Bug#1069672: bookworm-pu: package flatpak/1.14.8-1~deb12u1

[Simon McVittie]

On Tue, 30 Apr 2024 at 17:54:29 +0100, Simon McVittie wrote:
> flatpak 1.14.7 has now been released, closely followed by 1.14.8 to
> revert unintended changes to the libglnx and bubblewrap submodules.
> I would like to get this into a Debian 12 point release if possible.

Based on in-person discussion with a release team member, I've uploaded
this to proposed-updates NEW in the hope that the new upstream stable
release can be accepted into a future bookworm update.

If it is likely to be rejected, please let me know so that I can propose a
more minimal update via patches (in particular fixing the high-visibility
app-name bug, which has lingered for too long).

Thanks,
smcv

Bug#1071161: glib2.0 2.66.8-1+deb11u4 flagged for acceptance

[Simon McVittie]

On Mon, 20 May 2024 at 20:12:24 +, Adam D Barratt wrote:
> The upload referenced by this bug report has been flagged for acceptance
> into the proposed-updates queue for Debian bullseye.
...
> Package: glib2.0
> Version: 2.66.8-1+deb11u4
> Explanation: fix a (rare) memory leak

Thanks for reviewing this change. Please consider also accepting #1071159
into bookworm-p-u (same change, different base version) to preserve the
property that bookworm has no regressions when compared with bullseye,
which I assume is something we want to be able to treat as an invariant.

smcv

Bug#1071161: bullseye-pu: package glib2.0/2.66.8-1+deb11u4

[Simon McVittie]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: glib...@packages.debian.org
Control: affects -1 + src:glib2.0

[ Reason ]
Fix a minor memory leak introduced by recent security updates, matching
a similar request for bookworm-pu.

[ Impact ]
In an unusual situation that I believe is very rare in practice, programs
using D-Bus via GLib will leak memory.

[ Tests ]
There is a relatively extensive test suite, which is how the leak was found
in the first place, and it still passes.

I no longer have Debian 11 on real hardware, but I tried the proposed
version briefly in a GNOME virtual machine and it still works.

[ Risks ]
Low risk. The change is small and obviously correct, already migrated
to testing, and was included in the backported security fix for Debian
10 LTS. It was discovered too late to be included with the more serious
regression fixes in Debian 12 and 11, and in any case would not have been
urgent enough to justify delaying fixes for the more serious regression.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  - this is vs. bullseye-security, I assume that's OK
  [x] the issue is verified as fixed in unstable

[ Changes ]
All changes are for this single bug fix.

[ Other info ]
I already uploaded the proposed version to bullseye-proposed-updates.

The security team did not consider this to be important enough to issue
another DSA update.
diffstat for glib2.0-2.66.8 glib2.0-2.66.8

 debian/changelog   |8 +
 debian/patches/gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch |   41 ++
 debian/patches/series  |1 
 gio/gdbusmessage.c |6 -
 4 files changed, 53 insertions(+), 3 deletions(-)

diff -Nru glib2.0-2.66.8/debian/changelog glib2.0-2.66.8/debian/changelog
--- glib2.0-2.66.8/debian/changelog	2024-05-08 16:25:40.0 +0100
+++ glib2.0-2.66.8/debian/changelog	2024-05-14 11:12:17.0 +0100
@@ -1,3 +1,11 @@
+glib2.0 (2.66.8-1+deb11u4) bullseye; urgency=medium
+
+  * d/p/gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch:
+Add patch from upstream fixing a memory leak that can occur in
+rare situations since 2.66.8-1+deb11u2 (Closes: #1070851)
+
+ -- Simon McVittie   Tue, 14 May 2024 11:12:17 +0100
+
 glib2.0 (2.66.8-1+deb11u3) bullseye-security; urgency=high
 
   * d/p/CVE-2024-34397/gdbusconnection-Allow-name-owners-to-have-the-syntax-of-a.patch:
diff -Nru glib2.0-2.66.8/debian/patches/gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch glib2.0-2.66.8/debian/patches/gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch
--- glib2.0-2.66.8/debian/patches/gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch	1970-01-01 01:00:00.0 +0100
+++ glib2.0-2.66.8/debian/patches/gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch	2024-05-14 11:12:17.0 +0100
@@ -0,0 +1,41 @@
+From: =?utf-8?b?Ik1hcmNvIFRyZXZpc2FuIChUcmV2acOxbyki?= 
+Date: Wed, 8 May 2024 22:53:51 +0200
+Subject: gdbusmessage: Clean the cached arg0 when setting the message body
+
+We're now caching arg0 but such value is not cleared when a new body is
+set as it's in the connection filter test cases where we've a leak as
+highlighted by both valgrind and leak sanitizer
+
+Origin: upstream, 2.80.3, commit:fe89e9f3cb6e0fd0dc2bd8a2d413799e1443cef1
+Bug-Debian: https://bugs.debian.org/1070851
+---
+ gio/gdbusmessage.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/gio/gdbusmessage.c b/gio/gdbusmessage.c
+index c4357cb..ffe8827 100644
+--- a/gio/gdbusmessage.c
 b/gio/gdbusmessage.c
+@@ -1127,10 +1127,12 @@ g_dbus_message_set_body (GDBusMessage  *message,
+ 
+   if (message->body != NULL)
+ g_variant_unref (message->body);
++
++  g_clear_pointer (>arg0_cache, g_variant_unref);
++
+   if (body == NULL)
+ {
+   message->body = NULL;
+-  message->arg0_cache = NULL;
+   g_dbus_message_set_signature (message, NULL);
+ }
+   else
+@@ -1144,8 +1146,6 @@ g_dbus_message_set_body (GDBusMessage  *message,
+   if (g_variant_is_of_type (message->body, G_VARIANT_TYPE_TUPLE) &&
+   g_variant_n_children (message->body) > 0)
+ message->arg0_cache = g_variant_get_child_value (message->body, 0);
+-  else
+-message->arg0_cache = NULL;
+ 
+   type_string = g_variant_get_type_string (body);
+   type_string_len = strlen (type_string);
diff -Nru glib2.0-2.66.8/debian/patches/series glib2.0-2.66.8/debian/patches/series
--- glib2.0-2.66.8/debian/patches/series	2024-05-08 16:25:40.0 +0100
+++ glib2.0-2.66.8/debian/patches/s

Bug#1071159: bookworm-pu: package glib2.0/2.74.6-2+deb12u3

[Simon McVittie]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: glib...@packages.debian.org
Control: affects -1 + src:glib2.0

[ Reason ]
Fix a minor memory leak introduced by recent security updates.

[ Impact ]
In an unusual situation that I believe is very rare in practice, programs
using D-Bus via GLib will leak memory.

(Specifically, that situation is: the program allocates a GDBus message
with a non-empty body, then replaces the message body with something
different, and the original body is leaked. The only use I'm aware of
for editing messages in this way in Debian was in a hack to avoid gdm3
upgrades from jessie to stretch being unable to unlock the screensaver,
by rewriting D-Bus messages in-place, and that was removed between
stretch and buster.)

[ Tests ]
There is a relatively extensive test suite, which is how the leak was found
in the first place, and it still passes.

The proposed version is also working well to run the GNOME environment
where I'm typing this.

[ Risks ]
Low risk. The change is small and obviously correct, already migrated
to testing, and was included in the backported security fix for Debian
10 LTS. It was discovered too late to be included with the more serious
regression fixes in Debian 12 and 11, and in any case would not have been
urgent enough to justify delaying fixes for the more serious regression.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  - the debdiff is vs. bookworm-security, I assume that's OK
  [x] the issue is verified as fixed in unstable

[ Changes ]
All changes are for this single bug fix.

[ Other info ]
I already uploaded to -proposed-updates.

The security team agreed with my assessment that this is not important
enough to issue another DSA update.

Thanks,
smcv
diffstat for glib2.0-2.74.6 glib2.0-2.74.6

 debian/changelog   |8 +
 debian/patches/gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch |   41 ++
 debian/patches/series  |1 
 gio/gdbusmessage.c |6 -
 4 files changed, 53 insertions(+), 3 deletions(-)

diff -Nru glib2.0-2.74.6/debian/changelog glib2.0-2.74.6/debian/changelog
--- glib2.0-2.74.6/debian/changelog	2024-05-08 12:35:38.0 +0100
+++ glib2.0-2.74.6/debian/changelog	2024-05-14 11:11:32.0 +0100
@@ -1,3 +1,11 @@
+glib2.0 (2.74.6-2+deb12u3) bookworm; urgency=medium
+
+  * d/p/gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch:
+Add patch from upstream fixing a memory leak that can occur in
+rare situations since 2.74.6-2+deb12u1 (Closes: #1070851)
+
+ -- Simon McVittie   Tue, 14 May 2024 11:11:32 +0100
+
 glib2.0 (2.74.6-2+deb12u2) bookworm-security; urgency=high
 
   * d/p/CVE-2024-34397/gdbusconnection-Allow-name-owners-to-have-the-syntax-of-a.patch:
diff -Nru glib2.0-2.74.6/debian/patches/gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch glib2.0-2.74.6/debian/patches/gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch
--- glib2.0-2.74.6/debian/patches/gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch	1970-01-01 01:00:00.0 +0100
+++ glib2.0-2.74.6/debian/patches/gdbusmessage-Clean-the-cached-arg0-when-setting-the-messa.patch	2024-05-14 11:11:32.0 +0100
@@ -0,0 +1,41 @@
+From: =?utf-8?b?Ik1hcmNvIFRyZXZpc2FuIChUcmV2acOxbyki?= 
+Date: Wed, 8 May 2024 22:53:51 +0200
+Subject: gdbusmessage: Clean the cached arg0 when setting the message body
+
+We're now caching arg0 but such value is not cleared when a new body is
+set as it's in the connection filter test cases where we've a leak as
+highlighted by both valgrind and leak sanitizer
+
+Origin: upstream, 2.80.3, commit:fe89e9f3cb6e0fd0dc2bd8a2d413799e1443cef1
+Bug-Debian: https://bugs.debian.org/1070851
+---
+ gio/gdbusmessage.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/gio/gdbusmessage.c b/gio/gdbusmessage.c
+index a8656df..9e8fca7 100644
+--- a/gio/gdbusmessage.c
 b/gio/gdbusmessage.c
+@@ -1164,10 +1164,12 @@ g_dbus_message_set_body (GDBusMessage  *message,
+ 
+   if (message->body != NULL)
+ g_variant_unref (message->body);
++
++  g_clear_pointer (>arg0_cache, g_variant_unref);
++
+   if (body == NULL)
+ {
+   message->body = NULL;
+-  message->arg0_cache = NULL;
+   g_dbus_message_set_signature (message, NULL);
+ }
+   else
+@@ -1181,8 +1183,6 @@ g_dbus_message_set_body (GDBusMessage  *message,
+   if (g_variant_is_of_type (message->body, G_VARIANT_TYPE_TUPLE) &&
+   g_variant_n_children (message->body) > 0)
+ message->arg0_cache = g_variant_get_child_value (message->bo

Re: Bug#1070706: gtk4 udeb has unsatisfiable dependencies

[Simon McVittie]

Control: severity 1070706 normal
Control: severity 1070714 normal

On Tue, 07 May 2024 at 22:53:33 +0200, Cyril Brulebois wrote:
> Simon McVittie  (2024-05-07):
> > do the release/installer teams consider udeb dependencies
> > on non-udeb packages, by udebs that d-i does not currently need or use,
> > to be a RC issue or merely a nice-to-have?
> 
> If udebs are actually used, I call that an RC bug and try to get it
> fixed swiftly (sometimes NMUing right away when time is of the essence).
> Otherwise I usually let those fly (without even filing bug reports).

In that case I'm downgrading #1070714 and #1070706 to normal, because the
issues I noticed while investigating #1070706 are worth tracking and being
aware of but non-RC, and the issue that Peter originally reported is not
actionable for the gtk4 maintainers (it needs to be fixed via a binNMU).

We'll need to revisit #1070714 and #1070706 if someone makes a concerted
effort to GTK3ize the installer, but that has been on my to-do list since
before bookworm and shows no signs of approaching the top, so it might
have to be someone else's project.

Thanks!

smcv

Re: Bug#1070706: gtk4 udeb has unsatisfiable dependencies

[Simon McVittie]

On Tue, 07 May 2024 at 22:02:12 +0200, Paul Gevers wrote:
> On 07-05-2024 7:49 p.m., Simon McVittie wrote:
> > The version in testing, 4.12.5+ds-3, has the same dependencies, so this
> > is not a regression.
> 
> Is it? It seems that the version in unstable depends on libpng16-16t64-udeb
> where the version in testing depends on libpng16-16-udeb. The later exists,
> the former not.

Oh, well spotted! It looks as though src:gtk4 needs a binNMU against
libpng-dev (>= 1.6.43-4) for #1066069, because we were unlucky with
the timing of gtk4's most recent upload and so it got built against the
incorrect libpng-dev.

My understanding is that a binNMU would be better than a sourceful upload
of gtk4 because it won't reset the migration clock. If that's correct,
please could someone with release team or wanna-build powers schedule it?

nmu gtk4_4.12.5+ds-6 . ALL . -m 'rebuild with #1066069 fixed'

Looking at the d-i Packages.gz for amd64, the only other source
package that has picked up the bad libpng16-16t64-udeb dependency
seems to be matchbox-keyboard, which needs a sourceful upload to fix an
implicit-declarations FTBFS anyway, therefore isn't useful to binNMU.

After those binNMUs, the gtk4 udeb will still not be installable into
the debian-installer environment (either in testing or in unstable), but
it should at least be able to migrate, because all of its dependencies
will be packages that exist (whether deb or udeb).

After that: do the release/installer teams consider udeb dependencies
on non-udeb packages, by udebs that d-i does not currently need or use,
to be a RC issue or merely a nice-to-have?

Thanks,
smcv

Re: Bug#1070706: gtk4 udeb has unsatisfiable dependencies

[Simon McVittie]

Control: tags -1 + d-i
Control: found -1 4.12.5+ds-3
Control: retitle -1 gtk4 udeb has unsatisfiable dependencies
Control: clone -1 -2
Control: retitle -2 libvte-2.91-0-udeb depends on both GTK 3 and GTK 4
Control: reassign -2 src:vte2.91 0.75.92-1

On Tue, 07 May 2024 at 15:44:02 +0100, Peter Michael Green wrote:
> According to britney, gtk4's udebs are uninstallable.

gtk4 is not yet used by debian-installer (which is still on GTK 2)
so the udeb is not actually necessary, and one workaround would be to
disable it entirely (but then we'd have to put GTK 4 through NEW again
if we are ever able to upgrade d-i to it).

The version in testing, 4.12.5+ds-3, has the same dependencies, so this
is not a regression. Is this requirement newly enforced by britney?

I think a large part of the problem is that when GTK 4 support was added
to src:vte2.91, both the GTK 3 and GTK 4 versions were put into the same
udeb package, libvte-2.91-0-udeb, instead of giving the GTK 4 version
its own udeb. However, I'm unsure how that change got into testing -
if britney is enforcing installability of udebs, I would have expected
that the updated libvte-2.91-0-udeb would have been newly-uninstallable,
preventing its migration?

It seems most realistic that d-i in Debian 13 will depend on GTK 3 if
someone finds the time to do the necessary porting and testing, or stay
on GTK 2 if not, so libvte-2.91-0-udeb should become a udeb version of
only libvte-2.91-0 (i.e. GTK 3 only) as it was in Debian 12, and drop
its GTK 4 parts. That would mean that GTK 4 would no longer be regressing
the installability of libvte-2.91-0-udeb.

If there is a serious attempt to get d-i using GTK *4*, then that would
require a new libvte-2.91-gtk4-0-udeb. However, GTK 4's threading model
is definitely incompatible with the current design of cdebconf-gtk (it
calls into GTK from more than one thread, which is discouraged in GTK
3 and not allowed at all in GTK 4), so a prerequisite for that would
be to move all of cdebconf-gtk's GTK interactions onto one thread,
with message-passing between that thread and the cdebconf thread.

I'm also unsure how GTK 4 can possibly have caused libvte-2.91-0-udeb's
installability to regress anyway, because libvte-2.91-0-udeb in testing
depends on liblz4-1, which does not have a corresponding udeb. That
will need fixing (by adding a liblz4-1-udeb, or linking it statically,
or allowing .deb libraries to satisfy udebs' dependencies) if we ever
want a GTK 3 or later installer.

Making the GTK 4 udeb installable looks like a significant task. It depends
on:

OK - fontconfig-udeb (>= 2.15.0),
OK - libc6-udeb (>= 2.37),
!! - libcairo-script-interpreter2 (>= 1.18.0),
OK - libcairo2-udeb (>= 1.18.0),
OK - libepoxy0-udeb (>= 1.5.4),
OK - libfribidi0-udeb (>= 1.0.13),
OK - libgdk-pixbuf-2.0-0-udeb (>= 2.42.10+dfsg),
OK - libglib2.0-udeb (>= 2.78.4),
!! - libgraphene-1.0-0 (>= 1.10.8),
OK - libharfbuzz0-udeb (>= 8.3.0),
!! - libjpeg62-turbo (>= 1:2.1.5),
OK - libpango1.0-udeb (>= 1.52.1+ds),
OK - libpng16-16t64-udeb (>= 1.6.2),
!! - libtiff6 (>= 4.5.1+git230720),
OK - libx11-6-udeb (>= 2:1.6.0),
OK - libxcursor1-udeb (>> 1.1.2),
!! - libxdamage1 (>= 1:1.1),
OK - libxext6-udeb (>= 2:1.3.0),
OK - libxfixes3-udeb (>= 1:5.0),
OK - libxi6-udeb (>= 2:1.6.99.1),
OK - libxinerama1-udeb (>= 2:1.1.4),
OK - libxrandr2-udeb (>= 2:1.5)

cairo has a udeb, but it doesn't include the equivalent of
libcairo-script-interpreter2. It might be possible to disable the GTK
features that rely on that library? Or it might be possible to add the
script interpreter to the udeb?

graphene does not have udebs at all, and I think it's a mandatory
dependency for GTK 4, so if we ever want a GTK-4-based d-i, there is
no avoiding adding a graphene udeb.

libjpeg-turbo, tiff and libxdamage are in the same situation as graphene
(these were optional in GTK 3 but are required in GTK 4). Unlike graphene,
these are not maintained by the GNOME team, so we cannot unilaterally
add udebs to them.

smcv

Bug#1069672: bookworm-pu: package flatpak/1.14.8-1~deb12u1

[Simon McVittie]

est for CVE-2024-32462
+  + Fix a double-free in the test suite
+  + Skip more tests if bubblewrap works but FUSE doesn't
+- New upstream stable release 1.14.8
+  + Respin of 1.14.7 reverting unintended submodule changes
+- d/control: Move dbus-system-bus from Depends to Recommends.
+  `flatpak run` no longer has a working system bus as a hard requirement
+  (verified in `podman run --privileged --rm -it debian:sid-slim`)
+- Drop CVE-2024-32462 patches, included in the upstream stable release
+- debian/test.sh: Disable http proxy if used, to ensure we can reach
+  a HTTP server on localhost during automated tests
+  * Changes relative to 1.14.8-1 in unstable:
+- Revert polkitd dependencies to polkitd | policykit-1 as previously
+  used in bookworm
+- Revert pkgconf dependencies to pkg-config as previously used in
+  bookworm
+- Revert location of systemd unit to /lib/systemd/system as previously
+  used in bookworm, dropping versioned dependency on debhelper 13.11.6~
+- Revert changes related to Debian 13 GIR XML packaging policy
+
+ -- Simon McVittie   Tue, 30 Apr 2024 16:50:10 +0100
+
 flatpak (1.14.4-1+deb12u1) bookworm-sec

Bug#1070121: nmu: coreutils_9.4-3 (trixie), pam_1.5.2-9.1 (trixie)

[Simon McVittie]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu
X-Debbugs-Cc: coreut...@packages.debian.org, p...@packages.debian.org, 
debian-b...@lists.debian.org
Control: affects -1 + src:coreutils src:pam

coreutils_9.4-3.1 and pam_1.5.3-7 aren't currently migrating to trixie
for whatever reason. Because debootstrap doesn't currently know about
versioned Provides, I think it would be useful to get versions of these
packages in trixie that have been rebuilt against the 64-bit time_t ABIs
and package names.

If the versions in trixie don't migrate imminently, please consider:

nmu coreutils_9.4-3 . ANY . trixie . -m "rebuild against libssl3t64"
nmu pam_1.5.2-9.1 . ANY . trixie . -m "rebuild against libdb5.3t64"

In a trixie derivative (a non-public future branch of the Steam Runtime)
I found that local rebuilds of those two source packages were enough to
bring a minbase debootstrap back from repeatably failing to reasonably
reliable. I hope they would have a similar effect in real trixie.

Based on kibi's thread "Making trixie debootstrap-able again?" on -release
and -boot, binNMUing util-linux and iproute2 might also help for d-i's
use-case, which is larger than minbase and wants fdisk and iproute2:

nmu util-linux_2.39.3-6 . ANY . trixie . -m "rebuild against libreadline8t64"
nmu iproute2_6.7.0-2 . ANY . trixie . -m "rebuild against libtirpc3t64"

but I have not independently verified that those two are necessary
or sufficient.

smcv

Bug#1069672: bookworm-pu: package flatpak/1.14.6-1~deb12u1 or 1.14.7-1~deb12u1

[Simon McVittie]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: flat...@packages.debian.org
Control: affects -1 + src:flatpak

After the dust has settled from CVE-2024-32462, I would like to do a
stable-update of Flatpak using the upstream 1.14.x branch.

At the moment bookworm-security has 1.14.4 plus the patches for
CVE-2024-32462. The current upstream release is 1.14.6 (also available in
unstable and in testing-proposed-updates), which moves the security fix
from patches into the upstream source and fixes various less serious bugs.

We are also hoping to do a 1.14.7 upstream release soon, perhaps this
week. Would the stable release team prefer this to be proposed as one
big update from 1.14.4 to 1.14.7, or two smaller updates
1.14.4 → 1.14.6 → 1.14.7, or do you not mind either way?

[ Impact ]
If not accepted, several known bugs remain present in stable.
The highest-visibility is that the developer name of an app appears
in the CLI where the app name should be, for example "The Chromium Authors"
instead of the correct "Chromium Web Browser".

Also, if we keep up with upstream stable releases, then next time there
is a CVE, we can take upstream's stable release directly instead of
having to backport individual patches.

[ Tests ]
There is a fairly comprehensive test suite. It cannot be run under schroot
or lxc due to limitations of nested containers, but I run in
autopkgtest-virt-qemu before each upload, and ci.debian.net has now been
configured to run flatpak's tests under autopkgtest-virt-qemu has well.

I will test a final version manually on a bookworm system before upload.

[ Risks ]
Somewhat low risk, all changes are targeted bug fixes. I would say that
the highest-risk are the alterations to how AppStream metadata is parsed
and displayed, but several distributions are already using those changes
via the 1.15.x branch and we have not had regression reports.

[ Checklist ]
The changes in 1.14.7 will not be finalized until the release actually
happens, but I have reviewed and attached a proposed diff.

  [½] *all* changes are documented in the d/changelog
  [½] I reviewed all changes and I approve them
  [½] attach debdiff against the package in (old)stable
  [½] the issue is verified as fixed in unstable

[ Changes in 1.14.5 and 1.14.6 ]
See attached flatpak-1.14.6-bookworm.diff.gz

* Makefile.am,
  configure.ac,
  data/Makefile.am.inc,
  data/tmpfiles.d/flatpak.conf,
  debian/flatpak.install,
  sideload-repos-systemd/Makefile.am.inc:
  - Delete obsolete /var/tmp/flatpak-cache-* (if any) during boot

* app/flatpak-builtins-build.c,
  common/flatpak-dir.c,
  common/flatpak-run.c,
  tests/test-run.sh:
  - Fix CVE-2024-32462 (previously done via a patch)

* app/flatpak-builtins-remote-info.c:
  - Fix display of app info in `flatpak remote-info`
  - Fix some uses of deprecated libappstream API
  - Forward-compatibility with libappstream 0.17.x and 1.0

* app/flatpak-builtins-remote-ls.c,
  app/flatpak-builtins-search.c,
  app/flatpak-builtins-utils.c,
  app/flatpak-builtins-utils.h,
  config.h.in,
  configure.ac:
  - Fix some uses of deprecated libappstream API
  - Forward-compatibility with libappstream 0.17.x and 1.0

* app/flatpak-builtins-run.c,
  common/flatpak-dir.c,
  tests/testlibrary.c:
  - Silence some compiler warning false-positives

* common/flatpak-appdata.c,
  tests/make-test-app.sh,
  tests/test-info.sh:
  - Don't parse the app developer name as though it was the app name

* common/flatpak-run.c,
  doc/flatpak-run.xml:
  - Don't let the sandboxed app inherit a wrong value for $VK_DRIVER_FILES,
$VK_ICD_FILENAMES

* common/flatpak-utils-http.c:
  - Cancel downloads if they become very slow

* common/flatpak-utils.c,
  tests/test-exports.c,
  tests/test-instance.c:
  - Forward-compatibility with newer GLib releases

* NEWS,
  common/flatpak-version-macros.h,
  configure.ac,
  tests/package_version.txt:
  - The usual release management noise

* debian/test.sh:
  - Unset proxy environment variables to make sure a test http server on
localhost is reachable

* doc/flatpak-metadata.xml:
  - Provide anchors for internal linking
  - Clarify documentation on which D-Bus names are allowed by default

* doc/reference/html/*.html:
  - Regenerated with Debian 12 toolchain
(these are also re-regenerated during build)
  (Filtered from debdiff)

* po/*.po,
  po/flatpak.pot:
  - Regenerated during upstream release procedure (different line numbering)
  (Filtered from debdiff)

* portal/flatpak-portal.c:
  - Save the original environment before setting GIO_USE_VFS, and restore it
before starting sandboxed programs, so that GVfs can work

* revokefs/main.c:
  - Forward-compatibility with libostree 2023.4

* session-helper/flatpak-session-helper.c:
  - Same as portal/, but for programs run on the host system by trusted
Flatpak apps

* tests/make-test-runtime.sh:
  - Fail tests earlier, with a better error message, if a 

Bug#1069285: trixie-pu: package flatpak/1.14.6-1~deb13u1

[Simon McVittie]

On Fri, 19 Apr 2024 at 14:09:24 +0200, Emilio Pozuelo Monfort wrote:
> On 19/04/2024 12:49, Simon McVittie wrote:
> > Fix CVE-2024-32462, a sandbox escape vulnerability, without having to
> > wait for the whole 64-bit time_t transition.
> 
> Please go ahead once you're ready, and let us know so that we can hint it
> into testing.

Uploaded, no changes since the debdiff you saw.

smcv

Bug#1069285: trixie-pu: package flatpak/1.14.6-1~deb13u1

[Simon McVittie]

his file was extended by Flatpak $as_me 1.14.6, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   CONFIG_FILES= $CONFIG_FILES
@@ -22668,7 +22668,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-Flatpak config.status 1.14.5
+Flatpak config.status 1.14.6
 configured by $0, generated by GNU Autoconf 2.71,
   with options \\"\$ac_cs_config\\"
 
diff -Nru flatpak-1.14.5/configure.ac flatpak-1.14.6/configure.ac
--- flatpak-1.14.5/configure.ac	2023-12-08 12:15:05.0 +
+++ flatpak-1.14.6/configure.ac	2024-04-17 18:28:16.0 +0100
@@ -15,7 +15,7 @@
 
 m4_define([flatpak_major_version], [1])
 m4_define([flatpak_minor_version], [14])
-m4_define([flatpak_micro_version], [5])
+m4_define([flatpak_micro_version], [6])
 m4_define([flatpak_extra_version], [])
 m4_define([flatpak_interface_age], [0])
 m4_define([flatpak_binary_age],
diff -Nru flatpak-1.14.5/debian/changelog flatpak-1.14.6/debian/changelog
--- flatpak-1.14.5/debian/changelog	2023-12-08 12:25:50.0 +
+++ flatpak-1.14.6/debian/changelog	2024-04-19 11:00:13.0 +0100
@@ -1,3 +1,22 @@
+flatpak (1.14.6-1~deb13u1) trixie; urgency=high
+
+  * Rebuild for trixie
+
+ -- Simon McVittie   Fri, 19 Apr 2024 11:00:13 +0100
+
+flatpak (1.14.6-1) unstable; urgency=high
+
+  * New upstream stable release 1.14.6
+- Don't allow an executable name to be misinterpreted as a command-line
+  option for bwrap(1). This prevents a sandbox escape where a malicious
+  or compromised app could ask xdg-desktop-portal to generate a .desktop
+  file with access to files outside the sandbox. (CVE-2024-32462)
+- Don't parse `` as the application name
+  * d/control: Drop alternative dependencies on transitional policykit-1.
+polkitd was released in Debian 12 and Ubuntu 22.04.
+
+ -- Simon McVittie   Wed, 17 Apr 2024 19:34:28 +0100
+
 flatpak (1.14.5-1) unstable; urgency=medium
 
   * New upstream stable release
diff -Nru flatpak-1.14.5/debian/control flatpak-1.14.6/debian/control
--- flatpak-1.14.5/debian/control	2023-12-08 12:25:50.0 +
+++ flatpak-1.14.6/debian/control	2024-04-19 11:00:13.0 +0100
@@ -52,7 +52,7 @@
  libzstd-dev,
  ostree (>= 2020.8) ,
  pkgconf,
- polkitd  | policykit-1 ,
+ polkitd ,
  procps,
  python3:any,
  python3-pyparsing,
@@ -87,7 +87,7 @@
  gtk-update-icon-cache,
  libpam-systemd,
  p11-kit,
- polkitd | policykit-1,
+ polkitd,
  shared-mime-info,
  xdg-desktop-portal (>= 1.6),
  xdg-desktop-portal-gtk (>= 1.6) | xdg-desktop-portal-backend,
diff -Nru flatpak-1.14.5/ltmain.sh flatpak-1.14.6/ltmain.sh
--- flatpak-1.14.5/ltmain.sh	2023-12-08 10:49:53.0 +
+++ flatpak-1.14.6/ltmain.sh	2024-04-17 19:17:44.0 +0100
@@ -31,7 +31,7 @@
 
 PROGRAM=libtool
 PACKAGE=libtool
-VERSION="2.4.7 Debian-2.4.7-7"
+VERSION="2.4.7 Debian-2.4.7-5"
 package_revision=2.4.7
 
 
@@ -572,15 +572,27 @@
 # -
 # Append VALUE onto the existing contents of VAR.
 
+  # We should try to minimise forks, especially on Windows where they are
+  # unreasonably slow, so skip the feature probes when bash or zsh are
+  # being used:
+  if test set = "${BASH_VERSION+set}${ZSH_VERSION+set}"; then
+: ${_G_HAVE_ARITH_OP="yes"}
+: ${_G_HAVE_XSI_OPS="yes"}
+# The += operator was introduced in bash 3.1
+case $BASH_VERSION in
+  [12].* | 3.0 | 3.0*) ;;
+  *)
+: ${_G_HAVE_PLUSEQ_OP="yes"}
+;;
+esac
+  fi
+
   # _G_HAVE_PLUSEQ_OP
   # Can be empty, in which case the shell is probed, "yes" if += is
   # useable or anything else if it does not work.
-  if test -z "$_G_HAVE_PLUSEQ_OP" &&  \
-  __PLUSEQ_TEST="a" &&  \
-  __PLUSEQ_TEST+=" b" 2>/dev/null &&  \
-  test "a b" = "$__PLUSEQ_TEST"; then
-_G_HAVE_PLUSEQ_OP=yes
-  fi
+  test -z "$_G_HAVE_PLUSEQ_OP" \
+&& (eval 'x=a; x+=" b"; test "a b" = "$x"') 2>/dev/null \
+&& _G_HAVE_PLUSEQ_OP=yes
 
 if test yes = "$_G_HAVE_PLUSEQ_OP"
 then
@@ -2296,7 +2308,7 @@
compiler:   $LTCC
compiler flags: $LTCFLAGS
linker: $LD (gnu? $with_gnu_ld)
-   version:$progname $scriptversion Debian-2.4.7-7
+   version:$progname $scriptversion Debian-2.4.7-5
automake:   `($AUTOMAKE --version) 2>/dev/null |$SED 1q`
autoconf:   `($AUTOCONF --version) 2>/dev/null |$SED 1q`
 
diff -Nru flatpak-1.14.5/NEWS flatpak-1.14.6/NEWS
--- flatpak-1.14.5/NEWS	2023-12-08 12:15:04.0 +
+++ flatpak-1.14.6/NEWS	2024-04-17 18:28:07.0 +0100
@@ -1,3 +1,18 @@
+Changes in 1.14.6
+~
+
+Security fixes:
+
+ * Don't allow an executable name to be misinterpreted as a command-line

Bug#1067840: nmu: gsound_1.0.3-3.2

[Simon McVittie]

Package: release.debian.org
Severity: normal
X-Debbugs-Cc: gso...@packages.debian.org
Control: affects -1 + src:gsound
User: release.debian@packages.debian.org
Usertags: binnmu

nmu gsound_1.0.3-3.2 . armhf . unstable . -m "rebuild against libcanberra0t64"

This should unblock gnome-bluetooth3, or at least go some way towards it.

smcv

Bug#1067769: nmu: libjcat_0.2.0-2+b1

[Simon McVittie]

Package: release.debian.org
Severity: normal
X-Debbugs-Cc: libj...@packages.debian.org
Control: affects -1 + src:libjcat
User: release.debian@packages.debian.org
Usertags: binnmu

nmu libjcat_0.2.0-2 . armel armhf . unstable . -m "rebuild against 
libgpgme11t64"

Possibly not very high impact, but I think this would unblock fwupd.

smcv

Bug#1036884: transition: time64_t -> sphinxbase

[Simon McVittie]

I think binNMUs for packages involved in
https://release.debian.org/transitions/html/auto-sphinxbase.html
would be useful. If I'm reading correctly, that would unblock ffmpeg
on armel/armhf (or at least get some way towards it), and ffmpeg is
involved in a bunch of other sub-transitions.

