Bug#1066077: usr-is-merged fails to install on a /usr-merged system

[David W]

Package: usr-is-merged
Version: 39

When attempting to install, I received the following message:

**
*
* The usr-is-merged package cannot be installed because this system does
* not have a merged /usr.
*
* Please install the usrmerge package to convert this system to merged-/usr.
*
* For more information please read https://wiki.debian.org/UsrMerge.
*
**

This despite the fact that I have version 39 of usrmerge installed, and the
symlinks were indeed set up correctly.

In the end, it turned out to be because /usr itself was a symlink, and
although this causes no issues for either the merging process or any
running software, since the check is using "readlink -f" it erroneously
fails.

-- 
=D ave

Bug#1066052: gcc-13: several acats tests raise ADA.CALENDAR.TIME_ERROR : a-calend.adb:601

[John David Anglin]

Source: gcc-12
Version: 12.3.0-15
Severity: normal

Dear Maintainer,

In test log, I see a number of tests with following error:

splitting /build/gcc-12-TxDF5I/gcc-12-12.3.0/build/gcc/testsuite/ada/acats1/test
s/a/a26007a.adt into:
   a26007a.adb
BUILD a26007a.adb
/build/gcc-12-TxDF5I/gcc-12-12.3.0/build/gcc/gnatmake 
--GNATBIND=/build/gcc-12-TxDF5I/gcc-12-12.3.0/build/gcc/gnatbind 
--GNATLINK=/build/gcc-12-TxDF5I/gcc-12-12.3.0/build/gcc/gnatlink 
--GCC=/build/gcc-12-TxDF5I/gcc-12-12.3.0/build/gcc/xgcc 
-B/build/gcc-12-TxDF5I/gcc-12-12.3.0/build/gcc/ -gnatws -O2 -gnat95 
-I/build/gcc-12-TxDF5I/gcc-12-12.3.0/build/gcc/testsuite/ada/acats1/../acats/support
 a26007a.adb -largs --GCC=/build/gcc-12-TxDF5I/gcc-12-12.3.0/build/gcc/xgcc 
-B/build/gcc-12-TxDF5I/gcc-12-12.3.0/build/gcc/
/build/gcc-12-TxDF5I/gcc-12-12.3.0/build/gcc/xgcc -c 
-B/build/gcc-12-TxDF5I/gcc-12-12.3.0/build/gcc/ -gnatws -O2 -gnat95 
-I/build/gcc-12-TxDF5I/gcc-12-12.3.0/build/gcc/testsuite/ada/acats1/../acats/support
 a26007a.adb
/build/gcc-12-TxDF5I/gcc-12-12.3.0/build/gcc/gnatbind 
-I/build/gcc-12-TxDF5I/gcc-12-12.3.0/build/gcc/testsuite/ada/acats1/../acats/support
 -x a26007a.ali
/build/gcc-12-TxDF5I/gcc-12-12.3.0/build/gcc/gnatlink a26007a.ali -O2 
--GCC=/build/gcc-12-TxDF5I/gcc-12-12.3.0/build/gcc/xgcc 
-B/build/gcc-12-TxDF5I/gcc-12-12.3.0/build/gcc/
RUN a26007a


raised ADA.CALENDAR.TIME_ERROR : a-calend.adb:601
FAIL:   a26007a

Regards,
Dave Anglin


-- System Information:
Debian Release: trixie/sid
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable')
Architecture: hppa (parisc64)

Kernel: Linux 6.1.80+ (SMP w/4 CPU threads)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

-- no debconf information

Bug#1065831: apt tries to uninstall kde & plasma (full-upgrade)

[David Kalnischkies]

On Mon, Mar 11, 2024 at 05:09:47PM +0100, Miguel Angel Rojas wrote:
> Yes, it is confusing for me too. Without considering this t64 migration,
> “apt upgrade” should *NOT* remove any package (just upgrading a package to
> a newer version or install new dependencies). But it is removing packages
> right now! i.e. again, with this t64 migration, it makes the old libraries
> to be uninstalled and install the new *t64 version.
> 
> Any thoughts why “apt upgrade” is removing packages even when documentation
> says it shouldn’t? or is it a bug?

If "apt upgrade" is saying that it removes packages, that is a bug, yes.

Please run: apt upgrade -s -o Dir::Log::Solver=/tmp/apt-upgrade-bug.edsp.xz
(as normal user; the -s enables simulation so nothing bad can happen)

That will create a /tmp/apt-upgrade-bug.edsp.xz file (a few MBs big) you
can sent to me (it might be too big for a bug and/or the mailinglist).
That file contains information about all packages currently available to
you and which of them you have installed – as that changes quiet often
and its near impossible to reproduce a problem, especially while a big
transition is underway, otherwise.

If that package-removing upgrade happened in the past, you can look it
up in /var/log/apt/history.log – far less details and harder to
reproduce, but at least some chance…


I do have to note that I am somewhat dubious through. I have heard that
claim quiet often recently and so far it turned out not to be an "apt
upgrade" invocation in the end, confusing it with autoremove remarks or
didn't expect that some non-t64 and t64 packages became co-installable…
but never say never.


Best regards

David Kalnischkies


signature.asc
Description: PGP signature

Bug#1065038: src:commit-patch: fails to migrate to testing for too long: uploader built arch:all binary

[David Caldwell]

Hi,

Your package is only blocked because the arch:all binary package(s) 
aren't built on a buildd. Unfortunately the Debian infrastructure 
doesn't allow arch:all packages to be properly binNMU'ed. Hence, I will 
shortly do a no-changes source-only upload to DELAYED/15, closing this 
bug. Please let me know if I should delay or cancel that upload.


I think this failed. I got this email shortly afterward:


Subject: commit-patch_2.6.2-1_amd64.changes REJECTED

>

Version check failed:
Your upload included the source package commit-patch, version 2.6.2-1,
however unstable already has version 2.6.2-1.
Uploads to unstable must have a higher version than present in unstable.


Is this expected or did something go wrong?

Today I got this:


commit-patch 2.6-2.1 is marked for autoremoval from testing on 2024-03-29

It is affected by these RC bugs:
1065038: commit-patch: fails to migrate to testing for too long: uploader built 
arch:all binary
 https://bugs.debian.org/1065038


So I think things are not in a good state. What is the solution to this?

Thanks,
  David

Bug#1065720: Useless in Debian nowadays

[David Prévot]

Package: php-text-wiki
Version: 1.2.1-3.1
Severity: serious

php-text-wiki has no reverse dependencies anymore. We should probably
not ship this package in Trixie (not sure if we actually want to remove
it from Bookworm).

I intend to follow up with an RM request in a few months if nobody
objects (but feel free to beat me to it).

Regards

David


signature.asc
Description: PGP signature

Bug#1065719: Useless in Debian nowadays

[David Prévot]

Package: php-net-dime
Version: 1.0.2-3.1
Severity: serious

php-net-dime has no reverse dependencies anymore. We should probably not
ship this package in Trixie (not sure if we actually want to remove it
from Bookworm).

I intend to follow up with an RM request in a few months if nobody
objects (but feel free to beat me to it).

Regards

David


signature.asc
Description: PGP signature

Bug#1065718: Useless in Debian nowadays

[David Prévot]

Package: php-net-nntp
Version: 1.5.0-2.1
Severity: serious

php-net-nntp has no reverse dependencies anymore. We should probably not
ship this package in Trixie (not sure if we actually want to remove it
from Bookworm).

I intend to follow up with an RM request in a few months if nobody
objects (but feel free to beat me to it).

Regards

David



signature.asc
Description: PGP signature

Bug#1065716: Useless in Debian nowadays

[David Prévot]

Package: php-letodms-core
Version: 3.4.2-1.1
Severity: serious

php-letodms-core has no reverse dependencies anymore. We should probably
not ship this package in Trixie (not sure if we actually want to remove
it from Bookworm).

I intend to follow up with RM requests in a few months if nobody objects
(but feel free to beat me to it).

Regards

David


signature.asc
Description: PGP signature

Bug#1065717: Useless in Debian nowadays

[David Prévot]

Package: php-http-webdav-server
Version: 1.0.0RC8-1.1
Severity: serious

php-http-webdav-server has no reverse dependencies anymore. We should
probably not ship this package in Trixie (not sure if we actually want
to remove it from Bookworm).

I intend to follow up with RM requests in a few months if nobody objects
(but feel free to beat me to it).

Regards

David


signature.asc
Description: PGP signature

Bug#1065712: Useless in Debian nowadays

[David Prévot]

Package: php-net-whois
Version: 1.0.5-3.2
Severity: serious
X-Debbugs-Cc: Debian PHP PEAR Maintainers 

[ Filled as RC by a Debian PHP PEAR Maintainers team member to see this
  package auto-removed from testing. ]

php-net-whois has no reverse dependencies anymore. We should probably
not ship this package in Trixie (not sure if we actually want to remove
it from Bookworm, Bullseye, etc.)

