Bug#1087931: bookworm-pu: package criu/3.17.1-2+deb12u1

2024-11-20 Thread Florian Weimer
* Salvatore Bonaccorso: > Hi Florian, > > On Wed, Nov 20, 2024 at 02:05:46PM +0100, Florian Weimer wrote: >> * Salvatore Bonaccorso: >> >> > [ Changes ] >> > Quoting the upstream commit is likely the best to explain the changes: >> > >>

Bug#1087931: bookworm-pu: package criu/3.17.1-2+deb12u1

2024-11-20 Thread Florian Weimer
ee using clone*() syscalls, > | don't use exec*() (!) syscalls, so rseq gets inherited > | in the kernel and rseq configuration remains the same > | for all children processes. There's a further commit you should consider picking up: commit 089345f77a34d1bc7ef146d650636afcd3cdda

Re: Bug#975016: Python 2 / OpenJDK 15 support state for Bullseye

2020-11-18 Thread Florian Weimer
* Matthias Klose: > As background: OpenJDK 12 can only be built with 11, 13 with 12, 14 with 13, > 15 > with 14, 16 with 15. Only having 11 in bullseye would make backports more > "interesting". All recent OpenJDK releases can be built by themselves, right? That's good enough for backports, I t

Re: Arch qualification for buster: call for DSA, Security, toolchain concerns

2020-08-04 Thread Florian Weimer
* Florian Weimer: >> * Concern for mips, mips64el, mipsel and ppc64el: no upstream support >>in GCC >>(Raised by the GCC maintainer; carried over from stretch) > > I'm surprised to read this. ppc64el features prominently in the > toolchain work I do (th

Re: Arch qualification for buster: call for DSA, Security, toolchain concerns

2020-07-08 Thread Florian Weimer
* Paul Gevers: > * Concern for armel and armhf: only secondary upstream support in GCC >(Raised by the GCC maintainer; carried over from stretch and buster) glibc upstream lately has trouble finding qualified persons to implement security fixes for the 32-bit Arm architecture. > * Concern

Re: Should qpdf depend on gnutls?

2020-04-09 Thread Florian Weimer
* Jay Berkenbilt: > I'm about to release qpdf 10. Someone contributed an openssl crypto > provider. Do you think I should build with the qpdf packages for > debian with 1) only gnutls, 2) only openssl, or 3) both gnutls and > openssl? Option 3 allows users to select at runtime but makes qpdf > dep

Bug#928143: unblock: glibc/2.28-9

2019-04-29 Thread Florian Weimer
* Aurelien Jarno: > - Fix for memusagestat's Makefile related code, which has no impact on > the generated code. Sorry, I screwed that one up and had to revert it upstream for the 2.28 branch. I don't think the bug introduced by this commit matters for Debian at present, but it will cause prob

Re: Glibc 2.28 breaks collation for PostgreSQL (and others?)

2019-03-25 Thread Florian Weimer
* Christoph Berg: > with the update to glibc 2.28, collation aka sort ordering is > changing: > > $ echo $LANG > de_DE.utf8 > $ (echo 'a-a'; echo 'a a'; echo 'a+a'; echo 'aa') | sort > > stretch: > aa > a a > a-a > a+a > > buster: > a a > a+a > a-a > aa > > A vast number of locales

Re: Arm ports build machines (was Re: Arch qualification for buster: call for DSA, Security, toolchain concerns)

2018-06-29 Thread Florian Weimer
* Luke Kenneth Casson Leighton: > that is not a surprise to hear: the massive thrashing caused by the > linker phase not being possible to be RAM-resident will be absolutely > hammering the drives beyond reasonable wear-and-tear limits. which is > why i'm recommending people try "-Wl,--no-keep-m

Re: Arch qualification for buster: call for DSA, Security, toolchain concerns

2018-06-28 Thread Florian Weimer
* Niels Thykier: > armel/armhf: > > > * Undesirable to keep the hardware running beyond 2020. armhf VM >support uncertain. (DSA) >- Source: [DSA Sprint report] Fedora is facing an issue running armhf under virtualization on arm64:

Re: [release-notes/stretch] Release notes sign-off from the security team

2017-05-01 Thread Florian Weimer
* Julien Cristau: > On Mon, Apr 3, 2017 at 20:43:08 +0200, Florian Weimer wrote: > >> * Niels Thykier: >> >> > There is a security team related item in the release checklist where we >> > need input from the you[1]: >> > >> > Items are:

Re: [release-notes/stretch] Release notes sign-off from the security team

2017-04-03 Thread Florian Weimer
* Niels Thykier: > There is a security team related item in the release checklist where we > need input from the you[1]: > > Items are: > * release-notes: Security Team signoff for lower supported packages > > Please review the release notes and file bugs for the missing items (if > any) and let

Re: Enabling PIE by default for Stretch

2016-09-30 Thread Florian Weimer
* Niels Thykier: > Florian Weimer: >> * Niels Thykier: >> >>> [...] >> >> Do you think that PIE-by-default makes BIND_NOW-by-default >> unnecessary? >> >> (The argument is that with PIE, it is much more difficult to get a >> control

Re: Enabling PIE by default for Stretch

2016-09-30 Thread Florian Weimer
* Niels Thykier: > As brought up on the meeting last night, I think we should try to go for > PIE by default in Stretch on all release architectures! > * It is a substantial hardening feature > * Upstream has vastly reduced the performance penalty for x86 > * The majority of all porters believe

Re: [Stretch] Status for architecture qualification

2016-06-19 Thread Florian Weimer
> In other words, i don't think a s390x box will ever just die. I'm sure “death” encompasses all events which might lead Debian to lose access to relevant hardware. It's not just about faults with a piece of equipment.

Re: [Stretch] Status for architecture qualification

2016-06-19 Thread Florian Weimer
* Lennart Sorensen: > There are a lot of 32bit powerpc chips still going into embedded systems > being built today. They are not going away anytime soon. Do they implement the ISA required by the existing Debian port?

Bug#824872: jessie-pu: package nspr/2:4.12-2+deb8u1

2016-05-29 Thread Florian Weimer
* Guido Günther: > Note that the only (as to my understanding) serious regression has been > pointed out by Florian as well: > > https://lists.debian.org/debian-lts/2015/11/msg00037.html > https://bugzilla.redhat.com/show_bug.cgi?id=1260698 > > and it's unclear if this part of the ABI. Th

Removal of docker.io from jessie

2015-03-22 Thread Florian Weimer
The security team has concerns that docker.io cannot be maintained in jessie. I asked upstream about the Go version commitment (we cannot rebase to Go 1.4 or later in jessie because it could break user code): (Not sure if this li

Re: [SRM] krb5 changelog missing CVE

2012-01-04 Thread Florian Weimer
* Philipp Kern: > On Wed, Jan 04, 2012 at 07:48:27AM +0100, Florian Weimer wrote: >> * Adam D. Barratt: >> > Apologies if I'm missing something, but if the packages are already in >> > the queue on security-master, wouldn't it be simpler (and possibly more >

Re: [SRM] krb5 changelog missing CVE

2012-01-03 Thread Florian Weimer
* Adam D. Barratt: > Apologies if I'm missing something, but if the packages are already in > the queue on security-master, wouldn't it be simpler (and possibly more > logical) to release them from there? Hmmm, looking at the tracker, > maybe because they're "just" DoS issues? Yes, and we'd have

Re: [SRM] krb5 changelog missing CVE

2012-01-03 Thread Florian Weimer
* Adam D. Barratt: > On Tue, 2012-01-03 at 20:09 +0100, Florian Weimer wrote: >> * Sam Hartman: >> >> > Florian Weimer noticed that the krb5 changelog in squeeze was missing a >> > CVE that was fixed in the patch applied. >> > He proposes to make a new

Re: [SRM] krb5 changelog missing CVE

2012-01-03 Thread Florian Weimer
* Sam Hartman: >>>>>> "Florian" == Florian Weimer writes: > > Florian> * Sam Hartman: > >> Florian Weimer noticed that the krb5 changelog in squeeze was > >> missing a CVE that was fixed in the patch applied. He proposes >

Re: [SRM] krb5 changelog missing CVE

2012-01-03 Thread Florian Weimer
* Sam Hartman: > Florian Weimer noticed that the krb5 changelog in squeeze was missing a > CVE that was fixed in the patch applied. > He proposes to make a new upload that corrects the changelog so that > people who track security issues from the changelog will find the fix: Sorry,

Re: Bug#645881: critical update 29 available

2011-12-11 Thread Florian Weimer
* Matthias Klose: > On 12/11/2011 01:07 PM, Holger Levsen wrote: >> Hi, >> >> On Sonntag, 11. Dezember 2011, Philipp Kern wrote: >>> sorry, but I'd rather like to have an announcement that it has a bug, >> >> me too, for all the reasons Philipp noted. >> >> It's also trivial to download the fix