(I hope this is an OK format to make suggestions in?)

Thanks,
smcv

Bug#1067749: nmu: ffmpeg_7:6.1.1-3

[Simon McVittie]

Package: release.debian.org
Severity: normal
X-Debbugs-Cc: ffm...@packages.debian.org
Control: affects -1 + src:ffmpeg
User: release.debian@packages.debian.org
Usertags: binnmu

Manual (bootstrap?) builds of ffmpeg on armel, armhf seem to have been done
with libglib2.0-0, which is depended on by at least libavcodec-extra60.

nmu ffmpeg_7:6.1.1-3 . armel armhf . unstable . -m "rebuild against 
libglib2.0-0t64"

Thanks,
smcv

Bug#1036884: transition: time64_t - openjdk-17 needs re-bootstrap on armel,armhf

[Simon McVittie]

It seems that some of the dependency chains for packages that are still
waiting to be rebuilt on armel,armhf now end at openjdk-17, which is the
default Java version for most architectures and Build-Depends on itself
(with an alternative dependency on openjdk-16, but that no longer exists).
evolution-data-server -> libphonenumber-dev is an example.

Are the ARM or Java teams intending to re-bootstrap openjdk-17 somehow?

Or do maintainers of packages that build both a C/C++ library and Java
bindings from a single source package need to disable its Java bindings
on the affected architectures, either temporarily or permanently?

openjdk-21 is in a similar situation, build-depending on itself, while
openjdk-22 and openjdk-23 build-depend on -21 and -22 respectively.
Presumably once we have a single OpenJDK version that is installable,
it would be possible to step through 18,19,20,21 building each version
with the previous one.

In the -ports world, hppa doesn't have Java anyway, while m68k, powerpc
and sh4 seem to have had a re-bootstrap at some point; so I think it's
only the release architectures armel and armhf that have a problem here.

smcv

Bug#1067559: nmu: roc-toolkit_0.3.0+dfsg-7

[Simon McVittie]

Package: release.debian.org
Severity: normal
X-Debbugs-Cc: roc-tool...@packages.debian.org, debian-...@lists.debian.org
Control: affects -1 + src:roc-toolkit
User: release.debian@packages.debian.org
Usertags: binnmu

Another binNMU suggestion for the 64-bit time_t transition. This one
would partially unblock pipewire.

(It could be rebuilt across all architectures if you prefer to keep them
in sync.)

nmu roc-toolkit_0.3.0+dfsg-7 . armel armhf . unstable . -m "rebuild against 
libuv1t64"

Thanks,
smcv

Bug#1067430: nmu: graphviz_2.42.2-9

[Simon McVittie]

Package: release.debian.org
Severity: normal
X-Debbugs-Cc: graph...@packages.debian.org, debian-...@lists.debian.org
Control: affects -1 + src:graphviz
User: release.debian@packages.debian.org
Usertags: binnmu

libgvc6_2.42.2-9_armel depends on libglib2.0-0t64 (the "new" side of
the 64-bit time_t transition) but also on libgts-0.7-5 (the "old" side),
which was only successfully NMU'd recently; the original NMU seems to
have had a symbols file bug that made it uninstallable.

nmu graphviz_2.42.2-9 . armel armhf . unstable . -m "rebuild against 
libgts-0.7-5t64"
dw graphviz_2.42.2-9 . armel armhf . -m 'libgts-dev (>= 0.7.6+darcs121130-5.2)'

This is blocking the pending rebuild of sane-backends.

ignition-common might need similar treatment. The other rdeps of
libgts-0.7-5 seem to have rebuilds pending and stuck in BD-Uninstallable
on armel/armhf for other reasons, so they probably don't need a binNMU.

I have to wonder whether a library that is only available as a VCS
snapshot from 2012 is something that ought to be in our critical path
for re-bootstrapping... but apparently graphviz needs it for
"interconnected triangles support", whatever that means.

smcv

Bug#1067421: nmu: gstreamer1.0_1.24.0-1

[Simon McVittie]

On Thu, 21 Mar 2024 at 11:49:22 +, Simon McVittie wrote:
> gst-plugins-base1.0 is currently unbuildable on armel and armhf due to
> gstreamer1.0 having been built before libdw1 transitioned to libdw1t64.
> Please consider:
> 
> nmu gstreamer1.0_1.24.0-1 . armel armhf . unstable . -m "rebuild against 
> libdw1t64"

I should have mentioned that gstreamer1.0 has a FTBFS (test failure)
bug reported (https://bugs.debian.org/1066797), but when I tried the
build in armel and armhf chroots on the porterbox amdahl, it succeeded -
so I think it's worth trying the binNMU anyway, in the hope that the FTBFS
either doesn't affect these architectures or is intermittent.

smcv

Bug#1067421: nmu: gstreamer1.0_1.24.0-1

[Simon McVittie]

Package: release.debian.org
Severity: normal
X-Debbugs-Cc: gstreamer...@packages.debian.org, debian-...@lists.debian.org
Control: affects -1 + src:gstreamer1.0
User: release.debian@packages.debian.org
Usertags: binnmu

gst-plugins-base1.0 is currently unbuildable on armel and armhf due to
gstreamer1.0 having been built before libdw1 transitioned to libdw1t64.
Please consider:

nmu gstreamer1.0_1.24.0-1 . armel armhf . unstable . -m "rebuild against 
libdw1t64"

(or maybe rebuild on all architectures if avoiding multi-arch skew is
considered to be important).

This is one of several things blocking gtk4 being rebuilt for the time64
transition, which in turn prevents rebuilds of a lot of the GTK ecosystem
from being tried. In the short term I'm intending to work around that
by disabling its GStreamer plugin on the affected architectures, but
upstream considers this to be an unsupported configuration, so we should
put it back as soon as we can.

Thanks,
smcv

Bug#1036884: transition: time64_t

[Simon McVittie]

Control: block -1 by 1065787 1066049

One dependency chain that is blocking a lot of rebuilds right now is
this one:

... => curl -> stunnel4 -> python-cryptography => cargo => ...

key: => mandatory dependency
 -> nocheck dependency

In the medium term, cargo needs re-bootstrapping on the affected
architectures (armel and armhf, plus a bunch of -ports architectures
where as far as I can see cargo was never available in the past) -
that's #1065787, and Steve already replied to that bug describing how
Ubuntu did this. Is there a porter who can take responsibility for that?

In the shorter term, I think it might be pragmatic to build either curl
or stunnel4 with tests disabled on the affected architectures, breaking
that dependency chain and allowing most C/C++ packages that are being held
up by curl to be rebuilt in parallel.

I think disabling tests in stunnel4 would have less impact on the rest
of Debian than disabling tests in curl if it results in an undetected
regression, so I'd suggest stunnel4 as the place to break that chain. I've
sent a proposed patch to #1066049.

On IRC, Michael Biebl suggested an alternative plan of configuring the
armel|armhf buildds to always build with the nocheck profile for the
duration of the transition (and presumably keep track of the affected
packages to be rebuilt with build-time tests afterwards), but as far as
I know that's not possible in our infrastructure?

Thanks,
smcv

Re: Bug#1060779: src:mesa: fails to migrate to testing for too long: unavailable Build-Depends on mips64el

[Simon McVittie]

On Sun, 14 Jan 2024 at 08:39:52 +0100, Paul Gevers wrote:
> The Release Team considers packages that are out-of-sync between testing and
> unstable for more than 30 days as having a Release Critical bug in testing
> [1]. Your package src:mesa has been trying to migrate for 31 days [2].
> Hence, I am filing this bug. The version in unstable build depends on
> binaries from llvm-toolchain-17, which haven't been built on mips64el yet
> (reported in bug 1056116).

Adding mips64el porting team to Cc for visibility.

Mesa could probably work around this by disabling the LLVM parts on
mips64el (removing mips64 from LLVM_ARCHS in d/rules and from various
lists of LLVM-capable architectures in d/control).

The cost would be that most mips64el users would have to use slow
fallback software rendering, because disabling LLVM support would
disable llvmpipe (which it seems doesn't actually work properly
on mips* in any case) but also the AMD driver (which is what
graphical MIPS users rely on in practice, according to discussion on
https://salsa.debian.org/gnome-team/gnome-shell/-/merge_requests/71).

That's a high cost for mips64el users, but the alternative seems to be
letting mips64el hold back all of our other architectures, and I don't
think that's really viable.

Thanks,
smcv

Bug#1059929: release.debian.org: gobject-introspection_1.78.1-9 is said to have an unsatisfiable dependency

[Simon McVittie]

On Thu, 04 Jan 2024 at 09:54:52 +0100, Helmut Grohne wrote:
> I am not sure that you are the one who should express a qemu dependency.

Discussion of whether gobject-introspection has the ideal dependencies
seems off-topic for a release.d.o bug, so I've sent a reply to #1030223,
dropping the release and apt teams from cc (but keeping -cross). Please
follow up there with any further g-i-specifics.

The part of this issue that was relevant for release.d.o was: given
the current metadata of g-i_1.78.1-9, was britney2 correct to think its
deps are satisfiable? And the answer was: no, it was a bug that britney2
disagreed with apt on this.

According to the experimental pseudo-excuses, it seems that Paul's fix
for that bug was successful, and the fixed version of britney2 is now
happy to (pretend to) migrate g-i_1.78.1-9 if its autopkgtests pass.

Thanks,
smcv

Bug#1036884: 64-bit time_t: updated archive analysis, proposed transition plan with timeline

[Simon McVittie]

On Mon, 08 Jan 2024 at 15:01:11 -0800, Steve Langasek wrote:
> If a maintainer ignores the NMU and drops the rename, they'll be introducing
> a new library transition again on 32-bit archs.  Won't they also be caught
> again in binary NEW, for those packages that don't have the same runtime
> library package name in experimental?

To have a concrete example of this, I think you are saying:

- NMU of src:foo renames libfoo0 to libfoo0t64
- maintainer ignores NMU and uploads, effectively renaming libfoo0t64
  back to libfoo0
- you want the maintainer's upload to get stuck in NEW

I am not a ftp team member, but if I understand NEW correctly, this
will only trigger a new trip through NEW if the ftp team have already
removed libfoo0 from the overrides file ("decrufting"), which is not
done immediately, only after libfoo0 has not been built by src:foo for
a little while.

If libfoo0 exists in testing and/or stable, I'm not sure whether that
prevents the ftp team's processes from removing it from the overrides file.
If it does, then a new, maintainer upload of libfoo0 will certainly not be
considered NEW, and the safety-catch that you are thinking of will not be
effective.

smcv

Bug#1059929: release.debian.org: gobject-introspection_1.78.1-9 is said to have an unsatisfiable dependency

[Simon McVittie]

On Sat, 06 Jan 2024 at 10:16:28 +0100, Paul Gevers wrote:
> I guess there are exceptions we could accept like from
> src:steam-installer (which doesn't use :i386 or :amd64 at the moment if I'm
> correct)

src:steam-installer avoids using :i386 in dependencies because I was
under the impression that explicitly naming an architecture like that
wasn't supported/allowed. Instead, steam-installer:amd64 Depends on
steam-libs-i386, which only exists in the i386 Packages file (and is
M-A: foreign so that it can satisfy the dependency from an amd64 package).

I thought this was the standard workaround for something in the stack
(apt? dpkg? the multiarch spec?) not allowing saying what I actually mean,
which is: steam-installer:amd64 Depends on both steam-libs (implicitly
:amd64) and steam-libs:i386. nss-mdns and the NVIDIA drivers both used
this technique in the past, and Wine still does (it's called wine32 rather
than wine-i386 but the principle is the same).

If an explicit dependency on steam-libs:i386 would be valid, I'd be happy
to use that, and remove the steam-libs-i386 binary package as redundant.
Because it currently uses a lockstep dependency, I think we'd have to
relax it to >=, and then keep it as a transitional package until after
trixie.

> packages being blocked for useful use cases (that we could hint
> through, but that britney2 would consider non-installable, so not protected
> from then on)

I agree that explicit cross-architecture dependencies like the ones in
steam-installer, nss-mdns and nvidia-graphics-drivers are quite rare,
and it seems fine for them to need some manual intervention. The only
use cases I know of are for proprietary i386 binaries that we can't just
recompile as pure amd64 (like Steam and whatever Windows program you want
to run via wine32), or for packages that support those (wine32 itself,
graphics drivers, NSS plugins and so on).

Maybe if cross-architecture dependencies were less of a special
case, we might see a bit more use of this when cross-compiling
(gcc-aarch64-linux-gnu Depends libc6-dev:arm64, making
libc6-dev-arm64-cross unnecessary?) or for firmware for coprocessors
(like if your x86 machine has a peripheral with a riscv64 processor that
can run ordinary riscv64 code).

> I think this bug report is one of only a couple over the years
> that requested anything on this front

This bug #1059929 involving gobject-introspection_1.78.1-9 is different
from things like steam-installer and nss-mdns: in the steam-installer case
I had to ask the release team (a while ago) to apply some force to work
around a known limitation in britney2, but in the gobject-introspection
case, my hope is that it can be resolved (possibly by a bug fix
in britney2, or possibly by changing gobject-introspection) without
forcing the installability check to be ignored.

Yes, the dependencies are meant to be cross-satisfiable (and the package
would be a lot simpler if that wasn't the goal), but they are also meant
to be more trivially satisfiable in a single-architecture scenario.

It shouldn't matter for this particular use-case whether you can
*actually* cross-compile using gobject-introspection, because the
scenario that I'm asking britney2 to evaluate when it considers migrating
gobject-introspection is whether it's installable within a limited
packaging universe that contains only :amd64 and :all packages - which
is something that apt and dpkg are happy with.

smcv

Bug#1036884: 64-bit time_t: updated archive analysis, proposed transition plan with timeline

[Simon McVittie]

On Fri, 05 Jan 2024 at 00:17:04 -0800, Steve Langasek wrote:
> - In multi-library packages, there is no reliable way to map from a set of
>   headers in a dev package to specific shared libraries in a runtime library
>   package that's not additionally computationally prohibitive; we therefore
>   conservatively assume that if any headers from a source package show
>   time_t ABI changes, all the runtime library packages from the source
>   package are affected by the transition.

> 0 dbus-tests

Please ignore this specific binary package. The only public API/ABI
of src:dbus is in libdbus-1-3 + libdbus-1-dev, so analyzing those two
is enough. (dbus-tests accidentally contains one header file, but that's
a minor bug.)

libdbus-1-dev is widely depended-on, so I hope that taking src:dbus off
your list will avoid some unnecessary rebuilds?

> 0 gobject-introspection

Similarly the only public API/ABI of src:gobject-introspection is in
libgirepository1.0-dev, libgirepository-1.0-1, and (in experimental)
libgirepository-1.0-dev. gobject-introspection contains some source
and header files that are used by other packages' regression tests,
but they are not public ABI.

smcv

Bug#1059898: unblock: steam-installer/1:1.0.0.78~ds-4

[Simon McVittie]

On Wed, 03 Jan 2024 at 20:51:46 +0100, Paul Gevers wrote:
> Thanks for letting us know. I prefer to keep the status quo for a day such
> that I can debug this tomorrow.

That's absolutely fine, this particular migration is not urgent and can
remain stuck for another few days or weeks if necessary.

It will only become urgent if it gets flagged as "out-of-sync for too
long", or if its udev rules become a blocker for the transition to
all-files-in-/usr.

smcv

Bug#1059929: release.debian.org: gobject-introspection_1.78.1-9 is said to have an unsatisfiable dependency

[Simon McVittie]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: britney
X-Debbugs-Cc: gobject-introspect...@packages.debian.org, 
debian-cr...@lists.debian.org

gobject-introspection in experimental has this in
https://release.debian.org/britney/pseudo-excuses-experimental.html#gobject-introspection:

gobject-introspection (1.78.1-6 to 1.78.1-9)

Migration status for gobject-introspection (1.78.1-6 to 1.78.1-9): BLOCKED: 
Rejected/violates migration policy/introduces a regression
Issues preventing migration:
gobject-introspection/amd64 has unsatisfiable dependency
gobject-introspection/arm64 has unsatisfiable dependency
Additional info:
uninstallable on arch amd64, not running autopkgtest there
uninstallable on arch arm64, not running autopkgtest there

The gobject-introspection binary package *is* installable, and in fact
I have it installed locally. Taking the amd64 version as an example,
it depends on:

- binutils-x86-64-linux-gnu:any, a real Multi-Arch: allowed package

- gcc-x86-64-linux-gnu, a virtual package provided by gcc:amd64

- gobject-introspection-bin | qemu-user | qemu-user-static, where
  g-i-bin is a Multi-Arch: allowed package from the same source

- gobject-introspection-little-endian:any, a virtual package provided
  by g-i-bin, which is Multi-Arch: allowed
  (experimentally, apt and dpkg both seem to be happy to assume that
  this makes the gobject-introspection-little-endian virtual package
  behave as though it was also Multi-Arch: allowed)

- pkgconf, a real package

- python3:any, a real Multi-Arch: allowed package

I think all of those are correct?

Or do I need to make gobject-introspection-bin Multi-Arch: foreign,
drop the :any from gobject-introspection-little-endian:any, and
replace the gobject-introspection-bin | qemu-user | qemu-user-static
dependency by python3 | qemu-user | qemu-user-static or similar?

My goal here is that you can install gobject-introspection:amd64 on an
amd64 machine, or on any other little-endian machine that will be able to
cross-compile amd64 binaries and then run them by explicitly invoking them
via qemu-user, as discussed with Helmut Grohne at the recent Cambridge
miniDebconf. (It has to be little-endian because g-ir-inspect and similar
tools don't currently support byte-swapping fields in binary typelibs.)

Thanks,
smcv

Bug#1059898: unblock: steam-installer/1:1.0.0.78~ds-4

[Simon McVittie]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: steam-instal...@packages.debian.org, debian...@lists.debian.org
Control: affects -1 + src:steam-installer

steam-installer doesn't seem to be migrating, and its excuses page
presents an empty list of reasons why not.

In the HTML output, under "Additional info" (which if I understand
correctly is meant to be for notes that do not affect migration), it
says:

- Additional info:
- uninstallable on arch amd64, not running autopkgtest there
- uninstallable on arch i386, not running autopkgtest there

but in the YAML output, I see that actually this might be the reason why
it isn't migrating:

autopkgtest:
  verdict: REJECTED_TEMPORARILY
  ...
  reason:
  - autopkgtest

I find this confusing, because steam-installer doesn't have any autopkgtest
coverage at all.

The steam-installer:amd64 contrib binary package is uninstallable if you
don't have an i386 foreign architecture added, because Valve's proprietary
code has hard dependencies on both amd64 and i386 libraries. Is this
perhaps what the migration software is unhappy about? But I thought we
could have uninstallable packages as long as they are not a regression?

Similarly, the steam:i386 contrib binary package is uninstallable unless
you are actually on an amd64 system.

The other binary packages (in main) should be installable on their
appropriate architectures with no special measures.

Thanks,
smcv

Bug#1059395: libacl1, debhelper: changelog handling with --no-trim seems to be not binNMU-safe

[Simon McVittie]

Package: libacl1,debhelper
Control: found -1 libacl1/2.3.1-3
Control: found -1 debhelper/13.11.9
Severity: important
X-Debbugs-Cc: debian-release@lists.debian.org

libacl1 was recently binNMU'd on all architectures to address version skew.
Unfortunately, the binNMU'd version is no longer multiarch co-installable
because its changelog differs between architectures:

│ │ ├── ./usr/share/doc/libacl1/changelog.Debian.gz
│ │ │ ├── changelog.Debian
│ │ │ │ @@ -1,13 +1,13 @@
│ │ │ │  acl (2.3.1-3+b1) sid; urgency=low, binary-only=yes
│ │ │ │
│ │ │ │ -  * Binary-only non-maintainer upload for amd64; no source changes.
│ │ │ │ +  * Binary-only non-maintainer upload for i386; no source changes.
│ │ │ │* Rebuild to sync binNMU versions
│ │ │ │
│ │ │ │ - -- all / amd64 / i386 Build Daemon (x86-conova-01) ...
│ │ │ │ + -- i386 Build Daemon (x86-grnet-01) ...

This binNMU changelog entry would normally be separated into
changelog.Debian.${DEB_HOST_ARCH}.gz, as can be seen in
/usr/share/doc/libxext6/ at the time of writing. However, that mechanism
doesn't seem to have been effective for libacl1.

I notice that libacl1 uses dh_installchangelogs --no-trim in its
debian/rules to suppress the default exclusion of older changelog
entries. It appears that using that option also suppresses the separation
of binNMU changelog entries into a separate file? I think it probably
should not, because the trimming of old changelog entries is merely
a nice-to-have to save some disk space, but the separation of binNMU
changelog entries is functionally necessary if we want packages to remain
multiarch co-installable across binNMUs.

A sourceful upload of libacl1 would temporarily address this (until the
next binNMU) by not being a binNMU, but would not be a long-term solution,
unless we stop using binNMUs entirely and replace them with "no-changes"
machine-assisted sourceful uploads like Ubuntu has done.

Not using --no-trim could address this from the libacl1 side, but
presumably the libacl1 maintainer has used that option intentionally and
for a reason. (Is that reason more important than having co-installable
binNMUs?)

Making --no-trim only disable the trimming of old changelog entries, but
retain the separation of binNMU changelog entries (and then binNMU'ing
libacl1 again) could address this from the debhelper side.

I don't know which of these ways forward is the right one. Please reassign
or clone as appropriate, and in the meantime please consider doing a
sourceful upload of libacl1 to unblock multi-arch co-installability.

Thanks,
smcv

Re: /usr-move: Do we support upgrades without apt?

[Simon McVittie]

On Thu, 21 Dec 2023 at 15:31:55 +0100, Marc Haber wrote:
> Do those GUI frontends that work via packagekit or other frameworks
> count as "using apt"?

Managing apt/dpkg packages via packagekit uses libapt-pkg6.0 (via
/usr/lib/*/packagekit-backend/libpk_backend_apt.so). I don't know whether
that's enough to give it the specific desirable behaviour around Conflicts
that Helmut is referring to, but I hope it is.

Other non-CLI package management like unattended-upgrades is generally
in a similar situation, using libapt-pkg or its language bindings,
but not the apt(8) or apt-get(8) CLIs specifically.

smcv

Re: Bug#1058687: gnome-shell: ftbfs on riscv64 due to tests failed

[Simon McVittie]

On Thu, 14 Dec 2023 at 21:59:19 +0800, Bo YU wrote:
> 10/12 gnome-shell:shell / perf-basic  FAIL   189.57s  
>  exit status 1
> 11/12 gnome-shell:shell / perf-closeWithActiveWindows FAIL76.88s  
>  exit status 1
> 12/12 gnome-shell:shell / perf-headlessStart  FAIL   100.23s  
>  exit status 1
...
> It looks to be the same case as mips64el[1]. It will be built if on
> my local Unmatched with graphic card

It seems likely that this is a bug in Mesa or LLVM (specifically, Mesa's
software rendering drivers) rather than a bug in GNOME Shell.

On mips* architectures, there are several reported bugs against mesa
- https://bugs.debian.org/868745, https://bugs.debian.org/935884,
https://bugs.debian.org/1010838, https://bugs.debian.org/1049404 - which
do not seem to have had any response from mips* porters. This is not
really sustainable: desktop environment maintainers can't afford to spend
a large amount of time on learning how to fix bugs that are specific to
architectures with relatively few users, because that prevents us from
spending that time on fixing bugs that affect everyone.

If there is a similar issue for llvmpipe on riscv64, I would recommend
that the riscv64 community look into fixing that bug and making llvmpipe
work correctly, so that individual packages don't have to work around it.

I notice from the Mesa changelog that recent uploads of Mesa enabled
LLVM JIT on riscv64. Does that solve this bug?

Or, if that change *caused* this bug, please work with the mesa
maintainers to test llvmpipe on riscv64 and enable/disable/fix as
appropriate, so that only features that work are enabled.

> So the workaround allows Dedebia users to use the package(if so) ASAP.

I am reluctant to disable test coverage on new architectures if there is
any alternative, because the automated tests are usually the only evidence
we have that a new version of the package still works correctly on all
the architectures that Debian supports. Having a release architecture
where we can't expect automated tests to work correctly is not really
sustainable. I am not in a position to fix that for mips64el, but I can at
least try to avoid making the problem worse by doing the same on riscv64.

These tests being disabled on mips64el is a workaround that should be
avoided if possible. Unfortunately, they were only added relatively
recently (August 2023), so before that, nobody knew that GNOME Shell
didn't work on mips64el + llvmpipe; and based on past experience, doing
architecture-specific removals of GNOME components isn't practical,
because nobody knows what will happen in debian-installer if a desktop
task becomes uninstallable.

If GNOME is missing from riscv64 for now, as far as I know that isn't
a regression (it has never been available on riscv64 within official
Debian), and it gives riscv64 porters an incentive to get this fixed
properly.

(But I've cc'd the release team, to give them the opportunity to overrule
me on this, if they want to say that making GNOME available on riscv64
is more important than having test coverage that gives us some confidence
that it still works.)

smcv

Bug#1055894: bookworm-pu: package gnome-session/43.0-1+deb12u1

[Simon McVittie]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gnome-sess...@packages.debian.org, 
debian-gtk-gn...@lists.debian.org
Control: affects -1 + src:gnome-session

Please consider including my recent gnome-session upload in Debian 12.3.

[ Reason ]
Open text files in gnome-text-editor if gedit is not installed,
fixing https://bugs.debian.org/1055838

[ Impact ]
If not fixed, in a default task-gnome-desktop installation, plain text
files (including XML, CSS, various programming languages, etc.) default
to being opened in Libreoffice Writer (a word processor), and not in
GNOME Text Editor (a text editor) as intended.

Mitigation: if the system was upgraded from Debian 11, it will probably
still have the gedit package installed. If so, plain text files will open
in gedit by default, which is an entirely reasonable choice too.

For context, GNOME Text Editor is a simple text editor like Windows
Notepad, whereas gedit is more of a programmers' editor; which one gets to
open text files by default if both are installed is a matter of opinion
and taste, but the default on a GNOME desktop ought to be one of those two,
and certainly not a word processor.

[ Tests ]
Manually tested:
* Start from a Debian 12 VM with task-gnome-desktop and no other desktop
  environments
* Ensure gedit is *not* installed (by default, it will not be)
* echo "Hello, world!" > ~/Documents/hello.txt
* nautilus ~/Documents
* Right-click hello.txt
* Good result: the top choice is "Open With Text Editor [Return]"
* Bad result: the top choice is "Open With LibreOffice Writer [Return]"
* After verifying good result with the proposed gnome-session installed,
  additionally install gedit
* Right-click hello.txt
* Good result: the top choice is "Open With gedit [Return]"
* Bad result: anything else

[ Risks ]
Low risk: no code change, just adjusting desktop-specific defaults for
GNOME (including derivatives like Budgie and GNOME Flashback).

To minimize observable behaviour changes for systems that were already
upgraded from Debian 11 to 12, I have chosen to make gedit the default
text editor for GNOME if happens to be installed (no change for upgraded
systems), falling back to GNOME Text Editor if gedit is not present
(a fresh task-gnome-desktop installation will use this fallback in practice).
This is the opposite of my recent upload to unstable, where I made
gnome-text-editor higher priority (I think it's reasonable to expect the
default text editor to change in a major-version upgrade).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
d/gnome-mimeapps.list: Fix the bug. It might be helpful to know that
values after the equals sign in mimeapps.list are semicolon-delimited
lists, and canonically end with a single semicolon after the last item
(but it's optional and frequently omitted, particularly for single-item
lists).

d/gbp.conf: administrivia since this is the first Debian 12 update proposed
for this package.
diffstat for gnome-session-43.0 gnome-session-43.0

 changelog   |   21 +
 gbp.conf|4 +--
 gnome-mimeapps.list |   62 ++--
 3 files changed, 54 insertions(+), 33 deletions(-)

diff -Nru gnome-session-43.0/debian/changelog gnome-session-43.0/debian/changelog
--- gnome-session-43.0/debian/changelog	2022-10-11 19:08:35.0 +0100
+++ gnome-session-43.0/debian/changelog	2023-11-13 18:34:53.0 +
@@ -1,3 +1,24 @@
+gnome-session (43.0-1+deb12u1) bookworm; urgency=medium
+
+  * Team upload
+  * d/gbp.conf: Configure branches for Debian 12 stable updates
+  * Open text files in gnome-text-editor if gedit is not installed.
+The preinstalled text editor for Debian GNOME systems was changed
+from gedit in Debian 11 to gnome-text-editor in Debian 12, but this
+file was not updated to match, resulting in various plain-text formats
+being opened in Libreoffice Writer rather than gnome-text-editor in a
+default task-gnome-desktop installation with no further configuration.
+To preserve current behaviour for systems that have gedit installed
+(perhaps as a result of them having been upgraded from Debian 11 to
+12), for all file types that were previously handled with gedit,
+continue to use gedit by default if it happens to be installed,
+but fall back to gnome-text-editor if gedit is not present.
+The preference order is likely to change to gnome-text-editor as
+default, with gedit as a fallback, in Debian 13.
+    (Closes: #1055838)
+
+ -- Simon McVittie   Mon, 13 Nov 2023 18:34:53 +
+
 gnome-session (43.0-1) unstable; urgency=medium
 
   [ Nathan Pratta Teodosio ]
diff -N

Bug#1053307: glib2.0 2.66.8-1+deb11u1 flagged for acceptance

[Simon McVittie]

On Sun, 12 Nov 2023 at 14:58:42 +, Adam D Barratt wrote:
> Package: glib2.0
> Version: 2.66.8-1+deb11u1
> 
> Explanation: align with upstream stable fixes; fix denial of service issues 
> [CVE-2023-32665 CVE-2023-32611 CVE-2023-29499 CVE-2023-32636]; fix buffer 
> overflow issue [CVE-2023-32643]

If you're able to adjust the release notes between now and the 11.9
point release, you might want to change this wording so it just mentions
the DoS issues and other stable-branch fixes, but excludes the buffer
overflow issue CVE-2023-32643 from the description of this update.

CVE-2023-32643 was a regression caused by errors in the initial fixes
for the DoS issues. It was important that we avoided introducing it
into Debian 11, but Debian 11.8 is not vulnerable (too old), and after
accepting 2.66.8-1+deb11u1, to the best of my knowledge Debian 11.9 will
not be vulnerable either (too new).

(For the record: I think 2.74.3-1 in unstable was briefly vulnerable to
CVE-2023-32643, but that version never migrated to testing, and a fix was
included in the next upload 2.74.4-1; so testing was never vulnerable,
and therefore neither was Debian 12.0.)

Thanks,
smcv

Bug#1053307: bullseye-pu: package glib2.0/2.66.8-1+deb11u1

[Simon McVittie]

On Sun, 01 Oct 2023 at 11:52:25 +0100, Simon McVittie wrote:
> I would like to update glib2.0 in Debian 11.9. We're too close to the
> 11.8 deadline for an update with this size of diffstat, so I'd like
> to upload it to bullseye-proposed-updates shortly after 11.8 is out,
> to give it the maximum amount of review and testing possible.

Now that 11.8 has happened, I've uploaded this to stable-NEW. (Sorry for
the delay, there was some confusion on my part over whether the security
team wanted different changelog wording, but it seems they are now happy
with the version I proposed.)

> [ Tests ]

I built an amd64 netboot-gtk image with this glib2.0's udeb included
(using steps similar to #1050868 and #1025708) and was able to install
a Plasma desktop successfully.

As mentioned previously, for those who cannot access stable-NEW, a
test-build that differs only in its changelog and version number can be
downloaded from: https://people.debian.org/~smcv/11.9/pool/main/g/glib2.0/
(built from commit f23101922 and mentioning that commit ID in its
version number). Testing by bullseye users would be appreciated, I don't
routinely run bullseye on my own systems any more.

The version I uploaded to stable-NEW is functionally equivalent to commit
f23101922, with the only difference being `dch -r`.

Thanks,
smcv

Bug#1025708: bullseye-pu: package debootstrap/1.0.123+deb11u2

[Simon McVittie]

On Sat, 28 Oct 2023 at 14:54:45 +0200, Cyril Brulebois wrote:
> Compared to what I get from a `dpkg-buildpackage -S` run locally (using
> the bullseye branch at tag debian/1.0.123+deb11u2), the source package
> available on coccia adds the debian/.gitignore file

I believe dpkg-source defaults to the equivalent of `dpkg-source -I`
for 3.0 (native) format packages, which ignores some files that would
normally appear in git, notably .gitignore.