I intend to follow up with RM requests in a few months if nobody objects
(but feel free to beat me to it).

Regards

David



signature.asc
Description: PGP signature

Bug#1065710: Useless in Debian nowadays

[David Prévot]

Package: debpear
Version: 0.5+nmu1
Severity: serious

[ Filled as RC by a team member to see this package auto-removed from
  testing. ]

debpear has no reverse dependencies, not seen any development in the
last ten years, and has a decreasing popcon (probably in link with the
decreasing interest in PEAR as a way to distribute PHP packages compared
to Composer). We should probably not ship this package in Trixie (not
sure if it is worth removing from Bookworm).

I intend to follow up with RM requests in a few months if nobody objects
(but feel free to beat me to it).

Regards

David


signature.asc
Description: PGP signature

Bug#1065708: Useless in Debian nowadays

[David Prévot]

Package: php-validate
Version: 0.8.5-4.2
Severity: serious
X-Debbugs-Cc: Debian PHP PEAR Maintainers 

[ Filled as RC by a Debian PHP PEAR Maintainers team member to see this
  package auto-removed from testing. ]

php-validate has no reverse dependencies anymore. We should probably not
ship this package in Trixie (not sure if we actually want to remove it
from Bookworm, Bullseye, etc.)

I intend to follow up with RM requests in a few months if nobody objects
(but feel free to beat me to it).

Regards

David


signature.asc
Description: PGP signature

Bug#1041477: php-net-ftp: PHP Fatal error with Bookworm PHP 8.2

[David Prévot]

control: tags -1 serious

Hi Benjamin,

Thank you for the report, and apologies nobody came back to you sooner.

Le Wed, Jul 19, 2023 at 11:24:44AM +, Benjamin Renard a écrit :
> Package: php-net-ftp
> Version: 1:1.4.0-2.1
[…]
> This package seem not compatible with the PHP 8.2 version included in
> Debian Bookworn.

Also, this package has no reverse dependencies. Given the amount of care
it brought in the last few years, I believe it should be removed from
the archive. Bumping the severity to see it removed from testing ASAP,
maybe it should also be removed from (at least) Bookworm.

I intend to follow up with RM requests in a few months if nobody objects
(but feel free to beat me to it).

Regards

David


signature.asc
Description: PGP signature

Bug#1065707: Useless in Debian nowadays

[David Prévot]

Package: libphp-snoopy
Version: 2.0.0-3
Severity: serious


[ Filled as RC by a team member to see this package auto-removed from
  testing. ]

libphp-snoopy has no reverse dependencies anymore. We should probably
not ship this package in Trixie (not sure if we actually want to remove
it from Bookworm and Bullseye).

I intend to follow up with RM requests in a few months if nobody objects
(but feel free to beat me to it).

Regards

David


signature.asc
Description: PGP signature

Bug#1065705: Useless in Debian nowadays

[David Prévot]

Package: php-mdb2
Version: 2.5.0b5-2.1
Severity: serious

[ Filled as RC by a team member to see this package auto-removed from
  testing. ]

php-mdb2 has no reverse dependencies anymore (except for
php-mdb2-driver-pgsql and php-mdb2-driver-mysql that are also targeted
by this bug report). We should probably not ship these packages in
Trixie (not sure if we actually want to remove them from Bookworm).

I intend to follow up with RM requests in a few months if nobody objects
(but feel free to beat me to it).

Regards

David


signature.asc
Description: PGP signature

Bug#1041982: Speeding up Symfony 6 transition? [Was: Upcoming transitions (Symfony, PHPUnit, etc.)]

[David Prévot]

Hi,

Le Wed, Feb 21, 2024 at 08:19:06AM +0100, David Prévot a écrit :

> […] I wish to
> proceed with the transition during the next MiniDebCampHamburg happening
> early March (in less than two weeks).
> 
> https://wiki.debian.org/DebianEvents/de/2024/MiniDebCampHamburg

And that’s done (in unstable)! It needed some last minute tweaking for
debci mostly, but the [excuses] page looks good now. I expect the only
blockers will be removal (or fix) of php-laravel-lumen-framework and
php-laravel-framework (autoremoval expected March 14 and April 7
respectively, sooner if the release team uses some magic).

excuses: https://qa.debian.org/excuses.php?package=symfony

Thanks to everyone involved!

I intend to follow up with some more major version bump on packages that
were waiting for Symfony (php-psr-link, php-psr-log, php-email-validator
and some packages from the Doctrine stack…). The next big transition in
PHP libraries before Trixie may be PHPUnit 11 if we manage to pull it
off.

Cheers,

taffit


signature.asc
Description: PGP signature

Bug#1065597: racket: Inclusion of mzdyn.o in the binary package

[David Bremner]

Rafael Laboissière  writes:

> At any rate, I wonder why the following mzscheme code:
>
>  (begin
>   (require dynext/link)
>   (with-handlers
>(((lambda args #t) (lambda args #f)))
>(for-each (lambda (x) (printf "~a" x))
>  (expand-for-link-variant 
> (current-standard-link-libraries)
>

I'm not sure what will come of it, but I have reported this issue as

https://github.com/racket/cext-lib/issues/4

I haven't marked this Debian bug as forwarded as I believe they are
different bugs.

Bug#1065633: [SPAM] Re: Bug#1065633: openldap: FTBFS on hppa - implicit declaration of function 'kadm5_s_init_with_password_ctx'

[John David Anglin]

On 2024-03-07 7:21 p.m., Ryan Tandy wrote:

On Thu, Mar 07, 2024 at 01:29:54PM -0800, Ryan Tandy wrote:
The binNMUs succeeded on several release arches already. I'm not sure why hppa would be different. I see 
-Werror=implicit-function-declaration in its compiler commands, but I don't know where it's coming from.


I remembered later maybe seeing something about this around time64 build flags, 
and sure enough, in dpkg 1.22.5:

https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=ef90821fe45b99fa8c8c4279b9a74c30f59f491d

So actually it looks like hppa was only the first to encounter it, and armel/armhf are likely to fail the same way (right now they are still 
BD-Uninstallable), in which case this bug will be RC.

Yes, see:
https://wiki.debian.org/BrainDumpT64

We have been doing a lot of manual builds, so it's possible we may have messed 
up.

--
John David Anglin  dave.ang...@bell.net

Bug#1065633: openldap: FTBFS on hppa - implicit declaration of function ‘kadm5_s_init_with_password_ctx’

[John David Anglin]

Source: openldap
Version: 2.5.13+dfsg-5+b4
Severity: normal
Tags: ftbfs

Dear Maintainer,

See:
https://buildd.debian.org/status/fetch.php?pkg=openldap=hppa=2.5.13%2Bdfsg-5%2Bb4=1709830559=0

smbk5pwd.c: In function ‘smbk5pwd_modules_init’:
smbk5pwd.c:917:23: error: implicit declaration of function 
‘kadm5_s_init_with_password_ctx’; did you mean ‘kadm5_init_with_password_ctx’? 
[-Werror=implicit-function-declaration]
  917 | ret = kadm5_s_init_with_password_ctx( context,
  |   ^~
  |   kadm5_init_with_password_ctx
smbk5pwd.c:924:25: warning: ‘krb5_get_error_string’ is deprecated 
[-Wdeprecated-declarations]
  924 | err_str = krb5_get_error_string( context );
  | ^~~
In file included from /usr/include/heimdal/krb5.h:967,
 from smbk5pwd.c:45:
/usr/include/heimdal/krb5-protos.h:4188:1: note: declared here
 4188 | krb5_get_error_string (krb5_context /*context*/)
  | ^
smbk5pwd.c:926:33: warning: ‘krb5_get_err_text’ is deprecated 
[-Wdeprecated-declarations]
  926 | err_msg = (char *)krb5_get_err_text( 
context, ret );
  | ^~~
/usr/include/heimdal/krb5-protos.h:4152:1: note: declared here
 4152 | krb5_get_err_text (
  | ^
smbk5pwd.c:931:33: warning: ‘krb5_free_error_string’ is deprecated 
[-Wdeprecated-declarations]
  931 | krb5_free_error_string( context, 
err_str );
  | ^~
/usr/include/heimdal/krb5-protos.h:3721:1: note: declared here
 3721 | krb5_free_error_string (
  | ^~
cc1: some warnings being treated as errors
make[2]: *** [Makefile:54: smbk5pwd.lo] Error 1

Regards,
Dave Anglin

-- System Information:
Debian Release: trixie/sid
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable')
Architecture: hppa (parisc64)

Kernel: Linux 6.1.80+ (SMP w/4 CPU threads)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Bug#1065597: racket: Inclusion of mzdyn.o in the binary package

[David Bremner]

Rafael Laboissière  writes:

>
> However, it does not work because the file mzdyn.o is needed and 
> cannot be found anywhere. Indeed, this file is mentioned in the Racket 
> documentation.[*]
>

My knowledge here is incomplete, and I'd be happy to be corrected, but:

I think that documentation relates to the old "bc" backend of racket.
For most architectures we are using the new "cs" backend (and will
possibly migrate the remaining architectures).  So it may not be
possible to do the same kind of linking as was done with the old
backend.

