Bug#604887: libmysqld-dev should depend on libwrap0

[Serge Hallyn]

Package: libmysqld-dev
Version: 5.1-5.1.49

libmysql is compiled with --with-libwrap0.  The source package depends
upon libwrap0-dev.  However, libmysqld-dev does not seem to depend on
libwrap0, or on anything that does.  Should libwrap0 be added to its
Depends: ?



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#604888: vsftpd should check for full user/groupname ftp

[Serge Hallyn]

Package: vsftpd
Version: 2.3.2-3

The postinst file for vfstpd checks for user and group
name 'ftp', but it actually only checks for names starting
with ftp.  Instead of

if ! getent group | grep -q "^${_USERNAME}"

it should check for

if ! getent group | grep -q "^${_USERNAME}:"

Otherwise it may think that 'ftp' exists when only 'ftpfool'
exists, then fail later when trying to 'chown root:ftp' a
file.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#734810: docker.io busts up cgroups when systemd is running

[Serge Hallyn]

Quoting Tianon Gravi (admwig...@gmail.com):
> I absolutely agree that standardizing all the different methods of mounting
> the cgroups would be a great idea.  Ubuntu currently does this with their
> "cgroup-lite" package (http://packages.ubuntu.com/precise/cgroup-lite),
> which does pretty much exactly what we need.  The only problems with it I
> can see are that it has some weird love/hate relationship with "cgroup-bin"
> that I can't quite figure out.

Hi,

until he unfortunately had to bow out as maintainer, Jon Bernard and
I had been talking about merging cgroup-lite (and sysvinit based
equivalent) back into cgroup-bin.  The idea was that the inherent
racy parts of libcgroup (in particular the reclassification of
programs after they start) would be yanked, leaving a simple startup
and the useful binaries.

> I would be very interested in and willing to maintain such a "cgroup
> mounting" package in Debian if there's interest in it (especially from the
> maintainers of the other packages needing cgroups mounted such as libvirt
> and LXC).  I think the approach taken by "cgroup-lite" is basically exactly
> what we need, and I wonder if Serge Hallyn (who appears to be the most
> active maintainer of the Ubuntu package from
> http://changelogs.ubuntu.com/changelogs/pool/main/c/cgroup-lite/cgroup-lite_1.8/changelog)
> would be amenable to my basing a new Debian package off the work there.

Of course, whatever you need.

For cgroup-lite I really wanted something that would just start as early
and fast as possible, and be stupid enough to not risk breaking any
libvirt or lxc installations.  I just wanted cgroups mounted in time.
Whether you would keep the new package as simple, just adding sysvinit
scripts;  or add some smarts so users can set initial cgroups;  either
way would be useful.

> CC'ing Serge so we can hopefully get some added knowledge. :)
> 
> ♥,
> - Tianon

Note though that my current focus is on cgmanager, and we hope to have
lxc start to use it whenever possible instead of cgroupfs.  Cgmanager
offers a dbus interface for managing cgroups, and its goal is to
allow even unprivileged and nested containers to manage their cgroups,
subject to hierarchical constraints set up by logind and enforced by the
kernel.

thanks,
-serge


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#727762: please don't complain about using "kvm" on the command line

[Serge Hallyn]

FWIW - I don't have a vote, but I personally agree with the original
submitter that kvm should continue indefinately to exist as a command
which says use kvm extensions when available, and use tcg when not.

Consider anyone maintaining a large number of systems.  They can
already use qemu-system-x86 if they want to be able to control
whether or not use kvm extensions (and whether to fail if needed).
/usr/bin/kvm is what people almost always want, is nice and short,
and is a way to "Do What I Mean" without having to customize your
test script for each machine or (if doing it manually) think about
where you are.

I'm only writing this because I assume silence will be taken as everyone
agreeing with the bug status :)  I don't expect the bug status to be
changed, and in the end it's always one script or alias away from being
as I want it  :)


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#689035: fixed upstream

[Serge Hallyn]

Hi,

The new 2.24 upstream package should fix this bug.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#734633: Merge upstream 2.24

[Serge Hallyn]

Package: libcap2
Version: 1:2.22-1.2

Hi,

upstream libcap has released 2.24 at
https://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/libcap-2.24.tar.gz

A trivial debian package based on this is at
http://people.canonical.com/~serge/libcap-2.24.pkg/libcap2_2.24-1.dsc

(extra files
http://people.canonical.com/~serge/libcap-2.24.pkg/libcap2_2.24-1_source.changes

http://people.canonical.com/~serge/libcap-2.24.pkg/libcap2_2.24.orig.tar.gz

http://people.canonical.com/~serge/libcap-2.24.pkg/libcap2_2.24-1.debian.tar.gz
)


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#750480: First patch looks ok

[Serge Hallyn]

Since we are doing proper bounds checking on the snprintf result,
the worst thing that will happen if the size is too small is that
newuidmap and newgidmap will end up failing.  Note that moving
the comment explaining the max size up to the proc_dir_name
declaration would be more helpful.

For the same reason, simply doing

#ifndef PATH_MAX
#define PATH_MAX 512
#endif

would work just as well.

Adding a malloc is simply unjustified.

If Christian does not object I'll apply the patch in a bit to
upstream git.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#750090: Need more information

[Serge Hallyn]

Hi,

Looking at 
http://www.gnu.org/software/gettext/manual/html_node/autopoint-Invocation.html
it does seem that autopoint could be needed to build shadow, since
a AM_GNU_GETTEXT_VERSION does show up in configure.in.

The autopoint dependency is probably usually satisfied due to
a Recommends in gettext, which in turn shadow does build-dep on.
However since it is only a recommends, this won't always be the
case.

Nevertheless, when I dpkg -r autopoint on a wheezy chroot and
build shadow, the package succesfully builds.

Thomas, could you please tell us exactly how the build broke
for you without autopoint?  I.e show us the full build logs.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#750480: [Pkg-shadow-devel] Bug#750480: patch pushed

[Serge Hallyn]

I've pushed the first patch to upstream git.  This should mean it will be
fixed in the next merge into debian.

Thanks!


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#729054: bit more info

[Serge Hallyn]

I hit the same bug under ubuntu 14.04.  The faulting memory location
tends to change a bit (0x8, 0xd8, 0x88), but in this particular run I
got:

Cannot access memory at address 0x88

#0  dispatcher_send_message (dispatcher=0x88,
message_type=message_type@entry=16, 
payload=payload@entry=0x7fffe190) at dispatcher.c:173

(gdb) p *dispatcher
Cannot access memory at address 0x88

(gdb) up
#1  0x7199d0dc in red_dispatcher_add_memslot
(dispatcher=, 
mem_slot=) at red_dispatcher.c:386

This is add, since red_dispatcher_add_memslot is doing

dispatcher_send_message(&dispatcher->dispatcher,
RED_WORKER_MESSAGE_ADD_MEMSLOT,
&payload);

but dispatcher_send_message() is getting dispatcher=0x88.  So how did
&v end up with an invalid address?


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#747082: Please build for arm

[Serge Hallyn]

Package: spice-gtk
Version: 0.23-1

Hi,

I've built spicy from the fedora sources on an armhf host, and the
resulting binary works great.  Could the armhf (and maybe arm64)
architectures be enabled for it?  If you prefer I can try my hand
at a debdiff to make it work, but I figured it'll be faster for the
maintainer.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#689035: libcap2: List of capabilities not in sync with the linux kernel and libc6

[Serge Hallyn]

Package: libcap2
Version: 1:2.22-1.2
Followup-For: Bug #689035
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu raring ubuntu-patch

Dear Maintainer,

In Ubuntu, the attached patch was applied to achieve the following:

  * Add patch (which has been forwarded to the upstream maintainer) to define
new capabilities in most recent kernels.  (LP: #1084000) (Closes: #689035)

This is submitted as an alternative to the previous patch, which uses
the kernel's capability.h to build.  The downside of that patch is that,
for instance, 'capsh --print' still does not know the names of 35 and
36.  With this patch it does.

Thanks for considering the patch.


diff -Nru libcap2-2.22/debian/changelog libcap2-2.22/debian/changelog
diff -Nru libcap2-2.22/debian/control libcap2-2.22/debian/control
--- libcap2-2.22/debian/control 2012-11-26 11:30:29.0 -0600
+++ libcap2-2.22/debian/control 2013-01-18 15:41:48.0 -0600
@@ -1,8 +1,7 @@
 Source: libcap2
 Section: libs
 Priority: optional
-Maintainer: Ubuntu Developers 
-XSBC-Original-Maintainer: Torsten Werner 
+Maintainer: Torsten Werner 
 Standards-Version: 3.9.0
 Build-Depends: debhelper (>= 8.1.3~), indent, libattr1-dev, libpam0g-dev
 Homepage: http://sites.google.com/site/fullycapable/
diff -Nru 
libcap2-2.22/debian/patches/0001-Add-CAP_WAKE_ALARM-and-CAP_BLOCK_SUSPEND-to-capabili.patch
 
libcap2-2.22/debian/patches/0001-Add-CAP_WAKE_ALARM-and-CAP_BLOCK_SUSPEND-to-capabili.patch
--- 
libcap2-2.22/debian/patches/0001-Add-CAP_WAKE_ALARM-and-CAP_BLOCK_SUSPEND-to-capabili.patch
 1969-12-31 18:00:00.0 -0600
+++ 
libcap2-2.22/debian/patches/0001-Add-CAP_WAKE_ALARM-and-CAP_BLOCK_SUSPEND-to-capabili.patch
 2013-01-18 15:34:20.0 -0600
@@ -0,0 +1,34 @@
+From 41ec6f9bdde6998518dd3a8afd8fcc286b81bce3 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn 
+Date: Fri, 18 Jan 2013 15:31:09 -0600
+Subject: [PATCH 1/1] Add CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND to capability.h
+
+Signed-off-by: Serge Hallyn 
+---
+ libcap/include/linux/capability.h | 10 +-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/libcap/include/linux/capability.h 
b/libcap/include/linux/capability.h
+index 4924f2a..57026be 100644
+--- a/libcap/include/linux/capability.h
 b/libcap/include/linux/capability.h
+@@ -360,7 +360,15 @@ struct cpu_vfs_cap_data {
+CAP_SYS_ADMIN is not acceptable anymore. */
+ #define CAP_SYSLOG   34
+ 
+-#define CAP_LAST_CAP CAP_SYSLOG
++/* Allow triggering something that will wake the system */
++
++#define CAP_WAKE_ALARM35
++
++/* Allow preventing system suspends */
++
++#define CAP_BLOCK_SUSPEND36
++
++#define CAP_LAST_CAP CAP_BLOCK_SUSPEND
+ 
+ #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
+ 
+-- 
+1.8.0
+
diff -Nru libcap2-2.22/debian/patches/series libcap2-2.22/debian/patches/series
--- libcap2-2.22/debian/patches/series  2012-07-06 11:53:43.0 -0500
+++ libcap2-2.22/debian/patches/series  2013-01-18 15:34:31.0 -0600
@@ -1,2 +1,3 @@
 0001-fix-Makefiles.patch
 0003-refine-setcap-error-message.patch
+0001-Add-CAP_WAKE_ALARM-and-CAP_BLOCK_SUSPEND-to-capabili.patch


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#649541: Update to version 3.13.1

[Serge Hallyn]

Package: freeimage
Version: 3.10.0-4

Hi,

Ubuntu is using a freeimage package based on 3.13.1 (3.13.1-ubuntu1)
which I noticed is not in Debian.  The package is available at

dget 
https://launchpad.net/ubuntu/maverick/+source/freeimage/3.13.1-0ubuntu1/+files/freeimage_3.13.1-0ubuntu1.dsc

and builds fine for me in pbuilder in debian.

thanks,
-serge



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#688170: [Pkg-libvirt-maintainers] Bug#688167: Bug#688167: libvirt: Please port to libnl-3.x

[Serge Hallyn]

will do.

Quoting Guido Günther (a...@sigxcpu.org):
> block 688167 with 688170
> thanks
> 
> On Thu, Sep 20, 2012 at 03:03:58PM +0200, Michael Biebl wrote:
> > On 20.09.2012 07:28, Guido Günther wrote:
> > 
> > > libvirt already supports libnl3 we just need to coordinate with
> > > libnetcf. It's already on the TODO list.
> > 
> > Should we block #688167 with #688170 or can the packages be switched
> > independently?
> 
> netcf needs to get uploaded first. Serge, could you upload a new netcf
> built against libnl-3 to experimental and add a conflict on 
> 
> libvirt0 (<= 0.10.1-2~)
> 
> I'll then upload a new libvirt.
> Cheers,
>  -- Guido
> 
> ___
> Pkg-libvirt-maintainers mailing list
> pkg-libvirt-maintain...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-libvirt-maintainers


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#688347: modprobe lense fails on lines split by \

[Serge Hallyn]

Package: augeas-lenses
Version: 0.10.0-1

This was originally reported against Ubuntu as
https://bugs.launchpad.net/ubuntu/+source/augeas/+bug/1054306

The augeas modprobe lens fails on the following file:

# /etc/modprobe.d/iwlwifi.conf
# iwlwifi will dyamically load either iwldvm or iwlmvm depending on the
# microcode file installed on the system. When removing iwlwifi, first
# remove the iwl?vm module and then iwlwifi.
remove iwlwifi \
(/sbin/lsmod | grep -o -e ^iwlmvm -e ^iwldvm -e ^iwlwifi | xargs /sbin/rmmod) \
&& /sbin/modprobe -r mac80211

Removing the '\/ and joining the lines lets it succeed.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#688347: augeas: Debdiff including patch to fix this bug

[Serge Hallyn]

This is a multi-part MIME message sent by reportbug.


