Re: Thunderbird 52.9.0 for LTS?

2018-07-08 Thread Emilio Pozuelo Monfort
On 07/07/18 11:44, Carsten Schoenert wrote:
> Hello Emilio and Security-Team,
> 
> while preparing the stretch-security package for Thunderbird upstream
> has announced just right now via the private driver mailing list to stop
> the current automatic updates for 52.9.0 due to a critical issue [1] that
> can bring in some data loss while working with attachments. So I decided
> to open a bug [2] with severity grave against the version of thunderbird
> in unstable to prevent the migration to testing for now.
> 
> But this means also we shouldn't deliver version 52.9.0 in any -security
> release for now. So I will not upload my prepared packages for
> stretch-security as I think Mozilla will provide a fix for the new issue
> within the next days. Or there are other objections?

Yes, let's postpone this until there is a fix. We don't want to introduce a data
corruption bug in a security update.

Cheers,
Emilio



lbglib-json in Jessie

2018-07-08 Thread Riccardo (Jack) Lucchetti

Hi all,

gretl developer here. We found that libglib-json 1.0.2 (which is the 
version still present in Jessie) is affected by a relatively nasty bug; 
see commit 1f6668a9534c01523361075dad290c0dc49d7623 in


http://ftp.acc.umu.se/pub/GNOME/sources/json-glib/1.0/json-glib-1.0.4.changes

I personally was able to get around the problem quite easily by installing 
on the affected machine the Stretch version (1.2.6), which required just 
another upgrade (gir1.2-json to 2.0.1). However, since apparently the bug 
was fixed in 1.0.4, it could be a good idea to upgrade the Jessie version 
at least to that version.


Thanks,

---
  Riccardo (Jack) Lucchetti
  Dipartimento di Scienze Economiche e Sociali (DiSES)

  Università Politecnica delle Marche
  (formerly known as Università di Ancona)

  r.lucche...@univpm.it
  http://www2.econ.univpm.it/servizi/hpp/lucchetti
---

Re: lbglib-json in Jessie

2018-07-08 Thread Chris Lamb
Hi Riccardo,

> gretl developer here. We found that libglib-json 1.0.2 (which is the 
> version still present in Jessie) is affected by a relatively nasty bug
[…]
> I personally was able to get around the problem quite easily by installing 
> on the affected machine the Stretch version (1.2.6), which required just 
> another upgrade (gir1.2-json to 2.0.1).

I'm being slightly misled by your reference to gir1.2-json there as
this is part of glib-json source package - did you typo with the "lib"
prefix to "libjson-json"?

To clarify/summarise, are you suggesting that we upgrade src:glib-json
from 1.0.2 → 1.0.4? Why don't we just cherry-pick the aforementioned
patch and apply it to 1.0.2? :)


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Closing wheezy-security for newer uploads

2018-07-08 Thread Emilio Pozuelo Monfort
Hi,

Since wheezy is no longer LTS, please close it so that no new uploads can happen
on wheezy-security on security-master. This can happen now even if the actual
archiving takes a bit longer.

Thanks,
Emilio



Re: lbglib-json in Jessie

2018-07-08 Thread Riccardo (Jack) Lucchetti

On Sun, 8 Jul 2018, Chris Lamb wrote:

> Hi Riccardo,
>
>> gretl developer here. We found that libglib-json 1.0.2 (which is the
>> version still present in Jessie) is affected by a relatively nasty bug
>
> […]
>
>> I personally was able to get around the problem quite easily by installing
>> on the affected machine the Stretch version (1.2.6), which required just
>> another upgrade (gir1.2-json to 2.0.1).
>
> I'm being slightly misled by your reference to gir1.2-json there as
> this is part of glib-json source package - did you typo with the "lib"
> prefix to "libjson-json"?

Ah, you're right. I just needed that for the "-dev" package, which I need
for building gretl.

> To clarify/summarise, are you suggesting that we upgrade src:glib-json
> from 1.0.2 → 1.0.4?