Bug#1065583: quodlibet: Clicking cover art stifles keyboard input & any clicks outside the image - accessibility nightmare

[David Z]

Package: quodlibet
Version: 4.5.0-2
Severity: normal
Tags: upstream a11y
X-Debbugs-Cc: unimportantdav...@gmail.com

To reproduce:

1. Start playing a track that causes some associated album art to be displayed
in the small icon at right.

2. Click that small album art thumbnail to enlarge the image.

3. Attempt to control Quod Libet using either the keyboard or mouse in any way
other than a mouse-click inside the enlarged displayed image (including
important "meta" controls like minimizing the window, pressing Ctrl+Q to
attempt to Quit, etc.). Optionally, attempt expected ways to close the album
art preview like pressing Esc, Space, or Enter. Such controls do not work.

4. Control can be regained only by clicking within the enlarged album art
display, or by pressing Ctrl+W, and as far as I can tell, absolutely no other
means.


Proposed actions:

1. The enlarged album art display should be very easy to close/dismiss,
including by pressing the keys Esc, Space, or Enter, and possibly even by
pressing any key whatsoever. This is especially important for disabled users
who may use accessibility tools and alternative input devices to control their
systems, and significantly also those who are reliant on standard keyboard
inputs and shortcuts.

2. The album art should also be closed/dismissed when a user clicks outside of
the enlarged image, or, alternatively, the functions of Quod Libet not covered
by the enlarged image should be able to be operated with mouse clicks, if they
are not covered, though my preference would be the former.

3. Having the album art enlarged should not prevent windowing system controls
(minimize button, "X" close button, etc.) from being clicked.

Thanks so much for contributing to the best music player on the planet.


-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-18-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages quodlibet depends on:
ii  exfalso  4.5.0-2
ii  gir1.2-gst-plugins-base-1.0  1.22.0-3+deb12u1
ii  gir1.2-gstreamer-1.0 1.22.0-2
ii  gir1.2-keybinder-3.0 0.3.2-1.1
ii  gstreamer1.0-alsa1.22.0-3+deb12u1
ii  gstreamer1.0-plugins-base1.22.0-3+deb12u1
ii  gstreamer1.0-plugins-good1.22.0-5+deb12u1
ii  gstreamer1.0-plugins-ugly1.22.0-2+deb12u1
ii  python3  3.11.2-1+b1

Versions of packages quodlibet recommends:
ii  gir1.2-gtksource-3.0   3.24.11-2+b1
ii  gir1.2-webkit2-4.0 2.42.5-1~deb12u1
ii  gnome-shell [notification-daemon]  43.9-0+deb12u1
ii  python3-dbus   1.3.2-4+b1
ii  python3-pyinotify  0.9.6-2

Versions of packages quodlibet suggests:
ii  gstreamer1.0-plugins-bad  1.22.0-4+deb12u5

-- no debconf information

Bug#1057689: minetest: calls home for upstream version check

[David Heidelberg]

Hello!

as a workaround you can set empty `update_information_url` in 
`~/.minetest/minetest.conf`.


For Debian developer maintaining minetest, this can be patched in 
`src/defaultsettings.cpp` same way by setting it to empty string.


Please, consider this message also as a request to bump minetest up to 
5.8.0 version.


Thank you!

--
David Heidelberg

Bug#1065497: Please allow php-psr-log 3

[David Prévot]

Hi Sunil,

Le Tue, Mar 05, 2024 at 02:47:18PM -0800, Sunil Mohan Adapa a écrit :
> On Tue, 5 Mar 2024 14:48:49 +0100 David =?iso-8859-1?Q?Pr=E9vot?=
>  wrote:
> > Package: php-klogger
> > Version: 1.2.2-2
> > Severity: important
[…]
> > Please, test your package with php-psr-log 3 and […]
> > […] upload to experimental a fix to make your packages work with
> > php-psr-log 3 (so we can easily upload it to unstable in sync with
> > php-psr-log 3).
> 
> I have patch available for making php-klogger depend on php-psr-log >= 3.0.

Thanks for the quick follow up!

> However, it does not work with php-psr-log 1.x anymore. So I don't know how
> the two packages can be uploaded together.

That’s fine, the patched version of php-klogger can be uploaded to
experimental now (so we may detect eventual regressions), and once we’re
ready, we just have to upload php-psr-log 3 and the patched version of
php-klogger in sync.

Regards,

taffit


signature.asc
Description: PGP signature

Bug#1065500: orc: liborc-0.4-dev-bin depends on both liborc-0.4-0 and liborc-0.4-0t64

[John David Anglin]

Source: orc
Version: 1:0.4.34-4.2
Severity: normal

Dear Maintainer,

See:
https://packages.debian.org/sid/liborc-0.4-dev-bin

Regards,
Dave Anglin

-- System Information:
Debian Release: trixie/sid
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable')
Architecture: hppa (parisc64)

Kernel: Linux 6.1.80+ (SMP w/4 CPU threads)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Bug#1065497: Please allow php-psr-log 3

[David Prévot]

Package: php-klogger
Version: 1.2.2-2
Severity: important

Hi James, Sunil,

AFAICT, php-klogger is the only blocker preventing php-psr-log 3 upload
to unstable. php-psr-log 3 is available in experimental since 2021, and
recent php-psr-log will be needed for the php-monolog 3 transition.

Please, test your package with php-psr-log 3 and relax the versioned
dependency if you manage to make your package work with any php-psr-log
version, or upload to experimental a fix to make your packages work with
php-psr-log 3 (so we can easily upload it to unstable in sync with
php-psr-log 3).

TIA.

Cheers,

taffit


signature.asc
Description: PGP signature

Bug#1063721: spip: has stopped working, complains about PHP version being ‘too recent’

[David Prévot]

control: severity -1 serious
control: found -1 4.1.15+dfsg-1

Hi,

Le Sun, Feb 11, 2024 at 07:30:39PM +0100, Axel a écrit :
> Package: spip
> Version: 4.1.9+dfsg-1+deb12u4
> Severity: important
[…]
> after the upgrade, I could not log in to my site anymore. […] …/ecrire shows:
> 
> “This installation will probably fail, or damage your site. PHP version 8.2.7 
> too recent (maximum = 8.1.99)”

Ouch, thanks for the feedback, I was able reproduce the issue on a new
install (it also breaks on new installation…), I assume changing
_PHP_MAX to 8.2.99 in /usr/share/spip/ecrire/inc_version.php should
allow one to workaround this issue.

Regards,

taffit


signature.asc
Description: PGP signature

Bug#1064998: guile-lib: broken package when cross building

[David Pirotte]

Hello debian maintainers,
Vagrant,

> Forwarding this upstream, originally submitted in the Debian bug
> tracking system at:

>   https://bugs.debian.org/1064998
> ...

> Would the guile-lib developers consider merging this? Are there any
> use-cases where this is inappropriate?

Certainly! Thanks for the report, it somehow did skip my attention
when i worked on this (a long long time ago ...), that calling
GUILE_SITE_DIR also defines GUILE_SITE_CCACHE

I'll fix this for the next release.

> Thanks!

I am the one who thanks (all of you)
David


pgpIY56GkC7Pr.pgp
Description: OpenPGP digital signature

Bug#1065112: Acknowledgement (linux-image-6.1.0-18-amd64: System unresponsive after resume from suspend when WoWLAN enabled in iwlwifi)

[David Balch]

Some more data...

Testing various kernels from https://snapshot.debian.org/binary/?cat=l , I
have found that:

• linux-image-6.0.0-0.deb11.2-amd64 - has an error, but stays responsive
(log except below, full dmesg at http://paste.debian.net/1309322/).
• linux-image-6.0.0-1-amd64 - has an error, and is unresponsive except for
(some) sysrq keys (stack trace photo at https://imgur.com/a/1R6gYLh ).

Although there is some sort of error/crash in both kernels, only
linux-image-6.0.0-1-amd64 becomes unusable, so that's probably more urgent.

Log excerpt for linux-image-6.0.0-0.deb11.2-amd6 ...