--===3400407790400870048==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Package: augeas
Version: 0.10.0-1fakesync1
Followup-For: Bug #688347
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch

Dear Maintainer,

In Ubuntu, the attached patch was applied to achieve the following:

  * augeas-split-lines.patch: consolidate 2 commits from upstream to fix
handling of split lines in modprobe.conf (LP: #1054306) (Closes: #688347)

Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers precise-updates
  APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 
'precise'), (100, 'precise-backports')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-31-generic (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--===3400407790400870048==
Content-Type: text/x-diff; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="augeas_0.10.0-1fakesync1ubuntu1.debdiff"

diff -Nru augeas-0.10.0/debian/changelog augeas-0.10.0/debian/changelog
diff -Nru augeas-0.10.0/debian/patches/augeas-split-lines.patch 
augeas-0.10.0/debian/patches/augeas-split-lines.patch
--- augeas-0.10.0/debian/patches/augeas-split-lines.patch   1969-12-31 
18:00:00.0 -0600
+++ augeas-0.10.0/debian/patches/augeas-split-lines.patch   2012-09-24 
22:55:49.0 -0500
@@ -0,0 +1,60 @@
+Description: Fix modprobe lense to handle lines split by \
+ .
+ This is cherrypicked from upstream, commits c0ff479c and e599fed9.
+Author: Dominic Cleal 
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/netcf/+bug/1054306
+
+Index: augeas-0.10.0/lenses/modprobe.aug
+===
+--- augeas-0.10.0.orig/lenses/modprobe.aug 2012-09-24 22:53:09.0 
-0500
 augeas-0.10.0/lenses/modprobe.aug  2012-09-24 22:53:54.661577143 -0500
+@@ -42,7 +42,7 @@
+ let sto_no_colons = store /[^:# \t\n]+/
+ 
+ (* View: sto_to_eol *)
+-let sto_to_eol = store /[^# \t\n][^#\n]*[^# \t\n]|[^# \t\n]/
++let sto_to_eol = store /(([^# \t\n][^#\n]*[ \t]*[ \t]*\n[ 
\t]*)*([^# \t\n][^#\n]*[^# \t\n]|[^# \t\n])|[^# \t\n])/
+ 
+ (* View: alias *)
+ let alias =
+Index: augeas-0.10.0/lenses/modules.aug
+===
+--- augeas-0.10.0.orig/lenses/modules.aug  2011-11-28 17:51:05.0 
-0600
 augeas-0.10.0/lenses/modules.aug   2012-09-24 22:53:54.661577143 -0500
+@@ -20,8 +20,11 @@
+ (* View: word *)
+ let word = /[^#, \n\t\/]+/
+ 
++(* View: sto_line *)
++let sto_line = store /[^# \t\n].*[^ \t\n]|[^# \t\n]/
++
+ (* View: record *)
+-let record = [ key word . (Util.del_ws_tab . Modprobe.sto_to_eol)? . Util.eol 
]
++let record = [ key word . (Util.del_ws_tab . sto_line)? . Util.eol ]
+ 
+ (* View: lns *)
+ let lns = ( Util.empty | Util.comment | record ) *
+Index: augeas-0.10.0/lenses/tests/test_modprobe.aug
+===
+--- augeas-0.10.0.orig/lenses/tests/test_modprobe.aug  2012-09-24 
22:53:09.0 -0500
 augeas-0.10.0/lenses/tests/test_modprobe.aug   2012-09-24 
22:53:47.921549271 -0500
+@@ -124,3 +124,19 @@
+ { "attr1" = "\"val\"" }
+ { "attr2" = "\"val2 val3\"" }
+   }
++
++(* Support multiline split commands, Ubuntu bug #1054306 *)
++test Modprobe.lns get "# /etc/modprobe.d/iwlwifi.conf
++# iwlwifi will dyamically load either iwldvm or iwlmvm depending on the
++# microcode file installed on the system. When removing iwlwifi, first
++# remove the iwl?vm module and then iwlwifi.
++remove iwlwifi \
++(/sbin/lsmod | grep -o -e ^iwlmvm -e ^iwldvm -e ^iwlwifi | xargs /sbin/rmmod) 
\
++&& /sbin/modprobe -r mac80211\n" =
++  { "#comment" = "/etc/modprobe.d/iwlwifi.conf" }
++  { "#comment" = "iwlwifi will dyamically load either iwldvm or iwlmvm 
depending on the" }
++  { "#comment" = "microcode file installed on the system. When removing 
iwlwifi, first" }
++  { "#comment" = "remove the iwl?vm module and then iwlwifi." }
++  { "remove" = "iwlwifi"
++{ "command" = "(/sbin/lsmod | grep -o -e ^iwlmvm -e ^iwldvm -e ^iwlwifi | 
xargs /sbin/rmmod) \\\n&& /sbin/modprobe -r mac80211" }
++  }
diff -Nru augeas-0.10.0/debian/patches/series 
augeas-0.10.0/debian/patches/series
--- augeas-0.10.0/debian/patches/series 2012-05-20 03:49:39.0 -0500
+++ augeas-0.10.0/debian/patches/series 2012-09-24 22:53:12.0 -0500
@@ -8,3 +8,4 @@
 cpp-linkage.patch
 gnulib-build-out-of-source.patch
 regexp-escape.patch
+augeas-split-lines.patch

--===3400407790400870048==--


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "

Bug#674178: /dev/shm is not set up right in chroot

[Serge Hallyn]

Quoting Roger Leigh (rle...@codelibre.net):
> tags 674178 + pending
> thanks
> 
> On Wed, May 30, 2012 at 01:11:55PM -0500, Serge Hallyn wrote:
> > Here is a debdiff showing the change I was suggesting.  It works under
> > debootstrap.  The !ischroot case is unchanged, as is the case under
> > chroot where /dev is a mounpoint.
> 
> I can't see anything wrong with this after considering all the
> different conditions it could run in, so it's applied in git
> (minor whitespace changes only), and will be in the next upload.

Thanks - however to the bottom of the ubuntu bug (in particular
https://bugs.launchpad.net/launchpad/+bug/974584/comments/20
and
https://bugs.launchpad.net/launchpad/+bug/974584/comments/21
) vorlon has proposed an improved variation.  Thanks and sorry
for the inconvenience.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#660018: libvirt: Missing build dependency for libvirt-bin: libgcrypt11-dev

[Serge Hallyn]

Package: libvirt
Version: 0.9.8-2
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu precise ubuntu-patch

Dear Maintainer,


A user (nutznboltz) discovered that one of the build dependencies
for libvirt is not listed in its build-deps, though it is listed
as a depency of one of libvirt's build-deps.  If that package is
not installed, compilation fails with:

libvirt-0.9.8/./src/libvirt.c:22:20: fatal error: gcrypt.h: No such file or 
directory

See https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/932889 for the
original Ubuntu bug report.

In Ubuntu, the attached patch was applied to achieve the following:

  * debian/control: add libgcrypt11-dev to build-depends (LP: #932889)

Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers precise-updates
  APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 
'precise'), (100, 'precise-backports')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-15-generic (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru libvirt-0.9.8/debian/changelog libvirt-0.9.8/debian/changelog
diff -Nru libvirt-0.9.8/debian/control libvirt-0.9.8/debian/control
--- libvirt-0.9.8/debian/control	2012-02-01 12:27:33.0 -0600
+++ libvirt-0.9.8/debian/control	2012-02-15 13:17:01.0 -0600
@@ -17,6 +17,7 @@
  libxen-dev [i386 amd64],
  lvm2 [linux-any],
  open-iscsi-utils,
+ libgcrypt11-dev,
  libparted0-dev (>= 2.2),
  parted (>= 2.2),
  libdevmapper-dev [linux-any],

Bug#681099: gtk-pixbuf: switch to libtiff5-dev

[Serge Hallyn]

Package: gdk-pixbuf
Version: 2.26.1-1
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch

Dear Maintainer,

tiff3 is getting set to be replaced by tiff4.  gtk-pixbuf's build-deps will
need to be switched from libtiff4-dev to libtiff5-dev.

*** /tmp/tmpZyzulP/bug_body
In Ubuntu, the attached patch was applied to achieve the following:

  * switch from libtiff4-dev to libtiff5-dev | libtiff-dev to fix nbs.


Thanks for considering the patch.

--===0176840937463659364==
Content-Type: text/x-diff; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="gdk-pixbuf_2.26.1-1ubuntu1.debdiff"

diff -Nru gdk-pixbuf-2.26.1/debian/changelog gdk-pixbuf-2.26.1/debian/changelog
diff -Nru gdk-pixbuf-2.26.1/debian/control gdk-pixbuf-2.26.1/debian/control
--- gdk-pixbuf-2.26.1/debian/control2012-04-16 00:22:09.0 -0500
+++ gdk-pixbuf-2.26.1/debian/control2012-07-10 10:55:55.0 -0500
@@ -6,8 +6,9 @@
 Source: gdk-pixbuf
 Section: libs
 Priority: optional
-Maintainer: Debian GNOME Maintainers 

-Uploaders: Martin Pitt , Michael Biebl 
+Maintainer: Ubuntu Developers 
+XSBC-Original-Maintainer: Debian GNOME Maintainers 

+Uploaders: Debian GNOME Maintainers 
, Michael Biebl 

 Build-Depends: cdbs (>= 0.4.93),
debhelper (>= 8.1.3),
autotools-dev,
@@ -17,7 +18,7 @@
libpng-dev | libpng12-dev,
libjpeg-dev,
libjasper-dev,
-   libtiff4-dev,
+   libtiff5-dev | libtiff-dev,
gobject-introspection (>= 0.9.12-4~),
libgirepository1.0-dev (>= 0.9.3),
gir1.2-glib-2.0,
diff -Nru gdk-pixbuf-2.26.1/debian/control.in 
gdk-pixbuf-2.26.1/debian/control.in
--- gdk-pixbuf-2.26.1/debian/control.in 2012-04-16 00:20:02.0 -0500
+++ gdk-pixbuf-2.26.1/debian/control.in 2012-07-10 10:55:45.0 -0500
@@ -1,7 +1,8 @@
 Source: gdk-pixbuf
 Section: libs
 Priority: optional
-Maintainer: Debian GNOME Maintainers 

+Maintainer: Ubuntu Developers 
+XSBC-Original-Maintainer: Debian GNOME Maintainers 

 Uploaders: @GNOME_TEAM@
 Build-Depends: cdbs (>= 0.4.93),
debhelper (>= 8.1.3),
@@ -12,7 +13,7 @@
libpng-dev | libpng12-dev,
libjpeg-dev,
libjasper-dev,
-   libtiff4-dev,
+   libtiff5-dev | libtiff-dev,
gobject-introspection (>= 0.9.12-4~),
libgirepository1.0-dev (>= 0.9.3),
gir1.2-glib-2.0,



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#681100: emacs23: switch to libtiff5-dev

[Serge Hallyn]

Package: emacs23
Version: 23.4+1-3
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch

Dear Maintainer,

tiff3 is getting set to be replaced by tiff4.  emacs23's build-deps will
need to be switched from libtiff4-dev to libtiff5-dev.

*** /tmp/tmpisg1CI/bug_body
In Ubuntu, the attached patch was applied to achieve the following:


  * debian/control.in: use libtiff5-dev in place of libtiff4-dev

Thanks for considering the patch.

--===3199317471975587855==
Content-Type: text/x-diff; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="emacs23_23.4+1-3ubuntu2.debdiff"

diff -Nru emacs23-23.4+1/debian/changelog emacs23-23.4+1/debian/changelog
diff -Nru emacs23-23.4+1/debian/control emacs23-23.4+1/debian/control
--- emacs23-23.4+1/debian/control   2012-05-17 17:19:40.0 -0500
+++ emacs23-23.4+1/debian/control   2012-07-09 15:43:12.0 -0500
@@ -4,7 +4,7 @@
 Maintainer: Ubuntu Developers 
 XSBC-Original-Maintainer: Rob Browning 
 Build-Depends: bsd-mailx | mailx, libncurses5-dev, texinfo, liblockfile-dev, 
librsvg2-dev,
- libgif-dev | libungif4-dev, libtiff4-dev | libtiff-dev, xaw3dg-dev,
+ libgif-dev | libungif4-dev, libtiff5-dev | libtiff-dev, xaw3dg-dev,
  libpng-dev, libjpeg-dev, libm17n-dev, libotf-dev,
  libgpm-dev [linux-any], libdbus-1-dev,
  autoconf, automake, autotools-dev, dpkg-dev (>> 1.10.0), quilt (>= 0.42),
diff -Nru emacs23-23.4+1/debian/control.in emacs23-23.4+1/debian/control.in
--- emacs23-23.4+1/debian/control.in2012-05-17 17:19:40.0 -0500
+++ emacs23-23.4+1/debian/control.in2012-07-09 15:43:04.0 -0500
@@ -4,7 +4,7 @@
 Maintainer: Ubuntu Developers 
 XSBC-Original-Maintainer: Rob Browning 
 Build-Depends: bsd-mailx | mailx, libncurses5-dev, texinfo, liblockfile-dev, 
librsvg2-dev,
- libgif-dev | libungif4-dev, libtiff4-dev | libtiff-dev, xaw3dg-dev,
+ libgif-dev | libungif4-dev, libtiff5-dev | libtiff-dev, xaw3dg-dev,
  libpng-dev, libjpeg-dev, libm17n-dev, libotf-dev,
  libgpm-dev [linux-any], libdbus-1-dev,
  autoconf, automake, autotools-dev, dpkg-dev (>> 1.10.0), quilt (>= 0.42),



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#681132: libgdiplus: Please build-depends on libtiff5-dev | libtiff-dev, change from libtiff4-dev

[Serge Hallyn]

Package: libgdiplus
Version: 2.10-3
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch

Dear Maintainer,

tiff3 is getting set to be replaced by tiff4.  libgdiplus's build-deps will
need to be switched from libtiff4-dev to libtiff5-dev.

In Ubuntu, the attached patch was applied to achieve the following:

  * build-deps: use libtiff5-dev | libtiff-dev in place of libtiff4-dev

Thanks for considering the patch.

diff -Nru libgdiplus-2.10/debian/changelog libgdiplus-2.10/debian/changelog
diff -Nru libgdiplus-2.10/debian/control libgdiplus-2.10/debian/control
--- libgdiplus-2.10/debian/control  2012-01-17 18:48:47.0 -0600
+++ libgdiplus-2.10/debian/control  2012-07-10 15:16:23.0 -0500
@@ -1,7 +1,8 @@
 Source: libgdiplus
 Section: libs
 Priority: optional
-Maintainer: Debian Mono Group 
+Maintainer: Ubuntu Developers 
+XSBC-Original-Maintainer: Debian Mono Group 

 Uploaders: Mirco Bauer , Sebastian Dröge 
, Jo Shields 
 Build-Depends: 
  debhelper (>= 7.0.50~), 
@@ -13,7 +14,7 @@
  libxft-dev (>= 2.0), 
  libpng12-dev, 
  libjpeg-dev, 
- libtiff4-dev, 
+ libtiff5-dev | libtiff-dev, 
  libgif-dev, 
  libexif-dev, 
  libcairo2-dev (>= 1.4)




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#682152: manpages are not installed

[Serge Hallyn]

Package: libseccomp
Version: 0.1.0-1

The debian/libseccomp-dev.manpages file lists 'usr/man/man3'.  It needs
to list 'debian/tmp/usr/man/man3'.  As a result no manpages are shipped
with libseccomp-dev.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#682759: vde2: vdeterm does not restore terminal when it returns early in error

[Serge Hallyn]

Package: vde2
Version: 2.3.2-4
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch

Dear Maintainer,

vdeterm has a bug which leaves the terminal in a bad state if it exits
too early in error - in particular if it was unable to open its socket.
Simply typing

vdeterm

is sufficient to reproduce (and then verifying by typing into the 
terminal and seeing no echo).

I've also posted this bug upstream at:

http://sourceforge.net/tracker/?func=detail&aid=3548041&group_id=95403&atid=611248

In Ubuntu, the attached patch was applied to achieve the following:

  * vdeterm: don't improperly reset the terminal when exiting too
early (LP: #804647)


Thanks for considering the patch.

diff -u vde2-2.3.2/debian/changelog vde2-2.3.2/debian/changelog
diff -u vde2-2.3.2/debian/patches/series vde2-2.3.2/debian/patches/series
--- vde2-2.3.2/debian/patches/series
+++ vde2-2.3.2/debian/patches/series
@@ -4,0 +5 @@
+vdeterm-terminal-reset
only in patch2:
unchanged:
--- vde2-2.3.2.orig/debian/patches/vdeterm-terminal-reset
+++ vde2-2.3.2/debian/patches/vdeterm-terminal-reset
@@ -0,0 +1,31 @@
+Description: don't reset terminal too early
+Author: Serge Hallyn 
+Forwarded: yes
+
+Index: vde2-2.3.2/src/vdeterm.c
+===
+--- vde2-2.3.2.orig/src/vdeterm.c  2011-11-23 10:41:18.0 -0600
 vde2-2.3.2/src/vdeterm.c   2012-07-24 17:25:52.293126588 -0500
+@@ -20,11 +20,13 @@
+ 
+ char *prompt;
+ static struct termios tiop;
++int termset = 0;
+ 
+ static void cleanup(void)
+ {
+   fprintf(stderr,"\n");
+-  tcsetattr(STDIN_FILENO,TCSAFLUSH,&tiop);
++  if (termset)
++  tcsetattr(STDIN_FILENO,TCSAFLUSH,&tiop);
+ }
+ 
+ static void sig_handler(int sig)
+@@ -135,6 +137,7 @@
+   newtiop.c_lflag &= ~ICANON;
+   newtiop.c_lflag &= ~ECHO;
+   tcsetattr(STDIN_FILENO,TCSAFLUSH,&newtiop);
++  termset = 1;
+   flags = fcntl(fd, F_GETFL);
+   flags |= O_NONBLOCK;
+   fcntl(fd, F_SETFL, flags);


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#628843: [Pkg-shadow-devel] Bug#628843: login: tty hijacking - suggested solution inclusive patch but now solved

[Serge Hallyn]

Hi,

with the stock debian shadow packages, trying the exploit in message #86
gives me:

root@d2:~# su - testme
exit
echo Payload as $(whoami)
testme@d2:~$ exit
logout
root@d2:~# echo Payload as $(whoami)
Payload as root