I normally use
DEBUILD_DPKG_BUILDPACKAGE_OPTS="-us -uc -I.*.sw? -I.sw? -I.git" which
disables the default `-I` and instead excludes .git but not .gitignore,
making the uploaded source package exactly equivalent to what's in git
(and as a result, more dgit-friendly). If you would prefer any subsequent
uploads of d-i-related components to always exclude the .gitignore,
I'll try to remember that for the future.

smcv

Bug#1050237: transition: mutter/gnome-shell 45

[Simon McVittie]

I don't think this was cc'd to the release team when it was reassigned,
so quoting full text below for the release team's reference:

On Tue, 24 Oct 2023 at 14:09:06 -0400, Jeremy Bícha wrote:
> We will be ready to do the GNOME Shell/Mutter 45 transition once
> magpie is accepted from Debian NEW and budgie-desktop switches to it.
> I'm setting the moreinfo tag until that happens.
> 
> The remaining sourceful re-uploads from Experimental are:
> 
> * mutter
> * gnome-shell
> * gnome-shell-extensions
> * gnome-remote-desktop
> 
> And these extensions, so far:
> * gnome-shell-extension-appindicator
> * gnome-shell-extension-arc-menu
> * gnome-shell-extension-caffeine
> * gnome-shell-extension-dash-to-panel
> * gnome-shell-extension-dashtodock
> * gnome-shell-extension-desktop-icons-ng
> * gnome-shell-extension-espresso
> * gnome-shell-extension-gsconnect
> * gnome-shell-extension-hide-activities
> * gnome-shell-extension-kimpanel
> * gnome-shell-extension-runcat
> * gnome-shell-extension-shortcuts
> * gnome-shell-extension-tiling-assistant
> * gnome-shell-pomodoro
> * gpaste
> * workrave
> * yaru-theme
> 
> And then any remaining extensions in
> https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-gnome-maintainers%40lists.alioth.debian.org=gnome-shell-45
> will need to be either fixed or temporarily kicked out of testing
> to let the transition through.
> 
> We can provide a specific list of extensions to remove from Testing
> when we get to that point in the transition.
> 
> Notably, every GNOME Shell extension needs to be adjusted for the new
> ESM import style. It is not possible for extensions to be compatible
> with both GNOME Shell >=45 and <=44 without some source code changes.
> For more details of required changes, see
> https://gjs.guide/extensions/upgrading/gnome-shell-45.html
> 
> The tracker for this transition is
> https://release.debian.org/transitions/html/gnome-shell-45.html

Bug#1025708: bullseye-pu: package debootstrap/1.0.123+deb11u2

[Simon McVittie]

On Thu, 31 Aug 2023 at 00:12:53 +0100, Simon McVittie wrote:
> I did the same testing as for bookworm's #1050868, summarized on
> <https://salsa.debian.org/installer-team/debootstrap/-/merge_requests/105>.
> As with #1050868, all differences between the output of a reference
> version (from Debian 12.1) and the output of this version were expected
> or ignorable.

I have now also tried the proposed debootstrap_*.udeb via d-i, using
essentially the same steps as in
<https://lists.debian.org/debian-release/2023/10/msg00518.html>.
This time I installed XFCE rather than GNOME. Installation was successful.

Errata:
- The steps I wrote were incomplete, installing git and fakeroot on the
  build machine was also necessary
- As previously noted on #1050868, the proposed udeb needs to be copied
  into debian-installer_bullseye/build/localudebs/
- d-i 11 doesn't include "less", so the step involving viewing
  /usr/share/debootstrap/functions needs to use "more" instead

An additional note is that if you send Ctrl+Alt+F2 sufficiently early in
the "Installing the base system" step, and "ls -l /target" repeatedly, you
can see that as a result of Helmut's code changes, /target is initially
non-merged-/usr then gets converted to merged-/usr after unpacking the
Essential set.

smcv

Bug#1050868: bookworm-pu: package debootstrap/1.0.128+nmu2+deb12u1

[Simon McVittie]

On Sun, 15 Oct 2023 at 11:56:21 +0100, Simon McVittie wrote:
>   - copy the proposed debootstrap-udeb_1.0.128+nmu2+deb12u1_all.udeb into
> debian-installer_bookworm/build/pkg-lists/base

Sorry, that should of course have said: into
debian-installer_bookworm/build/localudebs/.

smcv

Bug#1050868: bookworm-pu: package debootstrap/1.0.128+nmu2+deb12u1

[Simon McVittie]

On Wed, 30 Aug 2023 at 23:40:12 +0100, Simon McVittie wrote:
> On Wed, 30 Aug 2023 at 16:27:12 +0100, Simon McVittie wrote:
> > Part of the transition to merged-/usr, and more specifically, allowing
> > us to stop shipping files in trixie whose physical path on disk does
> > not match their path in the dpkg database due to directory aliasing.
> > 
> > This change needs to be in bookworm (and bullseye, and maybe buster)
> > before that process can continue, because official buildds run debootstrap
> > from stable (or older).
> > 
> > I also took the opportunity to backport changes that make the autopkgtests
> > pass.
> 
> Sorry, I should have mentioned that this is a (significant) d-i component
> and so will presumably need a d-i ack.

I have attempted to test the proposed version in d-i. I am not an expert
on d-i, but I hope what I have done here is approximately correct:

* on a bookworm VM (the build VM):
  - git clone -b bookworm 
https://salsa.debian.org/installer-team/debian-installer.git 
debian-installer_bookworm
  - cd debian-installer_bookworm
  - sudo apt --no-install-recommends build-dep .
  - edit build/pkg-lists/base and add debootstrap-udeb to the list of
packages to be bundled into the installer rather than downloaded from
a mirror
- this seemed easier than finding out how to add a second apt source
  for installer components
  - copy the proposed debootstrap-udeb_1.0.128+nmu2+deb12u1_all.udeb into
debian-installer_bookworm/build/pkg-lists/base
  - make -C build reallyclean
  - fakeroot make -C build build_netboot-gtk

* on the host system:
  - copy debian-installer_bookworm/build/dest/netboot/gtk/mini.iso from the
build VM
  - boot a second VM from it (the installation VM)

* in the installation VM:
  - proceed through the installation as usual
  - during the step "Installing the base system", send Ctrl+Alt+F2 and
run "debootstrap --version"
- the answer should be the proposed version
  - also run "less /usr/share/debootstrap/functions"
- it should contain a comment
  "Previous implementation of merged /usr: not used within debootstrap,"
  and so on, indicating that this is a version that includes Helmut's
  changes for "implement merged-/usr by post-merging" from 1.0.130 and
  my follow-up from 1.0.131
  - go back to the GUI and continue installation
- any package set will do, I installed GNOME
  - installation was successful
  - the installed system boots successfully
  - the installed system is merged-/usr

I hope this is helpful information.

smcv

Bug#1052229: bookworm-pu: gnome-shell/43.9-0+deb12u1

[Simon McVittie]

Control: retitle -1 bookworm-pu: gnome-shell/43.9-0+deb12u1

On Sat, 23 Sep 2023 at 20:45:51 +0100, Adam D. Barratt wrote:
> On Tue, 2023-09-19 at 11:40 +0100, Simon McVittie wrote:
> > Several new upstream bugfix releases.
>
> Please go ahead.

The version I've uploaded has one additional change from upstream
(attached) since the version that Adam saw. I have been testing this
on bookworm GNOME machines in my household for a couple of weeks with
no obvious regressions. An updated full diff between patched trees in
12.2 and the uploaded version, filtered to exclude the patches themselves
and translations, is also attached.

The revised version is functionally equivalent to the one labelled
b1c065d1 in <https://people.debian.org/~smcv/12.3/pool/main/g/gnome-shell/>,
which replaced my earlier test-build. I've confirmed with debdiff that
the only difference is the changelog.

Reason for the new change: when there is a single opaque full-screen
window like a game or a video player, the Shell is meant to let that
window scan-out directly to the screen ("unredirection") instead of
going through non-trivial compositor code, which minimizes latency and
maximizes rendering performance. This mechanism needs to be disabled
when in the zoomed-out overview mode (Windows key), and re-enabled
when leaving the overview. For whatever reason, re-enabling it when
leaving the overview wasn't 100% reliable, causing reduced performance
after a while. The change backported from 44.5-2 integrates this with
a state machine that already needed to exist for other reasons, so that
unredirection is enabled whenever it can safely be enabled.

Impact if the new change is not accepted: worse latency and rendering
performance for full screen games/videos/etc. after a while, and perhaps
also worse power consumption.

There's also some minor rewording in the changelog to clarify that all
changes were also part of 44.5-2 in testing/unstable.

I can revert the additional change as a 43.9-0+deb12u2 if it becomes
necessary, but I hope it won't be.

Thanks,
smcv
From: "robert.ma...@collabora.com" 
Date: Wed, 27 Sep 2023 01:10:45 +0200
Subject: overview: Handle unredirection in OverviewShown state machine

Under certain unknown circumstances currently not every
`disable_unredirect_for_display()` gets matched with an
`enable_unredirect_for_display()` when closing the overview.

As we only want to not disable unredirection when hidden and we nowadays
have a state machine that ensures we transition to and from one state to
another only once, handle unredirection en-/disablement as part of the
state transition.

(cherry picked from commit a94fcee9616ef52d0f1d6453515a104d69c6cb92)

Bug: https://gitlab.gnome.org/GNOME/mutter/-/issues/2994
Origin: https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/2970
Applied-upstream: 43.10, commit:3b921ba0cb28c38ff5b7faba2dfe446cbc845bb4
---
 js/ui/overview.js | 14 +-
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/js/ui/overview.js b/js/ui/overview.js
index 757a8e4..bf3ffca 100644
--- a/js/ui/overview.js
+++ b/js/ui/overview.js
@@ -296,6 +296,11 @@ var Overview = class extends Signals.EventEmitter {
 `${this._shownState} to ${state}`);
 }
 
+if (this._shownState === OverviewShownState.HIDDEN)
+Meta.disable_unredirect_for_display(global.display);
+else if (state === OverviewShownState.HIDDEN)
+Meta.enable_unredirect_for_display(global.display);
+
 this._shownState = state;
 this.emit(OVERVIEW_SHOWN_TRANSITIONS[state].signal);
 }
@@ -402,8 +407,6 @@ var Overview = class extends Signals.EventEmitter {
 
 _gestureUpdate(tracker, progress) {
 if (!this._shown) {
-Meta.disable_unredirect_for_display(global.display);
-
 this._shown = true;
 this._visible = true;
 this._visibleTarget = true;
@@ -559,8 +562,6 @@ var Overview = class extends Signals.EventEmitter {
 this._visibleTarget = true;
 this._activationTime = GLib.get_monotonic_time() / GLib.USEC_PER_SEC;
 
-Meta.disable_unredirect_for_display(global.display);
-
 Main.layoutManager.overviewGroup.set_child_above_sibling(
 this._coverPane, null);
 this._coverPane.show();
@@ -627,9 +628,6 @@ var Overview = class extends Signals.EventEmitter {
 }
 
 _hideDone() {
-// Re-enable unredirection
-Meta.enable_unredirect_for_display(global.display);
-
 this._coverPane.hide();
 
 this._visible = false;
@@ -679,8 +677,6 @@ var Overview = class extends Signals.EventEmitter {
 // the animation because of a race in the xserver where the grab
 // fails when requested very early during startup.
 
-Meta.disable_unredirect_for_display(global.display);
-
 this._changeShownState(OverviewShownState.SHOWING);
 
 this._overview.runStar

Bug#1052227: bookworm-pu: mutter/43.8-0+deb12u1

[Simon McVittie]

Control: retitle -1 bookworm-pu: mutter/43.8-0+deb12u1

On Sun, 24 Sep 2023 at 11:31:45 +0100, Simon McVittie wrote:
> I have been asked to roll one additional change into this update: updating
> the (non-upstream) triple-buffering patch to its latest version

There have been a couple of further revisions to the triple-buffering
patchset since the version Adam saw, which are included in the version
that I have now uploaded:

- Fix increased mouse input latency after resolving LP 2017137, LP 2017097
  (LP: #2023363)
- Fix mouse cursor stuttering when moving across animated UI elements
  (LP: #2023766)

The new changes are attached. I have also switched from applying the
triple-buffering patchset as a single large patch to putting it in the
form of individual commits in debian/patches/triple-buffering/
(I verified that this did not change the patched tree), and re-worded
the changelog to expand on which patch does what and what newer versions
in unstable/experimental also have it.

An updated full debdiff between patched trees (12.2 to proposed version) is
also attached, filtered to exclude the patches themselves.

The version I uploaded is functionally equivalent to the one
labelled 69d27b60 in
<https://people.debian.org/~smcv/12.3/pool/main/m/mutter/>, which I've
been testing for about 2 weeks on my household's bookworm machines
with no obvious regressions. I have confirmed using debdiff that there is
no difference other than the changelog.

If the new changes cause any problems, then I can upload a 43.8-0+deb12u2
that reverts or adjusts them.

Thanks,
smcv
From: Daniel van Vugt 
Date: Wed, 14 Jun 2023 19:49:29 +0800
Subject: clutter/frame-clock: Avoid rapidly toggling dynamic max render time

This could happen when moving the cursor over GUIs that only redraw
in response to cursor movement. Mutter would experience alternating
cursor-only updates and page flips, and so the `max_render_time_allowed_us`
would jump between pessimised and optimised resulting in inconsistent
frame pacing.

Aside from fixing the smoothness problem this should also provide
lower latency cursor movement.

Fixes: https://launchpad.net/bugs/2023766
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/3074>

(cherry picked from commit be0aa2976e19f4a6b91bd90ce3942d6b107af7c0)

Origin: https://gitlab.gnome.org/Community/Ubuntu/mutter/-/commits/triple-buffering-v4-43
---
 clutter/clutter/clutter-frame-clock.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/clutter/clutter/clutter-frame-clock.c b/clutter/clutter/clutter-frame-clock.c
index f89db25..e7c67a7 100644
--- a/clutter/clutter/clutter-frame-clock.c
+++ b/clutter/clutter/clutter-frame-clock.c
@@ -109,6 +109,7 @@ struct _ClutterFrameClock
   EstimateQueue swap_to_flip_us;
   /* If we got new measurements last frame. */
   gboolean got_measurements_last_frame;
+  gboolean ever_got_measurements;
 
   gboolean pending_reschedule;
   gboolean pending_reschedule_now;
@@ -315,6 +316,7 @@ clutter_frame_clock_notify_presented (ClutterFrameClock *frame_clock,
 swap_to_flip_us);
 
   frame_clock->got_measurements_last_frame = TRUE;
+  frame_clock->ever_got_measurements = TRUE;
 }
   else
 {
@@ -389,7 +391,7 @@ clutter_frame_clock_compute_max_render_time_us (ClutterFrameClock *frame_clock)
 
   refresh_interval_us = frame_clock->refresh_interval_us;
 
-  if (!frame_clock->got_measurements_last_frame ||
+  if (!frame_clock->ever_got_measurements ||
   G_UNLIKELY (clutter_paint_debug_flags &
   CLUTTER_DEBUG_DISABLE_DYNAMIC_MAX_RENDER_TIME))
 {
From: Daniel van Vugt 
Date: Tue, 18 Jul 2023 16:08:25 +0800
Subject: clutter/frame-clock: Record measurements of zero for cursor-only
 updates

But only if we've ever got actual swap measurements
(COGL_FEATURE_ID_TIMESTAMP_QUERY). If it's supported then we now drop to
double buffering and get optimal latency on a burst of cursor-only
updates.

Fixes: https://launchpad.net/bugs/2023363

Origin: https://gitlab.gnome.org/Community/Ubuntu/mutter/-/commits/triple-buffering-v4-43
---
 clutter/clutter/clutter-frame-clock.c | 24 
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/clutter/clutter/clutter-frame-clock.c b/clutter/clutter/clutter-frame-clock.c
index e7c67a7..7b00041 100644
--- a/clutter/clutter/clutter-frame-clock.c
+++ b/clutter/clutter/clutter-frame-clock.c
@@ -287,19 +287,27 @@ clutter_frame_clock_notify_presented (ClutterFrameClock *frame_clock,
 
   frame_clock->got_measurements_last_frame = FALSE;
 
-  if (frame_info->cpu_time_before_buffer_swap_us != 0 &&
-  frame_info->gpu_rendering_duration_ns != 0)
+  if ((frame_info->cpu_time_before_buffer_swap_us != 0 &&
+   frame_info->gpu_rendering_duration_ns != 0) ||
+   frame_clock->ever_got_measurements)
 {
   int64_t dispatch_to_swap_us, s

Bug#1053307: bullseye-pu: package glib2.0/2.66.8-1+deb11u1

[Simon McVittie]

Package: release.debian.org
Severity: normal
Tags: bullseye d-i
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: glib...@packages.debian.org, debian-gtk-gn...@lists.debian.org
Control: affects -1 + src:glib2.0

I would like to update glib2.0 in Debian 11.9. We're too close to the
11.8 deadline for an update with this size of diffstat, so I'd like
to upload it to bullseye-proposed-updates shortly after 11.8 is out,
to give it the maximum amount of review and testing possible.

glib2.0 has a udeb and is actively used in the graphical installer,
so this will need a d-i ack, either before upload or before acceptance.

[ Reason ]
Fix denial of service vulnerabilities when parsing untrusted
GVariant data, either in binary form (CVE-2023-32665, CVE-2023-32611,
CVE-2023-29499, which were marked as no-dsa by the security team) or
in text form (no CVEs for these, I don't think the GLib maintainers
consider parsing GVariant text notation to be a valid thing to do with
untrusted input).

The vulnerabilities with CVEs were already fixed in Debian 10 LTS. The
issues without CVEs were not fixed in Debian 10 LTS, but I think fixing
them will give us a lower regression risk as well as more bug fixes.

[ Impact ]
If not fixed, anything that parses untrusted data in GVariant format will
be subject to denial of service attacks, and the LTS team will presumably
backport the same changes into Debian 11 LTS in a less complete form with
(IMO) a higher risk of regressions.

Flatpak and ostree parse trusted or at least semi-trusted data in GVariant
format, so they will be subject to this denial of service, but it isn't
urgent to fix (the integrity of GVariant data they process is protected
by PGP signatures and/or https, and it rarely makes sense to access a
completely untrusted ostree repository). I don't currently know of any
software in Debian that parses totally untrusted GVariant data.

[ Tests ]
A test-build that differs only in its changelog and version number can be
downloaded from: https://people.debian.org/~smcv/11.9/pool/main/g/glib2.0/

GLib's automated test suite passes (dh_auto_test and autopkgtest on both
amd64 and i386), and new coverage for several of the issues fixed here
accounts for around 30% of the diff.

There were no obvious regressions in a Debian 11 GNOME VM. I'll try this
on one of my work test machines before upload, but I no longer have any
bullseye machines in production use, so I can only do this on a test
installation that is not used day-to-day.

Any further testing that bullseye users can provide would be appreciated.

[ Risks ]
The diffstat is considerable, but I have tried to minimize the risk by
backporting *all* GVariant fixes from the version we ship in Debian 12,
and verifying that the only remaining non-comment differences in
`glib/gvariant*` between Debian 12 and this version are inclusion of
some compatibility headers. This means that if there were regressions
caused by these changes, we should already have seen them in Debian 12
(we haven't). Also, if regressions are discovered in this area in future,
their fixes should backport cleanly from Debian 12.

The initial versions of the denial-of-service fixes introduced a more
serious vulnerability (a buffer overflow, CVE-2023-32643) and some bugs
(a crash on big-endian architectures, and another denial of service
detected by a fuzzer). I have made sure to backport the fixes for those too.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable (and stable)

[ Changes ]
po/hr.po is (obviously) a translation update, from upstream.

All other changes are for the denial of service vulnerabilities, or are
small bug fixes in the same module which I have backported in order to
minimize risk.

All changes are straightforward cherry-picks from upstream via
Debian 12's GLib 2.74.x, except for the translation update, which was
applied to upstream's 2.66.x branch after its final point release, and
"debian/patches/Exclude-g_variant_maybe_get_child_value-from-API-document.patch",
which adjusts the content of a doc-comment to prevent a documentation
check from causing FTFBS (no changes to the actual code).

[ Other info ]
For my reference, this proposed version is
https://salsa.debian.org/gnome-team/glib/-/merge_requests/26 v1.

Thanks,
smcv


glib2.0_2.66.8-1+deb11u1_f2310192.diff.gz
Description: application/gzip

Bug#1052227: bookworm-pu (pre-approval): mutter/43.8-0+deb12u1

[Simon McVittie]

On Sat, 23 Sep 2023 at 20:44:14 +0100, Adam D. Barratt wrote:
> On Tue, 2023-09-19 at 11:26 +0100, Simon McVittie wrote:
> > Several new upstream bugfix releases. I've been trying to get these
> > into
> > a suitable state for a stable update since 12.1, but every time I've
> > been testing one long enough to think about asking for upload
> > approval,
> > there have been more bugfixes upstream and the cycle starts again.
> > 
> > This might be the last upstream bugfix release in the 43.x series,
> > or we might get a 43.9.
> > 
> 
> Please go ahead.

To be clear, do you want this and the accompanying gnome-shell update
uploaded in time for 12.2, or should I upload them after 12.2 for inclusion
in 12.3 as I suggested in the request?

I have been asked to roll one additional change into this update: updating
the (non-upstream) triple-buffering patch to its latest version, which
fixes an issue where some session types (Xorg and some video drivers like
Raspberry Pi) would only refresh at 30fps rather than the intended 60fps,
fixing https://bugs.launchpad.net/ubuntu/+source/mutter/+bug/2017137 and
https://bugs.launchpad.net/ubuntu/+source/mutter/+bug/2017097. I have not
tested that change yet, but the equivalent for mutter 44 has been in Ubuntu
since May. After I've tested it in v43 on Debian, would that be OK to
include? The additional diff (beyond what you already saw) will be what's
attached, plus a changelog entry.

Thanks,
smcv
>From b6d4b5bade286b2d3b6d2d9faa348574ad87503d Mon Sep 17 00:00:00 2001
From: Daniel van Vugt 
Date: Mon, 24 Apr 2023 17:42:42 +0800
Subject: [PATCH] clutter/frame-clock: Fall back to triple buffering, not
 double buffering

When the driver doesn't support GPU timestamps (Xorg, Raspberry Pi, others)

https://launchpad.net/bugs/2017137
https://launchpad.net/bugs/2017097
---
 clutter/clutter/clutter-frame-clock.c | 10 +-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/clutter/clutter/clutter-frame-clock.c b/clutter/clutter/clutter-frame-clock.c
index 78f8dde9b4..f89db2582c 100644
--- a/clutter/clutter/clutter-frame-clock.c
+++ b/clutter/clutter/clutter-frame-clock.c
@@ -392,7 +392,15 @@ clutter_frame_clock_compute_max_render_time_us (ClutterFrameClock *frame_clock)
   if (!frame_clock->got_measurements_last_frame ||
   G_UNLIKELY (clutter_paint_debug_flags &
   CLUTTER_DEBUG_DISABLE_DYNAMIC_MAX_RENDER_TIME))
-return refresh_interval_us * SYNC_DELAY_FALLBACK_FRACTION;
+{
+  int64_t ret = refresh_interval_us * SYNC_DELAY_FALLBACK_FRACTION;
+
+  if (!triple_buffering_disabled &&
+  frame_clock->state == CLUTTER_FRAME_CLOCK_STATE_DISPATCHED_ONE)
+ret += refresh_interval_us;
+
+  return ret;
+}
 
   for (i = 0; i < ESTIMATE_QUEUE_LENGTH; ++i)
 {
-- 
2.40.1

Bug#1052068: bookworm-pu: package dbus/1.14.10-1~deb12u1

[Simon McVittie]

Control: tags -1 + d-i

On Sat, 16 Sep 2023 at 21:59:55 +0100, Simon McVittie wrote:
> [ Reason ]
> New upstream bugfix release

I realise this technically needs a d-i ack, since dbus has udebs (for the
benefit of a11y in the graphical installer), although as discussed in
previous stable update requests they are essentially vestigial.

smcv

Bug#1025708: bullseye-pu: package debootstrap/1.0.123+deb11u2

[Simon McVittie]

On Thu, 31 Aug 2023 at 00:12:45 +0100, Simon McVittie wrote:
> [ Reason ]
> The same changes proposed for bookworm in #1050868, but for bullseye.
> Because official buildds that build trixie/sid are not yet all running
> bookworm, we'll need this change in bullseye too.
> 
> I also included the changes that Luca previously proposed on this bug,
> which are backports from bookworm's debootstrap:
> 
> - no longer including usrmerge and its dependencies in the installed
>   system if usr-is-merged would be sufficient, saving ~ 50MB on a minbase
>   image and effectively fixing a regression caused by making
>   usrmerge|usr-is-merged transitively Essential in bookworm (#1025657)
> - enabling merged-/usr on Hurd
> 
> These are technically a behaviour change for bullseye, but we're making
> a larger behaviour change here already, and it aligns the behaviour
> with what we have in bookworm. We could revert those if required, but
> they're really small changes and seem desirable to me: in particular,
> they make the whole merged-/usr code path into the same tested code
> that's in trixie and proposed for bookworm.
> 
> [ Impact ]
> If not accepted, trixie will continue to be stuck in a
> mostly-but-not-entirely merged-/usr limbo, with the moratorium from #1035831
> remaining in place (until all buildds can be upgraded to bookworm).

I'm aware that we're getting close to the deadline for 12.2 and 11.8,
so I've uploaded the proposed version to bullseye-proposed-updates for
easier testing and review. Luca: the proposed version and a signed tag
are available from my fork on salsa (I am not able to push to the d-i
repository for debootstrap). I uploaded with dgit, so the git tree and
the .dsc have been verified to be identical.

If this version is not accepted for whatever reason, then I think we
should treat version 1.0.123+deb11u2 as having been used, and skip
ahead to 1.0.123+deb11u3 for any subsequent bullseye update.
(And if there is a problem with having this version in bullseye-pu for
whatever reason, I'm happy to upload a +deb11u3 that is identical to
1.0.123+deb11u1 except for the changelog.)

Thanks,
smcv

Bug#1050868: bookworm-pu: package debootstrap/1.0.128+nmu2+deb12u1

[Simon McVittie]

On Wed, 30 Aug 2023 at 16:27:12 +0100, Simon McVittie wrote:
> [ Reason ]
> Part of the transition to merged-/usr, and more specifically, allowing
> us to stop shipping files in trixie whose physical path on disk does
> not match their path in the dpkg database due to directory aliasing.
> 
> This change needs to be in bookworm (and bullseye, and maybe buster)
> before that process can continue, because official buildds run debootstrap
> from stable (or older).
> 
> I also took the opportunity to backport changes that make the autopkgtests
> pass.
> 
> [ Impact ]
> If not accepted, trixie will continue to be stuck in a
> mostly-but-not-entirely merged-/usr limbo, with the moratorium from #1035831
> remaining in place.

I'm aware that we're getting close to the deadline for 12.2 and 11.8,
so I've uploaded the proposed version to bookworm-proposed-updates for
easier testing and review. Luca: the proposed version and a signed tag
are available from my fork on salsa (I am not able to push to the d-i
repository for debootstrap). I uploaded with dgit, so the git tree and
the .dsc have been verified to be identical.

If this version is not accepted for whatever reason, then I think we
should treat version 1.0.128+nmu2+deb12u1 as having been used, and skip
ahead to 1.0.128+nmu2+deb12u2 for any subsequent bookworm update.
(And if there is a problem with having this version in bookworm-pu for
whatever reason, I'm happy to upload a +deb12u2 that is identical to
1.0.128+nmu2 except for the changelog.)

Thanks,
smcv

Bug#1052229: bookworm-pu (pre-approval): gnome-shell/43.9-0+deb12u1

[Simon McVittie]

 during scrolling (gnome-shell#6835)
+- Support translated strings in more files
+- Upstream CI adjustments not relevant to Debian
+- All other changes were already in 43.7-1 or 43.7-2
+  * New upstream stable release 43.9
+- Avoid exposing window previews on lock screen via keyboard shortcuts
+  (CVE-2023-43090, gnome-shell#6990; previously fixed for bookworm via
+  patches in 43.6-1~deb12u2)
+- Improve handling of latched vs. locked modes in on-screen keyboard
+  (gnome-shell#5763)
+- Reverse slider direction in RTL locales (gnome-shell#5107)
+- Add missing environment variables required to launch ibus-daemon
+  (gnome-shell#6998)
+- Translation updates
+  * d/patches: Drop patches that were included in the new upstream releases
+
+ -- Simon McVittie   Sun, 17 Sep 2023 16:36:01 +0100
+
+gnome-shell (43.7-2) unstable; urgency=medium
+
+  * Team upload
+  * d/p/main-Leak-the-GJS-context-and-ShellGlobal.patch:
+Add patch from Fedora to skip final cleanup during exit.
+This has been implicated in various crashes during exit, which cause
+gnome-shell to disable extensions during the next startup. Leaking some
+memory at this point does not matter since the process is exiting anyway.
+The crashes during exit are believed to have been fixed in 44.beta, but
+those changes are too intrusive to be suitable for a backport.
+(Closes: #1038972)
+
+ -- Simon McVittie   Thu, 17 Aug 2023 10:46:44 +0100
+
+gnome-shell (43.7-1) unstable; urgency=medium
+
+  * Team upload
+  * New upstream stable release
+- Apply hotspot translation to mouse cursor while using magnifier,
+  fixing an offset between the visble pointer position and the actual
+  pointer (gnome-shell#4584, also fixed in 44.3)
+- Don't log an error when AccountsService signals a change while
+  parental controls are disabled globally
+  (gnome-shell#6749, also fixed in 44.3)
+- Keep rounded corners on the overview's view of the desktop, even
+  after the background image changes
+  (gnome-shell#4125, also fixed in 44.3)
+  * d/patches: Update to upstream gnome-43 branch commit 43.7-1-g0d51f199e
+- Translation update: fa
+  * d/gbp.conf, d/control.in: Use debian/trixie branch
+
+ -- Simon McVittie   Thu, 10 Aug 2023 10:33:35 +0100
+
 gnome-shell (43.6-1~deb12u2) bookworm-security; urgency=high
 
   * Team upload
diff --git a/debian/patches/series b/debian/patches/series
index bed0752ec..cbdcdddc1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,4 +1,2 @@
-screenshot-Do-not-wrongly-enable-window-button.patch
-screenshot-Only-handle-mode-switch-shortcut-when-supporte.patch
 debian/gnome-shell-extension-prefs-Give-Debian-specific-advice.patch
 debian/Revert-build-Port-to-gcr4.patch
diff --git a/js/misc/ibusManager.js b/js/misc/ibusManager.js
index 969556dc2..214db558e 100644
--- a/js/misc/ibusManager.js
+++ b/js/misc/ibusManager.js
@@ -108,17 +108,9 @@ var IBusManager = class extends Signals.EventEmitter {
 
 _spawn(extraArgs = []) {
 try {
-let cmdLine = ['ibus-daemon', '--panel', 'disable', ...extraArgs];
-let env = [];
-
-this._tryAppendEnv(env, 'DBUS_SESSION_BUS_ADDRESS');
-this._tryAppendEnv(env, 'WAYLAND_DISPLAY');
-this._tryAppendEnv(env, 'HOME');
-this._tryAppendEnv(env, 'LANG');
-this._tryAppendEnv(env, 'LC_CTYPE');
-this._tryAppendEnv(env, 'COMPOSE_FILE');
-this._tryAppendEnv(env, 'DISPLAY');
-
+const cmdLine = ['ibus-daemon', '--panel', 'disable', ...extraArgs];
+const launchContext = global.create_app_launch_context(0, -1);
+const env = launchContext.get_environment();
 // Use DO_NOT_REAP_CHILD to avoid adouble-fork internally
 // since ibus-daemon refuses to start with init as its parent.
 const [success_, pid] = GLib.spawn_async(
diff --git a/js/misc/inputMethod.js b/js/misc/inputMethod.js
index e008e6411..e01eac8de 100644
--- a/js/misc/inputMethod.js
+++ b/js/misc/inputMethod.js
@@ -12,6 +12,8 @@ Gio._promisify(IBus.InputContext.prototype,
 
 var HIDE_PANEL_TIME = 50;
 
+const HAVE_REQUIRE_SURROUNDING_TEXT = GObject.signal_lookup('require-surrounding-text', IBus.InputContext);
+
 var InputMethod = GObject.registerClass({
 Signals: {
 'surrounding-text-set': {},
@@ -76,7 +78,6 @@ var InputMethod = GObject.registerClass({
 
 this._context.set_client_commit_preedit(true);
 this._context.connect('commit-text', this._onCommitText.bind(this));
-this._context.connect('require-surrounding-text', this._onRequireSurroundingText.bind(this));
 this._context.connect('delete-surrounding-text', this._onDeleteSurroundingText.bind(this));
 this._context.connect('update-preedit-text-with-mode', this._onUpdatePreeditText.bind(this));
 this._context.connect('show-preedit-text', this

Bug#1052227: bookworm-pu (pre-approval): mutter/43.8-0+deb12u1

[Simon McVittie]

_z_position (pv->actor) == 0)
+  if (pv->is_2d &&
+  (!pv->actor || clutter_actor_get_z_position (pv->actor) == 0))
 {
   /* If the volume/actor are perfectly 2D, take the bounding box as
* good. We won't need to add any extra room for sub-pixel positioning
diff --git a/clutter/clutter/clutter-stage.c b/clutter/clutter/clutter-stage.c
index 7d24cf4a8f..84ae7fc92a 100644
--- a/clutter/clutter/clutter-stage.c
+++ b/clutter/clutter/clutter-stage.c
@@ -152,6 +152,8 @@ enum
   PROP_PERSPECTIVE,
   PROP_TITLE,
   PROP_KEY_FOCUS,
+  PROP_IS_GRABBED,
+
   PROP_LAST
 };
 
@@ -1175,6 +1177,10 @@ clutter_stage_get_property (GObject*gobject,
   g_value_set_object (value, priv->key_focused_actor);
   break;
 