[9.755992] IPv6: ADDRCONF(NETDEV_CHANGE): wlp3s0: link becomes ready
[   10.556787] wlp3s0: Limiting TX power to 20 (20 - 0) dBm as advertised
by 4c:22:f3:aa:0a:c3
[  127.171444] PM: suspend entry (deep)
[  127.180424] Filesystems sync: 0.008 seconds
[  127.205820] (NULL device *): firmware: direct-loading firmware
regulatory.db
[  127.205857] (NULL device *): firmware: direct-loading firmware
regulatory.db.p7s
[  127.206064] (NULL device *): firmware: direct-loading firmware
iwlwifi-7265D-29.ucode
[  127.206147] (NULL device *): firmware: direct-loading firmware
i915/skl_dmc_ver1_27.bin
[  127.206217] Freezing user space processes ... (elapsed 0.001 seconds)
done.
[  127.207668] OOM killer disabled.
[  127.207677] Freezing remaining freezable tasks ... (elapsed 0.001
seconds) done.
[  127.210388] serial 00:01: disabled
[  127.210518] e1000e: EEE TX LPI TIMER: 0011
[  127.232775] sd 0:0:0:0: [sda] Synchronizing SCSI cache
[  127.232926] sd 0:0:0:0: [sda] Stopping disk
[  127.236750] iwlwifi :03:00.0: Applying debug destination
EXTERNAL_DRAM
[  127.696949] ACPI: PM: Preparing to enter system sleep state S3
[  127.698270] ACPI: PM: Saving platform NVS memory
[  127.698427] Disabling non-boot CPUs ...
[  127.700468] smpboot: CPU 1 is now offline
[  127.703320] smpboot: CPU 2 is now offline
[  127.705876] smpboot: CPU 3 is now offline
[  127.708599] ACPI: PM: Low-level resume complete
[  127.708642] ACPI: PM: Restoring platform NVS memory
[  127.709314] Enabling non-boot CPUs ...
[  127.709350] x86: Booting SMP configuration:
[  127.709352] smpboot: Booting Node 0 Processor 1 APIC 0x2
[  127.710109] CPU1 is up
[  127.710136] smpboot: Booting Node 0 Processor 2 APIC 0x4
[  127.710779] CPU2 is up
[  127.710813] smpboot: Booting Node 0 Processor 3 APIC 0x6
[  127.711515] CPU3 is up
[  127.712376] ACPI: PM: Waking up from system sleep state S3
[  127.720256] pcieport :00:1b.0: Intel SPT PCH root port ACS
workaround enabled
[  127.720642] pcieport :00:1d.0: Intel SPT PCH root port ACS
workaround enabled
[  127.724156] i915 :00:02.0: [drm] [ENCODER:94:DDI B/PHY B] is
disabled/in DSI mode with an ungated DDI clock, gate it
[  127.724168] i915 :00:02.0: [drm] [ENCODER:103:DDI C/PHY C] is
disabled/in DSI mode with an ungated DDI clock, gate it
[  127.724172] i915 :00:02.0: [drm] [ENCODER:114:DDI D/PHY D] is
disabled/in DSI mode with an ungated DDI clock, gate it
[  127.724175] i915 :00:02.0: [drm] [ENCODER:124:DDI E/PHY E] is
disabled/in DSI mode with an ungated DDI clock, gate it
[  127.724389] ACPI BIOS Error (bug): AE_AML_BUFFER_LIMIT, Field [DRQL] at
bit offset/length 136/8 exceeds size of target Buffer (128 bits)
(20220331/dsopcode-198)
[  127.724397] ACPI Error: Aborting method \_SB.PCI0.LPCB.SIO1.DSRS due to
previous error (AE_AML_BUFFER_LIMIT) (20220331/psparse-529)
[  127.724403] ACPI Error: Aborting method \_SB.PCI0.LPCB.UAR1._SRS due to
previous error (AE_AML_BUFFER_LIMIT) (20220331/psparse-529)
[  127.724409] serial 00:01: activation failed
[  127.724411] serial 00:01: PM: dpm_run_callback():
pnp_bus_resume+0x0/0xa0 returns -5
[  127.724417] serial 00:01: PM: failed to resume: error -5
[  127.733272] sd 0:0:0:0: [sda] Starting disk
[  127.743867] [ cut here ]
[  127.743869] Timeout waiting for hardware access (CSR_GP_CNTRL 0x080403d8)
[  127.743883] WARNING: CPU: 2 PID: 1113 at
drivers/net/wireless/intel/iwlwifi/pcie/trans.c:2128
__iwl_trans_pcie_grab_nic_access+0x1ef/0x220 [iwlwifi]
[  127.743899] Modules linked in: snd_seq_dummy snd_hrtimer snd_seq
snd_seq_device ctr ccm qrtr snd_hda_codec_hdmi binfmt_misc intel_rapl_msr
intel_rapl_common nls_ascii nls_cp437 vfat fat x86_pkg_temp_thermal
intel_powerclamp coretemp kvm_intel snd_ctl_led kvm iwlmvm irqbypass
snd_hda_codec_realtek ghash_clmulni_intel mac80211 snd_hda_codec_generic
snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi libarc4 aesni_intel
crypto_simd snd_hda_codec cryptd mei_hdcp mei_wdt snd_hda_core iwlwifi
snd_hwdep rapl snd_pcm intel_cstate dell_wmi sparse_keymap ledtrig_audio
intel_uncore snd_timer iTCO_wdt dell_smbios dcdbas intel_pmc_bxt cfg80211
wmi_bmof dell_wmi_descriptor pcspkr snd mei_me iTCO_vendor_support watchdog
ee1004 rfkill soundcore mei intel_pch_thermal intel_pmc_core acpi_pad evdev
sg msr parport_pc ppdev lp parport fuse efi_pstore loop dm_mod configfs
efivarfs ip_tables x_tables 

Bug#1065266: bullseye-pu: package php-phpseclib/2.0.30-2+deb11u2

[David Prévot]

Le Sat, Mar 02, 2024 at 11:22:22AM +0100, David Prévot a écrit :
[…]
>   [x] attach debdiff against the package in oldstable

Second try.

diff -Nru php-phpseclib-2.0.30/debian/changelog php-phpseclib-2.0.30/debian/changelog
--- php-phpseclib-2.0.30/debian/changelog	2023-12-31 15:36:22.0 +0100
+++ php-phpseclib-2.0.30/debian/changelog	2024-02-27 21:15:41.0 +0100
@@ -1,3 +1,15 @@
+php-phpseclib (2.0.30-2+deb11u2) bullseye; urgency=medium
+
+  * Backport upstream fixes
+- BigInteger: put guardrails on isPrime() and randomPrime() [CVE-2024-27354]
+- BigInteger: rm visibility modifiers from static variables
+- ASN1: limit OID length [CVE-2024-27355]
+- Tests: updates for phpseclib 2.0
+- BigInteger: phpseclib 2.0 updates
+- BigInteger: fix getLength()
+
+ -- David Prévot   Tue, 27 Feb 2024 21:15:41 +0100
+
 php-phpseclib (2.0.30-2+deb11u1) bullseye-security; urgency=medium
 
   * Backport upstream SSH2 changes
diff -Nru php-phpseclib-2.0.30/debian/patches/0028-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch php-phpseclib-2.0.30/debian/patches/0028-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
--- php-phpseclib-2.0.30/debian/patches/0028-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib-2.0.30/debian/patches/0028-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	2024-02-27 21:15:41.0 +0100
@@ -0,0 +1,76 @@
+From: terrafrost 
+Date: Fri, 23 Feb 2024 08:57:22 -0600
+Subject: BigInteger: put guardrails on isPrime() and randomPrime()
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/ad5dbdf2129f5e0fb644637770b7f33de8ca8575
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-27354
+---
+ phpseclib/Math/BigInteger.php | 41 -
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index 9df0bf0..bbe7c86 100644
+--- a/phpseclib/Math/BigInteger.php
 b/phpseclib/Math/BigInteger.php
+@@ -729,6 +729,33 @@ class BigInteger
+ return $result;
+ }
+ 
++/**
++ * Return the size of a BigInteger in bits
++ *
++ * @return int
++ */
++function getLength()
++{
++if (MATH_BIGINTEGER_MODE != MATH_BIGINTEGER_MODE_INTERNAL) {
++return strlen($this->toBits());
++}
++
++$max = count($this->value) - 1;
++return $max != -1 ?
++$max * MATH_BIGINTEGER_BASE + ceil(log($a->value[$max] + 1, 2)) :
++0;
++}
++
++/**
++ * Return the size of a BigInteger in bytes
++ *
++ * @return int
++ */
++function getLengthInBytes()
++{
++return ceil($this->getLength() / 8);
++}
++
+ /**
+  * Copy an object
+  *
+@@ -3237,6 +3264,11 @@ class BigInteger
+ $min = $temp;
+ }
+ 
++$length = $max->getLength();
++if ($length > 8196) {
++user_error('Generation of random prime numbers larger than 8196 has been disabled');
++}
++
+ static $one, $two;
+ if (!isset($one)) {
+ $one = new static(1);
+@@ -3344,7 +3376,14 @@ class BigInteger
+  */
+ function isPrime($t = false)
+ {
+-$length = strlen($this->toBytes());
++$length = $this->getLength();
++// OpenSSL limits RSA keys to 16384 bits. The length of an RSA key is equal to the length of the modulo, which is
++// produced by multiplying the primes p and q by one another. The largest number two 8196 bit primes can produce is
++// a 16384 bit number so, basically, 8196 bit primes are the largest OpenSSL will generate and if that's the largest
++// that it'll generate it also stands to reason that that's the largest you'll be able to test primality on
++if ($length > 8196) {
++user_error('Primality testing is not supported for numbers larger than 8196 bits');
++}
+ 
+ if (!$t) {
+ // see HAC 4.49 "Note (controlling the error probability)"
diff -Nru php-phpseclib-2.0.30/debian/patches/0029-BigInteger-rm-visibility-modifiers-from-static-varia.patch php-phpseclib-2.0.30/debian/patches/0029-BigInteger-rm-visibility-modifiers-from-static-varia.patch
--- php-phpseclib-2.0.30/debian/patches/0029-BigInteger-rm-visibility-modifiers-from-static-varia.patch	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib-2.0.30/debian/patches/0029-BigInteger-rm-visibility-modifiers-from-static-varia.patch	2024-02-27 21:15:41.0 +0100
@@ -0,0 +1,48 @@
+From: terrafrost 
+Date: Fri, 23 Feb 2024 21:55:47 -0600
+Subject: BigInteger: rm visibility modifiers from static variables
+
+the non static variables don't have privacy modifiers so idk that
+the static ones ought to either. phpseclib 3.0 uses privacy
+modifiers but not the 2.0 branch
+
+Origin: upstream, https

