6 (2 2.3.2.ds1-21)| libc6 (2 2.3.6-6) libncurses5 (2 5.4-1) | libncurses5 (2 5.4-5) libssl0.9.7 (0 (null))| libssl0.9.8 (2 0.9.8b-1) python2.3 (2 2.3) | python2.4 (2 2.3.90) libglib2.0-0 (2 2.6.0)| libglib2.0-0 (2 2.10.0) It looks like etch's security updates were built on sarge. python2.3 isn't available in etch making ekg's security update uninstallable. Additionaly: [EMAIL PROTECTED]:~# apt-cache showpkg python2.3 Package: python2.3 Versions: Reverse Depends: ekg,python2.3 2.3 dia-libs,python2.3 2.3 blender,python2.3 2.3 python,python2.3 2.3.2-6 python,python2.3 2.3.5-14 Dependencies: Provides: Reverse Provides: [EMAIL PROTECTED]:~# apt-cache policy blender blender: Installed: (none) Candidate: 2.42a-7 Version table: 2.42a-7 0 500 http://ftp.de.debian.org etch/main Packages 2.37a-1.1etch1 0 500 http://security.debian.org etch/updates/main Packages Looks like sarge's blender security update somehow made into etch's Packages list. (I might be totally wrong, too. ;) (Please CC me) Thanks. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]