Re: Bug#645881: critical update 29 available

2011-12-11 Thread Florian Weimer
* Philipp Kern: > sun-java6 is sadly still a very high profile package. I won't go and > break all those installations which force sun-java6 over openjdk-6 > locally, either in unattended installations or through other means. It's really unfortunate that most of those installations seem to need

Re: Bug#645881: critical update 29 available

2011-12-01 Thread Florian Weimer
* Moritz Mühlenhoff: > Florian, what's the status of openjdk6 for stable/oldstable? I've released the pending update for squeeze. lenny will eventually follow, and so will the pending updates for squeeze, but judging by my past performance, it will take a while. If someone else wants to work on

Re: Bug#645881: critical update 29 available

2011-10-21 Thread Florian Weimer
* Moritz Muehlenhoff: > As for stable/oldstable: I noticed that Red Hat provided packages for > update 29 for RHEL 4 (RHEL 5 onwards use OpenJDK): > http://lwn.net/Articles/463919/ If anyone remembers the rationale behind the DLJ, perhaps they can check if the current BCL matches our needs, too?

Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

2011-06-16 Thread Florian Weimer
* Dominic Hargreaves: >> > Okay, then we should release a DSA for it, so that the breakage is >> > more easily blamed on this particular change, and that it's less >> > confusing if we have to issue follow-up DSAs. Perhaps late May or >> > early June would be a convenient release date? >> >> Was

Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

2011-04-30 Thread Florian Weimer
* Adam D. Barratt: > I do share Florian's concern about the potential breakage as a result of > the change. Do we have any idea how many packages in {old,}stable would > be affected and to what degree? Particularly in the case of oldstable, > with its four month update cycle, fixing packages bro

Re: PostgreSQL security update

2011-02-01 Thread Florian Weimer
* Martin Pitt: > Florian Weimer [2011-02-01 23:36 +0100]: >> You've confused the versions, I'm afraid. > > Erk, sorry. That was just in the email, though. >> >> For lenny, we need an 8.3 update. > > http://people.debian.org/~mpitt/psql/lenny/ has 8.3

Re: PostgreSQL security update

2011-02-01 Thread Florian Weimer
* Martin Pitt: > PostgreSQL just announced new microreleases which fix one security > issue and several bugs. Details at > > http://www.postgresql.org/about/news.1289 > > I already uploaded 8.4.7 and 9.0.3 to unstable with the fixes. > > I prepared a lenny update in [1] which is ready for upload

Re: OpenJDK / default JDK for squeeze / issues on mips / open security issues for lenny

2011-01-19 Thread Florian Weimer
* tony mancill: > On 01/14/2011 11:46 AM, Florian Weimer wrote: >> * tony mancill: >> >>> As per Section 5.8.5 of the Developer's Reference, I'd like to get >>> confirmation from the Security Team that they are anticipating and >>> approve of

Re: OpenJDK / default JDK for squeeze / issues on mips / open security issues for lenny

2011-01-16 Thread Florian Weimer
* Florian Weimer: > AFAICT, Debian is actually shipping IcedTea releases, but those are > re-rebranded as IcedTea. Sorry, "re-rebranded as OpenJDK".

Re: OpenJDK / default JDK for squeeze / issues on mips / open security issues for lenny

2011-01-16 Thread Florian Weimer
* Torsten Werner: > Hi, > > On Sun, Jan 16, 2011 at 11:09 AM, Julien Cristau wrote: >> How does that follow?  These kinds of updates are sort of allowed for >> sun-java6 because it's non-free so there's no choice.  That does not >> apply to openjdk, as far as I know. > > I think that openjdk is n

Re: OpenJDK / default JDK for squeeze / issues on mips / open security issues for lenny

2011-01-16 Thread Florian Weimer
* Matthias Klose: > get the files from testing/unstable && touch debian/control.in && > debian/rules debian/control I end up with this: mkdir -p /tmp/buildd/openjdk-6-6b18-1.8.3/build/plugin/icedteanp && \ cd /tmp/buildd/openjdk-6-6b18-1.8.3/build/plugin/icedteanp && \ x86_64-lin

Re: OpenJDK / default JDK for squeeze / issues on mips / open security issues for lenny

