Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

On some systems, #778833 appears to be repeatable and reliable, though I do not control any systems like that. I tried to fix it in 0.37-2, and called for testing before the release of jessie, but heard no feedback.

After the release of jessie, I found out that I had failed to actually apply the patch in question, which means that it didn't fix things for people who have machines that exhibit #778833. 0.37-3 does apparently fix things for those people.

Furthermore, the sshd_config settings suggested by monkeysphere-authentication diagnostics can be improved for the version of sshd in jessie, as noted upstream and in 0.37-3 (in testing/unstable).

The debdiff between 0.37-2 and 0.37-3 (attached here) should improve the situation for users of monkeysphere on jessie.

Is it OK to upload 0.37-3 as 0.37-2+deb8u1? Or should I more narrowly target just #778833 (a clear bug that prevents package installation on some platforms) and leave jessie monkeysphere-authentication diagnostics with suboptimal sshd_config suggestions?

Sorry for this hassle.

Regards,

        --dkg

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru monkeysphere-0.37/debian/changelog monkeysphere-0.37/debian/changelog --- monkeysphere-0.37/debian/changelog 2014-11-27 15:01:49.000000000 -0500 +++ monkeysphere-0.37/debian/changelog 2015-05-06 23:30:56.000000000 -0400 @@ -1,3 +1,14 @@ +monkeysphere (0.37-3) unstable; urgency=medium + + * actually patch log() to consume all stdin when not given a message + argument (apparently the fix in 0.37-2 did not get properly applied) + (Closes: #778833) + * also from usptream: improve monkeysphere-authentication diagnostic + checks. + * wrap-and-sort for a cleaner debian/ + + -- Daniel Kahn Gillmor <d...@fifthhorseman.net> Wed, 06 May 2015 23:14:57 -0400 + monkeysphere (0.37-2) unstable; urgency=medium * patch from upstream: log() should consume all stdin when not given a diff -Nru monkeysphere-0.37/debian/control monkeysphere-0.37/debian/control --- monkeysphere-0.37/debian/control 2014-11-27 15:01:33.000000000 -0500 +++ monkeysphere-0.37/debian/control 2015-05-06 23:30:02.000000000 -0400 
@@ -3,33 +3,29 @@ Priority: extra Maintainer: Jameson Rollins <jroll...@finestructure.net> Uploaders: Daniel Kahn Gillmor <d...@fifthhorseman.net> -Build-Depends: debhelper (>= 9~), - cpio, - socat, - openssh-server, - gnupg (>= 1.4.10), - libcrypt-openssl-rsa-perl, - libdigest-sha-perl, - lockfile-progs | procmail, - openssl, - bash (>= 3.2) +Build-Depends: bash (>= 3.2), + cpio, + debhelper (>= 9~), + gnupg (>= 1.4.10), + libcrypt-openssl-rsa-perl, + libdigest-sha-perl, + lockfile-progs | procmail, + openssh-server, + openssl, + socat Standards-Version: 3.9.6 Homepage: http://web.monkeysphere.info/ Vcs-Git: git://git.monkeysphere.info/monkeysphere Package: monkeysphere Architecture: all -Depends: - gnupg (>= 1.4.10), - libcrypt-openssl-rsa-perl, - libdigest-sha-perl, - lockfile-progs | procmail, - adduser, - ${misc:Depends} -Recommends: netcat | socat, - ssh-askpass, - cron, - openssh-client +Depends: adduser, + gnupg (>= 1.4.10), + libcrypt-openssl-rsa-perl, + libdigest-sha-perl, + lockfile-progs | procmail, + ${misc:Depends} +Recommends: cron, netcat | socat, openssh-client, ssh-askpass Suggests: monkeysphere-validation-agent Enhances: openssh-client, openssh-server Description: leverage the OpenPGP web of trust for SSH and TLS authentication @@ -40,6 +36,6 @@ for users to get validated host keys, and for hosts to authenticate users. Current monkeysphere SSH tools are designed to integrate with the OpenSSH implementation of the Secure Shell protocol. - . + . Monkeysphere can also be used by a validation agent to validate TLS connections (e.g. https). diff -Nru monkeysphere-0.37/debian/monkeysphere.dirs monkeysphere-0.37/debian/monkeysphere.dirs --- monkeysphere-0.37/debian/monkeysphere.dirs 2014-11-27 14:51:28.000000000 -0500 +++ monkeysphere-0.37/debian/monkeysphere.dirs 2015-05-06 23:30:02.000000000 -0400 
@@ -1,12 +1,12 @@ -var/lib/monkeysphere +etc/X11 +etc/X11/Xsession.d +etc/monkeysphere usr/bin usr/sbin usr/share -usr/share/monkeysphere usr/share/man usr/share/man/man1 usr/share/man/man7 usr/share/man/man8 -etc/monkeysphere -etc/X11 -etc/X11/Xsession.d +usr/share/monkeysphere +var/lib/monkeysphere diff -Nru monkeysphere-0.37/debian/patches/0001-Always-consume-stdin-when-log-is-called-without-a-me.patch monkeysphere-0.37/debian/patches/0001-Always-consume-stdin-when-log-is-called-without-a-me.patch --- monkeysphere-0.37/debian/patches/0001-Always-consume-stdin-when-log-is-called-without-a-me.patch 1969-12-31 19:00:00.000000000 -0500 +++ monkeysphere-0.37/debian/patches/0001-Always-consume-stdin-when-log-is-called-without-a-me.patch 2015-05-06 23:11:50.000000000 -0400 
@@ -0,0 +1,56 @@ +From e7b1fd672161872c874cb2b28a7277ead47e4f0a Mon Sep 17 00:00:00 2001 +From: Daniel Kahn Gillmor <d...@fifthhorseman.net> +Date: Wed, 26 Nov 2014 19:35:24 -0500 +Subject: [PATCH 1/2] Always consume stdin when log is called without a message + argument + +See the discussion about this in https://bugs.debian.org/635711 + +I'm hoping this will resolve the intermittent SIGPIPEs plaguing +monkeysphere's postinst. + +I'm still unable to reproduce the problem. If people who can +reproduce the problem could try this patch and report back if it fixes +things for them, that would be great. +--- + src/share/common | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/share/common b/src/share/common +index e377ff3..2ea097e 100755 +--- a/src/share/common ++++ b/src/share/common +@@ -38,6 +38,7 @@ log() { + local output + local alllevels + local found= ++ local written= + + # don't include SILENT in alllevels: it's handled separately + # list in decreasing verbosity (all caps). +@@ -50,6 +51,9 @@ log() { + + # just go ahead and return if the log level is silent + if [ "$LOG_LEVEL" = 'SILENT' ] ; then ++ if [ ! "$2" ] ; then ++ cat >/dev/null ++ fi + return + fi + +@@ -81,8 +85,12 @@ log() { + else + cat + fi | sed 's/^/'"${LOG_PREFIX}"'/' >&2 ++ written=true + fi + done ++ if [ "$written" != 'true' -a ! "$1" ]; then ++ cat >/dev/null ++ fi + } + + # run command as monkeysphere user +-- +2.1.4 + diff -Nru monkeysphere-0.37/debian/patches/0001-consume-stdin-on-log.patch monkeysphere-0.37/debian/patches/0001-consume-stdin-on-log.patch --- monkeysphere-0.37/debian/patches/0001-consume-stdin-on-log.patch 2014-11-27 14:52:29.000000000 -0500 +++ monkeysphere-0.37/debian/patches/0001-consume-stdin-on-log.patch 1969-12-31 19:00:00.000000000 -0500 
@@ -1,50 +0,0 @@ -commit e7b1fd672161872c874cb2b28a7277ead47e4f0a -Author: Daniel Kahn Gillmor <d...@fifthhorseman.net> -Date: Wed Nov 26 19:35:24 2014 -0500 - - Always consume stdin when log is called without a message argument - - See the discussion about this in https://bugs.debian.org/635711 - - I'm hoping this will resolve the intermittent SIGPIPEs plaguing - monkeysphere's postinst. - - I'm still unable to reproduce the problem. If people who can - reproduce the problem could try this patch and report back if it fixes - things for them, that would be great. - -diff --git a/src/share/common b/src/share/common -index e377ff3..2ea097e 100755 ---- a/src/share/common -+++ b/src/share/common -@@ -38,6 +38,7 @@ log() { - local output - local alllevels - local found= -+ local written= - - # don't include SILENT in alllevels: it's handled separately - # list in decreasing verbosity (all caps). -@@ -50,6 +51,9 @@ log() { - - # just go ahead and return if the log level is silent - if [ "$LOG_LEVEL" = 'SILENT' ] ; then -+ if [ ! "$2" ] ; then -+ cat >/dev/null -+ fi - return - fi - -@@ -81,8 +85,12 @@ log() { - else - cat - fi | sed 's/^/'"${LOG_PREFIX}"'/' >&2 -+ written=true - fi - done -+ if [ "$written" != 'true' -a ! "$1" ]; then -+ cat >/dev/null -+ fi - } - - # run command as monkeysphere user diff -Nru monkeysphere-0.37/debian/patches/0002-fix-diagnostic-check-and-recommendation-for-good-aut.patch monkeysphere-0.37/debian/patches/0002-fix-diagnostic-check-and-recommendation-for-good-aut.patch --- monkeysphere-0.37/debian/patches/0002-fix-diagnostic-check-and-recommendation-for-good-aut.patch 1969-12-31 19:00:00.000000000 -0500 +++ monkeysphere-0.37/debian/patches/0002-fix-diagnostic-check-and-recommendation-for-good-aut.patch 2015-05-06 23:11:50.000000000 -0400 
@@ -0,0 +1,29 @@ +From 321b5dca3604699a1abd8e60cfcf196b005f60c7 Mon Sep 17 00:00:00 2001 +From: Daniel Kahn Gillmor <d...@fifthhorseman.net> +Date: Tue, 5 May 2015 12:11:00 -0400 +Subject: [PATCH 2/2] fix diagnostic check and recommendation for good + authorizedkeysfile in sshd_config + +--- + src/share/ma/diagnostics | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/share/ma/diagnostics b/src/share/ma/diagnostics +index abf207e..a59244a 100644 +--- a/src/share/ma/diagnostics ++++ b/src/share/ma/diagnostics +@@ -122,9 +122,9 @@ echo "Checking for Monkeysphere-enabled public-key authentication for users ..." + # Ensure that User ID authentication is enabled: + if echo "AuthorizedKeysFile foo bar" | /usr/sbin/sshd -t -f /dev/stdin; then + # OpenSSH >= 6.0, multiple authorized_keys file supported +- if ! grep -q "^AuthorizedKeysFile[[:space:]]\+.*[[:space:]]\*${SYSDATADIR}/authorized_keys/%u$" "$sshd_config"; then ++ if ! grep -q "^AuthorizedKeysFile[[:space:]]\+.*[[:space:]]*${SYSDATADIR}/authorized_keys/%u$" "$sshd_config"; then + echo "! $sshd_config does not point to monkeysphere authorized keys." +- echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 ${SYSDATADIR}/authorized_keys/%u'" ++ echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys2 ${SYSDATADIR}/authorized_keys/%u'" + problemsfound=$(($problemsfound+1)) + fi + if [ "$RAW_AUTHORIZED_KEYS" != none ]; then +-- +2.1.4 + diff -Nru monkeysphere-0.37/debian/patches/series monkeysphere-0.37/debian/patches/series --- monkeysphere-0.37/debian/patches/series 1969-12-31 19:00:00.000000000 -0500 +++ monkeysphere-0.37/debian/patches/series 2015-05-06 23:13:51.000000000 -0400 @@ -0,0 +1,2 @@ +0001-Always-consume-stdin-when-log-is-called-without-a-me.patch +0002-fix-diagnostic-check-and-recommendation-for-good-aut.patch
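
Review bot: In the debian/changelog hunk, the new stanza is versioned 0.37-3 and targets unstable, while the upload proposed for jessie is 0.37-2+deb8u1. The stable upload needs its own stanza carrying that version and jessie as the distribution, listing only the changes it actually contains; the second bullet also has the typo "usptream".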
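
Review bot: The debian/control hunks and the debian/monkeysphere.dirs hunk only reorder and rewrap entries that were already there (the same Build-Depends, Depends, Recommends and directory names appear on both sides), so they lengthen the debdiff without changing anything for jessie users. For a stable update, consider dropping the wrap-and-sort changes and keeping only the two patches plus debian/patches/series, which makes it easier to confirm that nothing besides #778833 and the diagnostics fix is touched.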
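
Review bot: In the src/share/common patch to log(), the two new guards test different positional parameters: `[ ! "$2" ]` in the SILENT branch and `[ "$written" != 'true' -a ! "$1" ]` after the loop. The visible hunks do not show the argument handling in between that would make these equivalent, so a short comment on each guard saying which argument is the message would help. Both guards also treat an empty-string message the same as no message, in which case `cat >/dev/null` waits on a stdin the caller may never close; testing the argument count (`$#`) avoids that, and `[ ... ] && [ ... ]` is more portable than `-a`.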
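
Review bot: In the src/share/ma/diagnostics hunk, changing `[[:space:]]\*` to `[[:space:]]*` makes the whitespace before `${SYSDATADIR}/authorized_keys/%u` optional, and because `.*` precedes it, the grep now also accepts a line whose last entry merely ends with that string, such as a longer path that has the monkeysphere path as its suffix. The diagnostic would then report sshd_config as correct while sshd reads a different file. Consider requiring either the start of the value or whitespace immediately before the path, for example `^AuthorizedKeysFile[[:space:]]\+\(.*[[:space:]]\)\?${SYSDATADIR}/authorized_keys/%u$`. `${SYSDATADIR}` is also interpolated into the pattern unescaped, so any regex metacharacters in it are interpreted by grep.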