Bug#1065268: bullseye-pu: package phpseclib/1.0.19-3+deb11u2

[David Prévot]

Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: phpsec...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:phpseclib
User: release.debian@packages.debian.org
Usertags: pu

Hi,

This issue is simalar to #1065264 for bookworm

I’d like to see CVE-2024-27354 and CVE-2024-27355 addressed in the next
point release. We agreed with the security team that these issues are
not worth a DSA. This update also fixes an issue in dependency loading
similar to CVE-2024-24821 as fixed in composer/DSA-5632-1.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

TIA for considering.

Cheers,

taffit
diff -Nru phpseclib-1.0.19/debian/autoload.php.tpl phpseclib-1.0.19/debian/autoload.php.tpl
--- phpseclib-1.0.19/debian/autoload.php.tpl	2023-12-31 15:43:05.0 +0100
+++ phpseclib-1.0.19/debian/autoload.php.tpl	2024-02-27 21:27:58.0 +0100
@@ -1,7 +1,7 @@
   Tue, 27 Feb 2024 21:27:58 +0100
+
 phpseclib (1.0.19-3+deb11u1) bullseye-security; urgency=medium
 
   * Track bullseye
diff -Nru phpseclib-1.0.19/debian/patches/0029-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch phpseclib-1.0.19/debian/patches/0029-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
--- phpseclib-1.0.19/debian/patches/0029-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	1970-01-01 01:00:00.0 +0100
+++ phpseclib-1.0.19/debian/patches/0029-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	2024-02-27 21:27:58.0 +0100
@@ -0,0 +1,76 @@
+From: terrafrost 
+Date: Fri, 23 Feb 2024 08:57:22 -0600
+Subject: BigInteger: put guardrails on isPrime() and randomPrime()
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/ad5dbdf2129f5e0fb644637770b7f33de8ca8575
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-27354
+---
+ phpseclib/Math/BigInteger.php | 41 -
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index 35df7ad..1dd4729 100644
+--- a/phpseclib/Math/BigInteger.php
 b/phpseclib/Math/BigInteger.php
+@@ -746,6 +746,33 @@ class Math_BigInteger
+ return $result;
+ }
+ 
++/**
++ * Return the size of a BigInteger in bits
++ *
++ * @return int
++ */
++function getLength()
++{
++if (MATH_BIGINTEGER_MODE != MATH_BIGINTEGER_MODE_INTERNAL) {
++return strlen($this->toBits());
++}
++
++$max = count($this->value) - 1;
++return $max != -1 ?
++$max * MATH_BIGINTEGER_BASE + ceil(log($a->value[$max] + 1, 2)) :
++0;
++}
++
++/**
++ * Return the size of a BigInteger in bytes
++ *
++ * @return int
++ */
++function getLengthInBytes()
++{
++return ceil($this->getLength() / 8);
++}
++
+ /**
+  * Copy an object
+  *
+@@ -3283,6 +3310,11 @@ class Math_BigInteger
+ $min = $temp;
+ }
+ 
++$length = $max->getLength();
++if ($length > 8196) {
++user_error('Generation of random prime numbers larger than 8196 has been disabled');
++}
++
+ static $one, $two;
+ if (!isset($one)) {
+ $one = new Math_BigInteger(1);
+@@ -3390,7 +3422,14 @@ class Math_BigInteger
+  */
+ function isPrime($t = false)
+ {
+-$length = strlen($this->toBytes());
++$length = $this->getLength();
++// OpenSSL limits RSA keys to 16384 bits. The length of an RSA key is equal to the length of the modulo, which is
++// produced by multiplying the primes p and q by one another. The largest number two 8196 bit primes can produce is
++// a 16384 bit number so, basically, 8196 bit primes are the largest OpenSSL will generate and if that's the largest
++// that it'll generate it also stands to reason that that's the largest you'll be able to test primality on
++if ($length > 8196) {
++user_error('Primality testing is not supported for numbers larger than 8196 bits');
++}
+ 
+ if (!$t) {
+ // see HAC 4.49 "Note (controlling the error probability)"
Les fichiers binaires /tmp/q2874tUZtM/phpseclib-1.0.19/debian/patches/0030-ASN1-limit-OID-length.patch et /tmp/8dbXhTc93J/phpseclib-1.0.19/debian/patches/0030-ASN1-limit-OID-length.patch sont différents
diff -Nru phpseclib-1.0.19/debian/patches/0031-BigInteger-fix-getLength.patch phpseclib-1.0.19/debian/patches/0031-BigInteger-fix-getLength.patch
--- phpseclib-1.0.19/debian/patches/0031-BigInteger-fix-getLength.patch	1970-01-01 01:00:00.0 +0100
+++ phpseclib-1.0.19/debian/patches/0031-BigInteger-fix-getLength.patch	2024-02-27 21:27:58.0 +0100
@@ -0,0 +1,31 @@
+From: terrafrost 
+Date: Sat, 24 

Bug#1065266: bullseye-pu: package php-phpseclib/2.0.30-2+deb11u2

[David Prévot]

Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: php-phpsec...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-phpseclib
User: release.debian@packages.debian.org
Usertags: pu

Hi,

This issue is similar to #1065263 for bookworm

I’d like to see CVE-2024-27354 and CVE-2024-27355 addressed in the next
point release. We agreed with the security team that these issues are
not worth a DSA.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

TIA for considering.

Cheers,

taffit


signature.asc
Description: PGP signature

Bug#1065264: bookworm-pu: package phpseclib/1.0.20-1+deb12u2

[David Prévot]

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: phpsec...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:phpseclib
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I’d like to see CVE-2024-27354 and CVE-2024-27355 addressed in the next
point release. We agreed with the security team that these issues are
not worth a DSA. This update also fixes an issue in dependency loading
similar to CVE-2024-24821 as fixed in composer/DSA-5632-1.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

TIA for considering.

Cheers,

taffit
diff -Nru phpseclib-1.0.20/debian/changelog phpseclib-1.0.20/debian/changelog
--- phpseclib-1.0.20/debian/changelog	2023-12-31 11:37:21.0 +0100
+++ phpseclib-1.0.20/debian/changelog	2024-02-26 22:58:32.0 +0100
@@ -1,3 +1,13 @@
+phpseclib (1.0.20-1+deb12u2) bookworm; urgency=medium
+
+  * Backport upstream fixes
+- BigInteger: put guardrails on isPrime() and randomPrime() [CVE-2024-27354]
+- ASN1: limit OID length [CVE-2024-27355]
+- BigInteger: fix getLength()
+  * Force system dependencies loading
+
+ -- David Prévot   Mon, 26 Feb 2024 22:58:32 +0100
+
 phpseclib (1.0.20-1+deb12u1) bookworm-security; urgency=medium
 
