Re: Bug#975016: #975016 - OpenJDK 17 support state for Bullseye
On 2/10/22 11:26, Moritz Mühlenhoff wrote:
> On Thu, Feb 03, 2022 at 03:59:00PM +0100 Thorsten Glaser wrote:
>> Hi Holger,
>>
>>> and filed against src:debian-security-support, as openjdk-17 seems to be
>>> supported and src:debian-security-support's purpose is to document what's
>>
>> no, 11 is supported, 17 is just for users to run third-party
>> stuff on (IIUC).
>
> In Bullseye 11 is the default Java and fully covered by security support.
>
> 17 can be installed (and it can also take over the typical alternatives),
> but nothing pulls it in via dependencies. But if anyone needs to run an
> application requiring 17, this is the JRE of choice (those are rare at
> this point, but it will change over the life time of Bullseye).
>
> And yes there have been security updates for 17 already, but it's a best
> effort thing. If someone commits to rebuild the openjdk-17 uploads to unstable
> for bullseye-security (along with proper testing), we can also omit a note
> for src:debian-security-support.

"along with proper testing" means that we can turn on again the tests during the build, which requires a heap of new upstream versions for jtreg, jtharness, testng, groovy, and probably much more.

Matthias
Bug#1005355: bullseye-pu: package ldap2zone/0.2-11+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: debian-edu-pkg-t...@alioth-lists.debian.net, debian-...@lists.debian.org

[ Reason ]
In Debian Edu, the ldap2zone package is used and called via CRON hourly. When using the deprecated tempfile command a warning gets generated to stderr that ends up in the CRON mail. Thus, an hourly mail on the internal MTA (root@postoffice.intern) for a CRON job that actually succeeds.

[ Impact ]
Noisy root mailbox on Debian Edu mainservers.

[ Tests ]
Manual tests on a deployed school network.

[ Risks ]
None, really.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
+ * debian/patches: ++ Update 0004_revert-broken-zones.patch. Stop using deprecated $(tempfile) + command. (Closes: #1005354)

[ Other info ]
None.

diff -Nru ldap2zone-0.2/debian/changelog ldap2zone-0.2/debian/changelog --- ldap2zone-0.2/debian/changelog 2018-08-14 21:43:26.0 +0200 +++ ldap2zone-0.2/debian/changelog 2022-02-11 21:49:57.0 +0100 @@ -1,3 +1,11 @@ +ldap2zone (0.2-11+deb11u1) bullseye; urgency=medium + + * debian/patches: ++ Update 0004_revert-broken-zones.patch. Stop using deprecated $(tempfile) + command. (Closes: #1005354) + + -- Mike Gabriel Fri, 11 Feb 2022 21:49:57 +0100 + ldap2zone (0.2-11) unstable; urgency=medium * debian/patches: diff -Nru ldap2zone-0.2/debian/patches/0004_revert-broken-zones.patch ldap2zone-0.2/debian/patches/0004_revert-broken-zones.patch --- ldap2zone-0.2/debian/patches/0004_revert-broken-zones.patch 2016-04-18 01:15:32.0 +0200 +++ ldap2zone-0.2/debian/patches/0004_revert-broken-zones.patch 2022-02-11 21:48:41.0 +0100
@@ -16,7 +16,7 @@ - if $ldap2zone $domain $LDAP_URI $TTL > /tmp/$domain; then - lines=$(cat /tmp/$domain | wc -l) - [ $lines -gt 1 ] && mv /tmp/$domain $BIND_DATA/${PREFIX}${domain} -+ TMPFILE=$(tempfile) ++ TMPFILE=$(mktemp) + CURRENT=$BIND_DATA/${PREFIX}${domain} + OLD=$BIND_DATA/${PREFIX}${domain}.old-$$ + if $ldap2zone $domain $LDAP_URI $TTL > $TMPFILE; then
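Review bot: the one-word swap at `++ TMPFILE=$(mktemp)` silences the deprecation warning but keeps an unhandled failure mode: if mktemp fails (unwritable or full $TMPDIR) TMPFILE is empty and the later `> $TMPFILE` redirect errors out instead of the script aborting cleanly, so write it as `TMPFILE=$(mktemp) || exit 1`, quote the expansions (`> "$TMPFILE"`, and `$CURRENT`/`$OLD` in the following lines), and add a `trap 'rm -f "$TMPFILE"' EXIT` so a failed ldap2zone run does not leave the temp file behind. Worth one sentence in the patch header too: mktemp creates the file with mode 0600 and an unpredictable name, as tempfile did, so the move away from the predictable `/tmp/$domain` path in the `-` lines is preserved; whether the file still needs a chmod before the final mv into $BIND_DATA is not visible in this hunk.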
Bug#1005353: buster-pu: package apache-log4j2/2.11.1-2
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org

Hi,

I would like to fix CVE-2021-44832 in Buster. Apache Log4j2 has been affected by some serious remote code execution vulnerabilities in the past months. The most severe ones have been already addressed in buster-security with version 2.17.0-1~deb10u1. CVE-2021-44832 is less severe, thus the security team decided to mark this issue as no-dsa. I have prepared a backport of the current Log4j2 version in testing which again is a new upstream release instead of a targeted fix. I am confident this one works as well as the other upgrades before and I recommend to use it in oldstable from now on.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

Regards,
Markus

apache-log4j2_buster.debdiff.gz
Bug#1005351: bullseye-pu: package apache-log4j2/2.16.0-1~deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org

Hi,

I would like to fix CVE-2021-44832 in Bullseye. Apache Log4j2 has been affected by some serious remote code execution vulnerabilities in the past months. The most severe ones have been already addressed in buster-security with version 2.17.0-1~deb11u1. CVE-2021-44832 is less severe, thus the security team decided to mark this issue as no-dsa. I have prepared a backport of the current Log4j2 version in testing which again is a new upstream release instead of a targeted fix. I am confident this one works as well as the other upgrades before and I recommend to use it in stable from now on.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

Regards,
Markus

apache-log4j2_bullseye.debdiff.gz
Bug#1005343: nmu: asterisk-flite_3.0-4
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

nmu asterisk-flite_3.0-4 . ANY . unstable . -m "rebuild against asterisk-1:18.10.0~dfsg+~cs6.10.40431411-1"
Bug#1005328: RM: uglifyjs/2.8.29-8
[ adding Yadd as cc ]

Quoting Sebastian Ramacher (2022-02-11 15:25:19)
> On 2022-02-11 14:48:00 +0100, Jonas Smedegaard wrote:
> > Quoting Sebastian Ramacher (2022-02-11 13:24:16)
> > > Control: tags -1 moreinfo
> > >
> > > On 2022-02-11 12:08:52 +0100, Jonas Smedegaard wrote:
> > > > Package: release.debian.org
> > > > Severity: normal
> > > > User: release.debian@packages.debian.org
> > > > Usertags: rm
> > > > X-Debbugs-Cc: Debian Javascript Maintainers
> > > >
> > > > uglifyjs v2 was last updated upstream in 2017, and has no real
> > > > maintainer in Debian since December 2020 - see bug#958117
> > > >
> > > > The package should not be released with bookworm, but may still have
> > > > reverse (build-)dependencies, and I therefore request removal only from
> > > > testing for now. Please advise if another approach is more sensible.
> > >
> > > So this is the same request as #968137. The current situation is:
> > >
> > > I: [2022-02-11T12:19:15+] - trying: -uglifyjs
> > > I: [2022-02-11T12:19:15+] - skipped: -uglifyjs (0, 33, 62)
> > > I: [2022-02-11T12:19:15+] - got: 123+0: a-3:a-0:a-0:a-0:i-119:m-0:m-0:p-0:s-1
> > > I: [2022-02-11T12:19:15+] - * amd64: rails, ruby-uglifier
> >
> > Package requested for removal is src:uglifyjs, building binary package
> > node-uglify which provides virtual package uglifyjs.
> >
> > Packages (build-)depending (unversioned or with only lower bounds) on
> > "uglifyjs" should _not_ break: Such dependency is satisfied by package
> > src:uglify-js, building binary package uglifyjs.
> >
> > (i.e. there are 2 packages, one with and one without dash)
> >
> > > Checking reverse dependencies...
> > [ false positive satisfied by src:uglify-js snipped ]
> >
> > > ruby-uglifier: ruby-uglifier
> >
> > Current upstream code FTBFS with Uglifyjs: see bug#981224
> >
> > v2 branch currently in Debian unstable last update upstream in 2015:
> > https://github.com/lautis/uglifier/tags?after=v3.0.0
> >
> > > # Broken Build-Depends:
> > [ false positives satisfied by src:uglify-js snipped ]
> >
> > > class.js: node-uglify
> > Bug#979888
> > > flightgear-phi: node-uglify
> > Bug#979902
> > > jquery-coolfieldset: node-uglify
> > Bug#979906
> > > jquery-lazyload: node-uglify
> > Bug#979911
> > > jquery-reflection: node-uglify
> > Bug#979907
> > > jquery-watermark: node-uglify
> > Bug#979943
> > > jquery-caret.js: node-uglify
> > Bug#979934
> > > jquery-simpletreemenu: node-uglify
> > Bug#979940
> > > jquery-throttle-debounce: node-uglify
> > Bug#979886
> > > raphael: node-uglify (>= 1.1.1-2~)
> > Bug#979937
> > > ruby-rails-assets-favico.js: node-uglify
> > Bug#979962
> > > ruby-rails-assets-jquery-fullscreen-plugin: node-uglify
> > Bug#979955
> > > ruby-rails-assets-perfect-scrollbar: node-uglify
> > Bug#979936
> > > ruby-uglifier: libjs-uglify
> > (see reasons at build-dependency above)
> > > slick: node-uglify
> > Bug#979954
> > > sockjs-client: node-uglify (>= 2.0)
> > Bug#979958
> >
> > > If you want to get uglifyjs removed from testing, there needs to
> > > be an upgrade path to uglify-js 3.15.0 or all of these packages
> > > need to be updated. So what's your plan here?
> >
> > I have no plan. What plan might be sensible?
>
> As I have no idea what uglifyjs is used for, I cannot tell you. If
> it's a drop in replacement, update the build dependencies or establish
> an upgrade path via transitional packages. If it's not, patch them.
>
> In the end, the above bugs need to be fixed to get uglifyjs removed.

@Yadd: You did the mass-filing - can I ask you to please bump severity, since the normal process of bumping _after_ a package relationship changes to be a FTBFS cannot be used here because src:uglifyjs is transitively a key package. Maybe my post to bug#979886 is useful for such followup mail.

> > > > (I tried to get the package auto-kicked from testing by filing
> > > > release-critical bug#958117 but evidently that didn't work.)
> > >
> > > uglifyjs is a key package, so auto-removal does not apply.
> >
> > What does "key package" mean? Simply that other packages
> > (build-)depend on it, or perhaps some manually maintained list by
> > the release team?
> >
> > If the latter, then please remove src:uglifyjs as key package and
> > instead treat src:uglify-js as key package.
>
> You can check with the link Paul sent. It looks like other key
> packages (there seems to be a path from reportbug via pytest to
> uglifyjs) build-depend on it. (Build)-Dependencies of key packages are
> again key packages. So it will only be removed from the key package
> list once those dependencies are fixed.

Ah, thanks - now I understand how to use the link from Paul. Seems it is jquery-throttle-debounce that turns src:uglifyjs into a key package. I
Re: chromium: Update to version 94.0.4606.61 (security-fixes)
On 2/11/22 06:18, Roger Shimizu wrote:

Dear Andres,

Thanks for your work for chromium!

On Mon, Jan 3, 2022 at 7:33 PM Andres Salomon wrote:

I saw https://salsa.debian.org/dilinger/chromium/-/commit/5c05f430e192961527ec9a64bbaa64401dc14d95 , but buster now also includes LLVM/clang 11 (it was introduced to support a more recent Rust toolchain needed for Firefox), so you might reduce complexity here further: https://tracker.debian.org/pkg/llvm-toolchain-11 It's in buster-proposed-updates since there hasn't been a point release since, but for the purposes of buster-security builds, it doesn't matter (the chroots have been modified to include buster-proposed-updates temporarily):

Ah, very helpful, thanks! I'll give buster a try (just created the 'v96-buster' branch). Between that and various backports, I think we might be in good shape. Unfortunately it needs a newer nodejs than what's in buster, so I'll go back to focusing on bullseye & sid for now. :(

I tried to backport bullseye's v97 to buster, but the error below occurred. I also tried the v96-buster branch from your salsa git repo, and got a similar error. So this is the error you mentioned above, that buster's nodejs package is too old for chromium? Is it possible to use the embedded nodejs to work around this issue? I also guess this might be related to an incompatibility between the system's nodejs and the embedded rollup binary. Is it possible to add a patch to replace it with the system's rollup?
Error from buster-backports pbuilder for bullseye's chromium v97: FAILED: gen/third_party/devtools-frontend/src/front_end/panels/timeline/components/components.js python3 ../../third_party/node/node.py ../../third_party/devtools-frontend/src/node_modules/rollup/dist/bin/rollup --silent --config ../../third_party/devtools-frontend/src/scripts/build/rollup.config.js --input gen/third_party/devtools-frontend/src/front_end/panels/timeline/components/components.prebundle.js --file gen/third_party/devtools-frontend/src/front_end/panels/timeline/components/components.js --configDCHECK Traceback (most recent call last): File "../../third_party/node/node.py", line 36, in RunNode(sys.argv[1:]) File "../../third_party/node/node.py", line 31, in RunNode raise RuntimeError('%s failed: %s' % (cmd, stderr)) RuntimeError: ['/usr/bin/nodejs', '../../third_party/devtools-frontend/src/node_modules/rollup/dist/bin/rollup', '--silent', '--config', '../../third_party/devtools-frontend/src/scripts/build/rollup.config.js', '--input', 'gen/third_party/devtools-frontend/src/front_end/panels/timeline/components/components.prebundle.js', '--file', 'gen/third_party/devtools-frontend/src/front_end/panels/timeline/components/components.js', '--configDCHECK'] failed: b'[!] 
(plugin minify-html-template-literals) TypeError: result.matchAll is not a function\ngen/third_party/devtools-frontend/src/front_end/panels/timeline/components/WebVitalsTimeline.js\nTypeError: result.matchAll is not a function\nat Object.minifyHTML (/build/chromium-97.0.4692.99/third_party/devtools-frontend/src/node_modules/minify-html-literals/src/strategy.ts:145:41)\n at Object.minifyHTML (/build/chromium-97.0.4692.99/third_party/devtools-frontend/src/scripts/build/rollup.config.js:80:37)\n at templates.forEach.template (/build/chromium-97.0.4692.99/third_party/devtools-frontend/src/node_modules/minify-html-literals/src/minifyHTMLLiterals.ts:322:24)\n at Array.forEach ()\nat Object.minifyHTMLLiterals (/build/chromium-97.0.4692.99/third_party/devtools-frontend/src/node_modules/minify-html-literals/src/minifyHTMLLiterals.ts:297:13)\n at Object.transform (/build/chromium-97.0.4692.99/third_party/devtools-frontend/src/node_modules/rollup-plugin-minify-html-template-literals/dist/index.js:15:47)\n at Promise.resolve.then (/build/chromium-97.0.4692.99/third_party/devtools-frontend/src/node_modules/rollup/dist/shared/rollup.js:20218:25)\n\n' Cheers, Yes, that's the error. "String.matchAll is only available from Node.js 12.0 onwards", according to https://stackoverflow.com/questions/58558257/string-matchall-is-undefined , which also says that String.match is available. I didn't put any effort into working around it (either backporting a newer nodejs or replacing all String.matchAlls with something else), since I wanted to get chromium shipped for bullseye. Unfortunately my chromium test builds are now breaking in sid due to another node (library, I think) change, so we're going to need to figure out something a bit more reliable with the node stuff. I'm not sure what that will look like yet. We're currently using the system rollup, although I think since there's multiple embedded node library copies, we might have an embedded rollup in there somewhere. 
I don't recall if my v96 branch used the system rollup or not, but I've merged everything into the chromium-team repo so you can use the bullseye branch from https://salsa.debian.org/chromium-team/chromium for
Bug#1005340: bullseye-pu: package golang-1.15/1.15.15-1~deb11u3
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: z...@debian.org, t...@security.debian.org

[ Reason ]
Backport patches for CVE-2022-23806 CVE-2022-23772 CVE-2022-23773

[ Impact ]
+ CVE-2022-23806: crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates
+ CVE-2022-23772: math/big: prevent large memory consumption in Rat.SetString
+ CVE-2022-23773: cmd/go: prevent branches from materializing into versions

All are minor security issues, so I'd like to go with stable-pu.

[ Tests ]
For CVE-2022-23806 and CVE-2022-23772, regression tests are backported as well.
For CVE-2022-23773 the tests in the upstream patch are hard to backport, so I tested it manually. The test is similar to the upstream patch[1]

[1] https://github.com/golang/go/commit/fa4d9b8e2bc2612960c80474fca83a4c85a974eb#diff-6d41824e441b8846a74c31ab4968dc114a1e650c05172e1f89826ea9e55d4c5aR421

For example, running
GOPROXY=direct /usr/lib/go-1.15/bin/go get vcs-test.golang.org/git/semver-branch.git@v1.0.0
will give the same result and error as in [1].

[ Risks ]
Patches for CVE-2022-23806 and CVE-2022-23772 are trivial and easy to review.
The patch for CVE-2022-23773 is larger, and is backported by 3-way merge.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[ ] the issue is verified as fixed in unstable
golang-1.15 has been removed from unstable.

[ Changes ]
See attachment.

[ Other info ]
CVE-2022-23806 and CVE-2022-23772 are for the Go std library, which is statically linked in all Go programs. But these issues look too minor to rebuild all Go programs.

diff -Nru golang-1.15-1.15.15/debian/changelog golang-1.15-1.15.15/debian/changelog --- golang-1.15-1.15.15/debian/changelog2021-12-04 17:37:57.0 +0800 +++ golang-1.15-1.15.15/debian/changelog2022-02-11 23:45:44.0 +0800
@@ -1,3 +1,14 @@ +golang-1.15 (1.15.15-1~deb11u3) bullseye; urgency=medium + + * Backport patches for CVE-2022-23806 CVE-2022-23772 CVE-2022-23773 ++ CVE-2022-23806: crypto/elliptic: fix IsOnCurve for big.Int values + that are not valid coordinates ++ CVE-2022-23772: math/big: prevent large memory consumption in + Rat.SetString ++ CVE-2022-23773: cmd/go: prevent branches from materializing into versions + + -- Shengjing Zhu Fri, 11 Feb 2022 23:45:44 +0800 + golang-1.15 (1.15.15-1~deb11u2) bullseye; urgency=medium * Backport patch for CVE-2021-38297 diff -Nru golang-1.15-1.15.15/debian/patches/0012-CVE-2022-23806.patch golang-1.15-1.15.15/debian/patches/0012-CVE-2022-23806.patch --- golang-1.15-1.15.15/debian/patches/0012-CVE-2022-23806.patch 1970-01-01 08:00:00.0 +0800 +++ golang-1.15-1.15.15/debian/patches/0012-CVE-2022-23806.patch 2022-02-11 23:45:44.0 +0800 
@@ -0,0 +1,132 @@ +From: Filippo Valsorda +Date: Wed, 2 Feb 2022 09:15:44 -0800 +Subject: CVE-2022-23806 + +Origin: backport, https://github.com/golang/go/commit/6b3e741a +--- + src/crypto/elliptic/elliptic.go | 5 +++ + src/crypto/elliptic/elliptic_test.go | 81 + src/crypto/elliptic/p224.go | 5 +++ + 3 files changed, 91 insertions(+) + +diff --git a/src/crypto/elliptic/elliptic.go b/src/crypto/elliptic/elliptic.go +index f93dc16..afedf18 100644 +--- a/src/crypto/elliptic/elliptic.go b/src/crypto/elliptic/elliptic.go +@@ -71,6 +71,11 @@ func (curve *CurveParams) polynomial(x *big.Int) *big.Int { + } + + func (curve *CurveParams) IsOnCurve(x, y *big.Int) bool { ++ if x.Sign() < 0 || x.Cmp(curve.P) >= 0 || ++ y.Sign() < 0 || y.Cmp(curve.P) >= 0 { ++ return false ++ } ++ + // y² = x³ - 3x + b + y2 := new(big.Int).Mul(y, y) + y2.Mod(y2, curve.P) +diff --git a/src/crypto/elliptic/elliptic_test.go b/src/crypto/elliptic/elliptic_test.go +index e80e773..bb16b0d 100644 +--- a/src/crypto/elliptic/elliptic_test.go b/src/crypto/elliptic/elliptic_test.go +@@ -721,3 +721,84 @@ func testMarshalCompressed(t *testing.T, curve Curve, x, y *big.Int, want []byte + t.Errorf("point did not round-trip correctly: got (%v, %v), want (%v, %v)", X, Y, x, y) + } + } ++ ++func testAllCurves(t *testing.T, f func(*testing.T, Curve)) { ++ tests := []struct { ++ name string ++ curve Curve ++ }{ ++ {"P256", P256()}, ++ {"P256/Params", P256().Params()}, ++ {"P224", P224()}, ++ {"P224/Params", P224().Params()}, ++ {"P384", P384()}, ++ {"P384/Params", P384().Params()}, ++ {"P521", P521()}, ++ {"P521/Params", P521().Params()}, ++ } ++ if testing.Short() { ++ tests = tests[:1] ++ } ++ for _, test := range tests { ++
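Review bot: the bounds check added to CurveParams.IsOnCurve (`++ if x.Sign() < 0 || x.Cmp(curve.P) >= 0 || ... return false`) is the whole fix and is placed correctly, ahead of the `y² = x³ - 3x + b` evaluation, which reduces x and y mod P and would otherwise accept any non-canonical encoding such as (x+P, y) of a valid point; callers like Unmarshal rely on IsOnCurve to reject untrusted input, so the early return is the right shape. The diffstat also lists a 5-line change to src/crypto/elliptic/p224.go, which has its own IsOnCurve, but that hunk is not on the page, so the p224 half of the backport has to be checked against the upstream commit named in the Origin line (6b3e741a) rather than here.

Review bot: the elliptic_test.go hunk introduces testAllCurves over both the optimized curve types and their `.Params()` forms, which is what you want since the fix lives in two places (CurveParams.IsOnCurve and the p224 type); the hunk is cut off after `for _, test := range tests {`, so the actual off-curve test vectors it drives are not visible and should be confirmed present in the full debdiff.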
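The crypto/elliptic fix above, as an added Go example that is not part of this bug report or of the Go patch: polynomialCheck reproduces the pre-fix CurveParams.IsOnCurve logic (only y² ≡ x³ - 3x + b mod P), inRange is the bounds test the patch adds, and shiftedGenerator builds the non-canonical point (Gx + P, Gy) on P-256 to show what slipped through before. The helper names are mine; the curve parameters come from the standard library.

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
)

// polynomialCheck mirrors the pre-fix CurveParams.IsOnCurve: it tests
// y² ≡ x³ - 3x + b (mod P) and nothing else, so any x or y outside [0, P)
// that reduces to a valid coordinate is accepted.
func polynomialCheck(curve *elliptic.CurveParams, x, y *big.Int) bool {
	y2 := new(big.Int).Mul(y, y)
	y2.Mod(y2, curve.P)

	x3 := new(big.Int).Mul(x, x)
	x3.Mul(x3, x)
	threeX := new(big.Int).Lsh(x, 1)
	threeX.Add(threeX, x)
	x3.Sub(x3, threeX)
	x3.Add(x3, curve.B)
	x3.Mod(x3, curve.P)

	return x3.Cmp(y2) == 0
}

// inRange is the check the CVE-2022-23806 patch adds in front of the
// polynomial test: both coordinates must be canonical field elements.
func inRange(curve *elliptic.CurveParams, x, y *big.Int) bool {
	return x.Sign() >= 0 && x.Cmp(curve.P) < 0 &&
		y.Sign() >= 0 && y.Cmp(curve.P) < 0
}

// fixedIsOnCurve is the post-fix behaviour: range check, then polynomial.
func fixedIsOnCurve(curve *elliptic.CurveParams, x, y *big.Int) bool {
	return inRange(curve, x, y) && polynomialCheck(curve, x, y)
}

// shiftedGenerator returns the P-256 base point with P added to x: a
// non-canonical encoding of a point that is mathematically on the curve.
// (Constructed input for the example.)
func shiftedGenerator() (*elliptic.CurveParams, *big.Int, *big.Int) {
	params := elliptic.P256().Params()
	x := new(big.Int).Add(params.Gx, params.P)
	y := new(big.Int).Set(params.Gy)
	return params, x, y
}

func main() {
	params, x, y := shiftedGenerator()
	fmt.Println("polynomial-only check accepts (Gx+P, Gy):", polynomialCheck(params, x, y)) // true
	fmt.Println("fixed IsOnCurve accepts (Gx+P, Gy):", fixedIsOnCurve(params, x, y))        // false
	fmt.Println("fixed IsOnCurve accepts (Gx, Gy):", fixedIsOnCurve(params, params.Gx, params.Gy)) // true
}
```

The point of the range check is that downstream arithmetic (ScalarMult, the P-256 assembly paths) assumes reduced inputs; a point that passes the polynomial test only because of the final Mod is not an input those routines were written for, so IsOnCurve has to reject it rather than silently normalise it.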
Bug#1003548: transition: libwebp
On 2022-02-11 07:27:42 -0800, Jeff Breidenbach wrote:
> # remove the moreinfo tag
> tags 1003548 - moreinfo
> thanks
>
> Sebastian, may we move forward with libwebp?

The perl 5.34 transition is currently ongoing. As libwebp and perl 5.34 collide, libwebp will need to wait until perl is done.

Cheers
-- 
Sebastian Ramacher
Processed: Re: transition: libwebp
Processing commands for cont...@bugs.debian.org: > # remove the moreinfo tag > tags 1003548 - moreinfo Bug #1003548 [release.debian.org] transition: libwebp Removed tag(s) moreinfo. > thanks Stopping processing here. Please contact me if you need assistance. -- 1003548: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003548 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1003548: transition: libwebp
# remove the moreinfo tag
tags 1003548 - moreinfo
thanks

Sebastian, may we move forward with libwebp?
Bug#1005328: RM: uglifyjs/2.8.29-8
On 2022-02-11 14:48:00 +0100, Jonas Smedegaard wrote:
> Quoting Sebastian Ramacher (2022-02-11 13:24:16)
> > Control: tags -1 moreinfo
> >
> > On 2022-02-11 12:08:52 +0100, Jonas Smedegaard wrote:
> > > Package: release.debian.org
> > > Severity: normal
> > > User: release.debian@packages.debian.org
> > > Usertags: rm
> > > X-Debbugs-Cc: Debian Javascript Maintainers
> > >
> > > uglifyjs v2 was last updated upstream in 2017, and has no real
> > > maintainer in Debian since December 2020 - see bug#958117
> > >
> > > The package should not be released with bookworm, but may still have
> > > reverse (build-)dependencies, and I therefore request removal only from
> > > testing for now. Please advise if another approach is more sensible.
> >
> > So this is the same request as #968137. The current situation is:
> >
> > I: [2022-02-11T12:19:15+] - trying: -uglifyjs
> > I: [2022-02-11T12:19:15+] - skipped: -uglifyjs (0, 33, 62)
> > I: [2022-02-11T12:19:15+] - got: 123+0: a-3:a-0:a-0:a-0:i-119:m-0:m-0:p-0:s-1
> > I: [2022-02-11T12:19:15+] - * amd64: rails, ruby-uglifier
>
> Package requested for removal is src:uglifyjs, building binary package
> node-uglify which provides virtual package uglifyjs.
>
> Packages (build-)depending (unversioned or with only lower bounds) on
> "uglifyjs" should _not_ break: Such dependency is satisfied by package
> src:uglify-js, building binary package uglifyjs.
>
> (i.e. there are 2 packages, one with and one without dash)
>
> > Checking reverse dependencies...
> [ false positive satisfied by src:uglify-js snipped ]
>
> > ruby-uglifier: ruby-uglifier
>
> Current upstream code FTBFS with Uglifyjs: see bug#981224
>
> v2 branch currently in Debian unstable last update upstream in 2015:
> https://github.com/lautis/uglifier/tags?after=v3.0.0
>
> > # Broken Build-Depends:
> [ false positives satisfied by src:uglify-js snipped ]
>
> > class.js: node-uglify
> Bug#979888
> > flightgear-phi: node-uglify
> Bug#979902
> > jquery-coolfieldset: node-uglify
> Bug#979906
> > jquery-lazyload: node-uglify
> Bug#979911
> > jquery-reflection: node-uglify
> Bug#979907
> > jquery-watermark: node-uglify
> Bug#979943
> > jquery-caret.js: node-uglify
> Bug#979934
> > jquery-simpletreemenu: node-uglify
> Bug#979940
> > jquery-throttle-debounce: node-uglify
> Bug#979886
> > raphael: node-uglify (>= 1.1.1-2~)
> Bug#979937
> > ruby-rails-assets-favico.js: node-uglify
> Bug#979962
> > ruby-rails-assets-jquery-fullscreen-plugin: node-uglify
> Bug#979955
> > ruby-rails-assets-perfect-scrollbar: node-uglify
> Bug#979936
> > ruby-uglifier: libjs-uglify
> (see reasons at build-dependency above)
> > slick: node-uglify
> Bug#979954
> > sockjs-client: node-uglify (>= 2.0)
> Bug#979958
>
> > If you want to get uglifyjs removed from testing, there needs to be an
> > upgrade path to uglify-js 3.15.0 or all of these packages need to be
> > updated. So what's your plan here?
>
> I have no plan. What plan might be sensible?

As I have no idea what uglifyjs is used for, I cannot tell you. If it's a drop in replacement, update the build dependencies or establish an upgrade path via transitional packages. If it's not, patch them.

In the end, the above bugs need to be fixed to get uglifyjs removed.

> > > (I tried to get the package auto-kicked from testing by filing
> > > release-critical bug#958117 but evidently that didn't work.)
> >
> > uglifyjs is a key package, so auto-removal does not apply.
>
> What does "key package" mean? Simply that other packages (build-)depend
> on it, or perhaps some manually maintained list by the release team?
>
> If the latter, then please remove src:uglifyjs as key package and
> instead treat src:uglify-js as key package.

You can check with the link Paul sent. It looks like other key packages (there seems to be a path from reportbug via pytest to uglifyjs) build-depend on it. (Build)-Dependencies of key packages are again key packages. So it will only be removed from the key package list once those dependencies are fixed.

Cheers
-- 
Sebastian Ramacher
Bug#1005328: RM: uglifyjs/2.8.29-8
Quoting Sebastian Ramacher (2022-02-11 13:24:16)
> Control: tags -1 moreinfo
>
> On 2022-02-11 12:08:52 +0100, Jonas Smedegaard wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: rm
> > X-Debbugs-Cc: Debian Javascript Maintainers
> >
> > uglifyjs v2 was last updated upstream in 2017, and has no real
> > maintainer in Debian since December 2020 - see bug#958117
> >
> > The package should not be released with bookworm, but may still have
> > reverse (build-)dependencies, and I therefore request removal only from
> > testing for now. Please advise if another approach is more sensible.
>
> So this is the same request as #968137. The current situation is:
>
> I: [2022-02-11T12:19:15+] - trying: -uglifyjs
> I: [2022-02-11T12:19:15+] - skipped: -uglifyjs (0, 33, 62)
> I: [2022-02-11T12:19:15+] - got: 123+0: a-3:a-0:a-0:a-0:i-119:m-0:m-0:p-0:s-1
> I: [2022-02-11T12:19:15+] - * amd64: rails, ruby-uglifier

Package requested for removal is src:uglifyjs, building binary package node-uglify which provides virtual package uglifyjs.

Packages (build-)depending (unversioned or with only lower bounds) on "uglifyjs" should _not_ break: Such dependency is satisfied by package src:uglify-js, building binary package uglifyjs.

(i.e. there are 2 packages, one with and one without dash)

> Checking reverse dependencies...
[ false positive satisfied by src:uglify-js snipped ]

> ruby-uglifier: ruby-uglifier

Current upstream code FTBFS with Uglifyjs: see bug#981224

v2 branch currently in Debian unstable last update upstream in 2015: https://github.com/lautis/uglifier/tags?after=v3.0.0

> # Broken Build-Depends:
[ false positives satisfied by src:uglify-js snipped ]

> class.js: node-uglify
Bug#979888
> flightgear-phi: node-uglify
Bug#979902
> jquery-coolfieldset: node-uglify
Bug#979906
> jquery-lazyload: node-uglify
Bug#979911
> jquery-reflection: node-uglify
Bug#979907
> jquery-watermark: node-uglify
Bug#979943
> jquery-caret.js: node-uglify
Bug#979934
> jquery-simpletreemenu: node-uglify
Bug#979940
> jquery-throttle-debounce: node-uglify
Bug#979886
> raphael: node-uglify (>= 1.1.1-2~)
Bug#979937
> ruby-rails-assets-favico.js: node-uglify
Bug#979962
> ruby-rails-assets-jquery-fullscreen-plugin: node-uglify
Bug#979955
> ruby-rails-assets-perfect-scrollbar: node-uglify
Bug#979936
> ruby-uglifier: libjs-uglify
(see reasons at build-dependency above)
> slick: node-uglify
Bug#979954
> sockjs-client: node-uglify (>= 2.0)
Bug#979958

> If you want to get uglifyjs removed from testing, there needs to be an
> upgrade path to uglify-js 3.15.0 or all of these packages need to be
> updated. So what's your plan here?

I have no plan. What plan might be sensible?

> > (I tried to get the package auto-kicked from testing by filing
> > release-critical bug#958117 but evidently that didn't work.)
>
> uglifyjs is a key package, so auto-removal does not apply.

What does "key package" mean? Simply that other packages (build-)depend on it, or perhaps some manually maintained list by the release team?

If the latter, then please remove src:uglifyjs as key package and instead treat src:uglify-js as key package.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
Bug#1005328: RM: uglifyjs/2.8.29-8
Control: tags -1 moreinfo

On 2022-02-11 12:08:52 +0100, Jonas Smedegaard wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: rm
> X-Debbugs-Cc: Debian Javascript Maintainers
>
> uglifyjs v2 was last updated upstream in 2017, and has no real
> maintainer in Debian since December 2020 - see bug#958117
>
> The package should not be released with bookworm, but may still have
> reverse (build-)dependencies, and I therefore request removal only from
> testing for now. Please advise if another approach is more sensible.

So this is the same request as #968137. The current situation is:

I: [2022-02-11T12:19:15+] - trying: -uglifyjs
I: [2022-02-11T12:19:15+] - skipped: -uglifyjs (0, 33, 62)
I: [2022-02-11T12:19:15+] - got: 123+0: a-3:a-0:a-0:a-0:i-119:m-0:m-0:p-0:s-1
I: [2022-02-11T12:19:15+] - * amd64: rails, ruby-uglifier

If one checks with dak:

Will remove the following packages from testing:

libjs-uglify | 2.8.29-8 | all
node-uglify | 2.8.29-8 | all
uglifyjs | 2.8.29-8 | source

Maintainer: Debian Javascript Maintainers

--- Reason ---
--

Checking reverse dependencies...
# Broken Depends:
node-dryice: node-dryice
ruby-uglifier: ruby-uglifier

# Broken Build-Depends:
angular.js: uglifyjs
asciimathtml: uglifyjs
autosize.js: uglifyjs
awesomplete: uglifyjs
backbone: uglifyjs (>= 3)
bignumber.js: uglifyjs
blockui: uglifyjs
bootsidemenu.js: uglifyjs
c3: uglifyjs
chartkick.js: uglifyjs
class.js: node-uglify
coffeescript: uglifyjs
d3: uglifyjs
d3-tip.js: uglifyjs
dask.distributed: uglifyjs
elycharts.js: uglifyjs
eonasdan-bootstrap-datetimepicker: uglifyjs
explorercanvas: uglifyjs
flightgear-phi: node-uglify
flot: uglifyjs
gettext.js: uglifyjs
gitgraph.js: uglifyjs
glowing-bear: uglifyjs
highlight.js: uglifyjs
jquery-areyousure: uglifyjs
jquery-caret.js: node-uglify
jquery-coolfieldset: node-uglify
jquery-goodies: uglifyjs
jquery-i18n.js: uglifyjs
jquery-lazyload: node-uglify
jquery-minicolors: uglifyjs
jquery-reflection: node-uglify
jquery-simpletreemenu: node-uglify
jquery-throttle-debounce: node-uglify
jquery-typeahead.js: uglifyjs
jquery-ui-touch-punch.js: uglifyjs
jquery-watermark: node-uglify
jquery.sparkline: uglifyjs
jqueryui: uglifyjs
json-js: uglifyjs (>= 3)
jsrender: uglifyjs
jstimezonedetect.js: uglifyjs
knowl.js: uglifyjs
kytos-sphinx-theme: uglifyjs
ldap-account-manager: uglifyjs
leaflet: uglifyjs (>= 3)
leaflet-geometryutil: uglifyjs
leaflet-markercluster: uglifyjs (>= 3)
lemonldap-ng: uglifyjs
libjs-autolink: uglifyjs
libjs-blazy: uglifyjs
libjs-bootbox: uglifyjs (>= 3)
libjs-chosen: uglifyjs (>= 2)
libjs-cssrelpreload: uglifyjs
libjs-dropzone: uglifyjs
libjs-jquery-center: uglifyjs
libjs-jquery-jstree: uglifyjs
libjs-jquery-markitup: uglifyjs
libjs-jquery-scrollto: uglifyjs
libjs-jquery-timeago: uglifyjs
libjs-jsxc: uglifyjs
libjs-material-design-lite: uglifyjs
libjs-qunit: uglifyjs (>= 3)
libjs-sdp: uglifyjs (>= 3)
libjs-term.js: uglifyjs
libjs-webrtc-adapter: uglifyjs (>= 3)
lightbox2.js: uglifyjs (>= 3.6.3)
modernizr: uglifyjs
moment-timezone.js: uglifyjs
mustache.js: uglifyjs
node-ansi-up: uglifyjs
node-async: uglifyjs
node-autolinker: uglifyjs
node-big.js: uglifyjs
node-bluebird: uglifyjs
node-bootstrap-tour: uglifyjs
node-browser-pack: uglifyjs
node-browserify-lite: uglifyjs
node-chart.js: uglifyjs
node-chroma-js: uglifyjs
node-deep-eql: uglifyjs
node-dryice: uglifyjs
node-es5-shim: uglifyjs
node-es6-shim: uglifyjs
node-eventemitter2: uglifyjs
node-expect.js: uglifyjs
node-fast-levenshtein: uglifyjs
node-functional-red-black-tree: uglifyjs (>= 3)
node-immutable-tuple: uglifyjs
node-imurmurhash: uglifyjs
node-inflected: uglifyjs
node-is-typedarray: uglifyjs
node-iscroll: uglifyjs
node-jsonselect: uglifyjs
node-katex: uglifyjs
node-knockout: uglifyjs
node-lodash: uglifyjs
node-lunr: uglifyjs (>= 3)
node-moment: uglifyjs
node-mousetrap: uglifyjs
node-n3: uglifyjs (>= 3)
node-nouislider: uglifyjs (>= 3.13.0)
node-pinkyswear: uglifyjs
node-q: uglifyjs
node-seedrandom: uglifyjs
node-sink-test: uglifyjs
node-sprintf-js: uglifyjs
node-stable: uglifyjs
node-turbolinks: uglifyjs
node-tweetnacl: uglifyjs
node-typedarray-to-buffer: uglifyjs
node-umd: uglifyjs
node-util: uglifyjs
node-uuid: uglifyjs
node-websocket: uglifyjs
node-with: uglifyjs
node-zrender: uglifyjs
olm: uglifyjs (>= 3)
openlayers: uglifyjs
pegjs: uglifyjs
polymake: uglifyjs
prefixfree: uglifyjs
prosody-modules: uglifyjs
pympler: uglifyjs
python-django-colorfield: uglifyjs
queue-async: uglifyjs
rainbow.js: uglifyjs
raphael: node-uglify (>= 1.1.1-2~)
requirejs: uglifyjs
requirejs-text: uglifyjs
reqwest: uglifyjs
rickshaw: uglifyjs
ruby-rails-assets-favico.js: node-uglify
ruby-rails-assets-jquery-fullscreen-plugin: node-uglify
ruby-rails-assets-perfect-scrollbar: node-uglify
ruby-uglifier: libjs-uglify
sax.js: uglifyjs
science.js: uglifyjs
select2.js:
Processed: Re: Bug#1005328: RM: uglifyjs/2.8.29-8
Processing control commands:

> tags -1 moreinfo
Bug #1005328 [release.debian.org] RM: uglifyjs/2.8.29-8
Added tag(s) moreinfo.

--
1005328: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005328
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1005328: RM: uglifyjs/2.8.29-8
Hi Jonas,

On 11-02-2022 12:08, Jonas Smedegaard wrote:
> (I tried to get the package auto-kicked from testing by filing
> release-critical bug#958117 but evidently that didn't work.)

That would work if uglifyjs was not a key package. We can only remove it
if that's no longer the case, and then autoremoval will do its work. Have
you filed bugs with reverse (build-)dependencies already? It needs to be
fixed there.

Paul

https://udd.debian.org/cgi-bin/key_packages.yaml.cgi
- reason: jquery-throttle-debounce build-depends node-uglify
  source: uglifyjs

(Be aware, the above reason may not be the only reason why it's in key
packages, it's just the first that the script encountered)
Re: chromium: Update to version 94.0.4606.61 (security-fixes)
Dear Andres,

Thanks for your work for chromium!

On Mon, Jan 3, 2022 at 7:33 PM Andres Salomon wrote:
> > > I saw
> > > https://salsa.debian.org/dilinger/chromium/-/commit/5c05f430e192961527ec9a64bbaa64401dc14d95
> > > , but buster now also includes LLVM/clang 11 (it was introduced to
> > > support a more recent Rust toolchain needed for Firefox), so you
> > > might reduce complexity here further:
> > > https://tracker.debian.org/pkg/llvm-toolchain-11
> > >
> > > It's in buster-proposed-updates since there hasn't been a point
> > > release since, but for the purposes of buster-security builds, it
> > > doesn't matter (the chroots have been modified to include
> > > buster-proposed-updates temporarily):
> >
> > Ah, very helpful, thanks! I'll give buster a try (just created
> > the 'v96-buster' branch). Between that and various backports, I think
> > we might be in good shape.
>
> Unfortunately it needs a newer nodejs than what's in buster, so I'll go
> back to focusing on bullseye & sid for now. :(

I tried to backport bullseye's v97 to buster, but the error below occurred.
I also tried the v96-buster branch from your salsa git repo, and got a
similar error.
So is this the error you mentioned above, that buster's nodejs package is
too old for chromium?
Is it possible to use the embedded nodejs to work around this issue?
I also guess this might be related to an incompatibility between the
system's nodejs and the embedded rollup binary.
Is it possible to add a patch to replace it with the system's rollup?
Error from buster-backports pbuilder for bullseye's chromium v97:

FAILED: gen/third_party/devtools-frontend/src/front_end/panels/timeline/components/components.js
python3 ../../third_party/node/node.py ../../third_party/devtools-frontend/src/node_modules/rollup/dist/bin/rollup --silent --config ../../third_party/devtools-frontend/src/scripts/build/rollup.config.js --input gen/third_party/devtools-frontend/src/front_end/panels/timeline/components/components.prebundle.js --file gen/third_party/devtools-frontend/src/front_end/panels/timeline/components/components.js --configDCHECK
Traceback (most recent call last):
  File "../../third_party/node/node.py", line 36, in
    RunNode(sys.argv[1:])
  File "../../third_party/node/node.py", line 31, in RunNode
    raise RuntimeError('%s failed: %s' % (cmd, stderr))
RuntimeError: ['/usr/bin/nodejs', '../../third_party/devtools-frontend/src/node_modules/rollup/dist/bin/rollup', '--silent', '--config', '../../third_party/devtools-frontend/src/scripts/build/rollup.config.js', '--input', 'gen/third_party/devtools-frontend/src/front_end/panels/timeline/components/components.prebundle.js', '--file', 'gen/third_party/devtools-frontend/src/front_end/panels/timeline/components/components.js', '--configDCHECK'] failed: b'[!] (plugin minify-html-template-literals) TypeError: result.matchAll is not a function\ngen/third_party/devtools-frontend/src/front_end/panels/timeline/components/WebVitalsTimeline.js\nTypeError: result.matchAll is not a function\nat Object.minifyHTML (/build/chromium-97.0.4692.99/third_party/devtools-frontend/src/node_modules/minify-html-literals/src/strategy.ts:145:41)\n at Object.minifyHTML (/build/chromium-97.0.4692.99/third_party/devtools-frontend/src/scripts/build/rollup.config.js:80:37)\n at templates.forEach.template (/build/chromium-97.0.4692.99/third_party/devtools-frontend/src/node_modules/minify-html-literals/src/minifyHTMLLiterals.ts:322:24)\n at Array.forEach ()\nat Object.minifyHTMLLiterals (/build/chromium-97.0.4692.99/third_party/devtools-frontend/src/node_modules/minify-html-literals/src/minifyHTMLLiterals.ts:297:13)\n at Object.transform (/build/chromium-97.0.4692.99/third_party/devtools-frontend/src/node_modules/rollup-plugin-minify-html-template-literals/dist/index.js:15:47)\n at Promise.resolve.then (/build/chromium-97.0.4692.99/third_party/devtools-frontend/src/node_modules/rollup/dist/shared/rollup.js:20218:25)\n\n'

Cheers,
--
Roger Shimizu, GMT +9 Tokyo
PGP/GPG: 4096R/6C6ACD6417B3ACB1
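The `result.matchAll is not a function` failure in the log above is what a JavaScript runtime without `String.prototype.matchAll` (an ES2020 method; Node.js releases before 12 lack it) produces when the minify-html-literals plugin calls it. The following JavaScript is an added illustration, not code from this thread or from the chromium packaging: it shows the behaviour that call relies on, a fallback built on a global `exec()` loop with the same contract, and a constructed template sample; `matchAllFallback`, `placeholderNames` and the sample input are hypothetical names and data.

```javascript
// Added example; the helpers and sample template are constructed here,
// not taken from the chromium or devtools-frontend sources.

// hasNativeMatchAll reports whether this runtime would trip the
// "result.matchAll is not a function" failure seen in the build log.
function hasNativeMatchAll() {
  return typeof String.prototype.matchAll === 'function';
}

// matchAllFallback emulates str.matchAll(regex) on a runtime without it.
// Like the native method it insists on a global RegExp, because a
// non-global exec() would return the first match forever.
function matchAllFallback(str, regex) {
  if (!(regex instanceof RegExp) || !regex.flags.includes('g')) {
    throw new TypeError('matchAll requires a RegExp with the g flag');
  }
  const re = new RegExp(regex.source, regex.flags); // private lastIndex
  const matches = [];
  let m;
  while ((m = re.exec(str)) !== null) {
    matches.push(m);
    // An empty match does not advance lastIndex; step past it by hand,
    // as the native iterator does, to avoid an infinite loop.
    if (m[0] === '') re.lastIndex += 1;
  }
  return matches;
}

// matchAllCompat uses the native method when present, the fallback otherwise.
function matchAllCompat(str, regex) {
  return hasNativeMatchAll() ? Array.from(str.matchAll(regex))
                             : matchAllFallback(str, regex);
}

// Constructed sample: an HTML template literal of the kind the minifier
// scans for ${...} placeholders before minifying the markup around them.
const SAMPLE_TEMPLATE = '<div class="${cls}">${label}</div> ${tail}';
const PLACEHOLDER_RE = /\$\{([^}]*)\}/g;

// placeholderNames returns the expression inside each placeholder, using
// whichever matchAll implementation is passed in (default: compat wrapper).
function placeholderNames(template, impl = matchAllCompat) {
  return impl(template, PLACEHOLDER_RE).map(m => m[1]);
}
```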
Bug#1005328: RM: uglifyjs/2.8.29-8
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
X-Debbugs-Cc: Debian Javascript Maintainers

uglifyjs v2 was last updated upstream in 2017, and has no real
maintainer in Debian since December 2020 - see bug#958117

The package should not be released with bookworm, but may still have
reverse (build-)dependencies, and I therefore request removal only from
testing for now. Please advise if another approach is more sensible.

(I tried to get the package auto-kicked from testing by filing
release-critical bug#958117 but evidently that didn't work.)

- Jonas