+case PROP_IS_GRABBED:
+  g_value_set_boolean (value, !!priv->topmost_grab);
+  break;
+
 default:
   G_OBJECT_WARN_INVALID_PROPERTY_ID (gobject, prop_id, pspec);
   break;
@@ -1363,6 +1369,17 @@ clutter_stage_class_init (ClutterStageClass *klass)
CLUTTER_PARAM_READWRITE |
G_PARAM_EXPLICIT_NOTIFY);
 
+  /**
+   * ClutterStage:is-grabbed:
+   *
+   * %TRUE if there is currently an active grab on the stage.
+   */
+  obj_props[PROP_IS_GRABBED] =
+  g_param_spec_boolean ("is-grabbed", NULL, NULL,
+FALSE,
+CLUTTER_PARAM_READABLE |
+G_PARAM_EXPLICIT_NOTIFY);
+
   g_object_class_install_properties (gobject_class, PROP_LAST, obj_props);
 
   /**
@@ -3787,6 +3804,7 @@ clutter_stage_grab (ClutterStage *stage,
 {
   ClutterStagePrivate *priv;
   ClutterGrab *grab;
+  gboolean was_grabbed;
 
   g_return_val_if_fail (CLUTTER_IS_STAGE (stage), NULL);
   g_return_val_if_fail (CLUTTER_IS_ACTOR (actor), NULL);
@@ -3815,6 +3833,8 @@ clutter_stage_grab (ClutterStage *stage,
   grab->prev = NULL;
   grab->next = priv->topmost_grab;
 
+  was_grabbed = !!priv->topmost_grab;
+
   if (priv->topmost_grab)
 priv->topmost_grab->prev = grab;
 
@@ -3822,6 +3842,9 @@ clutter_stage_grab (ClutterStage *stage,
   clutter_actor_attach_grab (actor, grab);
   clutter_stage_notify_grab (stage, grab, grab->next);
 
+  if (was_grabbed != !!priv->topmost_grab)
+g_object_notify_by_pspec (G_OBJECT (stage), obj_props[PROP_IS_GRABBED]);
+
   return grab;
 }
 
@@ -3831,6 +3854,7 @@ clutter_stage_unlink_grab (ClutterStage *stage,
 {
   ClutterStagePrivate *priv = stage->priv;
   ClutterGrab *prev, *next;
+  gboolean was_grabbed;
 
   /* This grab is already detached */
   if (!grab->prev && !grab->next && priv->topmost_grab != grab)
@@ -3844,6 +3868,8 @@ clutter_stage_unlink_grab (ClutterStage *stage,
   if (next)
 next->prev = prev;
 
+  was_grabbed = !!priv->topmost_grab;
+
   if (priv->topmost_grab == grab)
 {
   /* This is the active grab */
@@ -3866,6 +3892,9 @@ clutter_stage_unlink_grab (ClutterStage *stage,
   priv->grab_state = CLUTTER_GRAB_STATE_NONE;
 }
 
+  if (was_grabbed != !!priv->topmost_grab)
+g_object_notify_by_pspec (G_OBJECT (stage), obj_props[PROP_IS_GRABBED]);
+
   grab->next = NULL;
   grab->prev = NULL;
 }
diff --git a/cogl/cogl/driver/gl/cogl-gl-framebuffer-fbo.c b/cogl/cogl/driver/gl/cogl-gl-framebuffer-fbo.c
index c8db6a23a2..7cc5377637 100644
--- a/cogl/cogl/driver/gl/cogl-gl-framebuffer-fbo.c
+++ b/cogl/cogl/driver/gl/cogl-gl-framebuffer-fbo.c
@@ -76,7 +76,7 @@ ensure_bits_initialized (CoglGlFramebufferFbo *gl_framebuffer_fbo)
 COGL_FRAMEBUFFER_STATE_BIND);
 
 #ifdef HAVE_COGL_GL
-  if (!_cogl_has_private_feature (ctx, COGL_PRIVATE_FEATURE_QUERY_FRAMEBUFFER_BITS))
+  if (_cogl_has_private_feature (ctx, COGL_PRIVATE_FEATURE_QUERY_FRAMEBUFFER_BITS))
 {
   const struct {
 GLenum attachment, pname;
diff --git a/debian/changelog b/debian/changelog
index eeabc8782b..2deb81868d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,66 @@
+mutter (43.8-0+deb12u1) UNRELEASED; urgency=medium
+
+  * d/control.in, d/gbp.conf: Use debian/bookworm branch
+  * Apply changes from 43.7-2 to bookworm
+(Closes: #1035092, #1049934, #1042055)
+  * New upstream stable release 43.8
+- Fix the ability to drag libdecor windows by their title bar on
+  touchscreens (mutter#2872)
+- Fix flickering and rendering artifacts when using software rendering,
+  for example on older Intel hardware unsupported by the Gallium i915
+  driver (mutter#2602)
+- Improve GNOME Shell app grid performance by avoiding repainting
+  monitors other than the one it is displayed on
+  (partially fixes gnome-shell#6819)
+- Upstream CI adjustments not relevant to Debian
+- All other changes were previously included in 43.7-1, 43.7-2
+  * d/patches: Drop patches that were included in the upstream release
+
+ -- Simon McVittie   Thu, 14 Sep

Bug#1052068: bookworm-pu: package dbus/1.14.10-1~deb12u1

[Simon McVittie]

1 +373,35 @@
  * @param uid the UID
  * @param group_ids return location for array of group IDs
  * @param n_group_ids return location for length of returned array
+ * @param error error to fill in on failure
  * @returns #TRUE if the UID existed and we got some credentials
  */
 dbus_bool_t
 _dbus_groups_from_uid (dbus_uid_t uid,
dbus_gid_t   **group_ids,
-   int   *n_group_ids)
+   int   *n_group_ids,
+   DBusError *error)
 {
   DBusUserDatabase *db;
   const DBusUserInfo *info;
   *group_ids = NULL;
   *n_group_ids = 0;
 
-  /* FIXME: this can't distinguish ENOMEM from other errors */
   if (!_dbus_user_database_lock_system ())
-return FALSE;
+{
+  _DBUS_SET_OOM (error);
+  return FALSE;
+}
 
   db = _dbus_user_database_get_system ();
   if (db == NULL)
 {
+  _DBUS_SET_OOM (error);
   _dbus_user_database_unlock_system ();
   return FALSE;
 }
 
-  if (!_dbus_user_database_get_uid (db, uid,
-, NULL))
+  if (!_dbus_user_database_get_uid (db, uid, , error))
 {
   _dbus_user_database_unlock_system ();
   return FALSE;
@@ -410,6 +414,7 @@
   *group_ids = dbus_new (dbus_gid_t, info->n_group_ids);
   if (*group_ids == NULL)
 {
+  _DBUS_SET_OOM (error);
 	  _dbus_user_database_unlock_system ();
   return FALSE;
 }
diff -Nru dbus-1.14.8/debian/20dbus_xdg-runtime dbus-1.14.10/debian/20dbus_xdg-runtime
--- dbus-1.14.8/debian/20dbus_xdg-runtime	2023-07-11 20:59:33.0 +0100
+++ dbus-1.14.10/debian/20dbus_xdg-runtime	2023-09-16 11:03:58.0 +0100
@@ -20,5 +20,9 @@
   # to put a minimal subset of the Xsession's environment in activated
   # services' environments
   dbus-update-activation-environment --verbose --systemd \
-DBUS_SESSION_BUS_ADDRESS DISPLAY XAUTHORITY
+DBUS_SESSION_BUS_ADDRESS \
+DISPLAY \
+XAUTHORITY \
+XDG_CURRENT_DESKTOP \
+${NULL+}
 fi
diff -Nru dbus-1.14.8/debian/changelog dbus-1.14.10/debian/changelog
--- dbus-1.14.8/debian/changelog	2023-07-11 20:59:33.0 +0100
+++ dbus-1.14.10/debian/changelog	2023-09-16 11:03:58.0 +0100
@@ -1,3 +1,29 @@
+dbus (1.14.10-1~deb12u1) bookworm; urgency=medium
+
+  * Rebuild for bookworm
+
+ -- Simon McVittie   Sat, 16 Sep 2023 11:03:58 +0100
+
+dbus (1.14.10-1) unstable; urgency=medium
+
+  * New upstream stable release
+- Fix a dbus-daemon crash during policy reload if a connection belongs
+  to a user account that has been deleted, or if a Name Service Switch
+  plugin is broken, on kernels not supporting SO_PEERGROUPS
+- Report the error correctly if getting the groups of a uid fails
+- If a connection has a primary group ID but no supplementary groups,
+  report the primary group ID in GetConnectionCredentials()
+  UnixGroupIDs field
+  * dbus-user-session: Copy XDG_CURRENT_DESKTOP to activation environment.
+Previously this was only done if dbus-x11 was installed.
+This is needed by various freedesktop.org specifications, in particular
+for xdg-desktop-portal (>= 1.17) to choose the correct portal backend
+for a desktop session. Some session managers like gnome-session and
+plasma-workspace already upload this into the activation environment,
+but many older or simpler session managers do not.
+
+ -- Simon McVittie   Fri, 01 Sep 2023 15:41:38 +0100
+
 dbus (1.14.8-2~deb12u1) bookworm; urgency=medium
 
   * Rebuild for bookworm
diff -Nru dbus-1.14.8/NEWS dbus-1.14.10/NEWS
--- dbus-1.14.8/NEWS	2023-06-06 14:00:36.0 +0100
+++ dbus-1.14.10/NEWS	2023-09-01 15:30:45.0 +0100
@@ -1,3 +1,22 @@
+dbus 1.14.10 (2023-09-01)
+=
+
+Bug fixes:
+
+• Avoid a dbus-daemon crash if re-creating a connection's policy fails.
+  If it isn't possible to re-create its policy (for example if it belongs
+  to a user account that has been deleted or if the Name Service Switch is
+  broken, on a system not supporting SO_PEERGROUPS), we now log a warning,
+  continue to use its current policy, and continue to reload other
+  connections' policies. (dbus#343; Peter Benie, Simon McVittie)
+
+• If getting the groups from a user ID fails, report the error correctly,
+  instead of logging "(null)" (dbus#343, Simon McVittie)
+
+• Return the primary group ID in GetConnectionCredentials()' UnixGroupIDs
+  field for processes with a valid-but-empty supplementary group list
+  (dbus!422, cptpcrd)
+
 dbus 1.14.8 (2023-06-06)
 
 
diff -Nru dbus-1.14.8/test/CMakeLists.txt dbus-1.14.10/test/CMakeLists.txt
--- dbus-1.14.8/test/CMakeLists.txt	2023-02-08 12:04:02.0 +
+++ dbus-1.14.10/test/CMakeLists.txt	2023-09-01 15:23:58.0 +0100
@@ -201,6 +201,7 @@
 add_test_executable(test-sysdeps internals/sysdeps.c ${TEST_LIBRARIES})
 add_test_executable(test-sys

Bug#1050071: llvm-defaults: move to 16

[Simon McVittie]

On Mon, 11 Sep 2023 at 19:46:07 +0300, Timo Aaltonen wrote:
> Simon McVittie kirjoitti 11.9.2023 klo 12.36:
> > I've opened a Mesa bug at wishlist severity suggesting a move to version
> > 16, and set it to block the bug for llvm-toolchain-15 removal (#1050070).
> 
> The remaining blocker for this is that using llvm-16 requires a newer
> bindgen, and the latest upstream version split the cli separate, so that
> needs to be packaged (has been done AIUI) and processed through NEW first,
> see:
> 
> https://salsa.debian.org/rust-team/debcargo-conf/-/issues/50

Does this block a general swap of the defaults from 14 to 16, or is it
just a blocker for Mesa moving to 16 as a result of something Mesa-specific?

Is there / does there need to be a transition tracking bug for this?

Perhaps to avoid the trip through NEW it would be pragmatic to make
rust-bindgen be temporarily or permanently a multiple-upstream-tarball
binary package that combines the upstream projects bindgen and
bindgen-cli, avoiding needing to wait for NEW on the critical path?

Thanks,
smcv

Bug#1050071: llvm-defaults: move to 16

[Simon McVittie]

On Sat, 09 Sep 2023 at 12:03:10 +0200, Sebastian Ramacher wrote:
> And one more issue: llvm-toolchain-16 does not build python3-lldb-16 on
> mips64el, rendering python3-lldb uninstallable there.

I think this is actually a non-issue? python3-lldb:mips64el is no longer
built from llvm-defaults/unstable (and it wasn't present in bookworm).

There is an old python3-lldb:mips64el_1:13.0-53 binary in unstable, but
it's already uninstallable. I've opened a ftp team bug asking for it to
be removed to reduce confusion (ideally this should have been done as part
of dropping the lldb-related packages from mips64el, before bookworm).

smcv

Bug#1050071: llvm-defaults: move to 16

[Simon McVittie]

On Sat, 19 Aug 2023 at 10:39:44 +0200, Sylvestre Ledru wrote:
> llvm-defaults has been pointing to 16 in experimental for quite sometime.
> Opening this transition to make sure it is on your radar! :)
> 
> I opened bug #1050070 & #1050069 for future removals.

Mesa is a significant user of LLVM, and hard-codes its own non-default
version of LLVM which often runs ahead of the default (currently 15).
It seems to be relatively common for a LLVM version upgrade to cause
regressions or uninstallability on at least one architecture, and also
relatively common for a LLVM version upgrade to be necessary to unblock
features or bug fixes in Mesa, which I assume is why the Mesa maintainers
have felt the need to control this themselves.

Should Mesa try moving to -16 *before* the default changes? It would
seem unhelpful to move the rest of the distribution to a version that
Mesa can't use for whatever reason.

I've opened a Mesa bug at wishlist severity suggesting a move to version
16, and set it to block the bug for llvm-toolchain-15 removal (#1050070).

smcv

Bug#1051580: bookworm-pu: package gtk+3.0/3.24.38-2~deb12u1

[Simon McVittie]

k+3.0-3.24.38/debian/changelog	2023-09-09 20:30:40.0 +0100
@@ -1,3 +1,55 @@
+gtk+3.0 (3.24.38-2~deb12u1) bookworm; urgency=medium
+
+  * Rebuild new upstream release 3.24.38 for Debian 12
+  * Changes since 3.24.37-2 in initial Debian 12 release:
+- Fix application crash with "Couldn't find current GLX or EGL context"
+  under unknown circumstances (gtk#5711 upstream, regression in 3.24.37)
+- Fix a gnome-flashback crash when taking screenshots
+  (gtk#5691, regression in 3.24.37)
+- Fix application crash when running under Wayland with the
+  cursor-theme-size GSetting set to 0 (gtk#5700)
+- Ensure apps launched under Wayland after setting
+  org.gtk.Settings.Modules will load the desired modules at startup
+  (gtk!5733)
+- Don't crash in Wayland environments that don't implement
+  xdg_activation_v1, such as Enlightenment (Closes: #1043000)
+- Fix a crash in gtk_application_set_screensaver_active() during
+  app exit (gtk#5775)
+- Silence GFileInfo warnings if used with a backported version of GLib
+  (gtk!5645)
+- Use a light colour for the caret in dark themes, making it much
+  easier to see in some apps, in particular Evince (evince#1842)
+- Show more information in the "inspector" debugging interface: Pango
+  backend, input method module (gtk!5706, gtk#4512)
+- Fix broken links in documentation (gtk!5718)
+- Update documentation to discourage use of
+  gdk_pixbuf_get_from_window() (gtk#5691)
+- Translation updates: ab, bg, ca, da, de, es, eu, fa, fr, gl, he, hu,
+  id, it, ka, ko, lt, nl, pl, pt, pt_BR, ru, sl, sr, sv, tr, uk
+- testsuite: Disable some reftests that are not reliable
+- Windows-specific changes not relevant to Debian
+- macOS-specific (Quartz) changes not relevant to Debian
+- d/p/Update-Galician-translation.patch,
+  d/p/Update-Hebrew-translation.patch,
+  d/p/selection-Use-the-right-mime-type.patch:
+  Drop patches that were included in 3.24.38
+
+ -- Simon McVittie   Sat, 09 Sep 2023 20:30:40 +0100
+
+gtk+3.0 (3.24.38-2) unstable; urgency=medium
+
+  * Release to unstable
+
+ -- Jeremy Bícha   Sun, 23 Jul 2023 16:14:18 -0400
+
+gtk+3.0 (3.24.38-1) experimental; urgency=medium
+
+  [ Jeremy Bícha ]
+  * New upstream release
+  * Drop 3 patches applied in new release
+
+ -- Jeremy Bícha   Mon, 22 May 2023 13:35:52 -0400
+
 gtk+3.0 (3.24.37-2) unstable; urgency=medium
 
   * d/p/selection-Use-the-right-mime-type.patch:
diff -Nru gtk+3.0-3.24.37/debian/control gtk+3.0-3.24.38/debian/control
--- gtk+3.0-3.24.37/debian/control	2023-03-08 14:52:40.0 +
+++ gtk+3.0-3.24.38/debian/control	2023-09-09 20:30:40.0 +0100
@@ -2,7 +2,7 @@
 Section: libs
 Priority: optional
 Maintainer: Debian GNOME Maintainers 
-Uploaders: Simon McVittie , Jeremy Bicha 
+Uploaders: Simon McVittie , Dmitry Shachnev 
 Build-Depends: adwaita-icon-theme-full ,
at-spi2-core ,
dbus-daemon ,
@@ -61,7 +61,7 @@
 Rules-Requires-Root: no
 Standards-Version: 4.6.2
 Vcs-Browser: https://salsa.debian.org/gnome-team/gtk3
-Vcs-Git: https://salsa.debian.org/gnome-team/gtk3.git
+Vcs-Git: https://salsa.debian.org/gnome-team/gtk3.git -b debian/bookworm
 Homepage: https://www.gtk.org/
 
 Package: libgtk-3-0
diff -Nru gtk+3.0-3.24.37/debian/control.in gtk+3.0-3.24.38/debian/control.in
--- gtk+3.0-3.24.37/debian/control.in	2023-03-08 14:52:40.0 +
+++ gtk+3.0-3.24.38/debian/control.in	2023-09-09 20:30:40.0 +0100
@@ -61,7 +61,7 @@
 Rules-Requires-Root: no
 Standards-Version: 4.6.2
 Vcs-Browser: https://salsa.debian.org/gnome-team/gtk3
-Vcs-Git: https://salsa.debian.org/gnome-team/gtk3.git
+Vcs-Git: https://salsa.debian.org/gnome-team/gtk3.git -b debian/bookworm
 Homepage: https://www.gtk.org/
 
 Package: @SHARED_PKG@
diff -Nru gtk+3.0-3.24.37/debian/gbp.conf gtk+3.0-3.24.38/debian/gbp.conf
--- gtk+3.0-3.24.37/debian/gbp.conf	2023-03-08 14:52:40.0 +
+++ gtk+3.0-3.24.38/debian/gbp.conf	2023-09-09 20:30:40.0 +0100
@@ -1,6 +1,6 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = debian/master
+debian-branch = debian/bookworm
 upstream-branch = upstream/latest
 
 [buildpackage]
diff -Nru gtk+3.0-3.24.37/debian/patches/series gtk+3.0-3.24.38/debian/patches/series
--- gtk+3.0-3.24.37/debian/patches/series	2023-03-08 14:52:40.0 +
+++ gtk+3.0-3.24.38/debian/patches/series	2023-09-09 20:30:40.0 +0100
@@ -1,6 +1,3 @@
-selection-Use-the-right-mime-type.patch
-Update-Hebrew-translation.patch
-Update-Galician-translation.patch
 016_no_offscreen_widgets_grabbing.patch
 017_no_offscreen_device_grabbing.patch
 060_ignore-random-icons.patch
diff -Nru gtk+3.0-3.24.37/gdk/gdkgl.c gtk+3.0-3.24.38/gdk/gdkgl.c
--- gtk+3.0-3.24.37/gdk/gdkgl.c	2023-03-03 00:31:52.0 +
+++ gtk+3.0-3.24.38/gdk/gdkgl.c	2023-05-22 03:22:08.0 +0100
@@ -367,7 +367,7 @@
 
   clip

Bug#1051578: bookworm-pu: package gtk4/4.8.3+ds-2+deb12u1

[Simon McVittie]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: g...@packages.debian.org
Control: affects -1 + src:gtk4

[ Reason ]
User request in #1043261

[ Impact ]
Parts of the left sidebar in the file chooser dialog (File -> Open,
File -> Save As) are truncated if the window is narrow or the sidebar
contains items with a long name, especially if the accessibility option
for larger-than-default font size is turned on.

[ Tests ]
A prerelease (equivalent except for the changelog and version number) is
available in https://people.debian.org/~smcv/12.2/pool/main/g/gtk4/, and I
have been using it for a couple of weeks on two bookworm GNOME machines
(a gaming desktop and my partner's laptop) with no obvious regressions.

I was able to reproduce something resembling the bug report on bookworm,
and I confirm that this change avoided it.

The same change was in 4.9.3 in experimental and 4.10.x in testing/unstable.

[ Risks ]
I would say this is low risk: it's a targeted fix backported from
upstream, and all it does is to set the ellipsize property on more rows.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
debian/patches/placessidebar-Make-all-rows-ellipsize.patch,
gtk/gtksidebarrow.c, gtk/ui/gtksidebarrow.ui:
Fix #1043261

debian/patches/gdk-x11-Reset-all-scroll-valuators-on-enter.patch:
Metadata changes only, no functional change

d/control.in, d/control, d/gbp.conf, d/watch:
Branch-related trivialities because this is the first bookworm update
for gtk4

[ Other info ]
There are various other fixes queued up on upstream's gtk-4-8 branch,
but I don't think they are going to do a 4.8.4 release with those fixes
included, or any particular QA of their own. We cannot directly test
4.8.x changes in testing/unstable any more, because testing/unstable
have been updated to the 4.10.x and then 4.12.x branches already.

If I find the time to assess impact vs risk for the rest of the gtk-4-8
changes, I'll propose another bookworm update with some or all of them -
but that doesn't seem likely to happen any time soon, and I hope that
reviewing more than one update won't increase the stable release team's
workload too much when compared with a single large cumulative update?

Thanks,
smcv
diffstat for gtk4-4.8.3+ds gtk4-4.8.3+ds

 debian/changelog |   11 ++
 debian/control   |2 
 debian/control.in|2 
 debian/gbp.conf  |2 
 debian/patches/gdk-x11-Reset-all-scroll-valuators-on-enter.patch |3 
 debian/patches/placessidebar-Make-all-rows-ellipsize.patch   |   46 ++
 debian/patches/series|3 
 debian/watch |2 
 gtk/gtksidebarrow.c  |5 -
 gtk/ui/gtksidebarrow.ui  |1 
 10 files changed, 67 insertions(+), 10 deletions(-)

diff -Nru gtk4-4.8.3+ds/debian/changelog gtk4-4.8.3+ds/debian/changelog
--- gtk4-4.8.3+ds/debian/changelog	2023-02-04 15:14:39.0 +
+++ gtk4-4.8.3+ds/debian/changelog	2023-09-09 20:32:02.0 +0100
@@ -1,3 +1,14 @@
+gtk4 (4.8.3+ds-2+deb12u1) bookworm; urgency=medium
+
+  * d/p/placessidebar-Make-all-rows-ellipsize.patch:
+Add patch from upstream gtk-4-8 branch to fix truncation in places
+sidebar with large text accessibility setting (Closes: #1043261)
+  * d/patches: Mark patch for #1029972 as also applied for 4.8.4
+  * d/watch: Only watch for versions 4.8.x for bookworm
+  * d/gbp.conf, d/control.in: Switch packaging branch to debian/bookworm
+
+ -- Simon McVittie   Sat, 09 Sep 2023 20:32:02 +0100
+
 gtk4 (4.8.3+ds-2) unstable; urgency=medium
 
   [ Jeremy Bicha ]
diff -Nru gtk4-4.8.3+ds/debian/control gtk4-4.8.3+ds/debian/control
--- gtk4-4.8.3+ds/debian/control	2023-02-04 15:14:39.0 +
+++ gtk4-4.8.3+ds/debian/control	2023-09-09 20:32:02.0 +0100
@@ -79,7 +79,7 @@
 Rules-Requires-Root: no
 Standards-Version: 4.6.2
 Vcs-Browser: https://salsa.debian.org/gnome-team/gtk4
-Vcs-Git: https://salsa.debian.org/gnome-team/gtk4.git
+Vcs-Git: https://salsa.debian.org/gnome-team/gtk4.git -b debian/bookworm
 Homepage: https://www.gtk.org/
 
 Package: libgtk-4-1
diff -Nru gtk4-4.8.3+ds/debian/control.in gtk4-4.8.3+ds/debian/control.in
--- gtk4-4.8.3+ds/debian/control.in	2023-02-04 15:14:39.0 +
+++ gtk4-4.8.3+ds/debian/control.in	2023-09-09 20:32:02.0 +0100
@@ -79,7 +79,7 @@
 Rules-Requires-Root: no
 Standards-Version: 4.6.2
 Vcs-Browser: https://salsa.debian.org/gnome-team/gtk4
-Vcs-Git:

Bug#1051576: bookworm-pu: package gjs/1.74.2-1+deb12u1

[Simon McVittie]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: g...@packages.debian.org
Control: affects -1 + src:gjs

[ Reason ]
#1034356

[ Impact ]
If there is a particular category of programming error (something
not disconnecting all of its signal/idle/timeout handlers when it
should, for example #1049947 which seems most likely to be a bug in
gnome-shell-extension-vertical-overview) then the failure mode is an
infinite loop of assertion messages/stack traces, flooding the log and
(in the case of GNOME Shell) freezing the UI. With the change proposed
in this update, it should instead log O(1) assertion messages and stack
traces, then continue normally, avoiding the infinite loop.

[ Tests ]
A prerelease (equivalent except for the changelog and version number) is
available in https://people.debian.org/~smcv/12.2/pool/main/g/gjs/, and I
have been using it for a couple of weeks on two bookworm GNOME machines
(a gaming desktop and my partner's laptop) with no obvious regressions.

The submitter of #1034356/#1049947 has been testing the same prerelease
for 2 weeks, but they do not know how to reproduce the bug on-demand,
so it is not immediately clear whether it has been fixed. I sent a
reminder today asking them to report their test results.

The same change has been in unstable since 17 August with no obvious
regressions, and should be released in upstream 1.78.0 soon.

[ Risks ]
I would say this is low risk: it's a targeted fix backported from
upstream, changing the order of some operations so that on a programming
error, callbacks reliably return a zero-filled value (usually 0 or NULL)
instead of whatever happens to be in uninitialized memory.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
All changes are for #1034356.
diffstat for gjs-1.74.2 gjs-1.74.2

 debian/changelog  |   12 +
 debian/patches/function-Always-initialize-callback-return-value.patch |   66 ++
 debian/patches/series |1 
 gi/function.cpp   |   18 +-
 4 files changed, 87 insertions(+), 10 deletions(-)

diff -Nru gjs-1.74.2/debian/changelog gjs-1.74.2/debian/changelog
--- gjs-1.74.2/debian/changelog	2023-02-21 12:13:29.0 +
+++ gjs-1.74.2/debian/changelog	2023-09-09 20:29:21.0 +0100
@@ -1,3 +1,15 @@
+gjs (1.74.2-1+deb12u1) bookworm; urgency=medium
+
+  * d/p/function-Always-initialize-callback-return-value.patch:
+Add patch backported from upstream 1.77.1 avoiding infinite loops
+of idle callbacks if an idle handler is called during GC. The most
+common reason for this is if a GNOME Shell extension incorrectly does
+not disconnect all of its signal/idle/timeout handlers. This change
+mitigates the infinite loop and associated log flooding, but does not
+fix the extension behaviour. (Closes: #1034356)
+
+ -- Simon McVittie   Sat, 09 Sep 2023 20:29:21 +0100
+
 gjs (1.74.2-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru gjs-1.74.2/debian/patches/function-Always-initialize-callback-return-value.patch gjs-1.74.2/debian/patches/function-Always-initialize-callback-return-value.patch
--- gjs-1.74.2/debian/patches/function-Always-initialize-callback-return-value.patch	1970-01-01 01:00:00.0 +0100
+++ gjs-1.74.2/debian/patches/function-Always-initialize-callback-return-value.patch	2023-09-09 20:29:21.0 +0100
@@ -0,0 +1,66 @@
+From: Sebastian Keller 
+Date: Thu, 16 Mar 2023 22:35:49 +0100
+Subject: function: Always initialize callback return value
+
+When callback_closure() exits early, for example due to being called
+during GC, the return value would not be initialized. This value is
+often non-zero. If the callback is a source func of an idle or a timeout
+this would then get interpreted as G_SOURCE_CONTINUE and the same would
+repeat in the next iteration. If this happens fast enough, this results
+in the entire process being seemingly frozen while spamming the log with
+error messages.
+
+To fix this always initialize the return value to 0 or a comparable
+neutral value.
+
+Related: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/1868
+Bug-Debian: https://bugs.debian.org/1034356
+Forwarded: https://gitlab.gnome.org/GNOME/gjs/-/merge_requests/832
+Applied-upstream: 1.77.1, commit:c925d91e5d018f38b0f66d0ac592274d4b007efb
+---
+ gi/function.cpp | 18 --
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/gi/function.cpp b/gi/function.cpp
+index 08a0ea2..2fe4b2c 100644
+--- a/gi/function.cpp
 b/gi/function.cpp
+@@ -287,6 +287,14 @@ void GjsCallbackTrampoline::warn_about_illegal_js_callback(const char* when,
+ void

Bug#1050872: release.debian.org: mips64el apparently relies on buster (oldoldstable) LTS?

[Simon McVittie]

On Thu, 31 Aug 2023 at 08:30:00 +0200, Aurelien Jarno wrote:
> This has already been discussed on IRC that you should not worry about
> debootstrap for buster, provide you leave us ~1 month. Not sure yet what
> we'll do, it could be your option, stopping the buildds as discussed on
> IRC, or maybe yet another option.

Thank you! (I was not part of that IRC conversation.)

Some of the forward progress with DEP-17 is blocked by getting an updated
debootstrap into 12.2 and 11.8, which are planned for 2023-10-07 if I
understand correctly, so resolving this within the next month would take
mips64el off the critical path.

Another option that occurred to me would be that the affected buildds
could perhaps be upgraded to bullseye user-space, but with the kernel
metapackage held back to buster's? Obviously that's not ideal (no
kernel security updates) but at least that way they'd have user-space
security updates to components like sshd, together with the same
schroot/sbuild/debootstrap behaviours as most of the other architectures'
buildds.

smcv

Bug#1050872: release.debian.org: mips64el apparently relies on buster (oldoldstable) LTS?

[Simon McVittie]

On Wed, 30 Aug 2023 at 21:26:24 +0200, Aurelien Jarno wrote:
> On 2023-08-30 16:54, Simon McVittie wrote:
> > Luca Boccassi and I have been preparing stable and oldstable updates for
> > debootstrap so that the transition described in DEP-17 can continue.
> > Because DEP-17 involves changes to trixie/sid chroots' bootstrap
> > procedures, the updated debootstrap needs to be deployable to every
> > official buildd
>
> We have issues running [bookworm?] and bullseye kernels on
> some arm32 and mips*el buildds. The problem on arm has been solved by
> decommissioning the hardware or by hosts dying. We still have problems
> with a big part of the mips*el hosts.

Would it be possible to make an exception to the usual rule that buildds
get their debootstrap from (old)stable point releases, and manually
install a newer debootstrap (the version proposed for bullseye should
be suitable) onto the affected mips*el machines? I see that they already
have a newer-than-buster version of sbuild, possibly from the
buster-backports suite (which was discontinued when buster was handed over
to the LTS team).

I would prefer not to spend time preparing and testing a special buster
version of debootstrap and negotiating with the Debian 10 LTS team to get
it into buster/updates in the security archive; and it's not clear to
me that there is actually any apt repository that we could put it into
that would be accepted by the affected buildds, because buster is read-only
in the main Debian archive, and debian-security no longer has
dists/buster/updates/main/binary-mips64el at all?

(debian-security does have binary-all, and debootstrap is Architecture:
all, but I'm not sure how much that would help us with buster's apt, since
separate Packages files for binary-all seem to be a relatively new thing.)

> > From the point of view of the project having control over its own future,
> > I would have hoped that official Debian infrastructure would only be using
> > suites that are supported by Debian as a whole, rather than handing over
> > control and responsibility to the Debian-LTS subproject.

