Re: Pre-creating Git repos in salsa.d.o/lts-team/packages/ - or not?
Hi Sylvain,

thanks for your feedback!

As you know, one of our goals is to keep the git-history of all {E,L}TS uploads. Some semi-automatic repo creation scripts are in a test phase to ease this process. I have created some repos and imported the last available security versions of packages into that.

Sure, if the maintainer of the particular package allows to push security updates of {E,L}TS process, feel free to do it! Just drop the repo and change the link in the VCS.

You are right, now the bot "anonymously" creates repos, it will be changed in the next couple of days.

Best regards

Anton

On Mon, 7 Nov 2022 at 09:53, Sylvain Beucler wrote:
> Hi,
>
> I see that a few repositories in salsa.d.o/lts-team/packages/ were
> created for packages that haven't been claimed yet.
> https://salsa.debian.org/lts-team/packages?sort=created_desc
>
> (I'm not sure who/what did it exactly, there's activity from
> "Bot-LTS-package", which may be the 'package-operations' script, then
> manual activity from Anton.)
>
> That means the repo was created and imported before there was a chance
> to discuss with the package maintainers whether they want to host the
> (E)LTS branch there or at another location (such as, their own salsa repo).
>
> I think this adds confusion. When I check the "VCS" field in
> dla-needed.txt, I assume this is the preferred repository for
> development, following an explicit decision from a previous contributor
> who worked on the package - not the result of semi-automation.
> Thoughts?
>
> Cheers!
> Sylvain
[SECURITY] [DLA 3179-1] pixman security update
Debian LTS Advisory DLA-3179-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Chris Lamb
November 07, 2022                       https://wiki.debian.org/LTS

Package    : pixman
Version    : 0.36.0-1+deb10u1
CVE ID     : CVE-2022-44638
Debian Bug : 1023427

It was discovered that there was a potential out-of-bounds write vulnerability in pixman, a pixel-manipulation library used in many Linux graphical applications.

For Debian 10 buster, this problem has been fixed in version 0.36.0-1+deb10u1.

We recommend that you upgrade your pixman packages.

For the detailed security status of pixman please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/pixman

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3181-1] sudo security update
Debian LTS Advisory DLA-3181-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Chris Lamb
November 07, 2022                       https://wiki.debian.org/LTS

Package : sudo
Version : 1.8.27-1+deb10u4
CVE ID  : CVE-2021-23239

It was discovered that there was an information disclosure utility in sudo, a tool used to provide limited superuser privileges to specific users. A local unprivileged user may have been able to perform arbitrary directory-existence tests by exploiting a race condition in sudoedit.

For Debian 10 buster, this problem has been fixed in version 1.8.27-1+deb10u4.

We recommend that you upgrade your sudo packages.

For the detailed security status of sudo please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/sudo

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Accepted sudo 1.8.27-1+deb10u4 (source amd64) into oldstable
Format: 1.8
Date: Mon, 07 Nov 2022 11:58:17 +
Source: sudo
Binary: sudo sudo-dbgsym sudo-ldap sudo-ldap-dbgsym
Architecture: source amd64
Version: 1.8.27-1+deb10u4
Distribution: buster-security
Urgency: high
Maintainer: Bdale Garbee
Changed-By: Chris Lamb
Description:
 sudo - Provide limited super user privileges to specific users
 sudo-ldap - Provide limited super user privileges to specific users
Changes:
 sudo (1.8.27-1+deb10u4) buster-security; urgency=high
 .
   * Non-maintainer upload by the Debian LTS team.
   * CVE-2021-23239: Prevent an issue where a local unprivileged user may
     have been able to perform arbitrary directory-existence tests by
     exploiting a race condition in sudoedit by replacing a user-controlled
     directory by a symlink to an arbitrary path.
[SECURITY] [DLA 3180-1] python-scciclient security update
Debian LTS Advisory DLA-3180-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Dominik George
November 07, 2022                       https://wiki.debian.org/LTS

Package    : python-scciclient
Version    : 0.7.2-2+deb10u1
CVE ID     : CVE-2022-2996
Debian Bug : 1018213

It was discovered that scciclient did not verify server TLS certificates when making requests.

For Debian 10 buster, this problem has been fixed in version 0.7.2-2+deb10u1.

We recommend that you upgrade your python-scciclient packages.

For the detailed security status of python-scciclient please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/python-scciclient

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Accepted python-scciclient 0.7.2-2+deb10u1 (source) into oldstable
Format: 1.8
Date: Wed, 02 Nov 2022 22:49:26 +0100
Source: python-scciclient
Architecture: source
Version: 0.7.2-2+deb10u1
Distribution: buster-security
Urgency: medium
Maintainer: Debian OpenStack
Changed-By: Dominik George
Closes: 1018213
Changes:
 python-scciclient (0.7.2-2+deb10u1) buster-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
   * Fix CVE-2022-2996: Missing SSL certificate verification
     (Closes: #1018213)
Accepted pixman 0.36.0-1+deb10u1 (source amd64) into oldstable
Format: 1.8
Date: Mon, 07 Nov 2022 10:59:27 +
Source: pixman
Binary: libpixman-1-0 libpixman-1-0-dbgsym libpixman-1-0-udeb libpixman-1-dev
Architecture: source amd64
Version: 0.36.0-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian X Strike Force
Changed-By: Chris Lamb
Description:
 libpixman-1-0 - pixel-manipulation library for X and cairo
 libpixman-1-0-udeb - pixel-manipulation library for X and cairo (udeb)
 libpixman-1-dev - pixel-manipulation library for X and cairo (development files)
Closes: 1023427
Changes:
 pixman (0.36.0-1+deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * CVE-2022-44638: Prevent out-of-bounds write (aka heap-based buffer
     overflow) in the rasterize_edges_8 function due to an integer overflow
     in pixman_sample_floor_y. (Closes: #1023427)
   * Add debian/.gitlab-ci.yml.
   * Refresh debian/patches/test-increase-timeout.diff.
Pre-creating Git repos in salsa.d.o/lts-team/packages/ - or not?
Hi,

I see that a few repositories in salsa.d.o/lts-team/packages/ were created for packages that haven't been claimed yet.
https://salsa.debian.org/lts-team/packages?sort=created_desc

(I'm not sure who/what did it exactly, there's activity from "Bot-LTS-package", which may be the 'package-operations' script, then manual activity from Anton.)

That means the repo was created and imported before there was a chance to discuss with the package maintainers whether they want to host the (E)LTS branch there or at another location (such as, their own salsa repo).

I think this adds confusion. When I check the "VCS" field in dla-needed.txt, I assume this is the preferred repository for development, following an explicit decision from a previous contributor who worked on the package - not the result of semi-automation.
Thoughts?

Cheers!
Sylvain