With this patch on top of 4.1.5, I get

root@d3:~# su - testme
configuration error - unknown item 'FAILLOG_ENAB' (notify administrator)
configuration error - unknown item 'FTMP_FILE' (notify administrator)
exit
echo Payload as $(whoami)
testme@d3:~$ exit
logout


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#691459: proposed (trivial) patch

[Serge Hallyn]

Hi Philipp,

thanks for the bug report.  Your proposal makes sense, here is a debdiff
(against the ubuntu package, but the source file should be identical)
which fixes it for me.  Does it work for you?

diff -u shadow-4.1.5.1/debian/changelog shadow-4.1.5.1/debian/changelog
--- shadow-4.1.5.1/debian/changelog
+++ shadow-4.1.5.1/debian/changelog
@@ -1,3 +1,10 @@
+shadow (1:4.1.5.1-1ubuntu4~userns2pwdir1) raring; urgency=low
+
+  * strdup_static_pwdir: if using the static char* for pw_dir, strdup it so
+pw_free() can be used. (Closes: #691459)
+
+ -- Serge Hallyn   Tue, 05 Mar 2013 12:04:21 -0600
+
 shadow (1:4.1.5.1-1ubuntu4~userns2) raring; urgency=low
 
   * userns/12_userns_selinuxlibs: fix FTBFS (provided debian/rules actually
diff -u shadow-4.1.5.1/debian/patches/series 
shadow-4.1.5.1/debian/patches/series
--- shadow-4.1.5.1/debian/patches/series
+++ shadow-4.1.5.1/debian/patches/series
@@ -33,0 +34,2 @@
+
+strdup_static_pwdir
only in patch2:
unchanged:
--- shadow-4.1.5.1.orig/debian/patches/strdup_static_pwdir
+++ shadow-4.1.5.1/debian/patches/strdup_static_pwdir
@@ -0,0 +1,17 @@
+Description: strdup the static char* temp_pw_dir
+ That way we can continue to use pw_free() without segving.
+Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691459
+
+Index: shadow-4.1.5.1/libmisc/setupenv.c
+===
+--- shadow-4.1.5.1.orig/libmisc/setupenv.c 2013-03-05 12:01:35.126218100 
-0600
 shadow-4.1.5.1/libmisc/setupenv.c  2013-03-05 12:02:31.334217148 -0600
+@@ -228,7 +228,7 @@ void setup_env (struct passwd *info)
+   exit (EXIT_FAILURE);
+   }
+   (void) puts (_("No directory, logging in with HOME=/"));
+-  info->pw_dir = temp_pw_dir;
++  info->pw_dir = strdup(temp_pw_dir);
+   }
+ 
+   /*


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#628843: use pty?

[Serge Hallyn]

Hi,

the last few comments in this bug have suggested there may not be a good
solution for this problem.

As mdeslaur has pointed out in irc, one solution would be to have
interactive su use a new pty for the session.  Not trivial, but
if the idea itself isn't objectionable I wouldn't mind trying a
patch when I find time.

Alternatively, we could simply update the su man page to recommend
su only be used for increasing privilege (becoming root), and recommend
other means for dropping privilege or switching users.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#639936: Don't assume python version 2.6

[Serge Hallyn]

Package: spice-gtk
Version: 0.7-1

Hi,

spice-gtk currently assumes the system is on python 2.6.  I had to change
that as per the debdiff below while syncing to Ubuntu.  Since it'll
eventually need to be tweaked in debian as well, it would be great if it
could be changed now (so as to minimize delta between debian and ubuntu).

thanks,
-serge

===

diff -Nru spice-gtk-0.7/debian/changelog spice-gtk-0.7/debian/changelog
--- spice-gtk-0.7/debian/changelog  2011-08-16 06:32:01.0 -0500
+++ spice-gtk-0.7/debian/changelog  2011-08-31 15:31:57.0 -0500
@@ -1,3 +1,10 @@
+spice-gtk (0.7-3) unstable; urgency=low
+
+  * debian/python-spice-client-gtk.install: don't lock into any particular
+assumptions about python version.
+
+ -- Serge Hallyn   Wed, 31 Aug 2011 15:31:25 -0500
+
 spice-gtk (0.7-2) unstable; urgency=low
 
   * Rename snappy to spicy-snapshot (Closes: #637983)
diff -Nru spice-gtk-0.7/debian/python-spice-client-gtk.install 
spice-gtk-0.7/debian/python-spice-client-gtk.install
--- spice-gtk-0.7/debian/python-spice-client-gtk.install2011-08-15 
11:18:30.0 -0500
+++ spice-gtk-0.7/debian/python-spice-client-gtk.install2011-08-31 
15:31:10.0 -0500
@@ -1 +1 @@
-usr/lib/python2.6/dist-packages/SpiceClientGtk.so
+usr/lib/python*/*-packages/SpiceClientGtk.so



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#726127: libnetcf1: The function ipcalc_netmask in netcf had a bug for any netmask > 24

[Serge Hallyn]

Thanks, I've queried upstream, as the fix doesn't appear to be in git
yet.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#726127: found

[Serge Hallyn]

I see now, I didn't look closely enough.  The very bug you linked told
me it's fixed by commit d340f2dfcd6461c9743dccdabe3b610f5fbc8fe8.  I'll
propose a package with that cherrypicked, thanks.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#726127: libnetcf1 netmask calculation

[Serge Hallyn]

Hi,

the bug is certainly valid, and I pushed a debdiff to solve this 
to http://people.canonical.com/~serge/netcf-wheezy.debdiff, however
as the fix is in sid, we will wait for that fix to migrate to
wheezy.

thanks again,
-serge


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#647953: libvirt: Libvirt logrotate files not installed

[Serge Hallyn]

Package: libvirt
Version: 0.9.6-2
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu precise ubuntu-patch


Version: 0.9.6-2

debian/rules tries to copy the logrotate files from $(CURDIR)/daemon/*,
but the files exist in $(CURDIR)/debian/build/daemon/*.

Also, the /var/log/libvirt/qemu (and such) files are created using
libvirt-bin.dirs, but that means that, if they are empty, they are
removed when we apt-get remove libvirt-bin.  The logrotate files are
not, which then raises errors on subsequent logrotate runs.

*** /tmp/tmpwWRd8m
In Ubuntu, the attached patch was applied to achieve the following:

##  REPLACE THIS WITH ACTUAL INFORMATION -
## Please add all necessary information about why the change needed to go in
## Ubuntu, quote policy, spec or any other background material and why it can
## and should be used in Debian too.  If the patch is composed of multiple
## independent pieces, please send them as separate bug reports.
##  REPLACE THIS WITH ACTUAL INFORMATION -


  * Move creation of /var/log/libvirt/{lxc,uml,qemu} dirs from libvirt-bin.dirs
to libvirt-bin.postinst.  Otherwise after a 'apt-get remove libvirt-bin',
that dir will be removed (if empty) but /etc/logrotate.d/libvirtd will 
still try to rotate it and raise errors. (LP: #886770)
  * debian/rules: Fix a bug in the new logic for installing upstream-supplied
logrotate files.  (LP: #887312)


Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers oneiric-updates
  APT policy: (500, 'oneiric-updates'), (500, 'oneiric-security'), (500, 
'oneiric'), (100, 'oneiric-backports')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-12-generic (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru libvirt-0.9.6/debian/changelog libvirt-0.9.6/debian/changelog
diff -Nru libvirt-0.9.6/debian/libvirt-bin.dirs libvirt-0.9.6/debian/libvirt-bin.dirs
--- libvirt-0.9.6/debian/libvirt-bin.dirs	2011-10-17 12:33:24.0 -0500
+++ libvirt-0.9.6/debian/libvirt-bin.dirs	2011-11-07 12:58:46.0 -0600
@@ -10,6 +10,3 @@
 /var/lib/libvirt/sanlock
 /var/cache/libvirt
 /var/cache/libvirt/qemu
-/var/log/libvirt/qemu
-/var/log/libvirt/uml
-/var/log/libvirt/lxc
diff -Nru libvirt-0.9.6/debian/libvirt-bin.postinst libvirt-0.9.6/debian/libvirt-bin.postinst
--- libvirt-0.9.6/debian/libvirt-bin.postinst	2011-10-17 12:34:49.0 -0500
+++ libvirt-0.9.6/debian/libvirt-bin.postinst	2011-11-07 12:58:36.0 -0600
@@ -116,6 +116,10 @@
 apparmor_parser -r "$profile" || true
 fi
 done
+
+	for dir in qemu uml lxc; do
+	mkdir -p /var/log/libvirt/$dir
+	done
 ;;
 
 abort-upgrade|abort-remove|abort-deconfigure)
diff -Nru libvirt-0.9.6/debian/rules libvirt-0.9.6/debian/rules
--- libvirt-0.9.6/debian/rules	2011-10-31 21:29:48.0 -0500
+++ libvirt-0.9.6/debian/rules	2011-11-07 14:56:53.0 -0600
@@ -93,7 +93,7 @@
 	#dh_installinit --name=libvirt-guests --no-restart-on-upgrade -- defaults 29 71
 
 	for l in $(LOGROTATE); do \
-		cp $(CURDIR)/daemon/$$l.logrotate\
+		cp $(CURDIR)/debian/build/daemon/$$l.logrotate \
debian/libvirt-bin.$$l.logrotate; \
 		dh_installlogrotate --name=$$l; \
 	done

Bug#651033: Please build against libnl instead of libnl3

[Serge Hallyn]

On 12/05/2011 01:19 AM, Guido Günther wrote:

Package: libnetcf1
Version: 0.1.9-1
Severity: wishlist

Hi,
libvirt and netcf use libnl not libnl3 upstream. Therefore current
libnetcf can't be used by libvirt in Debian since this leads to symbol
clashes and therefore crashes.
Since using libnl3 instead of libnl doesn't give any advantage and the
current libnl3 patch isn't upstreamable it would be great if libnetcf
would be built against libnl instead of libnl3.
Cheers,
  -- Guido


-- System Information:
Debian Release: wheezy/sid
   APT prefers testing
   APT policy: (990, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.1.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libnetcf1 depends on:
ii  augeas-lenses  0.9.0-1
ii  libaugeas0 0.9.0-1
ii  libc6  2.13-21
ii  libnl3 3.0-2
ii  libxml22.7.8.dfsg-5
ii  libxslt1.1 1.1.26-8

libnetcf1 recommends no packages.

libnetcf1 suggests no packages.

-- no debconf information




Hi,

libvirt in debian actually builds against libnl3.  Would you mind if I 
submit the patch to do so against the debian libvirt package instead?


If you mind, then I'll go ahead and keep netcf built against libnl3 for 
ubuntu and libnl for debian.


thanks,
-serge



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#655310: getty fails when consoles are on devpts

[Serge Hallyn]

Package: util-linux
Version: 2.20.1-1.1

Hi,

lxc guests run getty on /dev/pts/ entries (which are bind mounted onto
/dev/console and /dev/tty{1-4} in the guest).  The latest util-linux
makes some changes (in particular commit
3aa6b68f7e19fa3e1c2bba75bee921a98b7b46af) which cause this to fail, due
to three log_errs() which exit on what are non-fatal errors in this
case.  The recent upstream commit
1593b134ebf596ae7a2b1e73f2dcc8c4e7febddd "agetty: don't use log_err()
for non-fatal errors" fixes two of these.  A third is after a call to
tcsetpgrp.  Both patches are appended here.  With both patches applied,
getty works for me in lxc.

{  patch 1 }
commit 1593b134ebf596ae7a2b1e73f2dcc8c4e7febddd
Author: Karel Zak 
Date:   Thu Dec 8 11:39:05 2011 +0100

agetty: don't use log_err() for non-fatal errors

The TIOCSCTTY ioctl requires that caller is session leader -- so it
depends on initd (or we have to add setsid() to aggety). It seems that the
traditional way is to setup tty in agetty and session in login(1).

It means that all session related things (TIOCSCTTY, vhangup, ...) in the
command agetty should be optional. (Note that vhangup() is called when
--hangup is explicitly specified on command line, so log_err() makes
sense there.)

Reported-by: Andrew Walrond 
Signed-off-by: Karel Zak 

diff --git a/term-utils/agetty.c b/term-utils/agetty.c
index 079a737..3500a8e 100644
--- a/term-utils/agetty.c
+++ b/term-utils/agetty.c
@@ -925,7 +925,7 @@ static void open_tty(char *tty, struct termios *tp, struct 
options *op)
 
if (((tid = tcgetsid(fd)) < 0) || (pid != tid)) {
if (ioctl(fd, TIOCSCTTY, 1) == -1)
-   log_err("/dev/%s: cannot get controlling tty: 
%m", tty);
+   log_warn("/dev/%s: cannot get controlling tty: 
%m", tty);
}
 
if (op->flags & F_HANGUP) {
@@ -950,7 +950,7 @@ static void open_tty(char *tty, struct termios *tp, struct 
options *op)
log_err(_("/dev/%s: cannot open as standard input: 
%m"), tty);
if (((tid = tcgetsid(STDIN_FILENO)) < 0) || (pid != tid)) {
if (ioctl(STDIN_FILENO, TIOCSCTTY, 1) == -1)
-   log_err("/dev/%s: cannot get controlling tty: 
%m", tty);
+   log_warn("/dev/%s: cannot get controlling tty: 
%m", tty);
}
 
} else {
{  patch 2 }
Index: util-linux-2.20.1/term-utils/agetty.c
===
--- util-linux-2.20.1.orig/term-utils/agetty.c  2012-01-10 08:55:42.763054760 
+
+++ util-linux-2.20.1/term-utils/agetty.c   2012-01-10 08:56:36.755053680 
+
@@ -949,7 +949,7 @@
}
 
if (tcsetpgrp(STDIN_FILENO, pid))
-   log_err("/dev/%s: cannot set process group: %m", tty);
+   log_warn("/dev/%s: cannot set process group: %m", tty);
 
/* Get rid of the present outputs. */
close(STDOUT_FILENO);



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#655318: cherrypick upstream patch to fix drawing bugs (and add -dbg pkg)

[Serge Hallyn]

Package: xserver-xorg-video-qxl
Version: 0.0.16-1

Hi,

using certain window managers over spice, we found corrupted
drawables
https://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-qxl/+bug/913314
and xorg segfaults
https://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-qxl/+bug/913311
Cherrypicking upstream commit id c77ba9f217093f946a4c6bf6edf9f34b24844d8d
fixes both.  The following patch does that, as well as adding a -dbg
package (which helped track down the needed patch).