Sam Hartman pointed out on #debian-devel that this is worse than I thought,
because Debian-LTS doesn't cover mips*el. So as far as I can see, there is
no channel that gets security updates onto these buildds at all?

smcv

Bug#1025708: bullseye-pu: package debootstrap/1.0.123+deb11u2

[Simon McVittie]

3+deb11u1/debian/changelog	2022-07-28 12:04:03.0 +0100
+++ debootstrap-1.0.123+deb11u2/debian/changelog	2023-08-30 22:34:37.0 +0100
@@ -1,3 +1,47 @@
+debootstrap (1.0.123+deb11u2) bullseye; urgency=medium
+
+  * Non-maintainer upload targeting Debian 11, with maintainer approval
+from Luca Boccassi.
+
+  [ Samuel Thibault ]
+  * Enable usrmerge on hurd-i386 too
+
+  [ Ansgar, Tianon Gravi ]
+  * debian-common: exclude usrmerge and its dependencies when installing
+usr-is-merged. These are not needed on systems where /usr is already
+merged, and avoiding them saves around 50M in a minbase installation.
+(Closes: #1025657)
+
+  [ Hideki Yamane ]
+  * Add support for bootstrapping trixie
+
+  [ Simon McVittie, Luca Boccassi ]
+  * Backport merged-/usr support changes from trixie:
+- Implement merged-/usr by post-merging.
+  This changes the bootstrap order so that it will be possible for a
+  future version of base-files in trixie/sid to take responsibility for
+  creating the /bin, /sbin, /lib* symlinks, and is a prerequisite for
+  lifting the moratorium imposed by #1035831.
+  (Closes: #1049898; implementation by Helmut Grohne)
+- functions: Reinstate setup_merged_usr() as it existed before
+  fixing #1049898, for backwards-compatibility with older versions of
+  mmdebstrap.
+- functions: Default to merged-/usr for suites newer than bookworm,
+  even for the buildd profile. This allows packages targeting trixie
+  to assume that merged-/usr is the only layout possible, and is a
+  prerequisite for lifting the moratorium imposed by #1035831.
+- Mention --merged-usr in --help output. (Closes: #1031828)
+  * Backport autopkgtest regression fixes from trixie:
+- Revert fake/schroot-1.6.10-3 to an accurate emulation of the
+  behaviour of schroot 1.6.10-3 (Closes: #983311)
+- Document schroot 1.6.10-3 with the default profile as expected to
+  fail to use /dev/pts in a lxc >= 3 or Docker container; this is a
+  schroot bug (#983423) and not a debootstrap bug
+- With these changes, the autopkgtest is confirmed to pass in
+  autopkgtest-virt-qemu (Closes: #983197)
+
+ -- Simon McVittie   Wed, 30 Aug 2023 22:34:37 +0100
+
 debootstrap (1.0.123+deb11u1) bullseye; urgency=medium
 
   * Non-maintainer upload.
diff -Nru debootstrap-1.0.123+deb11u1/debian/gbp.conf debootstrap-1.0.123+deb11u2/debian/gbp.conf
--- debootstrap-1.0.123+deb11u1/debian/gbp.conf	2022-07-13 23:17:17.0 +0100
+++ debootstrap-1.0.123+deb11u2/debian/gbp.conf	2023-08-30 22:34:37.0 +0100
@@ -1,2 +1,3 @@
-[buildpackage]
+[DEFAULT]
 debian-tag = %(version)s
+debian-branch = bullseye
diff -Nru debootstrap-1.0.123+deb11u1/debian/.gitignore debootstrap-1.0.123+deb11u2/debian/.gitignore
--- debootstrap-1.0.123+deb11u1/debian/.gitignore	1970-01-01 01:00:00.0 +0100
+++ debootstrap-1.0.123+deb11u2/debian/.gitignore	2023-08-30 22:34:37.0 +0100
@@ -0,0 +1,6 @@
+debootstrap
+debootstrap-udeb
+files
+*.debhelper.log
+*.substvars
+
diff -Nru debootstrap-1.0.123+deb11u1/debian/salsa-ci.yml debootstrap-1.0.123+deb11u2/debian/salsa-ci.yml
--- debootstrap-1.0.123+deb11u1/debian/salsa-ci.yml	2022-07-13 23:17:17.0 +0100
+++ debootstrap-1.0.123+deb11u2/debian/salsa-ci.yml	2023-08-30 22:34:37.0 +0100
@@ -6,3 +6,4 @@
 variables:
   SALSA_CI_DISABLE_BLHC: 1
   SALSA_CI_DISABLE_BUILD_PACKAGE_ANY: 1
+  RELEASE: 'bullseye'
diff -Nru debootstrap-1.0.123+deb11u1/debian/tests/debian-testing debootstrap-1.0.123+deb11u2/debian/tests/debian-testing
--- debootstrap-1.0.123+deb11u1/debian/tests/debian-testing	2022-07-13 23:17:17.0 +0100
+++ debootstrap-1.0.123+deb11u2/debian/tests/debian-testing	2023-08-30 22:34:37.0 +0100
@@ -132,12 +132,31 @@
 cat /etc/debian_version)]),
 $reference);
 
-check_fake_schroot(%params, reference => $reference);
+# The schroot behaviour proposed to fix #856877 and #983423 works,
+# even inside (privileged) lxc.
 check_fake_schroot(%params, reference => $reference, version => 'proposed');
 check_fake_schroot(%params, reference => $reference, version => 'proposed',
 extra_argv => ['--sbuild']);
 
-# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=817236
+# As of 1.6.10-3, or equivalently 1.6.10-11, the default profile
+# certainly doesn't work in lxc >= 3 or in Docker:
+# https://bugs.debian.org/983423
+# It probably won't work in other container managers either, for
+# similar reasons.
+if (defined $params{container}) {
+TODO: {
+local $TODO = "schroot default profile doesn't work in lxc >= 3 or Docker";
+check_fake_schroot(%params, reference => $reference,
+version => '1.6.10-3');
+}
+}
+else {
+check_fake_schroot(%params, reference => $reference,
+version => '1.6.10-3');
+

Bug#1050868: bookworm-pu: package debootstrap/1.0.128+nmu2+deb12u1

[Simon McVittie]

Control: tags -1 + d-i

On Wed, 30 Aug 2023 at 16:27:12 +0100, Simon McVittie wrote:
> Part of the transition to merged-/usr, and more specifically, allowing
> us to stop shipping files in trixie whose physical path on disk does
> not match their path in the dpkg database due to directory aliasing.
> 
> This change needs to be in bookworm (and bullseye, and maybe buster)
> before that process can continue, because official buildds run debootstrap
> from stable (or older).
> 
> I also took the opportunity to backport changes that make the autopkgtests
> pass.

Sorry, I should have mentioned that this is a (significant) d-i component
and so will presumably need a d-i ack. I haven't explicitly cc'd
debian-boot on the basis that it's already the package's maintainer of
record (and the bug already appeared on the mailing list).

smcv

Bug#1050872: release.debian.org: mips64el apparently relies on buster (oldoldstable) LTS?

[Simon McVittie]

Package: release.debian.org
Severity: normal
X-Debbugs-Cc: debian-m...@lists.debian.org, bl...@debian.org, 
debian-wb-t...@lists.debian.org

Luca Boccassi and I have been preparing stable and oldstable updates for
debootstrap so that the transition described in DEP-17 can continue.
Because DEP-17 involves changes to trixie/sid chroots' bootstrap
procedures, the updated debootstrap needs to be deployable to every
official buildd, and we've been told that (old)stable point releases
are the preferred way to achieve that.

When Luca asked how many suites we needed this change in, we were hoping
the answer would be stable only, and maybe oldstable (which is still
in its 1 year of overlapping support from the security team and DDs
in general).

However, if I understand correctly, Luca has been told that some official
mips64el buildds are running mipsel user-space on mips64el hardware which
only works with the buster kernel, and therefore those official buildds
are still stuck on buster, meaning we also need to prepare a buster
version of debootstrap and get it into Debian 10 LTS via buster-security.

Is this true?

>From the point of view of the project having control over its own future,
I would have hoped that official Debian infrastructure would only be using
suites that are supported by Debian as a whole, rather than handing over
control and responsibility to the Debian-LTS subproject.

Also, from the point of view of continued development of testing/unstable,
I would have hoped that packages in testing/unstable could safely
assume that they will run on at least the kernel from stable (or maybe
oldstable for a short time after a new stable release), following our
usual "skipping a release is unsupported" rule. Obviously if the buildds
are running on an oldoldstable kernel, any mips64el package that might
be used at compile-time or for build-time tests will be unable to make
that assumption.

Please could someone with knowledge of the buildds clarify the situation?

If our official buildds for a release architecture are unable to run on
either the stable or oldstable kernel, I think that raises some important
questions about suitability for inclusion in future releases.

Thanks,
smcv

Bug#1050868: bookworm-pu: package debootstrap/1.0.128+nmu2+deb12u1

[Simon McVittie]

ocument schroot 1.6.10-3 with the default profile as expected to
+  fail to use /dev/pts in a lxc >= 3 or Docker container; this is a
+  schroot bug (#983423) and not a debootstrap bug
+- With these changes, the autopkgtest is confirmed to pass in
+  autopkgtest-virt-qemu (Closes: #983197)
+
+ -- Simon McVittie   Wed, 30 Aug 2023 15:21:17 +0100
+
 debootstrap (1.0.128+nmu2) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru debootstrap-1.0.128+nmu2/debian/gbp.conf debootstrap-1.0.128+nmu2+deb12u1/debian/gbp.conf
--- debootstrap-1.0.128+nmu2/debian/gbp.conf	2022-10-18 23:48:32.0 +0100
+++ debootstrap-1.0.128+nmu2+deb12u1/debian/gbp.conf	2023-08-30 15:21:17.0 +0100
@@ -1,2 +1,3 @@
 [DEFAULT]
 debian-tag = %(version)s
+debian-branch = bookworm
diff -Nru debootstrap-1.0.128+nmu2/debian/.gitignore debootstrap-1.0.128+nmu2+deb12u1/debian/.gitignore
--- debootstrap-1.0.128+nmu2/debian/.gitignore	1970-01-01 01:00:00.0 +0100
+++ debootstrap-1.0.128+nmu2+deb12u1/debian/.gitignore	2023-08-30 15:21:17.0 +0100
@@ -0,0 +1,6 @@
+debootstrap
+debootstrap-udeb
+files
+*.debhelper.log
+*.substvars
+
diff -Nru debootstrap-1.0.128+nmu2/debian/salsa-ci.yml debootstrap-1.0.128+nmu2+deb12u1/debian/salsa-ci.yml
--- debootstrap-1.0.128+nmu2/debian/salsa-ci.yml	2022-08-30 20:48:37.0 +0100
+++ debootstrap-1.0.128+nmu2+deb12u1/debian/salsa-ci.yml	2023-08-30 15:21:17.0 +0100
@@ -6,3 +6,4 @@
 variables:
   SALSA_CI_DISABLE_BLHC: 1
   SALSA_CI_DISABLE_BUILD_PACKAGE_ANY: 1
+  RELEASE: 'bookworm'
diff -Nru debootstrap-1.0.128+nmu2/debian/tests/debian-testing debootstrap-1.0.128+nmu2+deb12u1/debian/tests/debian-testing
--- debootstrap-1.0.128+nmu2/debian/tests/debian-testing	2022-08-30 20:48:37.0 +0100
+++ debootstrap-1.0.128+nmu2+deb12u1/debian/tests/debian-testing	2023-08-30 15:21:17.0 +0100
@@ -132,12 +132,31 @@
 cat /etc/debian_version)]),
 $reference);
 
-check_fake_schroot(%params, reference => $reference);
+# The schroot behaviour proposed to fix #856877 and #983423 works,
+# even inside (privileged) lxc.
 check_fake_schroot(%params, reference => $reference, version => 'proposed');
 check_fake_schroot(%params, reference => $reference, version => 'proposed',
 extra_argv => ['--sbuild']);
 
-# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=817236
+# As of 1.6.10-3, or equivalently 1.6.10-11, the default profile
+# certainly doesn't work in lxc >= 3 or in Docker:
+# https://bugs.debian.org/983423
+# It probably won't work in other container managers either, for
+# similar reasons.
+if (defined $params{container}) {
+TODO: {
+local $TODO = "schroot default profile doesn't work in lxc >= 3 or Docker";
+check_fake_schroot(%params, reference => $reference,
+version => '1.6.10-3');
+}
+}
+else {
+check_fake_schroot(%params, reference => $reference,
+version => '1.6.10-3');
+}
+
+# schroot 1.6.10-3's sbuild profile does work in lxc, but only on newer
+# kernels: https://bugs.debian.org/856877
 if (Dpkg::Version->new($params{kernel}) < Dpkg::Version->new('4.7') &&
 defined $params{container} && $params{container} eq 'lxc') {
 TODO: {
@@ -160,10 +179,12 @@
 extra_argv => ['--sbuild']);
 }
 
+# pbuilder >= 0.228.6 works fine
 check_fake_pbuilder(%params, reference => $reference,
 version => 'proposed');
 
-# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=817236
+# Older pbuilder doesn't work if we are in a container where we can't
+# create the /dev/ptmx device node: https://bugs.debian.org/841935
 if (! $params{can_mknod_ptmx}) {
 TODO: {
 local $TODO = "schroot --sbuild doesn't work when /dev/ptmx is ".
diff -Nru debootstrap-1.0.128+nmu2/debian/tests/fake/schroot-1.6.10-3 debootstrap-1.0.128+nmu2+deb12u1/debian/tests/fake/schroot-1.6.10-3
--- debootstrap-1.0.128+nmu2/debian/tests/fake/schroot-1.6.10-3	2022-08-30 20:48:37.0 +0100
+++ debootstrap-1.0.128+nmu2+deb12u1/debian/tests/fake/schroot-1.6.10-3	2023-08-30 15:21:17.0 +0100
@@ -34,7 +34,6 @@
 
 [ "$bind_dev" = no ] || mount --bind /dev "$chroot/dev"
 mount --bind /dev/pts "$chroot/dev/pts"
-mount --bind /dev/ptmx "$chroot/dev/ptmx"
 
 ls -l "$chroot/dev/ptmx" | sed -e 's/^/# fake-schroot: /' >&2
 ls -l "$chroot/dev/pts/ptmx" | sed -e 's/^/# fake-schroot: /' >&2
@@ -43,7 +42,6 @@
 chroot "$chroot" "$@" || e=$?
 
 umount "$chroot/dev/pts"
-umount "$chroot/dev/ptmx"
 [ "$bind_dev" = no ] || umount "$chroot/dev"
 
 exit "$e"
diff -Nru debootstrap-1.0.128+nmu2/debootstrap deboots

Bug#1025708: bullseye-pu: package debootstrap/1.0.123+deb11u2

[Simon McVittie]

Control: tags -1 + moreinfo

On Wed, 07 Dec 2022 at 20:11:11 +, Luca Boccassi wrote:
> An improvement to reduce the number of dependencies pulled down by the
> usr-merged debootstrapped image has been available in unstable,
> bookworm and bullseye-backports for a while. I'd like to make this
> improvement available in bullseye as well, as it saves ~50MB on a
> minbase image.

As discussed with jmw at the #debian-uk summer party, I'm repurposing
this bug for a newer debootstrap backport incorporating some changes that
are needed to complete the transition to merged /usr, so it is not ready
for further action until updated. Marking as moreinfo to take it off the
SRMs' radar for now.

(Our intention is that I'll implement and test a release candidate,
Luca will review, and then we'll re-propose this when we're both happy.)

On Wed, 15 Mar 2023 at 21:07, Jonathan Wiltshire  wrote:
> This sounds like a behaviour change in stable, which would be very unusual
> unless it fixes significant issues. Can it really be justified?

The situation has changed since then: bookworm is now stable, bullseye
is oldstable, bookworm has the "new" behaviour, and we're going to need
to make a larger behaviour change in bullseye anyway (for the benefit of
any official buildds that have not yet been upgraded to bookworm).
Aligning bullseye debootstrap behaviour more closely with bookworm seems
likely to be more palatable than entirely new behaviours.

I discussed this with jmw and he agreed the SRMs could consider getting
#1025657 fixed in oldstable. Of course, if the change previously proposed
here seems too risky, we can revert it and keep only the higher-priority
stuff.

smcv

Bug#1043144: transition: mutter/gnome-shell 44

[Simon McVittie]

On Sun, 20 Aug 2023 at 19:52:50 +, Graham Inggs wrote:
> On Tue, 15 Aug 2023 at 17:18, Simon McVittie  wrote:
> > I think this is ready to go. Repeating the list of packages needing
> > sourceful uploads from experimental into unstable in approximately this
> > order, for the release team's convenience

We uploaded all these, and then did a follow-up upload of mutter and
gnome-shell to ignore some mutter autopkgtest regressions on s390x
(#1050220, which I do not intend to treat as RC since s390x is not
really a useful or realistic platform for this purpose).

> > And then any remaining extensions in
> > https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-gnome-maintainers%40lists.alioth.debian.org=gnome-shell-44
> > will need temporarily removing from testing to let the transition through.

Please consider adding hints as follows:

remove gnome-shell-extension-arc-menu/49+forkv29-3
remove gnome-shell-extension-dashtodock/75-1
remove gnome-shell-extension-easyscreencast/1.7.0-2
remove gnome-shell-extension-flypie/21-1
remove gnome-shell-extension-freon/52+dfsg-1
remove gnome-shell-extension-gamemode/8-2
remove gnome-shell-extension-hamster/0.10.0+git20210628-4
remove gnome-shell-extension-impatience/0.4.8-2
remove gnome-shell-extension-panel-osd/1.0.50.gc032923-3
remove gnome-shell-extension-system-monitor/40-5
remove gnome-shell-extension-vertical-overview/10-1
remove gnome-shell-extension-weather/119-1

which if all goes well should get this transition migrated at the weekend.

If I understand britney syntax correctly, if extension maintainers do
a new sourceful upload fixing the "needs update for GNOME Shell 44" RC
bugs, those removal hints would not match the updated package because
its version would be higher, so the newer version would still be allowed
to migrate and stay in testing.

Thanks,
smcv

Bug#1043144: transition: mutter/gnome-shell 44

[Simon McVittie]

On Sun, 20 Aug 2023 at 19:52:50 +, Graham Inggs wrote:
> I added your combined ben file to the tracker with some minor changes:
> https://release.debian.org/transitions/html/gnome-shell-44.html

Thanks!

> Please go ahead.

Initial round of builds in progress.

smcv

Bug#1050124: bookworm-pu: package vte2.91/0.70.6-2~deb12u1

[Simon McVittie]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: vte2...@packages.debian.org
Control: affects -1 + src:vte2.91

I've uploaded another proposed vte2.91 update for bookworm. Please consider
this for 12.2.

[ Reason ]
#1040049

[ Impact ]
If not fixed, there is a crash with an assertion failure that occurs
frequently in some user workflows (I've never been able to reproduce it
myself, but the bug reporter Luca Boccassi saw it frequently).

[ Tests ]
Luca has been running a prerelease version of this update (identical except
for version number) for several weeks, and has not seen the bug again.
Available from: https://people.debian.org/~smcv/12.2/pool/main/v/vte2.91/

A functionally equivalent version was in testing for about 1 week before
being superseded by a newer upstream release, with no regression reports.
The version proposed here is a straightforward rebuild of that version
for bookworm.

[ Risks ]
Low risk: targeted fix from upstream which just invalidates caches more
often.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
All changes are for #1040049, no extraneous diff present.
diffstat for vte2.91-0.70.6 vte2.91-0.70.6

 debian/changelog  |   17 ++
 debian/patches/series |1 
 debian/patches/widget-Invalidate-ringview-when-the-invalidating.patch |   69 
++
 src/vte.cc|   13 +
 4 files changed, 100 insertions(+)

diff -Nru vte2.91-0.70.6/debian/changelog vte2.91-0.70.6/debian/changelog
--- vte2.91-0.70.6/debian/changelog 2023-06-14 12:17:06.0 +0100
+++ vte2.91-0.70.6/debian/changelog 2023-08-09 13:01:27.0 +0100
@@ -1,3 +1,20 @@
+vte2.91 (0.70.6-2~deb12u1) bookworm; urgency=medium
+
+  * Team upload
+  * Rebuild for bookworm (Closes: #1040049)
+
+ -- Simon McVittie   Wed, 09 Aug 2023 13:01:27 +0100
+
+vte2.91 (0.70.6-2) unstable; urgency=medium
+
+  * Team upload
+  * d/p/widget-Invalidate-ringview-when-the-invalidating.patch:
+Add patch from upstream git to invalidate ring view more often when
+necessary, fixing various assertion failures during event handling
+(Closes: #1040049)
+
+ -- Simon McVittie   Fri, 14 Jul 2023 11:31:40 +0100
+
 vte2.91 (0.70.6-1~deb12u1) bookworm; urgency=medium
 
   * Team upload
diff -Nru vte2.91-0.70.6/debian/patches/series 
vte2.91-0.70.6/debian/patches/series
--- vte2.91-0.70.6/debian/patches/series2023-06-14 12:17:06.0 
+0100
+++ vte2.91-0.70.6/debian/patches/series2023-08-09 13:01:27.0 
+0100
@@ -1 +1,2 @@
+widget-Invalidate-ringview-when-the-invalidating.patch
 Allow-background-color-and-color-on-VteTerminal-widgets-t.patch
diff -Nru 
vte2.91-0.70.6/debian/patches/widget-Invalidate-ringview-when-the-invalidating.patch
 
vte2.91-0.70.6/debian/patches/widget-Invalidate-ringview-when-the-invalidating.patch
--- 
vte2.91-0.70.6/debian/patches/widget-Invalidate-ringview-when-the-invalidating.patch
1970-01-01 01:00:00.0 +0100
+++ 
vte2.91-0.70.6/debian/patches/widget-Invalidate-ringview-when-the-invalidating.patch
2023-08-09 13:01:27.0 +0100
@@ -0,0 +1,69 @@
+From: Egmont Koblinger 
+Date: Thu, 13 Jul 2023 21:59:29 +0200
+Subject: widget: Invalidate ringview when the invalidating
+
+When the ringview is not invalidated when the ring has changed leads to
+failed assertion aborts when handling events, e.g. vte#2636, vte#2637,
+vte#2632, vte#2577.
+
+Bug: https://gitlab.gnome.org/GNOME/vte/-/issues/2636
+Bug: https://gitlab.gnome.org/GNOME/vte/-/issues/2637
+Bug-Debian: https://bugs.debian.org/1040049
+Applied-upstream: 0.73.0, commit:461bc3e43c819fa0e3b62d0cf40ef533a69cc7f7
+---
+ src/vte.cc | 13 +
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/vte.cc b/src/vte.cc
+index b8e15d7..561cc42 100644
+--- a/src/vte.cc
 b/src/vte.cc
+@@ -2050,6 +2050,7 @@ Terminal::queue_adjustment_value_changed(double v)
+ _vte_debug_print(VTE_DEBUG_ADJ,
+  "Scrolling by %f\n", dy);
+ 
++m_ringview.invalidate();
+ invalidate_all();
+ match_contents_clear();
+ emit_text_scrolled(dy);
+@@ -2899,6 +2900,9 @@ Terminal::drop_scrollback()
+ if (m_screen == _normal_screen) {
+ queue_adjustment_value_changed(m_normal_screen.insert_delta);
+ adjust_adjustments_full();
++m_ringview.invalidate();
++invalidate_all();
++match_contents_clear();
+ }
+ }
+ 
+@@ -7548,6 +7552,9 @@ Terminal::set_size(long columns,
+   gtk_widget_queue_resize(m_widget); // FIXMEgtk4

Bug#1043144: transition: mutter/gnome-shell 44

[Simon McVittie]

On Sun, 06 Aug 2023 at 18:21:29 +0100, Simon McVittie wrote:
> It's about time we migrate GNOME Shell 44 to unstable.

I think this is ready to go. Repeating the list of packages needing
sourceful uploads from experimental into unstable in approximately this
order, for the release team's convenience:

* mutter
* gnome-shell
* gnome-shell-extensions
* gnome-remote-desktop
* budgie-desktop
* gnome-shell-extension-bluetooth-quick-connect
* gnome-shell-extension-gsconnect
* gnome-shell-extension-tiling-assistant

And then any remaining extensions in
https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-gnome-maintainers%40lists.alioth.debian.org=gnome-shell-44
will need temporarily removing from testing to let the transition through.

The release team has traditionally been relatively trigger-happy about
removing broken Shell extensions, since they are clearly less important
than GNOME itself. When the transition is otherwise ready to migrate,
I'll provide a full list of packages needing removal.

> There is one current blocker, #1042980, which is that gnome-shell is
> failing build-time tests on mips64el and mipsel.

This has essentially been resolved.

There is an apparent bug in llvmpipe, which we would normally use to run
the build-time tests: https://bugs.debian.org/1049404

There is also an apparent timing-, thread- or race-condition-related bug
in gnome-shell or one of its dependencies, seen only when using softpipe:
https://bugs.debian.org/1049407

I think neither of these needs to be RC or block this transition, since
GNOME is primarily designed to be used on hardware GPUs (and secondarily
on fast x86 VMs with working llvmpipe), so we're now skipping the affected
tests on mips(64)el.

> I've asked a mips porter to confirm whether Shell
> v43 works with unstable's LLVM and Mesa or whether it is already broken

According to mips porter YunQiang Su, both v43 and v44 work acceptably
on the category of mips64el hardware where it would be reasonable to
run a full GNOME session (with an AMD GPU supported by Mesa).

smcv

Bug#1043144: transition: mutter/gnome-shell 44

[Simon McVittie]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: debian-gtk-gn...@lists.debian.org
Control: affects -1 + src:mutter src:gnome-shell
Control: block -1 by 1042980

It's about time we migrate GNOME Shell 44 to unstable. We delayed this for
a few months for the bookworm release, and then to get more testing for
the packages we wanted included in 12.1, but we should try to get 44 into
testing before upstream gets too close to releasing 45. Ubuntu already
did this transition for their 23.04 'lunar' short-term-support release.

This will require sourceful re-uploads of the following packages from
experimental into unstable, in approximately this order:

* mutter
* gnome-shell
* gnome-shell-extensions
* gnome-remote-desktop
* budgie-desktop
* gnome-shell-extension-bluetooth-quick-connect
* gnome-shell-extension-gsconnect

And then any remaining extensions in
https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-gnome-maintainers%40lists.alioth.debian.org=gnome-shell-44
will need to be either fixed, re-uploaded from experimental to unstable
if already fixed in experimental, or temporarily kicked out of testing
to let the transition through.

There is one current blocker, #1042980, which is that gnome-shell is
failing build-time tests on mips64el and mipsel. So far I've fixed one
genuine bug in gnome-shell, and worked around another bug (seemingly in
LLVM or Mesa) by running the tests with softpipe rather than llvmpipe;
but there are still test failures. I don't think anyone in the GNOME
team has mips hardware or knowledge, and there's a limit to how usefully
we can debug this on eller. The failing test is new in v44, so we don't
know whether it would have failed in v43 if it existed there, or whether
it's a real regression: I've asked a mips porter to confirm whether Shell
v43 works with unstable's LLVM and Mesa or whether it is already broken,
but I haven't seen an answer so far.

Unlike s390x, I'm told mips(64)el does have desktop-class hardware that
could at least in principle run GNOME. I don't know how common that
hardware is, whether it's common to run GNOME on it, or whether mips
porters do so in practice (the extent of my information is "There are
some MIPS desktop cases").

Possible resolutions for #1042980:

* If mips porters can diagnose/fix the failing tests before we are
  otherwise ready to do this transition, then of course we should do that
  (but I think we need a contingency plan for if this doesn't happen)
* Or we could do architecture-specific removals on mips(64)el, making
  these uninstallable:
  - gdm3
  - gnome-core and other meta-gnome3 metapackages
  - gnome-session
  - ibus-tests
  - various Architecture: all packages such as Shell extensions
  - indirectly, task-gnome-desktop
* Or we could ignore the failing tests on mips(64)el, and let a
  potentially broken gnome-shell:mips(64)el into testing; and if the GNOME
  desktop has users on mips(64)el hardware who report that it doesn't work,
  ask mips porters to investigate and fix that

I feel as though holding back GNOME Shell 44 for the benefit of mips(64)el
users would be a worse result for Debian than getting GNOME 44 into
testing for the benefit of users of all the other architectures. Do
the release team have thoughts on which would be the best strategy to
avoid that?

Here is an attempt at a ben file that combines the mutter and gnome-shell
transitions, since they're really one transition:

title = "gnome-shell-44";
is_affected = .depends ~ 
/\b(gir1\.2\-mutter\-12|libmutter\-12\-0|libmutter\-12\-dev|libmutter\-test\-12|mutter\-12\-tests|gir1\.2\-mutter\-11|libmutter\-11\-0|libmutter\-11\-dev|libmutter\-test\-11|mutter\-11\-tests|gnome\-shell)\b/
is_good = .depends ~ 
/\b(gir1\.2\-mutter\-12|libmutter\-12\-0|libmutter\-12\-dev|libmutter\-test\-12|mutter\-12\-tests)\b/
 | .depends ~ /gnome\-shell (<< 4[5-9]/ | !.depends ~ /gnome\-shell (<

Bug#1039911: transition: sdl12-compat taking over libsdl1.2-dev

[Simon McVittie]

On Sun, 16 Jul 2023 at 18:18:09 +0100, Simon McVittie wrote:
> On Sun, 16 Jul 2023 at 18:55:28 +0200, Sebastian Ramacher wrote:
> > Could you check whether that is an issue in sdl12-compat or
> > libsdl-perl?
>
> I already opened <https://bugs.debian.org/1041211> and marked it as
> blocking this transition-tracker bug.

After talking to SDL upstream, it looks as though libsdl-perl was always
doing something that ought to be undefined behaviour (freeing the global
video surface object, which is "owned" by the SDL video implementation),
but an implementation quirk of libsdl1.2 meant that attempting to free
the global video surface was silently ignored.

The regression with sdl12-compat is because sdl12-compat is more likely
to deallocate the global video surface and allocate a new one, whereas
libsdl1.2 would usually keep using the same global video surface for the
lifetime of the process, even if parameters like the colour depth changed.

Possible solutions to continue this transition:

1. fix libsdl-perl (#1041211, RC; I sent a potential patch upstream, but
   I've never tried writing Perl XS bindings before, so I'm not very
   confident that I'm getting it right)

2. work around the issue in sdl12-compat because they aim for bug-for-bug
   compatibility (#1041416, wishlist, also forwarded upstream), after
   which #1041211 can be downgraded to non-RC

3. kick out libsdl-perl, dizzy, frozen-bubble and pangzero from testing
   until at least one of those two bugs can be fixed
   (I've checked with `dak rm -R -n -s testing` that those four source
   packages would be enough)

Or wait until one of those happens, and if we wait long enough with no
progress, autoremovals will implement (3) for us.

smcv

Bug#1039911: transition: sdl12-compat taking over libsdl1.2-dev

[Simon McVittie]

On Sun, 16 Jul 2023 at 18:55:28 +0200, Sebastian Ramacher wrote:
> The autopkgtests of libsdl-perl regressed on the 32-bit architectures.

Yes, and also intermittently on some 64-bit architectures, and it
will also FTBFS with the same test failure (reliably on 32-bit or
intermittently on 64-bit). Unfortunately it seems to be reliable (for
whatever reason) on amd64, which is where I did my rebuild-tests.

I already opened  and marked it as
blocking this transition-tracker bug.

> Could you check whether that is an issue in sdl12-compat or
> libsdl-perl?

It's on my list. I've never used these Perl bindings or written Perl/XS
bindings for a C library, so it might take some time.

smcv

Bug#1040915: bookworm-pu: package dbus/1.14.8-2~deb12u1

[Simon McVittie]

On Thu, 13 Jul 2023 at 16:58:54 +0100, Adam D. Barratt wrote:
> On Wed, 2023-07-12 at 12:34 +0100, Simon McVittie wrote:
> > On Wed, 12 Jul 2023 at 12:12:47 +0100, Simon McVittie wrote:
> > > [ Reason ]
> > > https://bugs.debian.org/1040790
> 
> Please go ahead, bearing in mind that the window for 12.1 closes over
> the coming weekend.

I uploaded it already, it's in
<https://release.debian.org/proposed-updates/stable.html>. The
corresponding unstable update should reach testing tomorrow.

I'm sorry for the timing. I fixed it as fast as I was able, as soon as
I was aware of the issue (I know both should have happened quicker).

smcv

Bug#1040915: bookworm-pu: package dbus/1.14.8-2~deb12u1

[Simon McVittie]

On Wed, 12 Jul 2023 at 12:12:47 +0100, Simon McVittie wrote:
> [ Reason ]
> https://bugs.debian.org/1040790
> [ Changes ]
> All changes are part of resolving or testing #1040790.

Debdiff attached.