Yes (and the dev-package too, of course)

> Why don't we just cherry-pick the aforementioned patch and apply it to
> 1.0.2? :)

You mean, in my local system? I thought LTS for Jessie ended in 2020, and
IMO it'd be nice to fix a package in the official repo.


---
  Riccardo (Jack) Lucchetti
  Dipartimento di Scienze Economiche e Sociali (DiSES)

  Università Politecnica delle Marche
  (formerly known as Università di Ancona)

  r.lucche...@univpm.it
  http://www2.econ.univpm.it/servizi/hpp/lucchetti
---

(E)LTS report for June

2018-07-08 Thread Emilio Pozuelo Monfort
Hi,

Last month I spent 17h working on the Debian LTS:

- security tracker extends support
- security tracker check-syntax improvements
- firefox-esr 60 (pytoml, cargo)
- openjdk-7 update
- xen triage
- phpmyadmin update (started to look at it but left it to Abhijith who had a
lead start)
- libgcrypt20 update
- mariadb-10.0 update
- firefox-esr 52.9.0

I also spent 7h on Extended LTS:
- security tracker configuration
- openjdk-7 update
- frontdesk
- security tracker improvements for renamed packages

Cheers,
Emilio



Re: Closing wheezy-security for newer uploads

2018-07-08 Thread Ansgar Burchardt
Emilio Pozuelo Monfort writes:
> Since wheezy is no longer LTS, please close it so that no new uploads can happen
> on wheezy-security on security-master. This can happen now even if the actual
> archiving takes a bit longer.

Done:

update suite set accept_source_uploads = false,
accept_binary_uploads = false where codename = 'wheezy';
UPDATE 1

Ansgar



Re: Closing wheezy-security for newer uploads

2018-07-08 Thread Emilio Pozuelo Monfort
On 08/07/18 13:35, Ansgar Burchardt wrote:
> Emilio Pozuelo Monfort writes:
>> Since wheezy is no longer LTS, please close it so that no new uploads can happen
>> on wheezy-security on security-master. This can happen now even if the actual
>> archiving takes a bit longer.
> 
> Done:
> 
> update suite set accept_source_uploads = false,
> accept_binary_uploads = false where codename = 'wheezy';
> UPDATE 1

Thanks!

Emilio



Re: lbglib-json in Jessie

2018-07-08 Thread Chris Lamb
Riccardo,

> Ah, you're right. I just needed that for the "-dev" package, which I need 
> for building gretl.
> 
> > To clarify/summarise, are you suggesting that we upgrade src:glib-json
> > from 1.0.2 → 1.0.4?
> 
> Yes (and the dev-package too, of course)

I think there is some confusion here or something at least worth
clarifying so we are sure we are talking about the same thing - when a
package is updated/uploaded in Debian, the entire source package is
updated. In other words, one can't just update the -dev package anyway.

> > Why don't we just cherry-pick the aforementioned patch and apply it to 
> > 1.0.2? :)
> 
> You mean, in my local system?

No, I mean apply this patch to an updated version of 1.0.2 and
upload that to jessie rather than introduce all the other changes that
make up the diff between this version and 1.0.4.

(Does this issue have a bug in the Debian BTS?)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Re: lbglib-json in Jessie

2018-07-08 Thread Riccardo (Jack) Lucchetti

On Sun, 8 Jul 2018, Chris Lamb wrote:

> Riccardo,
>
>> Ah, you're right. I just needed that for the "-dev" package, which I need
>> for building gretl.
>>
>>> To clarify/summarise, are you suggesting that we upgrade src:glib-json
>>> from 1.0.2 → 1.0.4?
>>
>> Yes (and the dev-package too, of course)
>
> I think there is some confusion here or something at least worth
> clarifying so we are sure we are talking about the same thing - when a
> package is updated/uploaded in Debian, the entire source package is
> updated. In other words, one can't just update the -dev package anyway.

Yes, I'm aware of that.