2011-01-14 Thread Florian Weimer
* tony mancill: > As per Section 5.8.5 of the Developer's Reference, I'd like to get > confirmation from the Security Team that they are anticipating and > approve of the upload of the new source version. (My apologies if this > has already been covered; I joined the thread already in progress.)

squeeze upload for eglibc due to DSA-2122-2

2011-01-11 Thread Florian Weimer
I would like to make an upload of eglibc to address DSA-2122-2 (the first round of patches for the $ORIGIN/LD_AUDIT issue does not cover all corner cases, unfortunately). The changes match those in 2.7-18lenny7, which are based almost verbatim on the upstream patches (except for whitespace changes

Re: Bug#604016: Please support 3w-sas controllers

2010-12-23 Thread Florian Weimer
* Adam D. Barratt: > On Wed, 2010-12-01 at 16:12 +0000, Florian Weimer wrote: >> * Julien Cristau: >> >> > On Mon, Nov 22, 2010 at 12:11:43 +0100, Giuseppe Iuculano wrote: >> > >> >> Release Team, >> >> >> >> Would this be a

Re: Bug#604016: Please support 3w-sas controllers

2010-12-01 Thread Florian Weimer
rt tomorrow, using the hardware in question. -- Florian Weimer BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99

Re: New PostgreSQL security/bug fix releases: 8.4.5, 8.3.12 [CVE-2010-3433]

2010-10-06 Thread Florian Weimer
* Martin Pitt: > Please let me know how to proceed with the security update. Please upload the lenny part to security-master.

Re: possible xorg-server update in lenny?

2010-09-19 Thread Florian Weimer
* Julien Cristau: > I've got a few changes queued up for xorg-server in lenny, and was > wondering if it's worth uploading them at some point soonish. I guess I > could add the fix for CVE-2009-1573 (a minor bug in xvfb-run). Yes, please do. Thanks for taking care of these bugs.

Re: OpenJDK / default JDK for squeeze / issues on mips / open security issues for lenny

2010-08-15 Thread Florian Weimer
* Philipp Kern: > Florian, > > On 08/08/2010 11:21 AM, Florian Weimer wrote: >> Cool, it's based on OpenJDK 6b18. However, we can't upload it as-is >> because the version number is greater than the one in testing. >> > > apart from the fact that

Re: OpenJDK / default JDK for squeeze / issues on mips / open security issues for lenny

2010-08-08 Thread Florian Weimer
* Matthias Klose: > Or does everybody see openjdk as an alibi for Debian to build things > and then use the sun-java packages from non-free? I know folks who use it in production, admittedly with compiler excludes to work around some C2 bugs. > For those who are interested in an openjdk-6 update

Minor update request for /proposed-updates/stable.html

2010-04-11 Thread Florian Weimer
Hi, in , would you please change the reference to security-tracker.debian.*net* to security-tracker.debian.*org*? Thanks, Florian

Re: GCC 4.4 run-time license and non-GPLv3 compilers

2009-11-22 Thread Florian Weimer
* Matthias Klose: > On 21.11.2009 06:20, Florian Weimer wrote: >> * Steve Langasek: >> >>> It's been suggested to me that it might help Debian move forward on this >>> issue if I provide some background on why Canonical has chosen to not regard >>&

Re: GCC 4.4 run-time license and non-GPLv3 compilers

2009-11-21 Thread Florian Weimer
* Steve Langasek: > It's been suggested to me that it might help Debian move forward on this > issue if I provide some background on why Canonical has chosen to not regard > this issue as critical for Ubuntu. My personal impression is that Debian does not view this issue as critical, either. Swi

Re: open issues with the hppa port

2009-10-09 Thread Florian Weimer
* Carlos O'Donell: > The nptl enabled hppa libc packages are in experimental. > e.g. > apt-get -t experimental install libc6 Out of curiosity, does this version support cross-process mutexes?

Re: Bug#548126: pu: package opensaml2/2.0-2+lenny1

2009-10-07 Thread Florian Weimer
* Florian Weimer: > Right. Please upload opensaml2 first (after sending in a source > debdiff for review), and then wait with uploading shibboleth-sp2 until > we tell you it's okay to do so. It's now possible to upload shibboleth-sp2 to security-master. Thanks for your a

Re: Bug#548126: pu: package opensaml2/2.0-2+lenny1

2009-10-07 Thread Florian Weimer
* Faidon Liambotis: > Florian Weimer wrote: >> Right. Please upload opensaml2 first (after sending in a source >> debdiff for review), and then wait with uploading shibboleth-sp2 until >> we tell you it's okay to do so. > OK, will do. How should we handle the fact

Re: Bug#548126: pu: package opensaml2/2.0-2+lenny1

2009-10-06 Thread Florian Weimer
* Faidon Liambotis: >> Please note that this fix is in a header file in a function that's >> inlined, so after this update is accepted (assuming it's accepted), >> shibboleth-sp2 in stable will need to be rebuilt against the new version >> of opensaml2. I understand that this can be done via the

Re: New PostgreSQL microreleases -- -updates or -security?