(it also updates the maintainer which you obviously do not want for
the debian package, sorry about that.)

thanks,
-serge

= Debdiff: =
diff -Nru xserver-xorg-video-qxl-0.0.16/debian/changelog 
xserver-xorg-video-qxl-0.0.16/debian/changelog
--- xserver-xorg-video-qxl-0.0.16/debian/changelog  2011-11-12 
00:16:28.0 +0100
+++ xserver-xorg-video-qxl-0.0.16/debian/changelog  2012-01-10 
11:34:59.0 +0100
@@ -1,3 +1,15 @@
+xserver-xorg-video-qxl (0.0.16-1ubuntu2) precise; urgency=low
+
+  * add translate-the-access-region.patch.
+
+ -- Serge Hallyn   Tue, 10 Jan 2012 11:34:13 +0100
+
+xserver-xorg-video-qxl (0.0.16-1ubuntu1) precise; urgency=low
+
+  * Add a debug package.
+
+ -- Serge Hallyn   Tue, 10 Jan 2012 11:28:58 +0100
+
 xserver-xorg-video-qxl (0.0.16-1) unstable; urgency=low
 
   [ Liang Guo ]
diff -Nru xserver-xorg-video-qxl-0.0.16/debian/control 
xserver-xorg-video-qxl-0.0.16/debian/control
--- xserver-xorg-video-qxl-0.0.16/debian/control2011-09-17 
15:45:28.0 +0200
+++ xserver-xorg-video-qxl-0.0.16/debian/control2012-01-10 
11:29:21.0 +0100
@@ -1,7 +1,8 @@
 Source: xserver-xorg-video-qxl
 Section: x11
 Priority: optional
-Maintainer: Debian X Strike Force 
+Maintainer: Ubuntu Developers 
+XSBC-Original-Maintainer: Debian X Strike Force 
 Uploaders: Liang Guo , Cyril Brulebois 

 Build-Depends:
  debhelper (>= 8),
@@ -39,3 +40,17 @@
  http://www.X.org>
  .
  This package is built from the X.org xf86-video-qxl driver module.
+
+Package: xserver-xorg-video-qxl-dbg
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, xserver-xorg-video-qxl (= 
${binary:Version})
+Section: debug
+Description: X.Org X server -- QXL display driver
+ This package provides the driver for QXL video device, i.e. if Linux is 
+ running inside a RedHat Enterprise Virtualization (RHEV) environment, or
+ other SPICE-compatible KVM/Qemu emulator. 
+ .
+ More information about X.Org can be found at:
+ http://www.X.org>
+ .
+ This package contains the debugging symbols
diff -Nru xserver-xorg-video-qxl-0.0.16/debian/patches/series 
xserver-xorg-video-qxl-0.0.16/debian/patches/series
--- xserver-xorg-video-qxl-0.0.16/debian/patches/series 1970-01-01 
01:00:00.0 +0100
+++ xserver-xorg-video-qxl-0.0.16/debian/patches/series 2012-01-10 
11:34:09.0 +0100
@@ -0,0 +1 @@
+translate-the-access-region.patch
diff -Nru 
xserver-xorg-video-qxl-0.0.16/debian/patches/translate-the-access-region.patch 
xserver-xorg-video-qxl-0.0.16/debian/patches/translate-the-access-region.patch
--- 
xserver-xorg-video-qxl-0.0.16/debian/patches/translate-the-access-region.patch  
1970-01-01 01:00:00.0 +0100
+++ 
xserver-xorg-video-qxl-0.0.16/debian/patches/translate-the-access-region.patch  
2012-01-10 11:34:00.0 +0100
@@ -0,0 +1,48 @@
+commit c77ba9f217093f946a4c6bf6edf9f34b24844d8d
+Author: Søren Sandmann 
+Date:   Fri Oct 28 12:56:30 2011 -0400
+
+Translate the access region according to the drawable offset.
+
+The driver code expects to be given coordinates relative to the
+offscreen pixmap.
+
+diff --git a/src/uxa/uxa.c b/src/uxa/uxa.c
+index 83e06cc..9d02e34 100644
+--- a/src/uxa/uxa.c
 b/src/uxa/uxa.c
+@@ -143,19 +143,19 @@ Bool uxa_prepare_access(DrawablePtr pDrawable, RegionPtr 
region, uxa_access_t ac
+ {
+   ScreenPtr pScreen = pDrawable->pScreen;
+   uxa_screen_t *uxa_screen = uxa_get_screen(pScreen);
+-  PixmapPtr pPixmap = uxa_get_drawable_pixmap(pDrawable);
+-  Bool offscreen = uxa_pixmap_is_offscreen(pPixmap);
++  int xoff, yoff;
++  PixmapPtr pPixmap = uxa_get_offscreen_pixmap(pDrawable, &xoff, &yoff);
+   BoxRec box;
+   RegionRec region_rec;
+   Bool result;
+ 
+-  if (!offscreen)
++  if (!pPixmap)
+   return TRUE;
+ 
+   box.x1 = 0;
+   box.y1 = 0;
+-  box.x2 = pPixmap->drawable.width;
+-  box.y2 = pPixmap->drawable.height;
++  box.x2 = pDrawable->width;
++  box.y2 = pDrawable->height;
+   
+   REGION_INIT (pScreen, ®ion_rec, &box, 1);
+   if (!region)
+@@ -168,7 +168,8 @@ Bool uxa_prepare_access(DrawablePtr pDrawable, RegionPtr 
region, uxa_access_t ac
+*/
+   REGION_INTERSECT (pScreen, region, region, ®ion_rec);
+ #endif
+-  
++  REGION_TRANSLATE (pScreen, region, xoff, yoff);
++
+   result = TRUE;
+ 
+   if (uxa_scr

Bug#652823: add ncftool.1 manpage

[Serge Hallyn]

Package: netcf
Version: 0.1.9-2

I've sent the following manpage upstream for comments.  Depending
on the feedback, add it to the netcf package.

.TH NCFTOOL 1 "December 20, 2011"
.SH NAME
ncftool \- Network configuration tool
.SH SYNOPSIS
.B ncftool [options]
.SH DESCRIPTION
ncftool is a command line utility to configure networking.
.SH OPTIONS
.TP
.B list [\-\-macs] [\-\-all] [\-\-inactive]
List the currently configured toplevel network interfaces

.br
.BR [\-\-macs]
show MAC addresses
.br
.BR [\-\-all]
show all (up & down) interfaces
.br
.BR [\-\-inactive]
show only inactive (down) interfaces
.TP
.B dumpxml [\-\-mac] [\-\-live] 
Dump the XML description of an interface

.br
.BR [\-\-mac]
interpret the name as MAC address
.br
.BR [\-\-life]
include information about the live interface
.br
.BR 
the name of the interface
.TP
.B define 
Define - define an interface from an XML file

.br
.BR 
file containing the XML description of the interface
.TP
.B undefine 
Remove the configuration of an interface

.br
.BR 
the name of the interface
.TP
.B ifup 
Bring up an interface

.br
.BR 
the name of the interface
.TP
.B ifdown 
Bring down an interface

.br
.BR 
the name of the interface
.TP
.B change-begin
Mark the beginning of a set of revertible network config changes
.TP
.B change-commit
Commit (makes permanent) of a set of network config changes
.TP
.B change-rollback
Rollback (revert) a set of network config changes
.TP
.B help []
List all commands or print details about one command

.br
.BR 
If specified, list help about the listed command.  Otherwise list all commands.
.TP
.B quit
Exit the program
.TP
.SH SEE ALSO
.BR interfaces (5)
.SH AUTHOR
Serge Hallyn 



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#674178: /dev/shm is not set up right in chroot

[Serge Hallyn]

Quoting Roger Leigh (rle...@codelibre.net):
> On Wed, May 23, 2012 at 12:02:15PM -0500, Serge Hallyn wrote:
> > Quoting Roger Leigh (rle...@codelibre.net):
> > > On Wed, May 23, 2012 at 10:47:26AM -0500, Serge Hallyn wrote:
> > > > Package: sysvinit
> > > > Version: 2.88dsf-24
> > > > 
> > > > If you do:
> > > > 
> > > > debootstrap sid sid
> > > > chroot sid dpkg -i /var/cache/apt/acrchives/initscripts*.deb
> > > > 
> > > > you will be left with a mount on sid/run/shm
> > > > 
> > > > The related Ubuntu bug is 
> > > > https://bugs.launchpad.net/launchpad/+bug/974584 .
> > > > 
> > > > A debdiff proposed (but not yet pushed) to fix this in Ubuntu follows.
> > > 
> > > Could you possibly try with -25 (in experimental).  I fixed a bug with
> > 
> > I'm only seeing -24 right now, will re-check in a bit.
> > 
> > (http://packages.debian.org/experimental/sysvinit)
> 
> Hmm, looks like the upload went wrong last night; it was not accepted
> for some reason.  I've reuploaded--it's definitely passed through the
> upload queue.  In the meantime, you can also get the packages here:
> http://people.debian.org/~rleigh
> (It's now also in incoming, 
> http://incoming.debian.org/sysvinit_2.88dsf-25.dsc)

Thanks.  That one did NOT result in a leftover mount on $chroot/run/shm,
however i got:

Installing new version of config file /etc/default/rcS ...
Installing new version of config file /etc/default/tmpfs ...
Installing new version of config file /etc/network/if-up.d/mountnfs ...
dpkg: error processing initscripts (--install):
subprocess installed post-installation script returned error exit status 1
dpkg: dependency problems prevent configuration of sysvinit:
sysvinit depends on initscripts (>= 2.88dsf-13.3); however:
Package initscripts is not configured yet.
dpkg: error processing sysvinit (--install):
dependency problems - leaving unconfigured
Errors were encountered while processing:
initscripts
sysvinit

More importantly (this is the root of the problem I started looking into for
containers) it leaves the /dev/shm directory.  Since a chroot doesn't usually
have a separate /dev, that means that on the next entering of the chroot (or
startup of the container) you'll have the devshm tmpfs mounted at /run/shm,
and an empty separate directory at /dev/shm.

> > > /run/shm handling last night, though it was related to size
> > > determination rather than chroot handling it's not impossible that it's
> > > related.
> > > 
> > > WRT the patch, if ischroot is behaving incorrectly, then the ischroot
> > > utility needs updating.
> > 
> > Ok - as I said in the Ubuntu bug I do suspect we don't want that part
> > in there.  I'm not sure whether 'chroot dpkg -i *.deb' without
> > mounting /proc is meant to be supported.
> 
> In practice, /proc is required.  There's too much that needs it; just
> look at the usage in maintainer scripts--they rely in it without
> checking for its presence.
> 
> The mounting and unmounting of /proc is a good workaround, and it's
> something that the ischroot tool /might/ be best doing, especially
> since it's relying on it being present.  However, whether this
> should be done basically depends on whether using a chroot without
> /proc being mounted is supported.  I would think "no" is the answer,
> to be honest.  IIRC debootstrap mounts /proc automatically, and all
> the chroot usage on Debian e.g. build and user chroots either have
> /proc mounted in fstab, or use schroot to set up the chroot
> automatically.

Ok, I'm happy to drop that - all I *really* wanted was for debootstrap
to work, and as you say it mounts /proc.

-serge



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#674178: /dev/shm is not set up right in chroot

[Serge Hallyn]

Quoting Roger Leigh (rle...@codelibre.net):
> > > Hmm, looks like the upload went wrong last night; it was not accepted
> > > for some reason.  I've reuploaded--it's definitely passed through the
> > > upload queue.  In the meantime, you can also get the packages here:
> > > http://people.debian.org/~rleigh
> > > (It's now also in incoming, 
> > > http://incoming.debian.org/sysvinit_2.88dsf-25.dsc)
> > 
> > Thanks.  That one did NOT result in a leftover mount on $chroot/run/shm,
> > however i got:
> > 
> > Installing new version of config file /etc/default/rcS ...
> > Installing new version of config file /etc/default/tmpfs ...
> > Installing new version of config file /etc/network/if-up.d/mountnfs ...
> > dpkg: error processing initscripts (--install):
> > subprocess installed post-installation script returned error exit status 1
> > dpkg: dependency problems prevent configuration of sysvinit:
> > sysvinit depends on initscripts (>= 2.88dsf-13.3); however:
> > Package initscripts is not configured yet.
> > dpkg: error processing sysvinit (--install):
> > dependency problems - leaving unconfigured
> > Errors were encountered while processing:
> > initscripts
> > sysvinit
> 
> What went wrong with the initscripts postinst configure?  Would it
> be possible to find out where the failure occurred?

Oh, I'm not sure what happened - the sid version didn't do it.  Sure, I
can dig into exactly what happened.  (It takes about an hour every time
to set up the victim VM, I may not get to it until monday)

> > More importantly (this is the root of the problem I started looking into for
> > containers) it leaves the /dev/shm directory.  Since a chroot doesn't 
> > usually
> > have a separate /dev, that means that on the next entering of the chroot (or
> > startup of the container) you'll have the devshm tmpfs mounted at /run/shm,
> > and an empty separate directory at /dev/shm.
> 
> I think this is deliberate.  We're a bit stuck here.  Consider that
> it's quite common to bind mount the host /dev into the chroot; mucking

Oh dear.  So then possible scenarios include:

1. simple old host upgrading:  /run/shm doesn't exist, /dev/shm is a mounted 
dir.

2. new host upgrading without having rebooted after (1): /run/shm is mounted 
dir, /dev/shm is bind mount of /run/shm.

3. new host upgrading: /run/shm is mounted dir, /dev/shm is symlink.

4. old chroot on old host upgrading with bind mounted /dev:  /run/shm doesn't 
yet exist, /dev/shm is mounted dir

5. new chroot on old host upgrading with bind mounted /dev:  /run/shm exists, 
/dev/shm is separate mounted dir

and more...

But,

> around deleting this directory could seriously break the host system.
>
> IIRC this is a deliberate choice.  I'm not sure it's the right choice
> for newly bootstrapped or installed systems though--we should be
> creating a symlink in this case, and I'll be happy to change that
> logic if possible, but for upgrades of chroots it's really not a good
> plan.

Ok, so how about the following:  the block of code which now reads:

=
if ischroot; then
# Symlink /var/run from /run
# Note var/run is relative
if compat_link /var/run /run; then
# Symlink /var/lock from /run/lock
# Note that it's really /var/run/lock
compat_link /var/lock /run/lock

# Symlink /dev/shm from /run/shm
# Note that it's really /var/run/shm
compat_link /dev/shm /run/shm
fi
# Host system, not a chroot.
else
=

First, note that during debootstrap, at 'compat_link /var/run /run'
/run and /run/lock already exist.  So how about if we create /run/shm
(if it doesn't yet exist), and symlink /dev/shm from /run/shm only
if /dev/shm doesn't yet exist?  We don't change the !isroot case.
So it would look like:

=
if ischroot; then
# Symlink /var/run from /run
# Note var/run is relative
if compat_link /var/run /run; then
# Symlink /var/lock from /run/lock
# Note that it's really /var/run/lock
compat_link /var/lock /run/lock

# Symlink /dev/shm from /run/shm
# Note that it's really /var/run/shm
[ ! -d /run/shm ] && mkdir /run/shm
if [ ! mountpoint -q /dev ]; then
[ ! -d /dev/shm ] && compat_link /run/shm /dev/shm
else
compat_link /dev/shm /run/shm
fi
fi
# Host system, not a chroot.
else
=

So if the chroot has /dev/ bind-mounted from the host, assume they
always will, and will want /run/shm as a symlink to /dev/shm.

Otherwise if /dev/shm exists, leave it alone, because we're definately
not in debootstrap.

Otherwise, assume /dev and /run won't get cleaned up at 'shutdown'
(chroot exit) so set up *exactly* what we want to see as the en

Bug#674178: /dev/shm is not set up right in chroot

[Serge Hallyn]

Here is a debdiff showing the change I was suggesting.  It works under
debootstrap.  The !ischroot case is unchanged, as is the case under
chroot where /dev is a mounpoint.

diff -u sysvinit-2.88dsf/debian/changelog sysvinit-2.88dsf/debian/changelog
--- sysvinit-2.88dsf/debian/changelog
+++ sysvinit-2.88dsf/debian/changelog
@@ -1,3 +1,12 @@
+sysvinit (2.88dsf-13.10ubuntu12) quantal; urgency=low
+
+  * initscripts.postinst: if /dev is not a separate partition and we're in a
+chroot, then create /run/shm and make /dev/shm a symbolic link to it, as
+we would expect to find in a upgraded and rebooted running system.
+(LP: #974584) (Closes: #674178)
+
+ -- Serge Hallyn   Wed, 30 May 2012 12:17:37 -0500
+
 sysvinit (2.88dsf-13.10ubuntu11) precise; urgency=low
 
   * Only try to move links in /etc/rc{0,6}.d that match "S0*".  LP: #941867.
diff -u sysvinit-2.88dsf/debian/initscripts.postinst 
sysvinit-2.88dsf/debian/initscripts.postinst
--- sysvinit-2.88dsf/debian/initscripts.postinst
+++ sysvinit-2.88dsf/debian/initscripts.postinst
@@ -255,7 +255,12 @@
 
# Symlink /dev/shm from /run/shm
# Note that it's really /var/run/shm
-   compat_link /dev/shm /run/shm
+if ! mountpoint -q /dev ; then
+[ ! -d /run/shm ] && mkdir -p /run/shm
+[ ! -d /dev/shm ] && compat_link /run/shm /dev/shm
+else
+compat_link /dev/shm /run/shm
+fi
fi
 # Host system, not a chroot.
 else



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#673041: dialog: rename button does not work with -nook

[Serge Hallyn]

Package: dialog
Version: 1.1-20120215-1
Severity: important
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch

Dear Maintainer,

If I do

dialog --clear --nook --inputmenu "a" 20 50 10 "Username:" "a"

then the rename button does not work - it exits immediately rather than
letting me rename the field contents.  With the following patch, thanks
to Lebedev Vadim, it is fixed.