>>> Why don't we just cherry-pick the aforementioned patch and apply it to
>>> 1.0.2? :)
>>
>> You mean, in my local system?
>
> No, I mean apply this patch to an updated version of 1.0.2 and
> upload that to jessie rather than introduce all the other changes that
> make up the diff between this version and 1.0.4.

I'm a bit reluctant to do this, as I've never done this before and I'd
probably spend a long time doing something that would need to be revised
by somebody competent anyway. Sorry.

> (Does this issue have a bug in the Debian BTS?)

Hm, I don't think so. Should I file a bug report?

---
  Riccardo (Jack) Lucchetti
  Dipartimento di Scienze Economiche e Sociali (DiSES)

  Università Politecnica delle Marche
  (formerly known as Università di Ancona)

  r.lucche...@univpm.it
  http://www2.econ.univpm.it/servizi/hpp/lucchetti
---

Re: lbglib-json in Jessie

2018-07-08 Thread Chris Lamb
Riccardo,

> >> Ah, you're right. I just needed that for the "-dev" package, which I need
> >> for building gretl.
> >>
> >>> To clarify/summarise, are you suggesting that we upgrade src:glib-json
> >>> from 1.0.2 → 1.0.4?
> >>
> >> Yes (and the dev-package too, of course)
> >
> > I think there is some confusion here or something at least worth
> > clarifying so we are sure we are talking about the same thing -
> > when a package is updated/uploaded in Debian, the entire source
> > package is updated. In other words, one can't just update the -dev
> > package anyway.
> 
> Yes, I'm aware of that.

... then it is unclear / misleading why you are referencing the "glib-
json" source package and then mentioning the -dev binary package (with
a "too") as if they are separate concerns.

> >>> Why don't we just cherry-pick the aforementioned patch and apply it to
> >>> 1.0.2? :)
> >>
> >> You mean, in my local system?
> >
> > No, I mean apply this patch to an updated version of 1.0.2 and
> > upload that to jessie  [..]
> 
> I'm a bit reluctant to do this, as I've never done this before

You have misread what I wrote. I am not asking you to do that locally
or otherwise. I am asking why we (LTS) don't apply that commit and
upload it to jessie.

> Hm, I don't think so. Should I file a bug report?

Yes. (Issues in Debian should almost always have a bug report, at
least so we can track the versions affected.)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Re: Advice for building tomcat8 on jessie?

2018-07-08 Thread Roberto C. Sánchez
On Thu, Jul 05, 2018 at 09:40:40AM -0400, Roberto C. Sánchez wrote:
> On Tue, Jul 03, 2018 at 11:40:05PM +0200, Emmanuel Bourg wrote:
> > Le 30/06/2018 à 20:09, Roberto C. Sánchez a écrit :
> > 
> > > I would very much appreciate your guidance on this so that I can get
> > > tomcat8 in jessie updated.
> > 
> > Hi Roberto,
> > 
> > Thanks a lot for helping with the Tomcat maintenance. The error probably
> > comes from an expired test certificate or a change in OpenSSL. Try
> > building the package locally without pbuilder and inspect the test logs
> > generated in the output directory. You should get a good indication of
> > the cause of this error. Note that you can build the package and run
> > only one test by adding -Dtest.name=**/TestWebSocketFrameClientSSL*
> > after the "ant test" invocation in debian/rules. That should speed up
> > your investigations.
> > 
> Hi Emmanuel,
> 
> The SSL certificate expiration was exactly the problem.  I have updated
> them from the latest available in the upstream sources and am presently
> running another build.
> 
It turns out that build ended up failing.  (I meant to ping back as soon
as it had completed, but I did not get around to it.)  I tried a build
of the current version (8.0.14-1+deb8u11) with test SSL certificates
updated from upstream, and that build failed as well.  A total of 12
unit tests failed.

This makes me wonder if I am missing something.  I can understand the
SSL certificate expiry preventing a rebuild of the package.  But I
cannot understand how the build would fail otherwise.  I will dig into
the test failures tonight, but I would appreciate any thoughts on what
might be going wrong.