2009-09-13 Thread Florian Weimer
* Martin Pitt: > My gut feeling is that it should go through s-p-u (Debian), and > -proposed (Ubuntu) and be copied to -updates after some time of > testing. After conferring with Tom Lane from upstream, I lean towards releasing a DSA. Please contact security@ when you've got packages which you

Re: Status of Haskell in unstable/testing

2009-08-28 Thread Florian Weimer
* Luk Claes: > Florian Weimer wrote: >> * Luk Claes: >> >>> The most important issues seems to be that ghc6 FTBFS on ia64 [1]. >> >> Is ia64 a registerized build (if this GHC-ism is still relevant)? > > You apparently did not include the footnot

Re: Status of Haskell in unstable/testing

2009-08-28 Thread Florian Weimer
* Luk Claes: > The most important issues seems to be that ghc6 FTBFS on ia64 [1]. Is ia64 a registerized build (if this GHC-ism is still relevant)?

Re: Advice; want to upload new onak package to stable

2009-05-29 Thread Florian Weimer
* Jonathan McDowell: > I'd like to upload a new onak package to stable to fix #520117 by > rebuilding against db4.5 instead of db4.6 - I'm hitting what seems to be > #510270 in db4.6. Shouldn't this be fixed in db4.6 instead?

Re: BIND 1:9.5.1.dfsg.P2-1 for stable

2009-04-29 Thread Florian Weimer
* Florian Weimer: > Hi, > > I'd like to upload 1:9.5.1.dfsg.P2-1 to stable-proposed-updates (as > 1:9.5.1.dfsg.P2-1+lenny1) to fix a bug in DLV processing. We can then > point users to this version if they use dlv.isc.org and experience > resolution failures for .gov:

BIND 1:9.5.1.dfsg.P2-1 for stable

2009-04-29 Thread Florian Weimer
Hi, I'd like to upload 1:9.5.1.dfsg.P2-1 to stable-proposed-updates (as 1:9.5.1.dfsg.P2-1+lenny1) to fix a bug in DLV processing. We can then point users to this version if they use dlv.isc.org and experience resolution failures for .gov:

Re: Bug#503992: Request of authorisation for an upload of Snort in stable to fix 503992

2009-03-22 Thread Florian Weimer
* Javier Fernández-Sanguino Peña: >> It's probably a security bug on its own, so it probably should go >> through the DSA process, even though the bug was introduced through >> t-p-u before the lenny release. > > Since Neil answered already I uploaded the packages to stable using the patch > I sen

Re: Request of authorisation for an upload of Snort in stable to fix 503992

2009-03-22 Thread Florian Weimer
* Luk Claes: >> I would like to make an upload to stable to fix bug 503992 of Snort. Basically, >> this bug was introduced with the patch for a security vulnerability but >> introduced a sigsegv due to an improper call to a function. This error kills >> the Snort IDS as soon as it receives fragmente

Re: Whoos with GnuTLS and md5-signed certificates

2009-02-24 Thread Florian Weimer
* Florian Weimer: > Would those who have an interest in this topic please test the patch > in > > <http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=97;bug=514807;mbox=yes> > > and report if it improves things for them? Thanks. For the record, it's very likely that w

Re: Whoos with GnuTLS and md5-signed certificates

2009-02-16 Thread Florian Weimer
Would those who have an interest in this topic please test the patch in and report if it improves things for them? Thanks.