> [ Tests ]

I should also have mentioned that I'm running the proposed package on
a bookworm desktop system and it works normally.

smcv
diffstat for dbus-1.14.8 dbus-1.14.8

 changelog|   16 +
 dbus-daemon.postinst |4 +--
 tests/control|9 +++
 tests/machine-id |   60 +++
 4 files changed, 87 insertions(+), 2 deletions(-)

diff -Nru dbus-1.14.8/debian/changelog dbus-1.14.8/debian/changelog
--- dbus-1.14.8/debian/changelog	2023-06-11 12:42:56.0 +0100
+++ dbus-1.14.8/debian/changelog	2023-07-11 20:59:33.0 +0100
@@ -1,3 +1,19 @@
+dbus (1.14.8-2~deb12u1) bookworm; urgency=medium
+
+  * Rebuild for bookworm
+
+ -- Simon McVittie   Tue, 11 Jul 2023 20:59:33 +0100
+
+dbus (1.14.8-2) unstable; urgency=high
+
+  * dbus-daemon.postinst: Stop trying to take DPKG_ROOT into account.
+This unintentionally disabled the code path that would copy systemd's
+/etc/machine-id in preference to creating an entirely new machine ID.
+(Closes: #1040790)
+  * d/tests: Add test coverage for #1040790
+
+ -- Simon McVittie   Tue, 11 Jul 2023 18:38:22 +0100
+
 dbus (1.14.8-1~deb12u1) bookworm; urgency=medium
 
   * Rebuild for bookworm
diff -Nru dbus-1.14.8/debian/dbus-daemon.postinst dbus-1.14.8/debian/dbus-daemon.postinst
--- dbus-1.14.8/debian/dbus-daemon.postinst	2023-06-11 12:42:56.0 +0100
+++ dbus-1.14.8/debian/dbus-daemon.postinst	2023-07-11 20:59:33.0 +0100
@@ -7,8 +7,8 @@
 # script does this anyway, but you also have to do this before a session
 # bus will work on non-systemd systems, so we do this here for the
 # benefit of people starting a temporary session bus in a chroot.
-mkdir -p "${DPKG_ROOT:-/}var/lib/dbus"
-dbus-uuidgen --ensure="${DPKG_ROOT:-/}var/lib/dbus/machine-id"
+mkdir -p /var/lib/dbus
+dbus-uuidgen --ensure
 fi
 
 #DEBHELPER#
diff -Nru dbus-1.14.8/debian/tests/control dbus-1.14.8/debian/tests/control
--- dbus-1.14.8/debian/tests/control	2023-06-11 12:42:56.0 +0100
+++ dbus-1.14.8/debian/tests/control	2023-07-11 20:59:33.0 +0100
@@ -25,6 +25,15 @@
 Restrictions: allow-stderr, superficial
 Depends: dbus-daemon
 
+Tests: machine-id
+Restrictions: allow-stderr, needs-root, superficial
+Depends: dbus-daemon
+
+Test-Command: debian/tests/machine-id with-systemd
+Features: test-name=machine-id_with_systemd
+Restrictions: allow-stderr, needs-root, superficial
+Depends: dbus-daemon, systemd
+
 Tests: dbus-session-bus-common
 Restrictions: allow-stderr, superficial
 Depends: dbus-session-bus-common
diff -Nru dbus-1.14.8/debian/tests/machine-id dbus-1.14.8/debian/tests/machine-id
--- dbus-1.14.8/debian/tests/machine-id	1970-01-01 01:00:00.0 +0100
+++ dbus-1.14.8/debian/tests/machine-id	2023-07-11 20:59:33.0 +0100
@@ -0,0 +1,60 @@
+#!/bin/sh
+set -eu
+
+# Regression test for https://bugs.debian.org/1040790
+
+mode="${1-}"
+
+export LC_ALL=C.UTF-8
+fail=
+set -x
+
+# dbus-daemon.deb provides a machine ID
+ls -l /etc/machine-id /var/lib/dbus/machine-id || :
+head /etc/machine-id /var/lib/dbus/machine-id || :
+uuid="$(dbus-uuidgen --get)"
+test -n "$uuid" || fail=yes
+# The machine ID consists of 32 lower-case hex digits (and the file
+# also has a newline)
+test "$uuid" = "$(perl -pe 'print "wrong: " unless /\A[a-z0-9]{32}\n\z/' /var/lib/dbus/machine-id)" || fail=yes
+
+# Intentionally not asserting that /etc/machine-id matches
+# /var/lib/dbus/machine-id: if the test container has both dbus and
+# systemd, and it was generated with a version of dbus that has #1040790,
+# then that assertion could fail.
+
+# If there is a systemd machine ID, installing dbus-daemon should
+# make the D-Bus machine ID be the same as it.
+# Unfortunately nothing currently guarantees that a Debian
+# system will have a machine ID, so this has to be conditional. (See
+# also #745876, #783716).
+if [ -e /etc/machine-id ] || [ "$mode" = with-systemd ]; then
+rm -f /var/lib/dbus/machine-id
+# This is for its side-effect of running the postinst, emulating
+# a fresh installation
+dpkg-reconfigure -fnoninteractive -pcritical dbus-daemon
+ls -l /etc/machine-id /var/lib/dbus/machine-id || :
+head /etc/machine-id /var/lib/dbus/machine-id || :
+uuid="$(dbus-uuidgen --get)"
+test -n "$uuid" || fail=yes
+test "$uuid" = "$(perl -pe 'print "wrong: " unless /\A[a-z0-9]{32}\n\z/' /var/lib/dbus/machine-id)" || fail=yes
+test "$uuid" = "$(perl -pe 'print "wrong: " unless /\A[a-z0-9]{32}\n\z/' /etc/machine-id)" || fail=yes
+fi
+
+# Similarly, 

Bug#1040915: bookworm-pu: package dbus/1.14.8-2~deb12u1

[Simon McVittie]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: d...@packages.debian.org, debian-b...@lists.debian.org
Control: affects -1 + src:dbus

[ Reason ]
https://bugs.debian.org/1040790

[ Impact ]
A regression in bookworm's dbus packaging led to /etc/machine-id and
/var/lib/dbus/machine-id having different contents in fresh installations
of bookworm or later. The machine ID is an opaque hex string analogous
to a MAC address, intended to identify the machine in contexts where the
hostname would traditionally have been used, but avoiding the risk that
a sysadmin setting an aesthetically appealing hostname will result in
non-uniqueness (either the same hostname on more than one concurrently
used installation, or the same installation having more than one hostname
over time).

Some packages that rely on this interface try /etc/machine-id first and
fall back to /var/lib/dbus/machine-id if it doesn't exist, while others
do the opposite, so this bug leads to those packages disagreeing on what
the machine ID is, and therefore potentially behaving as though they
are running on two different machines with a shared (NFS) home directory.
The full user-visible impact of this is unknown: the machine ID is
intentionally quite a general feature, so we cannot know all the things
that might use it.

pulseaudio, ibus, dbus-x11 and maybe others have autostart protocols that
involve it, so non-uniqueness could result in unintentionally running
two instances of the same service on the same machine.

Conversely, GNOME and maybe others store per-machine data in the user's
home directory (in particular, GNOME screen settings) keyed by the
machine ID, so the apparent machine ID changing could result in apparent
configuration data loss.

[ Tests ]
The majority of the changes are new automated test coverage.

I can reproduce the problem with mmdebstrap, and I have confirmed that
replacing packages from src:dbus with the proposed version resolves it.

I have not attempted to provide the updated dbus to a d-i image and do an
install from first principles.

[ Risks ]
Low-risk change, reverting unnecessary complexity in the postinst and
returning to what we did in bullseye.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
All changes are part of resolving or testing #1040790.

[ Other info ]
dbus technically has a udeb, but it's essentially unused, and in any case
dbus-udeb.postinst never had this bug (so it has not changed here).

I have not attempted to retroactively fix the machine ID of existing
installations: that would be much higher-risk and will require
considerably more thought. It's entirely possible that the best approach
to existing installations is to ignore the mismatch and hope that it
doesn't cause any user-visible symptoms.

Bug#1039911: transition: sdl12-compat taking over libsdl1.2-dev

[Simon McVittie]

On Tue, 11 Jul 2023 at 22:08:55 +0200, Sebastian Ramacher wrote:
> On 2023-06-29 13:26:03 +0100, Simon McVittie wrote:
> > As previously mentioned on -devel, I would like src:sdl12-compat to
> > take over the libsdl1.2-dev and libsdl1.2debian binary package names
> > from src:libsdl1.2 during the trixie cycle. This mirrors a transition
> > that already took place in several other distributions such as Fedora
> > and Arch.
> 
> Please go ahead and raise the remaining regression bugs to serious.

Thanks, I'll upload the equivalent of sdl12-compat/experimental to
unstable soon.

In the end none of the build regressions needed raising to RC:

- #1039479, #1039575, #1039581 have been fixed
- #1012232, #1039439, #1039574 have workarounds in upstream
  sdl12-compat, which I backported into Debian already

The two runtime regressions #1038738, #1038741 are currently tracked as
bugs in both sdl12-compat and the relevant game (it's not clear which
side a fix should come from), and I don't think they're bad enough to
qualify as RC (the game can still be played, and in particular using
native X11 instead of Xwayland is a workaround).

smcv

Bug#1039911: transition: sdl12-compat taking over libsdl1.2-dev

[Simon McVittie]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: debian-devel-ga...@lists.debian.org, libsdl...@packages.debian.org

As previously mentioned on -devel, I would like src:sdl12-compat to
take over the libsdl1.2-dev and libsdl1.2debian binary package names
from src:libsdl1.2 during the trixie cycle. This mirrors a transition
that already took place in several other distributions such as Fedora
and Arch.

This is a "soft" transition and does not involve a SONAME bump: the new
library is intended to be fully API- and ABI-compatible with the old
(same SONAME, same pkg-config module name, same CLI interface to the
legacy sdl-config script, different implementation internally), so it's
more like an unusually intrusive minor-version release. I'm opening this
bug for tracking and to coordinate uploading the new version to unstable
at a time that will not disrupt transitions, rather than because any
explicit release team action is needed.

A version with the proposed changes is on its way into experimental,
versioned as sdl12-compat=1.2.64-4+exp1. For a preview of the proposed
changes, users can manually install libsdl12-compat-{shim,dev} from
bookworm, trixie or unstable.

Even after this transition, I consider it to be a (non-RC) bug for
packages to have dependencies on the SDL 1.2 API/ABI. I did a MBF for
that bug, and ideally they would all be ported to SDL 2; but moving to
sdl12-compat reduces the impact of having packages in Debian that have
not been ported.

Having briefly played the majority of the affected games, I suspect that
the value of many of these packages doesn't really justify the QA burden
of keeping them in Debian, but for the purposes of this transition I've
been giving them the benefit of the doubt and assuming that every package
is significant, unless it has obvious issues. (I did ask the ftp team
to remove zsnes and dgen, two non-free i386-only games console emulators
with portable alternatives available in main.)

Risks (build-time)
==

Dependent source packages do not need to be rebuilt, but if rebuilt for
an unrelated reason, the new libsdl1.2-dev might cause them to FTBFS. I
have done test rebuilds of all dependent packages on a porterbox and
opened bugs for the minority that failed, mostly because they made
assumptions about libsdl1.2-dev that are no longer true:

- 
https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-sdl-maintainers%40lists.alioth.debian.org=ftbfs-libsdl1.2-compat-dev
- I sent a patch to #1039479 in xine-lib-1.2, which I will raise to RC
  if it's still open when we are ready to proceed
- I fixed #1039575 in powermanga and #1039581 in fenix via team uploads
  into unstable
- the rest have been worked around via sdl12-compat changes in
  trixie/unstable and therefore will not need to be RC

Risks (runtime)
===

Dependent binary packages might regress after the shared library has
been upgraded. I did some brief testing on the majority of remaining
SDL 1.2 games in bookworm, and most of the regressions that I reported
were promptly fixed or worked around by upstream in sdl12-compat (most
but not all of these fixes made it into bookworm, and all are in unstable
as of 1.2.64-4). The remaining known runtime regressions are:

- https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=sdl12-compat
- #1038738 in asc
- #1038741 in bumprace
- https://github.com/libsdl-org/sdl12-compat/issues/301 in fuse-emulator

I think those regressions are, while unfortunate, an acceptable price to
pay for replacing an unmaintained library with a somewhat maintained one.

In general I have not attempted to test non-game SDL-1.2-dependent
packages (mostly emulators and music production software), because
learning how to use them would be more time-consuming than it is for
a typical game, and some of them have non-trivial dependencies that I
do not have (emulators might need non-free ROMs, and some of the music
production software appears to need a manually-configured JACK daemon).

As part of my MBF for dependencies on SDL 1.2, I asked maintainers to
test their packages with sdl12-compat, and the responses so far have been
mostly positive (the fuse-emulator issue linked above was the only new
regression report so far).

smcv

Bug#1036849: bookworm-pu: package gnome-software/43.5-1~deb12u1

[Simon McVittie]

On Sun, 25 Jun 2023 at 17:13:01 +0100, Jonathan Wiltshire wrote:
> On Wed, Jun 21, 2023 at 11:22:35AM +0100, Simon McVittie wrote:
> > Tested on a bookworm system (browse available packages, upgrade Flatpak
> > apps, install a Flatpak app, install a .deb) and seems fine, and the
> > upstream changes are really minimal, so I uploaded the proposed package.
> 
> It doesn't seem to be in the queue so something has gone wrong with the
> upload. Please check and go ahead.

Sorry, I thought I had uploaded all of the GNOME 43.x bugfix releases that
I prepared so far. Uploaded gnome-software now.

smcv

Bug#1036849: bookworm-pu: package gnome-software/43.5-1~deb12u1

[Simon McVittie]

Control: retitle -1 bookworm-pu: package gnome-software/43.5-1~deb12u1

On Sat, 27 May 2023 at 21:53:35 +0100, Simon McVittie wrote:
> GNOME upstream has done a stable point release of gnome-software. This
> doesn't seem urgent enough to want to break the freeze for, but it would
> be good to get it in 12.1.
...
> I have not uploaded to unstable due to the full freeze, and I can't
> upload to experimental because GNOME 44 is already there.

I uploaded to unstable after Debian 12 was released, and that version
migrated to testing with no apparent regressions. The version I'm now
proposing is a simple rebuild of what's in testing.

Tested on a bookworm system (browse available packages, upgrade Flatpak
apps, install a Flatpak app, install a .deb) and seems fine, and the
upstream changes are really minimal, so I uploaded the proposed package.

smcv
diffstat for gnome-software-43.4 gnome-software-43.5

 NEWS|7 
 data/metainfo/org.gnome.Software.metainfo.xml.in|8 
 debian/changelog|   17 ++
 debian/gbp.conf |2 -
 debian/patches/01_details-Use-custom-icon-for-verified-developers.patch |4 +-
 debian/watch|2 -
 lib/gs-plugin-job-list-apps.c   |1 
 lib/gs-plugin-job-manage-repository.c   |2 +
 meson.build |2 -
 9 files changed, 40 insertions(+), 5 deletions(-)

diff -Nru gnome-software-43.4/data/metainfo/org.gnome.Software.metainfo.xml.in gnome-software-43.5/data/metainfo/org.gnome.Software.metainfo.xml.in
--- gnome-software-43.4/data/metainfo/org.gnome.Software.metainfo.xml.in	2023-02-10 07:57:26.0 +
+++ gnome-software-43.5/data/metainfo/org.gnome.Software.metainfo.xml.in	2023-03-03 11:34:54.0 +
@@ -66,6 +66,14 @@
Validate with `appstreamcli validate *.metainfo.xml`
   -->
   
+
+  
+This is a stable release with the following change:
+
+  Fix few memory leaks
+
+  
+
 
   
 This is a stable release with the following changes:
diff -Nru gnome-software-43.4/debian/changelog gnome-software-43.5/debian/changelog
--- gnome-software-43.4/debian/changelog	2023-02-10 18:27:14.0 +
+++ gnome-software-43.5/debian/changelog	2023-06-16 11:33:47.0 +0100
@@ -1,3 +1,20 @@
+gnome-software (43.5-1~deb12u1) bookworm; urgency=medium
+
+  * Team upload
+  * Rebuild for Debian 12
+
+ -- Simon McVittie   Fri, 16 Jun 2023 11:33:47 +0100
+
+gnome-software (43.5-1) unstable; urgency=medium
+
+  * d/gbp.conf: Use upstream/43.x branch to import new upstream versions
+  * d/watch: Only watch for versions 43.x
+  * New upstream release 43.5
+- Fix some memory leaks (Closes: #1036312)
+  * Refresh patch series (no functional changes)
+
+ -- Simon McVittie   Tue, 13 Jun 2023 10:25:39 +0100
+
 gnome-software (43.4-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru gnome-software-43.4/debian/gbp.conf gnome-software-43.5/debian/gbp.conf
--- gnome-software-43.4/debian/gbp.conf	2023-02-10 18:27:14.0 +
+++ gnome-software-43.5/debian/gbp.conf	2023-06-16 11:33:47.0 +0100
@@ -1,7 +1,7 @@
 [DEFAULT]
 pristine-tar = True
 debian-branch = debian/bookworm
-upstream-branch = upstream/latest
+upstream-branch = upstream/43.x
 
 [buildpackage]
 sign-tags = True
diff -Nru gnome-software-43.4/debian/patches/01_details-Use-custom-icon-for-verified-developers.patch gnome-software-43.5/debian/patches/01_details-Use-custom-icon-for-verified-developers.patch
--- gnome-software-43.4/debian/patches/01_details-Use-custom-icon-for-verified-developers.patch	2023-02-10 18:27:14.0 +
+++ gnome-software-43.5/debian/patches/01_details-Use-custom-icon-for-verified-developers.patch	2023-06-16 11:33:47.0 +0100
@@ -29,7 +29,7 @@
 +
 \ No newline at end of file
 diff --git a/src/gnome-software.gresource.xml b/src/gnome-software.gresource.xml
-index 941dd40..2d1f2ff 100644
+index 4efe369..9f897a5 100644
 --- a/src/gnome-software.gresource.xml
 +++ b/src/gnome-software.gresource.xml
 @@ -54,6 +54,7 @@
@@ -41,7 +41,7 @@
../data/icons/system-component-addon.svg
../data/icons/system-component-application.svg
 diff --git a/src/gs-details-page.ui b/src/gs-details-page.ui
-index 8b0e88b..4c120ef 100644
+index d3fad10..37c657b 100644
 --- a/src/gs-details-page.ui
 +++ b/src/gs-details-page.ui
 @@ -173,7 +173,7 @@
diff -Nru gnome-software-43.4/debian/watch gnome-software-43.5/debian/watch
--- gnome-software-43.4/debian/watch	2023-02-10 18:27:14.0 +
+++ gnome-software-43.5/debian/watch	2023-06-16 11:33:47.0 +0100
@@ -1,4 +1,4 @@
 version=4

Bug#1038777: bookworm-pu: package gnome-control-center/1:43.6-2~deb12u1

[Simon McVittie]

log	2023-02-14 16:08:53.0 +
+++ gnome-control-center-43.6/debian/changelog	2023-06-15 11:35:10.0 +0100
@@ -1,3 +1,48 @@
+gnome-control-center (1:43.6-2~deb12u1) bookworm; urgency=medium
+
+  * Team upload
+  * Rebuild for bookworm
+
+ -- Simon McVittie   Thu, 15 Jun 2023 11:35:10 +0100
+
+gnome-control-center (1:43.6-2) unstable; urgency=medium
+
+  * Team upload
+  * Expand previous changelog entry to include more details of the
+upstream changes
+
+ -- Simon McVittie   Tue, 13 Jun 2023 09:40:29 +0100
+
+gnome-control-center (1:43.6-1) unstable; urgency=medium
+
+  * New upstream bugfix release 43.5
+- Populate list of previous WWAN (Mobile Network) connetions more
+  reliably, avoiding creation of duplicate connections in
+  NetworkManager (gnome-control-center#1468 upstream)
+- Stop listing displays in the reverse of the intended order
+- Add 32:9 as a well-known aspect ratio
+  (gnome-control-center#2334 upstream)
+- Fix an assertion failure when activating the Users panel
+  (gnome-control-center#2219 upstream)
+- Don't access User objects before they are fully loaded
+  (gnome-control-center#2348, #2349 upstream)
+- Fix an assertion failure when cropping an avatar
+- Don't allow commas in users' "real name" field, because the GECOS
+  encoding in /etc/passwd cannot represent those
+  (gnome-control-center#888 upstream)
+- Automatically close user avatar chooser before showing file
+  chooser (gnome-control-center#2315 upstream)
+- Restore the default cursor when leaving the dialog to crop an
+  avatar (gnome-control-center#2359 upstream)
+- Fix a crash when cancelling authentication for Thunderbolt
+- Remove a duplicate property from the "add user" UI
+- Translation updates: ca, fr, hu
+  * New upstream bugfix release 43.6
+- Fix a use-after-free crash when editing network connections
+- Translation updates: ab, hu; add fo
+
+ -- Jeremy Bícha   Mon, 29 May 2023 15:21:14 -0400
+
 gnome-control-center (1:43.4.1-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru gnome-control-center-43.4.1/debian/watch gnome-control-center-43.6/debian/watch
--- gnome-control-center-43.4.1/debian/watch	2023-02-14 16:08:53.0 +
+++ gnome-control-center-43.6/debian/watch	2023-06-15 11:35:10.0 +0100
@@ -1,4 +1,4 @@
 version=4
 opts="searchmode=plain, uversionmangle=s/\.(alpha|beta|rc)/~$1/, downloadurlmangle=s|cache.json||" \
 https://download.gnome.org/sources/@PACKAGE@/cache.json \
-	[\d.]+/@PACKAGE@-([\d.]+)@ARCHIVE_EXT@
+	43/@PACKAGE@-([\d.]+)@ARCHIVE_EXT@
diff -Nru gnome-control-center-43.4.1/meson.build gnome-control-center-43.6/meson.build
--- gnome-control-center-43.4.1/meson.build	2023-06-21 10:47:27.0 +0100
+++ gnome-control-center-43.6/meson.build	2023-06-21 10:47:28.0 +0100
@@ -1,6 +1,6 @@
 project(
   'gnome-control-center', 'c',
-version : '43.4.1',
+version : '43.6',
 license : 'GPL2+',
   meson_version : '>= 0.57.0'
 )
diff -Nru gnome-control-center-43.4.1/NEWS gnome-control-center-43.6/NEWS
--- gnome-control-center-43.4.1/NEWS	2023-02-12 21:17:19.0 +
+++ gnome-control-center-43.6/NEWS	2023-05-26 04:57:33.0 +0100
@@ -1,4 +1,24 @@
 
+Version 43.6
+
+
+- Updated translations
+
+Network
+ - Fix crash when removing a connection
+
+
+Version 43.5
+
+
+ - Various fixes regarding updating the Cellular panel
+ - Fix order of monitors in display settings
+ - Add 32:9 to the known aspect ratios in display settings
+ - Fix behavior of User avatar chooser popover and file chooser
+ - Fix access to AccountsService object before loading
+ - Updated translations
+
+
 Version 43.4
 
 
diff -Nru gnome-control-center-43.4.1/panels/display/cc-display-config-dbus.c gnome-control-center-43.6/panels/display/cc-display-config-dbus.c
--- gnome-control-center-43.4.1/panels/display/cc-display-config-dbus.c	2023-02-12 21:17:19.0 +
+++ gnome-control-center-43.6/panels/display/cc-display-config-dbus.c	2023-05-26 04:57:33.0 +0100
@@ -1680,6 +1680,8 @@
  self, G_CONNECT_SWAPPED);
 }
 
+  self->monitors = g_list_reverse (self->monitors);
+
   while (TRUE)
 {
   g_autoptr(GVariant) variant = NULL;
diff -Nru gnome-control-center-43.4.1/panels/display/cc-display-settings.c gnome-control-center-43.6/panels/display/cc-display-settings.c
--- gnome-control-center-43.4.1/panels/display/cc-display-settings.c	2023-02-12 21:17:19.0 +
+++ gnome-control-center-43.6/panels/display/cc-display-settings.c	2023-05-26 04:57:33.0 +0100
@@ -152,6 +152,9 @@
 case 23:
   aspect = "21∶9";
   break;
+case 35:
+  aspect = "32∶9";
+  break;
 case 12:
   aspect = "5∶4";
   break;
diff 

Bug#1036858: bookworm-pu: package gnome-shell/43.6-1~deb12u1

[Simon McVittie]

On Wed, 07 Jun 2023 at 17:12:49 +0100, Simon McVittie wrote:
> On Sun, 28 May 2023 at 00:29:58 +0100, Simon McVittie wrote:
> > The gnome-shell 43.5 release from GNOME upstream seems like something
> > we should have in a bookworm update.
> 
> So does 43.6.
> 
> > This requires mutter 43.5, for which see #1036856.
> 
> Still true.
...
>   [ ] the issue is verified as fixed in unstable
>   - intentionally not done during the full freeze

As with mutter, I uploaded this to unstable after the bookworm release and
it has now reached testing. I've uploaded this in the hope that it can be
accepted into 12.1.

Updated debdiff attached.

smcv
git diff patch-queue/43.4.. | filterdiff -p1 -x'debian/patches/*.patch' -x.gitlab-ci.yml -x'.gitlab-ci/*' -x'po/*.po'

diffstat for gnome-shell-43.4 gnome-shell-43.6

 .gitlab-ci.yml|6 
 .gitlab-ci/install-meson-project.sh   |   84 
 NEWS  |   31 
 debian/changelog  |   56 
 debian/control|8 
 debian/control.in |8 
 debian/patches/Update-Abkhazian-translation.patch | 4910 --
 debian/patches/debian/Revert-build-Port-to-gcr4.patch |2 
 debian/patches/series |1 
 js/misc/ibusManager.js|2 
 js/misc/objectManager.js  |2 
 js/ui/appDisplay.js   |3 
 js/ui/components/autorunManager.js|2 
 js/ui/components/polkitAgent.js   |1 
 js/ui/dash.js |3 
 js/ui/dnd.js  |1 
 js/ui/messageTray.js  |5 
 js/ui/modalDialog.js  |2 
 js/ui/panelMenu.js|3 
 js/ui/screenshot.js   |8 
 js/ui/search.js   |7 
 js/ui/status/location.js  |2 
 js/ui/windowPreview.js|4 
 js/ui/workspacesView.js   |2 
 meson.build   |2 
 po/pt_BR.po   |  394 
 po/zh_CN.po   |  366 
 src/shell-app-system.c|   37 
 src/shell-window-preview-layout.c |4 
 subprojects/extensions-app/data/metainfo/org.gnome.Extensions.metainfo.xml.in |2 
 subprojects/extensions-app/generate-translations.sh   |2 
 subprojects/extensions-app/meson.build|2 
 subprojects/extensions-app/subprojects/shew/meson.build   |2 
 subprojects/extensions-tool/generate-translations.sh  |2 
 subprojects/extensions-tool/meson.build   |2 
 subprojects/shew/meson.build  |2 
 36 files changed, 634 insertions(+), 5336 deletions(-)

diff -Nru gnome-shell-43.4/debian/changelog gnome-shell-43.6/debian/changelog
--- gnome-shell-43.4/debian/changelog	2023-04-10 14:07:38.0 +0100
+++ gnome-shell-43.6/debian/changelog	2023-06-11 00:08:43.0 +0100
@@ -1,3 +1,59 @@
+gnome-shell (43.6-1~deb12u1) bookworm; urgency=medium
+
+  * Rebuild for bookworm
+
+ -- Simon McVittie   Sun, 11 Jun 2023 00:08:43 +0100
+
+gnome-shell (43.6-1) unstable; urgency=medium
+
+  * New upstream stable release 43.5
+- Fix a regression in 43~beta involving detection of hotplugged media
+  with autorunnable content (gnome-shell!2745)
+- Make search results fill unused space as intended (gnome-shell#5924)
+- Improve matching of app StartupWMClass to a .desktop file, giving
+  priority to apps that were not hidden by OnlyShowIn under the current
+  desktop environment, in particular preferring gnome-system-monitor's
+  non-KDE-specific .desktop 

Bug#1036856: bookworm-pu: package mutter/43.6-1~deb12u1

[Simon McVittie]

On Wed, 21 Jun 2023 at 00:06:15 +0100, Simon McVittie wrote:
> On Wed, 07 Jun 2023 at 17:05:37 +0100, Simon McVittie wrote:
> > On Sun, 28 May 2023 at 00:15:26 +0100, Simon McVittie wrote:
> > > The mutter 43.5 release from GNOME upstream seems like something we should
> > > have in a bookworm update.
> > 
> > So does the 43.6 release.
> 
> Updated debdiff attached (everything is the same as mutter_43.6-pre.diff,
> except for debian/changelog)

Really attached now...

smcv
diffstat for mutter-43.4 mutter-43.6

 NEWS  |   21 
 debian/changelog  |   27 
 debian/libmutter-11-0.symbols |1 
 debian/patches/Update-Abkhazian-translation.patch | 4262 --
 debian/patches/clutter-actor-Get-next-action-from-list-before-handling-c.patch|   51 
 debian/patches/cursor-tracker-Don-t-leak-window-cursor-on-exit.patch  |   22 
 debian/patches/debian/Mark-xwayland-test-case-as-known-to-be-flaky-on-32-bit-AR.patch |4 
 debian/patches/debian/meson-Do-not-mark-CI-test-tools-as-required.patch   |4 
 debian/patches/debian/tests-Disable-restore-size-test.patch   |4 
 debian/patches/debian/tests-Tag-unstable-tests-as-flaky.patch |4 
 debian/patches/meson-add-back-default_driver-option.patch |6 
 debian/patches/series |7 
 debian/patches/tests-Break-up-stacking-installed-tests-into-more-smaller.patch|4 
 debian/patches/wayland-Skip-subsurface-desync-if-parent-is-NULL.patch |   35 
 debian/patches/wayland-cursor-surface-Update-cursor-on-dispose.patch  |  701 -
 debian/patches/wayland-outputs-Fix-potential-crash-when-output-has-no-mo.patch|   40 
 debian/patches/wayland-xdg-shell-Dismiss-instead-of-destroy-invalid-popu.patch|   28 
 meson.build   |2 
 src/backends/meta-screen-cast-window-stream.c |   14 
 src/backends/meta-screen-cast-window.c|   12 
 src/backends/meta-screen-cast-window.h|6 
 src/backends/native/meta-kms-impl-device-dummy.c  |7 
 src/compositor/meta-compositor-view.c |2 
 src/compositor/meta-surface-actor-wayland.c   |   50 
 src/compositor/meta-window-actor-private.h|2 
 src/compositor/meta-window-actor.c|   32 
 src/core/window-private.h |2 
 src/meta/window.h |3 
 src/wayland/meta-wayland-actor-surface.c  |   17 
 src/wayland/meta-wayland-outputs.c|7 
 30 files changed, 229 insertions(+), 5148 deletions(-)

diff -Nru mutter-43.4/debian/changelog mutter-43.6/debian/changelog
--- mutter-43.4/debian/changelog	2023-04-21 10:10:24.0 +0100
+++ mutter-43.6/debian/changelog	2023-06-10 22:59:13.0 +0100
@@ -1,3 +1,30 @@
+mutter (43.6-1~deb12u1) bookworm; urgency=medium
+
+  * Rebuild for bookworm
+
+ -- Simon McVittie   Sat, 10 Jun 2023 22:59:13 +0100
+
+mutter (43.6-1) unstable; urgency=medium
+
+  * New upstream stable release 43.5
+- Always update surfaces belonging to a window that is being recorded
+  or included in a screencast, even if the window is not visible
+  on a local display (mutter#2538, mutter!2789)
+- Export previously-private meta_window_has_pointer(), needed by
+  screenshot UI fixes in gnome-shell 43.5 (mutter!2928)
+  + d/libmutter-11-0.symbols: Update to add that symbol
+- All other changes were already present in 43.4-2
+  * New upstream stable release 43.6
+- Fix a resource leak when a compositor view is destroyed (mutter!2991)
+- Fix a crash when headless gdm greeter via gnome-remote-desktop
+  attempts to blank the screen (mutter#2841)
+  * d/patches: Drop patches that were applied upstream
+  * d/p/wayland-outputs-Fix-potential-crash-when-output-has-no-mo.patch:
+Backport patch from 44~beta to fix a crash during suspend/resume on
+some systems (mutter#2570, Closes: #1036268)
+
+ -- Simon McVittie   Sat, 10 Jun 2023 21:17:19 +0100
+
 mutter (43.4-2) unstable; urgency=medium
 
   * Team upload
diff -Nru mutte

Bug#1036856: bookworm-pu: package mutter/43.6-1~deb12u1

[Simon McVittie]

On Wed, 07 Jun 2023 at 17:05:37 +0100, Simon McVittie wrote:
> On Sun, 28 May 2023 at 00:15:26 +0100, Simon McVittie wrote:
> > The mutter 43.5 release from GNOME upstream seems like something we should
> > have in a bookworm update.
> 
> So does the 43.6 release.
...
>   [ ] the issue is verified as fixed in unstable
>   - intentionally not done yet, due to full freeze

I uploaded the version from which this is a backport after the bookworm
release, and it has now migrated to testing.

Updated debdiff attached (everything is the same as mutter_43.6-pre.diff,
except for debian/changelog). I've uploaded this version in the hope that
it will be accepted.

I have only tested this and gnome-shell (#1036858) together, so please
accept both or neither.

smcv

Bug#1037214: bullseye-pu: package appstream-glib/0.7.18-1+deb11u1

[Simon McVittie]

Control: tags -1 - moreinfo

On Sat, 17 Jun 2023 at 18:45:31 +0200, Matthias Klumpp wrote:
> Thank you for working on this! It will be nice to have this issue
> fixed in bullseye soon, as it seems to affect quite a bunch of users!

I've assumed that counts as a "yes" from the maintainer, and uploaded
the proposed version for the stable release team's review.

Thanks,
smcv

Bug#1037196: bullseye-pu: package dbus/1.12.28-0+deb11u1

[Simon McVittie]

On Wed, 07 Jun 2023 at 14:24:36 +0100, Simon McVittie wrote:
> [ Reason ]
> Fix a local denial of service for which the security team does not intend
> to do a DSA (dbus#457, #1037151; CVE assignment pending).

CVE-2023-34969 was assigned. I didn't think it was worth editing the
changelog and repinning the package just to add that, so the diff I
previously attached is still current.

I went ahead with uploading to bullseye-proposed-updates in the hope that
this will save the release team some time.

>   [ ] the issue is verified as fixed in unstable
>   - intentionally not done yet due to the full freeze, because dbus
> has udebs

Now fixed in unstable by 1.14.8-1.

smcv

Bug#1037194: bookworm-pu: package dbus/1.14.8-1~deb12u1

[Simon McVittie]

On Wed, 07 Jun 2023 at 14:11:05 +0100, Simon McVittie wrote:
> Fix a local denial of service for which the security team does not intend
> to do a DSA (dbus#457, #1037151; CVE assignment pending).

CVE-2023-34969 was now assigned.

> I'll be uploading to unstable to get
> wider user testing as soon as the trixie cycle opens

1.14.8 has been in unstable for a few days. fwupd:armhf and
slic3r-prusa:arm64 show up as regressions, but both look more like a
flaky test than a dbus bug.

A release-candidate of the bookworm package is available from:

deb [trusted=yes] https://people.debian.org/~smcv/12.1 bookworm-proposed 
main

This is intentionally versioned slightly lower (as
1.14.8-1~deb12u1~1+1+g3b42362c0) but the changelog is the only difference.

>   [ ] the issue is verified as fixed in unstable
>   - intentionally not done yet due to the full freeze

Now fixed in unstable by a functionally equivalent package.