*** /tmp/tmpGdzkvU/bug_body
In Ubuntu, the attached patch was applied to achieve the following:

  [ Lebedev Vadim ]
  * debian/patches/bug_fix_333909: fix -rename and -nook button together.
(LP: #333909)

Thanks for considering the patch.

diff -Nru dialog-1.1-20120215/debian/patches/bug_fix_333909 
dialog-1.1-20120215/debian/patches/bug_fix_333909
--- dialog-1.1-20120215/debian/patches/bug_fix_333909   1969-12-31 
18:00:00.0 -0600
+++ dialog-1.1-20120215/debian/patches/bug_fix_333909   2012-05-15 
11:41:24.0 -0500
@@ -0,0 +1,20 @@
+Description: correct mapping of button-codes with --nook option
+Author: Lebedev Vadim 
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/dialog/+bug/333909
+Reviewed-By: Serge Hallyn 
+Last-Update: <15-05-2012>
+
+--- dialog-1.1-20111020.orig/menubox.c
 dialog-1.1-20111020/menubox.c
+@@ -686,7 +686,10 @@ dlg_menu(const char *title,
+FALSE, width);
+   break;
+   case DLGK_ENTER:
+-  result = dlg_enter_buttoncode(button);
++if (is_inputmenu)
++   result = dlg_ok_buttoncode(button);
++else
++   result = dlg_enter_buttoncode(button);
+ 
+   /*
+* If dlg_menu() is called from dialog_menu(), we want to
diff -Nru dialog-1.1-20120215/debian/patches/series 
dialog-1.1-20120215/debian/patches/series
--- dialog-1.1-20120215/debian/patches/series   1969-12-31 18:00:00.0 
-0600
+++ dialog-1.1-20120215/debian/patches/series   2012-05-15 11:41:03.0 
-0500
@@ -0,0 +1 @@
+bug_fix_333909



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#668186: Hang with unaccelerated qemu

[Serge Hallyn]

Package: qemu-kvm
Version: 1.0+dfsg-9

wget http://people.canonical.com/~jamie/libvirt/qatest.tar.bz2
tar jxf qatest.tar.bzw
cd qatest
kvm -no-kvm -m 128 -monitor stdio -vnc :0 -vga cirrus -usb -drive 
file=qatest.img,if=none,id=drive-ide0-0-0,format=raw -device 
ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1

wait a minute, type into the monitor.  It will be frozen.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#668186: Acknowledgement (Hang with unaccelerated qemu)

[Serge Hallyn]

Sorry, meant to say the original Ubuntu bug report is at
https://bugs.launchpad.net/debian/+source/qemu-kvm/+bug/975240

A git bisect of upstream showed ce967e2f33861b0e17753f97fa4527b5943c94b6
to be the fix, but it's not simple to cherrypick.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#674178: /dev/shm is not set up right in chroot

[Serge Hallyn]

Package: sysvinit
Version: 2.88dsf-24

If you do:

debootstrap sid sid
chroot sid dpkg -i /var/cache/apt/acrchives/initscripts*.deb

you will be left with a mount on sid/run/shm

The related Ubuntu bug is https://bugs.launchpad.net/launchpad/+bug/974584 .

A debdiff proposed (but not yet pushed) to fix this in Ubuntu follows.

thanks,
-serge

diff -u sysvinit-2.88dsf/debian/changelog sysvinit-2.88dsf/debian/changelog
--- sysvinit-2.88dsf/debian/changelog
+++ sysvinit-2.88dsf/debian/changelog
@@ -1,3 +1,13 @@
+sysvinit (2.88dsf-13.10ubuntu12) quantal; urgency=low
+
+  * debian/initscripts.postinst:  (LP: #974584)
+- mkdir /run/shm if it doesn't exist in a chroot
+- fix order of compat_link arguments for /run transition.  we want the
+  symlink INTO /run.  The reason the /run/lock symlink seemed to be created
+  correctly is that it has already been created by someone else.
+
+ -- Serge Hallyn   Fri, 18 May 2012 21:21:29 +
+
 sysvinit (2.88dsf-13.10ubuntu11) precise; urgency=low
 
   * Only try to move links in /etc/rc{0,6}.d that match "S0*".  LP: #941867.
diff -u sysvinit-2.88dsf/debian/initscripts.postinst 
sysvinit-2.88dsf/debian/initscripts.postinst
--- sysvinit-2.88dsf/debian/initscripts.postinst
+++ sysvinit-2.88dsf/debian/initscripts.postinst
@@ -18,6 +18,23 @@
 
 umask 022
 
+# ischroot fails if /proc is not mounted - which it won't be with
+# debootstrap.
+myischroot ()
+{
+local ret=0
+local mounted=0
+if [ ! -d /proc/1 ]; then
+mounted=1
+# failure to mount /proc, return 2 as ischroot would for nonroot
+mount -t proc proc /proc || return 2
+fi
+ischroot
+ret=$?
+[ $mounted -eq 1 ] && umount /proc
+return $ret
+}
+
 # If the device/inode are the same, a bind mount already exists or the
 # transition is complete, so set up is not required.  Otherwise bind
 # mount $SRC on $DEST.
@@ -245,17 +262,18 @@
 # sysadmin should, if they care, move the old locations to the new
 # locations and create compatibilty symlinks at their convenience
 # following the upgrade.
-if ischroot; then
+if myischroot; then
# Symlink /var/run from /run
 # Note var/run is relative
if compat_link /var/run /run; then
# Symlink /var/lock from /run/lock
# Note that it's really /var/run/lock
-   compat_link /var/lock /run/lock
+   compat_link /run/lock /var/lock
 
+   mkdir -p /run/shm
# Symlink /dev/shm from /run/shm
# Note that it's really /var/run/shm
-   compat_link /dev/shm /run/shm
+   compat_link /run/shm /dev/shm
fi
 # Host system, not a chroot.
 else



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#674178: /dev/shm is not set up right in chroot

[Serge Hallyn]

Quoting Roger Leigh (rle...@codelibre.net):
> On Wed, May 23, 2012 at 10:47:26AM -0500, Serge Hallyn wrote:
> > Package: sysvinit
> > Version: 2.88dsf-24
> > 
> > If you do:
> > 
> > debootstrap sid sid
> > chroot sid dpkg -i /var/cache/apt/acrchives/initscripts*.deb
> > 
> > you will be left with a mount on sid/run/shm
> > 
> > The related Ubuntu bug is https://bugs.launchpad.net/launchpad/+bug/974584 .
> > 
> > A debdiff proposed (but not yet pushed) to fix this in Ubuntu follows.
> 
> Could you possibly try with -25 (in experimental).  I fixed a bug with

I'm only seeing -24 right now, will re-check in a bit.

(http://packages.debian.org/experimental/sysvinit)

> /run/shm handling last night, though it was related to size
> determination rather than chroot handling it's not impossible that it's
> related.
> 
> WRT the patch, if ischroot is behaving incorrectly, then the ischroot
> utility needs updating.

Ok - as I said in the Ubuntu bug I do suspect we don't want that part
in there.  I'm not sure whether 'chroot dpkg -i *.deb' without
mounting /proc is meant to be supported.

> Working around this in an individual package
> is incorrect, unless there's a non-obvious reason I missed in this
> specific case.

No specific reason.

> Given that /run/shm should be handled identically to /run, and
> /run/lock, I think it's more important to work out why it's
> behaving differently than the other two.  I assume that the other
> two are not being mounted?

Correct.  Only /run/shm.

I'll try -25 when I see it, thanks.

-serge



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#677124: lxc-netstat broken in debian

[Serge Hallyn]

Package: lxc
Version: 0.8.0~rc1-4

Hi,

the debian-specific patch to lxc-netstat (07-lxc-netstat.patch)
has two errors breaking it:  it tells getopt that --exec takes a
required argument, and it assigns the container name which used
to be $name to $lxc_name, but continues to use it as $name.

The patch below was applied in ubuntu to fix it.

Description: Fix two errors in lxc-netstat
 s/lxc_name/name/
 --exec does not require an argument
Author: Serge Hallyn 
Forwarded: yes
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1011739

Index: lxc-0.8.0~rc1/src/lxc/lxc-netstat.in
===
--- lxc-0.8.0~rc1.orig/src/lxc/lxc-netstat.in   2012-06-11 17:34:27.0 
+
+++ lxc-0.8.0~rc1/src/lxc/lxc-netstat.in2012-06-11 17:50:31.774178554 
+
@@ -19,7 +19,7 @@
 }
 
 shortoptions='hn:'
-longoptions='help,name:,exec:'
+longoptions='help,name:,exec'
 
 getopt=$(getopt -o $shortoptions --longoptions  $longoptions -- "$@")
 if [ $? != 0 ]; then
@@ -39,7 +39,7 @@
;;
-n|--name)
shift
-   lxc_name=$1
+   name=$1
shift
;;
--exec)



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#795328: Thank you

[Serge Hallyn]

Sorry I somehow didn't see this bug when it first came by.  There is an
upstream fix for it which I'll push asap.

Bug#824391: [Pkg-shadow-devel] Bug#824391: please add ttySAC* to securetty

[Serge Hallyn]

Seems reasonable to me.

Bug#824519: [pkg-lxc-devel] Bug#824519: lxc: After CPU hotplug, cores remain idle under LXC

[Serge Hallyn]

Yup, this is a known shortcoming of cpusets in the legacy hierarchy.  If you
use the unified hierarchy, the cores can be automatically re-inserted when
they come back up, however the unified hierarchy brings other problems which
we're not entirely ready to deal with yet.

For now, if you do a lot of hotplugging, you'll either need to not use
the cpuset controller (use lxc.cgroup.use to control this), or you can
use an external daemon to continually re-balance the containers among
cpus, as lxd does.

Bug#806004: cgmanager: FTBFS when built with dpkg-buildpackage -A (No such file or directory)

[Serge Hallyn]

Quoting Santiago Vila (sanv...@unex.es):
> > cp: cannot create regular file 
> > '/<>/debian/libpam-cgm/usr/share/pam-configs/cgm': No such 
> > file or directory
> > debian/rules:25: recipe for target 'override_dh_install' failed
> 
> This happens because we are creating only arch-independent packages,
> so debian/libpam-cgm does not exist, as it belongs to libpam-cgm
> which is Arch: any.
> 
> 
> The attached patch might fix this problem, as it renames current
> override_dh_install to override_dh_auto_install (where file moving in
> debian/tmp is better placed), but moves commands for the libpam-cgm
> package to a new target called override_dh_install-arch, which will
> only work when creating arch-dependent packages.

Thanks, it looks good to me, and everything builds right with it.
Would you like to do an NMU with this patch?

> Thanks.

> --- a/debian/rules
> +++ b/debian/rules
> @@ -21,18 +21,21 @@ override_dh_auto_configure:
>  override_dh_makeshlibs:
>   dh_makeshlibs -- -c4
>  
> -override_dh_install:
> +override_dh_auto_install:
> + dh_auto_install
>   mkdir -p $(CURDIR)/debian/tmp/lib/$(DEB_HOST_MULTIARCH)
>   mv $(CURDIR)/debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libcgmanager.so.* 
> \
>   $(CURDIR)/debian/tmp/lib/$(DEB_HOST_MULTIARCH)/
> - cp $(CURDIR)/debian/pam-cgm.config \
> - $(CURDIR)/debian/libpam-cgm/usr/share/pam-configs/cgm
>   for i in 
> $(CURDIR)/debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libcgmanager.so ; do \
>   dest=$$(readlink $$i) ; \
>   rm -f $$i ; \
>   ln -s /lib/$(DEB_HOST_MULTIARCH)/$$dest $$i ; \
>   done
> +
> +override_dh_install-arch:
>   dh_install
> + cp $(CURDIR)/debian/pam-cgm.config \
> + $(CURDIR)/debian/libpam-cgm/usr/share/pam-configs/cgm
>  
>  override_dh_installinit:
>   dh_systemd_enable -pcgmanager --name=cgmanager

Bug#754910: ITP: cgmanager

[Serge Hallyn]

Package: wnpp
Version: N/A; reported 2014-07-15
Severity: wishlist
Owner: Serge Hallyn 

Package name: cgmanager
Version: 0.27
Upstream author: cgmanager 
License: GPL-2, LGPL-2.1+
Programming Lang: C
URL: http://cgmanager.linuxcontainers.org/
Description: Central cgroup manager daemon
 cgmanager provides a central cgroup manager daemon and a
 per-namespace manager proxy, allowing users and programs
 to administrate cgroups through D-Bus requests.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#754910: cgmanager: two different maintainers

[Serge Hallyn]

> Serge and I can work out later on how to collaborate on cgmanager
> packaging in Debian.

Note that the newer version is needed by systemd-shim to allow
non-systemd users to use logind.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#754910: cgmanager_0.20-1_amd64.changes REJECTED

[Serge Hallyn]

> My experience with upstream trying to do Debian packaging isn't great.
> Often, they only care about a single package, know it's upstream source,
> but don't perform well on the packaging side. I don't think what you've
> wrote above is a good point of argumentation.

Uh, thanks.

Anyway, I'll be posting a new 0.28 release later today, based upon which
Daniel will post a new package, with himself listed as maintainer.  We'll
proceed from there.

thanks,
-serge


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#755990: cgmanager: fails to start cgmanager and reports [ ok ]

[Serge Hallyn]

Thanks!  Cgmanager was not expecting

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534964

It'll need to handle the case where the memory cgroup is not mountable.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#754910: cgmanager_0.20-1_amd64.changes REJECTED

[Serge Hallyn]

Quoting Daniel Baumann (daniel.baum...@progress-technologies.net):
> Serge Hallyn 
> > Anyway, I'll be posting a new 0.28 release later today, based upon
> > which Daniel will post a new package, with himself listed as
> > maintainer.  We'll proceed from there.
> 
> seems these words are not worth anything.

According to my logs it was last wednesday (in your evening) that you said you
would push the package.  I expected it to be pushed on Friday.  I pinged
you again on monday or tuesday, you only said it would come soon.  Meanwhile
people running non-systemd experimental systems were blocked.

> instead, Serge uploaded a new version (through Steve) yesterday, and
> ftp-master (eventhough being kept in the loop on all mails in
> #754910) just happily accepted that right away.
> 
> i spend quite some time on this package, all in vain. hope at least
> you're happy with the way you treat people, because i'm not.

I didn't want to push it, but felt I had no choice.  There was no
*technical* reason not to - there were fewer problems with my package,
and even when I asked you in irc for any advantage of your package over
mine, you listed none.  You want to maintain this package, but it
seems clear you don't have the time to do it justice - so why?


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#755990: cgmanager: fails to start cgmanager and reports [ ok ]

[Serge Hallyn]

Right, the fallout however is that we have memory in /proc/cgroups, but
you cannot mount the memory cgroup without telling the kernel to allow
that by for instance adding

GRUB_CMDLINE_LINUX="cgroup_enable=memory" 

to /etc/default/grub.

My plan is to have cgmanager ignore failure to mount cgroups which are
not premounted.  (I have a working patch;  unfortunately since my
testcases mostly use the memory cgroup it is harder to test :)


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#754910: cgmanager_0.20-1_amd64.changes REJECTED

[Serge Hallyn]

Quoting Thomas Goirand (z...@debian.org):
> Then, reading #754910, it looked like Serge was about to work with
> Daniel, but finally, didn't. No sign of this change in #754910, which is
> at least surprising. It's also very surprising to see the package just

As Daniel said we had an agreement.  He was going to push the package.  He
failed to do that, causing over a week's delay in straightening out the
non-systemd-upgrade mess.  But instead of dropping in on that thread and
apologizing, he's complaining here.