Re: Whoos with GnuTLS and md5-signed certificates

2009-02-14 Thread Florian Weimer
* Bastian Blank: > GnuTLS stopped accepting MD5 as a proper signature type for certificates > just two weeks before the release. While I don't question the decision > themself, MD5 is broken since 4 years, I question the timing. GNUTLS has rejected RSA-MD5 signatures in X.509 certificate chains s

Screw-up: typo3-src 4.2.4-1 accepted into testing-security

2009-01-26 Thread Florian Weimer
Hi, I've accidentally ACCEPTed typo3-src version 4.2.4-1 into the testing security archive because it was still in the queue unexpectedly. I don't know what the impact is because the same version migrated to testing today anyway, it seems. In any case, I hope you can address this in some way. S

Re: Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes

2009-01-15 Thread Florian Weimer
* Eugene V. Lyubimkin: > Florian Weimer wrote: >> And if Valid-Until is only checked against the real-time clock, the >> attacker can still feed bad data over NTP, so it's not even a complete >> defense. 8-( > > However, it seems there is no better solution, or i

Re: Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes

2009-01-15 Thread Florian Weimer
* Moritz Muehlenhoff: >> And there is also the option of including it in the first point release, >> after a month or two of testing in unstable. > > Since the replay attack isn't exactly grave, it could just as well be added > into 5.0.1 oder 5.0.2 once it has gotten some testing. And if Valid-U

Re: Bug#508256: please remove twiki from lenny

2008-12-21 Thread Florian Weimer
* Dominic Hargreaves: > I'm disappointed that the code execution hasn't been addressed > (in testing or stable) but upstream do provide a trivial patch for > the version of twiki we have in Debian. If I was to NMU this (I've > already applied it manually on my system) would this mitigate the

Re: Pre-approval for shadow 1:4.1.1-6

2008-11-14 Thread Florian Weimer
* Nicolas François: > Release Managers, Security Team: > Do you want 505071 to be fixed also for Lenny? Do you mean "etch" instead of "lenny"? We'd probably release a DSA once there's a patch which has some track record, but as far as I can tell, the issue has not been fully analyzed yet. You g

Re: freeze exception for cacao-oj6

2008-09-10 Thread Florian Weimer
* Matthias Klose: > - s390: rebuilt by hand on raptor/unstable without problems. >Bastian pointed to #479952 as a possible reason. would it >be possible to do a test-rebuild on the machine which is >used security updates? I think we can apply a real security patch to all the Sun-base

Re: freeze exception for cacao-oj6

2008-08-29 Thread Florian Weimer
* Matthias Klose: >> Well, you know that there is a T2000 available and if the security team >> needs a faster buildd they have to ask. > > the estimate is wrong. In what sense? I quoted the actual build time on lebrun. Is spontini really faster than that? > the openjdk-6 package runs the tests

Re: freeze exception for cacao-oj6

2008-08-24 Thread Florian Weimer
* Luk Claes: > Matthias Klose wrote: >> proposing a freeze exception for cacao-oj6 for testing. cacao-oj6 is a >> copy of the openjdk-6 package with the cacao sources >> included. Compared to openjdk-6 on architectures without the Hotspot >> JIT support, cacao-oj6 (including a JIT) is a much faste

Re: OpenJDK for lenny

2008-07-28 Thread Florian Weimer
* Matthias Klose: > So, we are late with OpenJDK for lenny. I still think lenny would > benefit from having OpenJDK. I'm proposing the following steps, > realizing that not all of them probably can be realized. Is there upstream security support for OpenJDK 6? I'm asking because the DLJ stuff us

Re: [alpha, hppa] GCC-4.3 as the default compilers for lenny?

2008-03-23 Thread Florian Weimer
* Pierre Habouzit: >> Isn't it risky for partial upgrades from etch ? Shouldn't we wait for >> lenny+1 to revert this ? > > I second that, please don't revert the patch until lenny+1. FWIW I > believe the release team as a whole wanted the patch to be kept as well, > but I'll let the other membe

mipsel packages file borken

2007-12-29 Thread Florian Weimer
$ wget http://ftp.us.debian.org/debian/dists/etch/main/binary-mipsel/Packages.bz2 $ bzcat Packages.bz2 | grep '^[^ ][^:]*$' 133270:ides a wizard that helps you 133274:eror is the file manager for the K Desktop Environment. $ Something has been garbled. Other architectures do not suffer from thi

Re: [Pkg-db-devel] Bin-NMUs for radiusd-livingston, libtabe; db4.5

2007-10-22 Thread Florian Weimer
* Steve Langasek: >> If you can tell me how to do this without downloading dozens of MB of >> data, I'll do it. > > Well, it would've been easier if the addition of db4.5 symbol versions had > been accompanied by a shlibs bump, Yeah, but this was a bug I tried to fix. 8-/ > but something like th