   * Track Bookworm
diff -Nru phpseclib-1.0.20/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch phpseclib-1.0.20/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
--- phpseclib-1.0.20/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	1970-01-01 01:00:00.0 +0100
+++ phpseclib-1.0.20/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	2024-02-26 22:58:32.0 +0100
@@ -0,0 +1,76 @@
+From: terrafrost 
+Date: Fri, 23 Feb 2024 08:57:22 -0600
+Subject: BigInteger: put guardrails on isPrime() and randomPrime()
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/ad5dbdf2129f5e0fb644637770b7f33de8ca8575
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-27354
+---
+ phpseclib/Math/BigInteger.php | 41 -
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index 961e6ca..5f6b8f3 100644
+--- a/phpseclib/Math/BigInteger.php
 b/phpseclib/Math/BigInteger.php
+@@ -746,6 +746,33 @@ class Math_BigInteger
+ return $result;
+ }
+ 
++/**
++ * Return the size of a BigInteger in bits
++ *
++ * @return int
++ */
++function getLength()
++{
++if (MATH_BIGINTEGER_MODE != MATH_BIGINTEGER_MODE_INTERNAL) {
++return strlen($this->toBits());
++}
++
++$max = count($this->value) - 1;
++return $max != -1 ?
++$max * MATH_BIGINTEGER_BASE + ceil(log($a->value[$max] + 1, 2)) :
++0;
++}
++
++/**
++ * Return the size of a BigInteger in bytes
++ *
++ * @return int
++ */
++function getLengthInBytes()
++{
++return ceil($this->getLength() / 8);
++}
++
+ /**
+  * Copy an object
+  *
+@@ -3283,6 +3310,11 @@ class Math_BigInteger
+ $min = $temp;
+ }
+ 
++$length = $max->getLength();
++if ($length > 8196) {
++user_error('Generation of random prime numbers larger than 8196 has been disabled');
++}
++
+ static $one, $two;
+ if (!isset($one)) {
+ $one = new Math_BigInteger(1);
+@@ -3390,7 +3422,14 @@ class Math_BigInteger
+  */
+ function isPrime($t = false)
+ {
+-$length = strlen($this->toBytes());
++$length = $this->getLength();
++// OpenSSL limits RSA keys to 16384 bits. The length of an RSA key is equal to the length of the modulo, which is
++// produced by multiplying the primes p and q by one another. The largest number two 8196 bit primes can produce is
++// a 16384 bit number so, basically, 8196 bit primes are the largest OpenSSL will generate and if that's the largest
++// that it'll generate it also stands to reason that that's the largest you'll be able to test primality on
++if ($length > 8196) {
++user_error('Primality testing is not supported for numbers larger than 8196 bits');
++}
+ 
+ if (!$t) {
+ // see HAC 4.49 "Note (controlling the error probability)"
Les fichiers binaires /tmp/iyz_ted7Do/phpseclib-1.0.20/debian/patches/0012-ASN1-limit-OID-length.patch et /tmp/6XyXWtF89o/phpseclib-1.0.20/debian/patches/0012-ASN1-limit-OID-length.patch sont différents
diff -Nru phpseclib-1.0.20/debian/patches/0013-BigInteger-fix-getLength.patch phpseclib-1.0.20/debian/patches/0013-BigInteger-fix-getLength.patc

Bug#1065263: bookworm-pu: package php-phpseclib/2.0.42-1+deb12u2

[David Prévot]

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-phpsec...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-phpseclib
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I’d like to see CVE-2024-27354 and CVE-2024-27355 addressed in the next
point release. We agreed with the security team that these issues are
not worth a DSA.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

TIA for considering.

Cheers,

taffit
diff -Nru php-phpseclib-2.0.42/debian/changelog php-phpseclib-2.0.42/debian/changelog
--- php-phpseclib-2.0.42/debian/changelog	2023-12-31 11:49:50.0 +0100
+++ php-phpseclib-2.0.42/debian/changelog	2024-02-26 23:23:19.0 +0100
@@ -1,3 +1,15 @@
+php-phpseclib (2.0.42-1+deb12u2) bookworm; urgency=medium
+
+  * Backport upstream fixes
+- BigInteger: put guardrails on isPrime() and randomPrime() [CVE-2024-27354]
+- BigInteger: rm visibility modifiers from static variables
+- ASN1: limit OID length [CVE-2024-27355]
+- Tests: updates for phpseclib 2.0
+- BigInteger: phpseclib 2.0 updates
+- BigInteger: fix getLength()
+
+ -- David Prévot   Mon, 26 Feb 2024 23:23:19 +0100
+
 php-phpseclib (2.0.42-1+deb12u1) bookworm-security; urgency=medium
 
   * Track bookworm
diff -Nru php-phpseclib-2.0.42/debian/patches/0010-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch php-phpseclib-2.0.42/debian/patches/0010-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
--- php-phpseclib-2.0.42/debian/patches/0010-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib-2.0.42/debian/patches/0010-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	2024-02-26 23:23:19.0 +0100
@@ -0,0 +1,76 @@
+From: terrafrost 
+Date: Fri, 23 Feb 2024 08:57:22 -0600
+Subject: BigInteger: put guardrails on isPrime() and randomPrime()
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/ad5dbdf2129f5e0fb644637770b7f33de8ca8575
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-27354
+---
+ phpseclib/Math/BigInteger.php | 41 -
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index 81b69ac..fd9cd57 100644
+--- a/phpseclib/Math/BigInteger.php
 b/phpseclib/Math/BigInteger.php
+@@ -729,6 +729,33 @@ class BigInteger
+ return $result;
+ }
+ 
++/**
++ * Return the size of a BigInteger in bits
++ *
++ * @return int
++ */
++function getLength()
++{
++if (MATH_BIGINTEGER_MODE != MATH_BIGINTEGER_MODE_INTERNAL) {
++return strlen($this->toBits());
++}
++
++$max = count($this->value) - 1;
++return $max != -1 ?
++$max * MATH_BIGINTEGER_BASE + ceil(log($a->value[$max] + 1, 2)) :
++0;
++}
++
++/**
++ * Return the size of a BigInteger in bytes
++ *
++ * @return int
++ */
++function getLengthInBytes()
++{
++return ceil($this->getLength() / 8);
++}
++
+ /**
+  * Copy an object
+  *
+@@ -3237,6 +3264,11 @@ class BigInteger
+ $min = $temp;
+ }
+ 
++$length = $max->getLength();
++if ($length > 8196) {
++user_error('Generation of random prime numbers larger than 8196 has been disabled');
++}
++
+ static $one, $two;
+ if (!isset($one)) {
+ $one = new static(1);
+@@ -3344,7 +3376,14 @@ class BigInteger
+  */
+ function isPrime($t = false)
+ {
+-$length = strlen($this->toBytes());
++$length = $this->getLength();
++// OpenSSL limits RSA keys to 16384 bits. The length of an RSA key is equal to the length of the modulo, which is
++// produced by multiplying the primes p and q by one another. The largest number two 8196 bit primes can produce is
++// a 16384 bit number so, basically, 8196 bit primes are the largest OpenSSL will generate and if that's the largest
++// that it'll generate it also stands to reason that that's the largest you'll be able to test primality on
++if ($length > 8196) {
++user_error('Primality testing is not supported for numbers larger than 8196 bits');
++}
+ 
+ if (!$t) {
+ // see HAC 4.49 "Note (controlling the error probability)"
diff -Nru php-phpseclib-2.0.42/debian/patches/0011-BigInteger-rm-visibility-modifiers-from-static-varia.patch php-phpseclib-2.0.42/debian/patches/0011-BigInteger-rm-visibility-modifiers-from-static-varia.patch
--- php-phpseclib-2.0.42/debian/patches/0011-BigInteger-rm-visibility-modifiers-from-static-varia.patch	1970-01-01 01:00

Bug#1065261: bookworm-pu: package php-phpseclib3/3.0.19-1+deb12u3

[David Prévot]

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-phpsecl...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-phpseclib3
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I’d like to see CVE-2024-27354 and CVE-2024-27355 addressed in the next
point release. We agreed with the security team that these issues are
not worth a DSA. This update also fixes an issue in dependency loading
similar to CVE-2024-24821 as fixed in composer/DSA-5632-1.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

TIA for considering.