Regards,

-Roberto

-- 
Roberto C. Sánchez



Re: lbglib-json in Jessie

2018-07-08 Thread Allin Cottrell
Apologies for butting in, but maybe I can clarify a little. (I'm a 
co-developer of gretl with Riccardo.)


The upstream software in question is called json-glib, and the 
Debian packages are libjson-glib*. (The names have gone a little 
adrift up-thread.)


We use json-glib in gretl and are concerned that the version 
supplied with Debian Jessie (namely, 1.0.2) has a significant bug 
that was fixed in version 1.0.4. The latter is just a patch-level 
update so it seems to me Jessie might reasonably offer an update to 
1.0.4.


However, if the preferred policy is minimal change, then (as Charles 
Lamb suggested) the release of a revised version of libjson-glib 
1.0.2 for Jessie with the key fix cherry-picked would be fine by us. 
In that case (maybe I'm repeating what's up-thread), the relevant 
patch can be found as Attachment 293136 at 
https://bugzilla.gnome.org/show_bug.cgi?id=741824


--
Allin Cottrell
Department of Economics
Wake Forest University



Re: lbglib-json in Jessie

2018-07-08 Thread Allin Cottrell

On Sun, 8 Jul 2018, Allin Cottrell wrote:

> However, if the preferred policy is minimal change, then (as Charles Lamb
> suggested) the release of a revised version of libjson-glib 1.0.2 for Jessie
> with the key fix cherry-picked would be fine by us. In that case (maybe I'm
> repeating what's up-thread), the relevant patch can be found as Attachment
> 293136 at https://bugzilla.gnome.org/show_bug.cgi?id=741824


Sorry, Chris Lamb, not Charles, was the author of the suggestion I 
mentioned. And I commented on names going slightly adrift...


Allin Cottrell




Re: Advice for building tomcat8 on jessie?

2018-07-08 Thread tony mancill
On Sun, Jul 08, 2018 at 04:18:31PM -0400, Roberto C. Sánchez wrote:
> On Thu, Jul 05, 2018 at 09:40:40AM -0400, Roberto C. Sánchez wrote:
> > On Tue, Jul 03, 2018 at 11:40:05PM +0200, Emmanuel Bourg wrote:
> > > Le 30/06/2018 à 20:09, Roberto C. Sánchez a écrit :
> > > 
> > > > I would very much appreciate your guidance on this so that I can get
> > > > tomcat8 in jessie updated.
> > > 
> > > Hi Roberto,
> > > 
> > > Thanks a lot for helping with the Tomcat maintenance. The error probably
> > > comes from an expired test certificate or a change in OpenSSL. Try
> > > building the package locally without pbuilder and inspect the test logs
> > > generated in the output directory. You should get a good indication of
> > > the cause of this error. Note that you can build the package and run
> > > only one test by adding -Dtest.name=**/TestWebSocketFrameClientSSL*
> > > after the "ant test" invocation in debian/rules. That should speed up
> > > your investigations.
> > > 
> > Hi Emmanuel,
> > 
> > The SSL certificate expiration was exactly the problem.  I have updated
> > them from the latest available in the upstream sources and am presently
> > running another build.
> > 
> It turns out that build ended up failing.  (I meant to ping back as soon
> as it had completed, but I did not get around to it.)  I tried a build
> of the current version (8.0.14-1+deb8u11) with test SSL certificates
> updated from upstream, and that build failed as well.  A total of 12
> unit tests failed.
> 
> This makes me wonder if I am missing something.  I can understand the
> SSL certificate expiry preventing a rebuild of the package.  But I
> cannot understand how the build would fail otherwise.  I will dig into
> the test failures tonight, but I would appreciate any thoughts on what
> might be going wrong.

Hello Roberto,

If you're still running into build failures, I would be interested in
taking a look.  Could you push your branch to Salsa when you have a
chance?

Cheers,
tony