Updated debdiff attached: the only difference between this and what I
previously sent (which is what's now in unstable) is the extra changelog
entry.

I've uploaded to stable-NEW in the hope that the stable release team will
be happy to continue following upstream stable branches like we did for
bullseye and buster, but please let me know if any of the changes are
considered inappropriate.

Thanks,
smcv
debdiff *.dsc | filterdiff -p1 -xaminclude_static.am -xMakefile.in -x'*/Makefile.in' -xconfigure

diffstat for dbus-1.14.6 dbus-1.14.8

 AUTHORS |9 ++
 Makefile.in |2 
 NEWS|   29 
 aminclude_static.am |2 
 bus/Makefile.in |2 
 bus/connection.c|   15 
 cmake/DBus1ConfigVersion.cmake  |2 
 configure   |   26 +++
 configure.ac|4 -
 dbus/Makefile.in|2 
 dbus/dbus-connection-internal.h |2 
 dbus/dbus-connection.c  |   11 ++-
 dbus/dbus-internals.h   |2 
 dbus/dbus-message.c |   12 ++-
 dbus/dbus-spawn-win.c   |8 +-
 dbus/dbus-sysdeps-win.c |4 -
 debian/changelog|   22 ++
 debian/control  |2 
 debian/gbp.conf |2 
 debian/watch|2 
 doc/dbus-api-design.duck|4 -
 test/Makefile.in|2 
 test/data/valid-config-files/forbidding.conf.in |3 
 test/monitor.c  |   84 +---
 24 files changed, 207 insertions(+), 46 deletions(-)

diff -Nru dbus-1.14.6/AUTHORS dbus-1.14.8/AUTHORS
--- dbus-1.14.6/AUTHORS	2022-10-05 11:03:53.0 +0100
+++ dbus-1.14.8/AUTHORS	2023-06-06 14:00:36.0 +0100
@@ -15,6 +15,7 @@
 Artem Bityutskiy 
 Arun Raghavan 
 Aurelien Jarno 
+Barnabás Pőcze 
 Benedikt Heine 
 Benjamin Reed 
 Bertrand SIMONNET 
@@ -46,6 +47,7 @@
 Daniel Reed 
 Daniel Wendt 
 Dan Williams 
+Dave Jones 
 Dave Reisner 
 David King 
 David Redondo 
@@ -58,6 +60,7 @@
 Dmitri Iouchtchenko 
 DreamNik 
 Eamon Walsh 
+Evgeny Vereshchagin 
 eXeC001er 
 Federico Mena Quintero 
 Felipe Franciosi 
@@ -75,6 +78,7 @@
 Havoc Pennington 
 Havoc Pennington 
 Hendrik Buschmeier 
+hongjinghao 
 hyeric 
 ilovezfs 
 Ioan-Adrian Ratiu 
@@ -90,6 +94,7 @@
 Jean-Louis Fuchs 
 Jens Granseuer 
 Jérémie Dimino 
+Jeremi Piotrowski 
 Jesper Dam 
 Jiří Klimeš 
 Joe Marcus Clarke 
@@ -104,7 +109,9 @@
 Jon Trowbridge 
 Julien Schueller 
 Justin Lee 
+Kai A. Hiller 
 Kay Sievers 
+Khem Raj 
 Kimmo Hämäläinen 
 Kir Kolyshkin 
 Kjartan Maraas 
@@ -126,6 +133,7 @@
 Marc Brockschmidt 
 Marc Mutz 
 Marc Mutz 
+Marco Trevisan (Treviño) 
 Marcus Brinkmann 
 Mark Brand 
 Mark McLoughlin 
@@ -236,6 +244,7 @@
 Wulf C. Krueger 
 Xan Lopez 
 Yaakov Selkowitz 
+Yen-Chin, Lee 
 Yiyang Fei 
 Zack Rusin 
 Zeeshan Ali 
diff -Nru dbus-1.14.6/bus/connection.c dbus-1.14.8/bus/connection.c
--- dbus-1.14.6/bus/connection.c	2022-10-02 15:06:53.0 +0100
+++ dbus-1.14.8/bus/connection.c	2023-06-06 14:00:36.0 +0100
@@ -2374,6 +2374,21 @@
   if (!dbus_message_set_sender (message, DBUS_SERVICE_DBUS))
 return FALSE;
 
+  /* Make sure the message has a non-zero serial number, otherwise
+   * bus_transaction_capture_error_reply() will not be able to mock up
+   * a corresponding reply for it. Normally this would be delayed until
+   * the first time we actually send the message out from a
+   * connection, when the transaction is committed, but that's too late
+   * in this case.
+   */
+  if (dbus_message_get_serial (message) == 0)
+{
+ 

Bug#1037932: transition: python-resolvelib

[Simon McVittie]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: python-resolve...@packages.debian.org, 
ansible-c...@packages.debian.org
Control: affects -1 + src:ansible-core src:python-resolvelib

python3-resolvelib 1.x makes ansible-core uninstallable; reporting this
as a transition to get it on the release team's radar.

(I am not involved in this transition and was not responsible for planning
or starting it.)

Transition tracker:
https://release.debian.org/transitions/html/auto-upperlimit-python3-resolvelib.html

smcv

Bug#1037931: transition: platformdirs

[Simon McVittie]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: platformd...@packages.debian.org, 
python-virtual...@packages.debian.org, poe...@packages.debian.org
Control: affects -1 + src:platformdirs src:python-virtualenv src:poetry

python3-platformdirs 3.x makes python3-virtualenv and python3-poetry
uninstallable; reporting this as a transition to get it on the release
team's radar.

(I am not involved in this transition and was not responsible for planning
or starting it.)

Transition tracker:
https://release.debian.org/transitions/html/auto-upperlimit-python3-platformdirs.html

smcv

Bug#1037214: bullseye-pu: package appstream-glib/0.7.18-1+deb11u1

[Simon McVittie]

On Wed, 07 Jun 2023 at 21:33:29 +0100, Simon McVittie wrote:
>   [x] attach debdiff against the package in (old)stable

That was, in fact, a lie. See attached (or the nmudiff on #1037206 if
you'd prefer the unfiltered version).

smcv
debdiff appstream-glib_0.7.18-1{,+deb11u1}.dsc | filterdiff -p1 -x'debian/patches/*.patch'

diffstat for appstream-glib-0.7.18 appstream-glib-0.7.18

 debian/.gitignore |1 
 debian/changelog  |   10 
 debian/patches/Improve-handling-of-em-and-code-tags.patch |  220 ++
 debian/patches/Properly-initialize-AsNodeToXmlHelper.patch|   34 +
 debian/patches/Support-em-code-tags.patch |  118 +
 debian/patches/series |4 
 debian/patches/trivial-Turn-is_-em-code-_text-fields-into-bitfields.patch |   26 +
 libappstream-glib/as-node.c   |  120 -
 libappstream-glib/as-self-test.c  |   51 ++
 9 files changed, 552 insertions(+), 32 deletions(-)

diff -Nru appstream-glib-0.7.18/debian/changelog appstream-glib-0.7.18/debian/changelog
--- appstream-glib-0.7.18/debian/changelog	2020-12-21 23:14:10.0 +
+++ appstream-glib-0.7.18/debian/changelog	2023-06-07 19:25:59.0 +0100
@@ -1,3 +1,13 @@
+appstream-glib (0.7.18-1+deb11u1) bullseye; urgency=medium
+
+  * Add patches from upstream to cope with  and  in metadata.
+Older versions of appstream-glib mis-parse upstream metadata that
+contains  and , causing flatpak 1.12.x or older to fail
+to load the metadata now published by Flathub. The symptom is that
+`flatpak search` fails. (Closes: #1037206, LP: #2023215)
+
+ -- Simon McVittie   Wed, 07 Jun 2023 19:25:59 +0100
+
 appstream-glib (0.7.18-1) unstable; urgency=medium
 
   [ Matthias Klumpp ]
diff -Nru appstream-glib-0.7.18/debian/.gitignore appstream-glib-0.7.18/debian/.gitignore
--- appstream-glib-0.7.18/debian/.gitignore	1970-01-01 01:00:00.0 +0100
+++ appstream-glib-0.7.18/debian/.gitignore	2023-06-07 19:25:59.0 +0100
@@ -0,0 +1 @@
+*~
diff -Nru appstream-glib-0.7.18/debian/patches/series appstream-glib-0.7.18/debian/patches/series
--- appstream-glib-0.7.18/debian/patches/series	1970-01-01 01:00:00.0 +0100
+++ appstream-glib-0.7.18/debian/patches/series	2023-06-07 19:25:59.0 +0100
@@ -0,0 +1,4 @@
+Support-em-code-tags.patch
+Properly-initialize-AsNodeToXmlHelper.patch
+trivial-Turn-is_-em-code-_text-fields-into-bitfields.patch
+Improve-handling-of-em-and-code-tags.patch
diff -Nru appstream-glib-0.7.18/libappstream-glib/as-node.c appstream-glib-0.7.18/libappstream-glib/as-node.c
--- appstream-glib-0.7.18/libappstream-glib/as-node.c	2020-09-07 11:20:43.894573000 +0100
+++ appstream-glib-0.7.18/libappstream-glib/as-node.c	2023-06-07 20:58:11.0 +0100
@@ -555,6 +555,8 @@
 	AsNode			*current;
 	AsNodeFromXmlFlags	 flags;
 	const gchar * const	*locales;
+	guint8			 is_em_text:1;
+	guint8			 is_code_text:1;
 } AsNodeToXmlHelper;
 
 /**
@@ -604,6 +606,16 @@
 	AsNode *current;
 	guint i;
 
+	/* do not create a child node for em and code tags */
+	if (g_strcmp0 (element_name, "em") == 0) {
+		helper->is_em_text = 1;
+		return;
+	}
+	if (g_strcmp0 (element_name, "code") == 0) {
+		helper->is_code_text = 1;
+		return;
+	}
+
 	/* check if we should ignore the locale */
 	data = g_slice_new0 (AsNodeData);
 
@@ -662,6 +674,53 @@
 			GError **error)
 {
 	AsNodeToXmlHelper *helper = (AsNodeToXmlHelper *) user_data;
+	AsNodeData *data = helper->current->data;
+
+	/* do not create a child node for em and code tags */
+	if (g_strcmp0 (element_name, "em") == 0) {
+		helper->is_em_text = 0;
+		return;
+	}
+	if (g_strcmp0 (element_name, "code") == 0) {
+		helper->is_code_text = 0;
+		return;
+	}
+
+	if (data->cdata != NULL) {
+		/* split up into lines and add each with spaces stripped */
+		if ((helper->flags & AS_NODE_FROM_XML_FLAG_LITERAL_TEXT) == 0) {
+			AsRefString *cdata = data->cdata;
+			data->cdata = as_node_reflow_text (cdata, strlen (cdata));
+			as_ref_string_unref (cdata);
+		}
+
+		/* intern commonly duplicated tag values and save a bit of memory */
+		if (data->is_tag_valid) {
+			AsNode *root = g_node_get_root (helper->current);
+			switch (data->tag) {
+			case AS_TAG_CATEGORY:
+			case AS_TAG_COMPULSORY_FOR_DESKTOP:
+			case AS_TAG_CONTENT_ATTRIBUTE:
+			case AS_TAG_DEVELOPER_NAME:
+			case AS_TAG_EXTENDS:
+			case AS_TAG_ICON:
+			case AS_TAG_ID:
+			case AS_TAG_KUDO:
+			case AS_TAG_LANG:
+			case AS_TAG_METADATA_LICENSE:
+			case AS_TAG_MIMETYPE:
+			case AS_TAG_PROJECT_GROUP:
+			case AS_TAG_PROJECT_LICENSE:
+			case AS_TAG_SOURCE_PKGNAME:
+			case AS_TAG_URL:
+as_node_cdata_to_intern

Bug#1037214: bullseye-pu: package appstream-glib/0.7.18-1+deb11u1

[Simon McVittie]

Package: release.debian.org
Severity: normal
Tags: bullseye moreinfo
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: appstream-g...@packages.debian.org
Control: affects -1 + src:appstream-glib

[ Reason ]
Recent server-side changes on flathub.org mean that it started publishing
Appstream metadata that appstream-glib doesn't understand ( and 
markup), and appstream-glib is intolerant of non-recognised markup in
this context, causing `flatpak search` to regress in bullseye. (#1037206)

[ Impact ]
If not fixed, `flatpak search` will show an error message for Flathub
users and not offer any search results, unless the user upgrades to
the version from bullseye-backports (which is unaffected by appstream-glib
bugs because it has switched to using libappstream, a different codebase).

[ Tests ]
I confirmed that this fixes the reproducer from #1037206.

bullseye's gnome-software, which uses appstream-glib, is still able
to display search results from both Debian (I searched for amoebax)
and Flathub (I searched for steamlink and organicmaps). The package
description for organicmaps, which includes  and therefore triggered
this bug, is not displayed correctly in gnome-software (text inside 
doesn't appear), but that isn't a regression: the same behaviour is seen
without this change.

The patches also add a regression test, which is run at build-time
and passes.

[ Risks ]
These are straightforward backports from the newer upstream release in
bookworm, and have also been proposed for an Ubuntu 22.04 stable update.
The original change introduced a test failure, for which the subsequent
upstream fix is also included.

I've marked this as moreinfo because it should ideally be reviewed by the
package's maintainer (not me).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
All changes are part of solving #1037206.

Bug#1036858: bookworm-pu: package gnome-shell/43.6-1~deb12u1

[Simon McVittie]

Control: retitle -1 bookworm-pu: package gnome-shell/43.6-1~deb12u1

On Sun, 28 May 2023 at 00:29:58 +0100, Simon McVittie wrote:
> The gnome-shell 43.5 release from GNOME upstream seems like something
> we should have in a bookworm update.

So does 43.6.

> This requires mutter 43.5, for which see #1036856.

Still true.

[ Reason ]
New upstream stable release

[ Impact ]
If not accepted, our default desktop will have several known bugs.

[ Tests ]
Manual testing: I'm running this version on my main laptop.
I'll upload to unstable when bookworm has been released.

[ Risks ]
There's the potential for regressions of similar magnitude to what we're
fixing. GNOME is our default desktop, so any regressions will be highly
visible.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in bookworm
  [ ] the issue is verified as fixed in unstable
  - intentionally not done during the full freeze

[ Changes ]
js/misc/ibusManager.js:
- Fix input method popup getting stuck on screen during engine changes
  (gnome-shell#6717)

js/misc/objectManager.js:
- Receive notifications of removed objects from D-Bus ObjectManager
  instances correctly (gnome-shell!2730).
  This is utility code used in multiple places, I don't know what
  user-visible impact this has.

js/ui/appDisplay.js:
- Fix an assertion failure during shutdown (gnome-shell#6512)

js/ui/components/autorunManager.js:
- Fix a regression in 43~beta involving detection of hotplugged media
  with autorunnable content (gnome-shell!2745)

js/ui/components/polkitAgent.js:
- When cancelling the polkit agent prompt while using
  gnome-remote-desktop, don't break subsequent polkit prompts
  (gnome-shell!2761)

js/ui/dash.js:
- Avoid destroying labels twice, most commonly when using
  gnome-shell-extension-dash-to-dock (gnome-shell!2739)

js/ui/dnd.js:
- Fix "TypeError: this._dragActor is null" warnings related to
  drag-and-drop (gnome-shell!2770)

js/ui/messageTray.js:
- Fix queued notifications getting into a state where they can no
  longer be removed (gnome-shell!2736)

js/ui/modalDialog.js:
- After 60 second timeout in logout/reboot/poweroff confirmation
  dialog, do the requested action instead of leaving the Shell in a
  broken state (gnome-shell#6506)

js/ui/panelMenu.js:
- Avoid keyboard navigation focus getting stuck on top bar buttons with
  no associated menu (gnome-shell!2734; does not solve #1032319 but is
  helpful when working around it)

js/ui/screenshot.js (first hunk), d/control.in:
- Fix a regression in which the cursor would not be included in
  screenshots since mutter 43.1 (gnome-shell!2710).
  This needs mutter 43.5; strictly speaking it isn't a required
  dependency, but if mutter is too old then the regression won't
  be fixed, so to simplify things I made it a dependency.

js/ui/screenshot.js (second and third hunks):
- Fix a cursor appearing at 0,0 in screenshots that should not
  include it (gnome-shell!2702)

js/ui/search.js:
- Make search results fill unused space as intended (gnome-shell#5924)

js/ui/status/location.js:
- Fix an assertion failure if Geoclue isn't D-Bus-activatable
  (gnome-shell!2689)

js/ui/windowPreview.js:
- Fix assertion failures after a window preview is destroyed
  (gnome-shell#5512, gnome-shell#6065)

js/ui/workspacesView.js:
- Update visibility of workspaces in workspace switcher when required
  (gnome-shell#6519)

src/shell-app-system.c:
- Improve matching of app StartupWMClass to a .desktop file, giving
  priority to apps that were not hidden by OnlyShowIn under the current
  desktop environment, in particular preferring gnome-system-monitor's
  non-KDE-specific .desktop file while running GNOME (gnome-shell!2721)

src/shell-window-preview-layout.c:
- Fix a crash when a window preview is destroyed (gnome-shell#6570)

[ Other info ]
I have not uploaded to unstable due to the full freeze, and I can't
upload to experimental because GNOME 44 is already there.

The attached diff is between patched trees, excluding the patches
themselves to avoid duplicating the changes, and is lightly filtered to
ignore translations (very verbose) and upstream CI stuff (not used or
relevant in Debian). I normally upload using dgit, so if I'm the uploader,
the uploaded .dsc will be checked for an exact match to what's in git.

Thanks,
smcv
git diff patch-queue/43.4.. | filterdiff -p1 -x'debian/patches/*.patch' -x.gitlab-ci.yml -x'.gitlab-ci/*' -x'po/*.po'

diff --git a/NEWS b/NEWS
index d20f27985..87adbee86 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,34 @@
+43.6
+
+* Fix stuck authentication dialog in remote sessions [Joan; !2761]
+* Fix IM popup getting stuck on engine changes [Daniel; !2774]
+* Fixed crash [Carlos; !2756]
+* Misc. bug

Bug#1036856: bookworm-pu: package mutter/43.6-1~deb12u1

[Simon McVittie]

Control: retitle -1 bookworm-pu: package mutter/43.6-1~deb12u1

On Sun, 28 May 2023 at 00:15:26 +0100, Simon McVittie wrote:
> The mutter 43.5 release from GNOME upstream seems like something we should
> have in a bookworm update.

So does the 43.6 release.

[ Reason ]
New upstream stable release

[ Impact ]
If not accepted, our default desktop will have several known bugs including
a crash during suspend/resume under some circumstances, and selectively
recording/screencasting a window that is not visible on a display not being
reliable. Additionally, this update is a prerequisite for a bug fix in
gnome-shell which I would also like to get fixed in bookworm (separate
bookworm-pu request, #1036858).

[ Tests ]
Manual testing: I'm running this version on my main laptop, and I'll
upload to unstable as soon as bookworm has been released.

Automated testing: mutter's test-suite still passes at build-time and in
autopkgtest.

[ Risks ]
There's the potential for regressions of similar magnitude to what we're
fixing. GNOME is our default desktop, so any regressions will be highly
visible.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in bookworm
  [ ] the issue is verified as fixed in unstable
  - intentionally not done yet, due to full freeze

[ Changes ]
src/backends/meta-screen-cast-window-stream.c,
src/backends/meta-screen-cast-window.c,
src/compositor/meta-surface-actor-wayland.c,
src/compositor/meta-window-actor.c: make sure that if a window is being
recorded or screencasted, it gets updated at the refresh rate of at least
some arbitrary display, even if it's not actually visible on any display
(for example because it's obscured by a window in front).

src/backends/native/meta-kms-impl-device-dummy.c:
don't crash on trying to blank the screen when run "headless" by
gnome-remote-desktop

src/wayland/meta-wayland-actor-surface.c: consider updating windows even if
they're fully obscured, to make sure that single-window
recording/screencasting works as intended, at the cost of not optimizing
away as many non-user-visible window updates.

src/compositor/meta-compositor-view.c: simple change to fix a resource leak
by calling the parent class's destructor correctly

src/wayland/meta-wayland-outputs.c: backported patch from version 44
(not part of 43.x upstream) to avoid a known source of crashes during
suspend/resume, which might resolve Debian bug reports #1010478 and/or
#1036268

src/core/window-private.h, src/meta/window.h, debian/libmutter-11-0.symbols:
export a symbol needed by GNOME Shell 43.5 for a screenshot bug fix there,
already present in 44.1 in experimental

[ Other info ]
I have not uploaded to unstable due to the full freeze, and I can't
upload to experimental because GNOME 44 is already there.
git diff patch-queue/43.4.. | filterdiff -p1 -x'debian/patches/*.patch' -x'po/*.po'

diff --git a/NEWS b/NEWS
index 65e5d1cf89..410519419e 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,24 @@
+43.6
+
+* Fix popup issues [Jonas; !2940]
+* Plugged leak [Jonas; !2991]
+* Fixed crash [Jonas; !3037]
+
+Contributors:
+  Jonas Ådahl
+
+43.5
+
+* Fix recording windows on non-active workspaces [Robert; !2789]
+* Fixed crashes [Colin, Sebastian, Jonas; !2917, !2955, !2969]
+* Misc. bug fixes and cleanups [Ivan; !2928]
+
+Contributors:
+  Jonas Ådahl, Sebastian Keller, Colin Kinloch, Robert Mader, Ivan Molodetskikh
+
+Translators:
+  Nart Tlisha [ab]
+
 43.4
 
 * Do not overwrite previously set offsets on attach [Matthias; !2843]
diff --git a/debian/changelog b/debian/changelog
index d7daed1235..5ec723d601 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,24 @@
+mutter (43.6-1) UNRELEASED; urgency=medium
+
+  * New upstream stable release 43.5
+- Always update surfaces belonging to a window that is being recorded
+  or included in a screencast, even if the window is not visible
+  on a local display (mutter#2538, mutter!2789)
+- Export previously-private meta_window_has_pointer(), needed by
+  screenshot UI fixes in gnome-shell 43.5 (mutter!2928)
+  + d/libmutter-11-0.symbols: Update to add that symbol
+- All other changes were already present in 43.4-2
+  * New upstream stable release 43.6
+- Fix a resource leak when a compositor view is destroyed (mutter!2991)
+- Fix a crash when headless gdm greeter via gnome-remote-desktop
+  attempts to blank the screen (mutter#2841)
+  * d/patches: Drop patches that were applied upstream
+  * d/p/wayland-outputs-Fix-potential-crash-when-output-has-no-mo.patch:
+Backport patch from 44~beta to fix a crash during suspend/resume on
+some systems (mutter#2570, Closes: #1036268)
+
+ -- Simon McVittie   Tue, 06 Jun 2023 18:33:18 +0100
+
 mutter (43.4-2) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/libmutter-11-0.symbols b/debian/libmutter-11-0.symbols
index 1128f2ab36..f

Bug#1037196: bullseye-pu: package dbus/1.12.28-0+deb11u1

[Simon McVittie]

bus-1.12.28/dbus/dbus-sysdeps-unix.c
--- dbus-1.12.24/dbus/dbus-sysdeps-unix.c	2021-12-17 12:55:33.0 +
+++ dbus-1.12.28/dbus/dbus-sysdeps-unix.c	2023-02-08 11:41:48.0 +
@@ -2217,7 +2217,7 @@
 #else /* no supported mechanism */
 
 #warning Socket credentials not supported on this Unix OS
-#warning Please tell https://bugs.freedesktop.org/enter_bug.cgi?product=DBus
+#warning Please tell https://gitlab.freedesktop.org/dbus/dbus/-/issues/new
 
 /* Please add other operating systems known to support at least one of
  * the mechanisms above to this list, keeping alphabetical order.
diff -Nru dbus-1.12.24/debian/changelog dbus-1.12.28/debian/changelog
--- dbus-1.12.24/debian/changelog	2022-10-05 12:04:31.0 +0100
+++ dbus-1.12.28/debian/changelog	2023-06-06 15:07:35.0 +0100
@@ -1,3 +1,16 @@
+dbus (1.12.28-0+deb11u1) bullseye; urgency=medium
+
+  * New upstream stable release 1.12.26
+- Fixes a denial of service issue that is not relevant for the way
+  we compile dbus in Debian
+  * New upstream stable release 1.12.28
+- Fixes a denial of service issue if the root or messagebus user is
+  monitoring messages on the system bus with the Monitoring interface
+  (dbus-monitor, busctl monitor, gdbus monitor or similar)
+  (Closes: #1037151)
+
+ -- Simon McVittie   Tue, 06 Jun 2023 15:07:35 +0100
+
 dbus (1.12.24-0+deb11u1) bullseye-security; urgency=medium
 
   * New upstream stable release 1.12.22
diff -Nru dbus-1.12.24/doc/dbus-api-design.duck dbus-1.12.28/doc/dbus-api-design.duck
--- dbus-1.12.24/doc/dbus-api-design.duck	2018-02-08 14:13:45.0 +
+++ dbus-1.12.28/doc/dbus-api-design.duck	2023-06-06 10:36:54.0 +0100
@@ -320,7 +320,7 @@
 -->
 
   
-
+
 
   The progress should be reported as an enumerated value:
   [code style="valid" mime="application/xml"]
@@ -335,7 +335,7 @@
 -->
 
   
-
+
 
 D-Bus has none of the problems of signed versus unsigned integers which C has
 (specifically, it does not do implicit sign conversion), so integer types should
diff -Nru dbus-1.12.24/NEWS dbus-1.12.28/NEWS
--- dbus-1.12.24/NEWS	2022-10-05 11:01:46.0 +0100
+++ dbus-1.12.28/NEWS	2023-06-06 14:00:50.0 +0100
@@ -1,3 +1,57 @@
+dbus 1.12.x branch
+==
+
+The dbus 1.12.x branch was originally released in 2017, and is maintained
+for the benefit of long-term-support OS distributions such as Debian.
+It is planned to reach end-of-life status at the end of Debian 11
+mainstream security support, in mid 2024. After it reaches end-of-life
+there will be no more 1.12.x releases, even if new security issues
+are discovered.
+
+dbus 1.12.28 (2023-06-06)
+=
+
+Denial-of-service fixes:
+
+• Fix an assertion failure in dbus-daemon when a privileged Monitoring
+  connection (dbus-monitor, busctl monitor, gdbus monitor or similar)
+  is active, and a message from the bus driver cannot be delivered to a
+  client connection due to  rules or outgoing message quota. This
+  is a denial of service if triggered maliciously by a local attacker.
+  (dbus#457; hongjinghao, Simon McVittie)
+
+Other fixes:
+
+• Documentation:
+  · Fix syntax of a code sample in dbus-api-design
+(dbus!396; Yen-Chin, Lee)
+
+Tests and CI enhancements:
+
+• Fix CI pipelines after freedesktop/freedesktop#540
+  (dbus!405, dbus#456; Simon McVittie)
+
+dbus 1.12.26 (2023-02-08)
+=
+
+Denial of service fixes:
+
+• Fix an incorrect assertion that could be used to crash dbus-daemon or
+  other users of DBusServer prior to authentication, if libdbus was compiled
+  with assertions enabled.
+  We recommend that production builds of dbus, for example in OS distributions,
+  should be compiled with checks but without assertions.
+  (dbus#421, Ralf Habacker; thanks to Evgeny Vereshchagin)
+
+Other fixes:
+
+• Documentation:
+  · Consistently use Gitlab bug reporting URL (dbus!372, Marco Trevisan)
+
+• Tests fixes:
+  · Fix the test-apparmor-activation test after dbus#416
+(dbus!380, Dave Jones)
+
 dbus 1.12.24 (2022-10-05)
 =
 
diff -Nru dbus-1.12.24/test/data/dbus-installed-tests.aaprofile.in dbus-1.12.28/test/data/dbus-installed-tests.aaprofile.in
--- dbus-1.12.24/test/data/dbus-installed-tests.aaprofile.in	2017-10-30 12:26:18.0 +
+++ dbus-1.12.28/test/data/dbus-installed-tests.aaprofile.in	2023-02-08 11:41:44.0 +
@@ -32,6 +32,7 @@
   # We aren't really confining this process seriously; allow most things.
   /** mrix,
   /tmp/dbus-daemon-test.*/{,**} w,
+  /tmp/dbus-* w,
   @{sys}/kernel/security/apparmor/** w,
   dbus (send, receive, bind),
   network,
@@ -44,6 +45,7 @@
 #include 
 
 /** mrix,
+/tmp/dbus-* w,
 @{sys}/kernel/security/apparmor/** w,
 dbus (send, receive, bind),
 network,
@@ -62,6 +64,7 @@
 #include 
 
 /** mrix,
+/tmp/dbus-* w,
 @{sys}/kernel/secu

Bug#1037194: bookworm-pu: package dbus/1.14.8-1~deb12u1

[Simon McVittie]

List   *link);
 dbus_bool_t   _dbus_connection_has_messages_to_send_unlocked (DBusConnection *connection);
diff -Nru dbus-1.14.6/dbus/dbus-internals.h dbus-1.14.8/dbus/dbus-internals.h
--- dbus-1.14.6/dbus/dbus-internals.h	2023-02-08 10:03:39.0 +
+++ dbus-1.14.8/dbus/dbus-internals.h	2023-06-06 10:36:49.0 +0100
@@ -104,7 +104,7 @@
 DBUS_PRIVATE_EXPORT
 void _dbus_verbose_real   (const char *file, const int line, const char *function, 
const char *format,...) _DBUS_GNUC_PRINTF (4, 5);
-#  define _dbus_verbose(fmt,...) _dbus_verbose_real( __FILE__,__LINE__,__FUNCTION__,fmt, ## __VA_ARGS__)
+#  define _dbus_verbose(fmt,...) _dbus_verbose_real( __FILE__,__LINE__,_DBUS_FUNCTION_NAME,fmt, ## __VA_ARGS__)
 #else
 DBUS_PRIVATE_EXPORT
 void _dbus_verbose_real   (const char *format,
diff -Nru dbus-1.14.6/dbus/dbus-message.c dbus-1.14.8/dbus/dbus-message.c
--- dbus-1.14.6/dbus/dbus-message.c	2023-01-30 09:57:39.0 +
+++ dbus-1.14.8/dbus/dbus-message.c	2023-06-06 10:36:49.0 +0100
@@ -2275,7 +2275,7 @@
 {
   const DBusString *sig;
   DBusString retstr;
-  char *ret;
+  char *ret = NULL;
   int start, len;
   DBusMessageRealIter *real = (DBusMessageRealIter *)iter;
 
@@ -2289,9 +2289,13 @@
   if (!_dbus_string_append_len (,
 _dbus_string_get_const_data (sig) + start,
 len))
-return NULL;
-  if (!_dbus_string_steal_data (, ))
-return NULL;
+goto oom;
+
+  /* This is correct whether it succeeds or fails: on success it sets `ret`,
+   * and on failure it leaves `ret` set to NULL. */
+  _dbus_string_steal_data (, );
+
+oom:
   _dbus_string_free ();
   return ret;
 }
diff -Nru dbus-1.14.6/dbus/dbus-spawn-win.c dbus-1.14.8/dbus/dbus-spawn-win.c
--- dbus-1.14.6/dbus/dbus-spawn-win.c	2022-10-02 15:06:53.0 +0100
+++ dbus-1.14.8/dbus/dbus-spawn-win.c	2023-06-06 10:36:49.0 +0100
@@ -5,7 +5,7 @@
 #if !defined(SPAWN_DEBUG) || defined(_MSC_VER)
 #define PING()
 #else
-#define PING() fprintf (stderr, "%s:%s:%d\n", __FILE__, __FUNCTION__, __LINE__); fflush (stderr)
+#define PING() fprintf (stderr, "%s:%s:%d\n", __FILE__, _DBUS_FUNCTION_NAME, __LINE__); fflush (stderr)
 #endif
 
 #include 
@@ -105,7 +105,7 @@
 
   old_refcount = _dbus_atomic_inc (>refcount);
 
-  _dbus_babysitter_trace_ref (sitter, old_refcount, old_refcount+1, __FUNCTION__);
+  _dbus_babysitter_trace_ref (sitter, old_refcount, old_refcount+1, _DBUS_FUNCTION_NAME);
 
   sitter->child_handle = NULL;
 
@@ -139,7 +139,7 @@
 
   old_refcount = _dbus_atomic_inc (>refcount);
   _dbus_assert (old_refcount > 0);
-  _dbus_babysitter_trace_ref (sitter, old_refcount, old_refcount+1, __FUNCTION__);
+  _dbus_babysitter_trace_ref (sitter, old_refcount, old_refcount+1, _DBUS_FUNCTION_NAME);
 
   return sitter;
 }
@@ -180,7 +180,7 @@
 
   old_refcount = _dbus_atomic_dec (>refcount);
   _dbus_assert (old_refcount > 0);
-  _dbus_babysitter_trace_ref (sitter, old_refcount, old_refcount-1, __FUNCTION__);
+  _dbus_babysitter_trace_ref (sitter, old_refcount, old_refcount-1, _DBUS_FUNCTION_NAME);
 
   if (old_refcount == 1)
 {
diff -Nru dbus-1.14.6/dbus/dbus-sysdeps-win.c dbus-1.14.8/dbus/dbus-sysdeps-win.c
--- dbus-1.14.6/dbus/dbus-sysdeps-win.c	2022-10-02 15:06:53.0 +0100
+++ dbus-1.14.8/dbus/dbus-sysdeps-win.c	2023-06-06 10:36:49.0 +0100
@@ -1012,12 +1012,12 @@
   psid = token_user->User.Sid;
   if (!IsValidSid (psid))
 {
-  _dbus_verbose("%s invalid sid\n",__FUNCTION__);
+  _dbus_verbose("invalid sid\n");
   goto failed;
 }
   if (!ConvertSidToStringSidA (psid, sid))
 {
-  _dbus_verbose("%s invalid sid\n",__FUNCTION__);
+  _dbus_verbose("invalid sid\n");
   goto failed;
 }
 //okay:
diff -Nru dbus-1.14.6/debian/changelog dbus-1.14.8/debian/changelog
--- dbus-1.14.6/debian/changelog	2023-02-08 13:21:47.0 +
+++ dbus-1.14.8/debian/changelog	2023-06-06 15:05:50.0 +0100
@@ -1,3 +1,17 @@
+dbus (1.14.8-1) unstable; urgency=medium
+
+  [ Simon McVittie ]
+  * New upstream stable release
+- Fixes a denial of service issue if the root or messagebus user is
+  monitoring messages on the system bus with the Monitoring interface
+  (dbus-monitor, busctl monitor, gdbus monitor or similar)
+  (Closes: #1037151)
+
+  [ Helmut Grohne ]
+  * Mark dbus-daemon and dbus-bin Multi-Arch: foreign (Closes: #1033056)
+
+ -- Simon McVittie   Tue, 06 Jun 2023 15:05:50 +0100
+
 dbus (1.14.6-1) unstable; urgency=medium
 
   * New upstream stable release
diff -Nru dbus-1.14.6/debian/control dbus-1.14.8/debian/control
--- dbus-1.14.6/debian/control	2023-02-08 13:21:47.0 +
+++ dbus-1.14.8/debian/control	2023-06-06 15:05:50.0 +0100
@@ -130,6 +130,7 @@
 
 Package: dbus-bin
 Architecture: any
+Multi-Arch: foreign
 Depends:
  ${misc:Depends},
  ${shlibs:Depends},
@@ -147,6 +148,7 @@
 
 Package: dbus-daemon
 Archite

Bug#1036856: bookworm-pu: package mutter/43.5-0+deb12u1

[Simon McVittie]

On Sun, 28 May 2023 at 00:15:26 +0100, Simon McVittie wrote:
>   [x] attach debdiff against the package in [bookworm]

Sorry, here's the diff.