Cheers,

taffit
diff -Nru php-phpseclib3-3.0.19/debian/autoload.php.tpl php-phpseclib3-3.0.19/debian/autoload.php.tpl
--- php-phpseclib3-3.0.19/debian/autoload.php.tpl	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib3-3.0.19/debian/autoload.php.tpl	2024-02-27 21:58:00.0 +0100
@@ -0,0 +1,31 @@
+  Tue, 27 Feb 2024 21:58:00 +0100
+
 php-phpseclib3 (3.0.19-1+deb12u2) bookworm-security; urgency=medium
 
   * Backport upstream SSH2 changes
diff -Nru php-phpseclib3-3.0.19/debian/clean php-phpseclib3-3.0.19/debian/clean
--- php-phpseclib3-3.0.19/debian/clean	2023-12-31 12:13:49.0 +0100
+++ php-phpseclib3-3.0.19/debian/clean	2024-02-27 21:58:00.0 +0100
@@ -1,6 +1,7 @@
-debian/autoload.php.tpl
 debian/autoload.tests.php.tpl
+ParagonIE
 phpseclib/autoload.php
 phpseclib3
+random_compat
 tests/.phpunit.result.cache
 vendor/
diff -Nru php-phpseclib3-3.0.19/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch php-phpseclib3-3.0.19/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
--- php-phpseclib3-3.0.19/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib3-3.0.19/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	2024-02-27 21:58:00.0 +0100
@@ -0,0 +1,42 @@
+From: terrafrost 
+Date: Sat, 24 Feb 2024 08:38:47 -0600
+Subject: BigInteger: put guardrails on isPrime() and randomPrime()
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/0358eb163c55a9fd7b3848b9ecc83f6b9e49dbf5
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-27354
+---
+ phpseclib/Math/BigInteger/Engines/Engine.php | 14 ++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/phpseclib/Math/BigInteger/Engines/Engine.php b/phpseclib/Math/BigInteger/Engines/Engine.php
+index 2b00bc3..3a735e7 100644
+--- a/phpseclib/Math/BigInteger/Engines/Engine.php
 b/phpseclib/Math/BigInteger/Engines/Engine.php
+@@ -781,6 +781,11 @@ abstract class Engine implements \JsonSerializable
+ $min = $temp;
+ }
+ 
++$length = $max->getLength();
++if ($length > 8196) {
++throw new \RuntimeException("Generation of random prime numbers larger than 8196 has been disabled ($length)");
++}
++
+ $x = static::randomRange($min, $max);
+ 
+ return static::randomRangePrimeInner($x, $min, $max);
+@@ -985,6 +990,15 @@ abstract class Engine implements \JsonSerializable
+  */
+ public function isPrime($t = false)
+ {
++// OpenSSL limits RSA keys to 16384 bits. The length of an RSA key is equal to the length of the modulo, which is
++// produced by multiplying the primes p and q by one another. The largest number two 8196 bit primes can produce is
++// a 16384 bit number so, basically, 8196 bit primes are the largest OpenSSL will generate and if that's the largest
++// that it'll generate it also stands to reason that that's the largest you'll be able to test primality on
++$length = $this->getLength();
++if ($length > 8196) {
++throw new \RuntimeException("Primality testing is not supported for numbers larger than 8196 bits ($length)");
++}
++
+ if (!$t) {
+ $t = $this->setupIsPrime();
+ }
diff -Nru php-phpseclib3-3.0.19/debian/patches/0012-Tests-add-unit-test-for-EC-pub-key-with-excessively-.patch php-phpseclib3-3.0.19/debian/patches/0012-Tests-add-unit-test-for-EC-pub-key-with-excessively-.patch
--- php-phpseclib3-3.0.19/debian/patches/0012-Tests-add-unit-test-for-EC-pub-key-with-excessively-.patch	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib3-3.0.19/debian/patches/0012-Tests-add-unit-test-for-EC-pub-key-with-excessively-.patch	2024-02-27 21:58:00.0 +0100
@@ -0,0 +1,46 @@
+From: terrafrost 
+Date: Sat, 24 Feb 2024 08:42:27 -0600
+Subject: Tests: add unit test for EC pub key with excessively large integer
+
+Origin: backport, https://github.com/phpseclib/phpseclib/commit/e17409a3e39baf7c8ed9635c04130802463b117b
+---
+ tests/Unit/File/X509/X509Test.php|  12 
+ tests/Unit/File/X509/mal-cert-01.der | Bin 0 -> 

Bug#1065209: package sae_pk_gen

[David Mandelberg]

Package: hostapd
Version: 2:2.10-12
Severity: wishlist

Hi,

I think https://w1.fi/cgit/hostap/tree/hostapd/sae_pk_gen.c is needed to 
configure hostapd for SAE-PK. Would it be possible to build it 
(https://w1.fi/cgit/hostap/tree/hostapd/Makefile#n1390) and include that 
in the package?

Bug#1065120: python3-tables: includes Python package dependency on blosc2 in metadata

[David M. Cooke]

Package: python3-tables
Version: 3.9.2-1
Severity: normal
X-Debbugs-Cc: none, david.m.co...@gmail.com, David M. Cooke 


Dear Maintainer,

While attempting to run vitables, I get the following traceback:

Traceback (most recent call last):
  File "/usr/bin/vitables", line 33, in 
sys.exit(load_entry_point('ViTables==3.0.2', 'gui_scripts', 
'vitables-run')())
 ^^
  File "/usr/bin/vitables", line 25, in importlib_load_entry_point
return next(matches).load()
   
  File "/usr/lib/python3.11/importlib/metadata/__init__.py", line 202, in load
module = import_module(match.group('module'))
 
  File "/usr/lib/python3.11/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
   
  File "", line 1204, in _gcd_import
  File "", line 1176, in _find_and_load
  File "", line 1147, in _find_and_load_unlocked
  File "", line 690, in _load_unlocked
  File "", line 940, in exec_module
  File "", line 241, in _call_with_frames_removed
  File "/usr/share/vitables/vitables/start.py", line 31, in 
from vitables.vtapp import VTApp
  File "/usr/share/vitables/vitables/vtapp.py", line 43, in 
import vitables.preferences.pluginsloader as pluginsloader
  File "/usr/share/vitables/vitables/preferences/pluginsloader.py", line 26, in 

import pkg_resources
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 3327, 
in 
@_call_aside
 ^^^
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 3302, 
in _call_aside
f(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 3340, 
in _initialize_master_working_set
working_set = WorkingSet._build_master()
  ^^
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 631, in 
_build_master
ws.require(__requires__)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 968, in 
require
needed = self.resolve(parse_requirements(requirements))
 ^^
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 829, in 
resolve
dist = self._resolve_dist(
   ^^^
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 870, in 
_resolve_dist
raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'blosc2>=2.3.0' distribution was not 
found and is required by tables

(Reported as Bug#1065117)

Ultimately, I believe the problem to be that
/usr/lib/python3/dist-packages/tables-3.9.2.dist-info/METADATA
includes a line 'Requires-Dist: blosc2 >=2.3.0' (unless that information
is somewhere elso also; I couldn't find it elsewhere).  However, the
blosc2 Python package isn't installed (nor, for that matter, packaged
for Debian).  When vitables starts to look for plugins, the
pkg_resources module attempts to resolve vitables' Python dependencies.

>From what I can tell, the Python bindings in the blosc2 package aren't
used, and it's only listed for the blosc2 library and headers it
includes -- python3-tables is built against the libblosc2-2 Debian
package instead.

I think removing the offending line from METADATA should be a
sufficient fix.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.6.15-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en_US
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3-tables depends on:
ii  python-tables-data  3.9.2-1
ii  python3 3.11.6-1
ii  python3-cpuinfo 9.0.0-1
ii  python3-numexpr 2.9.0-1
ii  python3-numpy   1:1.24.2-2
ii  python3-packaging   23.2-1
ii  python3-tables-lib  3.9.2-1

python3-tables recommends no packages.

Versions of packages python3-tables suggests:
pn  python-tables-doc  
ii  python3-netcdf41.6.5-1+b1
ii  vitables   3.0.2-4

-- no debconf information

Bug#1065117: vitables: fails to start

[David Cooke]

Package: vitables
Version: 3.0.2-4
Severity: important
X-Debbugs-Cc: david.m.co...@gmail.com

Dear Maintainer,

Running vitables (version 3.0.2-4 from sid) results in the following
Python traceback:

Traceback (most recent call last):
  File "/usr/bin/vitables", line 33, in 
sys.exit(load_entry_point('ViTables==3.0.2', 'gui_scripts', 'vitables-
run')())
 ^^
  File "/usr/bin/vitables", line 25, in importlib_load_entry_point
return next(matches).load()
   
  File "/usr/lib/python3.11/importlib/metadata/__init__.py", line 202, in load
module = import_module(match.group('module'))
 
  File "/usr/lib/python3.11/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
   
  File "", line 1204, in _gcd_import
  File "", line 1176, in _find_and_load
  File "", line 1147, in _find_and_load_unlocked
  File "", line 690, in _load_unlocked
  File "", line 940, in exec_module
  File "", line 241, in _call_with_frames_removed
  File "/usr/share/vitables/vitables/start.py", line 31, in 
from vitables.vtapp import VTApp
  File "/usr/share/vitables/vitables/vtapp.py", line 43, in 
import vitables.preferences.pluginsloader as pluginsloader
  File "/usr/share/vitables/vitables/preferences/pluginsloader.py", line 26, in

import pkg_resources
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 3327,
in 
@_call_aside
 ^^^
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 3302,
in _call_aside
f(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 3340,
in _initialize_master_working_set
working_set = WorkingSet._build_master()
  ^^
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 631, in
_build_master
ws.require(__requires__)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 968, in
require
needed = self.resolve(parse_requirements(requirements))
 ^^
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 829, in
resolve
dist = self._resolve_dist(
   ^^^
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 870, in
_resolve_dist
raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'blosc2>=2.3.0' distribution was not
found and is required by tables


I believe the problem is that when vitables starts to look for plugins,
the pkg_resource module examines the vitable package requirements (contained in
/usr/share/vitables/ViTables-3.0.2.egg-info/requires.txt), which
leads it to the tables package and to its METADATA file
/usr/lib/python3/dist-packages/tables-3.9.2.dist-info/METADATA
which contains 'Requires-Dist: blosc2 >=2.3.0'.