Re: [Pkg-db-devel] Bin-NMUs for radiusd-livingston, libtabe; db4.5

2007-10-15 Thread Florian Weimer
* Bastian Blank: > On Mon, Oct 15, 2007 at 03:11:20PM +0200, Florian Weimer wrote: >> Would you please schedule bin-NMUs for radiusd-livingston and libtabe on >> all architectures? >> >> (There might be more packages affected on other architectures, but I >

Bin-NMUs for radiusd-livingston, libtabe; db4.5

2007-10-15 Thread Florian Weimer
libdb4.5 introduced symbol versioning in version 4.5.20-3. Some packages still link against the old version: Searching for db_ in ./radiusd-livingston_2.1-15_amd64.deb/usr/sbin/builddbm: 15: 421 FUNCGLOBAL DEFAULT UND __db_ndbm_open 22: 207 FUNC

Re: Please migrate db4.3 4.3.29-10 to testing

2007-09-16 Thread Florian Weimer
* Steve Langasek: >> The bug is fixed in version 4.3.29-10. Could you please bump the urgency >> so that this is rectified soon? Thanks. > > Bumping the urgency won't change the fact that the package failed to build > on the hppa autobuilder. This has been an ongoing problem since version 4.3.29-1 a

Please migrate db4.3 4.3.29-10 to testing

2007-09-16 Thread Florian Weimer
db4.3 4.3.29-9 went into testing despite an RC bug (#442297). The bug is fixed in version 4.3.29-10. Could you please bump the urgency so that this is rectified soon? Thanks.

Re: NMU for rlwrap to etch-proposed-updates (for etch r1)

2007-05-27 Thread Florian Weimer
* Steve Langasek: > On Fri, May 25, 2007 at 07:30:36PM +0200, Florian Weimer wrote: >> I'd like to do a sourceful (i.e. non-binary-only) NMU of rlwrap for >> etch r1, so that the package gets rebuilt on all architectures. >> Queuing binary NMUs is apparently not enough

NMU for rlwrap to etch-proposed-updates (for etch r1)

2007-05-25 Thread Florian Weimer
I'd like to do a sourceful (i.e. non-binary-only) NMU of rlwrap for etch r1, so that the package gets rebuilt on all architectures. Queuing binary NMUs is apparently not enough to fix this issue. Would that be acceptable?

Please unblock debsecan 0.4.7

2007-03-15 Thread Florian Weimer
Compared to the version in testing, debsecan 0.4.7 offers translation updates and the following bug fix. TIA, Florian Fri Mar 2 22:00:56 CET 2007 Florian Weimer <[EMAIL PROTECTED]> * Migrate /var/lib/debsecan away from root permissions unconditionally. diff -rN -u old-debian/

Re: Bug#408929: Fwd: Processed: Re: Bug#408929: emacs21: crash on spam

2007-02-05 Thread Florian Weimer
* Moritz Muehlenhoff: > glibc 2.3.4 introduced more secure heap management, which renders several > code injection attacks moot. I think these additional checks have already been bypassed. Shall I dig up a reference?

Unblock or remove xml2rfc

2007-02-02 Thread Florian Weimer
The IETF Secretariat will soon reject Internet-Drafts formatted using the etch's version of xml2rfc (because of an outdated boilerplate). The new upstream version in unstable should generate acceptable drafts. Unfortunately, the diff is quite large. If it's not possible to accept the new upstream

BIND 8 deprecation for the release notes

2007-01-10 Thread Florian Weimer
I recommend to add a note urging people to switch to BIND 9 (possibly mentioning "check-names ignore", which is one of the larger hurdles IIRC). The main reason is this bug: CVE-2006-0527 (BIND 4 (BIND4) and BIND 8 (BIND8), if used as a target forwarder, ...) - bind 1:8.4.7-1 (low)

Re: Solving the linux-2.6 firmware issue

2007-01-08 Thread Florian Weimer
* Bastian Blank: > Not possible without another large round of testing. Our infrastructure > currently expects that the upstream part of the version remains > the same through the whole cycle. This information is for example used > to find all patches. Uhm, why can't you do a simple full upload j

Please unblock debsecan

2007-01-06 Thread Florian Weimer
Hi, Compared to 0.4.3, debsecan 0.4.3.3 contains a few translation updates (and no more seem to be forthcoming). Please unblock. Thanks, Florian

Re: Solving the linux-2.6 firmware issue

2007-01-05 Thread Florian Weimer
* Frederik Schueler: > As we need to upload a new orig.tar.gz file, we need to rename the > source package. Huh? Non sequitur.