I have enough to do that when I can delegate something to someone else I'm
happy and thankful to them.  Last week I was hoping that would be the
situation here.  Alas.

-serge


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#754910: cgmanager_0.20-1_amd64.changes REJECTED

[Serge Hallyn]

Quoting Martin Steigerwald (mar...@lichtvoll.de):
> Am Freitag, 25. Juli 2014, 18:23:38 schrieb Serge Hallyn:
> > Quoting Thomas Goirand (z...@debian.org):
> > > Then, reading #754910, it looked like Serge was about to work with
> > > Daniel, but finally, didn't. No sign of this change in #754910, which is
> > > at least surprising. It's also very surprising to see the package just
> > 
> > As Daniel said we had an agreement.  He was going to push the package.  He
> > failed to do that, causing over a week's delay in straightening out the
> > non-systemd-upgrade mess.  But instead of dropping in on that thread and
> > apologizing, he's complaining here.
> 
> My experience is that is usually does not work expecting someone else to 
> apologize, before having apologized oneself for the part of the behavior that 
> contributed to the undesirable outcome.
> 
> > I have enough to do that when I can delegate something to someone else I'm
> > happy and thankful to them.  Last week I was hoping that would be the
> > situation here.  Alas.
> 
> Please talk to one another assuming everyone had good intentions.
> 
> Daniel who maintains a ton of packages started to orphan them (see debian-
> devel-changes). 
> 
> I bet thats not the intended outcome.
> 
> To me this conflict does not appear to be unsolvable. Please try to resolve 
> it.
> 
> A good step would be if one side starts to say "I am sorry" for some of their 
> behavior that could have been rude. Usually both sides have their share in a 
> conflict.

I *am* sorry that some of dba's time was likely wasted, especially since
it's obvious he has a shortage of it, maintaining quite a few packages.
For the same reason I fail to see how having one less package to
maintain could be anything but a relief.

The bug messages on orphan bugs say something along the lines of "not worth
it".  If you're purely maintaining those packages to help out, and you feel
it is a strain time-wise, then how could not having to maintain another
package make you feel it's "not worth it".


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#756072: Failed mounting memory onto /run/cgmanager/fs/memory: No such file or directory

[Serge Hallyn]

Hi - this was a warning, however does cgmanager actually run now?

I can remove the warning if that's preferable, but if cgmanager is not
starting then something worse is going on.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#756080: probably harmless

[Serge Hallyn]

Hi,

thanks for filing this bug report.  It's probably harmless, but I'm not 100%
sure of that, so will leave the report open for investigation.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#756076: needs implementation in systemd-shim

[Serge Hallyn]

Thanks, indeed this needs to be implemented, and assuming noone beats me to
it I intend to do so.

reassign 756076 systemd-shim


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#787502: [Pkg-shadow-devel] Bug#787502: uidmap: newgidmap man page synopsis wrong

[Serge Hallyn]

Thanks - I've fixed that in the upstream git tree.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#760281: Not fixed

[Serge Hallyn]

Quoting Andrew Shadura (and...@shadura.me):
> Hello,
> 
> On Wed, 10 Dec 2014 20:43:57 -0600 John Goerzen 
> wrote:
> > I have a Jessie system running XFCE, just dist-upgraded yet again
> > today, and I'm still seeing this same issue.  I am willing to do
> > whatever I can to help.  systemd-shim is installed and I am booting
> > with sysvinit.
> 
> I have installed XFCE as the second DE yesterday and also bumped into
> this issue.

Indeed, the jessie version is frozen so this is not fixed there.  With
the sid version it should be fixed.  Please do let me know if you have
this issue with 0.35-1.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#760281: Not fixed

[Serge Hallyn]

Quoting Andrew Shadura (and...@shadura.me):
> Well, I'm running sid. It could happen that a version from testing was
> installed, but I'm not sure. One more question: is by any chance a
> reboot mandatory for this to work? I'd like to avoid that as much as I
> can for various reasons.

No a reboot should not be necessary.  Just to be clear, could you
describe exactly what symptoms you are seeing, and give the version
numbers of cgmanager and systemd-shim?


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#767468: [cgmanager] RE: cgmanager: Prevents clean umounts and breaks unrelated software (autofs, e2fsprogs)

[Serge Hallyn]

Thanks.  Can you show /proc/self/mountinfo?

cgmanager has made it so it can receive umount events from host ns,
but my guess is / in host ns is still private so it doesn't send
them.  So cgmanager will need to umount everything it doesn't need
at startup, or not create a private mount namespace.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#777649: cgmanager security update for jessie

[Serge Hallyn]

Package: release.debian.org
Usertags: jessie-pu

A security issue was found in cgmanager, allowing root-owned privileged
containers to fully administer cgroups on the host.  Two other issues
were found which allow cgmanager to be crashed by unprivileged users.
These have all been fixed in sid. The debdiff below, against the current
jessie package, fixes them for jessie.

debdiff:

diff -Nru cgmanager-0.33/debian/changelog cgmanager-0.33/debian/changelog
--- cgmanager-0.33/debian/changelog 2014-10-13 18:35:43.0 -0500
+++ cgmanager-0.33/debian/changelog 2015-01-26 09:15:49.0 -0600
@@ -1,3 +1,16 @@
+cgmanager (0.33-3) testing; urgency=medium
+
+  * SECURITY UPDATE: Cross-cgroup resource control bypass.
+- debian/patches/0003-make-sure-to-check-cgroup-hierarchy.patch, modify
+  cgmanager.c to verify that requests are allowed under the caller's
+  cgroup.
+- CVE-2014-1425
+  * 0004-chown-stop-cgmanager-crash-on-chown-of-bad-file.patch and
+0005-prevent-some-cgmanager-asserts.patch: prevent cgmanager
+crashing on unhandled asserts or dbus error (LP: #1407787)
+
+ -- Serge Hallyn   Mon, 26 Jan 2015 09:12:02 -0600
+
 cgmanager (0.33-2) unstable; urgency=medium
 
   * Cherrypick two upstream patches to ensure that 'movepid all' continues
diff -Nru 
cgmanager-0.33/debian/patches/0003-make-sure-to-check-cgroup-hierarchy.patch 
cgmanager-0.33/debian/patches/0003-make-sure-to-check-cgroup-hierarchy.patch
--- 
cgmanager-0.33/debian/patches/0003-make-sure-to-check-cgroup-hierarchy.patch
1969-12-31 18:00:00.0 -0600
+++ 
cgmanager-0.33/debian/patches/0003-make-sure-to-check-cgroup-hierarchy.patch
2015-01-26 09:15:58.0 -0600
@@ -0,0 +1,201 @@
+From 6267916d4ea939794e0583cd8b08bd0b9594a6e2 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn 
+Date: Wed, 26 Nov 2014 01:00:10 -0600
+Subject: [PATCH 1/1] make sure to check cgroup hierarchy
+
+Some cases weren't doing that, although at least those were still
+checking for proper ownership.
+
+Signed-off-by: Serge Hallyn 
+---
+ cgmanager.c |   85 

+ 1 file changed, 80 insertions(+), 5 deletions(-)
+
+Index: cgmanager-0.33/cgmanager.c
+===
+--- cgmanager-0.33.orig/cgmanager.c
 cgmanager-0.33/cgmanager.c
+@@ -558,13 +558,20 @@ next:
+ int get_value_main(void *parent, const char *controller, const char *cgroup,
+   const char *key, struct ucred p, struct ucred r, char **value)
+ {
+-  char path[MAXPATHLEN];
++  char pcgpath[MAXPATHLEN], path[MAXPATHLEN];
+ 
+   if (!sane_cgroup(cgroup)) {
+   nih_error("%s: unsafe cgroup", __func__);
+   return -1;
+   }
+ 
++  // Get p's current cgroup in pcgpath
++  if (!compute_pid_cgroup(p.pid, controller, "", pcgpath, NULL)) {
++  nih_error("%s: Could not determine the proxy's cgroup for %s",
++  __func__, controller);
++  return -1;
++  }
++
+   if (!compute_pid_cgroup(r.pid, controller, cgroup, path, NULL)) {
+   nih_error("%s: Could not determine the requested cgroup 
(%s:%s)",
+ __func__, controller, cgroup);
+@@ -577,6 +584,14 @@ int get_value_main(void *parent, const c
+   return -1;
+   }
+ 
++  // Make sure target cgroup is under proxy's
++  int plen = strlen(pcgpath);
++  if (strncmp(pcgpath, path, plen) != 0) {
++  nih_error("%s: target cgroup is not below r (%d)'s", __func__,
++  r.pid);
++  return -1;
++  }
++
+   /* append the filename */
+   if (strlen(path) + strlen(key) + 2 > MAXPATHLEN) {
+   nih_error("%s: filename too long for cgroup %s key %s", 
__func__, path, key);
+@@ -608,19 +623,34 @@ int set_value_main(const char *controlle
+   struct ucred r)
+ 
+ {
+-  char path[MAXPATHLEN];
++  char pcgpath[MAXPATHLEN], path[MAXPATHLEN];
+ 
+   if (!sane_cgroup(cgroup)) {
+   nih_error("%s: unsafe cgroup", __func__);
+   return -1;
+   }
+ 
++  // Get p's current cgroup in pcgpath
++  if (!compute_pid_cgroup(p.pid, controller, "", pcgpath, NULL)) {
++  nih_error("%s: Could not determine the proxy's cgroup for %s",
++  __func__, controller);
++  return -1;
++  }
++
+   if (!compute_pid_cgroup(r.pid, controller, cgroup, path, NULL)) {
+   nih_error("%s: Could not determine the requested cgroup 
(%s:%s)",
+ __func__, controller, cgroup);
+   return -1;
+   }
+ 
++  // Make sure target cgroup is under proxy's
++  int plen = strlen(pcgpath);
++  if (strncmp(pcgpath

Bug#777649: cgmanager security update for jessie

[Serge Hallyn]

Quoting Niels Thykier (ni...@thykier.net):
> Control: tags -1 moreinfo
> 
> On 2015-02-11 05:36, Serge Hallyn wrote:
> > Package: release.debian.org
> > Usertags: jessie-pu
> > 
> > A security issue was found in cgmanager, allowing root-owned privileged
> > containers to fully administer cgroups on the host.  Two other issues
> > were found which allow cgmanager to be crashed by unprivileged users.
> > These have all been fixed in sid. The debdiff below, against the current
> > jessie package, fixes them for jessie.
> > 
> > debdiff:
> > 
> > [...]
> > + 
> > ++  // Make sure target cgroup is under proxy's
> > ++  int plen = strlen(pcgpath);
> > ++  if (strncmp(pcgpath, path, plen) != 0) {
> > ++  nih_error("%s: target cgroup is not below r (%d)'s", __func__,
> > ++  r.pid);
> > ++  return -1;
> > ++  }
> > ++
> > [...]
> 
> Hi,
> 
> Is this truly a sufficient test?  The above only tests that pcgpath is a
> prefix of path.  I do not know exactly what these paths are, so I have
> to ask.
> 
> Consider:
> 
>   pcgpath = "root"
>   pcpgpath = "root-acually-not-really"
>   plen = strlen(pcgpath) (= 4)
> 
> So if only the first plen characters match, they will be considered
> equal.  If you know, cases like this cannot happen, then it is fine.  I
> just wanted to double check.

Thanks, I appreciate the extra set of eyes.

The situation is that the task making the request (or proxying the request)
is supposed to be locked under its current cgroup, say /a/b/c.  It's making
a request pertaining to some cgroup X.  We want to make sure that X is
under /a/b/c.  Hence the path prefix test.

thanks,
-serge


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#760281: Not fixed

[Serge Hallyn]

git://github.com/cgmanager/cgmanager should have a complete fix for this
bug.  I want to test in several scenarios before pushing a package with
those changes.  Anyone who wants to test for themselves can build the
package with the last two patches from the git tree pushed.

After further testing I will release 0.36 upstream and 0.36-1 to sid.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#767468: [cgmanager] RE: cgmanager: Prevents clean umounts and breaks unrelated software (autofs, e2fsprogs)

[Serge Hallyn]

git://github.com/cgmanager/cgmanager should have a complete fix for this
bug.  I want to test in several scenarios before pushing a package with
those changes.  Anyone who wants to test for themselves can build the
package with the last two patches from the git tree pushed.

After further testing I will release 0.36 upstream and 0.36-1 to sid.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#777649: cgmanager security update for jessie

[Serge Hallyn]

Quoting Niels Thykier (ni...@thykier.net):
> Ok, are we guaranteed that pcgpath ends with the path separator?  Consider:

No in fact I think we're guaranteed it won't.

>   "/foo/bar"
>   "/foo/bar2/somewhere-else"
> 
> Unless the path separator is included in the end (i.e. it always uses
> "/foo/bar/" instead of "/foo/bar"), then it might still be possible to
> by-pass the prefix test.

Indeed it will, thanks!  I'm going to write a patch which commonizes
the checks and takes care of this case.  I'll get it into the next
release and send a patch for jessie tonight or tomorrow.

Note that ownership checks still apply, so the task in /foo/bar
could only affect /foo/bar2  if it owns /foo/bar2.  Or if it is
root, but root in a privileged container will be locked under
/lxc/$container.  So this should be less urgent than the larger
fix already addressed.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#777649: cgmanager security update for jessie

[Serge Hallyn]

Here is a new debdiff.  (tested in its original upstream version
in v0.36)   Maybe it would've been easier to squash the two patches,
but this way it's easier to tell whether the patches match what is
upstream.

diff -Nru cgmanager-0.33/debian/changelog cgmanager-0.33/debian/changelog
--- cgmanager-0.33/debian/changelog 2014-10-13 18:35:43.0 -0500
+++ cgmanager-0.33/debian/changelog 2015-02-11 22:28:11.0 -0600
@@ -1,3 +1,18 @@
+cgmanager (0.33-3) testing; urgency=medium
+
+  * SECURITY UPDATE: Cross-cgroup resource control bypass.
+- debian/patches/0003-make-sure-to-check-cgroup-hierarchy.patch, modify
+  cgmanager.c to verify that requests are allowed under the caller's
+  cgroup.
+- CVE-2014-1425
+  * 0004-chown-stop-cgmanager-crash-on-chown-of-bad-file.patch and
+0005-prevent-some-cgmanager-asserts.patch: prevent cgmanager
+crashing on unhandled asserts or dbus error (LP: #1407787)
+  * 0006-fix-subdirectory-check: further fix to the previous patch for
+CVE-2014-1425.
+
+ -- Serge Hallyn   Mon, 26 Jan 2015 09:12:02 -0600
+
 cgmanager (0.33-2) unstable; urgency=medium
 
   * Cherrypick two upstream patches to ensure that 'movepid all' continues
diff -Nru 
cgmanager-0.33/debian/patches/0003-make-sure-to-check-cgroup-hierarchy.patch 
cgmanager-0.33/debian/patches/0003-make-sure-to-check-cgroup-hierarchy.patch
--- 
cgmanager-0.33/debian/patches/0003-make-sure-to-check-cgroup-hierarchy.patch
1969-12-31 18:00:00.0 -0600
+++ 
cgmanager-0.33/debian/patches/0003-make-sure-to-check-cgroup-hierarchy.patch
2015-01-26 09:15:58.0 -0600
@@ -0,0 +1,201 @@
+From 6267916d4ea939794e0583cd8b08bd0b9594a6e2 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn 
+Date: Wed, 26 Nov 2014 01:00:10 -0600
+Subject: [PATCH 1/1] make sure to check cgroup hierarchy
+
+Some cases weren't doing that, although at least those were still
+checking for proper ownership.
+
+Signed-off-by: Serge Hallyn 
+---
+ cgmanager.c |   85 