The attached diff is between patched trees, excluding the patches
themselves to avoid duplicating the changes, and is lightly filtered
to ignore translations (very verbose). I normally upload using dgit,
so if I'm the uploader, the uploaded .dsc will be checked for an exact
match to what's in git.

GNOME team (particularly Jeremy and Marco): This and the accompanying
gnome-shell update are particularly high-visibility and important to get
right, and the finer points of compositor behaviour are not my strong
point, so please check this. I have uploaded prerelease packages to
<https://people.debian.org/~smcv/12.1/> and will upload to unstable if
given permission. If someone with more compositor expertise wants to
take these over, they are very welcome to do so.

smcv
git diff patch-queue/43.4.. | filterdiff -p1 -x'debian/patches/*.patch' -x'po/*.po'

diff --git a/NEWS b/NEWS
index 65e5d1cf8..27862914b 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,15 @@
+43.5
+
+* Fix recording windows on non-active workspaces [Robert; !2789]
+* Fixed crashes [Colin, Sebastian, Jonas; !2917, !2955, !2969]
+* Misc. bug fixes and cleanups [Ivan; !2928]
+
+Contributors:
+  Jonas Ådahl, Sebastian Keller, Colin Kinloch, Robert Mader, Ivan Molodetskikh
+
+Translators:
+  Nart Tlisha [ab]
+
 43.4
 
 * Do not overwrite previously set offsets on attach [Matthias; !2843]
diff --git a/debian/changelog b/debian/changelog
index d7daed123..1440b273e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,27 @@
+mutter (43.5-0+deb12u1) UNRELEASED; urgency=medium
+
+  * New upstream stable release
+- Always update surfaces belonging to a window that is being recorded
+  or included in a screencast, even if the window is not visible
+  on a local display (mutter#2538, mutter!2789)
+- Export previously-private meta_window_has_pointer(), needed by
+  screenshot UI fixes in gnome-shell 43.5 (mutter!2928)
+  + d/libmutter-11-0.symbols: Update to add that symbol
+- All other changes were already present in 43.4-2
+  * d/patches: Drop patches that were applied upstream
+  * d/patches: Update to upstream gnome-43 branch commit 43.5-2-g8d7e958b8
+for additional post-release fixes
+- d/p/compositor-view-Chain-up-finalize.patch:
+  Fix a resource leak when a compositor view is destroyed (mutter!2991)
+- d/p/wayland-xdg-shell-Dismiss-instead-of-destroy-invalid-popu.patch:
+  Update metadata to reflect upstream backport, no functional change
+  * d/p/wayland-outputs-Fix-potential-crash-when-output-has-no-mo.patch:
+Backport patch from 44~beta to fix a crash during suspend/resume in
+some circumstances (mutter#2570, potentially also resolves
+#1010478 and #1036268)
+
+ -- Simon McVittie   Sat, 27 May 2023 15:46:33 +0100
+
 mutter (43.4-2) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/libmutter-11-0.symbols b/debian/libmutter-11-0.symbols
index 1128f2ab3..f3b181d85 100644
--- a/debian/libmutter-11-0.symbols
+++ b/debian/libmutter-11-0.symbols
@@ -780,6 +780,7 @@ libmutter-11.so.0 libmutter-11-0 #MINVER#
  meta_window_group_leader_changed@Base 43.0
  meta_window_has_attached_dialogs@Base 43.0
  meta_window_has_focus@Base 43.0
+ meta_window_has_pointer@Base 43.5
  meta_window_is_above@Base 43.0
  meta_window_is_always_on_all_workspaces@Base 43.0
  meta_window_is_ancestor_of_transient@Base 43.0
diff --git a/debian/patches/compositor-view-Chain-up-finalize.patch b/debian/patches/compositor-view-Chain-up-finalize.patch
new file mode 100644
index 0..383a1065d
diff --git a/debian/patches/series b/debian/patches/series
index 8be32b377..3068ed91d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,9 +1,6 @@
-wayland-Skip-subsurface-desync-if-parent-is-NULL.patch
-Update-Abkhazian-translation.patch
-clutter-actor-Get-next-action-from-list-before-handling-c.patch
-cursor-tracker-Don-t-leak-window-cursor-on-exit.patch
-wayland-cursor-surface-Update-cursor-on-dispose.patch
+compositor-view-Chain-up-finalize.patch
 wayland-xdg-shell-Dismiss-instead-of-destroy-invalid-popu.patch
+wayland-outputs-Fix-potential-crash-when-output-has-no-mo.patch
 tests-Break-up-stacking-installed-tests-into-more-smaller.patch
 tests-Use-a-more-interoperable-path-to-bash.patch
 meson-add-back-default_driver-option.patch
diff --git a/debian/patches/wayland-outputs-Fix-potential-crash-when-output-has-no-mo.patch b/debian/patches/wayland-outputs-Fix-potential-crash-when-output-has-no-mo.patch
new file mode 100644
index 0..afcde4c38
diff --git a/meson.build b/meson.build
index ba881c36f..f307a4736 100644
--- a/meson.build
+++ b/meson.build
@@ -1,5 +1,5 @@
 project('mutter', 'c',
-  version: '43.4',
+  version: '43.5',
   meson_version: '>= 0.55.0',
   license: 'GPLv2+'
 )
diff --git a/src/backends/meta-screen-cast-win

Bug#1036858: bookworm-pu: package gnome-shell/43.5-0+deb12u1

[Simon McVittie]

 [Florian; !2734]
+* Fix corner cases when matching apps on StartupWmClass [Marco; !2721]
+* Fix occasional misalignment of search results [Sebastian; !2744]
+* Fix regression in content-type sniffing on autorun [Balló; !2745]
+* Misc. bug fixes and cleanups [Will, Daniel, Florian, Jonas, Marco, Sebastian;
+  !2689, !2693, !2696, !2699, !2730, !2739, !2738, !2712]
+
+Contributors:
+  Jonas Dreßler, Balló György, Sebastian Keller, Ivan Molodetskikh, msizanoen1,
+  Florian Müllner, Will Thompson, Marco Trevisan (Treviño), Daniel van Vugt
+
+Translators:
+  Nart Tlisha [ab], Boyuan Yang [zh_CN]
+
 43.4
 
 * Plugged leak [Sebastian; !2652]
diff --git a/debian/changelog b/debian/changelog
index f44e61c0c..bdc1f210d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,45 @@
+gnome-shell (43.5-0+deb12u1) UNRELEASED; urgency=medium
+
+  * New upstream stable release
+- Fix a regression in 43~beta involving detection of hotplugged media
+  with autorunnable content (gnome-shell!2745)
+- Make search results fill unused space as intended (gnome-shell#5924)
+- Improve matching of app StartupWMClass to a .desktop file, giving
+  priority to apps that were not hidden by OnlyShowIn under the current
+  desktop environment, in particular preferring gnome-system-monitor's
+  non-KDE-specific .desktop file while running GNOME (gnome-shell!2721)
+- Fix assertion failures after a window preview is destroyed
+  (gnome-shell#5512, gnome-shell#6065)
+- Avoid destroying labels twice, most commonly when using
+  gnome-shell-extension-dash-to-dock (gnome-shell!2739)
+- Avoid keyboard navigation focus getting stuck on top bar buttons with
+  no associated menu (gnome-shell!2734, might help #1032319)
+- Fix queued notifications getting into a state where they can no
+  longer be removed (gnome-shell!2736)
+- Receive notifications of removed objects from D-Bus ObjectManager
+  instances correctly (gnome-shell!2730)
+- Fix a cursor appearing at 0,0 in screenshots that should not
+  include it (gnome-shell!2702)
+- Update visibility of workspaces in workspace switcher when required
+  (gnome-shell#6519)
+- After 60 second timeout in logout/reboot/poweroff confirmation
+  dialog, do the requested action instead of leaving the Shell in a
+  broken state (gnome-shell#6506)
+- Fix an assertion failure during shutdown (gnome-shell#6512)
+- Fix an assertion failure if Geoclue isn't D-Bus-activatable
+  (gnome-shell!2689)
+- Fix a regression in which the cursor would not be included in
+  screenshots since mutter 43.1 (gnome-shell!2710)
+- Upstream CI fixes not relevant to Debian
+- Translation update: zh_CN
+  * d/control.in: Build-depend on mutter 43.5, for a newly-public utility
+function needed by gnome-shell!2710
+  * d/patches: Drop ab translation patch, applied upstream
+  * d/patches: Update to gnome-43 branch commit 43.5-1-g2936e966a
+- Translation update: pt_BR
+
+ -- Simon McVittie   Sat, 27 May 2023 16:03:49 +0100
+
 gnome-shell (43.4-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/control b/debian/control
index 20815c4c6..78f01daa7 100644
--- a/debian/control
+++ b/debian/control
@@ -48,8 +48,8 @@ Build-Depends: appstream,
libgtk-4-dev,
libibus-1.0-dev (>= 1.5.22-2ubuntu2~),
libjson-glib-dev,
-   libmutter-11-dev (>= 43.0),
-   libmutter-test-11 (>= 43.0) ,
+   libmutter-11-dev (>= 43.5),
+   libmutter-test-11 (>= 43.5) ,
libnm-dev [linux-any],
libpipewire-0.3-dev (>= 0.3.10) [linux-any],
libpolkit-agent-1-dev,
@@ -62,7 +62,7 @@ Build-Depends: appstream,
libxml2-dev,
mesa-common-dev,
meson (>= 0.58.0),
-   mutter (>= 43.0) ,
+   mutter (>= 43.5) ,
pkg-config,
sassc,
systemd [linux-any],
@@ -96,7 +96,7 @@ Depends: gir1.2-accountsservice-1.0,
  gir1.2-gweather-4.0 (>= 4.1),
  gir1.2-freedesktop,
  gir1.2-ibus-1.0 (>= 1.5.22-2ubuntu2~),
- gir1.2-mutter-11 (>= 43.0),
+ gir1.2-mutter-11 (>= 43.5),
  gir1.2-nm-1.0 [linux-any],
  gir1.2-nma-1.0 [linux-any],
  gir1.2-pango-1.0,
diff --git a/debian/control.in b/debian/control.in
index f035c1d13..11fd3cabe 100644
--- a/debian/control.in
+++ b/debian/control.in
@@ -44,8 +44,8 @@ Build-Depends: appstream,
libgtk-4-dev,
libibus-1.0-dev (>= 1.5.22-2ubuntu2~),
libjson-glib-dev,
-   libmutter-11-dev (>= 43.0),
-   libmutter-test-11 (>= 43.0) ,
+   libmutter-11-dev (>= 43.5),
+   libmutter-test-11 (>= 43.5) ,
libnm-dev [linux-any],

Bug#1036856: bookworm-pu: package mutter/43.5-0+deb12u1

[Simon McVittie]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: mut...@packages.debian.org
Control: affects -1 + src:mutter

The mutter 43.5 release from GNOME upstream seems like something we should
have in a bookworm update. I don't think it's urgent enough to break
the full freeze for, although the suspend/resume crash is concerning.

This could be converted into an unblock request if the release team or
other GNOME team members want to break full freeze for this.

[ Reason ]
New upstream stable release

[ Impact ]
If not accepted, our default desktop will have several known bugs including
a crash during suspend/resume under some circumstances, and selectively
recording/screencasting a window that is not visible on a display not being
reliable. Additionally, this update is a prerequisite for a bug fix in
gnome-shell which I would also like to get fixed in bookworm (separate
bookworm-pu request to follow).

[ Tests ]
Manual testing: I'm running this version on my main laptop and gaming PC.
Automated testing: mutter's test-suite still passes at build-time and in
autopkgtest.

[ Risks ]
There's the potential for regressions of similar magnitude to what we're
fixing. GNOME is our default desktop, so any regressions will be highly
visible; I'd like to mitigate this by getting some wider real-world testing
in unstable during the closing stages of the freeze.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable

[ Changes ]
src/backends/meta-screen-cast-window-stream.c,
src/backends/meta-screen-cast-window.c,
src/compositor/meta-surface-actor-wayland.c,
src/compositor/meta-window-actor.c: make sure that if a window is being
recorded or screencasted, it gets updated at the refresh rate of at least
some arbitrary display, even if it's not actually visible on any display
(for example because it's obscured by a window in front).

src/wayland/meta-wayland-actor-surface.c: consider updating windows even if
they're fully obscured, to make sure that single-window
recording/screencasting works as intended, at the cost of not optimizing
away as many non-user-visible window updates.

src/compositor/meta-compositor-view.c: simple change to fix a resource leak
by calling the parent class's destructor correctly

src/wayland/meta-wayland-outputs.c: backported patch from version 44
(not part of 43.x upstream) to avoid a known source of crashes during
suspend/resume, which might resolve Debian bug reports #1010478 and/or
#1036268

src/core/window-private.h, src/meta/window.h, debian/libmutter-11-0.symbols:
export a symbol needed by GNOME Shell 43.5 for a screenshot bug fix there,
already present in 44.1 in experimental

[ Other info ]
I have not uploaded to unstable due to the full freeze, and I can't
upload to experimental because GNOME 44 is already there.

May I upload this to unstable as 43.5-1 to get it some more testing,
on the understanding that if there is an unforeseen urgent change
to mutter, these fixes can either be included with it or avoided by
using t-p-u?  If I do that, presumably the upload to bookworm would
become 43.5-1~deb12u1.

Bug#1036849: bookworm-pu: package gnome-software/43.5-0+deb12u1

[Simon McVittie]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gnome-softw...@packages.debian.org
Control: affects -1 + src:gnome-software

GNOME upstream has done a stable point release of gnome-software. This
doesn't seem urgent enough to want to break the freeze for, but it would
be good to get it in 12.1.

[ Reason ]
User request on #1036312; upstream stable release fixing memory leaks

[ Impact ]
If not fixed, presumably gnome-software will gradually leak memory.
I've asked the reporter of #1036312 for further context.
The bug reporter describes these as security fixes, but I don't understand
the basis for saying this.

[ Tests ]
Manually tested on my laptop (mixed testing+unstable+experimental),
seems to be able to upgrade packages successfully. I'll test it further
on a more pure bookworm system.

[ Risks ]
Low risk, the changes are narrowly-targeted and look obviously correct.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in bookworm
  [ ] the issue is verified as fixed in unstable

[ Changes ]
New upstream release with memory leak fixes and no other changes.

[ Other info ]
I have not uploaded to unstable due to the full freeze, and I can't
upload to experimental because GNOME 44 is already there.

May I upload this to unstable as 43.5-1 to get it some more testing,
on the understanding that if there is an unforeseen urgent change to
gnome-software, these fixes can be included with it? If I do that,
presumably the upload to bookworm would become 43.5-1~deb12u1.
diff --git a/NEWS b/NEWS
index 1c3f395b5..535bae910 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,10 @@
+Version 43.5
+
+Released: 2023-03-03
+
+This is a stable release with the following change:
+ * Fix few memory leaks
+
 Version 43.4
 
 Released: 2023-02-10
diff --git a/data/metainfo/org.gnome.Software.metainfo.xml.in b/data/metainfo/org.gnome.Software.metainfo.xml.in
index 27b65fca0..a43e442d3 100644
--- a/data/metainfo/org.gnome.Software.metainfo.xml.in
+++ b/data/metainfo/org.gnome.Software.metainfo.xml.in
@@ -66,6 +66,14 @@
Validate with `appstreamcli validate *.metainfo.xml`
   -->
   
+
+  
+This is a stable release with the following change:
+
+  Fix few memory leaks
+
+  
+
 
   
 This is a stable release with the following changes:
diff --git a/debian/changelog b/debian/changelog
index a7a4411c4..21adfbac3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+gnome-software (43.5-0+deb12u1) UNRELEASED; urgency=medium
+
+  * d/gbp.conf: Use upstream/43.x branch to import new upstream versions
+  * d/watch: Only watch for versions 43.x
+  * New upstream release 43.5
+- Fix some memory leaks (Closes: #1036312)
+  * Refresh patch series (no functional changes)
+
+ -- Simon McVittie   Sat, 27 May 2023 15:26:56 +0100
+
 gnome-software (43.4-1) unstable; urgency=medium
 
   * New upstream release
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 50a9f77f2..4a341ca18 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,7 +1,7 @@
 [DEFAULT]
 pristine-tar = True
 debian-branch = debian/bookworm
-upstream-branch = upstream/latest
+upstream-branch = upstream/43.x
 
 [buildpackage]
 sign-tags = True
diff --git a/debian/patches/01_details-Use-custom-icon-for-verified-developers.patch b/debian/patches/01_details-Use-custom-icon-for-verified-developers.patch
index 93660036e..5f79360e2 100644
--- a/debian/patches/01_details-Use-custom-icon-for-verified-developers.patch
+++ b/debian/patches/01_details-Use-custom-icon-for-verified-developers.patch
@@ -29,7 +29,7 @@ index 000..57c0f11
 +
 \ No newline at end of file
 diff --git a/src/gnome-software.gresource.xml b/src/gnome-software.gresource.xml
-index 941dd40..2d1f2ff 100644
+index 4efe369..9f897a5 100644
 --- a/src/gnome-software.gresource.xml
 +++ b/src/gnome-software.gresource.xml
 @@ -54,6 +54,7 @@
@@ -41,7 +41,7 @@ index 941dd40..2d1f2ff 100644
../data/icons/system-component-addon.svg
../data/icons/system-component-application.svg
 diff --git a/src/gs-details-page.ui b/src/gs-details-page.ui
-index 8b0e88b..4c120ef 100644
+index d3fad10..37c657b 100644
 --- a/src/gs-details-page.ui
 +++ b/src/gs-details-page.ui
 @@ -173,7 +173,7 @@
diff --git a/debian/watch b/debian/watch
index 64675b41f..94c24ddb9 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,4 +1,4 @@
 version=4
 opts="searchmode=plain, uversionmangle=s/\.(alpha|beta|rc)/~$1/, downloadurlmangle=s|cache.json||" \
 https://download.gnome.org/sources/@PACKAGE@/cache.json \
-	[\d.]+/@PACKAGE@-([\d.]+)@ARCHIVE_EXT@
+	43/@PACKAGE@-([\d.]+)@ARCHIVE_EXT@
diff --git a/lib/gs-plugin-job-list-apps.c b/lib/gs-plugin-job-list-apps.c
index a556387e5..56a4e14be 100644
--- a/lib/gs-plugin-job-list-apps.c
+++ b/lib/gs-plugin-jo

Bug#1034505: unblock: libsdl2/2.26.5+dfsg-1

[Simon McVittie]

Control: retitle -1 unblock: libsdl2/2.26.5+dfsg-1
Control: tags -1 - moreinfo

On Thu, 27 Apr 2023 at 10:23:17 +0200, Paul Gevers wrote:
> Please go ahead and remove the moreinfo tag once the upload happened.

Uploaded, identical to the diff already provided.

Thanks,
smcv

Bug#1034681: unblock: mutter/43.4-2

[Simon McVittie]

  Fix a crash in rare situations involving Wayland cursor changes,
+  and add test coverage (mutter!2969)
+  * d/libmutter-11-0.symbols: Add new private symbols used by tests
+for the above changes
+  * d/p/wayland-xdg-shell-Dismiss-instead-of-destroy-invalid-popu.patch:
+Backport a fix from upstream 44.x branch to fix popup-related crashes
+(mutter#2728, mutter!2940, Closes: #1033484)
+
+ -- Simon McVittie   Fri, 21 Apr 2023 10:10:24 +0100
+
 mutter (43.4-1) unstable; urgency=medium
 
   * Team upload
diff -Nru mutter-43.4/debian/libmutter-11-0.symbols mutter-43.4/debian/libmutter-11-0.symbols
--- mutter-43.4/debian/libmutter-11-0.symbols	2023-04-10 14:07:33.0 +0100
+++ mutter-43.4/debian/libmutter-11-0.symbols	2023-04-21 10:10:24.0 +0100
@@ -16,6 +16,7 @@
  meta_backend_get_context@Base 43.0
  meta_backend_get_core_idle_monitor@Base 43.0
  meta_backend_get_current_logical_monitor@Base 43.0
+ meta_backend_get_cursor_renderer@Base 43.4-2~
  meta_backend_get_cursor_tracker@Base 43.0
  meta_backend_get_default_seat@Base 43.0
  meta_backend_get_dnd@Base 43.0
@@ -159,6 +160,8 @@
  meta_crtc_unassign_output@Base 43.0
  meta_crtc_unset_config@Base 43.0
  meta_cursor_get_type@Base 43.0
+ meta_cursor_renderer_get_cursor@Base 43.4-2~
+ meta_cursor_sprite_wayland_get_type@Base 43.4-2~
  meta_cursor_tracker_get_for_display@Base 43.0
  meta_cursor_tracker_get_hot@Base 43.0
  meta_cursor_tracker_get_pointer@Base 43.0
diff -Nru mutter-43.4/debian/patches/series mutter-43.4/debian/patches/series
--- mutter-43.4/debian/patches/series	2023-04-10 14:07:33.0 +0100
+++ mutter-43.4/debian/patches/series	2023-04-21 10:10:24.0 +0100
@@ -1,5 +1,9 @@
 wayland-Skip-subsurface-desync-if-parent-is-NULL.patch
 Update-Abkhazian-translation.patch
+clutter-actor-Get-next-action-from-list-before-handling-c.patch
+cursor-tracker-Don-t-leak-window-cursor-on-exit.patch
+wayland-cursor-surface-Update-cursor-on-dispose.patch
+wayland-xdg-shell-Dismiss-instead-of-destroy-invalid-popu.patch
 tests-Break-up-stacking-installed-tests-into-more-smaller.patch
 tests-Use-a-more-interoperable-path-to-bash.patch
 meson-add-back-default_driver-option.patch
diff -Nru mutter-43.4/meson.build mutter-43.4/meson.build
--- mutter-43.4/meson.build	2023-04-21 15:14:44.0 +0100
+++ mutter-43.4/meson.build	2023-04-21 15:14:45.0 +0100
@@ -207,6 +207,7 @@
 if have_wayland
   wayland_server_dep = dependency('wayland-server', version: wayland_server_req)
   wayland_client_dep = dependency('wayland-client', version: wayland_server_req)
+  wayland_cursor_dep = dependency('wayland-cursor')
   wayland_protocols_dep = dependency('wayland-protocols',
  version: wayland_protocols_req)
   wayland_egl_dep = dependency('wayland-egl')
diff -Nru mutter-43.4/src/backends/meta-backend-private.h mutter-43.4/src/backends/meta-backend-private.h
--- mutter-43.4/src/backends/meta-backend-private.h	2023-03-19 22:26:48.0 +
+++ mutter-43.4/src/backends/meta-backend-private.h	2023-04-21 15:14:45.0 +0100
@@ -135,6 +135,7 @@
 MetaCursorTracker * meta_backend_get_cursor_tracker (MetaBackend *backend);
 MetaCursorRenderer * meta_backend_get_cursor_renderer_for_device (MetaBackend*backend,
   ClutterInputDevice *device);
+META_EXPORT_TEST
 MetaCursorRenderer * meta_backend_get_cursor_renderer (MetaBackend *backend);
 META_EXPORT_TEST
 MetaRenderer * meta_backend_get_renderer (MetaBackend *backend);
diff -Nru mutter-43.4/src/backends/meta-cursor-renderer.h mutter-43.4/src/backends/meta-cursor-renderer.h
--- mutter-43.4/src/backends/meta-cursor-renderer.h	2023-03-19 22:26:48.0 +
+++ mutter-43.4/src/backends/meta-cursor-renderer.h	2023-04-21 15:14:45.0 +0100
@@ -29,6 +29,7 @@
 
 #include "backends/meta-backend-types.h"
 #include "backends/meta-cursor.h"
+#include "core/util-private.h"
 
 #define META_TYPE_HW_CURSOR_INHIBITOR (meta_hw_cursor_inhibitor_get_type ())
 G_DECLARE_INTERFACE (MetaHwCursorInhibitor, meta_hw_cursor_inhibitor,
@@ -64,6 +65,7 @@
 void meta_cursor_renderer_update_position (MetaCursorRenderer *renderer);
 void meta_cursor_renderer_force_update (MetaCursorRenderer *renderer);
 
+META_EXPORT_TEST
 MetaCursorSprite * meta_cursor_renderer_get_cursor (MetaCursorRenderer *renderer);
 
 graphene_rect_t meta_cursor_renderer_calculate_rect (MetaCursorRenderer *renderer,
diff -Nru mutter-43.4/src/backends/meta-cursor-tracker.c mutter-43.4/src/backends/meta-cursor-tracker.c
--- mutter-43.4/src/backends/meta-cursor-tracker.c	2023-03-19 22:26:48.0 +
+++ mutter-43.4/src/backends/meta-cursor-tracker.c	2023-04-21 15:14:45.0 +0100
@@ -262,6 +262,7 @@
 
   g_clear_object (>effective_cursor);
   g_clear_object (>displayed_cursor);
+  g_clear_object (>window_cursor);
   g_clear_object (>root_cursor);
 
   G_OBJECT_CLASS (meta_cursor_tra

Bug#1034505: unblock (pre-approval): libsdl2/2.26.5+dfsg-1

[Simon McVittie]

L_render.c |7 
 src/video/cocoa/SDL_cocoakeyboard.m |   90 +
 src/video/windows/SDL_windowsevents.c   |3 
 src/video/windows/SDL_windowswindow.c   |6 
 test/testautomation_audio.c |  118 +++-
 29 files changed, 385 insertions(+), 249 deletions(-)

diff -Nru libsdl2-2.26.4+dfsg/CMakeLists.txt libsdl2-2.26.5+dfsg/CMakeLists.txt
--- libsdl2-2.26.4+dfsg/CMakeLists.txt	2023-03-06 23:54:00.0 +
+++ libsdl2-2.26.5+dfsg/CMakeLists.txt	2023-04-05 19:45:47.0 +0100
@@ -86,7 +86,7 @@
 # See docs/release_checklist.md
 set(SDL_MAJOR_VERSION 2)
 set(SDL_MINOR_VERSION 26)
-set(SDL_MICRO_VERSION 4)
+set(SDL_MICRO_VERSION 5)
 set(SDL_VERSION "${SDL_MAJOR_VERSION}.${SDL_MINOR_VERSION}.${SDL_MICRO_VERSION}")
 
 # Set defaults preventing destination file conflicts
@@ -3271,7 +3271,7 @@
 if(APPLE)
   foreach(SOURCE_FILE ${SOURCE_FILES})
 get_filename_component(FILE_EXTENSION ${SOURCE_FILE} EXT)
-if(FILE_EXTENSION STREQUAL "m")
+if(FILE_EXTENSION STREQUAL ".m")
   set_property(SOURCE ${SOURCE_FILE} APPEND_STRING PROPERTY COMPILE_FLAGS " -x objective-c")
 endif()
   endforeach()
diff -Nru libsdl2-2.26.4+dfsg/configure libsdl2-2.26.5+dfsg/configure
--- libsdl2-2.26.4+dfsg/configure	2023-03-06 23:54:01.0 +
+++ libsdl2-2.26.5+dfsg/configure	2023-04-05 19:45:47.0 +0100
@@ -3454,7 +3454,7 @@
 # See docs/release_checklist.md
 SDL_MAJOR_VERSION=2
 SDL_MINOR_VERSION=26
-SDL_MICRO_VERSION=4
+SDL_MICRO_VERSION=5
 SDL_VERSION=$SDL_MAJOR_VERSION.$SDL_MINOR_VERSION.$SDL_MICRO_VERSION
 
 SDL_BINARY_AGE=`expr $SDL_MINOR_VERSION \* 100 + $SDL_MICRO_VERSION`
diff -Nru libsdl2-2.26.4+dfsg/configure.ac libsdl2-2.26.5+dfsg/configure.ac
--- libsdl2-2.26.4+dfsg/configure.ac	2023-03-06 23:54:01.0 +
+++ libsdl2-2.26.5+dfsg/configure.ac	2023-04-05 19:45:47.0 +0100
@@ -13,7 +13,7 @@
 # See docs/release_checklist.md
 SDL_MAJOR_VERSION=2
 SDL_MINOR_VERSION=26
-SDL_MICRO_VERSION=4
+SDL_MICRO_VERSION=5
 SDL_VERSION=$SDL_MAJOR_VERSION.$SDL_MINOR_VERSION.$SDL_MICRO_VERSION
 
 SDL_BINARY_AGE=`expr $SDL_MINOR_VERSION \* 100 + $SDL_MICRO_VERSION`
diff -Nru libsdl2-2.26.4+dfsg/debian/changelog libsdl2-2.26.5+dfsg/debian/changelog
--- libsdl2-2.26.4+dfsg/debian/changelog	2023-03-09 10:49:35.0 +
+++ libsdl2-2.26.5+dfsg/debian/changelog	2023-04-12 09:41:21.0 +0100
@@ -1,3 +1,45 @@
+libsdl2 (2.26.5+dfsg-1) unstable; urgency=medium
+
+  * New upstream stable release 2.26.5
+- Improve quality and performance of audio resampling by using
+  more integer arithmetic
+- Ignore CRC of Bluetooth packets from PS4-compatible controllers
+  in raw HID mode if consistently wrong, fixing 8BitDo SN30 Pro with
+  2.00 firmware
+- Add support for digital-only trigger buttons on PS5-compatible
+  controllers such as Victrix Pro FS in raw HID mode
+- Fix crash when using fcitx if libdbus cannot be initialized
+- Ensure declarations needed for SDL_assert_always() are present even
+  if a dependent project is built with -DSDL_ASSERT_LEVEL=0
+- Report SDL_RENDERER_PRESENTVSYNC flag back to the application if
+  vsync is being simulated
+- Avoid string truncation when logging events
+- Fix compilation with -std=c2x compilers
+- Update list of known game controllers:
+  + Remove mappings for a generic USB joystick controller
+(vendor ID 0x0079, product ID 0x0006, version 0x or 0x6120)
+which cannot usefully be matched to a specific product
+  + Add mapping for 8BitDo Pro 2 Wired Controller for Xbox
+via in-tree xpad driver or out-of-tree xone driver
+  + Add mapping for Elecom 8button gamepad
+  + Add mapping for Flydigi Vader 2 with the latest firmware (6.0.4.9)
+  + Add mapping for Google Stadia Controller over Bluetooth
+  + Add mapping for Hori Pokken Tournament DX Pro Pad
+  + Add mapping for Sony DualSense Edge Wireless Controller via
+Bluetooth and evdev
+  + Add mapping for Ultimate Atari Fight Stick
+  + Respect SDL_GAMECONTROLLER_USE_BUTTON_LABELS hint for Retrolink
+SNES controller
+  + Sort the list in a canonical order
+  + Various Android mapping fixes not relevant to Debian
+- Various Android-, macOS- and Windows-specific fixes not relevant
+  to Debian
+  * d/p/Fixed-handling-simple-mode-PS4-reports.patch:
+Drop patch, included in the upstream release
+  * d/gbp.conf: Use upstream/2.26.x branch for bookworm
+
+ -- Simon McVittie   Wed, 12 Apr 2023 09:41:21 +0100
+
 libsdl2 (2.26.4+dfsg-1) unstable; urgency=medium
 
   * New upstream stable release 2.26.4
diff -Nru libsdl2-2.26.4+dfsg/debian/gbp.conf libsdl2-2.26.5+dfsg/debian/gbp.conf
--- libsdl2-2.26.4+dfsg/debian/gbp.conf	2023-03-09 10:49:35.0 +
+++ li