RFC: SQLite3 in Squeeze

2010-08-17 Thread Laszlo Boszormenyi
Hi Release Team,

There's a problem with SQLite3 3.7.0 in Squeeze.
The version in testing (3.6.23.1-4) was suitable to release. Next major
upstream version (3.7.0) was released, which was uploaded to unstable.
Then freeze happened. The latest release came with problems, like slow
song change with Banshee (reported as #591298 [1]). In that bugreport I
noted that v3.7.0 has a database corruption issue as well and I'm
waiting for v3.7.0.1 to be released. Then I had to travel for some days.
The bad thing is, that Iain Lane was so disappointed with the slow
Banshee song change that he prepared an NMU of SQLite3 with a backported
fix of that slowness. Julien Cristau uploaded his NMU, with high
urgency. Both of them ignored the fact that there's an unfixed database
corruption issue in that NMU. The bad thing is, somehow 3.7.0-1.1
migrated to Squeeze, even if it was not affected by this bug. As 3.7.0.1
was released (fixing another performance regression and the potential
database corruption), I have uploaded it to unstable and it's ready to
migrate. The problem is, the performance regression hit by Banshee is
still present.

While it would be good to have 3.7.0.1-1 in testing, it's still not
suitable to release because of the latter problem. What should I do? I
don't have package version 3.6.23.1-4 anymore and I don't know when this
bug will be fixed or if it will be easily backportable.

Regards,
Laszlo/GCS
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=591298


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1282067389.3511.266.ca...@julia.gcs.org.hu



Re: RFC: SQLite3 in Squeeze

2010-08-21 Thread Laszlo Boszormenyi
On Wed, 2010-08-18 at 16:53 +0200, Mehdi Dogguy wrote:
> On 08/18/2010 04:34 PM, Julien Cristau wrote:
> > Sounds like we should go back to 3.6.x in testing and sid.
> 
> If we go that way, we will have to rebuild some packages [1] (red ones).
 I think we should run forward and ship the upcoming v3.7.1 with
Squeeze.

On Wed, 2010-08-18 at 12:57 +0900, Ansgar Burchardt wrote:
> This might also be the cause of failures in the test suite of
> libdbd-sqlite3-perl (#59 [0]):
[...]
> [0] 
 It is, at least it builds with sqlite3 version 3.6.23.1 in the same
environment. On the other hand, I have found a slowness and can
reproduce it with a test case. Contacted upstream and waiting for an
answer.

On Wed, 2010-08-18 at 19:10 +0200, Mike Hommey wrote:
> If only sqlite had a symbols file...
 Will have.

Regards,
Laszlo/GCS





Re: RFC: SQLite3 in Squeeze

2010-08-25 Thread Laszlo Boszormenyi
Hi Salvatore,

On Wed, 2010-08-25 at 23:30 +0200, Salvatore Bonaccorso wrote:
> Are there plans to the 3.7.2 to be in squeeze?
 Definitely. Version 3.7.2 fixes a database corruption, v3.7.1 fixes a
regression issue and v3.7.0.1 fixes another database corruption.
Thus hereby I ask the release team to allow v3.7.2 into Squeeze. I know,
#591298 [1] is still not fixed, but the previous ones warrant an update.
I don't know when the latter will be fixed; I gave a working test case
to upstream and they said that they are working on it.
Please note that upstream recently fixed a segfault bug[2] and when the
former bug[1] will be fixed, I'll ask for its freeze exception as well.

Regards,
Laszlo/GCS
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=591298
[2] http://www.sqlite.org/src/info/7f2f71cc9e3c39093f09231f44





Re: RFC: SQLite3 in Squeeze

2010-08-30 Thread Laszlo Boszormenyi
Hi Julien,

On Mon, 2010-08-30 at 11:00 +0200, Julien Cristau wrote:
> On Thu, Aug 26, 2010 at 00:21:14 +0200, Laszlo Boszormenyi wrote:
> > Please note that upstream recently fixed a segfault bug[2] and when the
> > former bug[1] will be fixed, I'll ask for its freeze exception as well.
> > 
> Is there any chance of that happening this week?  We're getting packages
> stuck behind sqlite3 in unstable.
 It's a very good question. I supplied upstream a test case, got a reply
that they are working on it and DRH gave me a Banshee side workaround.
Later, as I couldn't see any progress, pinged them. No answer so
far. :-(
I think v3.7.2-1 should migrate to Squeeze ASAP as it fixes a regression
and two database corruption issues. Also, the lag could be migrated to
Squeeze as well. When 3.7.3 will be released, I'll upload it and ask for
another unfreeze request. It'll be an important release as well, fixing
at least a segfault and a memory leak among other bugfixes.


Regards,
Laszlo/GCS





RFC: syslog-ng #608791 and future unblock request

2011-01-29 Thread Laszlo Boszormenyi
Hi Release Team!

There's a bug, #608791 [1] in syslog-ng, which I'd like to fix for
Squeeze. If you ask for automated directory creation then its uid and
gid settings are not working, but set to root:root. The problem is, the
corresponding capabilities are not set for the process before fchown()
calls.

I could solve this with the following patch.
--- syslog-ng-3.1.3.orig/src/misc.c
+++ syslog-ng-3.1.3/src/misc.c
@@ -24,6 +24,7 @@
 #include "misc.h"
 #include "dnscache.h"
 #include "messages.h"
+#include "gprocess.h"
 
 #include 
 #include 
@@ -368,6 +369,7 @@ create_containing_directory(gchar *name,
   struct stat st;
   gint rc;
   gchar *p;
+  cap_t saved_caps;
   
   /* check that the directory exists */
   dirname = g_path_get_dirname(name);
@@ -401,12 +403,16 @@ create_containing_directory(gchar *name,
 {
   if (mkdir(name, dir_mode < 0 ? 0700 : (mode_t) dir_mode) ==
-1)
 return FALSE;
+  saved_caps = g_process_cap_save();
+  g_process_cap_modify(CAP_CHOWN, TRUE);
+  g_process_cap_modify(CAP_FOWNER, TRUE);
   if (dir_uid >= 0)
 chown(name, (uid_t) dir_uid, -1);
   if (dir_gid >= 0)
 chown(name, -1, (gid_t) dir_gid);
   if (dir_mode >= 0)
 chmod(name, (mode_t) dir_mode);
+  g_process_cap_restore(saved_caps);
 }
   *p = '/';
   p = strchr(p + 1, '/');
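Review bot: In the last hunk, CAP_CHOWN and CAP_FOWNER are raised right after mkdir() whether or not dir_uid, dir_gid or dir_mode is set, so the process holds them even when none of the three calls below will run. Consider wrapping the save/modify/restore in `if (dir_uid >= 0 || dir_gid >= 0 || dir_mode >= 0)`. The return values of chown(), chmod() and g_process_cap_modify() are also ignored, so a failure to apply the ownership (the symptom in #608791) would still pass silently; logging it or returning FALSE would make that visible.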

This way, I've to link pdbtool with libcap, so adding @DEPS_LIBS@ for it
in Makefile.am is also necessary. Upstream support solved it a bit
differently.
diff --git a/src/affile.c b/src/affile.c
index b5e1bef..df79029 100644
--- a/src/affile.c
+++ b/src/affile.c
@@ -55,10 +55,20 @@ affile_open_file(gchar *name, gint flags,
   return FALSE;
 }
 
-  if (create_dirs && !create_containing_directory(name, dir_uid,
dir_gid, dir_mode))
-return FALSE;
-
   saved_caps = g_process_cap_save();
+  if (create_dirs)
+{
+  g_process_cap_modify(CAP_CHOWN, TRUE);
+  g_process_cap_modify(CAP_FOWNER, TRUE);
+
+  if (!create_containing_directory(name, dir_uid, dir_gid,
dir_mode))
+   {
+ g_process_cap_restore(saved_caps);
+ return FALSE;
+   }
+  g_process_cap_restore(saved_caps);
+}
+
   if (privileged)
 {
   g_process_cap_modify(CAP_DAC_READ_SEARCH, TRUE);
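Review bot: The new `if (create_dirs)` block raises CAP_CHOWN and CAP_FOWNER for the whole of create_containing_directory(), including the cases where every directory already exists or no dir_uid, dir_gid or dir_mode is configured. Narrowing the raise to the point where ownership or mode is actually changed would keep the privileged window smaller. The restore on the `return FALSE` path is in place; the g_process_cap_modify() results are not checked, though, so a failed raise goes unnoticed.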

This way no extra linking is necessary, but the capabilities are used for
slightly more time and even when dir_owner() and dir_group() are not
set. Support ACK that my solution is better even for the extra linking.
The bad news is that we still couldn't get feedback from the real
upstream author of syslog-ng.

If you accept it, which patch should I use and where should I upload?
Can it go for t-p-u or via Sid maybe with priority=medium?

Regards,
Laszlo/GCS
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608791




Re: RFC: syslog-ng #608791 and future unblock request

2011-01-30 Thread Laszlo Boszormenyi
On Sun, 2011-01-30 at 19:53 +0100, Julien Cristau wrote:
> On Sat, Jan 29, 2011 at 18:28:53 +0100, Laszlo Boszormenyi wrote:
> > There's a bug, #608791 [1] in syslog-ng, which I'd like to fix for
> > Squeeze. If you ask for automated directory creation then its uid and
> > gid settings are not working, but set to root:root. The problem is, the
> > corresponding capabilities are not set for the process before fchown()
> > calls.
> 
> It's too late for severity:normal bug fixes at this point, sorry.
 It's set to normal and while it's not rc, I think it's important. Makes
logging and/or log processing impossible if owner and group can not be
set for log directories.

Cheers,
Laszlo/GCS





Bug#611838: unblock: syslog-ng/3.1.3-3

2011-02-02 Thread Laszlo Boszormenyi
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

Please unblock syslog-ng 3.1.3-3 which fixes a grave bug where created
directory and unix stream uid/gid are not set correctly. The patches are
created by Zbigniew Krzystolik for PLD Linux and accepted by
upstream[1][2]. They are backported for the version being in Debian.

Thanks,
Laszlo/GCS
[1] 
http://git.balabit.hu/?p=bazsi/syslog-ng-3.2.git;a=commitdiff;h=967b1720c8487f3cbe49292c7e5ed3b871ab2de5
[2] 
http://git.balabit.hu/?p=bazsi/syslog-ng-3.2.git;a=commitdiff;h=abce2bfa9c59b4290609056da590277c1a8e50f9







intend to remove sqlite package

2011-03-15 Thread Laszlo Boszormenyi
Hi Release Team,

For a long time, sqlite has not been maintained by upstream. It is not even
buildable anymore[1]. I don't want to carry it anymore.
The following packages depend on it:
  kolab-webclient
  sympa
  serendipity
  roundcube-sqlite
  qsf
  phpbb3
  pdns-backend-sqlite
  movabletype-opensource
  lire
  imms-common
  csync2
  beancounter
  bacula-director-sqlite
  ansel1

For example, bacula can drop it and serendipity can switch to sqlite3 as
I see. I need to investigate each package, but first I need the approval
of the Release Team. Is it OK to start it right now or should I wait for
something?

Regards,
Laszlo/GCS
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618154





Re: intend to remove sqlite package

2011-03-15 Thread Laszlo Boszormenyi
On Tue, 2011-03-15 at 21:17 +0100, Julien Cristau wrote:
> On Tue, Mar 15, 2011 at 20:28:57 +0100, Laszlo Boszormenyi wrote:
> > I need to investigate each package, but first I need the approval
> > of the Release Team.
> I'm not following.  Why would we need to be involved at this point?
 Not to crash with other transitions; the release team may want to
save sqlite; it may force other packages to be removed if they have no
sqlite3 possibilities.

OK, sorry for the noise; will file related bugs tomorrow.

Laszlo/GCS





Bug#630251: [Fwd: Bug#630251: patch for proposed updates / rdesktop sometimes fails to transfer files from win2k8]

2011-06-14 Thread Laszlo Boszormenyi
Hi Adam,

On Mon, 2011-06-13 at 20:48 +0100, Adam D. Barratt wrote:
> On Sun, 2011-06-12 at 20:09 +0200, Andreas Barth wrote:
> > some programs make rdesktop to fail to keep up the directory
> > forwarding to a win 2k8-server. Please see
> > http://sourceforge.net/tracker/?func=detail&aid=2812158&group_id=24366&atid=381349
> > for the bug, the fix is as follows:
> > 
> > --- rdesktop-1.6.0.orig/disk.c  2009-06-19 09:06:27.0 -0400
> > +++ rdesktop-1.6.0/disk.c   2009-06-25 09:40:44.0 -0400
> > @@ -1096,10 +1101,24 @@
> [...]
> 
> This is nearly, but not quite, the same as the corresponding code in the
> current rdesktop package in unstable.  Other than the printf(), the
> difference is that where the proposed fix has:
> 
> > +   out_uint32_le(out, stat_fs.f_blocks);   /* 
> > TotalAllocationUnits */
> > +   out_uint32_le(out, 0);  
> > +   out_uint32_le(out, stat_fs.f_bavail);   /* 
> > CallerAvailableAllocationUnits */
> > +   out_uint32_le(out, 0);  
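Review bot: Both allocation-unit fields are written as a 32-bit low word with the high word hard-coded to 0 (`out_uint32_le(out, 0)`), so if stat_fs.f_blocks or stat_fs.f_bavail does not fit in 32 bits the reported value is silently truncated. Emitting the upper 32 bits of each counter in the second out_uint32_le() call would avoid that, and the two high-word lines would read better with a comment like the low-word ones have.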
> 
> the package in unstable has:
> 
> out_uint32_le(out, stat_fs.f_blocks);   /* Total allocation units low */
> out_uint32_le(out, 0);  /* Total allocation units high */
> out_uint32_le(out, stat_fs.f_blocks);   /* Caller allocation units low */
> out_uint32_le(out, 0);  /* Caller allocation units high */
> 
> I've CCed the rdesktop maintainers for any comments they might have.
 IMHO the former one is the correct one, the changes in unstable seem to
have a copy&paste bug. stat_fs.f_blocks may have nothing to do with
'caller allocation units low'. Will ask upstream soon.

Laszlo/GCS







please hint sqlite3 3.5.9-6

2009-02-11 Thread Laszlo Boszormenyi
Hi Release Team,

Please hint sqlite3 3.5.9-6 into Lenny. The only change is below, fixes
#502370 [1], which was filed as serious. The fix is uploaded on January
21st. Fixes the upgrade problem which may happen if a newer sqlite3
binary would use an old and incompatible version of its library.

--- sqlite3-3.5.9/debian/control2009-02-11 20:15:40.0 +
+++ sqlite3-3.5.9/debian/control2009-02-11 20:15:42.0 +
@@ -22,7 +22,7 @@
 Package: sqlite3
 Section: misc
 Architecture: any
-Depends: ${shlibs:Depends}
+Depends: ${shlibs:Depends}, libsqlite3-0 (= ${binary:Version})
 Suggests: sqlite3-doc
 Description: A command line interface for SQLite 3
  SQLite is a C library that implements an SQL database engine.
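Review bot: The pin added on the Depends line is an exact `=`, which is stricter than the stated problem needs: the failure described is a newer sqlite3 binary running against an older library, and `libsqlite3-0 (>= ${binary:Version})` would already rule that out. With `=` the two packages can only ever move in lockstep, so a fix shipped for libsqlite3-0 also requires a matching sqlite3 upload to be installable. If the exact pin is intended, a sentence in the changelog saying why would help the next reader.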

Thanks,
Laszlo/GCS
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502370





please unblock gradm2 2.1.9-3

2007-03-19 Thread Laszlo Boszormenyi
Hi Release Team,

 I have uploaded gradm2 2.1.9-3, which turns debconf messages to
README.Debian and NEWS.Debian . Well, just realised that NEWS.Debian is
not installed; but would it be acceptable for Etch? I would like to
upload -4 of course which fixes the NEWS.Debian problem - maybe I should
ask for unblock then?

Regards,
Laszlo/GCS





Re: please unblock openoffice.org

2007-03-21 Thread Laszlo Boszormenyi
On Wed, 2007-03-21 at 00:46 -0700, Steve Langasek wrote:
> $ grep-excuses openoffice.org
> openoffice.org (2.0.4.dfsg.2-5 to 2.0.4.dfsg.2-6)
> Maintainer: Debian OpenOffice Team
> Too young, only 0 of 2 days old
> Not touching package, as requested by freeze (contact debian-release if 
> update is needed)
> Not considered
> Depends: openoffice.org neon26 (not considered)
> 
> 
> Sorry, there's a new upstream version of neon26 in unstable.
 Yup, but that neon upstream is a security fix as well. It may be
hinted to Etch, but I would lie if I don't say that the NMU (0.26.2-3.1)
contains that security fix as well. Otherwise 0.26.3 fixes Kerberos
authentication (#413194); may be good to have it as well. No other big
changes in 0.26.3 .

> Please
> reupload this package to testing (preferably by way of the testing-security
> queue, with the security team's permission) with a version number >> -5 and
> << -6 (e.g., -5+etch1).
 This would be the easiest way, I admit.

Regards,
Laszlo/GCS





proposed sqlite and neon transitions

2007-04-24 Thread Laszlo Boszormenyi
Hi Release-Team!

 Both transitions are big because a lot of packages use them, so they may
not be carried out for Lenny.
About SQLite2, it is rarely supported, but its transition would require
porting packages depending on it to SQLite3. I don't know yet if it's
easy or not, upstreams plan to do it or not. Need more investigations.
Speaking of neon 2.5 to neon 2.6 is close to be OK, but there are known
problems. The most known is OpenOffice.org, which builds with neon 2.6,
but crashes sometimes regarding webdav support. Thus this needs
clarification as well. I will post here if I know more.

 I have a question about Sarge/oldstable. I took over maintainership of
rdesktop, which is affected by the libx11-6 1.0.3-7 security fix. Just
as VICE, a Commodore emulator. If I prepare an update for Sarge/Etch,
can I change the maintainer field in both or should it look like that
the old maintainer does the update?

Regards,
Laszlo/GCS





Re: proposed sqlite and neon transitions

2007-04-24 Thread Laszlo Boszormenyi
Hi Steve,

On Tue, 2007-04-24 at 15:14 -0700, Steve Langasek wrote:
> AFAIK, changing the maintainer field as part of an upload to stable or
> oldstable should be acceptable -- [...]
 Moritz seconded this, thanks.

> but libx11-6 1.0.3-7 isn't part of sarge,
> so probably no upload to oldstable is needed for vice on account of this?
 I was contacted by Julien Cristau (jcristau), that he is preparing an
upload of the fixed xfree86 package (may not be the same package that is
affected and/or version). Also it's not only VICE, but rdesktop too
which is affected as well. Moritz said that my uploads should target
oldstable-security even if they are not security fixes, but will be
released together with the xfree86 security fix.

Cheers,
Laszlo/GCS





Re: rdesktop update needed in etch

2007-04-26 Thread Laszlo Boszormenyi
Hi Raphael,

On Thu, 2007-04-26 at 15:21 +0200, Raphael Hertzog wrote:
> http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=rdesktop;dist=stable
> with #418098 and following, rdesktop doesn't work on etch.
 Yes, I know this, may not work for Sarge even when the same security
fix is released for it.

> Given the number of users bitten by this, we really must prepare an update
> for etch. But I haven't seen anything yet. Laszlo, what's up? Please
> prepare a fixed package for stable-proposed-updates.
 Hmmm. Strange, even the fix for Sarge was discussed here, on -project.
Updated package for Etch is already uploaded, only waiting for
ftp-master approval[1]. I have the updated package also for Sarge, but I
wait for the fixed X11 packages to build with.

> PS: BTW, the bug is fixed in sid but the bugs have not been closed. You
> should version-close them properly now.
 First it was a proposed fix only, package uploaded for testing, but not
closed the bug. Then Steve merged the Etch and Sid bugs, and I have left
it as-is. Will version-close somewhen soon.

Cheers,
Laszlo/GCS
[1] http://ftp-master.debian.org/proposed-updates.html





neon26 kerberos auth update

2007-04-28 Thread Laszlo Boszormenyi
Hi Release Team!

 Unfortunately a fix didn't make it to Etch, I even missed it when
looking over my packages. It's bug #413194 [1], which is an upstream
typo, makes Kerberos authentication fail. It hurts several users, and as
the fix is a one-liner, I hope it can be accepted to Etch r1. The diff:
--- neon26-0.26.2/src/ne_auth.c 2007-03-03 07:35:07.0 +0100
+++ ne_auth.c   2007-03-03 07:32:18.0 +0100
@@ -516,7 +516,7 @@
  char *sep, *ptr = strchr(duphdr, ' ');
  int ret;

-if (strncmp(hdr, "Negotiate", ptr - hdr) != 0) {
+if (strncmp(hdr, "Negotiate", ptr - duphdr) != 0) {
  NE_DEBUG(NE_DBG_HTTPAUTH, "gssapi: Not a Negotiate response!\n");
  ne_free(duphdr);
  return NE_ERROR;
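Review bot: The corrected length `ptr - duphdr` is still computed from `ptr = strchr(duphdr, ' ')` with no NULL check visible before the strncmp(), so a header that contains no space leaves ptr NULL and the length passed to strncmp() meaningless. A `ptr == NULL` test ahead of the comparison would cover that. Bounding strncmp() by the token length also lets a shorter token such as "Nego" compare equal to "Negotiate"; requiring the length to equal strlen("Negotiate") as well would close that.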

 Can I upload an updated neon26 to proposed-updates ? If yes, what would
be the correct Debian version? Reason: it's an NMU -3.1, but as I'm its
maintainer, I would like to make it -4.

Regards,
Laszlo/GCS
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413194





binNMU for cryptmount

2007-04-30 Thread Laszlo Boszormenyi
Hi,

 Please schedule a binNMU for cryptmount on PowerPC. It failed due to a
binutils bug, #421455 .

Thanks,
Laszlo/GCS





Re: SRM - cryptmount update to 1.2-3

2007-06-09 Thread Laszlo Boszormenyi
Hi Martin,

On Sat, 2007-06-09 at 17:50 +0200, Martin Zobel-Helas wrote:
> On Mon Jun 04, 2007 at 18:29:42 +0100, R.Penney wrote:
> > All of these changes represent very minor corrections to the 
> > source-code, but will remove some significant weaknesses in the current 
> > release.
> Could you please send the diff to here, or a link to the diff, so i can
> review it?
 You can get the diff from my corner of web[1]. It contains all changes
at once, but the independent fixes are readable.

Regards,
Laszlo/GCS
[1] http://www.lsc.hu/gcs/cryptmount_1.2-1_to_1.2-3.patch





Re: [SRM] r1 closes after tonights dinstall run

2007-06-21 Thread Laszlo Boszormenyi
Hi Martin,

On Thu, 2007-06-21 at 15:14 +0200, Martin Zobel-Helas wrote:
> i will most probably not accept any further packages[1] for Debian Etch r1
> after todays^Wtonights dinstall run, unless someone really convinces me
> there is something very important missing. Exception are granted for 
> packages related to D-I or kernel, if not already uploaded.
 What about cryptmount? Diff[1] was provided but I couldn't see any
reply if you allow or disallow its upload.

Regards,
Laszlo/GCS
[1] http://www.lsc.hu/gcs/cryptmount_1.2-1_to_1.2-3.patch





please hint cdw

2007-08-13 Thread Laszlo Boszormenyi
Hi,

 As cdw 0.3.1-2 has been in the archive for 27 days, but can't enter into
testing due to removed binaries, please hint it for transition.
Removed binaries are gcdw as the GTK+ frontend was removed and thus I didn't
want to keep cdw-common either.

Thanks,
Laszlo/GCS





neon transition for Lenny

2007-10-14 Thread Laszlo Boszormenyi
Hi all who involved,

As Neon 0.27.2 was accepted to the archives, I would like to urge
everyone to use this version instead of the now unsupported 0.25.x and
0.26.y versions.
The biggest targets are OpenOffice.org, which has a RFH (#419523 [1])
filed as Rene is its only real maintainer and Subversion.
Smaller packages affected: bmpx, davfs2, rapidsvn, rpm, sitecopy and
subcommander.
Please ask your upstream if Neon 0.27 support is available or when it
will be available and report back. My plan is to try the newest upstream
versions of affected packages with version 0.27.2; if it does not
compile, try to fix it and provide a patch. Real life says it will
happen next weekend only. :-(

Regards,
Laszlo/GCS
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=419523





proposed sqlite3 transition

2007-12-25 Thread Laszlo Boszormenyi
Hi all,

With the upload of sqlite3 3.5.4 to experimental, I would like to ask
everyone who build depend on SQLite3, please test it as its inner is
changed a lot. Should be fine for the outer side, but please read the
details[1]. I could compile several packages against it, but not being
user of those packages, not tested the result. Expect that I will upload
it to unstable in two weeks time. Well, it fixes a critical bug[2], so
sooner would be better.
Also I would like to propose SQLite (v2) to be removed as being
unmaintained for a long time, I hope all related packages can be easily
ported to SQLite3. What's the release team standpoint on this?

Regards,
Laszlo/GCS
[1] http://www.sqlite.org/34to35.html
[2] http://www.sqlite.org/releaselog/3_5_4.html





Re: proposed sqlite3 transition

2007-12-25 Thread Laszlo Boszormenyi
Hi Steve,

On Tue, 2007-12-25 at 20:16 -0800, Steve Langasek wrote:
> On Tue, Dec 25, 2007 at 05:50:08PM +0100, Laszlo Boszormenyi wrote:
> Then you should be addressing debian-devel, not debian-release.
 Thought that devel has big volume and some may miss it or don't even on
devel, but read project.

> It's impractical to remove sqlite2 from unstable until much of this porting
> work has already been done, and the package won't be removed from testing
> while it still has reverse-dependencies there.
 That's my plan, didn't mean to remove it now. Just a note to the
release team to know about this.

Regards,
Laszlo/GCS





hint for vice/1.22-2

2008-01-12 Thread Laszlo Boszormenyi
Hi,

Please hint vice 1.22-2 into testing, it's blocked by s390 and sparc. As
none of them in the archs field for now, it is ready for migration.

Thanks,
Laszlo/GCS





Re: hint for vice/1.22-2

2008-01-13 Thread Laszlo Boszormenyi
Hi Steve,

On Sat, 2008-01-12 at 13:30 -0800, Steve Langasek wrote:
> On Sat, Jan 12, 2008 at 09:26:59PM +0100, Laszlo Boszormenyi wrote:
> That's not how hinting works.
 Thought so, but couldn't get porters to remove the false dependency.

> But that seems unlikely to happen, since you've removed s390 and sparc from
> the architecture list for this package for reasons completely unrelated to
> portability.  If you need help getting action taken regarding a wrong
> dep-wait on a buildd, please ask debian-release -- but don't just decide to
> stop supporting an architecture.
 OK, please remove false liblame-dev dependency from m68k (sparc seems
to be removed meanwhile).

> s390 may be a different matter since the package has been marked
> "Not-for-us" (grumble) by the buildd maintainer; but the binary still has to
> be removed from unstable to let the package propagate naturally into
> testing.
 So vice can be arch: all, even if s390 says not-for-us, right?

Thanks,
Laszlo/GCS





Re: hint for vice/1.22-2

2008-01-13 Thread Laszlo Boszormenyi
Hi all involved,

On Sun, 2008-01-13 at 12:54 +0100, Philipp Kern wrote:
> Please contact d-release next time to get the issue resolved.
 Will do.

> Not arch:all (architecture independent) but arch:any (as it's
> architecture dependent), but yes.  The s390 porter noted to remove the
> not-for-us.  I also reported a RC bug about this.
 Yes, noted arch:any just after sent my message. Bugreport noted,
answered and fixed.

Sorry for the noise and thanks,
Laszlo/GCS




intend to hijack GnuPG

2008-04-18 Thread Laszlo Boszormenyi
Hi Release Team,

I intend to hijack GnuPG[1], but as it builds a udeb and has priority
important, I ask if the Release Team allow it.
James seems to be MIA more than six months ago:
activity-pgp:[Mon, 22 Oct 2007 23:02:33] "9BF0 93BC 475B ABF8  B6AE A5F6 D7C3 F131 AB2A 91F5" "<[EMAIL PROTECTED]> archive/latest/102479" "<[EMAIL PROTECTED]>"
activity-from:[Wed, 05 Sep 2007 19:44:23] "James Troup <[EMAIL PROTECTED]>" "<[EMAIL PROTECTED]> archive/latest/167709" "<[EMAIL PROTECTED]>"

Various people can't reach him[2]. On the other hand, he seems to be
active on Ubuntu[3], he joined to Launchpad security this January at
least. Moritz Muehlenhoff noted[4] that it should be hijacked and get in
shape for Lenny. Thus I have created a preliminary package[5] which
fixes some important bugs and get v1.4.9 to the archive.
Does the Release Team allow this hijack, should I upload it as an NMU
instead or just leave it alone?

Regards,
Laszlo/GCS
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476418
[2] http://lists.debian.org/debian-devel/2008/04/msg00476.html
[3] https://launchpad.net/~elmo
[4] http://lists.debian.org/debian-devel/2008/04/msg00517.html
[5] dget http://www.routers.hu/gcs/gnupg_1.4.9-1.dsc





upload of sqlite3 3.5.8-2

2008-04-29 Thread Laszlo Boszormenyi
Hi,

Upstream source changed from time to time and I still missed to
re-enable load extension support. It is not part of the core/public API,
still some package may use it. Currently two bugs filed against it, the
severity of the former[1] is serious, the latter[2] shows the diff to
enable it again. I need to specify --enable-load-extension in
DEB_CONFIGURE_EXTRA_FLAGS .
This upload affects the python2.5 transition, but without this upload it
will block the transition (the former bugreport will prevent sqlite3 to
enter Lenny). As the change is minimal and load extension was always
enabled it won't cause any trouble. As the previous upload is fresh, it
won't even make the transition notably slower.
Please allow its upload.

Regards,
Laszlo/GCS
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=478337
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475084





please unblock neon27 0.28.2-4

2008-08-24 Thread Laszlo Boszormenyi
Hi Release Team,

Please do unblock neon27 0.28.2-4 , it fixes a security issue,
CVE-2008-3746 . It contains other backported fixes from upstream 0.28.3:
- fix ne_set_progress(, NULL, ) to match pre-0.27 behaviour (and not
  crash);
- distinguish the error message for an SSL handshake which fails after
  a client cert was requested;
- proper casts for safe and warning free compilation on LFS archs.

Regards,
Laszlo/GCS





unblock request for rdesktop and linux-patch-grsecurity2

2008-08-31 Thread Laszlo Boszormenyi
Dear Release-Team,

Hereby I'm asking for unblock request for rdesktop 1.6.0-2 and
linux-patch-grsecurity2 2.1.12+2.6.26.2+200808091136-1 .

The rdesktop package is now compiled with IPv6 support which would be
very good to have for reaching Vista boxes and other IPv6 hosts. It's in
Sid for two weeks, no new bug reported. Other changes include removed
obsolete x-dev build dependency, policy 10.1 conformance (don't strip
binaries if nostrip specified in DEB_BUILD_OPTIONS) and update to
Standards-Version 3.8.0 .

About linux-patch-grsecurity2 : It contains an updated patchset for
Lenny 2.6.26 kernels as Moritz recommended. Also updated Japanese
debconf translation.

Regards,
Laszlo/GCS





unblock request for sqlite3 3.5.9-5

2008-10-04 Thread Laszlo Boszormenyi
Hi,

Please unblock sqlite3 3.5.9-5 . This fixes two RC bugs, #488864 [1]
and #500792 [2]. The former is NaN handling on i386, causing divisions
returning incorrect results. The latter is a bug in distinct usage on
indexes.

Regards,
Laszlo/GCS
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488864
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500792






some package questions about freeze

2005-05-05 Thread Laszlo Boszormenyi
Hi Release Team,

 I have four questions:
- gradm2, contains a wrapper shell script update, to use absolute
  paths instead of relative ones (#307293); can it be pushed into
  Sarge now or when it is ten days old?
- neon, I was asked to remove Siggy from Uploaders (#298370) by
  Jeroen van Wolffelaar; also should I upload it to
  testing-proposed-updates? More importantly I should revert/reopen
  #285591 (but as it is archived, I have no hopes), I just realised
  the last note after closing it with the package update from Joe Orton
  <[EMAIL PROTECTED]> now, that it should be fixed in tla. Thus the bug
  should be reassigned somehow or a new one should be
  reported against tla.
- kernel-patch-grsecurity2, some mistyped things in README.Debian
  (#304974), should I upload it to testing-proposed-updates or wait
  and do more changes before asking for its Sarge inclusion?
- mozilla-locale-hu, where I missed some updates, a new .xpi is
  available. I would target t-p-u again.

Thanks in advance,
Laszlo/GCS


signature.asc
Description: This is a digitally signed message part


tla package is lagging a bit

2005-05-08 Thread Laszlo Boszormenyi
Hi,

 The tla package maintainer is a bit hanging with maintaining it. Can
someone follow on it and contact [EMAIL PROTECTED] ? I mean the
following bugs: #247673 and #308104 (policy issue), #289402 (missing
dependency), #289692 (FTBFS on amd64 with gcc-4.0), #292087 (FTBFS
because missing build dependency on time). Last upload was at Jan 8th.
I have already contacted him regarding #285591 (reported against neon,
but seems to be a tla bug as well; see at down).

Regards,
Laszlo/GCS




mrtg package problems

2005-05-10 Thread Laszlo Boszormenyi
Hi,

The mrtg and related packages seem to be orphaned. Shiju p. Nair
last did an upload on 2004 April the 6th. Since then, there are only
NMUs, like it was NMUed constantly since 2002. The package is in a bit
bad shape, would be good if someone looked into them; there are even
seven years old bugs, but well, others are only five or three years
old. Is there any better package for this task, so mrtg can be
dropped maybe? But as some bugs have patch included, maybe someone
else can prepare a bugfixing version.
On the other hand, I think 2.11.1-1.1 should be pushed to Sarge.

Regards,
Laszlo/GCS




update for kernel-patch-grsecurity2

2005-05-14 Thread Laszlo Boszormenyi
Hi,

 I need an update for kernel-patch-grsecurity2 (in Sarge currently).
The update would be for the new (security related) kernel versions, as
upstream updated the grsecurity2 patch for that, no other changes done.
Would it be accepted for Sarge?
Also I am not sure how the update should be done in the Debian package:
1) delete the one for 2.6.11.7 and include the one for 2.6.11.9; but it
   means the diff would be _big_.
2) update the .orig.tar.gz, but then I need to change the upstream
   version from 2.1.5 to 2.1.5.1 or something, as the .orig.tar.gz can
   not be changed once in the archives, right? But I would not like to
   make false thinking for the Release Managers that this is a new
   upstream version, as it isn't.

Regards,
Laszlo/GCS




Re: update for kernel-patch-grsecurity2

2005-05-14 Thread Laszlo Boszormenyi
Hi Vorlon,

On Sat, 2005-05-14 at 15:59 -0700, Steve Langasek wrote:
> > The update would be for the new (security related) kernel versions, as
> > upstream updated the grsecurity2 patch for that, no other changes done.
> > Would it be accepted for Sarge?
> 
> What new kernel versions are you referring to?
 The package contains the patch for 2.6.11.7, but the main kernel
version is increased because of recent security problem fix
(CAN-2005-1263) to 2.6.11.9 (2.6.11.8 also fixed a reproducible SMP
crash, incorrect sysfs permissions and a bttv hang). Thus grsecurity2
upstream updated the patch to apply against 2.6.11.9.

> If the only reason for this update is for compatibility with 2.6.11.9, then
> such an update would not be accepted.  We aren't shipping any 2.6.11.x
> kernels with sarge.
 Yes, I know that Sarge won't contain any 2.6.11.x kernels; but users
can download it, and roll their own kernel as the Sarge default 2.6.8 is
getting old and overloaded with all the fixes, security backported.
I thought that grsecurity2 contains a patch for an old kernel version,
which has a known security hole by now; thus we should support users and
update the patch for the most security fixed kernel version as it is
just a security related update and not new upstream release. But I will
accept your final words here.

Regards,
Laszlo/GCS




different packages should enter Sarge

2005-05-28 Thread Laszlo Boszormenyi
Dear RMs,

There are some packages that need attention:
1) Please remove metalog from Sarge; I am the
   maintainer of it, and do not feel that it is
   mature enough for the release.
2) Please let neon enter Sarge as it contains only
   changes to control, copyright and changelog except
   a one-liner of source change, which reverts a
   change back to 0.24.7.dfsg-0.2 . I am not a security
   expert, but the addition of OpenSSL_add_all_algorithms()
   to the ne_ssl_context_create() function by me (see #285591)
   was a mistake and may cause a problem. This is seconded by
   upstream, Joe Orton (a RedHat employer); see the bugreport.
3) Updated kernel-patch-grsecurity2 with spelling corrections
   of README.Debian, updated the documentation that one should
   use a vanilla kernel source (see #310577). It _may seem_ to be
   a new release, but it _isn't_. I just also removed the old patches
   which apply to kernels with security bugs, and updated the diff
   offsets for 2.6.11.11 in the latest release (no changes to the patch
   itself).  The .diff.gz just would have been huge, that's why I had to
   do a seems-to-be-new .orig.tar.gz . I haven't uploaded it until
   it is allowed. Available at http://www.barcikacomp.hu/debian/ .
4) I would like to update gradm2 with a new Czech debconf translation.
   Can I upload it to testing-proposed-updates?

Thanks for your time,
Laszlo/GCS




please remove metalog from Sarge

2005-05-30 Thread Laszlo Boszormenyi
Dear RMs,

 Please hint metalog for removal, as me, its maintainer in Debian
thinks it's in a bad state:
1) has bad configuration for real use (#284557);
2) logdirs created with wrong user/group/permissions (#303033).

Thus it is not good for users, anyone would like to use it has to
correct the logdir permissions, and do a real configuration.

Thanks and regards,
Laszlo/GCS




neon transition

2006-03-08 Thread Laszlo Boszormenyi
Hi release team,

 There's an ongoing neon 0.24.x to 0.25.x transition in Sid. Most of the
packages are updated. There are some drawbacks at the moment:
1) Subversion is held in the NEW queue since two weeks due to a binary
package rename.
2) Thus even if the rapidsvn transition is done, its upload is waiting
on the new Subversion package.
3) There's no sense to allow neon to Etch until dependent packages are
not ready to enter Etch (Subversion is held, rapidsvn waits on it, etc).
May I ask Vorlon to put the neon Etch transition on hold?
On the other hand, I would like to fix #336491 , but I don't know that
libkrb53 or libkrb5-17-heimdal would be better to depend on. Tried to
find the RedHat/Fedora way, but couldn't find it now.

Other packages like davfs2 is told to be ready this week.

Regards,
Laszlo/GCS




Re: neon transition

2006-03-08 Thread Laszlo Boszormenyi
On Wed, 2006-03-08 at 22:13 +0100, Rene Engelhard wrote:
> And you completely didn't inform your fellow maintainers about the plan, [...]
 Not all of you, I really missed OOo. My fault, I have no excuse.
Others were informed, also checked local that they are buildable with
neon 0.25.x .

Regards,
Laszlo/GCS




Re: neon transition

2006-03-08 Thread Laszlo Boszormenyi
On Thu, 2006-03-09 at 08:56 +1100, Aníbal Monsalve Salazar wrote:
> What about all the other packages involved in this transition?
[...]
>   libsvn0
>   subversion
 Done, but waiting in NEW.

>   rapidsvn
 Informed, done, but upload is waiting on Subversion.

>   openoffice.org-core
 Missed, but Rene wrote that he is just uploading it.

>   librpm4
 Done.

>   kdesvn
 Waits for Subversion.

>   kdesdk-misc
 Hmmm? How do you got this? I have never seen it before and could not
see this now even.

>   davfs2
 Informed, Luciano said that package will be ready sometime this week.

>   tla
>   bazaar
 I don't have information on these. If I'm not mistaken, I have sent a
letter, but haven't received any response. I have checked tla and it was
building right with neon 0.25 .

Regards,
Laszlo/GCS




Bug#602530: unblock: neon27/0.29.3-3

2010-11-05 Thread Laszlo Boszormenyi
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock neon27 , which fixes #480041 [1] , an SSL cert failure
with the patch that got accepted upstream. It's simple, it repeats
GnuTLS handshake while it needs to be retried:
--- a/src/ne_socket.c
+++ b/src/ne_socket.c
@@ -1789,7 +1789,9 @@
 }
 sock->ops = &iofns_ssl;

-ret = gnutls_handshake(sock->ssl);
+do {
+ret = gnutls_handshake(sock->ssl);
+} while (RETRY_GNUTLS(sock, ret));
 if (ret < 0) {
error_gnutls(sock, ret);
 return NE_SOCK_ERROR;
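
Review bot: the `do { ... } while (RETRY_GNUTLS(sock, ret));` loop around `gnutls_handshake()` has no visible bound on retries or elapsed time, so if the peer stalls mid-handshake and RETRY_GNUTLS keeps evaluating true, the connect path never reaches the `ret < 0` check. RETRY_GNUTLS is not defined in these lines; the description should state which return codes it retries on and whether the socket's read timeout applies inside the loop, and a short comment above the loop saying why the handshake is repeated would help.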

Thanks,
Laszlo/GCS
[1] http://bugs.debian.org/480041







Bug#602707: unblock: syslog-ng/3.1.2-2

2010-11-07 Thread Laszlo Boszormenyi
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

Please unblock syslog-ng 3.1.2-2 , which fixes an initscript bug[1] on
reload. The diff is small:
--- debian/syslog-ng.init   2010-08-04 21:12:39.0 +0200
+++ debian/syslog-ng.init   2010-11-04 19:15:31.0 +0100
@@ -91,7 +91,7 @@
 if $SYSLOGNG -s $SYSLOGNG_OPTS
 then
   start-stop-daemon --stop --signal 1 --quiet --exec "$SYSLOGNG" \
---pidfile "$PIDFILE" $SYSLOGNG_OPTS
+--pidfile "$PIDFILE"
   RET="$?"
   log_end_msg $RET
   return $RET
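
Review bot: in the `start-stop-daemon --stop` call, removing `$SYSLOGNG_OPTS` after `--pidfile "$PIDFILE"` deserves a one-line comment in the init script (or a changelog entry) saying that these are syslog-ng options, as the `$SYSLOGNG -s $SYSLOGNG_OPTS` context line shows, and do not belong on the start-stop-daemon command line, so a later edit does not put them back. The same context line leaves `$SYSLOGNG` unquoted while `--exec "$SYSLOGNG"` quotes it; quoting both would be consistent.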

Thanks,
Laszlo/GCS
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599276







RFC: syslog-ng important bugfix release

2010-11-23 Thread Laszlo Boszormenyi
Hi Release Team,
syslog-ng upstream,

There are some critical bugfixes released as syslog-ng v3.1.3 from
upstream. None of them are reported to our BTS, but the changelog
follows:
test_csvparser: added testcase to cover empty values
LogWriter: set msg_context to NULL in case of the failure path
fixed compilation warning
Limited number of hexadecimal and octal digits interpreted as one
  character
fixed global configuration object possible use after free problem
[logreader] Request a reopen if the FD is stale.
logwriter flush (on exit)
Fixed default permission if the opened file didn't exist
Fixed a typo of octal value encoding
Check in solaris 10 if syslog-ng really running, not just have left it's
  pidfile.
cfg-lex.l: fixed hexadecimal number processing and added \xFF format
  character literals
templates: make it possible to include a literal '$' in the template
LogSource: the window size of source connections was messed up if a new
  connection was established
afinter: fixed possible flow-control problem
config file: accept 3.1 as a config version (or any other similarly well
  formatted value)
fixed program_override() setting
afsql: fix port() option
mark_freq: fixed 100% CPU usage when mark_freq() is changed to 0 during
  a SIGHUP
csvparser: remove the need to explicitly specify an escaping mode

Upstream commits can be checked in their git repository[1].
Would you allow its transition to Squeeze if uploaded or should I
somehow cherry pick the most critical changes and put them as patches to
the v3.1.2 release in testing?

Regards,
Laszlo/GCS
[1] http://git.balabit.hu/?p=bazsi/syslog-ng-3.1.git;a=shortlog





Bug#605494: unblock: syslog-ng/3.1.3-1

2010-11-30 Thread Laszlo Boszormenyi
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

Please unblock syslog-ng 3.1.3-1 to Squeeze. It's an important bugfix
only release from upstream. Fixes #603617 which make it able to parse
the configuration file version correctly. Includes the following fixes
as well[1]:
test_csvparser: added testcase to cover empty values
LogWriter: set msg_context to NULL in case of the failure path
fixed compilation warning
Limited number of hexadecimal and octal digits interpreted as one
  character
fixed global configuration object possible use after free problem
[logreader] Request a reopen if the FD is stale.
logwriter flush (on exit)
Fixed default permission if the opened file didn't exist
Fixed a typo of octal value encoding
Check in solaris 10 if syslog-ng really running, not just have left it's
  pidfile.
cfg-lex.l: fixed hexadecimal number processing and added \xFF format
  character literals
templates: make it possible to include a literal '$' in the template
LogSource: the window size of source connections was messed up if a new
  connection was established
afinter: fixed possible flow-control problem
config file: accept 3.1 as a config version (or any other similarly well
  formatted value)
fixed program_override() setting
afsql: fix port() option
mark_freq: fixed 100% CPU usage when mark_freq() is changed to 0 during
  a SIGHUP
csvparser: remove the need to explicitly specify an escaping mode

Regards,
Laszlo/GCS
[1] http://git.balabit.hu/?p=bazsi/syslog-ng-3.1.git;a=shortlog







Re: Your recent sqlite3 and neon27 uploads

2010-12-13 Thread Laszlo Boszormenyi
Hi Adam,

On Mon, 2010-12-13 at 21:30 +, Adam D. Barratt wrote:
> I noticed that you've recently uploaded new upstream versions of sqlite3
> and neon27 to unstable.  Were either of these uploads targetted at
> Squeeze?
 Yes, both. The easiest is neon27, which is a clean upload of the
previous one which contained the fixes as backported patches.
About sqlite3: it fixes important bugs like memory leaks[1][2][3][4][5],
a segfault[6], a maybe memory leak[7] and a buffer overread[8] among
others.

Regards,
Laszlo/GCS
[1] http://www.sqlite.org/src/info/a04e42a3fc
[2] http://www.sqlite.org/src/info/860399cc40
[3] http://www.sqlite.org/src/info/d3c95e3a4e
[4] http://www.sqlite.org/src/info/1d17e3dc83
[5] http://www.sqlite.org/src/info/507027b70f
[6] http://www.sqlite.org/src/info/f91471e723
[7] http://www.sqlite.org/src/info/d3c95e3a4e
[8] http://www.sqlite.org/src/info/84194c4195





Re: Your recent sqlite3 and neon27 uploads

2010-12-17 Thread Laszlo Boszormenyi
Hi Adam,

On Thu, 2010-12-16 at 19:21 +, Adam D. Barratt wrote:
> On Mon, 2010-12-13 at 22:48 +0100, Laszlo Boszormenyi wrote:
[ about neon27 packages ]
> It doesn't *just* contain the fixes which were previously backported
> though, there are code changes included which were not present in
> 0.29.3-3.  From a quick look, I'm not immediately convinced that those
> code changes are RC; the moving of the patches in to the upstream code
> certainly isn't.
There are changes for win32 and Solaris; the changelog says:
Fix possible Solaris linker errors if building static library
Win32: Fix Kerberos authentication support with SSPI (Danil Shopyrin) 
Further fix for SSPI support on Win32 (Danil Shopyrin)

Also fixes the following:
Fix error handling when pulling a request body from an file (thanks to
  Lou Montulli)
Fix ne_request_dispatch() return value for SOCKS proxy failure cases
Tighten SSL cert ID checks to deny a wildcard match against an IP
  address

The latter can be important, but I agree that other OSes fixes are not.

> The bigger issue is that because neon27 calls dh_makeshlibs with -V, the
> shlibs are bumped with every upload even if it's not necessary.
 Will remove that switch.

> Looking forward to hearing your thoughts on where we go from here.
 We've two routes. For the first and very last time, you let neon27 to
go into Squeeze and I won't upload anything during freeze without asking
and confirmation now and ever.
Second, I upload a new neon27 package, with patches that back out all
unrelated changes. In short, I make a v0.29.3 + previously backported
changes from the v0.29.5 tree. If I should go this route, may I name it
0.29.5-1really0.29.3 ?

BTW, I'm subscribed to the list and no need to Cc.
Regards,
Laszlo/GCS





Re: Your recent sqlite3 and neon27 uploads

2010-12-17 Thread Laszlo Boszormenyi
Hi Adam,

On Fri, 2010-12-17 at 20:10 +, Adam D. Barratt wrote:
> The package descriptions of libneon27{,-gnutls} say "WARNING: THE NEON
> API IS NOT YET STABLE" so removing the versioning entirely might not be
> a good idea; on the basis that there don't appear to have been any
> obvious API changes since the version currently in squeeze, [...]
 This sounds like a very strict warning. The full story continues as:
"The neon API is subject to backwards-incompatible change over minor
versions (0.24.x -> 0.25.x) but is stable across patch releases (0.24.0
-> 0.24.x)."
It's not completely true for a while now. The API changed since 0.24.0
to 0.25.0 and to 0.26.0 ... That's why there were neon24, neon25 and
neon26 packages. As of 0.27.0, the API remained exactly the same to
0.28.0 and 0.29.0 even and still it is as 0.29.5 .

> how about
> something like:
 You mean leave 0.29.5 in the archive as is, but with shlibs as 0.29.3 ?
Like I prepared the package[1] and as debdiff[2] shows?

> The "usual" approach is to re-upload the earlier upstream
> source using a version number such 0.29.5really0.29.3, making the binary
> 0.29.5really0.29.3-1.
 If I'm mistaken with the above, will do it ASAP; but please give me a
day.

Regards,
Laszlo/GCS
[1] dget http://www.routers.hu/gcs/neon27_0.29.5-2.dsc
[2] http://www.routers.hu/gcs/neon27.diff





Re: Your recent sqlite3 and neon27 uploads

2010-12-21 Thread Laszlo Boszormenyi
On Fri, 2010-12-17 at 22:58 +, Adam D. Barratt wrote:
> Or I might just have confused myself instead *sigh*  If you were
> suggesting uploading 0.29.5-2 with the shlibs change to use 0.29.3 and
> then leaving it in unstable and 0.29.3 in squeeze then yes, that would
> be fine.
 Please give a quick look at the package[1] or review the debdiff[2].

> Adam (who promises to stop replying to himself, at least for tonight)
 No worries and sorry for the delay. I was abroad and later I didn't
feel very good. If you allow this, I'll upload ASAP.

Laszlo/GCS
[1] http://www.routers.hu/gcs/neon27_0.29.5-2.dsc
[2] http://www.routers.hu/gcs/neon27.diff





mozilla security bugs, NMU?

2006-06-15 Thread Laszlo Boszormenyi
Hi,

 This bug is open for almost two months. As Mozilla version 1.7.13 fixes
several security bugs, please package it. If you don't have time, can I
NMU it?

Thanks,
Laszlo/GCS




Re: RFH: PHP unbuildable due conflicting dependencies of apache-dev and apache2-prefork-dev

2006-08-19 Thread Laszlo Boszormenyi
Hi,

On Sat, 2006-08-19 at 15:53 +0200, Ondrej Sury wrote:
> I was trying to prepare security update of php5 and php4 [...]

> apache-dev depends on libbdb4.4-dev
> apache2-prefork-dev depends on libbdb4.3-dev
> libbdb4.4-dev conflicts with libbdb4.3-dev
> 
> This means that we are not able to upload any php build at all.
> 
> I know that it's not problem of apache2, but of php build system.
 I think _it is_ a problem of Apache2, PHP needs both apache-dev and
apache2-dev to build correctly.

Please Apache2 maintainers build-depend on libdb4.4-dev .

Thanks,
Laszlo/GCS




neon26 and .la files

2006-11-24 Thread Laszlo Boszormenyi
Hi Release Team,

 I ask for a standpoint for #400140 [1] which asks for put back
library .la files into libneon26{,-gnutls-}-dev . They were removed due
to #386652 [2], where the Subversion packaging team asked for their
removal. But #400140 [1] says the upstream Subversion source can not be
compiled without them.
So should I let them back to the packages or not? I don't want to ruin
anything as we are close to Etch. The neon26 packages have big reverse
dependencies like Subversion and Openoffice.org .

Thanks in advance,
Laszlo/GCS
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=400140
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=386652
[3] http://www.debian.org/doc/debian-policy/ch-files.html#s-libraries




Permission to upload rdesktop

2006-11-30 Thread Laszlo Boszormenyi
Hi Release Team,

 I ask for permission to upload the current CVS snapshot of rdesktop to
Sid. Upstream says it is fairly stable, customers already using it
without problems. Also it corrects the sound problems described in
#396339 [1]. There's no other changes except smartcard support merged
in, but upstream states it doesn't affect other parts of rdesktop.

Regards,
Laszlo/GCS
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=396339





Re: Please unblock neon26/0.26.2-3.1

2007-01-06 Thread Laszlo Boszormenyi
On Sat, 2007-01-06 at 01:42 +0100, Marc 'HE' Brockschmidt wrote:
> "Steinar H. Gunderson" <[EMAIL PROTECTED]> writes:
> > +neon26 (0.26.2-3.1) unstable; urgency=high
> 
> Unblocked.
 Well, wanted to discuss this fix with upstream. Don't know if it's ok to
reblock it, say until tuesday which is the deadline of response from
upstream.

Regards,
Laszlo/GCS





Re: Please unblock neon26/0.26.2-3.1

2007-01-10 Thread Laszlo Boszormenyi
On Sun, 2007-01-07 at 11:32 +0100, Marc 'HE' Brockschmidt wrote:
> Laszlo Boszormenyi <[EMAIL PROTECTED]> writes:
> >  Well, wanted to discuss this fix with upstream. Don't know if it's ok to
> > reblock it, say until tuesday which is the deadline of response from
> > upstream.
> 
> Done.
 Took one more day due to maillist problems. But quoting upstream:
"Hi Laszlo, thanks a lot for the report and patch (which looks exactly
right)."
So please unblock it and let it to slip into Etch.

Thanks,
Laszlo/GCS





permission to upload a new sqlite3 package

2007-01-11 Thread Laszlo Boszormenyi
Hi,

I would like to upload sqlite3 3.3.10 to unstable, which is available as
dget http://www.lsc.hu/gcs/deb/sqlite3_3.3.10-1.dsc
Yes, the diff is a bit big as it contains a new API[1]; but fixes a
database corruption issue and contains other important bugfixes. Version
3.3.10 contains even more bugfixes and an important reported one[2].
Meanwhile I also fix a normal title bugreport as well, which makes
possible to use and compile extensions.
Upstream says upgrade is recommended for both release. IMHO it would be
important to get this for etch; even after the ten days delay if we
would like to be extra sure. Thanks for consideration,
Laszlo/GCS
[1] http://www.sqlite.org/capi3ref.html#sqlite3_prepare_v2
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=397531
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=404242





permission to upload neon26

2007-01-21 Thread Laszlo Boszormenyi
Hi,

The diff between 0.26.2-3 and 0.26.2-4 [1] is that a security fix is
applied (accepted the NMU) and the fix of #400140 , which adds .la files
again, but corrected with the power of sed. The latter would make neon26
dependent upstream sources compilable again; fix was proposed by
upstream.
Checked, does not break buildability of deb packages.

Regards,
Laszlo/GCS
[1] dget http://www.lsc.hu/gcs/deb/neon26_0.26.2-4.dsc





Re: permission to upload neon26

2007-01-23 Thread Laszlo Boszormenyi
On Mon, 2007-01-22 at 00:01 +0100, Marc 'HE' Brockschmidt wrote:
> Steve Langasek <[EMAIL PROTECTED]> writes:
> > On Sun, Jan 21, 2007 at 11:21:40PM +0100, Marc 'HE' Brockschmidt wrote:
> >> Well, .la needs to die, but I have to admit that breaking the .la
> >> interface this late in the release cycle was a bad idea. So yes, I think
> >> you should upload this (and would unblock it).
> > What do you mean, "this late"?  The bug was reported before the general
> > freeze started, and the only thing it's reported to break is upstream
> > versions of subversion.
> 
> After a short IRC conversation with vorlon, I'm of his opinion - so
> please do *not* upload the new -4 which is readding the .la files.
 OK. I ask again, as there's a new upstream version[1], which is a
bugfix release only. The first is a security fix, which is available in
the NMU, but with the new upstream version number users can be sure they
have that fix. Also fixes a regression and a parameter handling.
May I upload it to unstable[2]? If yes, would be the .la fix acceptable
with it?

Thanks for consideration,
Laszlo/GCS
[1] http://www.webdav.org/neon/
[2] dget http://www.lsc.hu/gcs/deb/neon26_0.26.3-1.dsc





unblock request of kernel-patch-grsecurity2

2007-01-25 Thread Laszlo Boszormenyi
Hi Release Team,

 Please let kernel-patch-grsecurity2 to testing. It's a new upstream
release (add support of 2.6.19.2 and 2.4.32), but fixes CVE-2007-0257.
I think adding such a kernel patchset won't instabilize Etch in any way.

Thanks,
Laszlo/GCS





unblock request of sqlite

2007-02-10 Thread Laszlo Boszormenyi
Hi Release Team,

 Please let sqlite into Etch, it contains only debconf changes; already
survived ten days in Sid.

Thanks,
Laszlo/GCS





binNMU sqlite3 and vice compilation on i386

2011-12-06 Thread Laszlo Boszormenyi
Hi Release Team!

I got a bugreport against SQLite3 Tcl bindings that it can't be loaded,
see #650961 [1]. Indeed, the line which loads it is missing from its
pkgIndex.tcl file. I've checked and it's missing on all archs, including
kfreebsd-* ones. I've no idea how this happened, but a simple rebuilding
fix this. Please schedule +b1 on all archs.

What's the minimum processor requirements that we support on i386? An
other bugreport, #651246 [2] shows that the murphy buildd compiled a
code which does not run on all x86 CPU. What can I do with this
bugreport?

Regards,
Laszlo/GCS
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650961
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651246





Re: binNMU sqlite3 and vice compilation on i386

2011-12-24 Thread Laszlo Boszormenyi
On Wed, 2011-12-07 at 09:29 +0100, Julien Cristau wrote:
> On Wed, Dec  7, 2011 at 07:19:54 +0100, Laszlo Boszormenyi wrote:
> > I got a bugreport against SQLite3 Tcl bindings that it can't be loaded,
> > see #650961 [1]. Indeed, the line which loads it is missing from its
> > pkgIndex.tcl file. I've checked and it's missing on all archs, including
> > kfreebsd-* ones. I've no idea how this happened, but a simple rebuilding
> > fix this. Please schedule +b1 on all archs.
> > 
> I'd prefer to know why it happened before I do that.
 Tried to guess it, but no luck. There were no tcl8.5 upload around that
time. It couldn't be my pbuilder environment as it's missing on all
archs. Thus buildds made the same mistake. The person filed the bug,
confirms that a simple rebuild fixes this issue. Did the rebuild in my
pbuilder environment and it also fixes the bug.

On Sun, 2011-12-18 at 14:52 +, Adam D. Barratt wrote:
> Ping?
 I'm not at home but in the Alps and my internet possibilities are weak.
Will arrive back on the 30th.

Laszlo/GCS





Bug#664078: transition: tokyocabinet

2012-04-30 Thread Laszlo Boszormenyi
Hi Julien,

On Sun, 2012-04-29 at 19:05 +0200, Julien Cristau wrote:
> On Wed, Apr 11, 2012 at 08:07:54 +0200, Tobias Frost wrote:
> > seems that bogofilter can be fixed soon, it seems that Steven found an
> > workaround in the sqlite3 library. (See #665363)
> What's up with that?
The "bug" lies in SQLite3, in commit 2e8ab3cedf [1], as src/mem1.c
adds malloc_usable_size() to sqlite3MemSize() to get the available
memory to use. On my amd64 system, malloc() calls are rounded up to n*24
bytes and that size may be usable. However, as the manpage states:
"Returns the number of bytes available in the dynamically
allocated buffer ptr, which may be greater than the requested
size (but is guaranteed to be at least as large, if the request was
successful). Typically, you should store the requested allocation
size rather than use this function."

So in general nothing is wrong if you use the size reported by this
function. However, when you set MALLOC_CHECK_ to 1 or 2, glibc enforces
the requested size. This is where the problem lies. SQLite3 uses the
memory normally, a slightly larger size than originally requested but not
more than the maximum available. This is normal and doesn't cause memory
corruption. But when asked via the MALLOC_CHECK_ setting, glibc detects
the difference and issues a warning only (=1) or aborts (=2).
Bogofilter asks for this check in src/tests/t.frame in lines 173 and 174.
It may be debatable where to fix this: do not set glibc malloc
enforcement in Bogofilter, or disable this memory use in SQLite3 itself.
Let's go on with the latter.

By the way, attached is a small example that demonstrates this problem on
64 bit archs. Compile with 'gcc -o check check.c' and run check with
MALLOC_CHECK_ set to 0 and later set to 2.

Regards,
Laszlo/GCS
[1] http://www.sqlite.org/src/info/2e8ab3cedf
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>

int main(void)
{
  void *p = NULL;
  size_t size = 7;

  /* allocate a small size of memory and inform the user */
  printf("Size to malloc(): %zu\n", size);
  p = malloc(size);
  /* stop early if the allocation failed */
  if (p == NULL)
    return 1;
  /* check how much memory we got */
  size = malloc_usable_size(p);
  printf("Size reported by malloc_usable_size(): %zu\n", size);
  /* use that memory (this is more than the 7 bytes requested) */
  memset(p, 0x0, size);
  /* we don't need the memory anymore */
  free(p);
  /* just inform the user about the exit */
  printf("Program ends normally.\n");
  return 0;
}
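
The manpage advice quoted in the message above ("store the requested allocation size"), worked out as an added example; it is not part of the original mail and is not SQLite's or Bogofilter's code. The `sized_*` names and the 8-byte header layout are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wrapper (names are not from SQLite): every block carries an
 * 8-byte header recording the size handed out to the caller, so the caller
 * never has to ask malloc_usable_size() how much it may touch. */
#define HDR_SIZE sizeof(uint64_t)

/* Round a request up to a multiple of 8; 0 means "invalid or overflow". */
static size_t padded_size(size_t n)
{
  size_t padded = (n + 7) & ~(size_t)7;
  if (n == 0 || padded < n || padded > SIZE_MAX - HDR_SIZE) return 0;
  return padded;
}

void *sized_malloc(size_t n)
{
  size_t padded = padded_size(n);
  uint64_t *hdr;

  if (padded == 0) return NULL;
  hdr = malloc(HDR_SIZE + padded);   /* the full amount is *requested* */
  if (hdr == NULL) return NULL;
  hdr[0] = (uint64_t)padded;         /* remember what the caller may use */
  return hdr + 1;
}

/* Usable size as recorded at allocation time; 0 for a NULL pointer. */
size_t sized_size(const void *p)
{
  return p ? (size_t)((const uint64_t *)p)[-1] : 0;
}

void sized_free(void *p)
{
  if (p) free((uint64_t *)p - 1);
}

void *sized_realloc(void *p, size_t n)
{
  size_t padded = padded_size(n);
  uint64_t *hdr;

  if (p == NULL) return sized_malloc(n);
  if (padded == 0) return NULL;      /* old block stays valid */
  hdr = realloc((uint64_t *)p - 1, HDR_SIZE + padded);
  if (hdr == NULL) return NULL;      /* old block stays valid */
  hdr[0] = (uint64_t)padded;
  return hdr + 1;
}

/* Allocate `request` bytes, write to every byte the wrapper reports as
 * usable, and return that reported size (0 if the allocation failed). */
size_t fill_reported(size_t request)
{
  void *p = sized_malloc(request);
  size_t usable = sized_size(p);

  if (p == NULL) return 0;
  memset(p, 0, usable);              /* stays inside the malloc() request */
  sized_free(p);
  return usable;
}

/* Grow a block and confirm that contents and bookkeeping survive. */
int grow_keeps_data(void)
{
  unsigned char *p = sized_malloc(7), *q;
  size_t i, old;

  if (p == NULL) return 0;
  old = sized_size(p);
  memset(p, 0xAB, old);
  q = sized_realloc(p, 100);
  if (q == NULL) { sized_free(p); return 0; }
  for (i = 0; i < old; i++)
    if (q[i] != 0xAB) { sized_free(q); return 0; }
  i = sized_size(q);
  sized_free(q);
  return i == 104;                   /* 100 rounded up to a multiple of 8 */
}

int main(void)
{
  printf("requested 7, usable per header: %zu\n", fill_reported(7));
  printf("realloc keeps data: %d\n", grow_keeps_data());
  return 0;
}
```

Because every byte the caller touches was part of the malloc() request, the program behaves the same with MALLOC_CHECK_ set to 0 or 2; the price is 8 bytes of header per allocation.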


Bug#841638: transition: libcrypto++

2016-10-21 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

I'd like to update libcrypto++ from 5.6.4 to 5.6.5; which is a
semi-transition. Packages I've tried work with both versions,
however without binNMUs those will print this:
Symbol `_ZTVN8CryptoPP23FilterWithBufferedInputE' has different size in shared object, consider re-linking
Symbol `_ZTVN8CryptoPP10HexEncoderE' has different size in shared object, consider re-linking
Symbol `_ZTVN8CryptoPP11ProxyFilterE' has different size in shared object, consider re-linking

This matches upstream recommendation[1]:
"maintenance release, recompile of programs recommended"

I know about #841443 [2] and it will be fixed with the new upload.

Regards,
Laszlo/GCS
[1] http://www.cryptopp.com/release565.html
[2] https://bugs.debian.org/841443



Bug#842816: nmu: syslog-ng_3.7.3-3

2016-11-01 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hi,

I ask for binNMU of syslog-ng to build with PIE with the new
toolchain. Currently it prevents fixing of syslog-ng-incubator[1] as
it can't link with one of its libraries.

Thanks,
Laszlo/GCS

nmu syslog-ng_3.7.3-3 . ANY . unstable . -m "Recompile static libraries with PIE"

[1] https://bugs.debian.org/839454



Bug#846271: transition: ntfs-3g

2016-11-29 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Dear Release Team,

Mini transition of ntfs-3g which changed the library name from
libntfs-3g871 to libntfs-3g872 . These are co-installable and the
new version is in experimental, built on all release architectures.
The affected packages are[1]:
partclone
testdisk
wimlib

All build fine with the new ntfs-3g release as well. Hope this can be
done before the Stretch release.

Kind regards,
Laszlo/GCS
[1] https://release.debian.org/transitions/html/auto-ntfs-3g.html



Bug#846613: transition: gflags

2016-12-02 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Dear Release Team,

Small transition of gflags which changed the library name from
libgflags2v5 to libgflags2.2 . These are co-installable and the
new version is in experimental, built on all release architectures,
except mips* (yet).
The affected packages are[1]:
autofdo
ceres-solver
gnss-sdr
google-glog
rocksdb

All build fine with the new gflags release as well. Hope this can be
done before the Stretch release.

Kind regards,
Laszlo/GCS
[1] https://release.debian.org/transitions/html/auto-gflags.html



Bug#853770: unblock: pyro4

2017-01-31 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock

Hi Release Team,

I don't want to hide that due to my mistake, pyro4 package migrated to
Stretch without the selectors34 dependency of python2-pyro4 even
packaged. It was only partly fixed with importing the selectors module
instead[1] - that fixes the client mode but the multiplexed server
still fails (the user has to change to the threadpool variant).

I see the following solutions:
1) Drop the python2 variant of Pyro4 and only ship the python3 one
   (worst case).
2) Allow the packaged selectors34 module[2] to Stretch (not yet
   uploaded) as it's a one-file module.
3) Add the selectors34.py to the pyro4 package, debdiff to the Stretch
   version is attached.
4) Use the upstream commit not to fail with the import, but inform the
   user to switch to the threadpool variant with a RuntimeError[3]
   when using the Python 2 variant.

Which solution would be allowed for Stretch?

Thanks,
Laszlo/GCS
[1] https://bugs.debian.org/852245
[2] dget -x http://www.barcikacomp.hu/gcs/selectors34_1.1.0-1.dsc
[3] https://github.com/irmen/Pyro4/commit/edfdbb2ce4279d929b306d00ac8fbc6543a0807b
diff -Nru pyro4-4.53/debian/changelog pyro4-4.53/debian/changelog
--- pyro4-4.53/debian/changelog	2017-01-06 12:45:50.0 +
+++ pyro4-4.53/debian/changelog	2017-01-31 16:56:26.0 +
@@ -1,3 +1,20 @@
+pyro4 (4.53-3) unstable; urgency=medium
+
+  * Add selectors34 to Python2 package for proper Python2 compatibility
+(closes: #852245).
+
+ -- Laszlo Boszormenyi (GCS)   Tue, 31 Jan 2017 16:56:26 +
+
+pyro4 (4.53-2) unstable; urgency=medium
+
+  * Rework Python version detection.
+  * Remove requires.txt from the installed files.
+
+  [ Marcin Kulisz  ]
+  * Fix Python2 compatibility (closes: #852245).
+
+ -- Laszlo Boszormenyi (GCS)   Mon, 23 Jan 2017 21:17:56 +
+
 pyro4 (4.53-1) unstable; urgency=low
 
   * New upstream release.
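Review bot: both new entries, 4.53-2 and 4.53-3, carry "closes: #852245". Since 4.53-2 already closed that bug, the 4.53-3 entry should state what was still broken afterwards (the request says the multiplexed server kept failing), so that the changelog on its own explains why the same bug is closed twice.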
diff -Nru pyro4-4.53/debian/control pyro4-4.53/debian/control
--- pyro4-4.53/debian/control	2017-01-06 12:45:50.0 +
+++ pyro4-4.53/debian/control	2017-01-31 16:56:26.0 +
@@ -33,7 +33,7 @@
 
 Package: python2-pyro4
 Architecture: all
-Depends: python2-serpent (>= 1.16), ${misc:Depends}, ${python:Depends}
+Depends: python2-serpent (>= 1.16), python-six, ${misc:Depends}, ${python:Depends}
 Conflicts: python3-pyro4
 Replaces: python3-pyro4
 Suggests: pyro4-doc, pyro4
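Review bot: the Depends line of python2-pyro4 gains python-six, but neither changelog entry in this debdiff mentions a new dependency. Add a changelog line saying why six is needed (for example, if debian/selectors34.py imports it), so the dependency change can be judged for the unblock.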
diff -Nru pyro4-4.53/debian/copyright pyro4-4.53/debian/copyright
--- pyro4-4.53/debian/copyright	2013-07-10 18:22:45.0 +
+++ pyro4-4.53/debian/copyright	2017-01-31 16:56:26.0 +
@@ -25,6 +25,54 @@
  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  SOFTWARE.
 
+Files: debian/selectors34.py
+Copyright: Copyright (C) 2015- Berker Peksag 
+License: PSFL-2
+ 1. This LICENSE AGREEMENT is between the Python Software Foundation
+ ("PSF"), and the Individual or Organization ("Licensee") accessing and
+ otherwise using this software ("Python") in source or binary form and
+ its associated documentation.
+ .
+ 2. Subject to the terms and conditions of this License Agreement, PSF hereby
+ grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce,
+ analyze, test, perform and/or display publicly, prepare derivative works,
+ distribute, and otherwise use Python alone or in any derivative version,
+ provided, however, that PSF's License Agreement and PSF's notice of copyright,
+ i.e., "Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009,
+ 2010, 2011 Python Software Foundation; All Rights Reserved" are retained in
+ Python alone or in any derivative version prepared by Licensee.
+ .
+ 3. In the event Licensee prepares a derivative work that is based on
+ or incorporates Python or any part thereof, and wants to make
+ the derivative work available to others as provided herein, then
+ Licensee hereby agrees to include in any such work a brief summary of
+ the changes made to Python.
+ .
+ 4. PSF is making Python available to Licensee on an "AS IS"
+ basis.  PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR
+ IMPLIED.  BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND
+ DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS
+ FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT
+ INFRINGE ANY THIRD PARTY RIGHTS.
+ .
+ 5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON
+ FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS
+ A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON,
+ OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
+ .
+ 6. This License Agreement will automatically terminate upon a material
+ breach of its terms and conditions.
+ .
+ 7. Nothing in this License Agreement shall be deemed to create any
+ relationship of agency, partnership, or join

Bug#815260: transition: libpgm

2016-02-20 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

A small transition of libpgm, its soname changed from 5.1 to 5.2 which
is already in experimental.

Affected packages are:
libxs
zeromq
zeromq3

Library packages are co-installable and can be a smooth transition.
However libxs and zeromq need sourceful uploads. The latter is not a
problem as I'm its maintainer.
The former, libxs package seems to be an abandoned one. Upstream no
longer exists, last maintainer upload[1] was in 2012 and NMUed in 2013.
The zeromq{,3} uploads will be handled by me. Of course, I can further
NMU libxs if needed or provide patch for maintainer upload.

Cheers,
Laszlo/GCS
[1] https://packages.qa.debian.org/libx/libxs/news/20120613T174733Z.html



Bug#819528: transition: angular.js

2016-03-29 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

I don't know if the Release Team follows JavaScript library
transitions or not. But I think it's better to be aware of
angular.js (libjs-angularjs) 1.3 (in Sid) to 1.5 (in experimental)
transition. I have noted the affected package maintainers.
Giving links on the migration issues[1][2]. The packages that may
need update:
glances
grafana-data
node-sprintf-js
nqp
owncloud-music
owncloud-tasks

The owncloud modules may not be relevant as owncloud is going to be
removed from the archive. Reason is that upstream has gone hostile[3] and
doesn't want the software in distributions.

Regards,
Laszlo/GCS
[1] https://docs.angularjs.org/guide/migration#migrating-from-1-3-to-1-4
[2] https://docs.angularjs.org/guide/migration#migrating-from-1-4-to-1-5
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816376



Bug#819530: transition: icu

2016-03-29 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

ICU has a new major upstream release, supporting several new things
that I would like to see in Stretch:
- CLDR[1] 28 [2] and 29 [3] support,
- Unicode 8.0.0 [4] support.

As it affects the system from Boost C++ libraries (several packages
build-depend on it) to LibreOffice, it's not uploaded to experimental
even. But my local build tests on amd64 show that Boost 1.58 could be
built and transiently some packages that build-depend on Boost.
The biggest one is LibreOffice which could be built of course. In
short, I compiled ICU 57.1 and installed it -> compiled and installed
Boost 1.58 -> successfully compiled LibreOffice 5.1.2~RC1.
May I proceed with the upload, targeting experimental first?

Regards,
Laszlo/GCS
[1] http://cldr.unicode.org/index
[2] http://cldr.unicode.org/index/downloads/cldr-28
[3] http://cldr.unicode.org/index/downloads/cldr-29
[4] http://www.unicode.org/versions/Unicode8.0.0/#Summary



Bug#819529: transition: libcrypto++

2016-03-29 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

I'd like to do the libcrypto++ 5.6.1 to 5.6.3 transition. The latter is
already in experimental. Affected package maintainers are noted,
waiting for feedback. For the time being, I've rebuilt all affected
packages on amd64:
amule
armory
clementine
murasaki
pycryptopp
synergy
tegrarcm (non-free)

All built successfully and as the libcrypto++ libraries are
co-installable, binNMUs can be enough.

Cheers,
Laszlo/GCS



Bug#821440: transition: ntfs-3g

2016-04-18 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

ntfs-3g previously used a virtual library[1] that caused problems with
packages depending on it. I've created a normal, binNMU safe library
package which currently sits in experimental.
Tested the affected packages:
- partclone
- testdisk
- wimlib

All three build fine and seem to be correct with the new ntfs-3g
package. May I upload it with the new upstream release to Sid?
Mentioned packages will need to be binNMUed.

Cheers,
Laszlo/GCS
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=79



Bug#835443: jessie-pu: package sqlite3/3.8.7.1-1+deb8u2

2016-08-25 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi Release Team,

There's a vulnerability in SQLite3 [1] which was fixed in Sid and
Stretch, but not yet in Jessie. Security Team decided it's a minor
issue and doesn't warrant a DSA.

Another issue, a segfault on heavy 'SAVEPOINT' usage[2][3], which
affects Django, is fixed as well.

Proposed patch is attached.

Thanks for considering,
Laszlo/GCS
[1] https://security-tracker.debian.org/tracker/CVE-2016-6153
[2] http://bugs.debian.org/835205
[3] https://www.sqlite.org/src/info/c4b9c611
diff -Nru sqlite3-3.8.7.1/debian/changelog sqlite3-3.8.7.1/debian/changelog
--- sqlite3-3.8.7.1/debian/changelog	2015-05-02 07:59:48.0 +
+++ sqlite3-3.8.7.1/debian/changelog	2016-08-25 16:10:24.0 +
@@ -1,3 +1,11 @@
+sqlite3 (3.8.7.1-1+deb8u2) jessie; urgency=medium
+
+  * Fix CVE-2016-6153 , Tempdir Selection Vulnerability.
+  * Backport fix for segfault following heavy SAVEPOINT usage
+(closes: #835205).
+
+ -- Laszlo Boszormenyi (GCS)   Thu, 25 Aug 2016 16:10:24 +
+
 sqlite3 (3.8.7.1-1+deb8u1) jessie-security; urgency=high
 
   * Fix CVE-2015-3414 , use of uninitialized memory when parsing collation
diff -Nru sqlite3-3.8.7.1/debian/patches/45-CVE-2016-6153_part1.patch sqlite3-3.8.7.1/debian/patches/45-CVE-2016-6153_part1.patch
--- sqlite3-3.8.7.1/debian/patches/45-CVE-2016-6153_part1.patch	1970-01-01 00:00:00.0 +
+++ sqlite3-3.8.7.1/debian/patches/45-CVE-2016-6153_part1.patch	2016-08-25 16:10:24.0 +
@@ -0,0 +1,31 @@
+Index: sqlite3/src/os_unix.c
+==
+--- sqlite3/src/os_unix.c
 sqlite3/src/os_unix.c
+@@ -5423,10 +5423,10 @@ static const char *unixTempFileDir(void)
+ if( zDir==0 ) continue;
+ if( osStat(zDir, &buf) ) continue;
+ if( !S_ISDIR(buf.st_mode) ) continue;
+-if( osAccess(zDir, 07) ) continue;
+-break;
++if( osAccess(zDir, 03) ) continue;
++return zDir;
+   }
+-  return zDir;
++  return 0;
+ }
+ 
+ /*
+@@ -5446,10 +5446,11 @@ static int unixGetTempname(int nBuf, cha
+   ** using the io-error infrastructure to test that SQLite handles this
+   ** function failing. 
+   */
++  zBuf[0] = 0;
+   SimulateIOError( return SQLITE_IOERR );
+ 
+   zDir = unixTempFileDir();
+-  if( zDir==0 ) zDir = ".";
++  if( zDir==0 ) return SQLITE_IOERR_GETTEMPPATH;
+ 
+   /* Check that the output buffer is large enough for the temporary file 
+   ** name. If it is not, return SQLITE_ERROR.
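Review bot: in the unixGetTempname part, the added "zBuf[0] = 0;" writes to the output buffer before the size check that the following comment announces ("Check that the output buffer is large enough"), so it relies on nBuf being at least 1; an assert( nBuf>0 ) or a short comment would make that precondition explicit. The patch header should also say that replacing "if( zDir==0 ) zDir = ".";" with a return of SQLITE_IOERR_GETTEMPPATH means callers now get an error instead of a fallback to the current directory, since that is the behaviour change users of a point release will see.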
diff -Nru sqlite3-3.8.7.1/debian/patches/46-CVE-2016-6153_part2.patch sqlite3-3.8.7.1/debian/patches/46-CVE-2016-6153_part2.patch
--- sqlite3-3.8.7.1/debian/patches/46-CVE-2016-6153_part2.patch	1970-01-01 00:00:00.0 +
+++ sqlite3-3.8.7.1/debian/patches/46-CVE-2016-6153_part2.patch	2016-08-25 16:10:24.0 +
@@ -0,0 +1,13 @@
+Index: sqlite3/src/os_unix.c
+==
+--- sqlite3/src/os_unix.c
 sqlite3/src/os_unix.c
+@@ -5419,7 +5419,7 @@ static const char *unixTempFileDir(void)
+   azDirs[0] = sqlite3_temp_directory;
+   if( !azDirs[1] ) azDirs[1] = getenv("SQLITE_TMPDIR");
+   if( !azDirs[2] ) azDirs[2] = getenv("TMPDIR");
+-  for(i=0; i=sizeof(azDirs)/sizeof(azDirs[0]) ) break;
++zDir = azDirs[i++];
+   }
+   return 0;
+ }
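Review bot: this patch file starts directly at "Index: sqlite3/src/os_unix.c" with no description, and it edits the same function (unixTempFileDir) that 45-CVE-2016-6153_part1.patch already changed. Please add a header naming the upstream check-in each part was taken from and stating that part2 only applies on top of part1.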
diff -Nru sqlite3-3.8.7.1/debian/patches/50-fix_in-memory_journal.patch sqlite3-3.8.7.1/debian/patches/50-fix_in-memory_journal.patch
--- sqlite3-3.8.7.1/debian/patches/50-fix_in-memory_journal.patch	1970-01-01 00:00:00.0 +
+++ sqlite3-3.8.7.1/debian/patches/50-fix_in-memory_journal.patch	2016-08-25 16:10:24.0 +
@@ -0,0 +1,29 @@
+Index: sqlite3/src/memjournal.c
+==
+--- sqlite3/src/memjournal.c
 sqlite3/src/memjournal.c
+@@ -77,6 +77,7 @@ static int memjrnlRead(
+ 
+   /* SQLite never tries to read past the end of a rollback journal file */
+   assert( iOfst+iAmt<=p->endpoint.iOffset );
++  assert( p->readpoint.iOffset==0 || p->readpoint.pChunk!=0 );
+ 
+   if( p->readpoint.iOffset!=iOfst || iOfst==0 ){
+ sqlite3_int64 iOff = 0;
+@@ -88,6 +89,7 @@ static int memjrnlRead(
+ }
+   }else{
+ pChunk = p->readpoint.pChunk;
++assert( pChunk!=0 );
+   }
+ 
+   iChunkOffset = (int)(iOfst%JOURNAL_CHUNKSIZE);
+@@ -99,7 +101,7 @@ static int memjrnlRead(
+ nRead -= iSpace;
+ iChunkOffset = 0;
+   } while( nRead>=0 && (pChunk=pChunk->pNext)!=0 && nRead>0 );
+-  p->readpoint.iOffset = iOfst+iAmt;
++  p->readpoint.iOffset = pChunk ? iOfst+iAmt : 0;
+   p->readpoint.pChunk = pChunk;
+ 
+   return SQLITE_OK;
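Review bot: the two added assert() lines only take effect in builds with assertions enabled; the line that changes behaviour is "p->readpoint.iOffset = pChunk ? iOfst+iAmt : 0;". The patch has no header, so please record there that this is the SAVEPOINT segfault fix for #835205 and reference the upstream check-in, so the functional line is not mistaken for part of the debugging aids.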
diff -Nru sqlite3-3.8.7.1/debian/patches/series sqlite3-3.8.7.1/debian/patches/series
--- sqlite3-3.8.7.1/debian/patches/series	2015-05-02 07:59:48.0 +
+++ sqlite

Bug#835444: jessie-pu: package ovirt-guest-agent/1.0.10.2.dfsg-2+deb8u1

2016-08-25 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi Release Team,

There are two stupid bugs in ovirt-guest-agent which affect Jessie.
Both are fixed in Sid + Stretch.

First is that its daemon is not started with the initscript[1]. Reason
is: it checks for executable bit on the daemon, but it's installed
without that. chmod a+x added to d/rules.

Second is that the logging is not working if daemon is started with
systemd as its log directory is not owned by the ovirtagent user[2].
To be extra safe, the chown was added to postinst.

Proposed patch is attached.

Thanks for considering,
Laszlo/GCS
[1] http://bugs.debian.org/782005
[2] http://bugs.debian.org/811481
diff -Nru ovirt-guest-agent-1.0.10.2.dfsg/debian/changelog ovirt-guest-agent-1.0.10.2.dfsg/debian/changelog
--- ovirt-guest-agent-1.0.10.2.dfsg/debian/changelog	2015-02-14 11:33:40.0 +
+++ ovirt-guest-agent-1.0.10.2.dfsg/debian/changelog	2016-08-20 10:34:30.0 +
@@ -1,3 +1,10 @@
+ovirt-guest-agent (1.0.10.2.dfsg-2+deb8u1) jessie; urgency=medium
+
+  * Install ovirt-guest-agent.py executable (closes: #782005).
+  * Change owner of log directory to ovirtagent in postinst (closes: #811481).
+
+ -- Laszlo Boszormenyi (GCS)   Sat, 20 Aug 2016 10:34:30 +
+
 ovirt-guest-agent (1.0.10.2.dfsg-2) unstable; urgency=low
 
   * Rework useradd logic not to fail if gid 175 already present
diff -Nru ovirt-guest-agent-1.0.10.2.dfsg/debian/postinst ovirt-guest-agent-1.0.10.2.dfsg/debian/postinst
--- ovirt-guest-agent-1.0.10.2.dfsg/debian/postinst	2015-02-14 09:57:18.0 +
+++ ovirt-guest-agent-1.0.10.2.dfsg/debian/postinst	2016-08-20 10:34:30.0 +
@@ -12,4 +12,8 @@
 	udevadm settle
 fi
 
+chown ovirtagent:ovirtagent /var/log/ovirt-guest-agent
+[ -f /var/log/ovirt-guest-agent/ovirt-guest-agent.log ] && \
+chown ovirtagent:ovirtagent /var/log/ovirt-guest-agent/ovirt-guest-agent.log
+
 #DEBHELPER#
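Review bot: the second chown acts on a file inside /var/log/ovirt-guest-agent right after that directory has been handed to ovirtagent, and both "[ -f ... ]" and a plain chown follow symbolic links. On later upgrades the postinst runs as root over a path the unprivileged ovirtagent user controls, so a link placed there would have its target re-owned. Use "chown -h" together with a "[ ! -L ... ]" test, or let the daemon create the log file with the right owner itself.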
diff -Nru ovirt-guest-agent-1.0.10.2.dfsg/debian/rules ovirt-guest-agent-1.0.10.2.dfsg/debian/rules
--- ovirt-guest-agent-1.0.10.2.dfsg/debian/rules	2014-08-10 17:37:53.0 +
+++ ovirt-guest-agent-1.0.10.2.dfsg/debian/rules	2016-08-20 10:34:30.0 +
@@ -8,13 +8,20 @@
 export DH_OPTIONS
 #DEB_DH_INSTALLINIT_ARGS := --upstart-only
 
+PKGDIR=$(CURDIR)/debian/ovirt-guest-agent
+
 override_dh_auto_configure:
 	dh_auto_configure -- --without-sso
 
+override_dh_auto_install:
+	dh_auto_install
+	chmod a+x $(PKGDIR)/usr/share/ovirt-guest-agent/ovirt-guest-agent.py
+
 override_dh_installudev:
 	dh_installudev --priority 55
 
 %:
 	dh $@  --with autoreconf,python2
 
-.PHONY: override_dh_auto_configure override_dh_installudev
+.PHONY: override_dh_auto_configure override_dh_auto_install \
+	override_dh_installudev


Bug#836010: nmu: libodb_2.4.0-1

2016-08-29 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hi,

odb depends on GCC plugin loading. Uploaded a new package version,
which started to use GCC 6.2 as it's being the default compiler.
Previously it used GCC 5.1 and to prevent any problems, libodb* need
a rebuild with GCC 6 as well. First libodb itself (if I'm correct with
the syntax of britney):
nmu libodb_2.4.0-1 . ANY . unstable . -m "Rebuild with GCC 6"

When it's done, the following packages need to be rebuilt as well:
nmu libodb-boost_2.4.0-1 . ANY . unstable . -m "Rebuild with GCC 6"
nmu libodb-mysql_2.4.0-2 . ANY . unstable . -m "Rebuild with GCC 6"
nmu libodb-pgsql_2.4.0-1 . ANY . unstable . -m "Rebuild with GCC 6"
nmu libodb-qt_2.4.0-2 . ANY . unstable . -m "Rebuild with GCC 6"
nmu libodb-sqlite_2.4.0-1 . ANY . unstable . -m "Rebuild with GCC 6"

Thanks,
Laszlo/GCS



Bug#836787: jessie-pu: package pypdf2/1.23+git20141008-1+deb8u1

2016-09-05 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi Release Team,

A PyPDF2 user found a DoS, an infinite loop[1]. It has a reproducer
even. This affects Jessie as well (the Sid update is just uploaded).
Upstream fix is simple[2] and the Security Team noted this as no-dsa,
but can be updated via a Jessie PU.

Proposed patch is attached.

Thanks for considering,
Laszlo/GCS
[1] https://github.com/mstamy2/PyPDF2/issues/184
[2] https://github.com/mstamy2/PyPDF2/commit/4fc7f9d14adb2a9b890aea2616955ec54229f48c
diff -Nru pypdf2-1.23+git20141008/debian/changelog pypdf2-1.23+git20141008/debian/changelog
--- pypdf2-1.23+git20141008/debian/changelog	2014-10-25 21:00:12.0 +
+++ pypdf2-1.23+git20141008/debian/changelog	2016-09-05 17:50:32.0 +
@@ -1,3 +1,10 @@
+pypdf2 (1.23+git20141008-1+deb8u1) jessie; urgency=medium
+
+  * Backport fix 'prevent infinite loop in readObject() function' to prevent
+DoS from upstream Git tree.
+
+ -- Laszlo Boszormenyi (GCS)   Mon, 05 Sep 2016 17:46:41 +
+
 pypdf2 (1.23+git20141008-1) unstable; urgency=low
 
   * Upstream snapshot with various bug fixes.
diff -Nru pypdf2-1.23+git20141008/debian/patches/Prevent_infinite_loop_in_readObject.patch pypdf2-1.23+git20141008/debian/patches/Prevent_infinite_loop_in_readObject.patch
--- pypdf2-1.23+git20141008/debian/patches/Prevent_infinite_loop_in_readObject.patch	1970-01-01 00:00:00.0 +
+++ pypdf2-1.23+git20141008/debian/patches/Prevent_infinite_loop_in_readObject.patch	2016-09-05 17:49:22.0 +
@@ -0,0 +1,25 @@
+From 48193975e5a0e48ebbb68217f8533ad2bfbdede2 Mon Sep 17 00:00:00 2001
+From: Henri Salo 
+Date: Tue, 18 Aug 2015 13:42:22 +0300
+Subject: [PATCH] Prevent infinite loop in readObject() function. Patch by
+ dhudson1. Closes mstamy2/PyPDF2#184
+
+---
+ PyPDF2/generic.py | 4 
+ 1 file changed, 4 insertions(+)
+
+diff --git a/PyPDF2/generic.py b/PyPDF2/generic.py
+index df1e028..657612a 100644
+--- a/PyPDF2/generic.py
 b/PyPDF2/generic.py
+@@ -82,6 +82,10 @@ def readObject(stream, pdf):
+ # comment
+ while tok not in (b_('\r'), b_('\n')):
+ tok = stream.read(1)
++# Prevents an infinite loop by raising an error if the stream is at
++# the EOF
++if len(tok) <= 0:
++raise PdfStreamError("File ended unexpectedly.")
+ tok = readNonWhitespace(stream)
+ stream.seek(-1, 1)
+ return readObject(stream, pdf)
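Review bot: the embedded patch is headed "From 48193975e5a0e48ebbb68217f8533ad2bfbdede2", while the request links upstream commit 4fc7f9d14adb2a9b890aea2616955ec54229f48c as the fix; the patch header should say which of the two it was taken from. In the added check, "len(tok) <= 0" can only ever mean a length of zero, so "if not tok:" would state the end-of-stream condition more plainly.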
diff -Nru pypdf2-1.23+git20141008/debian/patches/series pypdf2-1.23+git20141008/debian/patches/series
--- pypdf2-1.23+git20141008/debian/patches/series	1970-01-01 00:00:00.0 +
+++ pypdf2-1.23+git20141008/debian/patches/series	2016-09-05 17:50:00.0 +
@@ -0,0 +1 @@
+Prevent_infinite_loop_in_readObject.patch


Bug#912853: transition: icu

2018-11-04 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi RMs,

I'd like to upload ICU 63.1 which was recently released for Buster.
The packaging already bootstrapped with icu-le-hb (Layout Engine using
the HarfBuzz library) in experimental.
Rebuilding of dependent packages are in progress. I can report the
following so far.
Level 1
widelands FTBFS, but I've a patch.

Level 2
boost1.63 FTBFS due to an unrelated, Python 3.7 problem probably
related to the already reported case in #902921 [1].
I think it's going to be removed thus didn't investigate further.

hfst-ospell FTBFS and while I've a patch, it's already fixed in its
new, 0.5.1 release.

mozjs60 FTBFS due to an unrelated problem, confirmed in a clean Sid
environment as well.

nodejs FTBFS on x86 only and while I've a patch it will still fail to
build due to its test suite problems already reported in #902512 [2].

openttd FTBFS on x86 only and upstream has a patch that can be
backported easily.

Other packages are in build testing. I don't expect too much problems
and fixing build failures are quite easy.

This has to be done with the Boost 1.67 transition which is already
scheduled. I don't think this would delay that too much as my testing
is done with the ICU transitioned boost1.67 package and boost-defaults
set to it.
It seems more and more applications start to use it as their ICU
dependency for Unicode 11.0 support including Firefox and Chromium
browser.
Would be nice if Buster can be shipped with this ICU release.

Regards,
Laszlo/GCS
[1] https://bugs.debian.org/902921
[2] https://bugs.debian.org/902512



Bug#918308: transition: botan

2019-01-04 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi RMs,

It's a small transition with only three packages: biboumi,
libqtshadowsocks and qtcreator. All three build fine with
this botan release as well.
It is also needed for proper upstream support for building botan
for armel/armhf on arm64 machines[1].

Thanks,
Laszlo/GCS
[1] https://bugs.debian.org/916970



Bug#877640: stretch-pu: package sqlite3/3.16.2-5+deb9u1

2017-10-03 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi SRMs,

I'd like to fix CVE-2017-10989 in SQLite3 for Stretch, which is a
heap-based buffer over-read via undersized RTree blobs.
It's considered remotely exploitable, still marked as no-DSA by the
Security Team. Still, worth fixing via the point update, proposed patch
is attached.

Thanks for considering,
Laszlo/GCS
diff -Nru sqlite3-3.16.2/debian/changelog sqlite3-3.16.2/debian/changelog
--- sqlite3-3.16.2/debian/changelog	2017-06-08 22:07:42.0 +
+++ sqlite3-3.16.2/debian/changelog	2017-10-03 16:13:44.0 +
@@ -1,3 +1,10 @@
+sqlite3 (3.16.2-5+deb9u1) stretch; urgency=medium
+
+  * Fix CVE-2017-10989 , heap-based buffer over-read via undersized RTree 
+blobs (closes: #867618).
+
+ -- Laszlo Boszormenyi (GCS)   Tue, 03 Oct 2017 16:13:44 +
+
 sqlite3 (3.16.2-5) unstable; urgency=medium
 
   * Backport fix for corruption due to REPLACE in an auto-vacuumed database.
diff -Nru sqlite3-3.16.2/debian/patches/51-CVE-2017-10989.patch sqlite3-3.16.2/debian/patches/51-CVE-2017-10989.patch
--- sqlite3-3.16.2/debian/patches/51-CVE-2017-10989.patch	1970-01-01 00:00:00.0 +
+++ sqlite3-3.16.2/debian/patches/51-CVE-2017-10989.patch	2017-10-03 16:13:44.0 +
@@ -0,0 +1,47 @@
+Index: sqlite3/ext/rtree/rtree.c
+==
+--- sqlite3/ext/rtree/rtree.c
 sqlite3/ext/rtree/rtree.c
+@@ -3207,10 +3207,14 @@
+ pRtree->zDb, pRtree->zName
+ );
+ rc = getIntFromStmt(db, zSql, &pRtree->iNodeSize);
+ if( rc!=SQLITE_OK ){
+   *pzErr = sqlite3_mprintf("%s", sqlite3_errmsg(db));
++}else if( pRtree->iNodeSize<(512-64) ){
++  rc = SQLITE_CORRUPT;
++  *pzErr = sqlite3_mprintf("undersize RTree blobs in \"%q_node\"",
++   pRtree->zName);
+ }
+   }
+ 
+   sqlite3_free(zSql);
+   return rc;
+
+Index: sqlite3/ext/rtree/rtreeA.test
+==
+--- sqlite3/ext/rtree/rtreeA.test
 sqlite3/ext/rtree/rtreeA.test
+@@ -213,8 +213,21 @@
+ } {}
+ do_corruption_tests rtreeA-6.1 {
+   1   "DELETE FROM t1 WHERE rowid = 5"
+   2   "UPDATE t1 SET x1=x1+1, x2=x2+1"
+ }
++
++#-
++# Truncated blobs in the _node table.
++#
++create_t1
++populate_t1
++sqlite3 db test.db
++do_execsql_test rtreeA-7.100 { 
++  UPDATE t1_node SET data=x'' WHERE rowid=1;
++} {}
++do_catchsql_test rtreeA-7.110 {
++  SELECT * FROM t1 WHERE x1>0 AND x1<100 AND x2>0 AND x2<100;
++} {1 {undersize RTree blobs in "t1_node"}}
+ 
+ 
+ finish_test
+
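Review bot: the new bound "pRtree->iNodeSize<(512-64)" in the rtree.c part is a bare literal with no comment saying where 512 and 64 come from. A one-line comment or a named constant next to the check would let the next backporter verify that the threshold still matches the node size the rest of rtree.c assumes.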
diff -Nru sqlite3-3.16.2/debian/patches/series sqlite3-3.16.2/debian/patches/series
--- sqlite3-3.16.2/debian/patches/series	2017-06-08 22:07:42.0 +
+++ sqlite3-3.16.2/debian/patches/series	2017-10-03 16:13:44.0 +
@@ -13,3 +13,4 @@
 42-JSON-2_2.patch
 43-JSON-3.patch
 50-REPLACE_corruption_fix.patch
+51-CVE-2017-10989.patch


Bug#877639: jessie-pu: package sqlite3/3.8.7.1-1+deb8u3

2017-10-03 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi SRMs,

I'd like to fix CVE-2017-10989 in SQLite3 for Jessie, which is a
heap-based buffer over-read via undersized RTree blobs.
It's considered remotely exploitable, still marked as no-DSA by the
Security Team. Still, worth fixing via the point update, proposed patch
is attached.

Thanks for considering,
Laszlo/GCS
diff -Nru sqlite3-3.8.7.1/debian/changelog sqlite3-3.8.7.1/debian/changelog
--- sqlite3-3.8.7.1/debian/changelog	2016-08-25 16:10:24.0 +
+++ sqlite3-3.8.7.1/debian/changelog	2017-10-03 16:13:42.0 +
@@ -1,3 +1,10 @@
+sqlite3 (3.8.7.1-1+deb8u3) jessie; urgency=medium
+
+  * Fix CVE-2017-10989 , heap-based buffer over-read via undersized RTree
+blobs (closes: #867618).
+
+ -- Laszlo Boszormenyi (GCS)   Tue, 03 Oct 2017 16:13:42 +
+
 sqlite3 (3.8.7.1-1+deb8u2) jessie; urgency=medium
 
   * Fix CVE-2016-6153 , Tempdir Selection Vulnerability.
diff -Nru sqlite3-3.8.7.1/debian/patches/51-CVE-2017-10989.patch sqlite3-3.8.7.1/debian/patches/51-CVE-2017-10989.patch
--- sqlite3-3.8.7.1/debian/patches/51-CVE-2017-10989.patch	1970-01-01 00:00:00.0 +
+++ sqlite3-3.8.7.1/debian/patches/51-CVE-2017-10989.patch	2017-10-03 16:13:42.0 +
@@ -0,0 +1,47 @@
+Index: sqlite3/ext/rtree/rtree.c
+==
+--- sqlite3/ext/rtree/rtree.c
 sqlite3/ext/rtree/rtree.c
+@@ -3131,10 +3131,14 @@
+ pRtree->zDb, pRtree->zName
+ );
+ rc = getIntFromStmt(db, zSql, &pRtree->iNodeSize);
+ if( rc!=SQLITE_OK ){
+   *pzErr = sqlite3_mprintf("%s", sqlite3_errmsg(db));
++}else if( pRtree->iNodeSize<(512-64) ){
++  rc = SQLITE_CORRUPT;
++  *pzErr = sqlite3_mprintf("undersize RTree blobs in \"%q_node\"",
++   pRtree->zName);
+ }
+   }
+ 
+   sqlite3_free(zSql);
+   return rc;
+
+Index: sqlite3/ext/rtree/rtreeA.test
+==
+--- sqlite3/ext/rtree/rtreeA.test
 sqlite3/ext/rtree/rtreeA.test
+@@ -213,8 +213,21 @@
+ } {}
+ do_corruption_tests rtreeA-6.1 {
+   1   "DELETE FROM t1 WHERE rowid = 5"
+   2   "UPDATE t1 SET x1=x1+1, x2=x2+1"
+ }
++
++#-
++# Truncated blobs in the _node table.
++#
++create_t1
++populate_t1
++sqlite3 db test.db
++do_execsql_test rtreeA-7.100 { 
++  UPDATE t1_node SET data=x'' WHERE rowid=1;
++} {}
++do_catchsql_test rtreeA-7.110 {
++  SELECT * FROM t1 WHERE x1>0 AND x1<100 AND x2>0 AND x2<100;
++} {1 {undersize RTree blobs in "t1_node"}}
+ 
+ 
+ finish_test
+
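
Review bot: the new rtreeA-7.100/7.110 test in rtreeA.test only covers a zero-length blob (`data=x''`), while the check it exercises in rtree.c rejects any `iNodeSize` below `512-64`. A second case with a blob just under that threshold would pin down the boundary the fix actually enforces. The bare `(512-64)` in `}else if( pRtree->iNodeSize<(512-64) ){` also deserves a one-line comment or a named constant saying where the two numbers come from.
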
diff -Nru sqlite3-3.8.7.1/debian/patches/series sqlite3-3.8.7.1/debian/patches/series
--- sqlite3-3.8.7.1/debian/patches/series	2016-08-25 16:10:24.0 +
+++ sqlite3-3.8.7.1/debian/patches/series	2017-10-03 16:13:42.0 +
@@ -13,3 +13,4 @@
 46-CVE-2016-6153_part2.patch
 47-CVE-2016-6153_part3.patch
 50-fix_in-memory_journal.patch
+51-CVE-2017-10989.patch


Bug#926002: unblock: zeromq3/4.3.1-4

2019-03-30 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi Release Team,

Unfortunately upstream of zeromq3 broke GSSAPI detection[1] in the
configure phase. It went undetected and now zeromq3 for Buster doesn't
have GSSAPI support and this is a regression since Stretch.

Luca Boccassi who is not just our fellow DD but also upstream fixed it
with a small patch. Full debdiff is attached. Please let it migrate to
Buster and have the same functionality available that's in Stretch.

Thanks for consideration,
Laszlo/GCS
[1] https://bugs.debian.org/925914
diff -Nru zeromq3-4.3.1/debian/changelog zeromq3-4.3.1/debian/changelog
--- zeromq3-4.3.1/debian/changelog	2019-01-26 12:49:45.0 +
+++ zeromq3-4.3.1/debian/changelog	2019-03-28 16:37:09.0 +
@@ -1,3 +1,10 @@
+zeromq3 (4.3.1-4) unstable; urgency=medium
+
+  [ Luca Boccassi  ]
+  * Fix GSSAPI support build (closes: #925914).
+
+ -- Laszlo Boszormenyi (GCS)   Thu, 28 Mar 2019 16:37:09 +
+
 zeromq3 (4.3.1-3) unstable; urgency=medium
 
   [ Luca Boccassi  ]
diff -Nru zeromq3-4.3.1/debian/patches/gssapi_pkgconfig.patch zeromq3-4.3.1/debian/patches/gssapi_pkgconfig.patch
--- zeromq3-4.3.1/debian/patches/gssapi_pkgconfig.patch	1970-01-01 00:00:00.0 +
+++ zeromq3-4.3.1/debian/patches/gssapi_pkgconfig.patch	2019-03-28 16:37:09.0 +
@@ -0,0 +1,30 @@
+Author: Luca Boccassi 
+Description: gssapi pkg-config check in configure.ac does not work
+ correctly enable the definition in platform.hpp so that the
+ gssapi support is actually built in if requested and available.
+Origin: https://github.com/zeromq/libzmq/pull/3361
+--- a/configure.ac
 b/configure.ac
+@@ -472,16 +472,20 @@
+ # conditionally require libgssapi_krb5
+ if test "x$require_libgssapi_krb5_ext" != "xno"; then
+ PKG_CHECK_MODULES([gssapi_krb5], [krb5-gssapi], [
++have_gssapi_library="yes"
+ PKGCFG_NAMES_PRIVATE="$PKGCFG_NAMES_PRIVATE krb5-gssapi"
+ ], [
+ AC_CHECK_HEADERS(gssapi/gssapi_generic.h)
+ AC_SEARCH_LIBS([gss_init_sec_context], [gssapi_krb5 gssapi],
+-AC_DEFINE(HAVE_LIBGSSAPI_KRB5, [1], [Enabled GSSAPI security]),
++have_gssapi_library="yes",
+ AC_MSG_ERROR(libgssapi_krb5 is needed for GSSAPI security))
+ PKGCFG_LIBS_PRIVATE="$PKGCFG_LIBS_PRIVATE -lgssapi_krb5"
+ ])
+ fi
+-AM_CONDITIONAL(BUILD_GSSAPI, test "x$require_libgssapi_krb5_ext" != "xno")
++if test "x$have_gssapi_library" = "xyes"; then
++AC_DEFINE(HAVE_LIBGSSAPI_KRB5, [1], [Enabled GSSAPI security])
++fi
++AM_CONDITIONAL(BUILD_GSSAPI, test "x$have_gssapi_library" = "xyes")
+ 
+ # Select curve encryption library, defaults to tweetnacl
+ # To use libsodium instead, use --with-libsodium (must be installed)
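
Review bot: `have_gssapi_library` is only ever assigned "yes" in this hunk and gets no default before the `if test "x$require_libgssapi_krb5_ext" != "xno"` block, so the final `test "x$have_gssapi_library" = "xyes"` relies on the variable being unset when configure starts. Unless it is initialised earlier in configure.ac, add `have_gssapi_library="no"` ahead of the conditional so that a value inherited from the environment cannot switch on `HAVE_LIBGSSAPI_KRB5` and `BUILD_GSSAPI` without the library check having run.
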
diff -Nru zeromq3-4.3.1/debian/patches/series zeromq3-4.3.1/debian/patches/series
--- zeromq3-4.3.1/debian/patches/series	2019-01-26 12:49:45.0 +
+++ zeromq3-4.3.1/debian/patches/series	2019-03-28 16:37:09.0 +
@@ -3,3 +3,4 @@
 test_hardcoded_ipc_path.patch
 ppc64_atomic_intrinsics.patch
 test_pair_ipc_hurd.patch
+gssapi_pkgconfig.patch


Bug#926889: unblock: graphviz/2.40.1-6

2019-04-11 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi Release Team,

Please unblock graphviz which fixes a vulnerability,
CVE-2018-10196 [1].
The debdiff which is attached contains some extra self-tests over the
fix.

Thanks for consideration,
Laszlo/GCS
[1] https://bugs.debian.org/898841
diff -Nru graphviz-2.40.1/debian/changelog graphviz-2.40.1/debian/changelog
--- graphviz-2.40.1/debian/changelog	2018-10-03 15:04:59.0 +
+++ graphviz-2.40.1/debian/changelog	2019-04-08 15:51:00.0 +
@@ -1,3 +1,10 @@
+graphviz (2.40.1-6) unstable; urgency=high
+
+  * Fix CVE-2018-10196: NULL pointer dereference in rebuild_vlists()
+(closes: #898841).
+
+ -- Laszlo Boszormenyi (GCS)   Mon, 08 Apr 2019 15:51:00 +
+
 graphviz (2.40.1-5) unstable; urgency=medium
 
   * Patch upstream _gv.so symlink creation (closes: #905209).
diff -Nru graphviz-2.40.1/debian/patches/CVE-2018-10196.patch graphviz-2.40.1/debian/patches/CVE-2018-10196.patch
--- graphviz-2.40.1/debian/patches/CVE-2018-10196.patch	1970-01-01 00:00:00.0 +
+++ graphviz-2.40.1/debian/patches/CVE-2018-10196.patch	2019-04-08 15:51:00.0 +
@@ -0,0 +1,605 @@
+diff --git a/configure.ac b/configure.ac
+index b0762993c299fcd3d9040aec19d99425132b42f2..6f743e9d23e072301bd94f58b3fb865fee804f0e 100644
+--- a/configure.ac
 b/configure.ac
+@@ -3363,6 +3363,7 @@ AC_CONFIG_FILES(Makefile
+   tests/unit_tests/lib/common/Makefile
+   tests/regression_tests/Makefile
+   tests/regression_tests/shapes/Makefile
++	tests/regression_tests/vuln/Makefile
+ 	share/Makefile
+ 	share/examples/Makefile
+ 	share/gui/Makefile
+diff --git a/lib/dotgen/conc.c b/lib/dotgen/conc.c
+index dd13e936bf25d17d8baa5b3b9e089cff35c502fe..f7307d23b3ff9151b283c9b045892a80c0d6c055 100644
+--- a/lib/dotgen/conc.c
 b/lib/dotgen/conc.c
+@@ -159,7 +159,11 @@ static void rebuild_vlists(graph_t * g)
+ 
+ for (r = GD_minrank(g); r <= GD_maxrank(g); r++) {
+ 	lead = GD_rankleader(g)[r];
+-	if (GD_rank(dot_root(g))[r].v[ND_order(lead)] != lead) {
++	if (lead == NULL) {
++		agerr(AGERR, "rebuiltd_vlists: lead is null for rank %d\n", r);
++		longjmp(jbuf, 1);
++	}
++	else if (GD_rank(dot_root(g))[r].v[ND_order(lead)] != lead) {
+ 	agerr(AGERR, "rebuiltd_vlists: rank lead %s not in order %d of rank %d\n", 
+ 		agnameof(lead), ND_order(lead), r);
+ 	longjmp(jbuf, 1);
+diff --git a/tests/regression_tests/Makefile.am b/tests/regression_tests/Makefile.am
+index c375449ad3f30834eb10b19a6174977354d41230..c472181c13387de9c579f533e17d1a749fb0b534 100644
+--- a/tests/regression_tests/Makefile.am
 b/tests/regression_tests/Makefile.am
+@@ -1 +1 @@
+-SUBDIRS = shapes
++SUBDIRS = shapes vuln
+diff --git a/tests/regression_tests/vuln/Makefile.am b/tests/regression_tests/vuln/Makefile.am
+new file mode 100644
+index ..e58fc3cde6384a581914f92edcacd815f4738e80
+--- /dev/null
 b/tests/regression_tests/vuln/Makefile.am
+@@ -0,0 +1,2 @@
++check test rtest:
++	python vuln.py
+diff --git a/tests/regression_tests/vuln/input/nullderefrebuildlist.dot b/tests/regression_tests/vuln/input/nullderefrebuildlist.dot
+new file mode 100644
+index ..31a15a1dad27aa8a34bd47b297eb02bfdf1a6f9c
+--- /dev/null
 b/tests/regression_tests/vuln/input/nullderefrebuildlist.dot
+@@ -0,0 +1,55 @@
++digraph G {
++graph [concentrate=true];
++
++routine1;
++routine2;
++
++rfontsize=9;
++nodesep="0.4";
++ranksep="0.4";
++node [fontname=Arial, fontsize=9, shape=box];
++subgraph clustere3ffa58211d69e3db000538bf02fa1d0 { 
++label = "DriveCom Z";
++Ie3ffa58211d69e3db000538bf02fa1d0 [label="", shape=circle, style=filled, color=black, width=.2];
++Se3ffa4bf11d69e3db000538bf02fa1d0 [label="Idle"];
++Se3ffa7b011d69e3db000538bf02fa1d0 [label="Disabled"];
++subgraph clustere3ffa77611d69e3db000538bf02fa1d0 { 
++label = "Active";
++Ie3ffa77611d69e3db000538bf02fa1d0 [label="", shape=circle, style=filled, color=black, width=.2];
++Se3€fa84b11d69e3db000538bf02fa1d0 [label="Undefined"];
++Se3ffa60811d69e3db000538bf02fa1d0 [label="Wait Switch On Inhibit"];
++Se3ffa87211d69e3db000538bf02fa1d0 [label="Switch On Inhibit"];
++Se3ffa65611d69e3db000538bf02fa1d0 [label="Wait Ready To Switch On"];
++Se3ffa61c11d69e3db000538bf02fa1d0 [label="Ready To Switch On"];
++Se3ffa53211d69e3db000538bf02fa1d0 [label="Wait Switched On"];
++Se3ffa8ac11d69e3db000538bf02fa1d0 [label="Switched On"];
++Se3ffa83711d69e3db000538bf02fa1d0 [label="Wait Operation Enabled"];
++Se3ffa81011d69e3db000538bf02fa1d0 
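
Review bot: the new `lead == NULL` branch in lib/dotgen/conc.c reports itself as `rebuiltd_vlists`, copying the misspelling from the existing message, although the function named in the hunk header is `rebuild_vlists()`; spell it correctly in the added `agerr()` call so the error can be matched to the function. In tests/regression_tests/vuln/Makefile.am the `check test rtest:` target runs a bare `python vuln.py`, and the visible part of this debdiff adds no Python build dependency, so confirm that the regression test for the NULL dereference really runs in the package build environment.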

Bug#895935: jessie-pu: package patch/2.7.5-1+deb8u1

2018-04-17 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi OSRMs,

I'd like to fix CVE-2018-1000156 in patch for Jessie, which is an
arbitrary command execution in ed-style patches.
While it might be used for remote compromise, it would need a setup to
accept patches unconditionally. But then an attacker has an easy path
already to insert vulnerable code to source files or JavaScript
injection to HTML pages, etc. Hence it doesn't warrant a DSA on its
own, but would be good to fix in a point release.

Thanks for considering,
Laszlo/GCS
diff -Nru patch-2.7.5/debian/changelog patch-2.7.5/debian/changelog
--- patch-2.7.5/debian/changelog	2015-03-07 06:38:30.0 +
+++ patch-2.7.5/debian/changelog	2018-04-16 20:48:14.0 +
@@ -1,3 +1,10 @@
+patch (2.7.5-1+deb8u1) jessie; urgency=medium
+
+  * Fix CVE-2018-1000156: arbitrary command execution in ed-style patches
+(closes: #894993).
+
+ -- Laszlo Boszormenyi (GCS)   Mon, 16 Apr 2018 20:48:14 +
+
 patch (2.7.5-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru patch-2.7.5/debian/control patch-2.7.5/debian/control
--- patch-2.7.5/debian/control	2015-03-07 06:33:14.0 +
+++ patch-2.7.5/debian/control	2018-04-16 20:48:14.0 +
@@ -2,7 +2,7 @@
 Section: vcs
 Priority: standard
 Maintainer: Laszlo Boszormenyi (GCS) 
-Build-Depends: debhelper (>= 7), ed
+Build-Depends: debhelper (>= 7), ed, autoconf, automake
 Standards-Version: 3.9.6
 Homepage: http://savannah.gnu.org/projects/patch/
 Vcs-Git: git://git.debian.org/collab-maint/patch.git
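
Review bot: the `Build-Depends` line gains `autoconf, automake`, but the changelog entry for 2.7.5-1+deb8u1 mentions only the CVE fix. If the new build dependencies are there because the security patch touches tests/Makefile.am and the build system has to be regenerated, say so in debian/changelog so the stable release managers can see why a point-release security fix changes the build dependencies.
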
diff -Nru patch-2.7.5/debian/patches/Fix_arbitrary_command_execution_in_ed-style_patches.patch patch-2.7.5/debian/patches/Fix_arbitrary_command_execution_in_ed-style_patches.patch
--- patch-2.7.5/debian/patches/Fix_arbitrary_command_execution_in_ed-style_patches.patch	1970-01-01 00:00:00.0 +
+++ patch-2.7.5/debian/patches/Fix_arbitrary_command_execution_in_ed-style_patches.patch	2018-04-16 20:48:14.0 +
@@ -0,0 +1,237 @@
+From 123eaff0d5d1aebe128295959435b9ca5909c26d Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher 
+Date: Fri, 6 Apr 2018 12:14:49 +0200
+Subject: Fix arbitrary command execution in ed-style patches
+ (CVE-2018-1000156)
+
+* src/pch.c (do_ed_script): Write ed script to a temporary file instead
+of piping it to ed: this will cause ed to abort on invalid commands
+instead of rejecting them and carrying on.
+* tests/ed-style: New test case.
+* tests/Makefile.am (TESTS): Add test case.
+---
+ src/pch.c | 91 ---
+ tests/Makefile.am |  1 +
+ tests/ed-style| 41 +
+ 3 files changed, 108 insertions(+), 25 deletions(-)
+ create mode 100644 tests/ed-style
+
+diff --git a/src/pch.c b/src/pch.c
+index 0c5cc26..4fd5a05 100644
+--- a/src/pch.c
 b/src/pch.c
+@@ -33,6 +33,7 @@
+ # include 
+ #endif
+ #include 
++#include 
+ 
+ #define INITHUNKMAX 125			/* initial dynamic allocation size */
+ 
+@@ -2387,22 +2387,28 @@ do_ed_script (char const *inname, char c
+ static char const editor_program[] = EDITOR_PROGRAM;
+ 
+ file_offset beginning_of_this_line;
+-FILE *pipefp = 0;
+ size_t chars_read;
++FILE *tmpfp = 0;
++char const *tmpname;
++int tmpfd;
++pid_t pid;
++
++if (! dry_run && ! skip_rest_of_patch)
++  {
++	/* Write ed script to a temporary file.  This causes ed to abort on
++	   invalid commands such as when line numbers or ranges exceed the
++	   number of available lines.  When ed reads from a pipe, it rejects
++	   invalid commands and treats the next line as a new command, which
++	   can lead to arbitrary command execution.  */
++
++	tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0);
++	if (tmpfd == -1)
++	  pfatal ("Can't create temporary file %s", quotearg (tmpname));
++	tmpfp = fdopen (tmpfd, "w+b");
++	if (! tmpfp)
++	  pfatal ("Can't open stream for file %s", quotearg (tmpname));
++  }
+ 
+-if (! dry_run && ! skip_rest_of_patch) {
+-	int exclusive = *outname_needs_removal ? 0 : O_EXCL;
+-	assert (! inerrno);
+-	*outname_needs_removal = true;
+-	copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+-	sprintf (buf, "%s %s%s", editor_program,
+-		 verbosity == VERBOSE ? "" : "- ",
+-		 outname);
+-	fflush (stdout);
+-	pipefp = popen(buf, binary_transput ? "wb" : "w");
+-	if (!pipefp)
+-	  pfatal ("Can't open pipe to %s", quotearg (buf));
+-}
+ for (;;) {
+ 	char ed_command_letter;
+ 	beginning_of_this_line = file_tell (pfp);
+@@ -2413,14 +2418,14 @@ do_ed_script (char const *inname, char const *outname,
+ 	}
+ 	ed_command_letter = get_ed_command_letter (buf);
+ 	if (ed_command_letter) {
+-	if (pipefp)
+-		if (! fwrite (buf, sizeof *buf, ch
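
Review bot: the lines removed from `do_ed_script()` built the editor command with `sprintf (buf, "%s %s%s", editor_program, ..., outname)` and ran it through `popen()`, that is, through a shell with the output file name pasted into the command string. The code that now starts ed on the temporary file lies beyond the point where this copy of the patch is cut off; when reviewing the full patch, check that it does not hand `outname` to a shell in the same way, because the ed script is not the only patch-controlled input on that path.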

Bug#895936: stretch-pu: package patch/2.7.5-1+deb9u1

2018-04-17 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi SRMs,

I'd like to fix CVE-2018-1000156 in patch for Stretch, which is an
arbitrary command execution in ed-style patches.
While it might be used for remote compromise, it would need a setup to
accept patches unconditionally. But then an attacker has an easy path
already to insert vulnerable code to source files or JavaScript
injection to HTML pages, etc. Hence it doesn't warrant a DSA on its
own, but would be good to fix in a point release.

Thanks for considering,
Laszlo/GCS
diff -Nru patch-2.7.5/debian/changelog patch-2.7.5/debian/changelog
--- patch-2.7.5/debian/changelog	2015-03-07 06:38:30.0 +
+++ patch-2.7.5/debian/changelog	2018-04-16 20:48:43.0 +
@@ -1,3 +1,10 @@
+patch (2.7.5-1+deb9u1) stretch; urgency=medium
+
+  * Fix CVE-2018-1000156: arbitrary command execution in ed-style patches
+(closes: #894993).
+
+ -- Laszlo Boszormenyi (GCS)   Mon, 16 Apr 2018 20:48:43 +
+
 patch (2.7.5-1) unstable; urgency=medium
 
   * New upstream release.
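
Review bot: this debdiff goes from debian/changelog straight to debian/patches/, with no debian/control change, whereas the jessie-pu debdiff for the same patch (Bug#895935) adds `autoconf, automake` to `Build-Depends`. Both start from patch 2.7.5-1 and carry the same change to tests/Makefile.am, so confirm that the stretch build regenerates the build system without those packages, or carry the same build dependency here.
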
diff -Nru patch-2.7.5/debian/patches/Fix_arbitrary_command_execution_in_ed-style_patches.patch patch-2.7.5/debian/patches/Fix_arbitrary_command_execution_in_ed-style_patches.patch
--- patch-2.7.5/debian/patches/Fix_arbitrary_command_execution_in_ed-style_patches.patch	1970-01-01 00:00:00.0 +
+++ patch-2.7.5/debian/patches/Fix_arbitrary_command_execution_in_ed-style_patches.patch	2018-04-16 20:48:43.0 +
@@ -0,0 +1,237 @@
+From 123eaff0d5d1aebe128295959435b9ca5909c26d Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher 
+Date: Fri, 6 Apr 2018 12:14:49 +0200
+Subject: Fix arbitrary command execution in ed-style patches
+ (CVE-2018-1000156)
+
+* src/pch.c (do_ed_script): Write ed script to a temporary file instead
+of piping it to ed: this will cause ed to abort on invalid commands
+instead of rejecting them and carrying on.
+* tests/ed-style: New test case.
+* tests/Makefile.am (TESTS): Add test case.
+---
+ src/pch.c | 91 ---
+ tests/Makefile.am |  1 +
+ tests/ed-style| 41 +
+ 3 files changed, 108 insertions(+), 25 deletions(-)
+ create mode 100644 tests/ed-style
+
+diff --git a/src/pch.c b/src/pch.c
+index 0c5cc26..4fd5a05 100644
+--- a/src/pch.c
 b/src/pch.c
+@@ -33,6 +33,7 @@
+ # include 
+ #endif
+ #include 
++#include 
+ 
+ #define INITHUNKMAX 125			/* initial dynamic allocation size */
+ 
+@@ -2387,22 +2387,28 @@ do_ed_script (char const *inname, char c
+ static char const editor_program[] = EDITOR_PROGRAM;
+ 
+ file_offset beginning_of_this_line;
+-FILE *pipefp = 0;
+ size_t chars_read;
++FILE *tmpfp = 0;
++char const *tmpname;
++int tmpfd;
++pid_t pid;
++
++if (! dry_run && ! skip_rest_of_patch)
++  {
++	/* Write ed script to a temporary file.  This causes ed to abort on
++	   invalid commands such as when line numbers or ranges exceed the
++	   number of available lines.  When ed reads from a pipe, it rejects
++	   invalid commands and treats the next line as a new command, which
++	   can lead to arbitrary command execution.  */
++
++	tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0);
++	if (tmpfd == -1)
++	  pfatal ("Can't create temporary file %s", quotearg (tmpname));
++	tmpfp = fdopen (tmpfd, "w+b");
++	if (! tmpfp)
++	  pfatal ("Can't open stream for file %s", quotearg (tmpname));
++  }
+ 
+-if (! dry_run && ! skip_rest_of_patch) {
+-	int exclusive = *outname_needs_removal ? 0 : O_EXCL;
+-	assert (! inerrno);
+-	*outname_needs_removal = true;
+-	copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+-	sprintf (buf, "%s %s%s", editor_program,
+-		 verbosity == VERBOSE ? "" : "- ",
+-		 outname);
+-	fflush (stdout);
+-	pipefp = popen(buf, binary_transput ? "wb" : "w");
+-	if (!pipefp)
+-	  pfatal ("Can't open pipe to %s", quotearg (buf));
+-}
+ for (;;) {
+ 	char ed_command_letter;
+ 	beginning_of_this_line = file_tell (pfp);
+@@ -2413,14 +2418,14 @@ do_ed_script (char const *inname, char const *outname,
+ 	}
+ 	ed_command_letter = get_ed_command_letter (buf);
+ 	if (ed_command_letter) {
+-	if (pipefp)
+-		if (! fwrite (buf, sizeof *buf, chars_read, pipefp))
++	if (tmpfp)
++		if (! fwrite (buf, sizeof *buf, chars_read, tmpfp))
+ 		write_fatal ();
+ 	if (ed_command_letter != 'd' && ed_command_letter != 's') {
+ 	p_pass_comments_through = true;
+ 		while ((chars_read = get_line ()) != 0) {
+-		if (pipefp)
+-			if (! fwrite (buf, sizeof *buf, chars_read, pipefp))
++		if (tmpfp)
++			if (! fwrite (buf, sizeof *buf, chars_read, tmpfp))
+ 			write_fatal ();
+ 		if (chars_read == 2  &&  strEQ (bu
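
Review bot: the added block creates the script file with `make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0)`, and both `pfatal()` calls as well as every `write_fatal ()` after `fwrite (..., tmpfp)` exit while that file exists; nothing in the visible part of the patch closes `tmpfp` or removes `tmpname`. Make sure the complete patch unlinks the temporary file on the error paths as well as on success. Also check the first `pfatal()`: it prints `tmpname`, which is declared without an initialiser, after `make_tempfile()` has already failed.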

Bug#897165: transition: botan

2018-04-29 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Dear Release Team,

A small, incremental transition of botan 2.4 -> 2.6 as the dependent
packages are only biboumi and qtcreator. Both build fine with it.

Two things to note. For sixteen days it still hasn't been scheduled to
build on armhf, but I don't think it would have any problem. Then it
failed to build on armel due to an unrelated problem. I've already
requested a give-back just in case.

Regards,
Laszlo/GCS



Bug#811207: transition: libcutl

2016-01-16 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Mini-transition of libcutl. It has 1.8 soname in Sid and 1.9 in
experimental, but I plan to upload soname 1.10 version. May I upload
it directly to Sid or should I target experimental first?
The only affected binary is odb which can be binNMUed. Libraries are
co-installable.

Ben file:

title = "libcutl";
is_affected = .depends ~ "libcutl-1.8" | .depends ~ "libcutl-1.9" | .depends ~ "libcutl-1.10";
is_good = .depends ~ "libcutl-1.10";
is_bad = .depends ~ "libcutl-1.8" | .depends ~ "libcutl-1.9";



Bug#692797: unblock: python-greenlet/0.3.1-2.1

2012-12-21 Thread Laszlo Boszormenyi (GCS)
Hi Adam,

On Wed, 2012-12-19 at 19:55 +, Adam D. Barratt wrote:
> On Sat, 2012-11-24 at 13:34 +, Adam D. Barratt wrote:
> > On Fri, 2012-11-09 at 23:08 +0100, Jelmer Vernooij wrote:
> > > On Fri, 2012-11-09 at 06:08 +, Adam D. Barratt wrote:
> > > > It also itself FTBFS on a few architectures - see
> > > > https://buildd.debian.org/status/package.php?p=python-greenlet&suite=wheezy
> > > >  ; armel and mips{,el} are regressions from the current testing package.
> > > > 
> > > Thanks, I should've noticed that but hadn't. This is quite surprising
> > > too, I don't see anything in the NMU that might be the cause of this. 
> > 
> > I suspect the issue was already there - see #665890, which is also fixed
> > in sid already.
> 
> Laszlo, any chance of a fixed version?
 The good news is that upstream uses git, so I could check the individual
commits. The bad news is that the places where it FTBFS are assembly code.
Upstream reworked those parts with the relevant C code as well. So it's
not easy, I'd say impossible for me to backport those changes. I don't
speak ARM nor Sparc ASM at least.
 Would it be acceptable to let 0.4.0-1 migrate to Wheezy? It fixes all
the problems and has been in the archive since August without any problem.
Last, but not least, it fixes several packaging problems as well.

Laszlo/GCS


Archive: http://lists.debian.org/1356130240.15123.958.camel@julia



Re: Uploading new s3ql to testing-proposed-updates

2013-02-24 Thread Laszlo Boszormenyi (GCS)
Hi Nikolaus,

On Sun, 2013-02-24 at 18:41 -0800, Nikolaus Rath wrote:
> I'd like to upload a new version of S3QL to testing-proposed-updates to
> fix bug #701350. Unstable already contains a newer upstream release
> (1.12), so I cannot upload there.
[...]
> The necessary patch is one line (adding fflush() in the right place).
 While it's not tagged RC, it is, as it can cause data loss as I read.
It means it must be fixed in Wheezy. It'll be accepted IMHO as the fix
is a one-liner. The proposed patch looks fine to me.

> May I upload this to testing-proposed-updates?
 It's not my task to allow or disallow uploads to t-p-u. There's a team
in Debian, called Release Managers[1]. They need to ACK it, as Wheezy is in
deep freeze now. Will check the rules in the afternoon.
Did you ask on debian-project@ ?

Cheers,
Laszlo/GCS
[1] http://wiki.debian.org/Teams/ReleaseTeam


Archive: http://lists.debian.org/1361772825.14479.178.camel@julia



Bug#702195: unblock: syslog-ng/3.3.5-3

2013-03-03 Thread Laszlo Boszormenyi (GCS)
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: freeze-exception
thanks

Hi Release Team,

There are several important RC bugfixes over syslog-ng/3.3.5-2 in Wheezy.

First is virtual console differences between Linux and kFreeBSD[1]. It's
tty10 on the former and ttyva on the latter. Without fixing #697042,
syslog-ng would flood kFreeBSD logs with:
Error opening file for writing; filename='/dev/tty10', error='Operation not supported (45)'

The default syslog-ng configuration used the wrong path for mail related
logs, as noted in #692056 [2].

Don't use symlinked systemd configuration files, as noted in
#690067 [3]. This caused all sorts of problems as dpkg doesn't support
it.

Last but not least the one which affects the DSA team is #702131 [4].
The fix is to handle EINVAL as well for eventfd2 errors.

The fixes are small and usually one-liners. Debdiff is attached.

Thanks,
Laszlo/GCS
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697042
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692056
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690067
[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702131
diff -Nru syslog-ng-3.3.5/debian/changelog syslog-ng-3.3.5/debian/changelog
--- syslog-ng-3.3.5/debian/changelog	2012-05-13 00:47:21.0 +0200
+++ syslog-ng-3.3.5/debian/changelog	2013-03-03 19:22:00.0 +0100
@@ -1,3 +1,22 @@
+syslog-ng (3.3.5-3) testing-proposed-updates; urgency=low
+
+  [ Gergely Nagy  ]
+  * Don't mark systemd symlinks in /etc as conffiles.
+  * Instead of installing systemd service file symlinks, install a
+conffile, that includes the real service file (closes: #690067).
+  * Do not forcibly remove the systemd service files, that code is not
+needed anymore.
+  * Use the standard /var/log/mail.{info,err,warn} location for the various
+mail-related logs (closes: #692056).
+  * Use /dev/ttyva on kFreeBSD as the target of the d_console_all
+    destination (closes: #697042).
+
+  [ Laszlo Boszormenyi (GCS) ]
+  * Fix ivykis fallback on eventfd2 errors with the addition of
+ivykis_fallback_fix.patch (closes: #702131).
+
+ -- Laszlo Boszormenyi (GCS)   Sun, 03 Mar 2013 17:57:00 +0100
+
 syslog-ng (3.3.5-2) unstable; urgency=low
 
   [ Gergely Nagy  ]
diff -Nru syslog-ng-3.3.5/debian/patches/ivykis_fallback_fix.patch syslog-ng-3.3.5/debian/patches/ivykis_fallback_fix.patch
--- syslog-ng-3.3.5/debian/patches/ivykis_fallback_fix.patch	1970-01-01 01:00:00.0 +0100
+++ syslog-ng-3.3.5/debian/patches/ivykis_fallback_fix.patch	2013-03-03 17:53:25.0 +0100
@@ -0,0 +1,31 @@
+Description: make ivykis properly fallback on eventfd2 errors
+ The Linux glibc eventfd() wrapper function (around the SYS_eventfd{,2}
+ system calls) returns EINVAL if it is given a nonzero flags argument
+ and SYS_eventfd2 (which is the variant of SYS_eventfd that takes a flags
+ argument) isn't implemented, while iv_event_raw was expecting to get
+ either ENOSYS or success.
+ .
+ Instead of falling back on SYS_eventfd by calling the eventfd() wrapper
+ again with a zero flags argument and then setting the O_NONBLOCK and
+ O_CLOEXEC flags by hand, disable use of eventfd on systems that have
+ SYS_eventfd but not SYS_eventfd2 as a minimally invasive fix for the
+ stable branches.
+ Taken from: https://github.com/buytenh/ivykis/commit/89f67f97477aeba24aebfc58ae1a17e5bea69724.patch
+Author: Lennert Buytenhek 
+Bug-Debian: http://bugs.debian.org/702131
+Forwarded: not-needed
+Last-Update: 2012-12-09
+
+---
+
+--- syslog-ng-3.3.5.orig/lib/ivykis/modules/iv_event_raw.c
 syslog-ng-3.3.5/lib/ivykis/modules/iv_event_raw.c
+@@ -91,7 +91,7 @@ int iv_event_raw_register(struct iv_even
+ 
+ 		ret = eventfd2(0, EFD_NONBLOCK | EFD_CLOEXEC);
+ 		if (ret < 0) {
+-			if (errno != ENOSYS) {
++			if (errno != ENOSYS && errno != EINVAL) {
+ perror("eventfd2");
+ return -1;
+ 			}
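
Review bot: with `errno != ENOSYS && errno != EINVAL`, every `EINVAL` from `eventfd2(0, EFD_NONBLOCK | EFD_CLOEXEC)` now takes the silent fallback path instead of reaching `perror("eventfd2")`, and the reason is given only in the patch header. Put a short comment next to the condition saying that `EINVAL` here means the system has `SYS_eventfd` but not `SYS_eventfd2`, so a later reader does not take it for a swallowed argument error.
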
diff -Nru syslog-ng-3.3.5/debian/patches/series syslog-ng-3.3.5/debian/patches/series
--- syslog-ng-3.3.5/debian/patches/series	2012-05-03 10:25:19.0 +0200
+++ syslog-ng-3.3.5/debian/patches/series	2013-03-03 17:48:08.0 +0100
@@ -1 +1,2 @@
 no_make_in_debian.patch
+ivykis_fallback_fix.patch
diff -Nru syslog-ng-3.3.5/debian/rules syslog-ng-3.3.5/debian/rules
--- syslog-ng-3.3.5/debian/rules	2012-05-13 00:49:52.0 +0200
+++ syslog-ng-3.3.5/debian/rules	2013-03-03 18:52:18.0 +0100
@@ -26,7 +26,7 @@
 # to it.
 ##
 ifneq (,$(filter debug,$(DEB_BUILD_OPTIONS)))
-	EXTRA_CONFIGURE_OPTS += --enable-debug
+EXTRA_CONFIGURE_OPTS += --enable-debug
 endif
 
 DEFAULT_MODULES = affile,afprog,afsocket,afuser,afsql,basicfuncs,csvparser,dbparser,syslogformat
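
Review bot: the debian/rules change to `EXTRA_CONFIGURE_OPTS += --enable-debug` (leading tab removed inside the `ifneq` block) is not covered by any of the 3.3.5-3 changelog entries. For a freeze-exception upload, either list it in debian/changelog with the reason for the change or leave it out of this upload.
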
@@ -129,10 +129,6 @@
 override_dh_auto_install:
 	dh_auto_install
 	${MAKE} -C debian/build-tree/lib/ivykis install DESTDIR=$(CURDIR)/debian/tmp
-	ln -sf /lib/systemd/system/syslog-ng.service \
-	   debian/syslog-ng-c

Bug#702195: symlink conffiles are not supported, causing problems for dpkg on upgrade/removal and incorrect debsums reports

2013-03-05 Thread Laszlo Boszormenyi (GCS)
On Tue, 2013-03-05 at 21:05 +0100, Michael Biebl wrote:
> On 03.03.2013 22:53, Michael Biebl wrote:
> > 
> > Seeing the poor handling of symlinked conffiles, I'm wondering if we
> > should also remove them for the other affected packages, which do that:
[...]
> After a closer look, all those packages do *not* mark the symlinks as
> conffiles, so are not affected by this problem. So I wouldn't suggest
> any changes at this stage of the release.
> As for syslog-ng-core, I think the simplest solution for wheezy is to
> add the symlinks back to the package
> /etc/systemd/system/syslog.service
> /etc/systemd/system/multi-user.target.wants/syslog-ng.service
> but does *not* mark them as conffiles.
> + the usual cleanup of the existing conffiles via preinst.
 The first iteration is ready to check[1]. I don't recall previous
conffiles, but on purge the files are removed.

Laszlo/GCS
[1] dget -x http://www.barcikacomp.hu/gcs/syslog-ng_3.3.5-3.dsc


Archive: http://lists.debian.org/1362521428.18324.27.camel@julia



Bug#702195: symlink conffiles are not supported, causing problems for dpkg on upgrade/removal and incorrect debsums reports

2013-03-06 Thread Laszlo Boszormenyi (GCS)
On Wed, 2013-03-06 at 13:17 +0100, Michael Biebl wrote:
> 1/ as you no longer mark the symlinks as conffiles, the cleanup in
> syslog-ng-core.postrm is not necessary.
 Removed.

> 2/ you need to remove the existing conffile symlinks in
> syslog-ng-core.preinst so dpkg converts it to non-conffiles on upgrades
 Remove those in preinst.

> 3/ please drop the line
> ExecStartPre=/bin/systemctl stop systemd-kmsg-syslogd.service
> from syslog-ng.service. The systemd-kmsg-syslogd.service service has
> been removed a long time ago and future versions of systemd will
> generate an error if you stop a non-existing service. Gergely told he
> had this change in his Git repo already.
 Line removed, added other fixes from the Git repo.

Please re-check it from:
dget -x http://www.barcikacomp.hu/gcs/syslog-ng_3.3.5-3.dsc


Archive: http://lists.debian.org/1362591911.18324.32.camel@julia



Re: RFC: plan to NMU python-greenlet for Wheezy

2012-10-08 Thread Laszlo Boszormenyi (GCS)
On Mon, 2012-10-08 at 14:02 +0200, Mehdi Dogguy wrote:
> On 13/09/2012 14:42, Mehdi Dogguy wrote:
> > On 25/08/12 16:34, Laszlo Boszormenyi (GCS) wrote:
> >> I plan to take over of python-eventlet . It has a FTBFS bug[1] in Wheezy
> >> due to the bug in python-greenlet [2]. It is fixed, but not migrated to
> >> testing due to an other RC bug[3]. Tried to reach its maintainer, Örjan,
> >> but no success yet. As he is MIA for two hundred days, I plan to do an
> >> NMU targeting wheezy-proposed-updates.
> > The debdiff looks okay, but what about #650293?
> Ping?
 My fault, I was ill and it's just better. Will test it on i386 today or
tomorrow.
Just for the record, Örjan is available since then.

Laszlo/GCS


Archive: http://lists.debian.org/1349711092.11633.222.camel@julia



Re: RFC: plan to NMU python-greenlet for Wheezy

2012-10-09 Thread Laszlo Boszormenyi (GCS)
On Thu, 2012-09-13 at 14:42 +0200, Mehdi Dogguy wrote:
> On 25/08/12 16:34, Laszlo Boszormenyi (GCS) wrote:
> > I plan to take over of python-eventlet . It has a FTBFS bug[1] in Wheezy
> > due to the bug in python-greenlet [2]. It is fixed, but not migrated to
> > testing due to an other RC bug[3]. Tried to reach its maintainer, Örjan,
> > but no success yet. As he is MIA for two hundred days, I plan to do an
> > NMU targeting wheezy-proposed-updates.
> >
> > Would the Release Team let me to do this? The debdiff is attached.
> 
> The debdiff looks okay, but what about #650293?
 Installed a Wheezy/i386 system and indeed, #650293 affects Wheezy.
However, with the proposed debdiff python-greenlet fixes both bugs. The
segmentation faults on i386 and python-eventlet will be buildable again.

Örjan, do you allow me to add myself as the maintainer while you will
remain as well and do a normal upload targeting Wheezy?

Laszlo/GCS


Archive: http://lists.debian.org/1349806252.11633.227.camel@julia



Bug#682172: unblock: couchdb/1.2.0-2

2012-10-11 Thread Laszlo Boszormenyi (GCS)
On Thu, 2012-10-11 at 23:18 +0200, Julien Cristau wrote:
[ about CouchDB storing its PID file as root ]
> Ping.  Is this getting fixed?
 Upstream knows about this issue, promised a fix which won't be easy as
I can remember. Now they are busy with releasing 1.3.0 and a bugfix
branch of 1.2.0 . Don't know exactly if it's included, but will ping
them.

Laszlo/GCS


-- 
Archive: http://lists.debian.org/1350019343.25403.12.camel@julia



Bug#682172: unblock: couchdb/1.2.0-2

2012-11-18 Thread Laszlo Boszormenyi (GCS)
On Mon, 2012-11-12 at 21:28 +, Adam D. Barratt wrote:
> On Fri, 2012-10-12 at 05:22 +0000, Laszlo Boszormenyi (GCS) wrote:
> > On Thu, 2012-10-11 at 23:18 +0200, Julien Cristau wrote:
> > [ about CouchDB storing its PID file as root ]
> > > Ping.  Is this getting fixed?
> >  Upstream knows about this issue, promised a fix which won't be easy as
> > I can remember. Now they are busy with releasing 1.3.0 and a bugfix
> > branch of 1.2.0 . Don't know exactly if it's included, but will ping
> > them.
> 
> Any news on that?
 Nope. :( Upstream is still busy on how 1.3.0 should be released. I
don't get any answer as of yet.

Asking about upload permission of -3 targeting Wheezy with the attached
changes.
Fixes four RC bugs. The first one is that couchdb needs some time to
stop. Added three seconds wait time to stop in initscript and to postrm
(the latter comes from Ubuntu). Otherwise couchdb can't be restarted and
can't be purged.
The rundir is now created with the help of 'install', only if it didn't
exist before.
Last, but not least the logrotate configuration is fixed. Now creates
and rotates logfiles as couchdb.

Regards,
Laszlo/GCS
diff -Nur couchdb-1.2.0-1/debian/changelog couchdb-1.2.0-3/debian/changelog
--- couchdb-1.2.0-1/debian/changelog	2012-06-29 20:31:16.0 +0200
+++ couchdb-1.2.0-3/debian/changelog	2012-11-18 21:11:08.0 +0100
@@ -1,3 +1,22 @@
+couchdb (1.2.0-3) unstable; urgency=low
+
+  * Rework couchdb own run directory (updates: #652172).
+  * Wait a bit for complete stop of service (closes: #692295).
+  * Use couchdb user for logrotate (closes: #652172).
+
+  [ Jason Gerard DeRose ]
+  * Added a short sleep delay in couchdb.postrm so couchdb is more likely to
+have actually terminated by the time we `deluser couchdb`, which is needed
+for `sudo apt-get purge couchdb` to work when couchdb is running
+
+ -- Laszlo Boszormenyi (GCS)   Sun, 18 Nov 2012 12:24:24 +0100
+
+couchdb (1.2.0-2) unstable; urgency=low
+
+  * Make couchdb user own its run directory (closes: #681549).
+
+ -- Laszlo Boszormenyi (GCS)   Thu, 19 Jul 2012 20:13:25 +0200
+
 couchdb (1.2.0-1) unstable; urgency=low
 
   * New major upstream release (closes: #672141).
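Review bot: the first 1.2.0-3 bullet, "Rework couchdb own run directory (updates: #652172)", carries the same bug number as the logrotate bullet two lines below it, while the 1.2.0-2 entry and the Bug-Debian field of couchdb_own_rundir.patch track the run directory work under #681549. One of the two references looks like a copy and paste slip; the run directory line should probably read "updates: #681549". The Jason Gerard DeRose section also describes the postrm sleep without any bug reference, so if the purge failure has its own report it should be closed here.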
diff -Nur couchdb-1.2.0-1/debian/patches/couchdb_own_rundir.patch couchdb-1.2.0-3/debian/patches/couchdb_own_rundir.patch
--- couchdb-1.2.0-1/debian/patches/couchdb_own_rundir.patch	1970-01-01 01:00:00.0 +0100
+++ couchdb-1.2.0-3/debian/patches/couchdb_own_rundir.patch	2012-11-18 21:32:47.696128156 +0100
@@ -0,0 +1,20 @@
+Description: Initscript creates RUN_DIR , make sure it's owned by couchdb
+ Use install to make COUCHDB_USER own the RUN_DIR being created.
+Author: Laszlo Boszormenyi (GCS) 
+Bug-Debian: http://bugs.debian.org/681549
+Last-Update: 2012-11-18
+
+---
+
+--- couchdb-1.2.0.orig/etc/init/couchdb.tpl.in
 couchdb-1.2.0/etc/init/couchdb.tpl.in
+@@ -83,7 +83,8 @@ run_command () {
+ start_couchdb () {
+ # Start Apache CouchDB as a background process.
+ 
+-mkdir -p "$RUN_DIR"
++test -e "$RUN_DIR" || \
++install -m 755 -o "$COUCHDB_USER" -g "$COUCHDB_USER" -d "$RUN_DIR"
+ command="$COUCHDB -b"
+ if test -n "$COUCHDB_STDOUT_FILE"; then
+ command="$command -o $COUCHDB_STDOUT_FILE"
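Review bot: in start_couchdb, 'test -e "$RUN_DIR" ||' skips the install whenever the path already exists, so a run directory left root-owned by the old 'mkdir -p "$RUN_DIR"' keeps its ownership, and a non-directory at that path passes the test as well. The Description promises "make sure it's owned by couchdb", which only holds on first creation. Consider 'test -d' plus a chown of an already existing directory, or say in the Description where the upgrade case is handled.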
diff -Nur couchdb-1.2.0-1/debian/patches/logrotate_as_couchdb.patch couchdb-1.2.0-3/debian/patches/logrotate_as_couchdb.patch
--- couchdb-1.2.0-1/debian/patches/logrotate_as_couchdb.patch	1970-01-01 01:00:00.0 +0100
+++ couchdb-1.2.0-3/debian/patches/logrotate_as_couchdb.patch	2012-11-18 21:31:42.084124771 +0100
@@ -0,0 +1,16 @@
+Description: Use logrotate as couchdb user
+ Use su and create to make logfiles owned by couchdb
+Author: Laszlo Boszormenyi (GCS) 
+Bug-Debian: http://bugs.debian.org/652172
+Last-Update: 2012-11-18
+---
+
+--- couchdb-1.2.0.orig/etc/logrotate.d/couchdb.tpl.in
 couchdb-1.2.0/etc/logrotate.d/couchdb.tpl.in
+@@ -6,4 +6,6 @@
+compress
+notifempty
+missingok
++   su couchdb couchdb
++   create 0640 couchdb couchdb
+ }
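Review bot: the two added directives, 'su couchdb couchdb' and 'create 0640 couchdb couchdb', hard-code the account name inside a .tpl.in template, while the init script change in the same upload uses "$COUCHDB_USER". If the service user is ever configured differently, rotation will run as, and create files for, the wrong account. Either use the template's substitution for the user if it offers one, or state in the Description that the name is deliberately fixed to the Debian package's couchdb user.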
diff -Nur couchdb-1.2.0-1/debian/patches/series couchdb-1.2.0-3/debian/patches/series
--- couchdb-1.2.0-1/debian/patches/series	2011-11-27 09:19:17.0 +0100
+++ couchdb-1.2.0-3/debian/patches/series	2012-11-18 21:16:56.0 +0100
@@ -1 +1,4 @@
 force-reload.patch
+couchdb_own_rundir.patch
+logrotate_as_couchdb.patch
+wait_for_couchdb_stop.patch
diff -Nur couchdb-1.2.0-1/debian/patches/wait_for_couchdb_stop.patch couchdb-1.2.0-3/debian/patches/wait_for_couchdb_stop.patch
--- couchdb-1.2.0-1/debian/patches/wait_for_couchdb_stop.patch	1970-01-01 01:00:00.0 +0100
+++ couchdb-1.2.0-3/debian/patches/wait_for_couchdb_stop.patch	2012-11-18 21:20:05.0 +0100
@@ -0,0 +1,17 @@
+Description: Wait three seconds to let couchdb really st

Bug#682172: unblock: couchdb/1.2.0-2

2012-11-18 Thread Laszlo Boszormenyi (GCS)
On Mon, 2012-11-19 at 01:56 +0100, Michael Biebl wrote:
> On 18.11.2012 21:42, Laszlo Boszormenyi (GCS) wrote:
> > Fixes four RC bugs. The first one is that couchdb needs some time to
> > stop. Added three seconds wait time to stop in initscript and to postrm
> > (the latter comes from Ubuntu). Otherwise couchdb can't be restarted and
> > can't be purged.
> 
> Such sleeps are really icky.
> Who says 3 seconds are enough?
> That entirely depends on your hardware and in what situation your system
> is in (load, etc).
> 
> If "couchdb -d", which is used on stop, does not block until the server
> has been safely shutdown, then this needs to be fixed, properly.
 Agree. That's another thing upstream should fix. However I don't think
that would happen soon, at least not for Wheezy. I'll ask about it.
Until then this sleep may fix the majority (maybe all) of the
problems.

Laszlo/GCS


-- 
Archive: http://lists.debian.org/1353287914.15123.279.camel@julia



Bug#682172: unblock: couchdb/1.2.0-2

2012-11-20 Thread Laszlo Boszormenyi (GCS)
On Mon, 2012-11-19 at 11:07 +0100, Julien Cristau wrote:
> On Mon, Nov 19, 2012 at 01:18:34 +0000, Laszlo Boszormenyi (GCS) wrote:
> >  Agree. That's another thing upstream should fix. However I don't think
> > that would happen soon, at least not for Wheezy. I'll ask about it.
> > Until then this sleep may fix the majority (maybe all) of the
> > problems.
> > 
> Why can't this be fixed in your init script if upstream won't fix it in
> time?
 Touché! First I thought it's not possible. 'couchdb -d' sends a signal
to the running process that it should stop. It returns immediately and
doesn't wait until it completely ends. Then found 'couchdb -s' which
displays the status of the daemon. While it's not my initscript, I've
changed that to wait until the status is running.
Changes between the current Wheezy version and the planned 1.2.0-3
upload are attached.
In short, it fixes four RC bugs:
- now properly create a couchdb owned rundir,
- wait for complete stop of the daemon, and this allows to:
  - purge the package properly,
  - restart the service without failing,
- logrotate will properly own the rotated files.

Hope it's now ready to go and will have the promise to be unblocked when
its time comes.

Regards,
Laszlo/GCS
diff -Nur couchdb-1.2.0-1/debian/changelog couchdb-1.2.0-3/debian/changelog
--- couchdb-1.2.0-1/debian/changelog	2012-06-29 20:31:16.0 +0200
+++ couchdb-1.2.0-3/debian/changelog	2012-11-20 21:36:00.0 +0100
@@ -1,3 +1,17 @@
+couchdb (1.2.0-3) unstable; urgency=low
+
+  * Rework couchdb own run directory (updates: #681549).
+  * Wait until complete stop of service (closes: #692295).
+  * Use couchdb user for logrotate (closes: #652172).
+
+ -- Laszlo Boszormenyi (GCS)   Sun, 18 Nov 2012 12:24:24 +0100
+
+couchdb (1.2.0-2) unstable; urgency=low
+
+  * Make couchdb user own its run directory (closes: #681549).
+
+ -- Laszlo Boszormenyi (GCS)   Thu, 19 Jul 2012 20:13:25 +0200
+
 couchdb (1.2.0-1) unstable; urgency=low
 
   * New major upstream release (closes: #672141).
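Review bot: the 1.2.0-3 trailer still reads "Sun, 18 Nov 2012 12:24:24 +0100" although this revision of the entry changes "Wait a bit" to "Wait until complete stop" and the file itself is dated 2012-11-20; refresh the timestamp before upload. The covering mail counts four RC bugs, but the entry references only three bug numbers (#681549, #692295, #652172), so the purge failure should either get its own "closes:" or the bullet should say it is covered by #692295.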
diff -Nur couchdb-1.2.0-1/debian/patches/couchdb_own_rundir.patch couchdb-1.2.0-3/debian/patches/couchdb_own_rundir.patch
--- couchdb-1.2.0-1/debian/patches/couchdb_own_rundir.patch	1970-01-01 01:00:00.0 +0100
+++ couchdb-1.2.0-3/debian/patches/couchdb_own_rundir.patch	2012-11-18 21:32:47.0 +0100
@@ -0,0 +1,20 @@
+Description: Initscript creates RUN_DIR , make sure it's owned by couchdb
+ Use install to make COUCHDB_USER own the RUN_DIR being created.
+Author: Laszlo Boszormenyi (GCS) 
+Bug-Debian: http://bugs.debian.org/681549
+Last-Update: 2012-11-18
+
+---
+
+--- couchdb-1.2.0.orig/etc/init/couchdb.tpl.in
 couchdb-1.2.0/etc/init/couchdb.tpl.in
+@@ -83,7 +83,8 @@ run_command () {
+ start_couchdb () {
+ # Start Apache CouchDB as a background process.
+ 
+-mkdir -p "$RUN_DIR"
++test -e "$RUN_DIR" || \
++install -m 755 -o "$COUCHDB_USER" -g "$COUCHDB_USER" -d "$RUN_DIR"
+ command="$COUCHDB -b"
+ if test -n "$COUCHDB_STDOUT_FILE"; then
+ command="$command -o $COUCHDB_STDOUT_FILE"
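Review bot: on the added install line, '-g "$COUCHDB_USER"' passes the user name as the group, which assumes a group with the same name as the service account always exists. If the init script or its defaults file has a separate group setting, use that here; otherwise record the assumption in the patch Description so a later change of the account does not silently break directory creation.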
diff -Nur couchdb-1.2.0-1/debian/patches/logrotate_as_couchdb.patch couchdb-1.2.0-3/debian/patches/logrotate_as_couchdb.patch
--- couchdb-1.2.0-1/debian/patches/logrotate_as_couchdb.patch	1970-01-01 01:00:00.0 +0100
+++ couchdb-1.2.0-3/debian/patches/logrotate_as_couchdb.patch	2012-11-18 21:31:42.0 +0100
@@ -0,0 +1,16 @@
+Description: Use logrotate as couchdb user
+ Use su and create to make logfiles owned by couchdb
+Author: Laszlo Boszormenyi (GCS) 
+Bug-Debian: http://bugs.debian.org/652172
+Last-Update: 2012-11-18
+---
+
+--- couchdb-1.2.0.orig/etc/logrotate.d/couchdb.tpl.in
 couchdb-1.2.0/etc/logrotate.d/couchdb.tpl.in
+@@ -6,4 +6,6 @@
+compress
+notifempty
+missingok
++   su couchdb couchdb
++   create 0640 couchdb couchdb
+ }
diff -Nur couchdb-1.2.0-1/debian/patches/series couchdb-1.2.0-3/debian/patches/series
--- couchdb-1.2.0-1/debian/patches/series	2011-11-27 09:19:17.0 +0100
+++ couchdb-1.2.0-3/debian/patches/series	2012-11-20 21:35:33.0 +0100
@@ -1 +1,4 @@
 force-reload.patch
+couchdb_own_rundir.patch
+logrotate_as_couchdb.patch
+wait_for_couchdb_stop.patch
diff -Nur couchdb-1.2.0-1/debian/patches/wait_for_couchdb_stop.patch couchdb-1.2.0-3/debian/patches/wait_for_couchdb_stop.patch
--- couchdb-1.2.0-1/debian/patches/wait_for_couchdb_stop.patch	1970-01-01 01:00:00.0 +0100
+++ couchdb-1.2.0-3/debian/patches/wait_for_couchdb_stop.patch	2012-11-20 21:52:18.0 +0100
@@ -0,0 +1,20 @@
+Description: Wait for complete stop of CouchDB
+ Check if CouchDB is already stopped and wait for a second if not before
+ checking again.
+ .
+Author: Laszlo Boszormenyi (GCS) 
+Bug-Debian: http://bugs.debian.org/692295
+

Bug#682172: unblock: couchdb/1.2.0-2

2012-11-21 Thread Laszlo Boszormenyi (GCS)
On Wed, 2012-11-21 at 19:36 +0100, Julien Cristau wrote:
> On Tue, Nov 20, 2012 at 21:17:21 +0000, Laszlo Boszormenyi (GCS) wrote:
> Thanks, I think that should be acceptable.
 OK, -3 will be uploaded if you nod on the s/couchdb/$COUCHDB/ change.
See below.

> > - logrotate will properly own the rotated files.
> > 
> OK, I guess.  Though why is the dir owned by couchdb in the first place
> instead of root?
 It's common for daemons to own their logdir and logfiles, even weird
owners do exist. See Apache2, its logdir is root:adm /var/log/apache2/ ,
for Exim it's Debian-exim:adm /var/log/exim4/ . But for the former, see
MongoDB: mongodb:mongodb /var/log/mongodb/ ,
MySQL: mysql:adm /var/log/mysql/ , Redis: redis:redis /var/log/redis/ .
CouchDB uses the same, its logdir is couchdb:couchdb /var/log/couchdb/ ,
can't give you a special reason for that.

> > +--- couchdb-1.2.0.orig/etc/init/couchdb.tpl.in
> >  couchdb-1.2.0/etc/init/couchdb.tpl.in
> > +@@ -102,6 +102,8 @@ stop_couchdb () {
> > + # Stop the running Apache CouchDB process.
> > + 
> > + run_command "$COUCHDB -d" > /dev/null
> > ++while [ $(couchdb -s 2>/dev/null | grep -c process) -eq 1 ]; \
> > ++do echo -n .; sleep 1; done;
> > + }
> > + 
> > + display_status () {
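Review bot: the while loop added to stop_couchdb has no upper bound, so if the status command keeps printing a line containing "process" (a hung daemon, for instance) the init script's stop never returns, and neither does the restart or purge that called it. Add a retry limit that makes stop fail with a non-zero status once it is exceeded. The condition also requires 'grep -c process' to return exactly 1, so status output with two matching lines would end the wait while the daemon is still running; 'grep -q process' as the loop condition avoids that.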
> 
> Slightly weird to use $COUCHDB everywhere except in this one place where
> you write couchdb.
 Tested on the CLI, then copied late in the evening. Will be:
++while [ $($COUCHDB -s 2>/dev/null | grep -c process) -eq 1 ]; \
++do echo -n .; sleep 1; done;

Is it okay to upload -3 with the discussed changes?

Cheers,
Laszlo/GCS


-- 
Archive: http://lists.debian.org/1353530389.15123.335.camel@julia
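
A bounded variant of the status-polling wait discussed in this thread, as an added example that is not part of the original messages or of the uploaded package. The names wait_for_stop, fake_status and demo are hypothetical, and the status text is constructed; the only assumption taken from the thread is that the status command prints a line containing "process" while the daemon is running.

```shell
#!/bin/sh
# wait_for_stop STATUS_CMD MAX_POLLS [INTERVAL]
# Polls STATUS_CMD until its output no longer contains "process".
# Returns 0 when the daemon is reported stopped, 1 if it is still
# reported running after MAX_POLLS polls (so the caller can fail).
wait_for_stop () {
    status_cmd=$1
    max_polls=$2
    interval=${3:-1}
    polls=0
    # $status_cmd is left unquoted on purpose so "couchdb -s" style
    # strings split into command and argument.
    while $status_cmd 2>/dev/null | grep -q process; do
        polls=$((polls + 1))
        if [ "$polls" -ge "$max_polls" ]; then
            return 1
        fi
        sleep "$interval"
    done
    return 0
}

# Constructed stand-in for the real status command: reports a running
# process for the first N calls (N is kept in the file $FAKE_STATE),
# then reports that nothing is running.
fake_status () {
    left=$(cat "$FAKE_STATE")
    if [ "$left" -gt 0 ]; then
        echo $((left - 1)) > "$FAKE_STATE"
        echo "daemon is running as process 4242"
    else
        echo "daemon is not running"
        return 1
    fi
}

# demo RUNNING_POLLS MAX_POLLS: run wait_for_stop against fake_status
# with a zero-second interval and return its exit status.
demo () {
    FAKE_STATE=$(mktemp)
    echo "$1" > "$FAKE_STATE"
    rc=0
    wait_for_stop fake_status "$2" 0 || rc=$?
    rm -f "$FAKE_STATE"
    return "$rc"
}
```

In an init script the non-zero return is the point: stop can report failure instead of blocking a restart or purge indefinitely.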