+ 1 file changed, 80 insertions(+), 5 deletions(-)
+
+Index: cgmanager-0.33/cgmanager.c
+===
+--- cgmanager-0.33.orig/cgmanager.c
 cgmanager-0.33/cgmanager.c
+@@ -558,13 +558,20 @@ next:
+ int get_value_main(void *parent, const char *controller, const char *cgroup,
+   const char *key, struct ucred p, struct ucred r, char **value)
+ {
+-  char path[MAXPATHLEN];
++  char pcgpath[MAXPATHLEN], path[MAXPATHLEN];
+ 
+   if (!sane_cgroup(cgroup)) {
+   nih_error("%s: unsafe cgroup", __func__);
+   return -1;
+   }
+ 
++  // Get p's current cgroup in pcgpath
++  if (!compute_pid_cgroup(p.pid, controller, "", pcgpath, NULL)) {
++  nih_error("%s: Could not determine the proxy's cgroup for %s",
++  __func__, controller);
++  return -1;
++  }
++
+   if (!compute_pid_cgroup(r.pid, controller, cgroup, path, NULL)) {
+   nih_error("%s: Could not determine the requested cgroup 
(%s:%s)",
+ __func__, controller, cgroup);
+@@ -577,6 +584,14 @@ int get_value_main(void *parent, const c
+   return -1;
+   }
+ 
++  // Make sure target cgroup is under proxy's
++  int plen = strlen(pcgpath);
++  if (strncmp(pcgpath, path, plen) != 0) {
++  nih_error("%s: target cgroup is not below r (%d)'s", __func__,
++  r.pid);
++  return -1;
++  }
++
+   /* append the filename */
+   if (strlen(path) + strlen(key) + 2 > MAXPATHLEN) {
+   nih_error("%s: filename too long for cgroup %s key %s", 
__func__, path, key);
+@@ -608,19 +623,34 @@ int set_value_main(const char *controlle
+   struct ucred r)
+ 
+ {
+-  char path[MAXPATHLEN];
++  char pcgpath[MAXPATHLEN], path[MAXPATHLEN];
+ 
+   if (!sane_cgroup(cgroup)) {
+   nih_error("%s: unsafe cgroup", __func__);
+   return -1;
+   }
+ 
++  // Get p's current cgroup in pcgpath
++  if (!compute_pid_cgroup(p.pid, controller, "", pcgpath, NULL)) {
++  nih_error("%s: Could not determine the proxy's cgroup for %s",
++  __func__, controller);
++  return -1;
++  }
++
+   if (!compute_pid_cgroup(r.pid, controller, cgroup, path, NULL)) {
+   nih_error("%s: Could not determine the requested cgroup 
(%s:%s)",
+ __func__, controller, cgroup);
+   return -1;
+   }
+ 
++  // Make sure target cgroup is under proxy's
++  int plen = strlen(pcgpath);
++  if (strncmp(pcgpath, path, plen) != 0) {
++  nih_error("%s: target cgroup i

Bug#777649: cgmanager security update for jessie

[Serge Hallyn]

Quoting Niels Thykier (ni...@thykier.net):
> Control: tags -1 confirmed moreinfo
> 
> On 2015-02-12 05:32, Serge Hallyn wrote:
> > Here is a new debdiff.  (tested in its original upstream version
> > in v0.36)   Maybe it would've been easier to squash the two patches,
> > but this way it's easier to tell whether the patches match what is
> > upstream.
> > 
> > [...]
> 
> Ack, looks better.  :)  Please add the (missing parts of this) patch to
> unstable first

That is now in sid,

> and then upload the target fixes into testing with
> version 0.33-2+deb8u1.

Sorry, I'm not sure what you mean.  I don't actually have upload rights.
Should I ask someone to sponsor such a package, or just post the debdiff
here?  (It could be the same as the last debdiff I posted, with the version
number changed, or I could squash the two patches as I mentioned before)

> Please remove the moreinfo tag once the above have been done.

thanks,
-serge


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#757348: systemd: with SysV init, can no longer suspend and shutdown from lightdm

[Serge Hallyn]

Thanks for the report, Vincent.  I see the cause of the bug.  The fix is
now upstream, and I'll get it into sid asap.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#776469: more info

[Serge Hallyn]

Thanks for reporting this bug.  I tried to reproduce it using
up and down vlans (defined in /etc/network/interfaces), but
wasn't able to reproduce it.  I didn't try with ipv6 though.

You're running the experimental libnetcf with jessie.  Could
you tell us which libvirt version you are running?  What does
'sudo ncftool list' show?  Are your vlans defined in
/etc/network/interfaces or did you define them some other way?

I wonder whether it could be related to
https://bugzilla.redhat.com/show_bug.cgi?id=1185850


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#773421: more info

[Serge Hallyn]

Hi,

thanks for filing this bug.  I just tried to reproduce it, but cgmanager
did start fine for me under sysvinit-core.  Note that cgmanager leaves
no cgroup mounts on the host, but you can interact with it using cgm or
dbus-send.

sudo cgm create all user
sudo cgm chown all user 1000 1000
cgm movepid all serge $$
cat /proc/self/cgroup

I did verify that lxc doesn't work this way, but that is because the
lxc package in debian is built without cgmanager support.  Presumably
if you rebuild your lxc package after doing
sed -s 's/disable-cgmanager/enable-cgmanager/' debian/rules
it should work.

Or you can simply install cgroupfs-mount, or course.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#768406: fixed/

[Serge Hallyn]

I'm not sure why I haven't gotten any emails about this discussion in all this
time.  However (due to an independent report on github) this problem *should*
be fixed as of 0.34-1.  cgmanager now remounts / in its private ns as MS_SLAVE,
not MS_PRIVATE, so the umount from the host should propagate into cgmanager's
namespace.

If that does not suffice, we can add an option to cgmanager (and maybe even
make it default) to not unshare a private namespace.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#767468: fixed?

[Serge Hallyn]

Hi,

I'm sorry, somehow I wasn't getting emails about these.

This issue should be fixed in cgmangaer as of 0.34-1.  It now
remounts / MS_SLAVE instead of MS_PRIVATE.  This should allow
the umounts from the host to propagate into the cgmanager's
namespace.

If this does not suffice, we could add a switch to cgmanager
to not create a private namespace.  The effect would be that
/run/cgmanager/fs would be visible on the host, which really
isn't that big a deal.

Another possibility would be for cgmanager to actually
walk through its list of mounts and unmount anything it
doesn't need.  That could be more fragile, so the no-private-mntns
option is probably the better route.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#780519: tomcat7 build failure

[Serge Hallyn]

Quoting Miguel Landaeta (nomad...@debian.org):
> On Thu, Mar 19, 2015 at 02:48:32PM +0000, Serge Hallyn wrote:
> > Hi,
> > 
> > when I try to build tomcat7 from source on a jessie host, I get several
> > test failures.  One of the test output files is attached - I'm afraid I
> > have no idea how to read this.  Can anyone explain what's actually broken?
> > 
> 
> Hi Serge,
> 
> I think nobody has researched yet what's this bug about but we are
> already aware of it and we are tracking it on #780519.

Ah, thanks!  (I'd searched bug failed to find that bug)


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#779171: numactl: numa_node_of_cpu returns warning when cpu_index > 79

[Serge Hallyn]

Package: numactl
Version: 2.0.10-1
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu vivid ubuntu-patch

Dear Maintainer,

In Ubuntu, the attached patch was applied to fix the warning.
It is cherrypicked from upstream git.

  * cherrypick add-check-for-return-value-of-node-to-cpus.patch from
upstream to fix warning when cpu_index > 79 (LP: #1358835)


Thanks for considering the patch.


-- System Information:
Debian Release: jessie/sid
  APT prefers utopic-updates
  APT policy: (500, 'utopic-updates'), (500, 'utopic-security'), (500, 
'utopic'), (100, 'utopic-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-30-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u numactl-2.0.10/debian/changelog numactl-2.0.10/debian/changelog
only in patch2:
unchanged:
--- numactl-2.0.10.orig/debian/patches/add-check-for-return-value-of-node-to-cpus.patch
+++ numactl-2.0.10/debian/patches/add-check-for-return-value-of-node-to-cpus.patch
@@ -0,0 +1,49 @@
+commit 32075635db57c3d5efe12f8fb569af857e01ccad
+Author: Petr Holasek 
+Date:   Wed Jan 14 09:53:47 2015 +0100
+
+libnuma: add check for return value of numa_node_to_cpus
+
+When numa_node_to_cpu() has been called on machine with non-contiguous
+nodes, it returned the first node which wasn't present on machine.
+Now, return code is checked and code skips over non-existing nodes to
+the right one.
+
+Also, caching of numa_node_to_cpus_v2() result while non-zero error had
+been returned was disabled.
+
+Signed-off-by: Petr Holasek 
+
+Tested by Cliff Wickman (on attica.sgi.com)
+
+diff --git a/libnuma.c b/libnuma.c
+index 91425ae..8d7bf13 100644
+--- a/libnuma.c
 b/libnuma.c
+@@ -1382,8 +1382,12 @@ numa_node_to_cpus_v2(int node, struct bitmask *buffer)
+ 		if (mask != buffer)
+ 			numa_bitmask_free(mask);
+ 	} else {
+-		node_cpu_mask_v2[node] = mask;
+-	} 
++		/* we don't want to cache faulty result */
++		if (!err)
++			node_cpu_mask_v2[node] = mask;
++		else
++			numa_bitmask_free(mask);
++	}
+ 	return err; 
+ }
+ __asm__(".symver numa_node_to_cpus_v2,numa_node_to_cpus@@libnuma_1.2");
+@@ -1405,7 +1409,10 @@ int numa_node_of_cpu(int cpu)
+ 	bmp = numa_bitmask_alloc(ncpus);
+ 	nnodes = numa_max_node();
+ 	for (node = 0; node <= nnodes; node++){
+-		numa_node_to_cpus_v2_int(node, bmp);
++		if (numa_node_to_cpus_v2_int(node, bmp) < 0) {
++			/* It's possible for the node to not exist */
++			continue;
++		}
+ 		if (numa_bitmask_isbitset(bmp, cpu)){
+ 			ret = node;
+ 			goto end;

Bug#778950: [Pkg-shadow-devel] Bug#778950: shadow: CVE-2013-4235 symbolic link race condition

[Serge Hallyn]

So it seems like the most robust way to handle this would be to at the top
of remove_tree do something like:

fd = open(root);
ret = fstat(fd, &sb);
if (S_ISLNK(fd))
return -1; // or unlink it, but warning the admin seems best
DIR = fopendir(fd);

Is there another approach?


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#797663: moreinfo

[Serge Hallyn]

Hi,

Could you show your /etc/init.d/cgmanager and /etc/init.d/cgproxy
files?  The version i get in a new sid install contain:

# Default-Start:2 3 4 5

Is either cgmanager or cgproxy in fact running?

Thanks.

Bug#801316: netcf: ncftool fails when 'source-directory' directive is used in /etc/network/interfaces

[Serge Hallyn]

Hi,

There is a new netcf package version 0.2.8-1, but looking at the code
I don't expect that to help.

I think the source-directory directive is simply un-implemented.  So
someone would have to write the patch to src/drv_debian.c to implement
it.

Bug#801316: please test

[Serge Hallyn]

Actually, apparently augeas has in fact learned about source
directory, so netcf may benefit from that.  Could you please
test the 0.2.8-1 package and report whether that works?

thanks!

Bug#801316: netcf: ncftool fails when 'source-directory' directive is used in /etc/network/interfaces

[Serge Hallyn]

Thanks, I'll try to reproduce this (though won't be back until next week)
Could you please show the contents of /etc/nework/interfaces.d and
output of 'ifconfig -a' ?

Bug#801981: [Pkg-shadow-devel] Bug#801981: pwconv: keeps some lines that should be deleted from /etc/shadow

[Serge Hallyn]

Hi,

So when I use deluser I don't have this problem.  When I use vipw,
i get a warning:

You have modified /etc/passwd.
You may need to modify /etc/shadow for consistency.

and actually none of the test users are deleted for me.

No comments around the code spitting out that comment, so I have
to assume it's somewhat intentional.

So this certainly doesn't seem like a bug in the package to me.
However a feature request against github.com/shadow-maint/shadow
would be appropriate.

-serge

Bug#801981: [Pkg-shadow-devel] Bug#801981: pwconv: keeps some lines that should be deleted from /etc/shadow

[Serge Hallyn]

Ah, right you are.  As you said in your first email.  Easily
reproduced here - thanks.

Bug#778287: [Pkg-shadow-devel] Bug#778287: NMU diff

[Serge Hallyn]

Hm, interesting.  Note that here userdel -f tells me it couldn't
delete the user, but it does delete it (but doesn't kill the
active login).  Looking at the code I guess there are a few steps
which should be skipped.

I'll apply this patch upstream at github.com/shadow-maint/shadow.

thanks,
-serge

Quoting Bastian Blank (bastian.bl...@credativ.de):
> Attached is the NMU diff.
> 
> Bastian
> 
> -- 
> Bastian Blank
> Berater
> Telefon: +49 2161 / 4643-194
> E-Mail: bastian.bl...@credativ.de
> credativ GmbH, HRB Mönchengladbach 12080, USt-ID-Nummer: DE204566209
> Hohenzollernstr. 133, 41061 Mönchengladbach
> Geschäftsführung: Dr. Michael Meskes, Jörg Folz, Sascha Heuer

> diff -Nru shadow-4.2/debian/changelog shadow-4.2/debian/changelog
> --- shadow-4.2/debian/changelog   2014-11-19 20:59:09.0 +
> +++ shadow-4.2/debian/changelog   2015-11-12 14:33:56.0 +
> @@ -1,3 +1,10 @@
> +shadow (1:4.2-3.1) unstable; urgency=medium
> +
> +  * Non-maintainer upload.
> +  * Fix error handling in busy user detection. (Closes: #778287)
> +
> + -- Bastian Blank   Thu, 12 Nov 2015 14:33:33 
> +
> +
>  shadow (1:4.2-3) unstable; urgency=low
>  
>* Enforce hardened builds to workaround cdbs sometimes not building
> diff -Nru shadow-4.2/debian/patches/1020_fix_user_busy_errors 
> shadow-4.2/debian/patches/1020_fix_user_busy_errors
> --- shadow-4.2/debian/patches/1020_fix_user_busy_errors   1970-01-01 
> 00:00:00.0 +
> +++ shadow-4.2/debian/patches/1020_fix_user_busy_errors   2015-11-12 
> 14:24:49.0 +
> @@ -0,0 +1,38 @@
> +Description: Fix user_busy to not leave subuid open in case of error.
> +Author: William Grant 
> +Bug: https://bugs.launchpad.net/ubuntu/vivid/+source/shadow/+bug/1436937
> +
> +Index: shadow-4.2/libmisc/user_busy.c
> +===
> +--- shadow-4.2.orig/libmisc/user_busy.c
>  shadow-4.2/libmisc/user_busy.c
> +@@ -175,6 +175,9 @@ static int user_busy_processes (const ch
> + if (stat ("/", &sbroot) != 0) {
> + perror ("stat (\"/\")");
> + (void) closedir (proc);
> ++#ifdef ENABLE_SUBIDS
> ++sub_uid_close();
> ++#endif  /* ENABLE_SUBIDS */
> + return 0;
> + }
> + 
> +@@ -212,6 +215,9 @@ static int user_busy_processes (const ch
> + 
> + if (check_status (name, tmp_d_name, uid) != 0) {
> + (void) closedir (proc);
> ++#ifdef ENABLE_SUBIDS
> ++sub_uid_close();
> ++#endif  /* ENABLE_SUBIDS */
> + fprintf (stderr,
> +  _("%s: user %s is currently used by process 
> %d\n"),
> +  Prog, name, pid);
> +@@ -232,6 +238,9 @@ static int user_busy_processes (const ch
> + }
> + if (check_status (name, task_path+6, uid) != 0) 
> {
> + (void) closedir (proc);
> ++#ifdef ENABLE_SUBIDS
> ++sub_uid_close();
> ++#endif  /* ENABLE_SUBIDS */
> + fprintf (stderr,
> +  _("%s: user %s is currently 
> used by process %d\n"),
> +  Prog, name, pid);
> diff -Nru shadow-4.2/debian/patches/series shadow-4.2/debian/patches/series
> --- shadow-4.2/debian/patches/series  2014-11-19 20:48:40.0 +
> +++ shadow-4.2/debian/patches/series  2015-11-12 14:24:49.0 +
> @@ -34,3 +34,4 @@
>  #userns/16_add-argument-sanity-checking.patch
>  1000_configure_userns
>  1010_vietnamese_translation
> +1020_fix_user_busy_errors

> ___
> Pkg-shadow-devel mailing list
> pkg-shadow-de...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-shadow-devel

Bug#790894: please push

[Serge Hallyn]

Hi,

a new package with this patch is not yet in the archive.  Can you
please push one soon?

