Bug#1036914: unblock: librem5-flash-image/0.0.3-1

2023-05-29 Thread Guido Günther
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: librem5-flash-im...@packages.debian.org
Control: affects -1 + src:librem5-flash-image

Please unblock package librem5-flash-image

The tool is used to flash images to Librem 5 phones.

[ Reason ]
This adds support for stable image downloads (rather than
always fetching the latest image to flash to the phone)
hence it seems appropriate to have that in a stable release.
It also makes downloading a bit more robust by allowing for longer
timeouts.

[ Impact ]
Users will have to manually go out and search for stable images.

[ Tests ]
- Tested flashing manually
- CI tests (that download images) pass upstream in a Debian container

[ Risks ]
Risks should be low as the package has been in use on other distros for
some time.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
I apologize for being late here, I simply missed that the version
is outdated. I could have backported the patch but just using the
upstream version (which didn't bring any other features) seemed more
reasonable here.

unblock librem5-flash-image/0.0.3-1
diff --git a/debian/changelog b/debian/changelog
index 2c0f47f..d94dbf9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+librem5-flash-image (0.0.3-1) unstable; urgency=medium
+
+  * New upstream release
+
+ -- Guido Günther   Fri, 24 Feb 2023 17:53:10 +0100
+
 librem5-flash-image (0.0.2-1) unstable; urgency=medium
 
   * New upstream release 0.0.2
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 3d0bb65..b2eeae8 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,4 +1,17 @@
 [DEFAULT]
-debian-branch=debian/master
+debian-branch = debian/master
+debian-tag = debian/%(version)s
+upstream-branch = upstream/latest
+upstream-tag = upstream/%(version)s
+upstream-vcs-tag = v%(version)s
 pristine-tar = True
-upstream-tag = v%(version)s
+
+[tag]
+sign-tags = true
+
+[dch]
+multimaint-merge = True
+
+[import-orig]
+postimport = dch -v%(version)s New upstream release; git add debian/changelog; debcommit
+upstream-vcs-tag = v%(version%~%_)s
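Review bot: upstream-vcs-tag is now set twice with different values, v%(version)s under [DEFAULT] and v%(version%~%_)s under [import-orig], so import-orig resolves upstream tags with a different substitution than every other gbp command. If the ~ to _ mapping is wanted, set it once in [DEFAULT]; otherwise drop the override. These packaging changes are also absent from the new changelog entry, which only says "New upstream release", while the checklist above states that all changes are documented in d/changelog.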
diff --git a/scripts/librem5-flash-image b/scripts/librem5-flash-image
index be28869..3896d8c 100755
--- a/scripts/librem5-flash-image
+++ b/scripts/librem5-flash-image
@@ -35,6 +35,12 @@ except ImportError:
 
 from urllib.parse import urljoin
 
+IMAGES = {
+'stable': {
+'url': 'https://storage.puri.sm/librem5/images/',
+}
+}
+
 JENKINS = 'https://arm01.puri.sm'
 BOARD_TYPE = 'librem5r4'
 VALID_PHONE_BOARD_TYPES = ['librem5r2', 'librem5r3', 'librem5r4']
@@ -130,7 +136,8 @@ def resuming_stream(url, expected_size, max_attempts):
 try:
 resp = requests.get(url,
 stream=True,
-headers={'Range': 'bytes={}-'.format(position)}
+headers={'Range': 'bytes={}-'.format(position)},
+timeout=10
 )
 resp.raise_for_status()
 
@@ -145,7 +152,9 @@ def resuming_stream(url, expected_size, max_attempts):
 if position < expected_size:
 raise PrematureEndException()
 return
-except (requests.exceptions.ConnectionError, PrematureEndException):
+except (requests.exceptions.ConnectionError,
+requests.exceptions.Timeout,
+PrematureEndException):
 if i == max_attempts - 1:
 logging.error("Max connection errors reached, aborting")
 raise
@@ -207,7 +216,7 @@ def download_image(url, target, attempts):
 verify_image(target, meta)
 
 
-def find_image(jobname, type, variant, dist):
+def find_image_jenkins(jobname, type, variant, dist):
 server = jenkins.Jenkins(JENKINS)
 logging.info("Looking for {} {} {} image".format(type, variant, dist))
 try:
@@ -219,6 +228,8 @@ def find_image(jobname, type, variant, dist):
 resp = requests.get(build['url'] + '/api/json')
 resp.raise_for_status()
 json = resp.json()
+if json['description'] is None:
+continue
 if (json['description'].startswith(variant + ' ' + type) and
 dist in json['description'] and
 json['result'] == 'SUCCESS'):
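Review bot: the new None check indexes json['description'] directly, so a build record that lacks the key altogether still raises KeyError; testing json.get('description') would cover both cases. The requests.get(build['url'] + '/api/json') call at the top of this hunk is also left without a timeout, unlike the download request changed earlier in this patch, so a stalled Jenkins API response can still hang the tool.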
@@ -229,6 +240,40 @@ def find_image(jobname, type, variant, dist):
 return found
 
 
+def find_image_stable(board, variant, dist):
+remote = IMAGES['stable']
+logging.info("Looking for {} {} {} image".format(board, variant, dist))
+found = None
+
+path = f"{dist}/latest/{board}/{variant}/"
+url = urljoin(remote['url'], f"{path}/artifact/{IMAGE.format(board)}.xz")
+try:
+resp = requests.head(url, timeout=10)
+if resp.ok:
+
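Review bot: in find_image_stable, path already ends in a slash and the URL is then built as f"{path}/artifact/...", which puts a double slash before "artifact" in the requested URL; drop the trailing slash from path or the leading one from the second f-string. dist, board and variant are interpolated into the URL as given, so checking board against VALID_PHONE_BOARD_TYPES before building the URL would keep stray path segments out of it. The literal timeout=10 on requests.head() repeats the value added in resuming_stream; a module-level constant would keep the two in step.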

Bug#1030709: bullseye-pu: package libvirt/7.0.0-3+deb11u2

2023-02-24 Thread Guido Günther
Hi,
On Sun, Feb 19, 2023 at 06:47:58PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Mon, 2023-02-06 at 18:08 +0100, Guido Günther wrote:
> > This update fixes the test failures on arm64 that were
> > detected by the 7.0.0-3+deb11u1 build.
> > 
> 
> Thanks; please go ahead.

Uploaded now. Thanks!
 -- Guido

> 
> Regards,
> 
> Adam
> 



Bug#1030709: bullseye-pu: package libvirt/7.0.0-3+deb11u2

2023-02-06 Thread Guido Günther
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libv...@packages.debian.org
Control: affects -1 + src:libvirt

This update fixes the test failures on arm64 that were
detected by the 7.0.0-3+deb11u1 build.

[ Impact ]
We can't do any further updates of libvirt in stable (unless we
disable the test suite or specific tests).

[ Risks ]
As this doesn't affect actual code in the binary packages the
risk should be fairly low.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Backport two upstream patches to fix libxl test failures
triggered by newer xen versions.

Cheers,
 -- Guido
diff --git a/debian/changelog b/debian/changelog
index 28579ccd7e..76fb402cbc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libvirt (7.0.0-3+deb11u2) bullseye; urgency=medium
+
+  * [461d540] Fix libxl config test failures.
+Backports two commits from upstream to not fail with newer xen.
+
+ -- Guido Günther   Mon, 06 Feb 2023 17:50:14 +0100
+
 libvirt (7.0.0-3+deb11u1) bullseye; urgency=medium
 
   [ Guido Günther ]
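Review bot: the new entry says two upstream commits are backported but names neither of them. Listing the patch subjects or the upstream commit ids (the first patch file carries "cherry picked from commit 72d4709ab901dd3699d342f15ca3aff9bffddf96") would let a reader match the changelog to the files under debian/patches/backport/ without opening them.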
diff --git a/debian/patches/backport/tests-Fix-libxlxml2domconfigtest-with-latest-xen.patch b/debian/patches/backport/tests-Fix-libxlxml2domconfigtest-with-latest-xen.patch
new file mode 100644
index 00..b30cd52dc1
--- /dev/null
+++ b/debian/patches/backport/tests-Fix-libxlxml2domconfigtest-with-latest-xen.patch
@@ -0,0 +1,235 @@
+From: Cole Robinson 
+Date: Thu, 27 Oct 2022 08:51:25 -0400
+Subject: tests: Fix libxlxml2domconfigtest with latest xen
+
+shadow_memkb is populated from a libxl API call, and the value can
+change. For example:
+https://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=2c992810854a15b41be920519ce83a4a328d5168
+
+Mock libxl_get_required_shadow_memory to give consistent output
+
+Reviewed-by: Michal Privoznik 
+Signed-off-by: Cole Robinson 
+(cherry picked from commit 72d4709ab901dd3699d342f15ca3aff9bffddf96)
+---
+ tests/libxlmock.c| 11 +++
+ tests/libxlxml2domconfigdata/basic-hvm.json  |  2 +-
+ tests/libxlxml2domconfigdata/basic-pv.json   |  2 +-
+ tests/libxlxml2domconfigdata/basic-pvh.json  |  2 +-
+ tests/libxlxml2domconfigdata/cpu-shares-hvm.json |  2 +-
+ tests/libxlxml2domconfigdata/fullvirt-acpi-slic.json |  2 +-
+ tests/libxlxml2domconfigdata/fullvirt-cpuid-legacy-nest.json |  2 +-
+ tests/libxlxml2domconfigdata/fullvirt-cpuid.json |  2 +-
+ tests/libxlxml2domconfigdata/max-eventchannels-hvm.json  |  2 +-
+ tests/libxlxml2domconfigdata/max-gntframes-hvm.json  |  2 +-
+ tests/libxlxml2domconfigdata/moredevs-hvm.json   |  2 +-
+ tests/libxlxml2domconfigdata/multiple-ip.json|  2 +-
+ tests/libxlxml2domconfigdata/variable-clock-hvm.json |  2 +-
+ tests/libxlxml2domconfigdata/vnuma-hvm-legacy-nest.json  |  2 +-
+ tests/libxlxml2domconfigdata/vnuma-hvm.json  |  2 +-
+ 15 files changed, 25 insertions(+), 14 deletions(-)
+
+diff --git a/tests/libxlmock.c b/tests/libxlmock.c
+index a36ca13..644b8ef 100644
+--- a/tests/libxlmock.c
 b/tests/libxlmock.c
+@@ -95,6 +95,17 @@ VIR_MOCK_STUB_RET_ARGS(bind,
+const struct sockaddr *, addr,
+socklen_t, addrlen)
+ 
++VIR_MOCK_IMPL_RET_ARGS(libxl_get_required_shadow_memory,
++   unsigned long,
++   unsigned long, maxmem_kb,
++   unsigned int, smp_cpus)
++{
++/* silence gcc warning about unused function */
++if (0)
++real_libxl_get_required_shadow_memory(maxmem_kb, smp_cpus);
++return 1234;
++}
++
+ VIR_MOCK_IMPL_RET_ARGS(__xstat, int,
+int, ver,
+const char *, path,
+diff --git a/tests/libxlxml2domconfigdata/basic-hvm.json b/tests/libxlxml2domconfigdata/basic-hvm.json
+index 87f8cb7..d308754 100644
+--- a/tests/libxlxml2domconfigdata/basic-hvm.json
 b/tests/libxlxml2domconfigdata/basic-hvm.json
+@@ -15,7 +15,7 @@
+ "max_memkb": 1048576,
+ "target_memkb": 1048576,
+ "video_memkb": 8192,
+-"shadow_memkb": 12288,
++"shadow_memkb": 1234,
+ "device_model_version": "qemu_xen",
+ "device_model": "/bin/true",
+ "sched_params": {
+diff --git a/tests/libxlxml2domconfigdata/basic-pv.json b/tests/libxlxml2domconfigdata/basic-pv.json
+index b71c3b0..32d188f 100644
+--- a/tests/libxlxml2domconfigdata/basic-pv.json
 b/tests/libxlxml2domconfigdata/basic-pv.json
+@@ -14,7 +14,7 @@
+ ],
+ "max_memkb&q
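Review bot: in the tests/libxlmock.c part of this patch file, the mocked libxl_get_required_shadow_memory returns the constant 1234 and ignores maxmem_kb and smp_cpus, so the expected JSON files no longer exercise the values libvirt passes to that call. That is a reasonable trade for deterministic output in a stable update, but a short comment next to "return 1234;" saying the value is arbitrary and must match "shadow_memkb" in tests/libxlxml2domconfigdata/*.json would save the next person from hunting for where 1234 comes from.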

Bug#1024805: bullseye-pu: package libvirt/7.0.0-3+deb11u1

2023-02-06 Thread Guido Günther
Hi Adam,
On Sat, Feb 04, 2023 at 06:00:49PM +, Adam D. Barratt wrote:
> Hi Guido,
> 
> On Wed, 2022-12-14 at 20:00 +0100, Guido Günther wrote:
> > Hi,
> > On Mon, Dec 12, 2022 at 06:39:42PM +, Adam D. Barratt wrote:
> > > On Sun, 2022-12-11 at 16:24 +0100, Guido Günther wrote:
> > > > Hi Adam,
> > > > On Wed, Dec 07, 2022 at 08:22:41PM +, Adam D. Barratt wrote:
> > > > > Control: tags -1 + confirmed
> > > > > 
> > > > > On Fri, 2022-11-25 at 15:19 +0100, Guido Günther wrote:
> > > > > > Fix lxc container reboots and shutdown (#983871, #991773).
> > > > > > 
> > > > > 
> > > > > Please go ahead.
> > > > 
> > > > Uploaded now, thanks!
> > > 
> > > Unfortunately the build fails on both arm64 and armhf while running the
> > > test suite. Each has been tried a couple of times, for a total of four
> > > different buildds across three hosters between them.
> > 
> > Thanks for letting me know! I'll have a look (I assume that the current
> > version in stable will fail the same way).
> > 
> 
> Did you have any luck with this?

I think so. I'll open a bug with the debdiff against release.debian.org.
Cheers,
 -- Guido

> 
> Regards,
> 
> Adam
> 



Bug#1024805: bullseye-pu: package libvirt/7.0.0-3+deb11u1

2022-12-14 Thread Guido Günther
Hi,
On Mon, Dec 12, 2022 at 06:39:42PM +, Adam D. Barratt wrote:
> On Sun, 2022-12-11 at 16:24 +0100, Guido Günther wrote:
> > Hi Adam,
> > On Wed, Dec 07, 2022 at 08:22:41PM +, Adam D. Barratt wrote:
> > > Control: tags -1 + confirmed
> > > 
> > > On Fri, 2022-11-25 at 15:19 +0100, Guido Günther wrote:
> > > > Fix lxc container reboots and shutdown (#983871, #991773).
> > > > 
> > > 
> > > Please go ahead.
> > 
> > Uploaded now, thanks!
> 
> Unfortunately the build fails on both arm64 and armhf while running the
> test suite. Each has been tried a couple of times, for a total of four
> different buildds across three hosters between them.

Thanks for letting me know! I'll have a look (I assume that the current
version in stable will fail the same way).

Cheers,
 -- Guido

> 
> In each case the failure looks the same:
> 
> 
>  94/167 libxlxml2domconfigtest  FAIL   0.17s (exit
> status 1)
> 
> --- command ---
> 21:04:12 abs_top_srcdir='/<>' LC_ALL='C'
> abs_srcdir='/<>/tests' LIBVIRT_AUTOSTART='0'
> G_DEBUG='fatal-warnings'
> abs_top_builddir='/<>/debian/build'
> abs_builddir='/<>/debian/build/tests'
> VIR_TEST_EXPENSIVE='1'
> /<>/debian/build/tests/libxlxml2domconfigtest
> --- stderr ---
> TEST: libxlxml2domconfigtest
>  1) LibXL XML-2-JSON basic-
> pv ... 
> Offset 349
> Expect [8192]
> Actual [6144]
>   .
> .. FAILED
>  2) LibXL XML-2-JSON basic-
> hvm... 
> Offset 382
> Expect [12288]
> Actual [8192]
>   .
> .. FAILED
>  3) LibXL XML-2-JSON basic-
> pvh... 
> Offset 351
> Expect [8192]
> Actual [6144]
>   .
> .. FAILED
>  4) LibXL XML-2-JSON cpu-shares-
> hvm   ... 
> Offset 382
> Expect [12288]
> Actual [8192]
>   .
> .. FAILED
>  5) LibXL XML-2-JSON variable-clock-
> hvm   ... 
> Offset 382
> Expect [12288]
> Actual [8192]
>   .
> .. FAILED
>  6) LibXL XML-2-JSON moredevs-
> hvm ... 
> Offset 435
> Expect [12288]
> Actual [8192]
>   .
> .. FAILED
>  7) LibXL XML-2-JSON multiple-
> ip  ... 
> Offset 349
> Expect [8192]
> Actual [6144]
>   .
> .. FAILED
>  8) LibXL XML-2-JSON vnuma-
> hvm... 
> Offset 413
> Expect [4336]
> Actual [0240]
>   .
> .. FAILED
>  9) LibXL XML-2-JSON fullvirt-
> cpuid   ... 
> Offset 307
> Expect [5656]
> Actual [3340]
>   .
> .. FAILED
> 10) LibXL XML-2-JSON fullvirt-acpi-
> slic   ... 
> Offset 307
> Expect [5656]
> Actual [3340]
>   .
> .. FAILED
> 11) LibXL XML-2-JSON max-gntframes-
> hvm... 
> Offset 382
> Expect [12288]
> Actual [8192]
>   .
> .. FAILED
> 12) LibXL XML-2-JSON max-eventchannels-
> hvm... 
> Offset 382
> Expect [12288]
> Actual [8192]
>   .
> .. FAILED
> Some tests failed. Run them using:
> VIR_TEST_DEBUG=1 VIR_TEST_RANGE=1-12
> /<>/debian/build/tests/libxlxml2domconfigtest
> ---
> 
> Regards,
> 
> Adam
> 



Bug#1024805: bullseye-pu: package libvirt/7.0.0-3+deb11u1

2022-12-11 Thread Guido Günther
Hi Adam,
On Wed, Dec 07, 2022 at 08:22:41PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Fri, 2022-11-25 at 15:19 +0100, Guido Günther wrote:
> > Fix lxc container reboots and shutdown (#983871, #991773).
> > 
> 
> Please go ahead.

Uploaded now, thanks!
 -- Guido

> 
> Regards,
> 
> Adam
> 



Bug#1024805: bullseye-pu: package libvirt/7.0.0-3+deb11u1

2022-11-25 Thread Guido Günther
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Fix lxc container reboots and shutdown (#983871, #991773).

[ Tests ]
On top of reports that the issues are fixed I tested that libvirt's main
use case qemu is still functional.

[ Risks ]
The cgroup code is used by other bits of libvirt as well (like qemu)
but see above. The change also introduces an intermittent (but harmless)
log message

  Nov 25 15:01:55 honk libvirtd[1761464]: unable to open '/sys/fs/cgroup/machine.slice/machine*scope/': No such file or directory

on shutdown. Given the risks of changing more code I'd consider
that the lesser evil.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The code is a backport of upstream commits.

Cheers,
 -- Guido
diff --git a/debian/changelog b/debian/changelog
index 5b82057454..28579ccd7e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+libvirt (7.0.0-3+deb11u1) bullseye; urgency=medium
+
+  [ Guido Günther ]
+  * [eb0956b] d/salsa-ci: Switch to bullseye
+  * [dfcaecc] d/gbp.conf: Switch to bullseye
+  * [7decb27] vircgroup: Fix virCgroupKillRecursive() wrt nested controllers.
+Thanks to Dio Putra (Closes: #983871)
+
+  [ Joachim Falk ]
+  * [fcfceec] lxc: Fix reboot command
+(Closes: #991773)
+
+ -- Guido Günther   Thu, 24 Nov 2022 21:59:50 +0100
+
 libvirt (7.0.0-3) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 83b38b3bdb..b474d29e6f 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-branch = upstream/latest
-debian-branch = debian/master
+debian-branch = debian/bullseye
 pristine-tar = True
 upstream-signatures = on
 
diff --git 
a/debian/patches/backport/Fix-reboot-command-for-LXC-containers.patch 
b/debian/patches/backport/Fix-reboot-command-for-LXC-containers.patch
new file mode 100644
index 00..82db391755
--- /dev/null
+++ b/debian/patches/backport/Fix-reboot-command-for-LXC-containers.patch
@@ -0,0 +1,92 @@
+From: Joachim Falk 
+Date: Thu, 2 Dec 2021 19:56:07 +0100
+Subject: Fix reboot command for LXC containers (Closes: #991773)
+
+The virNetDaemonQuit(dmn) command in virLXCControllerSignalChildIO triggers an
+early close of all clients of lxc_controller. Here, libvirtd itself is a client
+of this controller, and the client connection is used to notify libvirtd if a
+reboot of the container is required. However, the client connection was closed
+before such a status could be sent to libvirtd. To fix this bug, we will
+immediately send the reboot or shutdown status of the container to libvirtd, 
and
+only after client disconnect will we trigger virNetDaemonQuit (Closes: 
#991773).
+
+Fixes: https://gitlab.com/libvirt/libvirt/-/issues/237
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991773
+Signed-off-by: Joachim Falk 
+Reviewed-by: Michal Privoznik 
+
+(cherry picked from commit 93c47e2c39521aba760486f0238458ef1a37490c)
+
+In order to cleanly apply to libvirt 7.0.0, this patch needed some minor
+adjustments, e.g., "virNetDaemon *dmn" vs "virNetDaemonPtr dmn" in libvirt 
7.0.0.
+---
+ src/lxc/lxc_controller.c | 18 +++---
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+Index: libvirt/src/lxc/lxc_controller.c
+===
+--- libvirt.orig/src/lxc/lxc_controller.c
 libvirt/src/lxc/lxc_controller.c
+@@ -897,8 +897,10 @@ static void virLXCControllerClientCloseH
+ virLXCControllerPtr ctrl = virNetServerClientGetPrivateData(client);
+ 
+ VIR_DEBUG("Client %p has closed", client);
+-if (ctrl->client == client)
++if (ctrl->client == client) {
+ ctrl->client = NULL;
++VIR_DEBUG("Client has gone away");
++}
+ if (ctrl->inShutdown) {
+ VIR_DEBUG("Arm timer to quit event loop");
+ virEventUpdateTimeout(ctrl->timerShutdown, 0);
+@@ -1009,8 +1011,11 @@ static int lxcControllerClearCapabilitie
+ static bool wantReboot;
+ static virMutex lock = VIR_MUTEX_INITIALIZER;
+ 
++static int
++virLXCControllerEventSendExit(virLXCController *ctrl,
++  int exitstatus);
+ 
+-static void virLXCControllerSignalChildIO(virNetDaemonPtr dmn,
++static void virLXCControllerSignalChildIO(virNetDaemonPtr dmn G_GNUC_UNUSED,
+   siginfo_t *info G_GNUC_UNUSED,
+   void *opaque)
+ {
+@@ -1021,7 +1026,6 @@ static void virLXCControllerSignalChildI
+ ret = waitpid(-1, , WNOHANG);
+ VIR_DEBUG("Got sig child %d vs %lld", ret, (long long)ctrl->initpid);
+ if (ret == ctrl->initpid) {
+-
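Review bot: the forward declaration added ahead of virLXCControllerSignalChildIO spells its parameter as "virLXCController *ctrl", while the surrounding 7.0.0 code in this file uses the Ptr typedefs (virLXCControllerPtr ctrl in the client close handler, virNetDaemonPtr dmn in this very signature). The patch description says the backport was adjusted for exactly that difference, so the declaration should use virLXCControllerPtr as well and match the function definition.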

Bug#990719: unblock: tracker-miners/2.3.5-2.1

2021-07-05 Thread Guido Günther
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: pkg-gnome-maintain...@lists.alioth.debian.org

Please unblock package tracker-miners

[ Reason ]
The filesystem miner crashes repeatedly on (at least) arm64 and linux
5.11 or later kernels. See #983637.

Due to a missing syscall whitelist of the miner's sandbox the filesystem
tracker crashes repeatedly on startup.  This doesn't happen on bullseye
amd64 and linux 5.10 but can be reproduced on amd64 and (at least)
kernel 5.11 or later.

[ Impact ]
Makes the miner unusable but also drains the battery quickly since
systemd restarts the miner unconditionally and endlessly. This is
especially bad if core files are enabled since the writing of those
over and over drains battery even quicker.

[ Tests ]
Whether the service is up can be checked via

   systemctl start --user tracker-miner-fs.service

[ Risks ]
The proposed fix is a backport of an upstream fix so
the risk seems minimal. Theoretically allowing more
syscalls in the sandbox could open a security hole.

unblock tracker-miners/2.3.5-2.1
diff --git a/debian/changelog b/debian/changelog
index 353d69ddf..4fa33a6bd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+tracker-miners (2.3.5-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * libtracker-miners-common: Add newstatat/statat64 syscalls.
+Backport upstream commit b3fdbaf to avoid constant crashes every 2s.
+Thanks Julian Andres Klode for forwarding this initially.
+(Closes: #983637)
+
+ -- Guido Günther   Mon, 05 Jul 2021 12:40:50 +0200
+
 tracker-miners (2.3.5-2) unstable; urgency=medium
 
   * Make the 'audio' tests non-fatal on powerpc and sparc64 as well
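Review bot: the changelog line names the syscalls as newstatat/statat64, but the rules the patch adds are fstatat64 and newfstatat. The wording is inherited from the upstream commit subject; spelling the real syscall names in the Debian entry would make it findable by anyone searching the changelog for the syscall that triggered the crash.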
diff --git a/debian/patches/libtracker-miners-common-Add-newstatat-statat64-syscalls.patch b/debian/patches/libtracker-miners-common-Add-newstatat-statat64-syscalls.patch
new file mode 100644
index 0..832386d2c
--- /dev/null
+++ b/debian/patches/libtracker-miners-common-Add-newstatat-statat64-syscalls.patch
@@ -0,0 +1,24 @@
+From: Carlos Garnacho 
+Date: Sun, 25 Oct 2020 15:37:13 +0100
+Subject: libtracker-miners-common: Add newstatat/statat64 syscalls
+
+These are done in recent glib versions, should be observed here.
+
+(cherry picked from commit b3fdbaf1ab23ce7191ace6db79575dfce5f90881)
+---
+ src/libtracker-miners-common/tracker-seccomp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libtracker-miners-common/tracker-seccomp.c b/src/libtracker-miners-common/tracker-seccomp.c
+index c0327eb..01887e8 100644
+--- a/src/libtracker-miners-common/tracker-seccomp.c
 b/src/libtracker-miners-common/tracker-seccomp.c
+@@ -91,6 +91,8 @@ tracker_seccomp_init (void)
+ 	/* Basic filesystem access */
+ 	ALLOW_RULE (fstat);
+ 	ALLOW_RULE (fstat64);
++	ALLOW_RULE (fstatat64);
++	ALLOW_RULE (newfstatat);
+ 	ALLOW_RULE (stat);
+ 	ALLOW_RULE (stat64);
+ 	ALLOW_RULE (statfs);
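Review bot: the two ALLOW_RULE lines are added without a comment saying which caller needs them; the only rationale is the commit message's "done in recent glib versions". Every new entry widens the sandbox, which the request itself lists as the risk, so a one-line comment above ALLOW_RULE (fstatat64) naming glib as the caller would help later audits of the list. Placing both in the "Basic filesystem access" group next to fstat, stat and stat64 is the right spot.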
diff --git a/debian/patches/series b/debian/patches/series
index a9bd2953d..f56af3a1f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@ prefer_systemd_activation.patch
 dont_start_for_root.patch
 Don-t-immediately-restart-tracker-extract-on-SIGSYS.patch
 debian/Revert-build-Include-libdir-in-rpath.patch
+libtracker-miners-common-Add-newstatat-statat64-syscalls.patch
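
The failure mode described in this request (a syscall missing from the sandbox allowlist), as an added example that is not part of the original thread or of tracker-miners: a Python triage helper that maps kernel seccomp audit records to syscall names and checks them against the rule list before and after the patch. The log lines are constructed, the syscall table covers only the stat family, and it assumes the kernel logged the blocked calls as audit type=1326 records.

```python
import re
from collections import Counter

# AUDIT_ARCH_* values from <linux/audit.h>.
AUDIT_ARCH = {0xC000003E: "x86_64", 0xC00000B7: "aarch64",
              0x40000003: "i386", 0x40000028: "arm"}

# Partial syscall tables: only the stat family this thread is about.
SYSCALL_NAMES = {
    ("x86_64", 4): "stat", ("x86_64", 5): "fstat",
    ("x86_64", 262): "newfstatat",
    ("aarch64", 79): "newfstatat", ("aarch64", 80): "fstat",
    ("i386", 300): "fstatat64", ("arm", 327): "fstatat64",
}

# Seccomp return actions (upper 16 bits of "code=") that block the call.
BLOCKING_ACTIONS = {0x80000000: "kill_process", 0x00000000: "kill_thread",
                    0x00030000: "trap", 0x00050000: "errno"}

# Rules visible in the tracker-seccomp.c hunk: context lines, then additions.
RULES_BEFORE = {"fstat", "fstat64", "stat", "stat64", "statfs"}
RULES_AFTER = RULES_BEFORE | {"fstatat64", "newfstatat"}

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input (not taken from the bug report). The last record
# is deliberately truncated, the apparmor one is unrelated noise.
SAMPLE_LOG = """\
audit: type=1326 audit(1625480450.101:210): auid=1000 uid=1000 gid=1000 ses=3 pid=4101 comm="tracker-miner-f" sig=31 arch=c00000b7 syscall=79 compat=0 ip=0xffff9a2b1c44 code=0x80000000
audit: type=1326 audit(1625480452.113:211): auid=1000 uid=1000 gid=1000 ses=3 pid=4130 comm="tracker-miner-f" sig=31 arch=c00000b7 syscall=79 compat=0 ip=0xffff8e101c44 code=0x80000000
audit: type=1326 audit(1625480455.007:212): auid=1000 uid=1000 gid=1000 ses=3 pid=4177 comm="tracker-miner-f" sig=31 arch=c000003e syscall=262 compat=0 ip=0x7f3a5c0e1a2e code=0x80000000
audit: type=1326 audit(1625480455.009:213): auid=1000 uid=1000 gid=1000 ses=3 pid=4177 comm="tracker-miner-f" sig=0 arch=c000003e syscall=5 compat=0 ip=0x7f3a5c0e19aa code=0x7ffc0000
audit: type=1400 audit(1625480456.200:214): apparmor="ALLOWED" operation="open" profile="demo" name="/tmp/x" pid=4200 comm="demo"
audit: type=1326 audit(1625480460.000:215): auid=1000 pid=4300 comm="tracker-miner-f" sig=31 arch=c00000b7 sysc
"""


def parse_seccomp_records(log_text):
    """Return one dict per well-formed seccomp audit record in log_text."""
    records = []
    for line in log_text.splitlines():
        if "type=1326" not in line and "type=SECCOMP" not in line:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        try:
            arch_id = int(fields["arch"], 16)
            nr = int(fields["syscall"])
            action = int(fields["code"], 16) & 0xFFFF0000
        except (KeyError, ValueError):
            continue  # truncated or malformed record
        arch = AUDIT_ARCH.get(arch_id, "arch_%x" % arch_id)
        records.append({
            "comm": fields.get("comm", "?"),
            "arch": arch,
            # Unknown numbers stay visible instead of being dropped.
            "syscall": SYSCALL_NAMES.get((arch, nr), "syscall_%d" % nr),
            "action": action,
        })
    return records


def uncovered_denials(log_text, rules):
    """Count blocked syscalls that the given allowlist does not cover."""
    hits = Counter()
    for rec in parse_seccomp_records(log_text):
        if rec["action"] in BLOCKING_ACTIONS and rec["syscall"] not in rules:
            hits[(rec["comm"], rec["arch"], rec["syscall"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(label, uncovered_denials(SAMPLE_LOG, rules))
```

Running the check against the rule set both before and after a proposed allowlist change shows whether the change covers every blocked call seen in the logs, rather than only the one that was reported.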


Bug#982949: Please allow libvirt-python 7.0.0 into bullseye

2021-02-18 Thread Guido Günther
Hi Paul,
On Wed, Feb 17, 2021 at 10:55:14PM +0100, Paul Gevers wrote:
> Hi Bernd,
> 
> On 17-02-2021 22:30, Bernd Zeimetz wrote:
> > On Wed, 2021-02-17 at 18:37 +0100, Paul Gevers wrote:
> >> libvirt-python is a key package.
> > 
> > and it should match libvirt. Having libvirt-python 6.x and libvirt 7.0
> > is (imho, ymmv...) much worse than a completely (from us) untested
> > libvirt-python.
> 
> I understood from the request that it's an option to patch 6.x. Because,
> if Guido believes it really should match, then why did he file an
> unblock request? We're only in the soft freeze right now, only *new*

I don't think I marked it as unblock request. I used "allow" here to
indicate that I'm not entirely sure if the scope is still o.k.
Sorry if it was confusing.

> packages are blocked and we age packages a bit more, so technically
> there's nothing to unblock at this moment. Currently it's still the
> maintainers call what's right for bullseye. We, as the release team, ask
> for targeted fixes. If you consider this out-of-sync to be an issue of
> its own, then please, align with Guido and I have good faith that
> you'll do the best in Debian interest, keeping our guidelines in the
> freeze policy [1] into account. I suggest to really not wait too long,

Uploaded now.

Cheers,
 -- Guido

> because after the hard freeze starts, this indeed requires an unblock
> from us. If the package (whichever option you choose) can migrate before
> that, that would be great.
> 
> Paul
> 
> [1] https://release.debian.org/bullseye/freeze_policy.html#soft
> 



Bug#982949: Please allow libvirt-python 7.0.0 into bullseye

2021-02-16 Thread Guido Günther
Package: release.debian.org
Severity: wishlist

Hi,

#982695 made me aware I totally forgot to update libvirt-python with
recent libvirt before the freeze, hence the build failure. I've
prepared 7.0.0-1 in experimental a couple of days ago and it would be
great to have that version in bullseye since it matches the libvirt
version. The diff is a bit larger due to the introduction of type hints
etc upstream

   http://honk.sigxcpu.org/tmp/7.0.0-1.diff

Would that be o.k. to upload to sid to fix #982695? Otherwise I'll look
at fixing just the build failure on top of 6.1.0-1.

Cheers,
 -- Guido



-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-debug'), (500, 'unstable'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf, arm64

Kernel: Linux 5.10.0-2-amd64 (SMP w/4 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#944294: buster-pu: package libvirt-daemon/5.0.0-4

2020-01-12 Thread Guido Günther
Hi,
On Sat, Jan 11, 2020 at 02:31:47PM +, Adam D. Barratt wrote:
> On Sat, 2020-01-11 at 11:33 +0100, Guido Günther wrote:
> > Hi,
> > On Fri, Jan 10, 2020 at 10:10:30PM +0100, Michal Arbet wrote:
> > > Hi Guido,
> > > 
> > > Please, do you please know when will be new updated version in
> > > buster-updated ?
> > 
> > Needs an ack from the release team to be uploaded.
> 
> Sorry about that, it's been a busy few weeks.
> 
> +libvirt (5.0.0-4+deb10u1) buster; urgency=medium
> +
> +  [ Tobias Wolter ]
> +  * [711f612] apparmor: Allow one to run pygrup
> 
> I think that wants to be "pygrub"?

fixed.

> 
> Please go ahead.

uploaded now, thanks!
 -- Guido

> 
> Regards,
> 
> Adam
> 



Bug#944294: buster-pu: package libvirt-daemon/5.0.0-4

2020-01-11 Thread Guido Günther
Hi,
On Fri, Jan 10, 2020 at 10:10:30PM +0100, Michal Arbet wrote:
> Hi Guido,
> 
> Please, do you please know when will be new updated version in
> buster-updated ?

Needs an ack from the release team to be uploaded.
 -- Guido

> 
> Thank you,
> Michal Arbet (kevko)
> 
> On Wed, 25 Dec 2019 at 16:42, Guido Günther wrote:
> 
> > Hi,
> > On Thu, Dec 05, 2019 at 02:56:17PM +0100, Michal Arbet wrote:
> > > Hi guido,
> > >
> > > Thank you very much for including my patches .
> > > I only want to ask one question, why you removed patch which is adding test
> > > for remove cpu features osxsave and ospke ?
> > > In my previous debdiff it was included ->
> > >
> > https://libvirt.org/git/?p=libvirt.git;a=commit;h=b51bfa70554f4bc43cbd6841b78d67b391909184
> >
> > Mostly to make the debdiff as small as possible since there's another
> > test dropping the flags which does the trick for buster I assume.
> >
> > Cheers,
> >  -- Guido
> >
> >
> > >
> > > Thanks,
> > > Michal Arbet ( kevko )
> > >
> > >
> > > On Thu, 5 Dec 2019 at 13:59, Guido Günther wrote:
> > >
> > > > Hi,
> > > > On Thu, Dec 05, 2019 at 12:56:17PM +0100, Michal Arbet wrote:
> > > > > Hi,
> > > > >
> > > > > Debdiff is empty.
> > > > > Please, could you resend ?
> > > >
> > > > odd, where did that go. Updated one attached.
> > > >  -- Guido
> > > >
> > > > >
> > > > > Thanks,
> > > > > Michal Arbet ( kevko )
> > > > >
> > > > > On Thu, 5 Dec 2019 at 1:01, Guido Günther wrote:
> > > > >
> > > > > > Hi,
> > > > > > On Wed, Nov 27, 2019 at 05:52:33PM +0100, Guido Günther wrote:
> > > > > > > Hi,
> > > > > > > On Wed, Nov 27, 2019 at 04:17:13PM +, Adam D. Barratt wrote:
> > > > > > > > Control: tags -1 -confirmed +moreinfo
> > > > > > > >
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > On 2019-11-27 16:07, Guido Günther wrote:
> > > > > > > > > Hi Adam,
> > > > > > > > > > On Wed, Nov 27, 2019 at 01:21:40PM +, Adam D. Barratt wrote:
> > > > > > > > > > Control: tags -1 + confirmed
> > > > > > > > > >
> > > > > > > > > > On 2019-11-27 13:05, Michal Arbet wrote:
> > > > > > > > > > > > I've added a patch from upstream ( sid already included it in new
> > > > > > > > > > > > version ).
> > > > > > > > > >
> > > > > > > > > > > That looks OK, assuming it's been build- and runtime-tested on a
> > > > > > > > > > > buster
> > > > > > > > > > > system.
> > > > > > > > >
> > > > > > > > > > It would be nice to coordinate such things with the package
> > > > > > > > > > maintainers. I've had questions regarding these patches which
> > > > > > > > > > weren't answered yet:
> > > > > > > > >
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944248#26
> > > > > > > >
> > > > > > > > > Apologies for that, we tend to assume that people making such requests
> > > > > > > > > either work on the package or have had that co-ordination discussion
> > > > > > > > > already.
> > > > > > > >
> > > > > > > > In this case I'll put the request on hold until we hear back.
> > > > > > >
> > > > > > > > Thanks. I intend to look at the particular issue and fold it into the
> > > > > > > > update with
> > > > > > >
> > > > > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939036
> > > > > > >
> > > > > > > which is still pending.
> > > > > >
> > > > > > > Attached is the debdiff with #933036 included as well. O.k. to upload to
> > > > > > > stable-p-u?
> > > > > > Cheers,
> > > > > >  -- Guido
> > > > > >
> > > > > > >  -- Guido
> > > > > > >
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > >
> > > > > > > > Adam
> > > > > > > >
> > > > > >
> > > >
> >



Bug#944294: buster-pu: package libvirt-daemon/5.0.0-4

2019-12-25 Thread Guido Günther
Hi,
On Thu, Dec 05, 2019 at 02:56:17PM +0100, Michal Arbet wrote:
> Hi guido,
> 
> Thank you very much for including my patches .
> I only want to ask one question, why you removed patch which is adding test
> for remove cpu features osxsave and ospke ?
> In my previous debdiff it was included ->
> https://libvirt.org/git/?p=libvirt.git;a=commit;h=b51bfa70554f4bc43cbd6841b78d67b391909184

Mostly to make the debdiff as small as possible since there's another
test dropping the flags which does the trick for buster I assume.

Cheers,
 -- Guido


> 
> Thanks,
> Michal Arbet ( kevko )
> 
> 
> On Thu, 5 Dec 2019 at 13:59, Guido Günther wrote:
> 
> > Hi,
> > On Thu, Dec 05, 2019 at 12:56:17PM +0100, Michal Arbet wrote:
> > > Hi,
> > >
> > > Debdiff is empty.
> > > Please, could you resend ?
> >
> > odd, where did that go. Updated one attached.
> >  -- Guido
> >
> > >
> > > Thanks,
> > > Michal Arbet ( kevko )
> > >
> > > On Thu, 5 Dec 2019 at 1:01, Guido Günther wrote:
> > >
> > > > Hi,
> > > > On Wed, Nov 27, 2019 at 05:52:33PM +0100, Guido Günther wrote:
> > > > > Hi,
> > > > > On Wed, Nov 27, 2019 at 04:17:13PM +, Adam D. Barratt wrote:
> > > > > > Control: tags -1 -confirmed +moreinfo
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > On 2019-11-27 16:07, Guido Günther wrote:
> > > > > > > Hi Adam,
> > > > > > > On Wed, Nov 27, 2019 at 01:21:40PM +, Adam D. Barratt wrote:
> > > > > > > > Control: tags -1 + confirmed
> > > > > > > >
> > > > > > > > On 2019-11-27 13:05, Michal Arbet wrote:
> > > > > > > > > > I've added a patch from upstream ( sid already included it in new
> > > > > > > > > > version ).
> > > > > > > > > Check current debdiff in attachment.
> > > > > > > >
> > > > > > > > > That looks OK, assuming it's been build- and runtime-tested on a
> > > > > > > > > buster
> > > > > > > > > system.
> > > > > > >
> > > > > > > It would be nice to coordinate such things with the package
> > > > > > > > maintainers. I've had questions regarding these patches which
> > > > > > > > weren't answered yet:
> > > > > > >
> > > > > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944248#26
> > > > > >
> > > > > > > Apologies for that, we tend to assume that people making such requests
> > > > > > > either work on the package or have had that co-ordination discussion
> > > > > > > already.
> > > > > >
> > > > > > In this case I'll put the request on hold until we hear back.
> > > > >
> > > > > > Thanks. I intend to look at the particular issue and fold it into the
> > > > > update with
> > > > >
> > > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939036
> > > > >
> > > > > which is still pending.
> > > >
> > > > Attached is the debdiff with #933036 included as well. O.k. to upload
> > to
> > > > stable-p-u?
> > > > Cheers,
> > > >  -- Guido
> > > >
> > > > >  -- Guido
> > > > >
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > Adam
> > > > > >
> > > >
> >



Bug#944294: buster-pu: package libvirt-daemon/5.0.0-4

2019-12-05 Thread Guido Günther
Hi,
On Thu, Dec 05, 2019 at 12:56:17PM +0100, Michal Arbet wrote:
> Hi,
> 
> Debdiff is empty.
> Please, could you resend ?

odd, where did that go. Updated one attached.
 -- Guido

> 
> Thanks,
> Michal Arbet ( kevko )
> 
> On Thu, 5 Dec 2019 at 1:01, Guido Günther wrote:
> 
> > Hi,
> > On Wed, Nov 27, 2019 at 05:52:33PM +0100, Guido Günther wrote:
> > > Hi,
> > > On Wed, Nov 27, 2019 at 04:17:13PM +, Adam D. Barratt wrote:
> > > > Control: tags -1 -confirmed +moreinfo
> > > >
> > > > Hi,
> > > >
> > > > On 2019-11-27 16:07, Guido Günther wrote:
> > > > > Hi Adam,
> > > > > On Wed, Nov 27, 2019 at 01:21:40PM +, Adam D. Barratt wrote:
> > > > > > Control: tags -1 + confirmed
> > > > > >
> > > > > > On 2019-11-27 13:05, Michal Arbet wrote:
> > > > > > > I've added a patch from upstream ( sid already included it in new
> > > > > > > version ).
> > > > > > > Check current debdiff in attachment.
> > > > > >
> > > > > > That looks OK, assuming it's been build- and runtime-tested on a
> > > > > > buster
> > > > > > system.
> > > > >
> > > > > It would be nice to coordinate such things with the package
> > > > > > maintainers. I've had questions regarding these patches which
> > weren't
> > > > > answered yet:
> > > > >
> > > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944248#26
> > > >
> > > > Apologies for that, we tend to assume that people making such requests
> > > > either work on the package or have had that co-ordination discussion
> > > > already.
> > > >
> > > > In this case I'll put the request on hold until we hear back.
> > >
> > > > Thanks. I intend to look at the particular issue and fold it into the
> > > update with
> > >
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939036
> > >
> > > which is still pending.
> >
> > Attached is the debdiff with #933036 included as well. O.k. to upload to
> > stable-p-u?
> > Cheers,
> >  -- Guido
> >
> > >  -- Guido
> > >
> > > >
> > > > Regards,
> > > >
> > > > Adam
> > > >
> >
diff --git a/debian/changelog b/debian/changelog
index 5618e49bd1..3f69690532 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+libvirt (5.0.0-4+deb10u1) buster; urgency=medium
+
+  [ Tobias Wolter ]
+  * [711f612] apparmor: Allow one to run pygrup
+
+  [ Guido Günther ]
+  * [3bcbf56] Don't render osxsave, ospke into QEMU comman line.
+This helps newer QEMU with some configs generated by virt-install.
+Thanks to Michal Arbet for digging out the patches (Closes: #944248)
+
+ -- Guido Günther   Thu, 05 Dec 2019 00:22:14 +0100
+
 libvirt (5.0.0-4) unstable; urgency=medium
 
   * [0fdc2af] Fix multiple CVEs related to privilege escalations on R/O
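Review bot: The 3bcbf56 entry reads "QEMU comman line", which should be "command line", and its continuation lines have lost the indentation that keeps them under the bullet. The 711f612 entry above it carries no `Closes:` tag while the 3bcbf56 entry does; if a bug tracks the AppArmor denial, reference it here so the upload closes it.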
diff --git a/debian/patches/apparmor-Allow-run-pygrup.patch b/debian/patches/apparmor-Allow-run-pygrup.patch
new file mode 100644
index 00..5678aad517
--- /dev/null
+++ b/debian/patches/apparmor-Allow-run-pygrup.patch
@@ -0,0 +1,20 @@
+From: Tobias Wolter 
+Date: Wed, 21 Aug 2019 10:27:05 +0200
+Subject: apparmor: Allow run pygrup
+
+---
+ src/security/apparmor/usr.sbin.libvirtd | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd
+index c7c52c6..477788e 100644
+--- a/src/security/apparmor/usr.sbin.libvirtd
 b/src/security/apparmor/usr.sbin.libvirtd
+@@ -85,6 +85,7 @@
+   /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
+   /usr/{lib,lib64}/xen/bin/* Ux,
+   /usr/lib/xen-*/bin/libxl-save-helper PUx,
++  /usr/lib/xen-*/bin/pygrub PUx,
+ 
+   # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
+   # read and run an ebtables script.
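Review bot: The patch header has a subject but no description, so nothing records which denial `/usr/lib/xen-*/bin/pygrub PUx,` fixes. `PUx` runs the helper under its own profile if one exists and unconfined otherwise, and the path is a glob over every `xen-*` directory; a sentence saying that this mirrors the `libxl-save-helper PUx` line above it, and why the unconfined fallback is acceptable for this helper, would make the widening of the libvirtd profile reviewable.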
diff --git a/debian/patches/qemu-Drop-qemuFeatureNoEffect.patch b/debian/patches/qemu-Drop-qemuFeatureNoEffect.patch
new file mode 100644
index 00..3890d9646e
--- /dev/null
+++ b/debian/patches/qemu-Drop-qemuFeatureNoEffect.patch
@@ -0,0 +1,88 @@
+From: Jiri Denemark 
+Date: Thu, 6 Jun 2019 14:39:52 +0200
+Subject: qemu: Drop qemuFeatureNoEffect
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+We already have virQEMUCapsCPUFilterFeatures for filtering features
+which QEMU does not know about. Let's move osxsave and ospke from
+qemuFeatureNoEffect there.
+
+Signed-off-by: Jiri Denemark 
+Revie

Bug#944294: buster-pu: package libvirt-daemon/5.0.0-4

2019-12-04 Thread Guido Günther
Hi,
On Wed, Nov 27, 2019 at 05:52:33PM +0100, Guido Günther wrote:
> Hi,
> On Wed, Nov 27, 2019 at 04:17:13PM +, Adam D. Barratt wrote:
> > Control: tags -1 -confirmed +moreinfo
> > 
> > Hi,
> > 
> > On 2019-11-27 16:07, Guido Günther wrote:
> > > Hi Adam,
> > > On Wed, Nov 27, 2019 at 01:21:40PM +, Adam D. Barratt wrote:
> > > > Control: tags -1 + confirmed
> > > > 
> > > > On 2019-11-27 13:05, Michal Arbet wrote:
> > > > > I've added a patch from upstream ( sid already included it in new
> > > > > version ).
> > > > > Check current debdiff in attachment.
> > > > 
> > > > That looks OK, assuming it's been build- and runtime-tested on a
> > > > buster
> > > > system.
> > > 
> > > It would be nice to coordinate such things with the package
> > > > maintainers. I've had questions regarding these patches which weren't
> > > answered yet:
> > > 
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944248#26
> > 
> > Apologies for that, we tend to assume that people making such requests
> > either work on the package or have had that co-ordination discussion
> > already.
> > 
> > In this case I'll put the request on hold until we hear back.
> 
> > Thanks. I intend to look at the particular issue and fold it into the
> update with
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939036
> 
> which is still pending.

Attached is the debdiff with #933036 included as well. O.k. to upload to
stable-p-u?
Cheers,
 -- Guido

>  -- Guido
> 
> > 
> > Regards,
> > 
> > Adam
> > 


Bug#944294: buster-pu: package libvirt-daemon/5.0.0-4

2019-11-27 Thread Guido Günther
Hi,
On Wed, Nov 27, 2019 at 04:17:13PM +, Adam D. Barratt wrote:
> Control: tags -1 -confirmed +moreinfo
> 
> Hi,
> 
> On 2019-11-27 16:07, Guido Günther wrote:
> > Hi Adam,
> > On Wed, Nov 27, 2019 at 01:21:40PM +, Adam D. Barratt wrote:
> > > Control: tags -1 + confirmed
> > > 
> > > On 2019-11-27 13:05, Michal Arbet wrote:
> > > > I've added a patch from upstream ( sid already included it in new
> > > > version ).
> > > > Check current debdiff in attachment.
> > > 
> > > That looks OK, assuming it's been build- and runtime-tested on a
> > > buster
> > > system.
> > 
> > It would be nice to coordinate such things with the package
> > > maintainers. I've had questions regarding these patches which weren't
> > answered yet:
> > 
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944248#26
> 
> Apologies for that, we tend to assume that people making such requests
> either work on the package or have had that co-ordination discussion
> already.
> 
> In this case I'll put the request on hold until we hear back.

Thanks. I intend to look at the particular issue and fold it into the
update with

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939036

which is still pending.
 -- Guido

> 
> Regards,
> 
> Adam
> 



Bug#944294: buster-pu: package libvirt-daemon/5.0.0-4

2019-11-27 Thread Guido Günther
Hi Adam,
On Wed, Nov 27, 2019 at 01:21:40PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On 2019-11-27 13:05, Michal Arbet wrote:
> > I've added a patch from upstream ( sid already included it in new
> > version ).
> > Check current debdiff in attachment.
> 
> That looks OK, assuming it's been build- and runtime-tested on a buster
> system.

It would be nice to coordinate such things with the package
maintainers. I've had questions regarding these patches which weren't
answered yet:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944248#26

Cheers,
 -- Guido

> 
> Regards,
> 
> Adam



Bug#939036: buster-pu: package libvirt/5.0.0-4+deb10u1

2019-08-31 Thread Guido Günther
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,
I'd like to update libvirt in pu adding a single new apparmor rule to
allow pygrub which helps xen based setups. Debdiff is attached.
Cheers,
 -- Guido

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), 
(1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 5618e49bd1..29d4aeb690 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libvirt (5.0.0-4+deb10u1) buster; urgency=medium
+
+  [ Tobias Wolter ]
+  * [711f612] apparmor: Allow to run pygrup
+(Closes: #931768)
+
+ -- Guido Günther   Sat, 31 Aug 2019 13:38:31 +0200
+
 libvirt (5.0.0-4) unstable; urgency=medium
 
   * [0fdc2af] Fix multiple CVEs related to privilege escalations on R/O
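Review bot: "Allow to run pygrup" in the 711f612 entry misspells the helper; the rule the patch adds is for `pygrub`. The patch file is named `apparmor-Allow-run-pygrup.patch` as well, so a search for "pygrub" under debian/ finds neither the changelog entry nor the patch; correcting at least the changelog text would make the change findable.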
diff --git a/debian/patches/apparmor-Allow-run-pygrup.patch b/debian/patches/apparmor-Allow-run-pygrup.patch
new file mode 100644
index 00..5678aad517
--- /dev/null
+++ b/debian/patches/apparmor-Allow-run-pygrup.patch
@@ -0,0 +1,20 @@
+From: Tobias Wolter 
+Date: Wed, 21 Aug 2019 10:27:05 +0200
+Subject: apparmor: Allow run pygrup
+
+---
+ src/security/apparmor/usr.sbin.libvirtd | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd
+index c7c52c6..477788e 100644
+--- a/src/security/apparmor/usr.sbin.libvirtd
 b/src/security/apparmor/usr.sbin.libvirtd
+@@ -85,6 +85,7 @@
+   /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
+   /usr/{lib,lib64}/xen/bin/* Ux,
+   /usr/lib/xen-*/bin/libxl-save-helper PUx,
++  /usr/lib/xen-*/bin/pygrub PUx,
+ 
+   # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
+   # read and run an ebtables script.
diff --git a/debian/patches/series b/debian/patches/series
index 3d1d86906d..1d298fab6e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -34,3 +34,4 @@ security/api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch
 security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch
 security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch
 Include-etc-pki-qemu-in-apparmor.patch
+apparmor-Allow-run-pygrup.patch


Bug#930867: unblock: libvirt/5.0.0-4

2019-06-22 Thread Guido Günther
Hi,
On Sat, Jun 22, 2019 at 03:03:47PM +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Fri, Jun 21, 2019 at 05:38:59PM +0200, Guido Günther wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > 
> > Please unblock package libvirt
> > 
> > It fixes 4 CVEs and adds an apparmor rule to make the life of people
> > using spice with certificates easier.
> > Cheers,
> >  -- Guido
> > 
> > unblock libvirt/5.0.0-4
> 
> For reference, debdiff between version in testing and unstable
> attached.

thanks for fixing my oversight. I meant to attach it.
 -- Guido

> 
> Regards,
> Salvatore

> diff -Nru libvirt-5.0.0/debian/changelog libvirt-5.0.0/debian/changelog
> --- libvirt-5.0.0/debian/changelog2019-05-22 12:31:08.0 +0200
> +++ libvirt-5.0.0/debian/changelog2019-06-17 19:05:40.0 +0200
> @@ -1,3 +1,19 @@
> +libvirt (5.0.0-4) unstable; urgency=medium
> +
> +  * [0fdc2af] Fix multiple CVEs related to privilege escalations on R/O
> +connections.
> +- CVE-2019-10161:
> +  CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch
> +- CVE-2019-10166:
> +  api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch
> +- CVE-2019-10167:
> +  api-disallow-virConnectGetDomainCapabilities-on-read-only.patch
> +- CVE-2019-10168:
> +  api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch
> +  * Include /etc/pki/qemu in apparmor (Closes: #930100)
> +
> + -- Guido Günther   Mon, 17 Jun 2019 19:05:40 +0200
> +
>  libvirt (5.0.0-3) unstable; urgency=medium
>  
>[ Guido Günther ]
> diff -Nru libvirt-5.0.0/debian/patches/Include-etc-pki-qemu-in-apparmor.patch 
> libvirt-5.0.0/debian/patches/Include-etc-pki-qemu-in-apparmor.patch
> --- libvirt-5.0.0/debian/patches/Include-etc-pki-qemu-in-apparmor.patch   
> 1970-01-01 01:00:00.0 +0100
> +++ libvirt-5.0.0/debian/patches/Include-etc-pki-qemu-in-apparmor.patch   
> 2019-06-17 19:05:40.0 +0200
> @@ -0,0 +1,26 @@
> +From: Sam Hartman 
> +Date: Tue, 18 Jun 2019 09:02:09 -0400
> +Subject: Include /etc/pki/qemu in apparmor
> +
> +We already permit /etc/pki/libvirt-{spice,vnc} to be read in the
> +apparmor profile.  However the default tls directory in qemu.conf that
> +we ship is /etc/pki/qemu.  So permit that as well.
> +
> +Closes: #930100
> +---
> + src/security/apparmor/libvirt-qemu | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/src/security/apparmor/libvirt-qemu 
> b/src/security/apparmor/libvirt-qemu
> +index eaa5167..0659cda 100644
> +--- a/src/security/apparmor/libvirt-qemu
>  b/src/security/apparmor/libvirt-qemu
> +@@ -93,6 +93,8 @@
> +   /etc/pki/CA/* r,
> +   /etc/pki/libvirt{,-spice,-vnc}/ r,
> +   /etc/pki/libvirt{,-spice,-vnc}/** r,
> ++  /etc/pki/qemu/ r,
> ++  /etc/pki/qemu/** r,
> + 
> +   # the various binaries
> +   /usr/bin/kvm rmix,
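Review bot: `/etc/pki/qemu/** r,` grants read on the whole tree, and the description identifies that tree as the default TLS directory, so key files placed there become readable by the confined process; the description should say so explicitly, noting that the existing `/etc/pki/libvirt{,-spice,-vnc}/** r,` line grants the same. Separately, the patch's `Date:` header (Tue, 18 Jun 2019 09:02:09 -0400) is later than the 17 Jun 2019 19:05:40 +0200 timestamp of the changelog entry that ships it, which is worth reconciling.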
> diff -Nru 
> libvirt-5.0.0/debian/patches/security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch
>  
> libvirt-5.0.0/debian/patches/security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch
> --- 
> libvirt-5.0.0/debian/patches/security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch
>  1970-01-01 01:00:00.0 +0100
> +++ 
> libvirt-5.0.0/debian/patches/security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch
>  2019-06-17 19:05:40.0 +0200
> @@ -0,0 +1,79 @@
> +From: =?utf-8?q?Guido_G=C3=BCnther?= 
> +Date: Mon, 17 Jun 2019 18:20:15 +0200
> +Subject: CVE-2019-10161: api: disallow virDomainSaveImageGetXMLDesc on
> + read-only connections
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset="utf-8"
> +Content-Transfer-Encoding: 8bit
> +
> +This is a backport of
> +
> +The virDomainSaveImageGetXMLDesc API is taking a path parameter,
> +which can point to any path on the system. This file will then be
> +read and parsed by libvirtd running with root privileges.
> +
> +Forbid it on read-only connections.
> +
> +Fixes: CVE-2019-10161
> +Reported-by: Matthias Gerstner 
> +Signed-off-by: Ján Tomko 
> +---
> + src/libvirt-domain.c | 9 ++---
> + src/qemu/qemu_driver.c   | 2 +-
> + src/remote/remote_protocol.x | 3 +--
> + 3 files changed, 4 insertions(+), 10 deletions(-)
> +
> +diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
> +index 9aca54a..6a5fff9 100644
> +--- a/src/libvirt-domain.c
>  b/src/libvirt-domain.c
> +@@ -1073,8 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char 
> *from, const char *dxml,
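Review bot: "This is a backport of" in the patch description is not followed by a commit id as quoted here. Naming the upstream commit in that line would let a reader compare the backport against the original, which matters for a change whose diffstat shows 10 deletions across `src/libvirt-domain.c`, `src/qemu/qemu_driver.c` and `src/remote/remote_protocol.x`.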

Bug#930867: unblock: libvirt/5.0.0-4

2019-06-21 Thread Guido Günther
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libvirt

It fixes 4 CVEs and adds an apparmor rule to make the life of people
using spice with certificates easier.
Cheers,
 -- Guido

unblock libvirt/5.0.0-4

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), 
(1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#930408: stretch-pu: package libvirt/3.0.0-4+deb9u4

2019-06-12 Thread Guido Günther
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi
this updates libvirt's cpu map to make addressing

CVE-2018-3639, CVE-2017-5753, CVE-2017-5715, CVE-2018-12126,
CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

easier for our users by supporting the md-clear, ssbd, spec-ctrl and
ibpb CPU features when picking CPU models without having to fall back to
host-passthrough. See

   
https://www.berrange.com/posts/2018/06/29/cpu-model-configuration-for-qemu-kvm-on-x86-hosts/

for details on how this works in libvirt.
Cheers,
 -- Guido


-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), 
(1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 198e75dcfe..04b7242746 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+libvirt (3.0.0-4+deb9u4) stretch; urgency=medium
+
+  * cpu_map: Define md-clear CPUID bit.
+CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
+  * Add spec-ctrl and ibpb CPU features and ibrs CPU models.
+CVE-2017-5753, CVE-2017-5715
+  * Add ssbd CPU feature.
+CVE-2018-3639
+
+ -- Guido Günther   Wed, 12 Jun 2019 10:13:38 +0200
+
 libvirt (3.0.0-4+deb9u3) stretch-security; urgency=high
 
   * gbp: switch branch to stretch
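Review bot: The three new entries list CVE ids directly under changes that only define CPU features and models (md-clear, spec-ctrl, ibpb, ssbd), which reads as if this upload fixes those CVEs in libvirt. Wording such as "needed to expose the mitigation for CVE-2018-3639 to guests" would keep the changelog from being taken as a fix for the CVEs themselves.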
diff --git 
a/debian/patches/cpu-add-amd-ssbd-and-amd-no-ssb-CPU-features-CVE-2018-363.patch
 
b/debian/patches/cpu-add-amd-ssbd-and-amd-no-ssb-CPU-features-CVE-2018-363.patch
new file mode 100644
index 00..048477b45f
--- /dev/null
+++ 
b/debian/patches/cpu-add-amd-ssbd-and-amd-no-ssb-CPU-features-CVE-2018-363.patch
@@ -0,0 +1,59 @@
+From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= 
+Date: Thu, 14 Jun 2018 11:12:59 +0100
+Subject: cpu: add 'amd-ssbd' and 'amd-no-ssb' CPU features (CVE-2018-3639)
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+AMD x86 CPUs have two separate ways to mitigate the Speculative Store
+Bypass hardware flaw. In current processors only non-architectural MSRs
+are available, and so hypervisors must expose a virtualized MSR and CPU
+flag "virt-ssbd" (CPUID Function 8000_0008, EBX[25]=1).
+
+In future processors AMD will provide an architectural MSR, indicated by
+existance of the CPUID Function 8000_0008, EBX[24]=1, to which QEMU has
+given the name "amd-ssbd".
+
+The "amd-ssbd" flag should be used in preference to "virt-ssbd", if it
+is available, since it provides improved performance. For virtual
+machine configuration, both should be exposed when available, to allow
+for maximal guest OS compatibility as not all guests yet support both.
+
+If future processes are not vulnerable to the flaw, this will be
+indicated by the existance of CPUID Function 8000_0008, EBX[26]=1,
+to which QEMU has given the name "amd-no-ssb".
+
+See also 124441_AMD64_SpeculativeStoreBypassDisable_Whitepaper_final.pdf
+from:
+
+  https://bugzilla.kernel.org/show_bug.cgi?id=199889
+
+Note that neither amd-ssbd or amd-no-ssb will be reported by the kernel
+in /proc/cpuinfo. It knows about these CPUID bits and does the right thing,
+but doesn't report their existance as distinct flags in /proc/cpuinfo.
+
+Signed-off-by: Daniel P. Berrangé 
+---
+ src/cpu/cpu_map.xml | 6 ++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
+index 61542cf..2f109e4 100644
+--- a/src/cpu/cpu_map.xml
 b/src/cpu/cpu_map.xml
+@@ -424,9 +424,15 @@
+ 
+   
+ 
++
++  
++
+ 
+   
+ 
++
++  
++
+ 
+ 
+ 
diff --git 
a/debian/patches/cpu-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch 
b/debian/patches/cpu-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch
new file mode 100644
index 00..f57eed9cfb
--- /dev/null
+++ b/debian/patches/cpu-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch
@@ -0,0 +1,31 @@
+From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= 
+Date: Mon, 21 May 2018 23:05:07 +0100
+Subject: cpu: define the 'ssbd' CPUID feature bit (CVE-2018-3639)
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+New microcode introduces the "Speculative Store Bypass Disable"
+CPUID feature bit. This needs to be exposed to guest OS to allow
+them to protect against CVE-2018-3639.
+
+Signed-off-by: Daniel P. Berrangé 
+Reviewed-by: Jiri Denemark 
+---
+ src/cpu/cpu_map.xml | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff 

Bug#926583: unblock: virt-viewer/7.0-2

2019-04-07 Thread Guido Günther
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package virt-viewer

This removes a dangling alternative and drops a superfluous build-dep.

unblock virt-viewer/7.0-2

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), 
(1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index a9c7ec7..91e20c9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+virt-viewer (7.0-2) unstable; urgency=medium
+
+  [ Andreas Beckmann ]
+  * [b6ce527] Remove obsolete /usr/bin/spice-xpi-client alternative on
+upgrades. (Closes: #915030)
+
+  [ Guido Günther ]
+  * [1a38fe4] Drop useless autotools-dev build-dep
+
+ -- Guido Günther   Fri, 05 Apr 2019 10:04:04 +0200
+
 virt-viewer (7.0-1) unstable; urgency=medium
 
   * [62b4ac8] New upstream version 7.0
diff --git a/debian/control b/debian/control
index 231e39e..87635e5 100644
--- a/debian/control
+++ b/debian/control
@@ -12,7 +12,6 @@ Build-Depends:
  libxml2-dev,
  libglib2.0-dev (>= 2.38),
  libgtk-3-dev (>= 3.10),
- autotools-dev,
  automake,
  libffi-dev,
  libtool,
diff --git a/debian/postinst b/debian/postinst
new file mode 100644
index 000..b1a5276
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -e
+
+# remove obsolete alternative from stretch
+if [ "$1" = "configure" ] ; then
+update-alternatives --remove spice-xpi-client \
+  /usr/bin/spice-xpi-client-remote-viewer
+fi
+
+#DEBHELPER#
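Review bot: The `update-alternatives --remove` call in the `configure` branch runs on every configure, including fresh installs and all later upgrades, although the comment says it cleans up an alternative left over from stretch. Gating it on the previously configured version passed in `$2`, for example with `dpkg --compare-versions "$2" lt-nl 7.0-2`, would limit it to upgrades from versions that could still have registered `spice-xpi-client`.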


Bug#926581: unblock: git-buildpackage/0.9.14

2019-04-07 Thread Guido Günther
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package git-buildpackage

  [ Michael Prokop ]
  * [4142928] docs: update examples for pristine-tar usage, requiring commit
action
(Closes: #919677)

  [ Roberto C. Sánchez ]
  * [d3f67c8] docs: Fix typo

  [ Guido Günther ]
  * [3e3458f] setup.py: Move version parser into setup.py.
This makes sure it ends up in the sdist tarball.

  [ Gabriel Filion ]
  * [34b9da1] Disable PGP signatures when retrieving list of commits
(Closes: #923087)

  [ Simon McVittie ]
  * [74669f0] Dep3Patch: Ignore MIME headers.
Otherwise, if we import a patch containing non-ASCII characters exported
by `gbp pq export` or `git format-patch` using DEP-3 syntax, we'd
misinterpret these fields as semantically significant and copy them into
pseudo-headers, causing them to be duplicated in the commit's long
description. (Closes: #924478)

The first two are doc updates to make things look better in buster while
the last two fix rather important issues when processing lists of signed
commits or patches with non-ascii characters. The setup.py modification
helps people interacting with pypi.

Cheers,
 -- Guido

unblock git-buildpackage/0.9.14

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), 
(1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 583ac6a7..466ff853 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,31 @@
+git-buildpackage (0.9.14) unstable; urgency=medium
+
+  [ Michael Prokop ]
+  * [4142928] docs: update examples for pristine-tar usage, requiring commit
+action
+(Closes: #919677)
+
+  [ Roberto C. Sánchez ]
+  * [d3f67c8] docs: Fix typo
+
+  [ Gabriel Filion ]
+  * [34b9da1] Disable PGP signatures when retrieving list of commits
+(Closes: #923087)
+
+  [ Guido Günther ]
+  * [3e3458f] setup.py: Move version parser into setup.py.
+This makes sure it ends up in the sdist tarball.
+
+  [ Simon McVittie ]
+  * [74669f0] Dep3Patch: Ignore MIME headers.
+Otherwise, if we import a patch containing non-ASCII characters exported
+by `gbp pq export` or `git format-patch` using DEP-3 syntax, we'd
+misinterpret these fields as semantically significant and copy them into
+pseudo-headers, causing them to be duplicated in the commit's long
+description. (Closes: #924478)
+
+ -- Guido Günther   Thu, 21 Mar 2019 10:33:34 +0100
+
 git-buildpackage (0.9.13) unstable; urgency=medium
 
   [ Guido Günther ]
diff --git a/docs/chapters/patches.xml b/docs/chapters/patches.xml
index cb026c1b..aaf60299 100644
--- a/docs/chapters/patches.xml
+++ b/docs/chapters/patches.xml
@@ -9,7 +9,7 @@
   
 
   
-The basic idea is that patches are imported from you
+The basic idea is that patches are imported from your
  to a patch-queue branch with one patch file
 in debian/patches/ becoming one commit on the
 the patch-queue branch.  The created branch will be named after
diff --git a/docs/manpages/gbp-pristine-tar.xml b/docs/manpages/gbp-pristine-tar.xml
index 93a1db3d..eb74a31e 100644
--- a/docs/manpages/gbp-pristine-tar.xml
+++ b/docs/manpages/gbp-pristine-tar.xml
@@ -84,11 +84,11 @@
 EXAMPLES
 Add pristine-tar commits for an upstream tarball:
 
-   ../upstream-tarball-0.1.tar.gz
+   commit ../upstream-tarball-0.1.tar.gz
 Same as above with an additional
 tarball ../upstream-tarball-foo-0.1.tar.gz:
 
-   --component-tarball=foo ../upstream-tarball-0.1.tar.gz
+   --component-tarball=foo commit ../upstream-tarball-0.1.tar.gz
 
   
 
diff --git a/gbp/git/repository.py b/gbp/git/repository.py
index a44c71e1..dfc8e556 100644
--- a/gbp/git/repository.py
+++ b/gbp/git/repository.py
@@ -1613,7 +1613,7 @@ class GitRepository(object):
  merge commit
 @type first_parent: C{bool}
 """
-args = GitArgs('--pretty=format:%H')
+args = GitArgs('--pretty=format:%H', '--no-show-signature')
 args.add_true(num, '-%d' % num)
 args.add_true(first_parent, '--first-parent')
 if since:
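Review bot: `'--no-show-signature'` is added to the `--pretty=format:%H` call with no comment at the call site and no test in the visible hunks. A one-line comment saying that signature output would otherwise be mixed into the output this method turns into a list of commits, plus a test run with signature display enabled in the git configuration, would keep the flag from being dropped in a later cleanup.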
@@ -1694,7 +1694,7 @@ class GitRepository(object):
 commit_sha1 = self.rev_parse("%s^0" % commitish)
 args = GitArgs('--pretty=format:%an%x00%ae%x00%ad%x00%cn%x00%ce%x00%cd%x00%s%x00%f%x00%b%x00',
'-z', '--date=raw', '--no-renames', '--name-status',
-   commit_sha1)
+

Bug#888767: jessie-pu: package debian-security-support/2018.01.29~deb8u1

2018-06-14 Thread Guido Günther
Hi,
On Fri, Jun 08, 2018 at 10:18:18PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Mon, 2018-01-29 at 17:45 +0100, Guido Günther wrote:
> > This update brings debian-security-support in line with unstable.
> > Most
> > notably in oldstable this affects swftools since security support for
> > it is
> > now limited and chromium which doesn't receive any further security
> > updates.
> > 
> 
> Please go ahead.

Uploaded. Thanks!
 -- Guido

> 
> Regards,
> 
> Adam
> 



Re: Updating libvirt and qemu in stable

2018-05-16 Thread Guido Günther
On Tue, May 15, 2018 at 05:52:14PM +0100, Ben Hutchings wrote:
> In order to support Spectre v2 mitigation in Windows guests, I believe
> the microcoded mitigation features (IBPB and IBRS) need to be exposed
> to them.  This may also be useful for Linux guests using OVMF, unless
> it is rebuilt with the retpoline mitigation.
> 
> The kernel side of this in KVM was already implemented in version
> 4.9.82-1+deb9u1, although the microcode updates are not yet in stable.
> 
> libvirt and qemu (and maybe other related packages) also need to be
> updated so that they recognise and enable the new CPU feature bits for
> guests.  Is this likely to be doable?

With  libvirt should already work iff qemu
handles ibpb and ibrs (1.12.0 and 1.11.1 onward according to ¹). I've
just tested this on sid with 1.12 and Westmere-IBRS and the recent
microcode update.

For stable we need to update libvirt's cpu_map.xml to support non
host-passthrough configuration. E.g. virt-manager uses host-model which
needs an updated cpu_map.xml.

Cheers,
 -- Guido


¹) https://www.qemu.org/2018/02/14/qemu-2-11-1-and-spectre-update/
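
The distinction drawn above, that host-passthrough guests follow the host while host-model and named-model guests depend on what libvirt's cpu_map.xml knows, can be checked per guest from its domain XML. This is an added example, not code from the thread or from libvirt: it audits a `<cpu>` element for the md-clear, ssbd, spec-ctrl and ibpb features named in the stretch-pu request, and the sample XML, the `-IBRS` suffix rule, the `INTEL_SUBSET` list and the verdict strings are assumptions.

```python
import xml.etree.ElementTree as ET

# Feature names as spelled in the messages on this page.
PAGE_FEATURES = ("spec-ctrl", "ibpb", "ssbd", "md-clear")
# Assumption: the subset expected for the constructed Intel-model samples below.
# Not every feature applies to every vendor's CPUs, so pass the subset you expect.
INTEL_SUBSET = ("spec-ctrl", "ssbd", "md-clear")
# Assumption: a model name ending in -IBRS already carries spec-ctrl.
IMPLIED_BY_SUFFIX = {"-IBRS": "spec-ctrl"}


def audit_cpu(domain_xml, wanted=PAGE_FEATURES):
    """Report which wanted CPU features a guest definition enables, turns
    off, or leaves out. Parse only XML you trust with ElementTree."""
    cpu = ET.fromstring(domain_xml).find("cpu")
    if cpu is None:
        # No <cpu> element: the guest gets the hypervisor's default model.
        return {"mode": "unset", "model": None, "enabled": [], "disabled": [],
                "missing": list(wanted), "verdict": "incomplete"}

    mode = cpu.get("mode", "custom")
    model = (cpu.findtext("model") or "").strip() or None
    enabled, disabled = set(), set()

    if mode == "custom" and model:
        for suffix, feature in IMPLIED_BY_SUFFIX.items():
            if model.endswith(suffix):
                enabled.add(feature)

    # Explicit <feature> elements override whatever the model implies.
    for feat in cpu.findall("feature"):
        name = feat.get("name")
        policy = feat.get("policy", "require")
        if policy in ("require", "force"):
            enabled.add(name)
            disabled.discard(name)
        elif policy in ("disable", "forbid"):
            disabled.add(name)
            enabled.discard(name)

    on = [f for f in wanted if f in enabled]
    off = [f for f in wanted if f in disabled]
    if mode in ("host-passthrough", "host-model"):
        # The XML alone cannot tell what the host or cpu_map.xml provides.
        missing = []
    else:
        missing = [f for f in wanted if f not in enabled and f not in disabled]

    if off or missing:
        verdict = "incomplete"
    elif mode == "host-passthrough":
        verdict = "follows-host"          # guest sees the host's CPUID bits
    elif mode == "host-model":
        verdict = "depends-on-cpu-map"    # needs cpu_map.xml to know the bits
    else:
        verdict = "ok"
    return {"mode": mode, "model": model, "enabled": on, "disabled": off,
            "missing": missing, "verdict": verdict}


# Constructed sample definitions (not taken from any real guest).
CUSTOM_PLAIN = """<domain type='kvm'><name>guest-a</name>
  <cpu mode='custom' match='exact'>
    <model fallback='forbid'>Westmere</model>
  </cpu></domain>"""

CUSTOM_IBRS = """<domain type='kvm'><name>guest-b</name>
  <cpu mode='custom' match='exact'>
    <model fallback='forbid'>Westmere-IBRS</model>
    <feature policy='require' name='ssbd'/>
    <feature policy='require' name='md-clear'/>
  </cpu></domain>"""

HOST_MODEL = """<domain type='kvm'><name>guest-c</name>
  <cpu mode='host-model'/></domain>"""

PASSTHROUGH_OFF = """<domain type='kvm'><name>guest-d</name>
  <cpu mode='host-passthrough'>
    <feature policy='disable' name='md-clear'/>
  </cpu></domain>"""

if __name__ == "__main__":
    for label, xml in (("guest-a", CUSTOM_PLAIN), ("guest-b", CUSTOM_IBRS),
                       ("guest-c", HOST_MODEL), ("guest-d", PASSTHROUGH_OFF)):
        print(label, audit_cpu(xml, INTEL_SUBSET))
```
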



Bug#888766: stretch-pu: package debian-security-support/2018.01.29~deb9u1

2018-03-05 Thread Guido Günther
On Fri, Mar 02, 2018 at 05:38:18PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Mon, 2018-01-29 at 17:36 +0100, Guido Günther wrote:
> > This update brings debian-security-support in line with unstable.
> > Most notably in stable this affects swftools since security support
> > for it is now limited.
> > 
> 
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,44 @@
> +debian-security-support (2018.01.29~deb9u1) stable-proposed-updates; 
> urgency=medium
> 
> Please use "stretch" as the changelog distribution and feel free to
> upload.

Changed and uploaded now. Thanks
 -- Guido



Bug#891503: stretch-pu: package osinfo-db/0.20180226-1~deb9u1

2018-02-27 Thread Guido Günther
On Mon, Feb 26, 2018 at 08:47:48PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Mon, 2018-02-26 at 10:59 +0100, Guido Günther wrote:
> > I'd like to update osinfo-db in stretch. This would allow us to have
> > up
> > to date information for operating system installs with e.g. gnome-
> > boxes
> > and virt-manager by adding new data for recent debian, ubuntu and
> > freebsd releases as well as updating existing ones.
> > 
> 
> I must admit that I'm confused by the changes of the type:
> 
> -  
> http://cdimage.debian.org/cdimage/archive/9.0.0/i386/iso-cd/debian-9.0.0-i386-netinst.iso;
> +  
> http://cdimage.debian.org/cdimage/archive/9.2.1/i386/iso-cd/debian-9.2.1-i386-netinst.iso;
>    
> 
> given that 9.3 was released on the same day as 8.10, and the latter is
> reflected in the diff.

We're only using releases that are under archive/ already since these
URLs stay stable a bit longer (#813797). It seems 9.3.0 hasn't been
archived yet while 8.10 is.

> In any case, please go ahead.

Uploaded. Thanks!
 -- Guido

> 
> Regards,
> 
> Adam
> 



Bug#887855: stretch-pu: package libvirt/3.0.0-4+deb9u2

2018-02-26 Thread Guido Günther
On Fri, Feb 23, 2018 at 04:42:46PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sat, 2018-01-20 at 18:46 +0100, Guido Günther wrote:
> > the above update addresses CVE-2018-5748 as well as a bug where disks
> > with cache=directsync couldn't be migrated (#883208).
> > 
> 
> +_("Migration may lead to data corruption if 
> disks"
> +- " use cache != none"));
> ++ " use cache != none or cache != directsync"));
> 
> I think that message should use "and", not "or" - all possible values
> are "!= none or != directsync". (Or maybe "if disks use cache != none
> or directsync" or something.)

I agree but that's what upstream uses so I opted for leaving it as is.

> Please go ahead.

Uploaded. Thanks.
 -- Guido



Bug#891503: stretch-pu: package osinfo-db/0.20180226-1~deb9u1

2018-02-26 Thread Guido Günther
c
   
 
 
-  http://cdimage.ubuntu.com/releases/xenial/release/ubuntu-16.04.2-server-ppc64el.iso
+  http://cdimage.ubuntu.com/releases/xenial/release/ubuntu-16.04.3-server-ppc64el.iso
   
 Ubuntu-Server 16.04(.\d)? LTS ppc64
   
 
 
-  http://cdimage.ubuntu.com/releases/xenial/release/ubuntu-16.04.2-server-s390x.iso
+  http://cdimage.ubuntu.com/releases/xenial/release/ubuntu-16.04.3-server-s390x.iso
   
 Ubuntu-Server 16.04(.\d)? LTS s390x
   
diff --git a/data/os/ubuntu.com/ubuntu-17.04.xml.in b/data/os/ubuntu.com/ubuntu-17.04.xml.in
index 271d7ea..69e5a27 100644
--- a/data/os/ubuntu.com/ubuntu-17.04.xml.in
+++ b/data/os/ubuntu.com/ubuntu-17.04.xml.in
@@ -30,7 +30,7 @@
 
 
 
-  http://releases.ubuntu.com/releases/zesty/ubuntu-17.04-server-i386.iso
+  http://old-releases.ubuntu.com/releases/zesty/ubuntu-17.04-server-i386.iso
   
 Ubuntu-Server 17.04(.\d)? i386
   
@@ -38,7 +38,7 @@
   install/initrd.gz
 
 
-  http://releases.ubuntu.com/releases/zesty/ubuntu-17.04-server-amd64.iso
+  http://old-releases.ubuntu.com/releases/zesty/ubuntu-17.04-server-amd64.iso
   
 Ubuntu-Server 17.04(.\d)? amd64
   
@@ -46,7 +46,7 @@
   install/initrd.gz
 
 
-  http://releases.ubuntu.com/releases/zesty/ubuntu-17.04-desktop-i386.iso
+  http://old-releases.ubuntu.com/releases/zesty/ubuntu-17.04-desktop-i386.iso
   
 Ubuntu 17.04(.\d)? i386
   
@@ -54,7 +54,7 @@
   casper/initrd.lz
 
 
-  http://releases.ubuntu.com/releases/zesty/ubuntu-17.04-desktop-amd64.iso
+  http://old-releases.ubuntu.com/releases/zesty/ubuntu-17.04-desktop-amd64.iso
   
 Ubuntu 17.04(.\d)? amd64
   
@@ -62,19 +62,19 @@
   casper/initrd.lz
 
 
-  http://cdimage.ubuntu.com/releases/zesty/release/ubuntu-17.04-server-arm64.iso
+  http://old-releases.ubuntu.com/releases/zesty/ubuntu-17.04-server-arm64.iso
   
 Ubuntu-Server 17.04(.\d)? arm64
   
 
 
-  http://cdimage.ubuntu.com/releases/zesty/release/ubuntu-17.04-server-ppc64el.iso
+  http://old-releases.ubuntu.com/releases/zesty/ubuntu-17.04-server-ppc64el.iso
   
 Ubuntu-Server 17.04(.\d)? ppc64
   
 
 
-  http://cdimage.ubuntu.com/releases/zesty/release/ubuntu-17.04-server-s390x.iso
+  http://old-releases.ubuntu.com/releases/zesty/ubuntu-17.04-server-s390x.iso
   
 Ubuntu-Server 17.04(.\d)? s390x
   
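Review bot: in the last three entries of this hunk (arm64, ppc64el, s390x) the change is more than a host swap: the old URLs sit under cdimage.ubuntu.com/releases/zesty/release/, while the new ones drop the release/ component and point at old-releases.ubuntu.com/releases/zesty/, the same directory as the i386 and amd64 images. Please confirm the ports ISOs are actually published at that path before this goes into a stable update. All of these also remain plain http:// downloads, and the visible entries carry only a URL and a volume-id pattern, so the client has nothing here with which to authenticate the image it fetches.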
diff --git a/data/os/ubuntu.com/ubuntu-17.10.xml.in b/data/os/ubuntu.com/ubuntu-17.10.xml.in
new file mode 100644
index 000..b396197
--- /dev/null
+++ b/data/os/ubuntu.com/ubuntu-17.10.xml.in
@@ -0,0 +1,79 @@
+
+
+  http://ubuntu.com/ubuntu/17.10;>
+ubuntu17.10
+ubuntuartful
+<_name>Ubuntu 17.10
+17.10
+<_vendor>Canonical Ltd
+linux
+ubuntu
+Artful Aardvark
+http://ubuntu.com/ubuntu/17.04"/>
+http://ubuntu.com/ubuntu/17.04"/>
+
+2017-10-19
+
+
+  
+10
+1
+1073741824
+5368709120
+  
+  
+10
+1073741824
+16106127360
+  
+
+
+
+  http://releases.ubuntu.com/releases/artful/ubuntu-17.10.1-server-i386.iso
+  
+Ubuntu-Server 17.10(.\d)? i386
+  
+  install/vmlinuz
+  install/initrd.gz
+
+
+  http://releases.ubuntu.com/releases/artful/ubuntu-17.10.1-server-amd64.iso
+  
+Ubuntu-Server 17.10(.\d)? amd64
+  
+  install/vmlinuz
+  install/initrd.gz
+
+
+  http://releases.ubuntu.com/releases/artful/ubuntu-17.10.1-desktop-amd64.iso
+  
+Ubuntu 17.10(.\d)? amd64
+  
+  casper/vmlinuz
+  casper/initrd.lz
+
+
+  http://cdimage.ubuntu.com/releases/artful/release/ubuntu-17.10-server-arm64.iso
+  
+Ubuntu-Server 17.10(.\d)? arm64
+  
+
+
+  http://cdimage.ubuntu.com/releases/artful/release/ubuntu-17.10-server-ppc64el.iso
+  
+Ubuntu-Server 17.10(.\d)? ppc64
+  
+
+
+  http://cdimage.ubuntu.com/releases/artful/release/ubuntu-17.10-server-s390x.iso
+  
+Ubuntu-Server 17.10(.\d)? s390x
+  
+
+
+
+  
+
+  
+
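Review bot: the media URLs in this new file disagree about the point release: the i386/amd64 server and amd64 desktop entries name ubuntu-17.10.1-*.iso, while the arm64, ppc64el and s390x entries name ubuntu-17.10-*.iso. If that is intentional, a comment in the file would save the next reviewer the check. Separately, the volume-id patterns such as `Ubuntu-Server 17.10(.\d)? amd64` leave both dots unescaped, so `.` matches any character; `17\.10(\.\d)?` is the tighter form.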
diff --git a/debian/changelog b/debian/changelog
index 69bca11..eedb453 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+osinfo-db (0.20180226-1~deb9u1) stretch; urgency=medium
+
+  * Rebuild for stretch.
+
+ -- Guido Günther <a...@sigxcpu.org>  Mon, 26 Feb 2018 10:46:53 +0100
+
+sinfo-db (0.20180226-1) unstable; urgency=medium
+
+  * Test that we can generate install scripts
+  * New upstream git snapshot (Closes: #884521)
+  * Update debian/watch URL.  We're using git snapshots anyway but it's better
+to have this correct. (Closes: #884520)
+
+ -- Guido Günther <a...@sigxcpu.org>  Mon, 26 Feb 2018 10:21:37 +0100
+
 osi
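Review bot: as it appears here, the header of the second entry reads `sinfo-db (0.20180226-1) unstable`, without the leading `o` of the source package name, while the entry above it reads `osinfo-db`. Every entry in debian/changelog should carry the same source name, so check the actual file before upload. The top entry correctly uses the codename `stretch` as its distribution.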

Bug#888731: stretch-pu: package virt-what/1.15-1+deb9u1

2018-02-25 Thread Guido Günther
On Sun, Feb 25, 2018 at 02:59:02PM +, Adam D. Barratt wrote:
> Control: tags -1 + pending
> 
> On Fri, 2018-02-23 at 18:50 +0100, Guido Günther wrote:
> > On Fri, Feb 23, 2018 at 04:53:27PM +, Adam D. Barratt wrote:
> > > Control: tags -1 + confirmed
> > > 
> > > On Mon, 2018-01-29 at 10:25 +0100, Guido Günther wrote:
> > > > The update fixes problems with virt detection arch/aarch64 since
> > > > these
> > > > fall back to uname -m. x86 uses cpuid mostly so it went there
> > > > undetected.
> > > > 
> > > 
> > > +virt-what (1.15-1+deb9u1) stable-proposed-updates; urgency=medium
> > > 
> > > "stretch", please.
> > > 
> > > Please go ahead.
> > 
> > Uploaded. Thanks,
> 
> (Without the distribution change.)

Sorry, I misread that. Will use stretch for future updates.
 -- Guido

> 
> Flagged for acceptance.
> 
> Regards,
> 
> Adam
> 



Bug#888731: stretch-pu: package virt-what/1.15-1+deb9u1

2018-02-23 Thread Guido Günther
On Fri, Feb 23, 2018 at 04:53:27PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Mon, 2018-01-29 at 10:25 +0100, Guido Günther wrote:
> > The update fixes problems with virt detection arch/aarch64 since
> > these
> > fall back to uname -m. x86 uses cpuid mostly so it went there
> > undetected.
> > 
> 
> +virt-what (1.15-1+deb9u1) stable-proposed-updates; urgency=medium
> 
> "stretch", please.
> 
> Please go ahead.

Uploaded. Thanks,
 -- Guido



Bug#888767: jessie-pu: package debian-security-support/2018.01.29~deb8u1

2018-01-29 Thread Guido Günther
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-CC: t...@security.debian.org

This update brings debian-security-support in line with unstable. Most
notably in oldstable this affects swftools since security support for it is
now limited and chromium which doesn't receive any further security updates.
Cheers,
 -- Guido


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'oldoldstable'), (500, 
'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 94d43a6..f55e7e1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,44 @@
+debian-security-support (2018.01.29~deb8u1) oldstable-proposed-updates; urgency=medium
+
+  * Rebuild for jessie
+
+ -- Guido Günther <a...@sigxcpu.org>  Mon, 29 Jan 2018 17:30:46 +0100
+
+debian-security-support (2018.01.29) unstable; urgency=medium
+
+  [ Markus Koschany ]
+  * Add teamspeak to security-support-ended.deb7
+  * Add libstruts1.2-java to security-support-ended.deb7.
+  * Add nvidia-graphics-drivers to security-support-ended.deb7.
+Non-free is not supported
+  * Add glassfish to security-support-ended.deb7
+  * Mark jbossas4 as end-of-life in Wheezy.
+  * Mark jasperreports as unsupported in Wheezy.
+No sponsor users it. Targeted fixes not possible because detailed
+information about the vulnerabilities and their solution (patches) is not
+available.
+
+  [ Salvatore Bonaccorso ]
+  * Mark chromium-browser as end-of-life for Debian 8 (Jessie)
+
+  [ Raphaël Hertzog ]
+  * Mark libnet-ping-external-perl as unsupported in wheezy.
+  * Mark mp3gain as unsupported in wheezy.
+
+  [ Emilio Pozuelo Monfort ]
+  * Mark tor as unsupported in wheezy.
+
+  [ Guido Günther ]
+  * Add swftools to security support limited
+swftools is orphaned (#885088) and the security tracker is currently
+counting 25 open CVEs. It is a useful tool with trusted content though.
+  * Bump standards version to 4.1.3.
+No changes needed
+  * Bump debhelper compat level to 9 which is available in oldoldstable
+(wheezy).
+
+ -- Guido Günther <a...@sigxcpu.org>  Mon, 29 Jan 2018 17:05:46 +0100
+
 debian-security-support (2017.06.02~deb8u1) jessie; urgency=medium
 
   * Rebuild for jessie.
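Review bot: the top entry targets `oldstable-proposed-updates`, but the previous jessie upload visible as context at the end of this same hunk, 2017.06.02~deb8u1, used the codename `jessie` as its distribution. Use `jessie` here as well; the codename keeps pointing at the same release, whereas the oldstable alias moves with every new release.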
diff --git a/debian/compat b/debian/compat
index 45a4fb7..ec63514 100644
--- a/debian/compat
+++ b/debian/compat
@@ -1 +1 @@
-8
+9
diff --git a/debian/control b/debian/control
index 2b827d1..f764ab9 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Section: admin
 Priority: optional
 Maintainer: Christoph Biedl <debian.a...@manchmal.in-ulm.de>
 Uploaders: Debian Security Team <t...@security.debian.org>
-Build-Depends: debhelper (>= 8~),
+Build-Depends: debhelper (>= 9~),
 asciidoc,
 gettext,
 gawk,
@@ -15,7 +15,7 @@ Build-Depends: debhelper (>= 8~),
 original-awk,
 po-debconf,
 xmlto,
-Standards-Version: 3.9.8
+Standards-Version: 4.1.3
 Vcs-Git: https://anonscm.debian.org/cgit/collab-maint/debian-security-support.git
 Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/debian-security-support.git
 
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 000..525d1b4
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch=jessie
diff --git a/security-support-ended.deb7 b/security-support-ended.deb7
index 5cfd110..5278edb 100644
--- a/security-support-ended.deb7
+++ b/security-support-ended.deb7
@@ -52,3 +52,13 @@ kfreebsd-8  8.3-6+deb7u12016-02-06  Not supported in Deb
 kfreebsd-9  9.0-10+deb70.10 2016-02-06  Not supported in Debian LTS
 ioquake31.36+svn2287-1  2017-03-15  Not supported in Debian LTS (https://lists.debian.org/debian-lts/2017/03/msg00075.html)
 autotrace   0.31.1-16   2017-06-01  Not supported in Debian LTS (https://lists.debian.org/debian-lts/2017/05/msg00124.html)
+teamspeak-server2.0.24.1+debian-1.1 2017-07-31  Not supported in Debian LTS (non-free)
+teamspeak-client2.0.32-3.1  2017-07-31  Not supported in Debian LTS (non-free)
+libstruts1.2-java   1.2.9-5+deb7u2  2017-09-23  Not supported in Debian LTS
+nvidia-graphics-drivers 304.131-1   2017-09-24  Not supported in Debian LTS (non-free)
+glassfish   1:2.1.1-b31g-3  2017-09-26  Not supported in Debian LTS
+jbossas44.2.3.GA-7  2017-1

Bug#888766: stretch-pu: package debian-security-support/2018.01.29~deb9u1

2018-01-29 Thread Guido Günther
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

This update brings debian-security-support in line with unstable. Most
notably in stable this affects swftools since security support for it is
now limited.
Cheers,
 -- Guido

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'oldoldstable'), (500, 
'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 28a9b5d..669e194 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,44 @@
+debian-security-support (2018.01.29~deb9u1) stable-proposed-updates; urgency=medium
+
+  * Rebuild for stretch
+
+ -- Guido Günther <a...@sigxcpu.org>  Mon, 29 Jan 2018 17:23:45 +0100
+
+debian-security-support (2018.01.29) unstable; urgency=medium
+
+  [ Markus Koschany ]
+  * Add teamspeak to security-support-ended.deb7
+  * Add libstruts1.2-java to security-support-ended.deb7.
+  * Add nvidia-graphics-drivers to security-support-ended.deb7.
+Non-free is not supported
+  * Add glassfish to security-support-ended.deb7
+  * Mark jbossas4 as end-of-life in Wheezy.
+  * Mark jasperreports as unsupported in Wheezy.
+No sponsor users it. Targeted fixes not possible because detailed
+information about the vulnerabilities and their solution (patches) is not
+available.
+
+  [ Salvatore Bonaccorso ]
+  * Mark chromium-browser as end-of-life for Debian 8 (Jessie)
+
+  [ Raphaël Hertzog ]
+  * Mark libnet-ping-external-perl as unsupported in wheezy.
+  * Mark mp3gain as unsupported in wheezy.
+
+  [ Emilio Pozuelo Monfort ]
+  * Mark tor as unsupported in wheezy.
+
+  [ Guido Günther ]
+  * Add swftools to security support limited
+swftools is orphaned (#885088) and the security tracker is currently
+counting 25 open CVEs. It is a useful tool with trusted content though.
+  * Bump standards version to 4.1.3.
+No changes needed
+  * Bump debhelper compat level to 9 which is available in oldoldstable
+(wheezy).
+
+ -- Guido Günther <a...@sigxcpu.org>  Mon, 29 Jan 2018 17:05:46 +0100
+
 debian-security-support (2017.06.02) unstable; urgency=medium
 
   [ Moritz Muehlenhoff ]
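Review bot: in the jasperreports item, "No sponsor users it" should read "No sponsor uses it"; the same text appears in the jessie debdiff on this page, so it is worth fixing once at the source in unstable. For the swftools item, the rationale "It is a useful tool with trusted content though" is the only statement of the usage restriction in this hunk, so check that the entry added to the limited-support list spells out the same restriction for users who never read the changelog.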
diff --git a/debian/compat b/debian/compat
index 45a4fb7..ec63514 100644
--- a/debian/compat
+++ b/debian/compat
@@ -1 +1 @@
-8
+9
diff --git a/debian/control b/debian/control
index 2b827d1..f764ab9 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Section: admin
 Priority: optional
 Maintainer: Christoph Biedl <debian.a...@manchmal.in-ulm.de>
 Uploaders: Debian Security Team <t...@security.debian.org>
-Build-Depends: debhelper (>= 8~),
+Build-Depends: debhelper (>= 9~),
 asciidoc,
 gettext,
 gawk,
@@ -15,7 +15,7 @@ Build-Depends: debhelper (>= 8~),
 original-awk,
 po-debconf,
 xmlto,
-Standards-Version: 3.9.8
+Standards-Version: 4.1.3
 Vcs-Git: https://anonscm.debian.org/cgit/collab-maint/debian-security-support.git
 Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/debian-security-support.git
 
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 000..ee4e7df
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch=stretch
diff --git a/security-support-ended.deb7 b/security-support-ended.deb7
index 5cfd110..5278edb 100644
--- a/security-support-ended.deb7
+++ b/security-support-ended.deb7
@@ -52,3 +52,13 @@ kfreebsd-8  8.3-6+deb7u12016-02-06  Not supported in Deb
 kfreebsd-9  9.0-10+deb70.10 2016-02-06  Not supported in Debian LTS
 ioquake31.36+svn2287-1  2017-03-15  Not supported in Debian LTS (https://lists.debian.org/debian-lts/2017/03/msg00075.html)
 autotrace   0.31.1-16   2017-06-01  Not supported in Debian LTS (https://lists.debian.org/debian-lts/2017/05/msg00124.html)
+teamspeak-server2.0.24.1+debian-1.1 2017-07-31  Not supported in Debian LTS (non-free)
+teamspeak-client2.0.32-3.1  2017-07-31  Not supported in Debian LTS (non-free)
+libstruts1.2-java   1.2.9-5+deb7u2  2017-09-23  Not supported in Debian LTS
+nvidia-graphics-drivers 304.131-1   2017-09-24  Not supported in Debian LTS (non-free)
+glassfish   1:2.1.1-b31g-3  2017-09-26  Not supported in Debian LTS
+jbossas44.2.3.GA-7  2017-10-31  Not supported in Debian LTS
+libnet-ping-external-perl 0.13-12017-12-21  N

Bug#888731: stretch-pu: package virt-what/1.15-1+deb9u1

2018-01-29 Thread Guido Günther
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

The update fixes problems with virt detection arch/aarch64 since these
fall back to uname -m. x86 uses cpuid mostly so it went there
undetected.
Cheers,
 -- Guido

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'oldoldstable'), (500, 
'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index beabec6..a9fcd09 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+virt-what (1.15-1+deb9u1) stable-proposed-updates; urgency=medium
+
+  * Unbreak virt detection on arm/aarch64 (Closes: #888690)
+
+ -- Guido Günther <a...@sigxcpu.org>  Sun, 28 Jan 2018 19:41:53 +0100
+
 virt-what (1.15-1) unstable; urgency=medium
 
   [ Guido Günther ]
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 760033d..a57e359 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-branch=upstream/latest
-debian-branch=debian/sid
+debian-branch=debian/stretch
 
 [pq]
 patch-numbers = False
diff --git a/debian/patches/Determine-architecture-via-uname-m.patch b/debian/patches/Determine-architecture-via-uname-m.patch
new file mode 100644
index 000..3352f96
--- /dev/null
+++ b/debian/patches/Determine-architecture-via-uname-m.patch
@@ -0,0 +1,28 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <a...@sigxcpu.org>
+Date: Sat, 27 Jan 2018 13:11:36 +0100
+Subject: Determine architecture via 'uname -m'
+
+'uname -p' only gives unknown on x86_64, i386, arm6l (rpi) and aarch64
+(scaleways).
+
+Closes: #888690
+---
+ virt-what.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/virt-what.in b/virt-what.in
+index a5ed33e..ddfb53a 100644
+--- a/virt-what.in
 b/virt-what.in
+@@ -101,9 +101,9 @@ cpuid=$(virt-what-cpuid-helper)
+ dmi=$(LANG=C dmidecode 2>&1)
+ 
+ # Architecture.
+-# Note for the purpose of testing, we only call uname with -p option.
++# Note for the purpose of testing, we only call uname with -m option.
+ 
+-arch=$(uname -p | sed -e 's/i.86/i386/' | sed -e 's/arm.*/arm/')
++arch=$(uname -m | sed -e 's/i.86/i386/' | sed -e 's/arm.*/arm/')
+ 
+ # Check for VMware.
+ # cpuid check added by Chetan Loke.
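Review bot: with `uname -m` the two sed expressions on the `arch=` line still only normalise i.86 to i386 and arm.* to arm; a 64-bit ARM kernel reports aarch64, which neither pattern touches, so $arch will be the literal string aarch64. Since the changelog advertises the fix for arm/aarch64, confirm that the architecture tests further down in virt-what.in compare against aarch64 as well as arm. The rewritten comment ("for the purpose of testing, we only call uname with -m option") also no longer explains why -m was chosen; the reason given in the patch description (uname -p returns unknown) belongs there.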
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..4879f6d
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+Determine-architecture-via-uname-m.patch


Bug#887855: stretch-pu: package libvirt/3.0.0-4+deb9u2

2018-01-20 Thread Guido Günther
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,
the above update addresses CVE-2018-5748 as well as a bug where disks
with cache=directsync couldn't be migrated (#883208).
O.k. to upload to stretch-pu?
Cheers,
 -- Guido

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'oldoldstable'), (500, 
'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 222b31e543..f9aca519eb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+libvirt (3.0.0-4+deb9u2) stretch; urgency=medium
+
+  * CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor
+(Closes: #887700)
+  * qemu: shared disks with cache=directsync should be safe for migration.
+Thanks to Carsten Burkhardt (Closes: #883208)
+
+ -- Guido Günther <a...@sigxcpu.org>  Sat, 20 Jan 2018 17:51:39 +0100
+
 libvirt (3.0.0-4+deb9u1) stretch-security; urgency=high
 
   * CVE-2017-1000256: qemu: ensure TLS clients always verify the server
diff --git 
a/debian/patches/qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch
 
b/debian/patches/qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch
new file mode 100644
index 00..5d675ae6c3
--- /dev/null
+++ 
b/debian/patches/qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch
@@ -0,0 +1,49 @@
+From: "Daniel P. Berrange" <berra...@redhat.com>
+Date: Tue, 16 Jan 2018 17:00:11 +
+Subject: qemu: avoid denial of service reading from QEMU monitor
+ (CVE-2018-5748)
+
+We read from QEMU until seeing a \r\n pair to indicate a completed reply
+or event. To avoid memory denial-of-service though, we must have a size
+limit on amount of data we buffer. 10 MB is large enough that it ought
+to cope with normal QEMU replies, and small enough that we're not
+consuming unreasonable mem.
+
+Signed-off-by: Daniel P. Berrange <berra...@redhat.com>
+---
+ src/qemu/qemu_monitor.c | 15 +++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
+index 1610ae3..86ce2d1 100644
+--- a/src/qemu/qemu_monitor.c
 b/src/qemu/qemu_monitor.c
+@@ -55,6 +55,15 @@ VIR_LOG_INIT("qemu.qemu_monitor");
+ #define DEBUG_IO 0
+ #define DEBUG_RAW_IO 0
+ 
++/* We read from QEMU until seeing a \r\n pair to indicate a
++ * completed reply or event. To avoid memory denial-of-service
++ * though, we must have a size limit on amount of data we
++ * buffer. 10 MB is large enough that it ought to cope with
++ * normal QEMU replies, and small enough that we're not
++ * consuming unreasonable mem.
++ */
++#define QEMU_MONITOR_MAX_RESPONSE (10 * 1024 * 1024)
++
+ struct _qemuMonitor {
+ virObjectLockable parent;
+ 
+@@ -565,6 +574,12 @@ qemuMonitorIORead(qemuMonitorPtr mon)
+ int ret = 0;
+ 
+ if (avail < 1024) {
++if (mon->bufferLength >= QEMU_MONITOR_MAX_RESPONSE) {
++virReportSystemError(ERANGE,
++ _("No complete monitor response found in %d 
bytes"),
++ QEMU_MONITOR_MAX_RESPONSE);
++return -1;
++}
+ if (VIR_REALLOC_N(mon->buffer,
+   mon->bufferLength + 1024) < 0)
+ return -1;
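Review bot: the size check in qemuMonitorIORead runs only inside `if (avail < 1024)` and tests `mon->bufferLength`, so growth is refused once the allocation reaches QEMU_MONITOR_MAX_RESPONSE, not once that many bytes of unterminated reply have been read. That is enough to bound memory, but a one-line comment at the check saying it limits the allocation would keep the "No complete monitor response found in %d bytes" message from being read too literally. It is also worth confirming that the caller treats this `return -1` as fatal for the monitor, so that the buffer is released and not kept at the 10 MB ceiling.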
diff --git 
a/debian/patches/qemu-shared-disks-with-cache-directsync-should-be-safe-fo.patch
 
b/debian/patches/qemu-shared-disks-with-cache-directsync-should-be-safe-fo.patch
new file mode 100644
index 00..01bcc4ca64
--- /dev/null
+++ 
b/debian/patches/qemu-shared-disks-with-cache-directsync-should-be-safe-fo.patch
@@ -0,0 +1,41 @@
+From: Hao Peng <peng.h...@zte.com.cn>
+Date: Sat, 15 Jul 2017 23:01:25 +0800
+Subject: qemu: shared disks with cache=directsync should be safe for
+ migration
+
+At present shared disks can be migrated with either readonly or cache=none. But
+cache=directsync should be safe for migration, because both cache=directsync 
and cache=none
+don't use the host page cache, and cache=direct write through qemu block layer 
cache.
+
+Signed-off-by: Peng Hao <peng.h...@zte.com.cn>
+Reviewed-by: Wang Yechao <wang.yechao...@zte.com.cn>
+---
+ src/qemu/qemu_migration.c | 7 ---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
+index 0f4a6cf..dba5897 100644
+--- a/src/qemu/qemu_migration.c
 b/src/qemu/qemu_migration.c
+@@ -2375,9 +2375,10 @@ qemuMigratio

Bug#876731: stretch-pu: package osinfo-db/0.20170225-3~deb9u1

2017-09-29 Thread Guido Günther
Hi,
On Fri, Sep 29, 2017 at 06:45:37PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Mon, 2017-09-25 at 12:43 +0200, Guido Günther wrote:
> > I'd like to update osinfo-db in stretch. This would allow us to have
> > up
> > to date information for operating system installs with e.g. gnome-
> > boxes
> > by adding new data for recent centos, ubuntu and freebsd releases as
> > well as updating existing ones.
> > 
> > This version also included all our debian/patches/.
> > 
> > Since it's a new upstream version I've attached the full diff. Note
> > that
> > osinfo-db was split out from libosinfo to facilitate this kind of
> > upgrades.
> > 
> 
> Please go ahead, bearing in mind that the window for 9.2 closes during
> this weekend.

Uploaded. Thanks!
 -- Guido



Bug#876731: stretch-pu: package osinfo-db/0.20170225-3~deb9u1

2017-09-25 Thread Guido Günther
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,
I'd like to update osinfo-db in stretch. This would allow us to have up
to date information for operating system installs with e.g. gnome-boxes
by adding new data for recent centos, ubuntu and freebsd releases as
well as updating existing ones.

This version also included all our debian/patches/.

Since it's a new upstream version I've attached the full diff. Note that
osinfo-db was split out from libosinfo to facilitate this kind of
upgrades.

O.k. to upload to stretch-p-u?
Cheers,
 -- Guido


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'oldoldstable'), (500, 
'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/Makefile b/Makefile
index 6ff9b5c..1846f7a 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,11 @@
 
 VPATH = .
 
-TODAY = $(shell date +"%Y%m%d")
+ifdef SOURCE_DATE_EPOCH
+TODAY = $(shell date --utc --date="@$(SOURCE_DATE_EPOCH)" +"%Y%m%d")
+else
+TODAY = $(shell date +"%Y%m%d")
+endif
 
 OSINFO_DB_EXPORT = osinfo-db-export
 OSINFO_DB_IMPORT = osinfo-db-import
@@ -27,6 +31,8 @@ ARCHIVE = osinfo-db-$(TODAY).tar.xz
 
 ZANATA = zanata-cli
 
+XMLLINT = xmllint
+
 V = 0
 
 V_I18N = $(V_I18N_$(V))
@@ -79,7 +85,7 @@ clean:
 	rm -f $(DATA_FILES) $(SCHEMA_FILES) po/POTFILES.in po/osinfo-db.pot
 
 po/POTFILES.in:
-	$(V_GEN) find data -name *.xml.in > $@
+	$(V_GEN) find data -name *.xml.in | LC_ALL=C sort > $@
 
 po/osinfo-db.pot: po/POTFILES.in $(DATA_FILES_IN)
 	$(V_GEN) cd po && $(INTLTOOL_UPDATE) --gettext-package $(GETTEXT_PACKAGE) --pot
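Review bot: the changed recipe line still passes the pattern unquoted, `find data -name *.xml.in`, so the shell expands it first if any file matching *.xml.in exists in the directory make runs from, and find then looks for that name only. Quote it as `'*.xml.in'`, as the check target added later in this same patch already does for `'*.xml'`. Piping through `LC_ALL=C sort` is the right call for a stable POTFILES.in.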
@@ -114,3 +120,10 @@ update-po:
   fi; \
 done
 
+check: $(DATA_FILES) $(SCHEMA_FILES)
+	for xml in `find data -name '*.xml' | sort`; do \
+	  if ! $(XMLLINT) --relaxng data/schema/osinfo.rng --noout $$xml; then \
+	exit 1; \
+	  fi; \
+	done
+
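Review bot: the check recipe calls `$(XMLLINT) --relaxng data/schema/osinfo.rng --noout $$xml` without `--nonet`; adding that flag guarantees validation never fetches anything over the network during a package build, whatever a data file or the schema references. The loop also word-splits the output of find and uses `$$xml` unquoted, so quote it as `"$$xml"` to keep a path with whitespace from being passed as two arguments.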
diff --git a/README b/README
index b2822cb..9f2f3af 100644
--- a/README
+++ b/README
@@ -17,6 +17,21 @@ Dependencies
 - Required:
   - osinfo-db-tools
   - intltool
+- Optional:
+  - xmllint (from libxml2) -- for testing
+
+Build reproducibility
+=
+
+To build libosinfo reproduciblity, you should export the SOURCE_DATE_EPOCH[0]
+environment variable to the build system. For example:
+
+$ export SOURCE_DATE_EPOCH="$(date +%s)"
+$ ./configure [...]
+$ make
+[...]
+
+[0] https://reproducible-builds.org/specs/source-date-epoch/
 
 Patch submissions
 =
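Review bot: the example `export SOURCE_DATE_EPOCH="$(date +%s)"` sets the variable to the current time, which ties the output to the moment of the build and so demonstrates the opposite of what the section is about; show a fixed value, or one derived from the source such as the date of the last commit or changelog entry. The sentence "To build libosinfo reproduciblity" also needs fixing: this is the README of osinfo-db, and "reproducibly" is presumably what is meant.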
diff --git a/data/install-script/fedoraproject.org/fedora-kickstart-desktop.xml.in b/data/install-script/fedoraproject.org/fedora-kickstart-desktop.xml.in
index 6f53299..bdc9f5d 100644
--- a/data/install-script/fedoraproject.org/fedora-kickstart-desktop.xml.in
+++ b/data/install-script/fedoraproject.org/fedora-kickstart-desktop.xml.in
@@ -176,13 +176,13 @@ useradd -G wheel  # Add user
 if test -z ''; then
 passwd -d  # Make user account passwordless
 else
-echo  |passwd --stdin 
+echo '' |passwd --stdin 
 fi
 
 if test -z ''; then
 passwd -d root # Make root account passwordless
 else
-echo  |passwd --stdin root
+echo '' |passwd --stdin root
 fi
 
 # Set user avatar
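Review bot: wrapping the substituted password in single quotes (`echo '' |passwd --stdin root`, with the template value going between the quotes) fixes passwords containing spaces or `$`, but a password that itself contains a single quote still ends the quoting, and the remainder is parsed as shell by the install script. Escape `'` in the template before substitution, or hand the value to passwd in a form that needs no shell quoting. The same applies to the `if test -z ''` lines, which already used this quoting before the change.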
diff --git a/data/install-script/opensuse.org/opensuse-autoyast-desktop.xml.in b/data/install-script/opensuse.org/opensuse-autoyast-desktop.xml.in
index 04399b5..6554eb6 100644
--- a/data/install-script/opensuse.org/opensuse-autoyast-desktop.xml.in
+++ b/data/install-script/opensuse.org/opensuse-autoyast-desktop.xml.in
@@ -31,7 +31,7 @@
 xmlns:xsl="http://www.w3.org/1999/XSL/Transform;
 version="1.0">
 
-
+
 
 
   
@@ -119,7 +119,7 @@
   
   
 true
- resume=/dev/vda1 splash=silent quiet showopts
+resume=/dev/vda1 splash=silent quiet showopts
 false
 false
 false
@@ -215,18 +215,16 @@
 

Bug#867461: should ca-certificates certdata.txt synchronize across all suites?

2017-07-21 Thread Guido Günther
Hi,
On Fri, Jul 21, 2017 at 11:03:22PM +0200, Moritz Mühlenhoff wrote:
> On Fri, Jul 21, 2017 at 09:51:45AM -0400, Antoine Beaupré wrote:
> > On 2017-07-20 18:15:00, Philipp Kern wrote:
> > > On 07/17/2017 09:41 PM, Antoine Beaupré wrote:
> > >> Let's not jump the gun here. We're not shipping NSS in ca-certificates,
> > >> just a tiny part of it: one text file, more or less.
> > >
> > > Yeah, and the consensus of the world external to Debian seems to be that
> > > this might not be the smartest choice.
> > 
> > I'm not sure I understand what you are proposing as an alternative
> > here. Should we stop shipping ca-certificates? Or make it a binary
> > package of the NSS source package?
> 
> Most distros rebase to the latest NSS release across all supported suites.
> 
> We also did this once or twice in -security (for changes which were too
> intrusive to backport) and upstream apparently usually supports this.
> 
> But it's quite some effort to test all the reverse deps (that's why 
> backporting
> isolated fixes is easier in such cases) to ensure no breakage creeps in, so
> this would need a volunteer to deal with testing reverse deps.

Which could be mitigated via p-u since this at least allows others
(including machines that build all the rdeps and run the autopkg tests)
to see things before they hit everybody running stable.
Cheers,
 -- Guido



Bug#863970: jessie-pu: package debian-security-support/2016.06.02~deb8u1

2017-07-16 Thread Guido Günther
Hi,
On Sat, Jul 15, 2017 at 11:33:25AM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Fri, 2017-06-02 at 14:55 +0200, Guido Günther wrote:
> > I'd like to update debian-security-support among the supported suites so
> > users get up to date information from check-security-support. Since the
> > last update to Jessie was almost a year ago I've rebuilt the current
> > version for Jessie.
> > 
> > The debdiff looks huge due to translation improvements but if you filter
> > these out (2016.06.02+deb8u1-withou-po.diff) it doesn't look that bad.
> > 
> > O.k. to upload to stable-p-u?
> 
> Well, not stable-p-u now. :-)
> 
> +debian-security-support (2017.06.02+deb8u1) jessie; urgency=medium
> 
> That wants to be 2017.06.02~deb8u1, as you need the version to be
> smaller than unstable.
> 
> With that change, please go ahead.

Uploaded. Thanks!
 -- Guido



Bug#867461: should ca-certificates certdata.txt synchronize across all suites?

2017-07-07 Thread Guido Günther
On Fri, Jul 07, 2017 at 03:57:35PM +0200, Philipp Kern wrote:
> On 07/06/2017 08:01 PM, Antoine Beaupré wrote:
> > In looking at fixing #858539 (blocking WoSign and StartCom, in CC) for
> > wheezy, I noticed the issue was also pending in jessie. Furthermore, the
> > idea originally raised by pabs[1] was to also update the packages for
> > the latest changes in certdata.txt in wheezy, including the ISRG Root
> > for Let's Encrypt (LE).
> > 
> > While it should be fairly trivial to do this update, I wonder if the
> > same logic should apply to jessie itself. Right now, jessie and stretch
> > are synchronized, but that's only because there's an update pending in
> > unstable to synchronize with the upstream 2.11 NSS database.
> > 
> > This raises the question of how synchronized we want this file to be? It
> > seems a little arbitrary to me to synchronize the file from jessie to
> > wheezy only for this one certificate authority (LE). How about the other
> > authorities? It doesn't seem like we should be calling the shots on
> > this: if we follow the Mozilla policies here, either we update all
> > supported suites at once, or we accept that some suites will have
> > outdated material.
> > 
> > I have therefore opened this specific discussion with the release team
> > in #867461 (in CC as well). Hopefully this will bring a consistent
> > policy.
> > 
> > For what it's worth, my opinion is that we should attempt to synchronize
> > certdata.txt (and blacklist.txt, for that matter) across all suites (but
> > not other changes to the packaging). This would remove another decision
> > point in our infrastructure and ensure harmonious X509 processing across
> > suites.
> > 
> > [1]: https://lists.debian.org/1490430746.9127.2.ca...@debian.org
> > 
> > Thanks for any feedback. For now I'll hold on another week or so for the
> > wheezy update, since it seems unreasonable to push that update out
> > before jessie is updated and that question is resolved.
> 
> But it's not just about certdata.txt. The WoSign and StartCom distrust
> was actually hardcoded in NSS and hence what Mozilla enforced in NSS we
> couldn't check in any other tools using ca-certificates. We also do not
> sync the NSS version or backport the cert checks when such distrusts
> happen. So we can only react in a similar way when the time for full
> distrust has come (which is sort of the case now with these two),
> otherwise we diverge in logic and potentially break users with different
> expectations[1].

Which brings us back to #824872 (same nss/nspr in all suites). We're
basically shipping new NSS with firefox / thunderbird but not for the
rest.
 -- Guido

> 
> Kind regards
> Philipp Kern
> 
> [1] If they are realistic is another question.


Bug#865483: jessie-pu: package libosinfo/0.2.11-1.1+deb8u1

2017-06-30 Thread Guido Günther
On Fri, Jun 30, 2017 at 06:49:28PM +0200, Cyril Brulebois wrote:
> Cyril Brulebois  (2017-06-30):
> > I see you changed the version number for something shorter (-1.1+deb8u1 vs.
> > -2), but I don't think this makes a huge difference, except for being a bit
> > more compact. Feel free to upload, thanks.
> 
> Having checked internally, please use -1.1+deb8u1 as planned initially.

O.k. uploaded not with the above version. Sorry for the confusion, I
really need to teach "gbp dch" to do the right thing automatically.
Cheers,
 -- Guido



Bug#865483: jessie-pu: package libosinfo/0.2.11-1.1+deb8u1

2017-06-28 Thread Guido Günther
Hi Cyril,
On Tue, Jun 27, 2017 at 09:24:03PM +0200, Cyril Brulebois wrote:
> Hi Guido,
> 
> Guido Günther <a...@sigxcpu.org> (2017-06-27):
> > One thing that just crossed my mind: should we delay this update for
> > Jessie past the first stretch point release. I would then change the
> > patch to use an URL for stretch from
> > 
> > http://cdimage.debian.org/mirror/cdimage/archive/9.0.0
> > 
> > instead of
> > 
> > http://cdimage.debian.org/mirror/cdimage/release/
> > 
> > so we have a stable URL that doesn't break with every stretch point
> > release asking for further updates? Sorry for not thinking about this
> > earlier.
> 
> It's likely we'll release 8.9 & 9.1 during the same week-end. So maybe
> you could include this change right away? It would only be an annoyance
> for people fetching the updated package “in advance” from the
> jessie-proposed-updates suite? But then, we don't have stretch support
> at all right now, so that's not even a regression.

Great. See new debdiff attached. I've also attached the diff with
patches applied for the relevant part of the debian.xml.in
(url-change.diff). For the sake of completeness: I've also changed
debian/gbp.conf to point to debian/jessie so gbp picks up the right
chroot without further typing.

Tested on Jessie:

$ osinfo-detect debian-9.0.0-amd64-netinst.iso 
Media is bootable.
Media is an installer for OS 'Debian Stretch'

O.k. to upload to jessie-p-u?
Cheers,
 -- Guido

> 
> > Regarding the tests:
> > 
> > Things are split up in stretch so that tests/ are in libosinfo while the
> > data is in osinfo-db:
> > 
> > 
> > https://gitlab.com/agx1/libosinfo/commit/117029715f90c5c7a2f2a996b21e9fefca6585c8
> > 
> > and I deemed updating libosinfo in stretch as well only for the tests
> > overkill (but I ran them there as well).
> 
> (Just to be clear: I was really enjoying seeing tests get added.)
> 
> 
> KiBi.


diff --git a/data/oses/debian.xml.in b/data/oses/debian.xml.in
index 5924850..73bc327 100644
--- a/data/oses/debian.xml.in
+++ b/data/oses/debian.xml.in
@@ -334,7 +334,7 @@
 
 
 
-  http://cdimage.debian.org/cdimage/release/current/i386/iso-cd/debian-9.0.0-i386-netinst.iso
+  http://cdimage.debian.org/mirror/cdimage/archive/9.0.0/i386/iso-cd/debian-9.0.0-i386-netinst.iso
   
 Debian 9.\d.\d i386 (1|n)
   
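Review bot: In the `Debian 9.\d.\d i386 (1|n)` pattern kept as context under the new URL, the dots are unescaped and each `\d` matches exactly one digit, so the pattern accepts any character between the numbers and will not match a two-digit point release. Consider `9\.\d+\.\d+`. The URL now pins 9.0.0 while the pattern still identifies every 9.x.y medium, so say in the patch description that a later point-release ISO is detected but the 9.0.0 image is the one offered for download.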
@@ -342,7 +342,7 @@
   install.386/initrd.gz
 
 
-  http://cdimage.debian.org/cdimage/release/current/amd64/iso-cd/debian-9.0.0-amd64-netinst.iso
+  http://cdimage.debian.org/mirror/cdimage/archive/9.0.0/amd64/iso-cd/debian-9.0.0-amd64-netinst.iso
   
 Debian 9.\d.\d amd64 (1|n)
   
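Review bot: The new amd64 URL, like the i386 one in the previous hunk, is still plain `http://`. Anything that follows this entry to fetch an installer gets no transport integrity, so either switch to `https://` if cdimage.debian.org serves the archive path that way, or make sure the consumer verifies the ISO against the signed SHA256SUMS file before use.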
diff --git a/debian/changelog b/debian/changelog
index 45f9af0..10d7772 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libosinfo (0.2.11-2) jessie; urgency=medium
+
+  * [4b4388e] Add Debian Jessie and Stretch
+  * [335f18d] Adjust gbp.conf for Debian Jessie
+
+ -- Guido Günther <a...@sigxcpu.org>  Wed, 28 Jun 2017 19:06:22 +0200
+
 libosinfo (0.2.11-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
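Review bot: The new top entry uses version `0.2.11-2` with distribution `jessie`. A plain `-2` revision is what a regular upload following `0.2.11-1.1` would take, so a stable update should keep the base revision and add a suite suffix, `0.2.11-1.1+deb8u1`, as in the bug title. The entry also does not mention that the Stretch URLs now point at the `archive/9.0.0` tree.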
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 4b41283..9103184 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,4 +1,4 @@
 [DEFAULT]
-debian-branch = debian/sid
+debian-branch = debian/jessie
 upstream-tag = v%(version)s
 upstream-branch = upstream/master
diff --git a/debian/patches/Add-Debian-Jessie-and-Stretch.patch b/debian/patches/Add-Debian-Jessie-and-Stretch.patch
new file mode 100644
index 000..fd7e856
--- /dev/null
+++ b/debian/patches/Add-Debian-Jessie-and-Stretch.patch
@@ -0,0 +1,242 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <a...@sigxcpu.org>
+Date: Wed, 21 Jun 2017 08:36:07 +0200
+Subject: Add Debian Jessie and Stretch
+
+---
+ data/oses/debian.xml.in| 100 -
+ .../debian/debian8/debian-8.7.1-amd64-CD-1.iso.txt |  29 ++
+ .../debian9/debian-9.0-amd64-netinst.iso.txt   |  29 ++
+ .../debian/debian9/debian-9.0-amd64.iso.txt|  29 ++
+ 4 files changed, 185 insertions(+), 2 deletions(-)
+ create mode 100644 test/isodata/debian/debian8/debian-8.7.1-amd64-CD-1.iso.txt
+ create mode 100644 test/isodata/debian/debian9/debian-9.0-amd64-netinst.iso.txt
+ create mode 100644 test/isodata/debian/debian9/debian-9.0-amd64.iso.txt
+
+diff --git a/data/oses/debian.xml.in b/data/oses/debian.xml.in
+index 61d4d52..73bc327 100644
+--- a/data/oses/debian.xml.in
 b/data/oses/debian.xml.in
+@@ -238,7 +238,7 @@
+ 
+ 
+ 
+-  http://cdimage.debian.org/debian-cd/7.3.0/i386/iso-dvd/debian-7.3.0-i386-DVD-1.iso
++  http://cdimage.debian.org/mirror/cdimage/archive/7.11.0/i386/iso-dvd/debian-7.11.0-i386-DVD-1.iso
+   
+ Debian 7.\d.\d i386 1
+   
+@@ -246,7 +246,
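Review bot: The embedded patch is titled `Add Debian Jessie and Stretch`, but its first hunk on `data/oses/debian.xml.in` rewrites the Wheezy DVD URL from `debian-cd/7.3.0` to `archive/7.11.0`. The patch has no body after the Subject line, so add one sentence there (or extend the Subject) naming the Wheezy link update, so the change is not hidden behind the title.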

Bug#865483: jessie-pu: package libosinfo/0.2.11-1.1+deb8u1

2017-06-27 Thread Guido Günther
Hi,
On Tue, Jun 27, 2017 at 06:13:08AM +0200, Cyril Brulebois wrote:
> Control: tag -1 confirmed
> 
> Hi,
> 
> Guido Günther <a...@sigxcpu.org> (2017-06-21):
> > the attached debdiff updates the release information for jessie,
> > wheezy and stretch. Fortunately this is split out to osinfo-db in
> > stretch. O.k. to upload to jessie-p-u?
> 
> Assuming this was tested successfully on jessie (and I like the
> additions under test/ anyway), this looks good to me. Feel free
> to upload.

One thing that just crossed my mind: should we delay this update for
Jessie past the first stretch point release. I would then change the
patch to use an URL for stretch from

http://cdimage.debian.org/mirror/cdimage/archive/9.0.0

instead of

http://cdimage.debian.org/mirror/cdimage/release/

so we have a stable URL that doesn't break with every stretch point
release asking for further updates? Sorry for not thinking about this
earlier.

Regarding the tests:

Things are split up in stretch so that tests/ are in libosinfo while the
data is in osinfo-db:


https://gitlab.com/agx1/libosinfo/commit/117029715f90c5c7a2f2a996b21e9fefca6585c8

and I deemed updating libosinfo in stretch as well only for the tests
overkill (but I ran them there as well).

Cheers,
 -- Guido



Bug#865270: stretch-pu: package osinfo-db/0.20170225-3+deb9u1

2017-06-26 Thread Guido Günther
Hi KiBi,
On Mon, Jun 26, 2017 at 01:41:51PM +0200, Cyril Brulebois wrote:
> Control: tag -1 confirmed
> 
> Guido Günther <a...@sigxcpu.org> (2017-06-26):
> > That was caused by #858031 and me not getting around to verify
> > everything before the release.
> 
> Oh, for some reason I didn't realize/remember you were the one
> requesting this change. :)
> 
> > Yes, since they're on archive these will stay stable although users
> > will get a slightly outdated version. Due to #813797 there's little we
> > can do at the moment within libosinfo itself. Either fix the former on
> > the cd generating end or use the reflection service:
> > 
> > http://cdr.debian.net/debian-cd/8/i386/iso-dvd
> > http://cdr.debian.net/debian-cd/9/i386/iso-dvd
> > 
> > I'm tracking the changes to the Debian URLs upstream and hope that we
> > can get a newer osinfo-db version in from time to time so people not
> > only get recent URLs for Debian itself but also for other Linux distros
> > and non-free OSes.
> 
> Thanks for the context.
> 
> I think it would be great to have some kind of yaml file or so indexing
> all images, their type, etc., on the cdimage side, yeah.
> 
> > > Anyway, back to business: I'd like to see an updated debdiff with a
> > > proper version number.
> > 
> > Attached.
> >  -- Guido
> 
> Looks good to me, feel free to upload.

Uploaded. Thanks!
 -- Guido



Bug#865270: stretch-pu: package osinfo-db/0.20170225-3+deb9u1

2017-06-26 Thread Guido Günther
Hi Cyril,
On Sun, Jun 25, 2017 at 11:30:40PM +0200, Cyril Brulebois wrote:
> Hi Guido,
> 
> Guido Günther <a...@sigxcpu.org> (2017-06-20):
> > this update makes stretch DVDs detectable by libosinfo (used by
> > virt-manager, gnome-boxes, ...) and adjusts the installer links to the
> > current locations.
> 
> You can't upload to stretch with a version higher than the one in
> unstable (0.20170225-3+deb9u1). You seem to have wanted to backport
> latest unstable to stretch, in which case, you want 0.20170225-3~deb9u1.

Argh, my bad, sorry.

> (Putting aside my release assistant hat for a minute.)
> 
> I'm a bit surprised by the asymmetry of the diff: I would have expected
> RCs to be replaced by final images in a comparable number. But I suspect
> this might be due to not spending time on feeding links to all images at
> first? AFAICT we use a very similar setup between RCs and final
> builds,

This is mostly caused by a rename in the series file:

-Add-Debian-Stretch-RCs.patch
+Add-Debian-Stretch.patch

> so maybe having had all links from the beginning would have helped
> spotting the issue filed as #864923?

That was caused by #858031 and me not getting around to verify
everything before the release.

> 
> > It also updates the Jessie ones now that things moved for stretch.
> 
> Speaking of which, will those still work when 8.9 is out?

Yes, since they're on archive these will stay stable although users will
get a slightly outdated version. Due to #813797 there's little we can do
at the moment within libosinfo itself. Either fix the former on the cd
generating end or use the reflection service:

http://cdr.debian.net/debian-cd/8/i386/iso-dvd
http://cdr.debian.net/debian-cd/9/i386/iso-dvd

I'm tracking the changes to the Debian URLs upstream and hope that we
can get a newer osinfo-db version in from time to time so people not only
get recent URLs for Debian itself but also for other Linux distros and
non-free OSes.
> 
> 
> Anyway, back to business: I'd like to see an updated debdiff with a
> proper version number.

Attached.
 -- Guido
diff --git a/debian/changelog b/debian/changelog
index 9bd6632..d5134fe 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+osinfo-db (0.20170225-3~deb9u1) stretch; urgency=medium
+
+  * [17d85a0] Adjust gbp.conf for stretch
+
+ -- Guido Günther <a...@sigxcpu.org>  Tue, 20 Jun 2017 08:26:19 +0200
+
+osinfo-db (0.20170225-3) unstable; urgency=medium
+
+  * [c058963] Update Jessie DVD links.
+  * [745d2f5] Add Debian Stretch (Closes: #864923)
+
+ -- Guido Günther <a...@sigxcpu.org>  Mon, 19 Jun 2017 19:34:55 +0200
+
 osinfo-db (0.20170225-2) unstable; urgency=medium
 
   * [7016785] Fix Stretch URL for i386.
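Review bot: The `0.20170225-3~deb9u1` entry at the top lists only `Adjust gbp.conf for stretch`. Since this upload is the unstable `0.20170225-3` rebuilt for stretch, add a line that says so (for example `Rebuild for stretch`), so someone reading only the top entry sees why the package in stable changed.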
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 760033d..a57e359 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-branch=upstream/latest
-debian-branch=debian/sid
+debian-branch=debian/stretch
 
 [pq]
 patch-numbers = False
diff --git a/debian/patches/Add-Debian-Stretch-RCs.patch b/debian/patches/Add-Debian-Stretch-RCs.patch
deleted file mode 100644
index 620e5b2..000
--- a/debian/patches/Add-Debian-Stretch-RCs.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From: =?utf-8?q?Guido_G=C3=BCnther?= <a...@sigxcpu.org>
-Date: Mon, 13 Mar 2017 19:20:33 +0100
-Subject: Add Debian Stretch RCs
-
-Closes: #856667

- data/os/debian.org/debian-9.xml.in  | 64 +
- debian/patches/Add-Debian-Stretch-RCs.patch |  4 +-
- 2 files changed, 66 insertions(+), 2 deletions(-)
- create mode 100644 data/os/debian.org/debian-9.xml.in
-
-diff --git a/data/os/debian.org/debian-9.xml.in b/data/os/debian.org/debian-9.xml.in
-new file mode 100644
-index 000..4200f45
 /dev/null
-+++ b/data/os/debian.org/debian-9.xml.in
-@@ -0,0 +1,64 @@
-+
-+
-+  http://debian.org/debian/9;>
-+debian9
-+debianstretch
-+<_name>Debian Stretch
-+9
-+<_vendor>Debian Project
-+linux
-+debian
-+http://debian.org/debian/8"/>
-+http://debian.org/debian/8"/>
-+
-+2017-02-02
-+
-+
-+  http://pcisig.com/pci/1af4/1041"/>
-+  http://pcisig.com/pci/1af4/1042"/>
-+  http://pcisig.com/pci/1af4/1043"/>
-+  http://pcisig.com/pci/1af4/1044"/>
-+  http://pcisig.com/pci/1af4/1045"/>
-+  http://pcisig.com/pci/1af4/1048"/>
-+  http://pcisig.com/pci/1af4/1049"/>
-+  http://pcisig.com/pci/1af4/1052"/>
-+
-+
-+
-+  
-+10
-+1
-+1073741824
-+10737418240
-+  
-+  
-+10
-+1073741824
-+21474836480
-+  
-+
-+
-+
-+  http://cdimage.debian.org/cdimage/stretch_di_rc3/i386/iso-dvd/debian-stretch-DI-rc3-i386-DVD-1.iso
-+  
-+Debian stretch-DI-rc\d i38
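
The ordering rule behind the `~deb8u1` correction in Bug#863970 and the `~deb9u1` correction in Bug#865270, as an added example that is not part of the original messages: a small Python implementation of the comparison described in the deb-version manual page, run over version strings quoted on this page. The function names are this example's own and are not dpkg's API.

```python
"""Debian version ordering as described in the deb-version manual page.

Added example; the function names are hypothetical, not dpkg's API.
"""
import string

DIGITS = string.digits
LETTERS = string.ascii_letters


def split_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    head, colon, tail = version.partition(":")
    if colon and head.isdigit():
        epoch, version = int(head), tail
    upstream, hyphen, revision = version.rpartition("-")
    if not hyphen:  # no Debian revision; an empty one compares like "0"
        upstream, revision = version, ""
    return epoch, upstream, revision


def _weight(ch):
    """Sort weight of one character inside a non-digit run."""
    if ch == "~":
        return -1            # '~' sorts before everything, even end of string
    if ch == "":
        return 0             # end of string (or start of a digit run)
    if ch in LETTERS:
        return ord(ch)       # letters sort before all other characters
    return ord(ch) + 256     # '+', '.', '-' and the like sort after letters


def _compare_fragment(a, b):
    """Compare two upstream-version or revision strings; return -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Step 1: non-digit runs, character by character with _weight().
        while (i < len(a) and a[i] not in DIGITS) or \
              (j < len(b) and b[j] not in DIGITS):
            ca = a[i] if i < len(a) and a[i] not in DIGITS else ""
            cb = b[j] if j < len(b) and b[j] not in DIGITS else ""
            if _weight(ca) != _weight(cb):
                return -1 if _weight(ca) < _weight(cb) else 1
            i += 1  # equal weights here mean the same real character
            j += 1
        # Step 2: digit runs, compared as numbers (an empty run counts as 0).
        si, sj = i, j
        while i < len(a) and a[i] in DIGITS:
            i += 1
        while j < len(b) and b[j] in DIGITS:
            j += 1
        na, nb = int(a[si:i] or 0), int(b[sj:j] or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a sorts before, equal to or after b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _compare_fragment(ua, ub) or _compare_fragment(ra, rb)


def stays_below(candidate, reference):
    """True if a stable upload 'candidate' sorts below 'reference'."""
    return compare_versions(candidate, reference) < 0


# Version strings quoted in the threads on this page: (candidate, reference).
CASES = [
    ("2017.06.02+deb8u1", "2017.06.02"),       # rejected in Bug#863970
    ("2017.06.02~deb8u1", "2017.06.02"),       # requested replacement
    ("0.20170225-3+deb9u1", "0.20170225-3"),   # rejected in Bug#865270
    ("0.20170225-3~deb9u1", "0.20170225-3"),   # requested replacement
    ("0.2.11-1.1+deb8u1", "0.2.11-2"),         # suffix stays below a plain -2
]

if __name__ == "__main__":
    for candidate, reference in CASES:
        verdict = "below" if stays_below(candidate, reference) else "NOT below"
        print(f"{candidate:24} is {verdict} {reference}")
```

`+debNuM` sorts above the version it is appended to, which suits an update on top of the version already in that suite; `~debNuM` sorts below it, which suits a rebuild of the unstable version for an older suite.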

Bug#865483: jessie-pu: package libosinfo/0.2.11-1.1+deb8u1

2017-06-21 Thread Guido Günther
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,
the attached debdiff updates the release information for jessie, wheezy
and stretch. Fortunately this is split out to osinfo-db in
stretch. O.k. to upload to jessie-p-u?
Cheers,
 -- Guido

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'stable'), 
(1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 45f9af0..c2e0a73 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libosinfo (0.2.11-1.1+deb8u1) jessie; urgency=medium
+
+  * [6e5ed77] Add Debian Jessie and Stretch
+and update the Wheezy links to the final point release.
+
+ -- Guido Günther <a...@sigxcpu.org>  Wed, 21 Jun 2017 08:47:43 +0200
+
 libosinfo (0.2.11-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff --git a/debian/patches/Add-Debian-Jessie-and-Stretch.patch b/debian/patches/Add-Debian-Jessie-and-Stretch.patch
new file mode 100644
index 000..89f25d3
--- /dev/null
+++ b/debian/patches/Add-Debian-Jessie-and-Stretch.patch
@@ -0,0 +1,242 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <a...@sigxcpu.org>
+Date: Wed, 21 Jun 2017 08:36:07 +0200
+Subject: Add Debian Jessie and Stretch
+
+---
+ data/oses/debian.xml.in| 100 -
+ .../debian/debian8/debian-8.7.1-amd64-CD-1.iso.txt |  29 ++
+ .../debian9/debian-9.0-amd64-netinst.iso.txt   |  29 ++
+ .../debian/debian9/debian-9.0-amd64.iso.txt|  29 ++
+ 4 files changed, 185 insertions(+), 2 deletions(-)
+ create mode 100644 test/isodata/debian/debian8/debian-8.7.1-amd64-CD-1.iso.txt
+ create mode 100644 test/isodata/debian/debian9/debian-9.0-amd64-netinst.iso.txt
+ create mode 100644 test/isodata/debian/debian9/debian-9.0-amd64.iso.txt
+
+diff --git a/data/oses/debian.xml.in b/data/oses/debian.xml.in
+index 61d4d52..5924850 100644
+--- a/data/oses/debian.xml.in
 b/data/oses/debian.xml.in
+@@ -238,7 +238,7 @@
+ 
+ 
+ 
+-  http://cdimage.debian.org/debian-cd/7.3.0/i386/iso-dvd/debian-7.3.0-i386-DVD-1.iso
++  http://cdimage.debian.org/mirror/cdimage/archive/7.11.0/i386/iso-dvd/debian-7.11.0-i386-DVD-1.iso
+   
+ Debian 7.\d.\d i386 1
+   
+@@ -246,7 +246,7 @@
+   install.386/initrd.gz
+ 
+ 
+-  http://cdimage.debian.org/debian-cd/7.3.0/amd64/iso-dvd/debian-7.3.0-amd64-DVD-1.iso
++  http://cdimage.debian.org/mirror/cdimage/archive/7.11.0/amd64/iso-dvd/debian-7.11.0-amd64-DVD-1.iso
+   
+ Debian 7.\d.\d amd64 1
+   
+@@ -260,4 +260,100 @@
+ 
+   
+ 
++  http://debian.org/debian/8;>
++debian8
++debianjessie
++<_name>Debian Jessie
++8
++<_vendor>Debian Project
++linux
++debian
++http://debian.org/debian/7"/>
++http://debian.org/debian/7"/>
++
++
++  
++10
++1
++134217728
++5368709120
++  
++  
++10
++1073741824
++21474836480
++  
++
++
++
++  http://cdimage.debian.org/mirror/cdimage/archive/8.8.0/i386/iso-dvd/debian-8.8.0-i386-DVD-1.iso
++  
++Debian 8.\d.\d i386 1
++  
++  install.386/vmlinuz
++  install.386/initrd.gz
++
++
++  http://cdimage.debian.org/mirror/cdimage/archive/8.8.0/amd64/iso-dvd/debian-8.8.0-amd64-DVD-1.iso
++  
++Debian 8.\d.\d amd64 1
++  
++  install.amd/vmlinuz
++  install.amd/initrd.gz
++
++
++
++  
++  
++
++  
++
++  http://debian.org/debian/9;>
++debian9
++debianstretch
++<_name>Debian Stretch
++9
++<_vendor>Debian Project
++linux
++debian
++http://debian.org/debian/8"/>
++http://debian.org/debian/8"/>
++
++
++  
++10
++1
++134217728
++5368709120
++  
++  
++10
++1073741824
++21474836480
++  
++
++
++
++  http://cdimage.debian.org/cdimage/release/current/i386/iso-cd/debian-9.0.0-i386-netinst.iso
++  
++Debian 9.\d.\d i386 (1|n)
++  
++  install.386/vmlinuz
++  install.386/initrd.gz
++
++
++  http://cdimage.debian.org/cdimage/release/current/amd64/iso-cd/debian-9.0.0-amd64-netinst.iso
++  
++Debian 9.\d.\d amd64 (1|n)
++  
++  install.amd/vmlinuz
++  install.amd/initrd.gz
++
++
++
++  
++  
++
++  
++
+ 
+diff --git a/test/isodata/debian/debian8/
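Review bot: The two Stretch entries added near the end of the embedded `debian.xml.in` diff point at `cdimage/release/current/.../debian-9.0.0-*-netinst.iso`. The directory is named `current` while the file name is fixed at 9.0.0, so these links stop resolving once `current` holds a later point release. Use the `mirror/cdimage/archive/9.0.0/` form, matching the `archive/7.11.0` and `archive/8.8.0` URLs used for Wheezy and Jessie in the same patch.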

Bug#865270: stretch-pu: package osinfo-db/0.20170225-3+deb9u1

2017-06-20 Thread Guido Günther
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,
this update makes stretch DVDs detectable by libosinfo (used by
virt-manager, gnome-boxes, ...) and adjusts the installer links to the
current locations.
It also updates the Jessie ones now that things moved for stretch.
Cheers,
 -- Guido


-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'stable'), 
(1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 9bd6632..7060abe 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+osinfo-db (0.20170225-3+deb9u1) stretch; urgency=medium
+
+  * [17d85a0] Adjust gbp.conf for stretch
+
+ -- Guido Günther <a...@sigxcpu.org>  Tue, 20 Jun 2017 08:26:19 +0200
+
+osinfo-db (0.20170225-3) unstable; urgency=medium
+
+  * [c058963] Update Jessie DVD links.
+  * [745d2f5] Add Debian Stretch (Closes: #864923)
+
+ -- Guido Günther <a...@sigxcpu.org>  Mon, 19 Jun 2017 19:34:55 +0200
+
 osinfo-db (0.20170225-2) unstable; urgency=medium
 
   * [7016785] Fix Stretch URL for i386.
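Review bot: `0.20170225-3+deb9u1` in the top entry sorts above `0.20170225-3`, the unstable entry directly below it, because `+` compares greater than the end of the string. An upload to stretch has to stay below the unstable version, so a rebuild of `-3` for stretch should be versioned `0.20170225-3~deb9u1`.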
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 760033d..a57e359 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-branch=upstream/latest
-debian-branch=debian/sid
+debian-branch=debian/stretch
 
 [pq]
 patch-numbers = False
diff --git a/debian/patches/Add-Debian-Stretch-RCs.patch b/debian/patches/Add-Debian-Stretch-RCs.patch
deleted file mode 100644
index 620e5b2..000
--- a/debian/patches/Add-Debian-Stretch-RCs.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From: =?utf-8?q?Guido_G=C3=BCnther?= <a...@sigxcpu.org>
-Date: Mon, 13 Mar 2017 19:20:33 +0100
-Subject: Add Debian Stretch RCs
-
-Closes: #856667

- data/os/debian.org/debian-9.xml.in  | 64 +
- debian/patches/Add-Debian-Stretch-RCs.patch |  4 +-
- 2 files changed, 66 insertions(+), 2 deletions(-)
- create mode 100644 data/os/debian.org/debian-9.xml.in
-
-diff --git a/data/os/debian.org/debian-9.xml.in b/data/os/debian.org/debian-9.xml.in
-new file mode 100644
-index 000..4200f45
 /dev/null
-+++ b/data/os/debian.org/debian-9.xml.in
-@@ -0,0 +1,64 @@
-+
-+
-+  http://debian.org/debian/9;>
-+debian9
-+debianstretch
-+<_name>Debian Stretch
-+9
-+<_vendor>Debian Project
-+linux
-+debian
-+http://debian.org/debian/8"/>
-+http://debian.org/debian/8"/>
-+
-+2017-02-02
-+
-+
-+  http://pcisig.com/pci/1af4/1041"/>
-+  http://pcisig.com/pci/1af4/1042"/>
-+  http://pcisig.com/pci/1af4/1043"/>
-+  http://pcisig.com/pci/1af4/1044"/>
-+  http://pcisig.com/pci/1af4/1045"/>
-+  http://pcisig.com/pci/1af4/1048"/>
-+  http://pcisig.com/pci/1af4/1049"/>
-+  http://pcisig.com/pci/1af4/1052"/>
-+
-+
-+
-+  
-+10
-+1
-+1073741824
-+10737418240
-+  
-+  
-+10
-+1073741824
-+21474836480
-+  
-+
-+
-+
-+  http://cdimage.debian.org/cdimage/stretch_di_rc3/i386/iso-dvd/debian-stretch-DI-rc3-i386-DVD-1.iso
-+  
-+Debian stretch-DI-rc\d i386 1
-+  
-+  install.386/vmlinuz
-+  install.386/initrd.gz
-+
-+
-+  http://cdimage.debian.org/cdimage/stretch_di_rc3/amd64/iso-dvd/debian-stretch-DI-rc3-amd64-DVD-1.iso
-+  
-+	Debian stretch-DI-rc\d amd64 1
-+  
-+  install.amd/vmlinuz
-+  install.amd/initrd.gz
-+
-+
-+
-+  
-+  
-+
-+  
-+
diff --git a/debian/patches/Add-Debian-Stretch.patch b/debian/patches/Add-Debian-Stretch.patch
new file mode 100644
index 000..f03bd32
--- /dev/null
+++ b/debian/patches/Add-Debian-Stretch.patch
@@ -0,0 +1,145 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <a...@sigxcpu.org>
+Date: Mon, 13 Mar 2017 19:20:33 +0100
+Subject: Add Debian Stretch
+
+---
+ data/os/debian.org/debian-9.xml.in | 130 +
+ 1 file changed, 130 insertions(+)
+ create mode 100644 data/os/debian.org/debian-9.xml.in
+
+diff --git a/data/os/debian.org/debian-9.xml.in b/data/os/debian.org/debian-9.xml.in
+new file mode 100644
+index 000..e0b9085
+--- /dev/null
 b/data/os/debian.org/debian-9.xml.in
+@@ -0,0 +1,130 @@
++
++
++  http://debian.org/debian/9;>
++debian9
++debianstretch
++<_name>Debian Stretch
++9
++<_vendor>Debian Project
++linux
++debian
++http://debian.org

Bug#864054: RM: calypso/1.5-3

2017-06-03 Thread Guido Günther
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

Calypso currently has issues with UTF-8 encoding when using "recent"
python-vobject

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841247

My attempt to fix this upstream went uncommented which is related to the
fact that there wasn't much upstream activity in the last year.

I'd feel better if we'd pull calypso from stretch and rather not offer
any support for it at the moment given that there are other things
pending like strong password hash support.

I intend to push the changes I made and release a new version but given
the current number of users backports is likely good enough and easier
to keep updated.

cc'ing Jemer who also worked on the package in the past.
Cheers,
 -- Guido

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), 
(500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#863967: unblock: debian-security-support/2017.06.02

2017-06-02 Thread Guido Günther
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package debian-security-support

It would be great to start out with an up to date
debian-security-support package in stretch.

Since I intend to sync this version to jessie and wheezy as well it
would be great if stretch would not be released with a lower version.

Debdiff attached.
Cheers,
 -- Guido

unblock debian-security-support/2017.06.02

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), 
(500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 72acd16..28a9b5d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,27 @@
+debian-security-support (2017.06.02) unstable; urgency=medium
+
+  [ Moritz Muehlenhoff ]
+  * Remove acidbase entry from security-support-limited, it's been removed
+and is no longer present in any currently supported suite
+  * Mark trn as unsupported in jessie, it got removed in 8.6
+  * Mark sogo as unsupported in jessie, it got removed in 8.7
+  * Mark dotclear as unsupported in jessie, it got removed in 8.7
+
+  [ Raphaël Hertzog ]
+  * Mark autotrace as unsupported in wheezy.
+
+  [ Chris Lamb ]
+  * Mark ioquake3 as unsupported in wheezy.
+
+  [ Guido Günther ]
+  * Mark freebsd-* as unsupported in wheezy.
+  * Mark cgiemail as unsupported in jessie, it got removed in 8.8.
+  * Mark owncloud as unsupported in jessie, it got removed in 8.8.
+  * Mark owncloud-app as unsupported in jessie, it got removed in 8.8.
+  * d/control: Use https Git URL
+
+ -- Guido Günther <a...@sigxcpu.org>  Fri, 02 Jun 2017 12:15:58 +0200
+
 debian-security-support (2017.01.03) unstable; urgency=medium
 
   * Add Teeworlds to security-support-ended.deb7 because games are not
diff --git a/debian/control b/debian/control
index aa759f0..2b827d1 100644
--- a/debian/control
+++ b/debian/control
@@ -16,7 +16,7 @@ Build-Depends: debhelper (>= 8~),
 po-debconf,
 xmlto,
 Standards-Version: 3.9.8
-Vcs-Git: git://anonscm.debian.org/collab-maint/debian-security-support.git
+Vcs-Git: https://anonscm.debian.org/cgit/collab-maint/debian-security-support.git
 Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/debian-security-support.git
 
 Package: debian-security-support
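Review bot: After this change `Vcs-Git` and `Vcs-Browser` carry the identical `https://anonscm.debian.org/cgit/...` URL. Moving off unauthenticated `git://` is the right direction, but confirm that the cgit path is actually cloneable; if the host exposes a separate clone path, `Vcs-Git` should use that and leave the cgit URL to `Vcs-Browser`.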
diff --git a/security-support-ended.deb7 b/security-support-ended.deb7
index 49b4724..5cfd110 100644
--- a/security-support-ended.deb7
+++ b/security-support-ended.deb7
@@ -47,3 +47,8 @@ swift   1.4.8-2+deb7u1  2016-02-06  Not supported in Deb
 inspircd2.0.5-1+deb7u2  2016-09-13  Not supported in Debian LTS (https://lists.debian.org/debian-lts/2016/09/msg00052.html)
 matrixssl   1.8.8-1 2016-09-08  Not supported in Debian LTS (https://lists.debian.org/debian-lts/2016/09/msg00030.html)
 teeworlds   0.6.1+dfsg-12016-11-18  Games are not supported in Wheezy
+
+kfreebsd-8  8.3-6+deb7u12016-02-06  Not supported in Debian LTS
+kfreebsd-9  9.0-10+deb70.10 2016-02-06  Not supported in Debian LTS
+ioquake31.36+svn2287-1  2017-03-15  Not supported in Debian LTS (https://lists.debian.org/debian-lts/2017/03/msg00075.html)
+autotrace   0.31.1-16   2017-06-01  Not supported in Debian LTS (https://lists.debian.org/debian-lts/2017/05/msg00124.html)
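Review bot: The changelog says `Mark freebsd-* as unsupported in wheezy`, but the rows added here are `kfreebsd-8` and `kfreebsd-9`; align the changelog wording with the package names so a search for either finds the entry. The hunk also adds an empty line before the `kfreebsd-8` row, so check that whatever reads this file skips blank lines, or drop it.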
diff --git a/security-support-ended.deb8 b/security-support-ended.deb8
index ea00a26..8b8498a 100644
--- a/security-support-ended.deb8
+++ b/security-support-ended.deb8
@@ -13,3 +13,9 @@
 mediawiki1:1.19.20+dfsg-2.3  2016-04-26  https://www.debian.org/releases/jessie/amd64/release-notes/ch-information.html#mediawiki-security
 tomcat6  6.0.41-32016-12-31  https://lists.debian.org/debian-java/2016/01/msg00069.html
 virtualbox   4.3.36-dfsg-1+deb8u12016-10-25  https://lists.debian.org/debian-security-announce/2016/msg00280.html
+trn  3.6-23  2016-09-17  https://lists.debian.org/debian-announce/2016/msg8.html
+dotclear 2.6.4+dfsg-12017-01-14  https://lists.debian.org/debian-announce/2017/msg0.html
+sogo 2.2.9+git20141017-1 2017-01-14  https://lists.debian.org/debian-announce/2017/msg0.html
+cgiemail 1.6-37  2017-06-02  https://lists.debian.org/debian-announce/2017/msg2.html
+owncloud 7.0.4+dfsg-4~deb8u3 2017-06-

Bug#863471: RM: libvirt-sandbox/0.5.1+git20151113-3

2017-05-27 Thread Guido Günther
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

The current code would need updating to work with docker images and even
if we did that there are still bugs. We can ship via stretch-backports
once I've worked this out. This will be simpler than supporting this
version until the end of LTS.

Cheers
 -- Guido

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), 
(500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#858973: wheezy-pu: package ejabberd/2.1.10-4+deb7u2

2017-04-16 Thread Guido Günther
On Sun, Apr 16, 2017 at 04:44:22PM -0400, PICCORO McKAY Lenz wrote:
> does any other tested the package with real production clients?

Yes we did.
 -- Guido

> 
> i could test that but its better upgrade event use a unmaintained package..
> 
> some times ago i try to maintain that package but the debian process are a
> great obstacle!
> 
> today i used my own package and made track of the debian ...
> 
> Lenz McKAY Gerardo (PICCORO)
> http://qgqlochekone.blogspot.com
> 
> 2017-04-16 14:43 GMT-04:00 Markus Raab :
> 
> > Hello,
> >
> > Thanks for still maintaining wheezy.
> >
> > This security fix broke the N900 jabber (xmpp) client (included in Maemo).
> >
> > With 2.1.10-4+deb7u1 the N900 xmpp client was connecting without troubles,
> > since 2.1.10-4+deb7u2 it immediately fails with a "network error".
> >
> > I only wanted to mention the bug for reference, it is much more likely that
> > the problem is the unmaintained N900 xmpp client, and not the security fix.
> >
> > best regards,
> > Markus
> >
> >



Bug#858973: wheezy-pu: package ejabberd/2.1.10-4+deb7u2

2017-04-16 Thread Guido Günther
Hi Markus,
On Sun, Apr 16, 2017 at 08:43:36PM +0200, Markus Raab wrote:
> Hello,
> 
> Thanks for still maintaining wheezy.
> 
> This security fix broke the N900 jabber (xmpp) client (included in Maemo).
> 
> With 2.1.10-4+deb7u1 the N900 xmpp client was connecting without troubles, 
> since 2.1.10-4+deb7u2 it immediately fails with a "network error".
> 
> I only wanted to mention the bug for reference, it is much more likely that 
> the problem is the unmaintained N900 xmpp client, and not the security fix.

I think the reason is that the N900s telepathy-gabble doesn't support
any better than SSL 3.0 and that got disabled with the ejabberd
update. Can you report that to the Maemo folks? Maybe they can enable it
(they enabled it for other things like IMAP in the past).

Cheers,
 -- Guido



Bug#858028: jessie-pu: package libvirt/1.2.9-9+deb8u4

2017-03-19 Thread Guido Günther
On Sun, Mar 19, 2017 at 05:05:13PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Fri, 2017-03-17 at 15:10 +0100, Guido Günther wrote:
> > I'd like to update libvirt in jessie since the current one doesn't work
> > with recent QEMU 2.6 (as the one in backports). It needs a single patch
> > to not generate QEMU invocations that aren't understood by newer
> > QEMU.
> 
> Please go ahead.

Uploaded. Thanks a lot!
 -- Guido



Bug#858028: jessie-pu: package libvirt/1.2.9-9+deb8u4

2017-03-17 Thread Guido Günther
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,
I'd like to update libvirt in jessie since the current one doesn't work
with recent QEMU 2.6 (as the one in backports). It needs a single patch
to not generate QEMU invocations that aren't understood by newer
QEMU.

While at that unbreak test-suite compilation.

O.k. to upload to p-u?
Cheers,
 -- Guido

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), 
(500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 0c6761f61..021db6987 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+libvirt (1.2.9-9+deb8u4) jessie; urgency=medium
+
+  [ Guido Günther ]
+  * [7e378ce] Make sure the cgroup update notice is also shown in backports
+  * [bd11c4c] Unbreak compilation of qemuhelptest
+
+  [ Hilko Bengen ]
+  * [fffb132] Add patch to improve qemu v2.6+ compatibility (Closes: #841291)
+
+ -- Guido Günther <a...@sigxcpu.org>  Fri, 17 Mar 2017 14:53:44 +0100
+
 libvirt (1.2.9-9+deb8u3) jessie-security; urgency=high
 
   * [9da83d8] CVE-2016-5008: qemu: Let empty default VNC password work as
diff --git a/debian/libvirt-daemon.NEWS b/debian/libvirt-daemon.NEWS
index 823e8aaec..59bdd40a5 100644
--- a/debian/libvirt-daemon.NEWS
+++ b/debian/libvirt-daemon.NEWS
@@ -1,4 +1,4 @@
-libvirt (1.1.4-2) unstable; urgency=low
+libvirt (1.1.4-2~) unstable; urgency=low
 
   If you're using cgroups make sure you're using a different mount per cgroup
   controller (cpu, memory, ...) that is mounted to /sys/fs/cgroup/.
diff --git a/debian/patches/series b/debian/patches/series
index b30557ba3..7d8ea4851 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -34,3 +34,4 @@ upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
 security/CVE-2015-5313-storage-don-t-allow-in-filesystem-volu.patch
 debian/Debianize-bridge-helper-path.patch
 security/CVE-2016-5008-qemu-Let-empty-default-VNC-password-work-as.patch
+upstream/qemu-Specify-format-iff-disk-source-is-not-empty.patch
diff --git a/debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch b/debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
index 1f6dab730..2adc0dbfa 100644
--- a/debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
+++ b/debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
@@ -176,7 +176,7 @@ index 975edf3..271fddc 100644
  
  if (virQEMUCapsParseHelpStr("QEMU", help, flags,
 -, _kvm, _version, false) == -1)
-+, _kvm, _version, false, NULL) == -1) {
++, _kvm, _version, false, NULL) == -1)
  goto cleanup;
  
  # ifndef WITH_YAJL
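Review bot: the line being replaced in the virQEMUCapsParseHelpStr call ended in "== -1) {" with no closing brace before "goto cleanup;", so the previous revision of this patch would not compile in qemuhelptest. Build the test suite as part of the package build so that a hand-edited hunk inside a quilt patch fails at upload time rather than being found in a later stable update.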
diff --git a/debian/patches/upstream/qemu-Specify-format-iff-disk-source-is-not-empty.patch b/debian/patches/upstream/qemu-Specify-format-iff-disk-source-is-not-empty.patch
new file mode 100644
index 0..5738fab50
--- /dev/null
+++ b/debian/patches/upstream/qemu-Specify-format-iff-disk-source-is-not-empty.patch
@@ -0,0 +1,52 @@
+From: Michal Privoznik <mpriv...@redhat.com>
+Date: Mon, 28 Dec 2015 15:13:52 +0100
+Subject: qemu: Specify format= iff disk source is not empty
+
+Just recently, qemu forbade specifying format for sourceless
+disks (qemu commit 39c4ae941ed992a3bb5). It kind of makes sense.
+If there's no file to open, why specify its format. Anyway, I
+have a domain like this:
+
+
+  
+  
+  
+  
+
+
+and obviously I am unable to start it. Therefore, a fix on our
+side is needed too.
+
+Signed-off-by: Michal Privoznik <mpriv...@redhat.com>
+---
+ src/qemu/qemu_command.c | 10 +-
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
+index eb72451..755671d 100644
+--- a/src/qemu/qemu_command.c
 b/src/qemu/qemu_command.c
+@@ -3467,6 +3467,11 @@ qemuBuildDriveStr(virConnectPtr conn,
+ }
+ 
+ virBufferEscape(, ',', ",", "%s,", source);
++
++if (disk->src->format > 0 &&
++disk->src->type != VIR_STORAGE_TYPE_DIR)
++virBufferAsprintf(, "format=%s,",
++  virStorageFileFormatTypeToString(disk->src->format));
+ }
+ VIR_FREE(source);
+ 
+@@ -3527,11 +3532,6 @@ qemuBuildDriveStr(virConnectPtr conn,
+_("transient disks not suppo
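Review bot: the header of qemu-Specify-format-iff-disk-source-is-not-empty.patch carries From, Date, Subject and Signed-off-by but no upstream libvirt commit id or Origin field, so the backport cannot be matched against upstream from the patch alone. Add an Origin: or Upstream-Commit: line beside the existing reference to qemu commit 39c4ae941ed992a3bb5, which only identifies the QEMU side of the change.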

Bug#858019: unblock: libvirt/3.0.0-4

2017-03-17 Thread Guido Günther
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libvirt

It fixes a bug where we fail to detect emulators that don't implement
query-cpu-definitions QMP command like mips and others thus dropping
them completely from the list of available emulators.

It furthermore unbreaks using qemu-bridge-helper so e.g. installs with
gnome-boxes work with apparmor enabled.

(include/attach the debdiff against the package in testing)

unblock libvirt/3.0.0-4

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), 
(500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 253d0b172..cf68a1931 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+libvirt (3.0.0-4) unstable; urgency=medium
+
+  * [2a23b23] qemu: skip QMP probing of CPU definitions when missing.
+Don't probe CPU definitions if we lack the monitor command. This
+unbreaks e.g. mips based VMs. (Closes: #85412)
+  * [21bc332] apprarmor: unbreak lbvirt invoking qemu-bridge-helpers
+This makes VM creation in gnome-boxes work with apparmor enabled.
+
+ -- Guido Günther <a...@sigxcpu.org>  Fri, 17 Mar 2017 11:20:13 +0100
+
 libvirt (3.0.0-3) unstable; urgency=medium
 
   * [62ad289] Debianize virtlogd
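Review bot: the first entry says "(Closes: #85412)" while the header of qemu-skip-QMP-probing-of-CPU-definitions-when-missing.patch in the same debdiff says "Closes: #854125"; one of the two is wrong, and a wrong number in the changelog closes an unrelated bug on upload. The second entry also misspells apparmor and libvirt ("apprarmor", "lbvirt").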
diff --git a/debian/patches/apparmor-allow-usr-lib-qemu-qemu-bridge-helper.patch b/debian/patches/apparmor-allow-usr-lib-qemu-qemu-bridge-helper.patch
new file mode 100644
index 0..77691a526
--- /dev/null
+++ b/debian/patches/apparmor-allow-usr-lib-qemu-qemu-bridge-helper.patch
@@ -0,0 +1,31 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <a...@sigxcpu.org>
+Date: Thu, 16 Mar 2017 17:50:33 +0100
+Subject: apparmor: allow /usr/lib/qemu/qemu-bridge-helper
+
+This unbreaks e.g. gnome-boxes
+---
+ examples/apparmor/usr.sbin.libvirtd | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
+index c40930b..ef241a5 100644
+--- a/examples/apparmor/usr.sbin.libvirtd
 b/examples/apparmor/usr.sbin.libvirtd
+@@ -67,7 +67,7 @@
+   # allow changing to our UUID-based named profiles
+   change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+ 
+-  /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
++  /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
+   # child profile for bridge helper process
+   profile qemu_bridge_helper {
+#include 
+@@ -83,7 +83,7 @@
+/etc/qemu/** r,
+owner @{PROC}/*/status r,
+ 
+-   /usr/{lib,libexec}/qemu-bridge-helper rmix,
++   /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
+   }
+   
+   # Site-specific additions and overrides. See local/README for details.
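Review bot: both changed rules now also match /usr/lib64/qemu-bridge-helper, but the subject and description only name /usr/lib/qemu/qemu-bridge-helper. Since the first rule grants a Cx transition into the qemu_bridge_helper child profile, say in the description why lib64 is included (or drop it), and add a Forwarded: line so it is clear whether upstream's example profile gets the same change.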
diff --git a/debian/patches/qemu-skip-QMP-probing-of-CPU-definitions-when-missing.patch b/debian/patches/qemu-skip-QMP-probing-of-CPU-definitions-when-missing.patch
new file mode 100644
index 0..85fd5b88f
--- /dev/null
+++ b/debian/patches/qemu-skip-QMP-probing-of-CPU-definitions-when-missing.patch
@@ -0,0 +1,1053 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <a...@sigxcpu.org>
+Date: Thu, 16 Mar 2017 09:19:02 +0100
+Subject: qemu: skip QMP probing of CPU definitions when missing
+
+This unbreaks emulators that don't support this command such as
+qemu-system-mips*.
+
+Closes: #854125
+---
+ src/qemu/qemu_capabilities.c   |   5 +
+ src/qemu/qemu_capabilities.h   |   1 +
+ tests/qemucapabilitiesdata/caps_1.2.2.x86_64.xml   |   1 +
+ tests/qemucapabilitiesdata/caps_1.3.1.x86_64.xml   |   1 +
+ tests/qemucapabilitiesdata/caps_1.4.2.x86_64.xml   |   1 +
+ tests/qemucapabilitiesdata/caps_1.5.3.x86_64.xml   |   1 +
+ tests/qemucapabilitiesdata/caps_1.6.0.x86_64.xml   |   1 +
+ tests/qemucapabilitiesdata/caps_1.7.0.x86_64.xml   |   1 +
+ tests/qemucapabilitiesdata/caps_2.1.1.x86_64.xml   |   1 +
+ tests/qemucapabilitiesdata/caps_2.4.0.x86_64.xml   |   1 +
+ tests/qemucapabilitiesdata/caps_2.5.0.x86_64.xml   |   1 +
+ .../caps_2.6.0-gicv2.aarch64.xml   |   1 +
+ .../caps_2.6.0-gicv3.aarch64.xml   |   1 +
+ tests/qemucapabilitiesdata/caps_2.6.0.ppc64le.xml  |   1 +
+ tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml   |   1 +
+ tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml|   1 +
+ tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml   |   1 +
+ tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml|   1 +
+ tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml   |   1 +
+ tests/qemucapabilitie
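Review bot: the description does not say that, of the 1053 lines this patch adds to debian/patches, the functional change is the 5 lines in src/qemu/qemu_capabilities.c and 1 line in src/qemu/qemu_capabilities.h, with the rest of the diffstat being one-line additions to the capability test data. State that in the header, together with the upstream commit or Forwarded: status, so a freeze reviewer knows which part needs reading.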

Bug#857854: unblock: osinfo-db/0.20170225-1

2017-03-15 Thread Guido Günther
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package osinfo-db

it contains updated information for recent linux distributions and other
operating systems (so we detect these properly in virt-manager,
gnome-boxes, ...)  as well as a fix for the license information.

We will (if the srm approve) have more of these updates during point
releases to have support for newer operating system releases.

unblock osinfo-db/0.20170225-1

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), 
(500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#857764: RM: sapgui-package/0.0.10+nmu1

2017-03-14 Thread Guido Günther
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

I don't have means to test the package atm and I doubt it's working at
all (see #56726).
Cheers,
 -- Guido

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), 
(500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#856340: unblock: libvirt/3.0.0-3

2017-02-27 Thread Guido Günther
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libvirt

It fixes one CVE using the upstream commit and one RHism in the unit file
of virtlogd grabbing the configuration from /etc/sysconfig/virtlogd
instead of /etc/default/virtlogd.
Cheers,
 -- Guido

unblock libvirt/3.0.0-3

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), 
(500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 31b53b902..253d0b172 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libvirt (3.0.0-3) unstable; urgency=medium
+
+  * [62ad289] Debianize virtlogd
+  * [cb216b5] CVE-2017-2635: qemu: Don't update physical storage size of empty drives
+(Closes: #856313)
+
+ -- Guido Günther <a...@sigxcpu.org>  Mon, 27 Feb 2017 20:07:41 +0100
+
 libvirt (3.0.0-2) unstable; urgency=medium
 
   * Upload to unstable
diff --git a/debian/patches/CVE-2017-2635-qemu-Don-t-update-physical-storage-size-of-.patch b/debian/patches/CVE-2017-2635-qemu-Don-t-update-physical-storage-size-of-.patch
new file mode 100644
index 0..7040d757b
--- /dev/null
+++ b/debian/patches/CVE-2017-2635-qemu-Don-t-update-physical-storage-size-of-.patch
@@ -0,0 +1,33 @@
+From: Peter Krempa <pkre...@redhat.com>
+Date: Thu, 23 Feb 2017 10:07:30 +0100
+Subject: CVE-2017-2635: qemu: Don't update physical storage size of empty
+ drives
+
+Previously the code called virStorageSourceUpdateBlockPhysicalSize which
+did not do anything on empty drives since it worked only on block
+devices. After the refactor in c5f6151390 it's called for all devices
+and thus attempts to deref the NULL path of empty drives.
+
+Add a check that skips the update of the physical size if the storage
+source is empty.
+
+Upstream-Commit: c3de387380f6057ee0e46cd9f2f0a092e8070875
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1420718
+---
+ src/qemu/qemu_driver.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index d4422f3..2bb5906 100644
+--- a/src/qemu/qemu_driver.c
 b/src/qemu/qemu_driver.c
+@@ -11644,6 +11644,9 @@ qemuDomainStorageUpdatePhysical(virQEMUDriverPtr driver,
+ int fd = -1;
+ struct stat sb;
+ 
++if (virStorageSourceIsEmpty(src))
++return 0;
++
+ if (qemuDomainStorageOpenStat(driver, cfg, vm, src, , ) < 0)
+ return -1;
+ 
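Review bot: the new virStorageSourceIsEmpty(src) early return in qemuDomainStorageUpdatePhysical comes with no test; the diffstat touches only src/qemu/qemu_driver.c, so the empty-drive case that led to the NULL path dereference stays unexercised. A regression test with an empty drive would keep a later refactor from reintroducing it. Note too that "return 0" reports success without updating the physical size, which is worth a one-line comment at the check.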
diff --git a/debian/patches/debian/Debianize-virtlogd.patch b/debian/patches/debian/Debianize-virtlogd.patch
new file mode 100644
index 0..ce0d98c88
--- /dev/null
+++ b/debian/patches/debian/Debianize-virtlogd.patch
@@ -0,0 +1,21 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <a...@sigxcpu.org>
+Date: Fri, 3 Feb 2017 13:23:22 +0100
+Subject: Debianize virtlogd
+
+---
+ src/logging/virtlogd.service.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/logging/virtlogd.service.in b/src/logging/virtlogd.service.in
+index 09e0740..87ac468 100644
+--- a/src/logging/virtlogd.service.in
 b/src/logging/virtlogd.service.in
+@@ -6,7 +6,7 @@ Documentation=man:virtlogd(8)
+ Documentation=http://libvirt.org
+ 
+ [Service]
+-EnvironmentFile=-/etc/sysconfig/virtlogd
++EnvironmentFile=-/etc/default/virtlogd
+ ExecStart=@sbindir@/virtlogd $VIRTLOGD_ARGS
+ ExecReload=/bin/kill -USR1 $MAINPID
+ # Loosing the logs is a really bad thing that will
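Review bot: the patch has an empty description; state that it switches the unit's EnvironmentFile from the Red Hat style /etc/sysconfig/virtlogd to Debian's /etc/default/virtlogd, and add "Forwarded: not-needed" if that is the intent. The leading "-" on EnvironmentFile makes a missing file non-fatal, so also confirm the package ships or documents /etc/default/virtlogd, otherwise users get no hint where VIRTLOGD_ARGS is meant to be set.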
diff --git a/debian/patches/series b/debian/patches/series
index 462605e4f..a5eeda373 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -18,3 +18,5 @@ Pass-GPG_TTY-env-var-to-the-ssh-binary.patch
 openpty-Skip-test-if-no-pty-is-available.patch
 test-posix_openpt-don-t-fail-on-EACCESS.patch
 Disable-use-of-namespaces-by-default.patch
+debian/Debianize-virtlogd.patch
+CVE-2017-2635-qemu-Don-t-update-physical-storage-size-of-.patch


Bug#854827: Re: Bug#854827: unblock: gtk-vnc/0.6.0-3

2017-02-20 Thread Guido Günther
Hi Niels,
On Mon, Feb 20, 2017 at 07:27:00PM +, Niels Thykier wrote:
> Niels Thykier:
> > Guido Günther:
> >> Package: release.debian.org
> >> Severity: normal
> >> User: release.debian@packages.debian.org
> >> Usertags: unblock
> >>
> >> Please unblock package gtk-vnc
> >>
> >> It fixes CVE-2017-5885 and CVE-2017-5884. There's more noise in the diff
> >> than there should be since I wanted to bring patches into a more
> >> git-format-patch compatible layout. The diff is probably easier to read
> >> here:
> >>
> >>   https://anonscm.debian.org/cgit/pkg-libvirt/gtk-vnc.git/log/
> >>
> >> unblock gtk-vnc/0.6.0-3
> >>
> >> [...]
> > 
> > Unblocked, thanks.
> > 
> > ~Niels
> > 
> 
> Hi,
> 
> This upload caused FTBFS regressions and cannot migrate in its current
> state (despite my previous unblock hint).  Please review and solve the
> build issues.

Yeah, I noticed but couldn't reproduce the FTBFS locally. I'll give it
another whirl in a couple of days.
 -- Guido



Bug#854827: unblock: gtk-vnc/0.6.0-3

2017-02-10 Thread Guido Günther
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package gtk-vnc

It fixes CVE-2017-5885 and CVE-2017-5884. There's more noise in the diff
than there should be since I wanted to bring patches into a more
git-format-patch compatible layout. The diff is probably easier to read
here:

  https://anonscm.debian.org/cgit/pkg-libvirt/gtk-vnc.git/log/

unblock gtk-vnc/0.6.0-3

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), 
(500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 8698ecc..28203ee 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+gtk-vnc (0.6.0-3) unstable; urgency=medium
+
+  * [b8d9918] CVE-2017-5884: Fix bounds checking for RRE, hextile & copyrect
+encodings
+  * [ca87ace] CVE-2017-5885: Correctly validate color map range indexes
+(Closes: #854450)
+  * [0e71020] Link against GIO_LIBS explicitly to fix build failure
+  * [7d3fdde] Rediff patches to make them more git-format-patch compatible
+
+ -- Guido Günther <a...@sigxcpu.org>  Fri, 10 Feb 2017 14:20:29 +0100
+
 gtk-vnc (0.6.0-2) unstable; urgency=medium
 
   * Team upload.
diff --git a/debian/patches/Add-I-m4-to-Makefile.am.patch b/debian/patches/Add-I-m4-to-Makefile.am.patch
new file mode 100644
index 000..8d44369
--- /dev/null
+++ b/debian/patches/Add-I-m4-to-Makefile.am.patch
@@ -0,0 +1,19 @@
+From: Joao Eriberto Mota Filho <eribe...@debian.org>
+Date: Fri, 10 Feb 2017 10:22:10 +0100
+Subject: Add -I m4 to Makefile.am
+
+---
+ Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 69d1f50..dabb899 100644
+--- a/Makefile.am
 b/Makefile.am
+@@ -1,5 +1,5 @@
+ SUBDIRS = src tools examples po vapi
+-ACLOCAL_AMFLAGS = ${ACLOCAL_FLAGS}
++ACLOCAL_AMFLAGS = ${ACLOCAL_FLAGS} -I m4
+ 
+ pkgconfig_DATA = $(PACKAGE)-$(GTK_VNC_API_VERSION).pc gvnc-1.0.pc
+ pkgconfigdir = $(libdir)/pkgconfig
diff --git a/debian/patches/Add-m4.patch b/debian/patches/Add-m4.patch
deleted file mode 100644
index c5bdca4..000
--- a/debian/patches/Add-m4.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Description: add -I m4 to Makefile.am
-Author: Joao Eriberto Mota Filho <eribe...@debian.org>
-Last-Update: 2017-01-08
 gtk-vnc-0.6.0.orig/Makefile.am
-+++ gtk-vnc-0.6.0/Makefile.am
-@@ -1,5 +1,5 @@
- SUBDIRS = src tools examples po vapi
--ACLOCAL_AMFLAGS = ${ACLOCAL_FLAGS}
-+ACLOCAL_AMFLAGS = ${ACLOCAL_FLAGS} -I m4
- 
- pkgconfig_DATA = $(PACKAGE)-$(GTK_VNC_API_VERSION).pc gvnc-1.0.pc
- pkgconfigdir = $(libdir)/pkgconfig
diff --git a/debian/patches/Link-against-GIO_LIBS-explicitly.patch b/debian/patches/Link-against-GIO_LIBS-explicitly.patch
new file mode 100644
index 000..d962eb4
--- /dev/null
+++ b/debian/patches/Link-against-GIO_LIBS-explicitly.patch
@@ -0,0 +1,31 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <a...@sigxcpu.org>
+Date: Fri, 10 Feb 2017 13:16:26 +0100
+Subject: Link against GIO_LIBS explicitly
+
+to avoid
+
+libtool: link: gcc -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include -g -O2 -fdebug-prefix-map=/build/gtk-vnc-0.6.0=. -fstack-protector-strong -Wformat -Werror=format-security -Wl,-z -Wl,relro
+ -Wl,-z -Wl,now -o .libs/vncconnectiontest vncconnectiontest-vncconnectiontest.o  ./.libs/libgvnc-1.0.so -lz -pthread
+/usr/bin/ld: vncconnectiontest-vncconnectiontest.o: undefined reference to symbol 'g_io_stream_get_output_stream'
+//usr/lib/x86_64-linux-gnu/libgio-2.0.so.0: error adding symbols: DSO missing from command line
+
+Also make the use of *_CFLAGS and *_LIBS match.
+---
+ src/Makefile.am | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index f7c1d9d..8bc9085 100644
+--- a/src/Makefile.am
 b/src/Makefile.am
+@@ -317,8 +317,8 @@ BUILT_SOURCES += $(MARSHAL_FILES) $(ENUM_FILES)
+ CLEANFILES = $(MARSHAL_FILES) $(ENUM_FILES)
+ 
+ vncconnectiontest_SOURCES = vncconnectiontest.c
+-vncconnectiontest_CFLAGS = $(GOBJECT_CFLAGS)
+-vncconnectiontest_LDADD = libgvnc-1.0.la
++vncconnectiontest_CFLAGS = $(GOBJECT_CFLAGS) $(GIO_CLFAGS)
++vncconnectiontest_LDADD = libgvnc-1.0.la $(GOBJECT_LIBS) $(GIO_LIBS)
+ 
+ if WITH_PYTHON
+ pyexec_LTLIBRARIES = gtkvnc.la
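Review bot: "$(GIO_CLFAGS)" in the new vncconnectiontest_CFLAGS line is a misspelling of GIO_CFLAGS. Make expands an undefined variable to nothing, so the test is still compiled without the GIO compile flags even though the description says the *_CFLAGS and *_LIBS usage should match. Change it to $(GIO_CFLAGS), presumably the variable defined alongside the GIO_LIBS used on the next line.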
diff --git a/debian/patches/Remove-GNUmakefile-links.patch b/debian/patches/Remove-GNUmakefile-links.patch
index e35e3b9..a25c47f 100644
--- a/debian/patches/Remove-GNUmakefile-links.patch
+++ b/debian/patches/Remove-GNUmakefile-links.patch
@@ -9,10 +9,10 @@ since it breaks the out of tree build
  2

Bug#854337: unblock: git-buildpackage/0.8.12.1

2017-02-06 Thread Guido Günther
control: tag -1 moreinfo

Hi Jonathan,
On Mon, Feb 06, 2017 at 01:57:09PM +, Jonathan Wiltshire wrote:
> Control: tag -1 confirmed moreinfo
> 
> Hi,
> 
> On 2017-02-06 07:43, Guido Günther wrote:
> > It would be great if gbp could be unblocked (and just handled as if it
> > would have been uploaded 1 day earlier). This would make it possible for
> > me to fix #854333 and other things coming up during the freeze as
> > targeted fixes (otherwise I'd have to somehow revert to 0.8.10 in sid).
> 
> I'll trade you it for the fix for #854333; then I can deal with only one
> unblock request and not another in a few days time.
> 
> Please upload a fix for that bug to unstable, as you would normally, and
> update this bug removing moreinfo. I'll unblock the whole lot.

Deal. Uploaded to unstable. Thanks a lot!
 -- Guido



Bug#854337: unblock: git-buildpackage/0.8.12.1

2017-02-05 Thread Guido Günther
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package git-buildpackage

This is basically an "I'm 1 day late" request:

  $ grep-excuses git-buildpackage
  git-buildpackage (0.8.10 to 0.8.12.1)
  Maintainer: Guido Günther
  Too young, only 9 of 10 days old
  Piuparts tested OK - 
https://piuparts.debian.org/sid/source/g/git-buildpackage.html
  Not considered

It would be great if gbp could be unblocked (and just handled as if it
would have been uploaded 1 day earlier). This would make it possible for
me to fix #854333 and other things coming up during the freeze as
targeted fixes (otherwise I'd have to somehow revert to 0.8.10 in sid).

unblock git-buildpackage/0.8.12.1

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), 
(500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#854177: unblock: libvirt-python/3.0.0-2

2017-02-04 Thread Guido Günther
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libvirt-python

This version matches the libvirt version in testing and fixes the FTBFS
which is caused by the version currently in stretch not knowing about
all of libvirt's symbols.

unblock libvirt-python/3.0.0-2

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), 
(500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#824872: jessie-pu: package nspr/2:4.12-2+deb8u1

2016-12-24 Thread Guido Günther
Hi Julien,
On Sat, Dec 17, 2016 at 11:03:12AM +0100, Julien Cristau wrote:
> On Tue, Jun 28, 2016 at 12:38:15 +0200, Guido Günther wrote:
> 
> > Hi Julien,
> > On Tue, Jun 28, 2016 at 11:46:06AM +0200, Julien Cristau wrote:
> > > On Sun, May 29, 2016 at 14:58:51 +0200, Guido Günther wrote:
> > > 
> > > > Upstream has an internal test suite which we enabled for the package
> > > > builds in nspr as well as nss (+ some autopkg smoke test in nss
> > > > itself). However I don't know as to what extent ABI compatibility is
> > > > tested upstream. Hopefully Mike (cc:) may have some input on this.
> > > > 
> > > > In order to get some ideas about ABI compatibility myself I ran
> > > > abi-compliance-tester. The results for both NSS and NSPR are also
> > > > attached. We would do that on all point release updates.
> > > > 
> > > > Note that the only (as to my understanding) serious regression has been
> > > > pointed out by Florian as well:
> > > > 
> > > > https://lists.debian.org/debian-lts/2015/11/msg00037.html
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=1260698
> > > > 
> > > > and it's unclear if this is part of the ABI. The API break (removal of
> > > > CERT_FindCertURLExtension) is bogus since the symbol was not exported.
> > > > 
> > > I don't understand why you seem to be talking about ABI stability
> > > issues.  There are other kinds of bugs.
> > 
> > The "other kind of bugs" were the reason why I enabled the test suites
> > in nss/nspr and started to add some autopkg tests. What else would you
> > expect?
> > 
> > We could also add (and run) autopkg tests for reverse dependencies of
> > nss/nspr over time.
> 
> How many of the nss/nspr reverse dependencies in stable have meaningful
> autopkgtests?  Overall my confidence in our QA abilities for stable
> updates is pretty low, so I'm not wild about routinely upgrading
> libraries to major new versions.  Regressions in stable point releases
> that need follow-on fixes are a major PITA.

Some of the packages have autopkgtests but at least the bigger ones I
looked at (389-ds, ceph, icedove and firefox) don't have coverage in that
area but I think it's a chicken and egg problem. Some of the packages
have internal test suites which could be used to gain confidence. And
having icedove and firefox not switch to embedded copy soon after a
release would also help to detect breakage.

I'm not advocating to pick up _every_ new upstream version by all
means but some of the security fixes are not doable in years old
versions and having stable-proposed-updates gives the packages at least
some exposure that is not available for packages going via security
master (like the recent nss 3.26).

Cheers,
 -- Guido



Bug#824872: jessie-pu: package nspr/2:4.12-2+deb8u1

2016-06-28 Thread Guido Günther
Hi Julien,
On Tue, Jun 28, 2016 at 11:46:06AM +0200, Julien Cristau wrote:
> On Sun, May 29, 2016 at 14:58:51 +0200, Guido Günther wrote:
> 
> > Upstream has an internal test suite which we enabled for the package
> > builds in nspr as well as nss (+ some autopkg smoke test in nss
> > itself). However I don't know as to what extent ABI compatibility is
> > tested upstream. Hopefully Mike (cc:) may have some input on this.
> > 
> > In order to get some ideas about ABI compatibility myself I ran
> > abi-compliance-tester. The results for both NSS and NSPR are also
> > attached. We would do that on all point release updates.
> > 
> > Note that the only (as to my understanding) serious regression has been
> > pointed out by Florian as well:
> > 
> > https://lists.debian.org/debian-lts/2015/11/msg00037.html
> > https://bugzilla.redhat.com/show_bug.cgi?id=1260698
> > 
> > and it's unclear if this is part of the ABI. The API break (removal of
> > CERT_FindCertURLExtension) is bogus since the symbol was not exported.
> > 
> I don't understand why you seem to be talking about ABI stability
> issues.  There are other kinds of bugs.

The "other kind of bugs" were the reason why I enabled the test suites
in nss/nspr and started to add some autopkg tests. What else would you
expect?

We could also add (and run) autopkg tests for reverse dependencies of
nss/nspr over time.

Cheers,
 -- Guido



Bug#824872: jessie-pu: package nspr/2:4.12-2+deb8u1

2016-05-30 Thread Guido Günther
Hi,
On Sun, May 29, 2016 at 06:15:06PM +0200, Florian Weimer wrote:
> * Guido Günther:
> 
> > Note that the only (as to my understanding) serious regression has been
> > pointed out by Florian as well:
> >
> > https://lists.debian.org/debian-lts/2015/11/msg00037.html
> > https://bugzilla.redhat.com/show_bug.cgi?id=1260698
> >
> > and it's unclear if this is part of the ABI.
> 
> The practical impact seems pretty low.
> 
> There is another ABI issue:
> 
>   https://bugzilla.mozilla.org/show_bug.cgi?id=1247021
> 
> But I think we are rebasing past the introduction of this struct and
> its change, so it wouldn't impact Debian stable.

…the bug is a nice example how this is handled upstream (and that we
wouldn't be alone tracking/fixing these regressions). Overall I'd feel
more certain to fix these than to backport large invasive patches in
order to fix CVE-2015-4000, CVE-2014-3566 and friends. Especially since
we have abi-compliance-checker.

Cheers,
 -- Guido



Bug#824872: jessie-pu: package nspr/2:4.12-2+deb8u1

2016-05-20 Thread Guido Günther
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,
as put out in more detail in

  https://lists.debian.org/debian-release/2016/02/msg00753.html

we discussed in the LTS and security team the possibility to use the
same NSS and NSPR upstream version in all suites to be able to handle
things like CVE-2014-3566 and CVE-2015-4000 in a consistent manner.

I'd like to propose this here again via a bug report so we have easier
means of tracking/tagging. Would it be o.k. with the release team to update
nss/nspr to the versions currently in sid/testing and continue to do so
from here on? If it works out for jessie we'll do the same in LTS via
wheezy-security.
In order to increase confidence in the backports I've enabled the
internal testsuites in nspr and nss.

If this is o.k. I'm happy to attach debdiffs and provide a matching bug
for nss as well.

Cheers,
 -- Guido

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), 
(500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#819362: wheezy-pu: package gtk+3.0/3.4.2-7+deb7u1

2016-04-15 Thread Guido Günther
On Wed, Apr 13, 2016 at 09:28:10PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sun, 2016-03-27 at 17:15 +0200, Guido Günther wrote:
> > I'd like to update gtk+3.0 in wheezy to fix CVE-2013-7447.patch with the
> > attached debdiff. Wheezy is currently the only unfixed gtk+3.0 version.
> 
> Please go ahead.

Uploaded. Thanks!
 -- Guido



Bug#819362: wheezy-pu: package gtk+3.0/3.4.2-7+deb7u1

2016-03-27 Thread Guido Günther
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu

Hi,
I'd like to update gtk+3.0 in wheezy to fix CVE-2013-7447.patch with the
attached debdiff. Wheezy is currently the only unfixed gtk+3.0 version.

Cheers,
 -- Guido

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), 
(500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 999a883..37c3d67 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+gtk+3.0 (3.4.2-7+deb7u1) oldstable-proposed-updates; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2013-7447.patch: Avoid integer overflow when allocating a large block
+of memory in gdk_cairo_set_source_pixbuf (Closes: #818090)
+
+ -- Guido Günther <a...@sigxcpu.org>  Sun, 13 Mar 2016 16:22:28 +0100
+
 gtk+3.0 (3.4.2-7) stable; urgency=low
 
   [ Raphaël Geissert ]
diff --git a/debian/patches/CVE-2013-7447.patch 
b/debian/patches/CVE-2013-7447.patch
new file mode 100644
index 000..cb851a2
--- /dev/null
+++ b/debian/patches/CVE-2013-7447.patch
@@ -0,0 +1,24 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <a...@sigxcpu.org>
+Date: Sun, 13 Mar 2016 15:38:37 +0100
+Subject: CVE-2013-7447
+
+Cherry-pick of upstream commit
+
+https://git.gnome.org/browse/gtk+/commit?id=894b1ae76a32720f4bb3d39cf460402e3ce331d6
+---
+ gdk/gdkcairo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gdk/gdkcairo.c b/gdk/gdkcairo.c
+index 19bed04..2e1d8dc 100644
+--- a/gdk/gdkcairo.c
 b/gdk/gdkcairo.c
+@@ -213,7 +213,7 @@ gdk_cairo_set_source_pixbuf (cairo_t *cr,
+ format = CAIRO_FORMAT_ARGB32;
+ 
+   cairo_stride = cairo_format_stride_for_width (format, width);
+-  cairo_pixels = g_malloc (height * cairo_stride);
++  cairo_pixels = g_malloc_n (height, cairo_stride);
+   surface = cairo_image_surface_create_for_data ((unsigned char 
*)cairo_pixels,
+  format,
+  width, height, cairo_stride);
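Review bot: in the `gdk_cairo_set_source_pixbuf` hunk, `cairo_stride` still reaches the allocation unchecked, and `cairo_format_stride_for_width` returns -1 when the width is too large for the format, so a negative stride can be passed to `g_malloc_n (height, cairo_stride)`. Consider rejecting `cairo_stride < 0` before allocating. Also note that `g_malloc_n` aborts the process when the multiplication overflows rather than returning NULL, so an oversized pixbuf now ends in an abort instead of an undersized buffer; if callers are expected to survive such input, `g_try_malloc_n` with an error path would be needed. The embedded patch header carries only `Subject: CVE-2013-7447` and the upstream commit URL; a one-line description of the overflow would help later readers.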
diff --git a/debian/patches/series b/debian/patches/series
index e9942cf..866e6e9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,3 +15,4 @@
 074_try-harder-to-discriminate-Shift-F10-and-F10.patch
 075_gtkplug-fix-handling-of-key-events-for-layouts.patch
 076_check_wm_supports_hint.patch
+CVE-2013-7447.patch


Bug#817015: jessie-pu: package libvirt/1.2.9-9+deb8u1

2016-03-25 Thread Guido Günther
Hi,
On Fri, Mar 25, 2016 at 02:58:13PM +0100, Philipp Matthias Hahn wrote:
[..snip..]
> I started working on libvirt from wheezy-backports, where the test suite
> is not yet disabled. Maybe I run the build as root in some VM, where a
> different set of tests are executed.
> 
> I re-run the build in a new jessie-pbuilder environment as non-root and
> it works there, so the FTBFS patches are not needed for now.

Great, so we're on the safe side for jessie.

> But you will have to fix them some time if you want to re-enable
> running test ests.

We will need to fix libxml first.

> 
> > > diff -Nru 
> > > libvirt-1.2.9/debian/patches/Disable-failing-virnetsockettest.patch 
> > > libvirt-1.2.9/debian/patches/Disable-failing-virnetsockettest.patch
> > > --- libvirt-1.2.9/debian/patches/Disable-failing-virnetsockettest.patch   
> > > 2015-08-24 16:20:54.0 +0200
> > > +++ libvirt-1.2.9/debian/patches/Disable-failing-virnetsockettest.patch   
> > > 2016-03-04 14:47:12.0 +0100
> > > @@ -7,11 +7,25 @@
> > >   tests/virnetsockettest.c | 2 ++
> > >   1 file changed, 2 insertions(+)
> > >  
> > > -diff --git a/tests/virnetsockettest.c b/tests/virnetsockettest.c
> > > -index 5d91f26..1f283a3 100644
> > >  --- a/tests/virnetsockettest.c
> > >  +++ b/tests/virnetsockettest.c
> > > -@@ -501,10 +501,12 @@ mymain(void)
> > > +@@ -333,6 +333,7 @@ static int testSocketUNIXAddrs(const voi
> > > + return ret;
> > > + }
> > > + 
> > > ++#if 0
> > > + static int testSocketCommandNormal(const void *data ATTRIBUTE_UNUSED)
> > > + {
> > > + virNetSocketPtr csock = NULL; /* Client socket */
> > > +@@ -383,6 +384,7 @@ static int testSocketCommandFail(const v
> > > + virObjectUnref(csock);
> > > + return ret;
> > > + }
> > > ++#endif
> > 
> > Why did you disable this one?
> 
> The calling site is disabled by
> debian/patches/Disable-failing-virnetsockettest.patch, but the functions
> are still defined. After running autoreconf gcc complains about defined
> but unused functions.
> My patch also puts the function definitions in a conditional block to
> fix that issue.

O.k. since I'd rather not introduce autoreconf for the stable release we
can skip this one (dh_autoreconf defaults to on in sid already).

> > > diff -Nru libvirt-1.2.9/debian/patches/series 
> > > libvirt-1.2.9/debian/patches/series
> > > --- libvirt-1.2.9/debian/patches/series   2015-08-24 16:20:54.0 
> > > +0200
> > > +++ libvirt-1.2.9/debian/patches/series   2016-03-05 08:18:07.0 
> > > +0100
> > > @@ -31,3 +31,5 @@
> > >  Allow-access-to-libnl-3-config-files.patch
> > >  Fix-crash-on-live-migration.patch
> > >  upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
> > > +security/CVE-2015-5313-storage-don-t-allow-in-filesystem-volu.patch
> > > +debian/Debianize-bridge-helper-path.patch
> > > diff -Nru 
> > > libvirt-1.2.9/debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
> > >  
> > > libvirt-1.2.9/debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
> > > --- 
> > > libvirt-1.2.9/debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
> > >   2015-08-24 16:20:54.0 +0200
> > > +++ 
> > > libvirt-1.2.9/debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
> > >   2016-03-04 14:47:12.0 +0100
> > > @@ -176,7 +176,7 @@
> > >   
> > >   if (virQEMUCapsParseHelpStr("QEMU", help, flags,
> > >  -, _kvm, _version, false) 
> > > == -1)
> > > -+, _kvm, _version, false, 
> > > NULL) == -1) {
> > > ++, _kvm, _version, false, 
> > > NULL) == -1)
> > >   goto cleanup;
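Review bot: the only change in this hunk is dropping the stray `{` after `NULL) == -1)`, and it is made inside a patch that lives under `upstream/`. Editing an upstream-labelled patch in place makes it differ from the upstream commit it claims to be, so note the deviation in that patch's header or carry the brace fix as a separate patch.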
> > 
> > I wonder why this one changed as well.
> 
> 
> # tail -n 12 
> debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
>  
> | index 975edf3..271fddc 100644
> | --- a/tests/qemuhelptest.c
> | +++ b/tests/qemuhelptest.c
> | @@ -58,7 +58,7 @@ static int testHelpStrParsing(const void *data)
> |  goto cleanup;
> |  
> |  if (virQEMUCapsParseHelpStr("QEMU", help, flags,
> | -, _kvm, _version, false) == 
> -1)
> | +, _kvm, _version, false, 
> NULL) == -1) {
> |  goto cleanup;

This one will manifest in the Wheezy backports then, I'll cp it when
preparing the update.

[..snip..]

> 
> 
> How to proceed from here: Are you going to upload your version or should
> I redo my work and do the upload?

I picked your patches and uploaded the package (to hopefully meet the
deadline for the point release this weekend).

I've also added your README.Debian improvements to the debian/sid branch
in git. Thanks a lot for your patches!

Cheers,
 -- Guido



Bug#817015: jessie-pu: package libvirt/1.2.9-9+deb8u1

2016-03-25 Thread Guido Günther
On Fri, Mar 25, 2016 at 11:02:35AM +0100, Guido Günther wrote:
> Hi Philipp,
> 
> thanks for looking into this!
> 
> On Thu, Mar 24, 2016 at 05:51:21PM +0100, Philipp Hahn wrote:
> > diff -Nru libvirt-1.2.9/debian/changelog libvirt-1.2.9/debian/changelog
> > --- libvirt-1.2.9/debian/changelog  2015-08-26 08:34:22.0 +0200
> > +++ libvirt-1.2.9/debian/changelog  2016-03-05 08:18:07.0 +0100
> > @@ -1,3 +1,13 @@
> > +libvirt (1.2.9-9+deb8u2) jessie; urgency=medium
> > +
> > +  * Non-maintainer upload.
> > +  * Fix CVE-2015-5313 (Closes: #808273)
> > +  * libvirt-daemon: Expects qemu-bridge-helper in /usr/libexec/
> > +(Closes: #816602)
> > +  * Fix several FTBFS errors
> 
> Could you elaborate on the FTBFS errors? I just rebuilt the current
> jessie version without any changes so "Fix several FTBFS errors" sounds
> very vague and exaggerated. We already had a point release in Jessie so
> I wonder how these would get introduced?
> 
> > +
> > + -- Philipp Matthias Hahn <pmh...@debian.org>  Fri, 04 Mar 2016 12:01:36 
> > +0100
> > +
> >  libvirt (1.2.9-9+deb8u1) jessie; urgency=medium
> >  
> >[ Guido Günther ]
> > diff -Nru libvirt-1.2.9/debian/control libvirt-1.2.9/debian/control
> > --- libvirt-1.2.9/debian/control2015-08-24 16:20:54.0 +0200
> > +++ libvirt-1.2.9/debian/control2016-03-04 13:42:30.0 +0100
> > @@ -5,6 +5,7 @@
> >  Uploaders: Guido Günther <a...@sigxcpu.org>, Laurent Léonard 
> > <laur...@open-minds.org>
> >  Build-Depends:
> >   debhelper (>= 7),
> > + dh-autoreconf,
> >   dh-systemd (>= 1.18~),
> >   libxml2-dev,
> >   libncurses5-dev,
> > diff -Nru 
> > libvirt-1.2.9/debian/patches/debian/Debianize-bridge-helper-path.patch 
> > libvirt-1.2.9/debian/patches/debian/Debianize-bridge-helper-path.patch
> > --- libvirt-1.2.9/debian/patches/debian/Debianize-bridge-helper-path.patch  
> > 1970-01-01 01:00:00.0 +0100
> > +++ libvirt-1.2.9/debian/patches/debian/Debianize-bridge-helper-path.patch  
> > 2016-03-05 08:18:07.0 +0100
> > @@ -0,0 +1,42 @@
> > +libvirt-daemon: Expects qemu-bridge-helper in /usr/libexec/
> > +
> > +$ strings /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so | grep 
> > bridge-helper
> > +/usr/libexec/qemu-bridge-helper
> > +
> > +$ dpkg -S bridge-helper
> > +qemu-system-common: /usr/lib/qemu/qemu-bridge-helper
> > +
> > +Closes #816602
> > +--- a/src/qemu/qemu.conf
> >  b/src/qemu/qemu.conf
> > +@@ -357,7 +357,7 @@
> > + # is used to create  interfaces when libvirtd is
> > + # running unprivileged.  libvirt invokes the helper directly, instead
> > + # of using "-netdev bridge", for security reasons.
> > +-#bridge_helper = "/usr/libexec/qemu-bridge-helper"
> > ++#bridge_helper = "/usr/lib/qemu/qemu-bridge-helper"
> > + 
> > + 
> > + 
> > +--- a/src/qemu/qemu_conf.c
> >  b/src/qemu/qemu_conf.c
> > +@@ -244,7 +244,7 @@ virQEMUDriverConfigPtr virQEMUDriverConf
> > + goto error;
> > + }
> > + 
> > +-if (VIR_STRDUP(cfg->bridgeHelperName, 
> > "/usr/libexec/qemu-bridge-helper") < 0)
> > ++if (VIR_STRDUP(cfg->bridgeHelperName, 
> > "/usr/lib/qemu/qemu-bridge-helper") < 0)
> > + goto error;
> > + 
> > + cfg->clearEmulatorCapabilities = true;
> > +--- a/src/qemu/test_libvirtd_qemu.aug.in
> >  b/src/qemu/test_libvirtd_qemu.aug.in
> > +@@ -56,7 +56,7 @@ module Test_libvirtd_qemu =
> > + { "auto_dump_bypass_cache" = "0" }
> > + { "auto_start_bypass_cache" = "0" }
> > + { "hugetlbfs_mount" = "/dev/hugepages" }
> > +-{ "bridge_helper" = "/usr/libexec/qemu-bridge-helper" }
> > ++{ "bridge_helper" = "/usr/lib/qemu/qemu-bridge-helper" }
> > + { "clear_emulator_capabilities" = "1" }
> > + { "set_process_name" = "1" }
> > + { "max_processes" = "0" }
> > diff -Nru 
> > libvirt-1.2.9/debian/patches/Disable-failing-virnetsockettest.patch 
> > libvirt-1.2.9/debian/patches/Disable-failing-virnetsockettest.patch
> > --- libvirt-1.2.9/debian/patches/Disable-failing-virnetsockettest.patch 
> > 2015-08-24 16:20:54.0 +0200
> > +++ libvirt-1.2.9/debian/patches/Disable-failing-virnetsockettest.patch 
> > 2016-03-04 14:47:12.0 +0100
> > @@

Bug#817015: jessie-pu: package libvirt/1.2.9-9+deb8u1

2016-03-25 Thread Guido Günther
Hi Philipp,

thanks for looking into this!

On Thu, Mar 24, 2016 at 05:51:21PM +0100, Philipp Hahn wrote:
> diff -Nru libvirt-1.2.9/debian/changelog libvirt-1.2.9/debian/changelog
> --- libvirt-1.2.9/debian/changelog2015-08-26 08:34:22.0 +0200
> +++ libvirt-1.2.9/debian/changelog2016-03-05 08:18:07.0 +0100
> @@ -1,3 +1,13 @@
> +libvirt (1.2.9-9+deb8u2) jessie; urgency=medium
> +
> +  * Non-maintainer upload.
> +  * Fix CVE-2015-5313 (Closes: #808273)
> +  * libvirt-daemon: Expects qemu-bridge-helper in /usr/libexec/
> +(Closes: #816602)
> +  * Fix several FTBFS errors

Could you elaborate on the FTBFS errors? I just rebuilt the current
jessie version without any changes so "Fix several FTBFS errors" sounds
very vague and exaggerated. We already had a point release in Jessie so
I wonder how these would get introduced?

> +
> + -- Philipp Matthias Hahn <pmh...@debian.org>  Fri, 04 Mar 2016 12:01:36 
> +0100
> +
>  libvirt (1.2.9-9+deb8u1) jessie; urgency=medium
>  
>[ Guido Günther ]
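Review bot: the second changelog bullet, `libvirt-daemon: Expects qemu-bridge-helper in /usr/libexec/`, states the symptom rather than the change. It should say what the upload does, for example that the default helper path is switched to `/usr/lib/qemu/qemu-bridge-helper`, and the `Fix several FTBFS errors` bullet should name the failures or patches it covers so each bullet can be matched to a part of the debdiff.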
> diff -Nru libvirt-1.2.9/debian/control libvirt-1.2.9/debian/control
> --- libvirt-1.2.9/debian/control  2015-08-24 16:20:54.0 +0200
> +++ libvirt-1.2.9/debian/control  2016-03-04 13:42:30.0 +0100
> @@ -5,6 +5,7 @@
>  Uploaders: Guido Günther <a...@sigxcpu.org>, Laurent Léonard 
> <laur...@open-minds.org>
>  Build-Depends:
>   debhelper (>= 7),
> + dh-autoreconf,
>   dh-systemd (>= 1.18~),
>   libxml2-dev,
>   libncurses5-dev,
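Review bot: the `dh-autoreconf` line added to `Build-Depends` is not mentioned in the changelog entry of this debdiff. Regenerating the build system is a behaviour change for a stable update, so either document it in the changelog together with the reason or leave it out of the upload.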
> diff -Nru 
> libvirt-1.2.9/debian/patches/debian/Debianize-bridge-helper-path.patch 
> libvirt-1.2.9/debian/patches/debian/Debianize-bridge-helper-path.patch
> --- libvirt-1.2.9/debian/patches/debian/Debianize-bridge-helper-path.patch
> 1970-01-01 01:00:00.0 +0100
> +++ libvirt-1.2.9/debian/patches/debian/Debianize-bridge-helper-path.patch
> 2016-03-05 08:18:07.0 +0100
> @@ -0,0 +1,42 @@
> +libvirt-daemon: Expects qemu-bridge-helper in /usr/libexec/
> +
> +$ strings /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so | grep 
> bridge-helper
> +/usr/libexec/qemu-bridge-helper
> +
> +$ dpkg -S bridge-helper
> +qemu-system-common: /usr/lib/qemu/qemu-bridge-helper
> +
> +Closes #816602
> +--- a/src/qemu/qemu.conf
>  b/src/qemu/qemu.conf
> +@@ -357,7 +357,7 @@
> + # is used to create  interfaces when libvirtd is
> + # running unprivileged.  libvirt invokes the helper directly, instead
> + # of using "-netdev bridge", for security reasons.
> +-#bridge_helper = "/usr/libexec/qemu-bridge-helper"
> ++#bridge_helper = "/usr/lib/qemu/qemu-bridge-helper"
> + 
> + 
> + 
> +--- a/src/qemu/qemu_conf.c
>  b/src/qemu/qemu_conf.c
> +@@ -244,7 +244,7 @@ virQEMUDriverConfigPtr virQEMUDriverConf
> + goto error;
> + }
> + 
> +-if (VIR_STRDUP(cfg->bridgeHelperName, 
> "/usr/libexec/qemu-bridge-helper") < 0)
> ++if (VIR_STRDUP(cfg->bridgeHelperName, 
> "/usr/lib/qemu/qemu-bridge-helper") < 0)
> + goto error;
> + 
> + cfg->clearEmulatorCapabilities = true;
> +--- a/src/qemu/test_libvirtd_qemu.aug.in
>  b/src/qemu/test_libvirtd_qemu.aug.in
> +@@ -56,7 +56,7 @@ module Test_libvirtd_qemu =
> + { "auto_dump_bypass_cache" = "0" }
> + { "auto_start_bypass_cache" = "0" }
> + { "hugetlbfs_mount" = "/dev/hugepages" }
> +-{ "bridge_helper" = "/usr/libexec/qemu-bridge-helper" }
> ++{ "bridge_helper" = "/usr/lib/qemu/qemu-bridge-helper" }
> + { "clear_emulator_capabilities" = "1" }
> + { "set_process_name" = "1" }
> + { "max_processes" = "0" }
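Review bot: the new `Debianize-bridge-helper-path.patch` has no header fields, only free text and `Closes #816602`. Add author, description and bug reference headers so its origin is traceable. In the `qemu_conf.c` part one hard-coded literal is replaced by another, repeated in `qemu.conf` and `test_libvirtd_qemu.aug.in`; because the helper is invoked directly by libvirt, as the `qemu.conf` comment says, it is worth checking at build or test time that the default matches the path `qemu-system-common` ships, which the `dpkg -S` output in the header currently documents only by hand.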
> diff -Nru libvirt-1.2.9/debian/patches/Disable-failing-virnetsockettest.patch 
> libvirt-1.2.9/debian/patches/Disable-failing-virnetsockettest.patch
> --- libvirt-1.2.9/debian/patches/Disable-failing-virnetsockettest.patch   
> 2015-08-24 16:20:54.0 +0200
> +++ libvirt-1.2.9/debian/patches/Disable-failing-virnetsockettest.patch   
> 2016-03-04 14:47:12.0 +0100
> @@ -7,11 +7,25 @@
>   tests/virnetsockettest.c | 2 ++
>   1 file changed, 2 insertions(+)
>  
> -diff --git a/tests/virnetsockettest.c b/tests/virnetsockettest.c
> -index 5d91f26..1f283a3 100644
>  --- a/tests/virnetsockettest.c
>  +++ b/tests/virnetsockettest.c
> -@@ -501,10 +501,12 @@ mymain(void)
> +@@ -333,6 +333,7 @@ static int testSocketUNIXAddrs(const voi
> + return ret;
> + }
> + 
> ++#if 0
> + static int testSocketCommandNormal(const void *data ATTRIBUTE_UNUSED)
> + {
> + virNetSocketPtr csock = NULL;
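Review bot: the `#if 0` added before `testSocketCommandNormal` compiles the test code out with no comment saying why or when it can come back. If the block has to go, put a short comment next to the `#if 0` naming the reason, and update the patch's own diffstat (`tests/virnetsockettest.c | 2 ++`, `2 insertions(+)`), which no longer matches once these extra lines are added.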

Bug#815730: jessie-pu: package whatmaps/0.0.9-1+deb8u1

2016-03-24 Thread Guido Günther
Hi Adam,
On Wed, Mar 23, 2016 at 08:35:36PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Wed, 2016-02-24 at 09:00 +0100, Guido Günther wrote:
> > I'd like to update whatmaps in p-u to fix #791569. Due to the rename
> > of the apache package from apache2.2 to apache2 whatmaps fails to
> > restart apache after a security upgrade.
> 
> Please go ahead, bearing in mind that the window for 8.4 closes this
> weekend.

Uploaded. Thanks!
 -- Guido



Bug#818006: jessie-pu: package aptdaemon/1.1.1-4+deb8u1

2016-03-12 Thread Guido Günther
On Sat, Mar 12, 2016 at 05:26:47PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sat, 2016-03-12 at 17:56 +0100, Guido Günther wrote:
> > I'd like to update apt-daemon in jessie to fix CVE-2015-1323 which is
> > already fixed in squeeze-lts.
> 
> Please go ahead.

Uploaded. Thanks!
 -- Guido



Bug#818007: wheezy-pu: package aptdaemon/0.45-2+deb7u1.debdiff

2016-03-12 Thread Guido Günther
On Sat, Mar 12, 2016 at 05:23:46PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sat, 2016-03-12 at 17:59 +0100, Guido Günther wrote:
> > I'd like to update apt-daemon in wheezy to fix CVE-2015-1323 which is
> > already fixed in squeeze-lts.
> 
> Please go ahead.

Uploaded. Thanks!
 -- Guido



Bug#818007: wheezy-pu: package aptdaemon/0.45-2+deb7u1.debdiff

2016-03-12 Thread Guido Günther
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to update apt-daemon in wheezy to fix CVE-2015-1323 which is
already fixed in squeeze-lts.

The debdiff is attached.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), 
(500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index eb3eb13..80547b9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+aptdaemon (0.45-2+deb7u1) oldstable-proposed-updates; urgency=medium
+
+  * Non maintainer upload
+  * Add CVE-2015-1323.patch to address CVE-2015-1323 - taken from
+0.43+bzr805-0ubuntu10 (Closes: #789162)
+
+ -- Guido Günther <a...@sigxcpu.org>  Mon, 29 Feb 2016 08:33:47 +0100
+
 aptdaemon (0.45-2) unstable; urgency=medium
 
   * Check downloaded key id; merged from Ubuntu (CVE-2012-0962)
diff --git a/debian/patches/CVE-2015-1323.patch 
b/debian/patches/CVE-2015-1323.patch
new file mode 100644
index 000..09bcfb6
--- /dev/null
+++ b/debian/patches/CVE-2015-1323.patch
@@ -0,0 +1,373 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <a...@sigxcpu.org>
+Date: Sun, 28 Feb 2016 19:55:02 +0100
+Subject: CVE-2015-1323
+
+---
+ aptdaemon/core.py | 10 ++
+ aptdaemon/pkcompat.py | 11 +++
+ aptdaemon/policykit1.py   |  9 ++---
+ aptdaemon/worker.py   | 43 ++-
+ tests/test_dbus_type.py   |  6 --
+ tests/test_unicodedecoding.py |  3 ++-
+ tests/test_worker.py  | 31 ---
+ 7 files changed, 79 insertions(+), 34 deletions(-)
+
+diff --git a/aptdaemon/core.py b/aptdaemon/core.py
+index b69923d..6d841e3 100644
+--- a/aptdaemon/core.py
 b/aptdaemon/core.py
+@@ -330,7 +330,7 @@ class Transaction(DBusObject):
+"DebconfSocket", "MetaData", "Locale",
+"RemoveObsoleteDepends")
+ 
+-def __init__(self, tid, role, queue, pid, uid, cmdline, sender,
++def __init__(self, tid, role, queue, pid, uid, gid, cmdline, sender,
+  connect=True, bus=None, packages=None, kwargs=None):
+ """Initialize a new Transaction instance.
+ 
+@@ -365,6 +365,7 @@ class Transaction(DBusObject):
+ kwargs = {}
+ self.queue = queue
+ self.uid = uid
++self.gid = gid
+ self.locale = dbus.String("")
+ self.allow_unauthenticated = dbus.Boolean(False)
+ self.remove_obsoleted_depends = dbus.Boolean(False)
+@@ -1469,11 +1470,12 @@ class AptDaemon(DBusObject):
+ @inline_callbacks
+ def _create_trans(self, role, sender, packages=None, kwargs=None):
+ """Helper method which returns the tid of a new transaction."""
+-pid, uid, cmdline = \
++pid, uid, gid, cmdline = \
+ yield policykit1.get_proc_info_from_dbus_name(sender, 
self.bus)
+ tid = uuid.uuid4().get_hex()
+-trans = Transaction(tid, role, self.queue, pid, uid, cmdline, sender,
+-packages=packages, kwargs=kwargs, bus=self.bus)
++trans = Transaction(
++tid, role, self.queue, pid, uid, gid, cmdline, sender,
++packages=packages, kwargs=kwargs, bus=self.bus)
+ self.queue.limbo[trans.tid] = trans
+ return_value(trans.tid)
+ 
+diff --git a/aptdaemon/pkcompat.py b/aptdaemon/pkcompat.py
+index 0806201..845c72e 100644
+--- a/aptdaemon/pkcompat.py
 b/aptdaemon/pkcompat.py
+@@ -408,9 +408,10 @@ class PackageKit(aptdaemon.core.DBusObject):
+ 
+ @inline_callbacks
+ def _get_tid(self, sender):
+-pid, uid, cmdline = \
++pid, uid, gid, cmdline = \
+ yield policykit1.get_proc_info_from_dbus_name(sender, 
self.bus)
+-pktrans = PackageKitTransaction(pid, uid, cmdline, self.queue, sender)
++pktrans = PackageKitTransaction(
++pid, uid, gid, cmdline, self.queue, sender)
+ return_value(pktrans.tid)
+ 
+ # pylint: disable-msg=C0103,C0322
+@@ -531,7 +532,8 @@ class MergedTransaction(aptdaemon.core.Transaction):
+ def __init__(self, pktrans, role, queue, connect=True,
+  bus=None, packages=None, kwargs=None):
+ aptdaemon.core.Transaction.__init__(self, pktrans.tid[1:], role, 
queue,
+-pktrans.pid, pktrans.uid,
++pktrans.pid,
++
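Review bot: the embedded `CVE-2015-1323.patch` header has only `Subject: CVE-2015-1323` and a `From:` line naming the uploader, while the changelog says the patch was taken from `0.43+bzr805-0ubuntu10`. Add an `Origin:` field pointing at that source and a short description of what the new `gid` is used for, since the visible hunks only show it being threaded through `Transaction.__init__`, `_create_trans` and `_get_tid`.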

Bug#818006: jessie-pu: package aptdaemon/1.1.1-4+deb8u1

2016-03-12 Thread Guido Günther
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to update apt-daemon in jessie to fix CVE-2015-1323 which is
already fixed in squeeze-lts.

The debdiff is attached.

Cheers,
 -- Guido

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), 
(500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 38e82be..7a93d22 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+aptdaemon (1.1.1-4+deb8u1) stable-proposed-updates; urgency=medium
+
+  * Non maintainer upload
+  * Add CVE-2015-1323.patch to address CVE-2015-1323 - taken from
+1.1.1-1ubuntu5.2 (Closes: #789162)
+
+ -- Guido Günther <a...@sigxcpu.org>  Mon, 29 Feb 2016 21:13:01 +0100
+
 aptdaemon (1.1.1-4) unstable; urgency=medium
 
   * Merge all changes from Ubuntu trusty.
diff --git a/debian/patches/CVE-2015-1323.patch 
b/debian/patches/CVE-2015-1323.patch
new file mode 100644
index 000..bc6a963
--- /dev/null
+++ b/debian/patches/CVE-2015-1323.patch
@@ -0,0 +1,377 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <a...@sigxcpu.org>
+Date: Sun, 28 Feb 2016 19:55:02 +0100
+Subject: CVE-2015-1323
+
+---
+ aptdaemon/core.py | 10 +---
+ aptdaemon/pkcompat.py | 10 +---
+ aptdaemon/policykit1.py   |  9 ---
+ aptdaemon/progress.py |  5 
+ aptdaemon/worker.py   | 31 ++--
+ tests/_test_py2_string_handling.py|  3 ++-
+ tests/test_high_trust_repository_whitelist.py |  4 +--
+ tests/test_worker.py  | 35 ++-
+ 8 files changed, 74 insertions(+), 33 deletions(-)
+
+diff --git a/aptdaemon/core.py b/aptdaemon/core.py
+index 9e1e9d3..35f40d7 100644
+--- a/aptdaemon/core.py
 b/aptdaemon/core.py
+@@ -342,7 +342,7 @@ class Transaction(DBusObject):
+"DebconfSocket", "MetaData", "Locale",
+"RemoveObsoleteDepends")
+ 
+-def __init__(self, tid, role, queue, pid, uid, cmdline, sender,
++def __init__(self, tid, role, queue, pid, uid, gid, cmdline, sender,
+  connect=True, bus=None, packages=None, kwargs=None):
+ """Initialize a new Transaction instance.
+ 
+@@ -378,6 +378,7 @@ class Transaction(DBusObject):
+ kwargs = {}
+ self.queue = queue
+ self.uid = uid
++self.gid = gid
+ self.locale = dbus.String("")
+ self.allow_unauthenticated = dbus.Boolean(False)
+ self.remove_obsoleted_depends = dbus.Boolean(False)
+@@ -1538,11 +1539,12 @@ class AptDaemon(DBusObject):
+ @inline_callbacks
+ def _create_trans(self, role, sender, packages=None, kwargs=None):
+ """Helper method which returns the tid of a new transaction."""
+-pid, uid, cmdline = (
++pid, uid, gid, cmdline = (
+ yield policykit1.get_proc_info_from_dbus_name(sender, self.bus))
+ tid = uuid.uuid4().hex
+-trans = Transaction(tid, role, self.queue, pid, uid, cmdline, sender,
+-packages=packages, kwargs=kwargs, bus=self.bus)
++trans = Transaction(
++tid, role, self.queue, pid, uid, gid, cmdline, sender,
++packages=packages, kwargs=kwargs, bus=self.bus)
+ self.queue.limbo[trans.tid] = trans
+ return_value(trans.tid)
+ 
+diff --git a/aptdaemon/pkcompat.py b/aptdaemon/pkcompat.py
+index cc05415..da99a32 100644
+--- a/aptdaemon/pkcompat.py
 b/aptdaemon/pkcompat.py
+@@ -469,9 +469,10 @@ class PackageKit(core.DBusObject):
+ 
+ @inline_callbacks
+ def _create_transaction(self, sender):
+-pid, uid, cmdline = yield policykit1.get_proc_info_from_dbus_name(
++pid, uid, gid, cmdline = yield 
policykit1.get_proc_info_from_dbus_name(
+ sender, self.bus)
+-pktrans = PackageKitTransaction(pid, uid, cmdline, self.queue, sender)
++pktrans = PackageKitTransaction(
++pid, uid, gid, cmdline, self.queue, sender)
+ return_value(pktrans.tid)
+ 
+ # pylint: disable-msg=C0103,C0322
+@@ -602,7 +603,7 @@ class MergedTransaction(core.Transaction):
+ def __init__(self, pktrans, role, queue, connect=True,
+  bus=None, packages=None, kwargs=None):
+ core.Transaction.__init__(self, pktrans.tid[1:], role, queue,
+-  pktrans.pid, pktrans.uid,
++ 
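Review bot: in the `core.py` and `pkcompat.py` hunks, `get_proc_info_from_dbus_name` now yields four values and `Transaction.__init__` gains `gid` as a positional parameter between `uid` and `cmdline`. Any caller that still unpacks three values will raise, and any caller still passing `cmdline` in the old position will silently shift its arguments, so confirm that every call site and every `Transaction` subclass is converted in this patch, and add a test that constructs a transaction and checks `trans.gid`.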

Re: Using the same nss upstream version in all suites?

2016-02-29 Thread Guido Günther
On Thu, Dec 31, 2015 at 01:13:19PM +0100, Guido Günther wrote:
> Hi release team,
> on the LTS list we discussed if it would be feasible to have the same
> nspr/nss[1] upstream version in all suites (namely testing, stable,
> oldstable, oldoldstable). There are several reasons for this:
> 
>   * Doing so would reduce the number of embedded code copies in
> icedove/iceweasel/chromium/ They currently become necessary at
> one point once the version shipped in stable becomes too old.
> 
>   * NSS receives frequent security updates that currently require
> backporting the patches to very different versions
> 
>   * Backporting NSS patches becomes much harder over the years so
> introducing a new version might become less risky than doing the
> backport.
> 
>   * NSS/NSPR have strict ABI policies[2] to not break backward
> compatibility.
> 
>   * Security bugs are often restricted on the mozilla bug tracker for
> a long time so we know there _is_ a bug but might not know what it
> is until the bug is publicly accessible.
> 
>   * We would have the same crypto policies for programs linked against
> nss in all suites.
> 
> As a first step we discussed if it would be possible to introduce the
> new nspr/nss versions via stable point releases. This would allow us to
> ask for testing via the proposed-updates repo while still being able to
> fix any regressions via a DSA. Backporting would become simpler since
> the same backporting would happen for stable/oldstable and oldoldstable
> and the diff to the new upstream version is minimal.
> 
> In order to improve confidence in nss upstream releases we enable the
> test suite during the build and added some basic autopkg tests[3,4].
> 
> Would it be o.k. for the release team to handle new nss/nspr versions
> via stable point releases?

Now that squeeze moves out of support would it be o.k. to update nss via
p-u for stable and oldstable?

Cheers,
 -- Guido



Bug#815730: jessie-pu: package whatmaps/0.0.9-1+deb8u1

2016-02-24 Thread Guido Günther
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,
I'd like to update whatmaps in p-u to fix #791569. Due to the rename
of the apache package from apache2.2 to apache2 whatmaps fails to
restart apache after a security upgrade.
Cheers,
 -- Guido

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), 
(500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 94fec4b..76adb40 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+whatmaps (0.0.9-1+deb8u1) stable-proposed-updates; urgency=medium
+
+  * [920f1dd] Respect jessie apache package rename (Closes: #791569)
+  * [7c61790] Adjust gbp.conf for Jessie
+
+ -- Guido Günther <a...@sigxcpu.org>  Wed, 24 Feb 2016 08:36:38 +0100
+
 whatmaps (0.0.9-1) unstable; urgency=medium
 
   * New upstream version:
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 9678e28..a446ca6 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,4 +1,4 @@
 [DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/jessie
 upstream-tag = v%(version)s
 upstream-branch = master
diff --git a/debian/patches/Respect-jessie-apache-package-rename.patch b/debian/patches/Respect-jessie-apache-package-rename.patch
new file mode 100644
index 000..1ce75f6
--- /dev/null
+++ b/debian/patches/Respect-jessie-apache-package-rename.patch
@@ -0,0 +1,21 @@
+From: Santiago Garcia Mantinan <ma...@debian.org>
+Date: Tue, 7 Jul 2015 07:17:22 +0200
+Subject: Respect jessie apache package rename
+
+Closes: #791569
+---
+ whatmaps/debiandistro.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/whatmaps/debiandistro.py b/whatmaps/debiandistro.py
+index 3a3bf16..5c98c19 100644
+--- a/whatmaps/debiandistro.py
 b/whatmaps/debiandistro.py
+@@ -43,6 +43,7 @@ class DebianDistro(Distro):
+ _pkg_services = { 'apache2-mpm-worker':  [ 'apache2' ],
+   'apache2-mpm-prefork': [ 'apache2' ],
+   'apache2.2-bin':   [ 'apache2' ],
++  'apache2-bin': [ 'apache2' ],
+   'dovecot-imapd':   [ 'dovecot' ],
+   'dovecot-pop3d':   [ 'dovecot' ],
+   'exim4-daemon-light':  [ 'exim4' ],
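Review bot: the `'apache2-bin': [ 'apache2' ]` entry is added to `_pkg_services` without a test; the diffstat shows only `whatmaps/debiandistro.py` changing. A small test asserting that `apache2-bin` maps to the `apache2` service would keep the next package rename from regressing this silently.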
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..d9c8b37
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+Respect-jessie-apache-package-rename.patch


Re: wheezy-security to wheezy-lts transition

2016-02-22 Thread Guido Günther
Hi Moritz,
On Mon, Feb 22, 2016 at 11:28:48PM +0100, Moritz Mühlenhoff wrote:
> On Mon, Feb 22, 2016 at 06:42:20PM +0100, Guido Günther wrote:
> > Hi Adam,
> > On Sat, Feb 20, 2016 at 02:27:27PM +, Adam D. Barratt wrote:
> > > [apologies to anyone who's ended up with three copies of this; the
> > > original got eaten due to a misconfiguration on my side - please only
> > > reply to this copy]
> > > 
> > > Hi,
> > > 
> > > As I understand it, the plan is for wheezy-lts to re-use
> > > security.d.o:wheezy/updates directly, rather than a separate suite on
> > > ftp-master. Is that correct?
> > 
> > I think so. See
> > 
> > 
> > https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=prep-wheezy-lts;users=debian-...@lists.debian.org
> 
> While these two are long-standing enhancement bugs which would make
> the security team work much easier, they are unrelated to the plan
> outlined above.

I'm confused now. Aren't these two bugs requirements to implement
1) and 3) from Raphael's BoF summary:

   1/ the ftpmasters would reconfigure the suite to drop the "policy queue"
   in front of the repositories so that uploads are immediately accepted
   exactly like the current squeeze-lts repository (Ansgar told us this
   was easy to do)
   This solves problems 4 and 1 because LTS members no longer need shell
   access if there is "approval" step in the workflow.

   3/ the ftpmasters will fix dak to also send the ACCEPTED mails to the
   person who signed the upload (this was already part of their plans
   even before this discussion, this now gives them one reason more
   to actually do it before the Wheezy LTS period start, aka in February
   2016)

> That plan was mentioned during the DebConf BoF, but I'm not aware that anyone
> is working on that and I'm unsure whether it's feasible to implement
> in time?

> Especially since even far simpler changes like the two mentioned above are
> open for quite a long time.

I'm happy to help here but besides setting up my own dak and testing the
provided patches I'm not sure how.

Cheers,
 -- Guido




Re: wheezy-security to wheezy-lts transition

2016-02-22 Thread Guido Günther
Hi Adam,
On Sat, Feb 20, 2016 at 02:27:27PM +, Adam D. Barratt wrote:
> [apologies to anyone who's ended up with three copies of this; the
> original got eaten due to a misconfiguration on my side - please only
> reply to this copy]
> 
> Hi,
> 
> As I understand it, the plan is for wheezy-lts to re-use
> security.d.o:wheezy/updates directly, rather than a separate suite on
> ftp-master. Is that correct?

I think so. See


https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=prep-wheezy-lts;users=debian-...@lists.debian.org

> If so then we need to consider how the transition works in the short
> term. For example, the final point release of oldstable occurs after
> security support ceases, so that we can fold in as many of the remaining
> packages from the security archive as possible, including those that
> failed to build on some architectures originally - it would be confusing
> if we ended up pulling in any packages that were actually from
> wheezy-lts, or even having those appear in oldstable-new.

What would that involve? A flag day when the usual uploads to s.d.o for
wheezy stop and the point release is made? Or can we just stop
forwarding packages to oldstable-new at that day and that point release
can happen at a later date while the LTS uploads to s.d.o already start?

The planned date for wheezy LTS to start is 26th of April:

https://wiki.debian.org/LTS

Cheers,
 -- Guido





Bug#812362: jessie-pu: package giflib/4.1.6-11+deb8u1

2016-01-24 Thread Guido Günther
On Sun, Jan 24, 2016 at 07:28:39PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Fri, 2016-01-22 at 19:49 +0100, Guido Günther wrote:
> > I'd like to fix CVE-2015-7555 via jessie-pu since the bug is fixed in
> > Squeeze LTS and we try to not introduce new security issues when people
> > upgrade (the Debian security team marked this CVE as no-dsa).
> 
> Please go ahead.

Uploaded. Thanks a lot!
 -- Guido



Bug#812363: wheezy-pu: package giflib/4.1.6-10+deb7u1

2016-01-24 Thread Guido Günther
On Sun, Jan 24, 2016 at 07:27:47PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Fri, 2016-01-22 at 19:50 +0100, Guido Günther wrote:
> > I'd like to fix CVE-2015-7555 via wheezy-pu since the bug is fixed in
> > Squeeze LTS and we try to not introduce new security issues when people
> > upgrade (the Debian security team marked this CVE as no-dsa).
> 
> Please go ahead, with "wheezy" in the changelog rather than
> "oldstable-security".

Uploaded now. Thanks!
 -- Guido



Bug#812363: wheezy-pu: package giflib/4.1.6-10+deb7u1

2016-01-22 Thread Guido Günther
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu

Hi,
I'd like to fix CVE-2015-7555 via wheezy-pu since the bug is fixed in
Squeeze LTS and we try to not introduce new security issues when people
upgrade (the Debian security team marked this CVE as no-dsa).

Please find the debdiff attached.
Cheers,
 -- Guido

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), 
(500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 727ea97..f728114 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+giflib (4.1.6-10+deb7u1) oldstable-security; urgency=medium
+
+  * Non-maintainer upload by the LTS Security Team.
+  * CVE-2015-7555: bail out if Width > SWidth.
+Cherry-picked upstream commit 179510be300bf5e37528d79619b53c884a63
+(Closes: #808704)
+
+ -- Guido Günther <a...@sigxcpu.org>  Fri, 22 Jan 2016 19:03:38 +0100
+
 giflib (4.1.6-10) unstable; urgency=low
 
   * Fixing fprintf issues by YunQiang Su.
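Review bot: the first added line sets the distribution to `oldstable-security`, but this debdiff is submitted as a wheezy point-release update (wheezy-pu). An upload that goes through proposed-updates should name `wheezy` there; please change the distribution field before uploading.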
diff --git a/debian/patches/CVE-2015-7555-bail-out-if-Width-SWidth.patch b/debian/patches/CVE-2015-7555-bail-out-if-Width-SWidth.patch
new file mode 100644
index 000..e660bea
--- /dev/null
+++ b/debian/patches/CVE-2015-7555-bail-out-if-Width-SWidth.patch
@@ -0,0 +1,22 @@
+From: "Eric S. Raymond" <e...@thyrsus.com>
+Date: Tue, 5 Jan 2016 23:01:45 -0500
+Subject: CVE-2015-7555: bail out if Width > SWidth
+
+Cherry-picked upstream commit 179510be300bf5e37528d79619b53c884a63
+---
+ util/giffix.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/util/giffix.c b/util/giffix.c
+index 247305e..408d429 100644
+--- a/util/giffix.c
 b/util/giffix.c
+@@ -137,6 +137,8 @@ int main(int argc, char **argv)
+ 		Height = GifFileIn->Image.Height;
+ 		GifQprintf("\n%s: Image %d at (%d, %d) [%dx%d]: ",
+ 		PROGRAM_NAME, ++ImageNum, Col, Row, Width, Height);
++		if (Width > GifFileIn->SWidth)
++		GIF_EXIT("Image is wider than total");
+ 
+ 		/* Put the image descriptor to out file: */
+ 		if (EGifPutImageDesc(GifFileOut, Col, Row, Width, Height,
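Review bot: the added test `if (Width > GifFileIn->SWidth)` looks at the width alone, although `Col` is read just above and passed on to EGifPutImageDesc() in the same hunk. An image that is narrower than the screen but placed at a non-zero left offset would still pass the check. Whether that matters depends on how the line buffer is sized and indexed further down in main(), which this hunk does not show, so please confirm against the full file and, if the buffer is sized from SWidth, test the offset plus the width rather than the width only.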
diff --git a/debian/patches/series b/debian/patches/series
index 3bcfb21..e297c1f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 02-doc_fixes.patch
 03-spelling_fixes.patch
 04-fprintf_format_error.patch
+CVE-2015-7555-bail-out-if-Width-SWidth.patch


Re: Using the same nss upstream version in all suites?

2016-01-02 Thread Guido Günther
Hi Julien,
On Fri, Jan 01, 2016 at 09:47:11PM +0100, Julien Cristau wrote:
> On Thu, Dec 31, 2015 at 13:13:19 +0100, Guido Günther wrote:
> 
> >   * We would have the same crypto policies for programs linked against
> > nss in all suites.
> > 
> From a stable user perspective, I'm not sure I see that as an advantage,
> if it means things end up breaking on point releases.

I forgot to add that nss is very conservative in changing these
policies. The packages using it like iceweasel/icedove are far more
aggressive in changing defaults.

Currently we have these things sometimes entangled with security
updates which is not ideal either so I think having these at point
release time with some time to prepare for upgrades is actually an
advantage.

Cheers,
 -- Guido



Using the same nss upstream version in all suites?

2015-12-31 Thread Guido Günther
Hi release team,
on the LTS list we discussed if it would be feasible to have the same
nspr/nss[1] upstream version in all suites (namely testing, stable,
oldstable, oldoldstable). There are several reasons for this:

  * Doing so would reduce the number of embedded code copies in
    icedove/iceweasel/chromium/ They currently become necessary at
    one point once the version shipped in stable becomes too old.

  * NSS receives frequent security updates that currently require
    backporting the patches to very different versions

  * Backporting NSS patches becomes much harder over the years so
    introducing a new version might become less risky than doing the
    backport.

  * NSS/NSPR have strict ABI policies[2] to not break backward
    compatibility.

  * Security bugs are often restricted on the mozilla bug tracker for
    a long time so we know there _is_ a bug but might not know what it
    is until the bug is publicly accessible.

  * We would have the same crypto policies for programs linked against
    nss in all suites.

As a first step we discussed if it would be possible to introduce the
new nspr/nss versions via stable point releases. This would allow us to
ask for testing via the proposed-updates repo while still being able to
fix any regressions via a DSA. Backporting would become simpler since
the same backporting would happen for stable/oldstable and oldoldstable
and the diff to the new upstream version is minimal.

In order to improve confidence in nss upstream releases we enable the
test suite during the build and added some basic autopkg tests[3,4].

Would it be o.k. for the release team to handle new nss/nspr versions
via stable point releases?

Cheers,
 -- Guido

[1] Mozilla's Network Security Service libraries
[2] https://lists.debian.org/debian-lts/2015/11/msg00027.html
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806207
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806639



Bug#798028: jessie-pu: package pykerberos/1.1.5-0.1+deb8u1

2015-10-27 Thread Guido Günther
Hi Adam,
On Sun, Oct 25, 2015 at 01:40:33PM +, Adam D. Barratt wrote:
[..snip..]
> 
> Actually, what you uploaded was the wheezy package... Including the typo
> in debian/NEWS. :-|
> 
> I've flagged that for acceptance, but please still feel free to go ahead
> with the jessie upload. :-) (ideally without the typo.)

Sorry for the mix up. Uploaded now (with typo fixed) for jessie.
Cheers and thanks a lot!
 -- Guido



Bug#798091: wheezy-pu: package pykerberos/1.1+svn4895-1+deb7u1

2015-10-23 Thread Guido Günther
On Sat, Sep 05, 2015 at 03:40:55PM +0200, Guido Günther wrote:
> Package: release.debian.org
> Severity: normal
> Tags: wheezy
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> Hi,
> I'd like to fix CVE-2015-3206 (missing KDC authenticity verification)
> for wheezy via a point release. The debdiff is attached. The bug is
> fixed in unstable as well as squeeze-lts already.
> 
> As in squeeze-lts the KDC check is disabled by default to not break existing
> installations.

Ping?
 -- Guido



Bug#798028: jessie-pu: package pykerberos/1.1.5-0.1+deb8u1

2015-10-23 Thread Guido Günther
Hi Adam,
On Sat, Oct 10, 2015 at 08:20:15PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Fri, 2015-09-04 at 17:41 +0200, Guido Günther wrote:
> > I'd like to fix CVE-2015-3206 (a lack (missing KDC authenticity
> > verification) for jessie via a point release. The debdiff is
> > attached. The bug is fixed in unstable as well as squeeze-lts already.
> > 
> > As in squeeze-lts the KDC check is disabled by default to not break existing
> > installations.
> 
> +++ b/debian/NEWS
> @@ -0,0 +1,42 @@
> [...]
> s/ordner/order/
> 
> Please go ahead.

Uploaded. Thanks!
 -- Guido



Bug#798091: wheezy-pu: package pykerberos/1.1+svn4895-1+deb7u1

2015-09-05 Thread Guido Günther
which is mandated by the symmetric nature of
+  Kerberos (whereas in the LDAP case, the use of public-key cryptography
+  allows anonymous verification).
+  .
+  The fact of pykerberos being susceptible to KDC spoofing attacks has
+  been filed as CVE-2015-3206.
+  .
+  With this version of the pykerberos package a new option is introduced
+  for the checkPassword() method. Setting verify to True when using
+  checkPassword() will perform a KDC verification. For this to work, you
+  need to provide a krb5.keytab file containing service principal keys for
+  the service you intend to use.
+  .
+  As the default krb5.keytab file in /etc is normally not accessible by
+  non-root users/processes, you have to make sure a custom krb5.keytab
+  file containing the correct principal keys is provided to your
+  application using the KRB5_KTNAME environment variable.
+  .
+  Note: In Debian wheezy, KDC verification support is disabled by
+  default in ordner not to break existing setups.
+
+ -- Guido Günther <a...@sigxcpu.org>  Sat, 05 Sep 2015 15:31:19 +0200
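Review bot: typo in the closing note of the NEWS entry, "in ordner not to break existing setups" should read "in order not to break existing setups". Since this text is shown to administrators on upgrade, it is worth fixing before the upload.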
diff --git a/debian/changelog b/debian/changelog
index 27c11ff..f0076d2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+pykerberos (1.1+svn4895-1+deb7u1) wheezy; urgency=medium
+
+  * Add KDC authenticity verification support (CVE-2015-3206).
+Obtained from upstream, ignoring white-space changes, URL:
+https://github.com/02strich/pykerberos/commit/
+   02d13860b25fab58e739f0e000bed0067b7c6f9c
+
+ -- Guido Günther <a...@sigxcpu.org>  Sat, 05 Sep 2015 15:31:19 +0200
+
 pykerberos (1.1+svn4895-1) unstable; urgency=low
 
   * [d6e470d] fix typo in package description (Closes: #520276) - thanks to
diff --git a/debian/examples b/debian/examples
index de45608..10845a7 100644
--- a/debian/examples
+++ b/debian/examples
@@ -1 +1,2 @@
 bin/ftp-gss
+bin/login
diff --git a/pysrc/kerberos.py b/pysrc/kerberos.py
index eb8839f..a6c4c3a 100644
--- a/pysrc/kerberos.py
+++ b/pysrc/kerberos.py
@@ -27,7 +27,7 @@ class BasicAuthError(KrbError):
 class GSSError(KrbError):
 pass
 
-def checkPassword(user, pswd, service, default_realm):
+def checkPassword(user, pswd, service, default_realm, verify=False):
 """
 This function provides a simple way to verify that a user name and password match
 those normally used for Kerberos authentication. It does this by checking that the
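Review bot: `verify=False` as the default in the new signature means every existing caller of checkPassword() keeps the unverified behaviour that CVE-2015-3206 describes until it is changed to pass `verify=True`. The default is a deliberate choice for a stable update, so it should be stated where the API is documented: say in the docstring that False performs no KDC verification and that True needs a keytab with the service principal's keys (for non-root processes supplied via KRB5_KTNAME, as debian/NEWS explains).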
@@ -49,6 +49,8 @@ def checkPassword(user, pswd, service, default_realm):
 @param default_realm: a string containing the default realm to use if one is not
 supplied in the user argument. Note that Kerberos realms are normally all
 uppercase (e.g., 'EXAMPLE.COM').
+@param verify:a boolean flagging KDC verification to enabled or disabled
+  (default: False).
 @return:  True if authentication succeeds, False otherwise.
 """
 
diff --git a/src/kerberos.c b/src/kerberos.c
index e0d8938..a887f7c 100644
--- a/src/kerberos.c
+++ b/src/kerberos.c
@@ -31,12 +31,13 @@ static PyObject *checkPassword(PyObject *self, PyObject *args)
 const char *pswd;
 const char *service;
 const char *default_realm;
+int verify = 0;
 int result = 0;
 
-if (!PyArg_ParseTuple(args, "", , , , _realm))
+if (!PyArg_ParseTuple(args, "|b", , , , _realm, ))
 return NULL;
 
-result = authenticate_user_krb5pwd(user, pswd, service, default_realm);
+result = authenticate_user_krb5pwd(user, pswd, service, default_realm, verify);
 
 if (result)
 return Py_INCREF(Py_True), Py_True;
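Review bot: `verify` is declared as `int` but is parsed with the `b` format unit, which stores an unsigned char, and is then passed to a parameter declared `unsigned char verify` in src/kerberosbasic.c. Only one byte of the int is written by the parser; on a big-endian host that is the most significant byte, so the value is truncated back to 0 when it is narrowed for the call and verification is silently skipped even though the caller asked for it. Declare it as `unsigned char verify = 0;` to match both the format unit and the callee.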
diff --git a/src/kerberosbasic.c b/src/kerberosbasic.c
index 8b38f11..65ec176 100644
--- a/src/kerberosbasic.c
+++ b/src/kerberosbasic.c
@@ -26,9 +26,9 @@
 extern PyObject *BasicAuthException_class;
 static void set_basicauth_error(krb5_context context, krb5_error_code code);
 
-static krb5_error_code verify_krb5_user(krb5_context context, krb5_principal principal, const char *password, krb5_principal server);
+static krb5_error_code verify_krb5_user(krb5_context context, krb5_principal principal, const char *password, krb5_principal server, unsigned char verify);
 
-int authenticate_user_krb5pwd(const char *user, const char *pswd, const char *service, const char *default_realm)
+int authenticate_user_krb5pwd(const char *user, const char *pswd, const char *service, const char *default_realm, unsigned char verify)
 {
 krb5_contextkcontext = NULL;
 krb5_error_code code;
@@ -87,7 +87,7 @@ int authenticate_user_krb5pwd(const char *user, const char *pswd, const char *se
 goto end;
 }
 
-code = verify_krb5_user(kcontext, client, pswd, server);
+code = verify_krb5_user(kcontext, client, pswd, server, verify);
 
 if (code)
 {
@@ -113,10 +113,11 @@ end:
 }
 
 /* Inspired by krb5_verify_user from Heimdal */
-static krb5_error_code verify_krb5_user(krb5_context context, krb5_principal principal, const c

Bug#798028: jessie-pu: package pykerberos/1.1.5-0.1+deb8u1

2015-09-04 Thread Guido Günther
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,
I'd like to fix CVE-2015-3206 (a lack (missing KDC authenticity
verification) for jessie via a point release. The debdiff is
attached. The bug is fixed in unstable as well as squeeze-lts already.

As in squeeze-lts the KDC check is disabled by default to not break existing
installations.

Cheers,
 -- Guido.


-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'unstable'), 
(500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 000..490dd3d
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,42 @@
+pykerberos (1.1.5-0.1+deb8u1) jessie; urgency=medium
+ 
+  The python-kerberos checkPassword() method has been badly insecure in
+  previous releases. It used to do (and still does by default) a kinit
+  (AS-REQ) to ask a KDC for a TGT for the given user principal, and
+  interprets the success or failure of that as indicating whether the
+  password is correct. It does not, however, verify that it actually spoke
+  to a trusted KDC: an attacker may simply reply instead with an AS-REP
+  which matches the password he just gave you.
+  .
+  Imagine you were verifying a password using LDAP authentication rather
+  than Kerberos: you would, of course, use TLS in conjunction with LDAP to
+  make sure you were talking to a real, trusted LDAP server. The same
+  requirement applies here. kinit is not a password-verification service.
+  .
+  The usual way of doing this is to take the TGT you've obtained with the
+  user's password, and then obtain a ticket for a principal for which the
+  verifier has keys (e.g. a web server processing a username/password form
+  login might get a ticket for its own HTTP/host@REALM principal), which
+  it can then verify. Note that this requires that the verifier has its
+  own Kerberos identity, which is mandated by the symmetric nature of
+  Kerberos (whereas in the LDAP case, the use of public-key cryptography
+  allows anonymous verification).
+  .
+  The fact of pykerberos being susceptible to KDC spoofing attacks has
+  been filed as CVE-2015-3206.
+  .
+  With this version of the pykerberos package a new option is introduced
+  for the checkPassword() method. Setting verify to True when using
+  checkPassword() will perform a KDC verification. For this to work, you
+  need to provide a krb5.keytab file containing service principal keys for
+  the service you intend to use.
+  .
+  As the default krb5.keytab file in /etc is normally not accessible by
+  non-root users/processes, you have to make sure a custom krb5.keytab
+  file containing the correct principal keys is provided to your
+  application using the KRB5_KTNAME environment variable.
+  .
+  Note: In Debian Jessie, KDC verification support is disabled by default in
+  ordner not to break existing setups.
+ 
+ -- Guido Günther <a...@sigxcpu.org>  Sat, 22 Aug 2015 12:08:41 +0200
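Review bot: in the last paragraph of the new debian/NEWS, "in ordner not to break existing setups" should be "in order not to break existing setups". The two otherwise empty added lines (directly after the header line and directly before the signature) also carry a trailing space; dropping it keeps the file clean for later diffs.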
diff --git a/debian/changelog b/debian/changelog
index 9521150..e382a4a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+pykerberos (1.1.5-0.1+deb8u1) jessie; urgency=medium
+
+  * Add KDC authenticity verification support (CVE-2015-3206)
+Obtained from upstream, ignoring white-space changes, URL:
+https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c
+(Closes: #796195)
+
+ -- Guido Günther <a...@sigxcpu.org>  Sat, 22 Aug 2015 13:48:57 +0200
+
 pykerberos (1.1.5-0.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff --git a/debian/examples b/debian/examples
index de45608..10845a7 100644
--- a/debian/examples
+++ b/debian/examples
@@ -1 +1,2 @@
 bin/ftp-gss
+bin/login
diff --git a/debian/patches/Add-KDC-authenticity-verification-support-CVE-2015-3206.patch b/debian/patches/Add-KDC-authenticity-verification-support-CVE-2015-3206.patch
new file mode 100644
index 000..e495497
--- /dev/null
+++ b/debian/patches/Add-KDC-authenticity-verification-support-CVE-2015-3206.patch
@@ -0,0 +1,150 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <a...@sigxcpu.org>
+Date: Sat, 22 Aug 2015 11:51:13 +0200
+Subject: Add KDC authenticity verification support (CVE-2015-3206)
+
+Obtained from upstream, ignoring white-space changes, URL:
+https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c
+---
+ pysrc/kerberos.py   |  4 +++-
+ src/kerberos.c  |  5 +++--
+ src/kerberosbasic.c | 41 ++---
+ src/kerberosbasic.h |  2 +-
+ 4 files changed, 41 insertions(+), 11 deletions(-)
+
+diff --git a/pysrc/kerberos.py b/pysrc/kerberos.py
+inde

Bug#796088: jessie-pu: package libvirt/1.2.9-9+deb8u1

2015-08-26 Thread Guido Günther
Hi,
On Mon, Aug 24, 2015 at 10:16:40PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Mon, 2015-08-24 at 20:10 +0200, intrigeri wrote:
> > Control: tag -1 - moreinfo
> >
> > Hi,
> >
> > Guido Günther wrote (20 Aug 2015 11:57:36 GMT) :
> > > On Wed, Aug 19, 2015 at 04:53:32PM +0100, Adam D. Barratt wrote:
> > > > I have to admit that I'm also confused by the patch for #786650:
> [...]
> > We've discussed this on #786650, and as a result here's an updated
> > debdiff: the only change, compared to the one Guido submitted
> > initially, is that Allow-access-to-libnl-3-config-files.patch now does
> > not include these changes, that are unrelated to #786650, that this
> > patch was meant to fix.
>
> That means it also still contains the typo where it claims to fix bug
> #7788171. :-)
>
> > I've just built and tested on Jessie, and could successfully start
> > a VM with AppArmor enforced.
>
> Thanks. Please feel free to upload, preferably with the changelog typo
> fixed.

Uploaded with the bugnumber fixed. Thanks intrigeri, Adam and Felix!
 -- Guido



Bug#796088: jessie-pu: package libvirt/1.2.9-9+deb8u1

2015-08-23 Thread Guido Günther
Hi,
On Sat, Aug 22, 2015 at 02:51:46PM +0100, Adam D. Barratt wrote:
> On Wed, 2015-08-19 at 18:37 +0200, Guido Günther wrote:
> > Hi,
> > On Wed, Aug 19, 2015 at 04:49:56PM +0100, Adam D. Barratt wrote:
> > > Control: tags -1 + moreinfo
> >
> > Thanks for looking into this so quickly.
> >
> > >
> > > On Wed, 2015-08-19 at 13:22 +0200, Guido Günther wrote:
> > > > I'd like to update libvirt in unstable to fix the broken AppArmor
> > >
> > > I assume stable :-)
> > >
> > > > support, a crash during live migration and an error handling problem
> > > > leading lots of users into the wrong direction. The debdiff is attached
> > > > and all bugs are already fixed in either sid or experimental (due to the
> > > > g++ transition).
> > >
> > > I have to admit that I'd really prefer that to be already fixed in
> > > sid. I'm not sure where libvirt is in the transition pile though.
> >
> > How would I find out? Libvirt is C but there's very likely C++ in the
> > dependency graph.
>
> As long as there's no C++ code in libvirt itself and it does not expose
> any C++ artefacts in its public ABI, uploading it to unstable now should
> be fine.

There's no C++ involved so uploaded now...

>
> > > > We also have to disable the test suite due to a libxml2 bug.
> > >
> > > Ewww.
> >
> > Yeah, that's bad.
>
> I assume simply disabling some tests isn't a useful or viable option?

I'd rather put the time into fixing libxml2. While it's possible to skip
the affected tests it would introduce more changes in libvirt since we'd
need to switch to dh_autoreconf when changing makefiles to skip the
tests. I'd rather reenable the tests once libxml2 is fixed (since the
libxml2 bug also leads to some user visible regressions visible in
libvirt)
Cheers,
 -- Guido

>
> > >
> > > > +  * [be70aec] Fix crash on live migration
> > > > +this supplements 07dbec0a64783f644854a22aa0355720f0328d17.
> > > > +Thanks to Eckebrecht von Pappenheim (Closes: #7788171)
> > >
> > > ITYM #788171. However, the metadata for that bug suggests it's not
> > > currently fixed in either experimental or unstable.
> >
> > Missing bug hygiene on my end. The patch was in fact a cherry-pick from
> > a newer version and I just checked that it's still fixed in 1.2.18.
>
> Ah, thanks.
>
> Regards,
>
> Adam
>



Re: [Pkg-libvirt-maintainers] virt-manager is marked for autoremoval from testing

2015-08-22 Thread Guido Günther
Hi,
On Sat, Aug 22, 2015 at 04:39:05AM +, Debian testing autoremoval watch 
wrote:
> virt-manager 1:1.0.1-5 is marked for autoremoval from testing on 2015-09-09
>
> It is affected by these RC bugs:
> 793601: virt-manager: purging virt-manager deletes files owned by virtinst: 
> /usr/share/virt-manager/**/*.py

This is fixed in experimental, is it o.k. to upload to sid without
interfering with the gcc transition? The package is python only.

Cheers,
 -- Guido



Re: [Pkg-libvirt-maintainers] virt-manager is marked for autoremoval from testing

2015-08-22 Thread Guido Günther
On Sat, Aug 22, 2015 at 02:53:09PM +0100, Adam D. Barratt wrote:
> Hi,
>
> On Sat, 2015-08-22 at 11:59 +0200, Guido Günther wrote:
> > Hi,
> > On Sat, Aug 22, 2015 at 04:39:05AM +, Debian testing autoremoval watch 
> > wrote:
> > > virt-manager 1:1.0.1-5 is marked for autoremoval from testing on 
> > > 2015-09-09
> > >
> > > It is affected by these RC bugs:
> > > 793601: virt-manager: purging virt-manager deletes files owned by 
> > > virtinst: /usr/share/virt-manager/**/*.py
> >
> > This is fixed in experimental, is it o.k. to upload to sid without
> > interfering with the gcc transition? The package is python only.
>
> Similarly to libvirt, as long as there's no C++ code in virt-manager and
> it does not expose any C++ artefacts in its public ABI, uploading it to
> unstable now should be fine. Python only shouldn't be an issue.

It's python only - thanks for the clarification!
Cheers,
 -- Guido



Bug#796088: jessie-pu: package libvirt/1.2.9-9+deb8u1

2015-08-20 Thread Guido Günther
Hi,
On Wed, Aug 19, 2015 at 04:53:32PM +0100, Adam D. Barratt wrote:
> I have to admit that I'm also confused by the patch for #786650:
>
> On Wed, 2015-08-19 at 13:22 +0200, Guido Günther wrote:
>
> > +Subject: Allow access to libnl-3 config files
> [...]
> > ++  /etc/libnl-3/classid r,
> > ++
>
> That seems to make sense...
>
> > +   # for hostdev
> > +   /sys/devices/ r,
> > +   /sys/devices/** r,
> > ++  deny /dev/sd* r,
> > ++  deny /dev/vd* r,
> > ++  deny /dev/dm-* r,
> > ++  deny /dev/mapper/ r,
> > ++  deny /dev/mapper/* r,
>
> ... these not so much.

According to Felix (cc:) these are only here to silence some denials
filling the logs otherwise. So they cause no harm but are not mentioned
in the changelog. I could fix that up before an upload.
Cheers,
 -- Guido



Bug#796088: jessie-pu: package libvirt/1.2.9-9+deb8u1

2015-08-19 Thread Guido Günther
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,
I'd like to update libvirt in unstable to fix the broken AppArmor
support, a crash during live migration and an error handling problem
leading lots of users into the wrong direction. The debdiff is attached
and all bugs are already fixed in either sid or experimental (due to the
g++ transition).

We also have to disable the test suite due to a libxml2 bug.

O.k. to upload to p-u?
Cheers,
 -- Guido

-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'unstable'), 
(500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 5932017..5c79c12 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,24 @@
+libvirt (1.2.9-9+deb8u1) jessie; urgency=medium
+
+  [ Guido Günther ]
+  * [8e4cf5a] Teach virt-aa-helper to use TEMPLATE.qemu if the domain is kvm
+or kqemu.
+Thanks to Luke Faraone for the report (Closes: #786650)
+  * [ad1ff0b] Adjust gbp.conf for jessie
+  * [c830a54] Disable test suite due to libxml2 bug #781232 in jessie
+  * [be70aec] Fix crash on live migration
+this supplements 07dbec0a64783f644854a22aa0355720f0328d17.
+Thanks to Eckebrecht von Pappenheim (Closes: #7788171)
+
+  [ Felix Geyer ]
+  * [9fb6c59] Allow access to libnl-3 configuration (Closes: #786652)
+
+  [ Daniel P. Berrange ]
+  * [afae69a] Report original error when QMP probing fails with new QEMU
+(Closes: #780093)
+
+ -- Guido Günther a...@sigxcpu.org  Thu, 13 Aug 2015 15:56:49 +0200
+
 libvirt (1.2.9-9) unstable; urgency=medium
 
   * [4c14b83] qemu: Don't try to parse -help for new QEMU.
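Review bot: two bug references in the new entry do not line up. `(Closes: #7788171)` on the live-migration item has seven digits and the same number is repeated in the header of Fix-crash-on-live-migration.patch; and the libnl-3 item closes #786652 here while Allow-access-to-libnl-3-config-files.patch says `Closes: #786650`, which this entry already assigns to the virt-aa-helper template change. Please check both numbers against the BTS and make the changelog and the patch headers agree, since a wrong number will close or leave open the wrong bug on upload.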
diff --git a/debian/gbp.conf b/debian/gbp.conf
index c97ab1d..3673a45 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,6 +1,7 @@
 [DEFAULT]
 upstream-branch=upstream/sid
-debian-branch=master
+debian-branch=debian/jessie
+dist=jessie
 
 [gbp-pq]
 patch-numbers = False
diff --git a/debian/patches/Allow-access-to-libnl-3-config-files.patch b/debian/patches/Allow-access-to-libnl-3-config-files.patch
new file mode 100644
index 000..6932e41
--- /dev/null
+++ b/debian/patches/Allow-access-to-libnl-3-config-files.patch
@@ -0,0 +1,30 @@
+From: Felix Geyer fge...@debian.org
+Date: Sat, 13 Jun 2015 10:22:40 +0200
+Subject: Allow access to libnl-3 config files
+
+Closes: #786650
+---
+ examples/apparmor/usr.lib.libvirt.virt-aa-helper | 7 +++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+index bceaaff..60739d0 100644
+--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
 b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+@@ -16,9 +16,16 @@
+   owner @{PROC}/[0-9]*/status r,
+   @{PROC}/filesystems r,
+ 
++  /etc/libnl-3/classid r,
++
+   # for hostdev
+   /sys/devices/ r,
+   /sys/devices/** r,
++  deny /dev/sd* r,
++  deny /dev/vd* r,
++  deny /dev/dm-* r,
++  deny /dev/mapper/ r,
++  deny /dev/mapper/* r,
+ 
+   /usr/lib/libvirt/virt-aa-helper mr,
+   /sbin/apparmor_parser Ux,
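Review bot: the five added `deny /dev/...` rules are not covered by the patch subject ("Allow access to libnl-3 config files") or by the changelog. Explicit deny rules in an AppArmor profile both suppress the audit log message and take precedence over allow rules, so they change what an administrator can see and override later; either move them into their own patch with a description, or add a comment above them in the profile stating that they exist to silence denials, and mention them in debian/changelog.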
diff --git a/debian/patches/Fix-crash-on-live-migration.patch b/debian/patches/Fix-crash-on-live-migration.patch
new file mode 100644
index 000..9bd259c
--- /dev/null
+++ b/debian/patches/Fix-crash-on-live-migration.patch
@@ -0,0 +1,25 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= a...@sigxcpu.org
+Date: Sat, 13 Jun 2015 10:38:26 +0200
+Subject: Fix crash on live migration
+
+this supplements 07dbec0a64783f644854a22aa0355720f0328d17.
+
+Closes: #7788171
+Thanks: Eckebrecht von Pappenheim
+---
+ src/qemu/qemu_migration.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
+index e18556f..87f3f1a 100644
+--- a/src/qemu/qemu_migration.c
 b/src/qemu/qemu_migration.c
+@@ -2746,7 +2746,7 @@ qemuMigrationPrepareAny(virQEMUDriverPtr driver,
+ QEMU_ASYNC_JOB_MIGRATION_IN)  0)
+ goto stop;
+ 
+-if (STREQ(protocol, rdma) 
++if (STREQ_NULLABLE(protocol, rdma) 
+ virProcessSetMaxMemLock(vm-pid, vm-def-mem.hard_limit  10)  0) {
+ goto stop;
+ }
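Review bot: The `Closes: #7788171` line in the patch header has seven digits and looks like a typo; the reply further down this thread reads it as #788171, and the same number is repeated in the changelog entry. The header also gives only the commit it supplements, not the cause: the switch from `STREQ` to `STREQ_NULLABLE` implies `protocol` can be NULL at this point in `qemuMigrationPrepareAny`, and one sentence saying so would let a reader judge the fix without looking up 07dbec0a.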
diff --git a/debian/patches/series b/debian/patches/series
index fcb95a0..bac1f34 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -27,3 +27,7 @@ upstream/vbox-fix-a-bug-in-_machineStateInactive.patch
 security/CVE-2015-0236-qemu-Check-ACLs-when-dumping-security-.patch
 security/CVE-2015-0236-qemu-Check-ACLs-when-dumping-securi-14.patch
 qemu-Don-t-try-to-parse-help-for-new-QEM.patch
+upstream/Teach-virt-aa-helper-to-use-TEMPLATE.qemu-if-the-dom.patch
+Allow-access-to-libnl-3

Bug#796088: jessie-pu: package libvirt/1.2.9-9+deb8u1

2015-08-19 Thread Guido Günther
Hi,
On Wed, Aug 19, 2015 at 04:49:56PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo

Thanks for looking into this so quickly.

 
> On Wed, 2015-08-19 at 13:22 +0200, Guido Günther wrote:
> > I'd like to update libvirt in unstable to fix the broken AppArmor
>
> I assume stable :-)
>
> > support, a crash during live migration and an error handling problem
> > leading lots of users into the wrong direction. The debdiff is attached
> > and all bugs are already fixed in either sid or experimental (due to the
> > g++ transition).
>
> I have to admit that I'd really prefer that to be already fixed in
> sid. I'm not sure where libvirt is in the transition pile though.

How would I find out? Libvirt is C but there's very likely C++ in the
dependency graph.

 
> > We also have to disable the test suite due to a libxml2 bug.
>
> Ewww.

Yeah, that's bad.

 
 +  * [be70aec] Fix crash on live migration
 +this supplements 07dbec0a64783f644854a22aa0355720f0328d17.
 +Thanks to Eckebrecht von Pappenheim (Closes: #7788171)
 
> ITYM #788171. However, the metadata for that bug suggests it's not
> currently fixed in either experimental or unstable.

Missing bug hygiene on my end. The patch was in fact a cherry-pick from
a newer version and I just checked that it's still fixed in 1.2.18.

Cheers,
 -- Guido



Bug#782064: unblock: virt-manager/1:1.0.1-5

2015-04-07 Thread Guido Günther
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package virt-manager

This fixes these issues:

* Make sure we don't use incompatible VTE versions (#781127)
* virtinst: only depend on QEMU utils. When merging virtinst with
  virt-manager this got broken again. (Closes #644196 again)
* Also ship virt-xml. A simple python script to validate
  libvirt XML. (#775399). Another victim of the virtinst -
  virt-manager merger in early 2014.

The debdiff is attached.
Cheers,
 -- Guido

unblock virt-manager/1:1.0.1-5

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-updates'), (500, 'unstable'), 
(1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-rc6 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index c0bb905..e258a47 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+virt-manager (1:1.0.1-5) unstable; urgency=medium
+
+  * [b58bb6a] Add virt-xml (Closes: #775399)
+  * [44b9a97] Switch qemu recommendation to qemu-utils.  We only need the
+command line tools.
+  * [5eabe1d] Make sure we use a binary compatible version of vte.  Thanks to
+Vincent Danjean for the detailed report (Closes: #781127)
+
+ -- Guido Günther a...@sigxcpu.org  Wed, 25 Mar 2015 15:09:09 +0100
+
 virt-manager (1:1.0.1-4) unstable; urgency=medium
 
   * [8b6f491] Drop Gtk2 only python-spice-client-gtk
diff --git a/debian/control b/debian/control
index e4d2afd..1c0ef5a 100644
--- a/debian/control
+++ b/debian/control
@@ -47,7 +47,7 @@ Package: virtinst
 Architecture: all
 Depends: ${python:Depends}, ${shlibs:Depends}, ${misc:Depends}, python-libvirt (= 0.4.6),
  python-libxml2, python-urlgrabber
-Recommends: virt-viewer, qemu
+Recommends: virt-viewer, qemu-utils
 Description: Programs to create and clone virtual machines
  Virtinst is a set of commandline tools to create virtual machines using
  libvirt:
diff --git a/debian/patches/Make-sure-we-use-a-binary-compatible-version-of-vte.patch b/debian/patches/Make-sure-we-use-a-binary-compatible-version-of-vte.patch
new file mode 100644
index 000..2d047b8
--- /dev/null
+++ b/debian/patches/Make-sure-we-use-a-binary-compatible-version-of-vte.patch
@@ -0,0 +1,22 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= a...@sigxcpu.org
+Date: Wed, 25 Mar 2015 15:00:26 +0100
+Subject: Make sure we use a binary compatible version of vte
+
+Closes: #781127
+---
+ virtManager/serialcon.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/virtManager/serialcon.py b/virtManager/serialcon.py
+index 96e3d2f..ef4a394 100644
+--- a/virtManager/serialcon.py
 b/virtManager/serialcon.py
+@@ -29,6 +29,8 @@ import logging
+ from gi.repository import Gdk
+ from gi.repository import GLib
+ from gi.repository import Gtk
++import gi
++gi.require_version('Vte', '2.90')
+ from gi.repository import Vte
+ # pylint: enable=E0611
+ 
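Review bot: Nothing in this debdiff adjusts the package dependencies to match the `gi.require_version('Vte', '2.90')` pin added ahead of `from gi.repository import Vte`. `require_version` raises when that typelib version is not installed, so the binary package needs an explicit dependency on the Vte 2.90 typelib; please confirm `debian/control` already has one. As a style point, `import gi` would normally sit above the `from gi.repository import ...` lines rather than in the middle of them.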
diff --git a/debian/patches/series b/debian/patches/series
index 7930bea..79062f3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@ Move-GConf-values-to-GSettings.patch
 fix-removable-drive-support.patch
 details-Fix-changing-graphics-type-bz-1083903.patch
 Make-SpiceClientGtk-optional.patch
+Make-sure-we-use-a-binary-compatible-version-of-vte.patch
diff --git a/debian/virtinst.install b/debian/virtinst.install
index e011fbf..c74898c 100644
--- a/debian/virtinst.install
+++ b/debian/virtinst.install
@@ -2,15 +2,18 @@ usr/bin/virt-clone
 usr/bin/virt-convert
 usr/bin/virt-image
 usr/bin/virt-install
+usr/bin/virt-xml
 usr/share/man/man5/virt-image.5
 usr/share/man/man1/virt-install.1
 usr/share/man/man1/virt-image.1
 usr/share/man/man1/virt-convert.1
 usr/share/man/man1/virt-clone.1
+usr/share/man/man1/virt-xml.1
 usr/share/virt-manager/virt-clone
 usr/share/virt-manager/virt-convert
 usr/share/virt-manager/virt-image
 usr/share/virt-manager/virt-install
+usr/share/virt-manager/virt-xml
 usr/share/virt-manager/virtcli
 usr/share/virt-manager/virtconv
 usr/share/virt-manager/virtinst


Bug#777568: unblock: libvirt/1.2.9-9

2015-02-09 Thread Guido Günther
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libvirt

This upload fixes two bugs with qemu/kvm preventing VMs from starting. The
cleanup is an upgrade issue while the caps probing is a race with
recent (as in jessie) qemu.

Please unblock libvirt.
Cheers,
 -- Guido

unblock libvirt/1.2.9-9

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-updates'), (500, 'unstable'), 
(1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-rc6 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 3f49894..5932017 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+libvirt (1.2.9-9) unstable; urgency=medium
+
+  * [4c14b83] qemu: Don't try to parse -help for new QEMU.
+Closes: #777138, #775773
+Thanks to Mathieu Malaterre for the debugging
+  * [1addae5] Force capability refresh on upgrades. This makes sure we
+refresh the capabilities at least once when upgrading from Wheezy.
+(Closes: #731815)
+
+ -- Guido Günther a...@sigxcpu.org  Fri, 06 Feb 2015 15:40:21 +0100
+
 libvirt (1.2.9-8) unstable; urgency=medium
 
   * [885f33d] Fix CVE-2015-0236.
diff --git a/debian/libvirt-daemon-system.postinst 
b/debian/libvirt-daemon-system.postinst
index ff68fd3..5d3ebd0 100644
--- a/debian/libvirt-daemon-system.postinst
+++ b/debian/libvirt-daemon-system.postinst
@@ -108,6 +108,9 @@ case $1 in
 if [ -d /run/systemd/system ]  systemctl status virtlockd.service 
/dev/null; then
systemctl reload virtlockd.service
 fi
+
+# Force refresh of capabilties (#731815)
+rm -f /var/cache/libvirt/qemu/capabilities/*.xml
 ;;
 
 abort-upgrade|abort-remove|abort-deconfigure)
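Review bot: The `rm -f /var/cache/libvirt/qemu/capabilities/*.xml` added just before `;;` is unconditional, so the capability cache is deleted every time this postinst branch runs, while the changelog only asks for a refresh at least once when upgrading from Wheezy. If a one-time refresh is the intent, guard the `rm` on the previously configured version in `$2` with `dpkg --compare-versions`. If dropping the cache on every run is deliberate, say so in the comment. The comment also misspells "capabilities" as "capabilties".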
diff --git a/debian/patches/qemu-Don-t-try-to-parse-help-for-new-QEM.patch 
b/debian/patches/qemu-Don-t-try-to-parse-help-for-new-QEM.patch
new file mode 100644
index 000..cdadbaf
--- /dev/null
+++ b/debian/patches/qemu-Don-t-try-to-parse-help-for-new-QEM.patch
@@ -0,0 +1,39 @@
+From: Mathieu Malaterre ma...@debian.org
+Date: Thu, 5 Feb 2015 16:05:49 +0100
+Subject: Description: qemu: Don't try to parse -help for new QEMU
+
+Since QEMU 1.2.0, we switched to QMP probing instead of parsing -help
+(and other commands, such as -cpu ?) output. However, if QMP probing
+failed, we still tried starting QEMU with various options and parsing
+the output, which was guaranteed to fail because the output changed.
+Let's just refuse parsing -help for QEMU = 1.2.0.
+
+Author: Jiri Denemark jdenemar redhat com
+Bug-Debian: https://bugs.debian.org/777138
+Origin: upstream, 
https://www.redhat.com/archives/libvir-list/2014-November/msg00407.html
+Reviewed-By: Mathieu Malaterre ma...@debian.org
+---
+ src/qemu/qemu_capabilities.c | 10 ++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
+index a409aaf..9e0158c 100644
+--- a/src/qemu/qemu_capabilities.c
 b/src/qemu/qemu_capabilities.c
+@@ -1382,6 +1382,16 @@ int virQEMUCapsParseHelpStr(const char *qemu,
+ 
+ *version = (major * 1000 * 1000) + (minor * 1000) + micro;
+ 
++/* Refuse to parse -help output for QEMU releases = 1.2.0 that should be
++ * using QMP probing.
++ */
++if (*version  1002000) {
++virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
++   _(QEMU %u.%u.%u is too new for help parsing),
++   major, minor, micro);
++goto cleanup;
++}
++
+ if (virQEMUCapsComputeCmdFlags(help, *version, *is_kvm, *kvm_version,
+qemuCaps, check_yajl)  0)
+ goto cleanup;
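Review bot: The `Subject:` line of the patch header reads `Description: qemu: Don't try to parse -help for new QEMU`, so a leftover `Description:` field name has ended up inside the subject; drop it so the subject is just the upstream summary. The new `virReportError` text also says only that the QEMU version is too new for help parsing. Since the description states that this path is reached after QMP probing has failed, mentioning that failure in the message would point whoever reads the log at the actual cause.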
diff --git a/debian/patches/series b/debian/patches/series
index fb694c9..fcb95a0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -26,3 +26,4 @@ lxc-Don-t-crash-on-NULL-ifname_guest_actual.patch
 upstream/vbox-fix-a-bug-in-_machineStateInactive.patch
 security/CVE-2015-0236-qemu-Check-ACLs-when-dumping-security-.patch
 security/CVE-2015-0236-qemu-Check-ACLs-when-dumping-securi-14.patch
+qemu-Don-t-try-to-parse-help-for-new-QEM.patch