Re: mailman 2.1.5-8sarge3: screwup between security and maintainer upload

2006-09-07 Thread Florian Weimer
* Martin Schulze: > Imho, it's more useful to upload 2.1.5-8sarge4 and only bump the > version number to get the new version built for all architectures into > the archive. While you are at it, you could also include this patch: Revision: 8001 http://svn.sourceforge.net/mailman/?rev=80

Re: Preparing the next Release

2006-08-30 Thread Florian Weimer
* Martin Schulze: > When there is no cups for amd64 in the release, it does not matter > whether it FTBFS on amd64 or not, for example. I believe that such FTBFS bugs are already deemed "important"; they are not release-critical. A lot of porters who file FTBFS bugs disagree, but this doesn't ma

Re: Secure APT Key Management

2006-07-26 Thread Florian Weimer
* Martin Schulze: > I'd really love to see this feature properly implemented. The only approach which is known to work is static keys for stable releases and stable security updates. The keys can be stored off-line or on-line, at the discretion of the respective teams. So far, we have botched a

Re: Time to kick xdelta out of testing?

2006-01-24 Thread Florian Weimer
* Russ Allbery: > Is this bug fixed in xdelta 2.0? xdelta 2 is a completely different beast.

Re: current blockers?

2005-11-14 Thread Florian Weimer
* Nathanael Nerode: > * removal of non-free docs etc. from all packages IIRC, the release goal is to release without GNU FDL documentation only, not to remove all non-free documentation. At least I'm not aware of a coordinated effort in that direction.

Re: libstdc++ configuratrion

2005-11-14 Thread Florian Weimer
* Matthias Klose: >> Does it change the internal representation of std::string, or some >> other template instantiation provided by libstdc++? > > I don't see a change to the internal representation of std::string, > I'm forwarding this upstream. std::string seems to be fine because the instance

Re: libstdc++ configuratrion

2005-11-08 Thread Florian Weimer
* Matthias Klose: > The change does not have an effect on symbols exported from > libstdc++, but it does have an effect on symbols exported by > libraries which use containers (using an allocator) from the > template headers. Does it change the internal representation of std::string, or some othe

Re: bug 284925

2005-11-06 Thread Florian Weimer
* Thomas Bushnell: > What is expected of me with respect to bug 284925? I would like to > close it; a DSA was given for the version in stable, it refers to > woody only, etc, something like that. I don't understand the details, > but I'd like to close it. What should I do? You should acknowled

Re: testing security status (post kde)

2005-11-06 Thread Florian Weimer
* Steve Langasek: > Heh. Would it be worth posting summaries of the unfixed RC security bugs > somewhere from time to time, to try to get more people involved with NMUing > them? Or are most of these not RC security bugs at this point? There is

Re: Statement(s) on libssl situation desired

2005-10-17 Thread Florian Weimer
* Nathanael Nerode: > Note the following apparent facts: > * libssl0.9.7 and libssl0.9.8, if linked in the same binary, will cause > unpredictable failure due to symbol conflicts. > * This could be fixed if libssl0.9.8 had versioned symbols, which it doesn't > yet. Are you sure? I think it's n

Re: Resignation as Debian Release Manager

2005-10-03 Thread Florian Weimer
* Branden Robinson: > On Fri, Sep 23, 2005 at 12:10:00AM +0100, Colin Watson wrote: >> I hereby tender my resignation as Debian Release Manager. > > Thanks for your outstanding service, Colin. Reinventing the team > mid-release was not easy, but you and Steve didn't flinch from it and did a > gre

Re: wanna-build only knows about older versions?

2005-07-05 Thread Florian Weimer
* Steve Langasek: > Of course security support is essential for released architectures, I don't think this is the case. Apparently, we have successfully without security support, therefore it cannot be "essential". It's desirable, sure, but essential? Certainly not.

Re: release policy changes

2005-06-09 Thread Florian Weimer
* Andreas Barth: >> Wouldn't it be sufficient to defer to generic policy on this one? PIC >> library/DSO support is mostly a C/C++-specific domain, and not >> everything that Debian ships is written in C/C++ or some scripting >> language. > > Do we have such a policy available? Policy section 10

Re: release policy changes

2005-06-09 Thread Florian Weimer
* Andreas Barth: > One addition I would like very much to see is: > A library that is included in a package in Debian must be linked to > dynamically; for static-only executables like sash also static linking > to that other library package is accepted. Importing and using the > source code of