Thanks.

Bug#759203: thanks

[Serge Hallyn]

Thanks for submitting this bug.  The fix should be in 0.32-1 which should
be uploaded soon.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#761389: breaks shutdown when switching from systemd-sysv to sysvinit-core

[Serge Hallyn]

Quoting Michael Biebl (bi...@debian.org):

Hi Michael,

> Looking at v215, it seems as if starting cgmanager as part of the
> installation messes up the running systemd state. When triggering
> reboot, (i.e. poking /dev/initctl), I get the following:
> 
> Incoming traffic on systemd-initctl.socket
> Trying to enqueue job systemd-initctl.service/start/replace
> Installed new job systemd-initctl.service/start as 371
> Enqueued job systemd-initctl.service/start as 371
> systemd-initctl.socket changed listening -> running
> Sent message type=signal sender=n/a destination=n/a 
> object=/org/freedesktop/systemd1/unit/systemd_2dinitctl_2esocket 
> interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=754 
> reply_cookie=0 error=n/a
> Sent message type=signal sender=n/a destination=n/a 
> object=/org/freedesktop/systemd1/unit/systemd_2dinitctl_2esocket 
> interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=755 
> reply_cookie=0 error=n/a
> Sent message type=signal sender=n/a destination=n/a 
> object=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager 
> member=JobNew cookie=756 reply_cookie=0 error=n/a
> Received SIGCHLD from PID 1979 (shutdown).
> Child 1979 (shutdown) died (code=exited, status=0/SUCCESS)
> ^[[1;31mFailed to create cgroup : No such file or directory^[[0m
> About to execute: /lib/systemd/systemd-initctl
> Forked /lib/systemd/systemd-initctl as 1980
> systemd-initctl.service changed dead -> running
> Job systemd-initctl.service/start finished, result=done
> Sent message type=signal sender=n/a destination=n/a 
> object=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager 
> member=JobRemoved cookie=757 reply_cookie=0 error=n/a
> ^[[1;31mFailed to create cgroup : No such file or directory^[[0m
> Failed to realize cgroups for queued unit user.slice: No such file or 
> directory
> ^[[1;31mFailed to create cgroup : No such file or directory^[[0m
> Failed to realize cgroups for queued unit cgmanager.service: No such file or 
> directory

At this point, systemd-shim is installed, right?  Has it diverted
/usr/share/dbus-1/system-services/org.freedesktop.systemd1.service already?
Would that be the actual core of the problem?  If so, should systemd-shim
recognize that pid 1 is systemd and refuse to run?


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#761389: breaks shutdown when switching from systemd-sysv to sysvinit-core

[Serge Hallyn]

Quoting Michael Biebl (bi...@debian.org):
> Hi Serge,
> 
> Am 13.09.2014 um 17:06 schrieb Serge Hallyn:
> > At this point, systemd-shim is installed, right?  Has it diverted
> > /usr/share/dbus-1/system-services/org.freedesktop.systemd1.service already?
> > Would that be the actual core of the problem?  If so, should systemd-shim
> > recognize that pid 1 is systemd and refuse to run?
> 
> as I wrote in my follow-up email, the problem can be reduced down to
> simply installing the cgmanager package while systemd v215 is the active
> PID 1.

Hm, cgmanager running shouldn't be interering with systemd.  It won't
manage any cgroups unless asked to, and since all the controllers are
already mounted by systemd, it won't install any release-agents.

Of course not running cgmanager by default under systemd was the goal
anyway, but I'd definately like it to be an option.  So I'll do some
testing to see what's going on - but fixing this bug shouldn't wait
on that.

> The postinst of cgmanager uses invoke-rc.d to start the cgmanager

Hm, cgmanager doesn't ship a postinst, so this is done automatically.

> service. Invoke-rc.d on the other hand doesn't care that the native
> .service file is shipped as disabled.

Drat.  So what is the right way to "really" disable it by default when
installed under systemd?

> As a result, the cgmanager daemon is started. That alone is sufficient
> to break systemd. systemd-shim is not involved here.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#755977: Processed: reassign 755977 to cgmanager

[Serge Hallyn]

thanks for filing this bug.  I appreciate but reject your point of view.  To
elaborate:

Currently the cgmanager sytemd unit is installed inactive, so by default it
will not interfere with systemd.  The user needs to specifically enable it.

When cgmanager finds that cgroups have been pre-mounted (by systemd or someone
else) it does not install release agents, so it does not interfere with the
previous mounter's administration of the cgroups.

When systemd-shim is not installed, cgmanager does nothing that will create
or destroy login sessions or scopes.  That's left entirely up to systemd.

The only way cgmanager will generally be used is to create sub-cgroups either
of /lxc or of a user's login session.  The actual configuration of cgroups
done by systemd will not be interfered with (apart from impact of /lxc,
which could be an interesting issue but in no way justifies a Conflicts)

When systemd becomes feature-full enough to satisfy the needs of lxc, I'll
definitely seek to implement a systemd backend so that cgmanager can be
considered conflicting with systemd.  We can also hope that cgroup namespaces
will make it upstream and obviate the need for cgmanager.  For now that's not
an option.

In the meantime, I'm going to claim that just because I run systemd on my
laptop does not mean that I cede full control of cgroups to systemd.  You
may use them if you insist and I won't even get in the way, but you may
not co-opt them entirely.

What you are basically asking for is that any software which needs the
features offered by cgmanager should be not installable alongside systemd.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#759745: done?

[Serge Hallyn]

Hi,

As far as I understand it, this bug should be fixed.  If anyone does
still encounter it, please respond and let us know.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#762608: haproxy: service haproxy stop returns 4 if haproxy was already not running.

[Serge Hallyn]

Package: haproxy
Version: 1.5.4-1
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu utopic ubuntu-patch

Dear Maintainer,

pacemaker was running haproxy.  haproxy was killed by oom.  pacemaker
tries to stop then start haproxy, but fails because stop failed with 4
rather than exiting with 0.  Since haproxy was in fact stopped after
the 'service haproxy stop' call, 0 should be returned rather than 4
(by my reading of http://www.debian.org/doc/debian-policy/ch-opersys.html)

*** /tmp/tmpykD9sX/bug_body

In Ubuntu, the attached patch was applied to achieve the following:

  * haproxy.init: return 0 on stop if haproxy was not running.  (LP: #1038139)


Thanks for considering the patch.


-- System Information:
Debian Release: jessie/sid
  APT prefers utopic-updates
  APT policy: (500, 'utopic-updates'), (500, 'utopic-security'), (500, 
'utopic'), (100, 'utopic-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-16-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Description: check whether haproxy is running before killing it
 If 'service haproxy stop' is called when haproxy is already not
 running, then stop currently returns 4.  This patch will make it
 return 0, since 'stop' had the expected end result (haproxy is stopped)
Author: ariel-cafelug
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/1038139

diff -Nru haproxy-1.5.4/debian/haproxy.init haproxy-1.5.4/debian/haproxy.init
--- haproxy-1.5.4/debian/haproxy.init	2014-09-02 12:26:00.0 -0500
+++ haproxy-1.5.4/debian/haproxy.init	2014-09-23 12:06:14.0 -0500
@@ -60,7 +60,9 @@
 		return 0
 	fi
 	for pid in $(cat $PIDFILE) ; do
-		/bin/kill $pid || return 4
+if kill -0 $pid 2>/dev/null; then
+		/bin/kill $pid || return 4
+fi
 	done
 	rm -f $PIDFILE
 	return 0

Bug#746747: package fails to build without this

[Serge Hallyn]

Please apply the debdiff which Daniel kindly provided.  Without it,
ipxe now fails to build in jessie.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#764991: cgmanager: dbus-related assertion failure

[Serge Hallyn]

Thanks for submitting this bug.  Could you show what the output is of:

sudo /sbin/cgmanager -m name=systemd --debug

as well as

dpkg -l | egrep -e '(init|upstart|systemd)'


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#764991: cgmanager: dbus-related assertion failure

[Serge Hallyn]

Quoting Nicolas Schier (nico...@hjem.rpa.no):
> Dear Serge,
> 
> > Thanks for submitting this bug.  Could you show what the output is 
> > of:
> > 
> > sudo /sbin/cgmanager -m name=systemd --debug
> 
> cgmanager:cgmanager.c:1379: Assertion failed in main: server != NULL

Drat.  Would you mind trying

sudo strace -f /sbin/cgmanager -m name=systemd --debug


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#769433: [serge.hal...@ubuntu.com: trivial patch for manpage]

[Serge Hallyn]

Package: secure-delete
Version: 3.1.6
Severity: minor

Dear maintainer,

Several bugs were reported against the ubuntu package for spelling
mistakes in the manpages.  These have been fixed in Ubuntu with the
following patch:

Index: secure-delete-3.1/sfill.1
===
--- secure-delete-3.1.orig/sfill.1
+++ secure-delete-3.1/sfill.1
@@ -14,7 +14,7 @@ sfill \- secure free disk and inode spac
 .SH DESCRIPTION
 .I sfill
 is designed to delete data which lies on available diskspace on mediums
-in a secure manner which can not be recovered by thiefs, law enforcement
+in a secure manner which can not be recovered by thieves, law enforcement
 or other threats.
 The wipe algorithm is based on the paper "Secure Deletion of Data from
 Magnetic and Solid-State Memory" presented at the 6th Usenix Security
@@ -39,7 +39,7 @@ process of sfill goes like this:
 .PP
 afterwards as many temporary files as possible are generated to wipe the
 free inode space. After no more temporary files can be created, they are
-removed and sfill is finnished.
+removed and sfill is finished.
 .PP
 
 .SH COMMANDLINE OPTIONS
Index: secure-delete-3.1/smem.1
===
--- secure-delete-3.1.orig/smem.1
+++ secure-delete-3.1/smem.1
@@ -14,11 +14,11 @@ sdmem \- secure memory wiper (secure_del
 .SH DESCRIPTION
 .I sdmem
 is designed to delete data which may lie still in your memory (RAM)
-in a secure manner which can not be recovered by thiefs, law enforcement
+in a secure manner which can not be recovered by thieves, law enforcement
 or other threats.
 Note that with the new SDRAMs, data will not wither away but will be kept
 static - it is easy to extract the necessary information!
-The wipe algorythm is based on the paper "Secure Deletion of Data from
+The wipe algorithm is based on the paper "Secure Deletion of Data from
 Magnetic and Solid-State Memory" presented at the 6th Usenix Security
 Symposium by Peter Gutmann, one of the leading civilian cryptographers.
 .PP
Index: secure-delete-3.1/srm.1
===
--- secure-delete-3.1.orig/srm.1
+++ secure-delete-3.1/srm.1
@@ -14,7 +14,7 @@ srm \- secure remove (secure_deletion to
 .SH DESCRIPTION
 .I srm 
 is designed to delete data on mediums in a secure manner which can not be
-recovered by thiefs, law enforcement or other threats.
+recovered by thieves, law enforcement or other threats.
 The wipe algorythm is based on the paper "Secure Deletion of Data from
 Magnetic and Solid-State Memory" presented at the 6th Usenix Security
 Symposium by Peter Gutmann, one of the leading civilian cryptographers.
Index: secure-delete-3.1/sswap.1
===
--- secure-delete-3.1.orig/sswap.1
+++ secure-delete-3.1/sswap.1
@@ -14,7 +14,7 @@ sswap \- secure swap wiper (secure_delet
 .SH DESCRIPTION
 .I sswap
 is designed to delete data which may lie still on your swapspace
-in a secure manner which can not be recovered by thiefs, law enforcement
+in a secure manner which can not be recovered by thieves, law enforcement
 or other threats.
 The wipe algorythm is based on the paper "Secure Deletion of Data from
 Magnetic and Solid-State Memory" presented at the 6th Usenix Security


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#815936: do not set notimeout

[Serge Hallyn]

Package: sc
Version: 7.16-4
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu xenial ubuntu-patch

Dear Maintainer,

sc breaks with ncurses 6 because it sets notimeout, causing getch not to wait 
for input.
multi-character commands like 'ir' are completely broken by this.  The solution 
is to
not set notimeout.  Setting it before was simply ignored by curses, which is 
why we did
not see breakage

In Ubuntu, the attached patch was applied to fix sc:

  * lex.c: do not set notimeout (LP: #1549665)

Thanks for considering the patch.


-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-7-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru sc-7.16/debian/patches/nonotimeout.patch 
sc-7.16/debian/patches/nonotimeout.patch
--- sc-7.16/debian/patches/nonotimeout.patch1969-12-31 16:00:00.0 
-0800
+++ sc-7.16/debian/patches/nonotimeout.patch2016-02-25 14:42:37.0 
-0800
@@ -0,0 +1,35 @@
+Description; do not set notimeout
+ It causes getch to immediately return -1, triggering the warning
+ "Weird character, decimal -1", and stops multi-character commands
+ like 'ir' from working.  This was not a problem before because
+ curses was wrongly ignoring it (see
+ http://invisible-island.net/ncurses/NEWS.html#t20151128)
+Author: Serge Hallyn 
+Forwarded: yes
+
+Index: sc-7.16/lex.c
+===
+--- sc-7.16.orig/lex.c
 sc-7.16/lex.c
+@@ -650,21 +650,18 @@ void
+ initkbd()
+ {
+ keypad(stdscr, TRUE);
+-notimeout(stdscr,TRUE);
+ }
+ 
+ void
+ kbd_again()
+ {
+ keypad(stdscr, TRUE);
+-notimeout(stdscr,TRUE);
+ }
+ 
+ void
+ resetkbd()
+ {
+ keypad(stdscr, FALSE);
+-notimeout(stdscr, FALSE);
+ }
+ 
+ int
diff -Nru sc-7.16/debian/patches/series sc-7.16/debian/patches/series
--- sc-7.16/debian/patches/series   2014-05-18 13:00:54.0 -0700
+++ sc-7.16/debian/patches/series   2016-02-25 14:39:24.0 -0800
@@ -2,3 +2,4 @@
 call_function_not_take_its_address
 Upstream-changes-from-old-versions
 function_definitions
+nonotimeout.patch

Bug#817971: [Pkg-shadow-devel] Bug#817971: shadow: binaries depend on the SHELL variable of the builder

[Serge Hallyn]

Quoting Niels Thykier (ni...@thykier.net):
> Serge Hallyn:
> > Hi,
> > 
> > thanks for reporting this.  It seems to me 'sh' would indeed seem a
> > more usual choice for debian.  So long as the package build succeeds
> > that way, let's go that route?
> > 
> 
> Wfm. :)
> 
> Do you want a new patch or are you fine with refitting the existing?

I've applied it to the 4.3 candidate at 
http://mentors.debian.net/debian/pool/main/s/shadow/shadow_4.3-1.dsc

I may push a packaging git tree to github to make this more reliable /
less likely to get lost.

Bug#817971: [Pkg-shadow-devel] Bug#817971: shadow: binaries depend on the SHELL variable of the builder

[Serge Hallyn]

Hi,

thanks for reporting this.  It seems to me 'sh' would indeed seem a
more usual choice for debian.  So long as the package build succeeds
that way, let's go that route?

Bug#816760: libvirt0: Launching a VM with flavor with huge pages: NUMA node binding are not supported by this QEMU

[Serge Hallyn]

Hi,

hugepages don't appear to be the problem here.  The root problem is that
you are requesting numa bindings (see the note in
https://libvirt.org/formatdomain.html#elementsMemory)
Debian cannot yet be built with numa support (see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758189)