Now, the tables package (packaged as the Debian packages python3-tables,
python3-tables-lib, python3-tables-data, or source package pytables)
doesn't actually use the Python bindings in the Python package blosc2,
as per its documentation, but only the C library and headers that
package provides (as a convenience). Python3-tables-lib instead is built
directly with libblosc2-2 (which should be fine).

Basically, Debian requirements aren't matching the requirements
declared by Python.  I'll file a separate bug against python3-tables.

(As a side note: this is about the third Python app package I've filed
a bug against for crashing while _starting_ the program.  Please!
Actually try to run things before uploading!!)


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.6.15-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en_US
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages vitables depends on:
ii  python3  3.11.6-1
ii  python3-numexpr  2.9.0-1
ii  python3-numpy1:1.24.2-2
ii  python3-pyqt55.15.10+dfsg-1
ii  python3-qtpy 2.4.1-2
ii  python3-tables   3.9.2-1

vitables recommends no packages.

vitables suggests no packages.

-- no debconf information

Bug#1065112: Acknowledgement (linux-image-6.1.0-18-amd64: System unresponsive after resume from suspend when WoWLAN enabled in iwlwifi)

[David Balch]

Clarification:

The above step: "3. After suspend, press a key" is to wake the system up.
(I had tried magic packet and it didn't work, so pressed a key to wake and
got a lit screen but no interactivity.)

With WoWLAN disabled, pressing a key would successfully wake.
With WoWLAN enabled, WoWLAN didn't work, and pressing a key would wake it
enough to light the display - but not respond except to sysrq.

On Thu, 29 Feb 2024 at 21:18, Debian Bug Tracking System <
ow...@bugs.debian.org> wrote:

> Thank you for filing a new Bug report with Debian.
>
> You can follow progress on this Bug here: 1065112:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065112.
>
> This is an automatically generated reply to let you know your message
> has been received.
>
> Your message is being forwarded to the package maintainers and other
> interested parties for their attention; they will reply in due course.
>
> As you requested using X-Debbugs-CC, your message was also forwarded to
>   da...@balch.co.uk
> (after having been given a Bug report number, if it did not have one).
>
> Your message has been sent to the package maintainer(s):
>  Debian Kernel Team 
>
> If you wish to submit further information on this problem, please
> send it to 1065...@bugs.debian.org.
>
> Please do not send mail to ow...@bugs.debian.org unless you wish
> to report a problem with the Bug-tracking system.
>
> --
> 1065112: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065112
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
>

Bug#1065112: linux-image-6.1.0-18-amd64: System unresponsive after resume from suspend when WoWLAN enabled in iwlwifi

[David Balch]

Package: src:linux
Version: 6.1.76-1
Severity: normal
X-Debbugs-Cc: da...@balch.co.uk

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?

I am trying to get WoWLAN working on an old DELL via a PCIe WiFi card ( 
https://www.amazon.co.uk/dp/B0BTCNG9TD?psc=1=ppx_yo2ov_dt_b_product_details 
)
that uses the Intel 7265 chipset ( 
https://www.intel.com/content/www/us/en/products/sku/83635/intel-dual-band-wirelessac-7265/specifications.html
 ).

The card's result from lspci:
  03:00.0 Network controller [0280]: "Intel Corporation Wireless 7265 
[8086:095a] (rev 59)"



   * What exactly did you do (or not do) that was effective (or
 ineffective)?

1. Enabled WoWLAN with magic-packet with `iw phy0 wowlan enable magic-packet`
2. Suspend PC with `echo "mem" > /sys/power/state`
3. After suspend, press a key.

I also tried this with a pristine build of linux 6.7.6, and encountered the 
same problem.


   * What was the outcome of this action?

The display lit up, showing the same information as before suspend, but the 
mouse and keyboard don't respond.
Magic SysRq does respond.


I found my way to seeing the kernel crash message (via preventing 
console_suspend, and tweaking /proc/sys/kernel/{prink,sysrq} values),
as shown in the image at: https://imgur.com/a/E7dD0ND


Initial analysis of that photo from iam_tj[m]1 on irc #debian-kernel 
(2024-02-29 19:48):

>From your photo we see  
>`drivers/net/wireless/intel/iwlwifi/iwl-trans.c::iwl_trans_txq_enable_cfg()` 
>report "bad state" and that is called from 
>`drivers/net/wireless/intel/iwlwifi/mvm/d3.c::iwl_mvm_send_wowlan_get_status()`
> that reports "failed to query wakeup status (-5)".
>From reading the code around WoWLAN it seems a special WoWLAN firmware should 
>be loaded into the device on suspend and on resume the driver is checking it 
>is (still) there.
If not the driver should cause a full device reset.
`asm_exc_invalid_op` is a TRAP leading to 
`arch/x86/kernel/traps.c::handle_invalid_op()` which may imply the code in RAM 
has been corrupted (in the function `iwl_pcie_tx_start()` presumably).
Doesn't seem too likely though since code (.text sections) should be read-only 
unless the RAM itself is faulty - but if that one wouldn't expect the same 
error every time.



   * What outcome did you expect instead?

The system resumes from suspend and is fully interactive (as it does when 
WoWLAN is disabled).





-- Package-specific info:
** Version:
Linux version 6.1.0-18-amd64 (debian-ker...@lists.debian.org) (gcc-12 (Debian 
12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP 
PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01)

** Command line:
BOOT_IMAGE=/boot/vmlinuz-6.1.0-18-amd64 
root=UUID=b15802a9-4b38-4cb9-9109-fdf1cad881b0 ro quiet crashkernel=384M-:128M

** Not tainted

** Kernel log:
[4.039828] mei_me :00:16.0: enabling device ( -> 0002)
[4.064801] input: PC Speaker as /devices/platform/pcspkr/input/input9
[4.066671] ee1004 0-0051: 512 byte EE1004-compliant SPD EEPROM, read-only
[4.066685] ee1004 0-0053: 512 byte EE1004-compliant SPD EEPROM, read-only
[4.110654] iTCO_wdt iTCO_wdt: Found a Intel PCH TCO device (Version=4, 
TCOBASE=0x0400)
[4.112303] dcdbas dcdbas: Dell Systems Management Base Driver (version 
5.6.0-3.4)
[4.113931] iTCO_wdt iTCO_wdt: initialized. heartbeat=30 sec (nowayout=0)
[4.128354] cfg80211: Loading compiled-in X.509 certificates for regulatory 
database
[4.128506] cfg80211: Loaded X.509 cert 'b...@debian.org: 
577e021cb980e0e820821ba7b54b4961b8b4fadf'
[4.128645] cfg80211: Loaded X.509 cert 'romain.per...@gmail.com: 
3abbc6ec146e09d1b6016ab9d6cf71dd233f0328'
[4.128783] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[4.128917] cfg80211: Loaded X.509 cert 'wens: 
61c038651aabdcf94bd0ac7ff06c7248db18c600'
[4.133009] platform regulatory.0: firmware: direct-loading firmware 
regulatory.db
[4.133129] platform regulatory.0: firmware: direct-loading firmware 
regulatory.db.p7s
[4.133616] input: Dell WMI hotkeys as 
/devices/platform/PNP0C14:00/wmi_bus/wmi_bus-PNP0C14:00/9DBB5994-A997-11DA-B012-B622A1EF5492/input/input10
[4.154628] Intel(R) Wireless WiFi driver for Linux
[4.166726] pcieport :00:1d.0: Intel SPT PCH root port ACS workaround 
enabled
[4.166880] iwlwifi :03:00.0: enabling device (0100 -> 0102)
[4.169833] iwlwifi :03:00.0: firmware: direct-loading firmware 
iwlwifi-7265D-29.ucode
[4.169856] iwlwifi :03:00.0: Found debug destination: EXTERNAL_DRAM
[4.169857] iwlwifi :03:00.0: Found debug configuration: 0
[4.170045] iwlwifi :03:00.0: loaded firmware version 29.4063824552.0 
7265D-29.ucode op_mode iwlmvm
[4.184779] snd_hda_intel :00:1f.3: enabling device (0100 -> 0102)
[4.187148] RAPL PMU: API unit is 2^-32 Joules, 4 fixed counters, 655360 ms 
ovfl timer
[4.187150] RAPL PMU: hw unit of domain 

Bug#1065041: src:racket-mode: fails to migrate to testing for too long: autopkgtest failure

[David Bremner]

Paul Gevers  writes:

> Source: racket-mode
> Version: 20231222git0-1
> Severity: serious
> Control: close -1 20240129git0-1
> Tags: sid trixie
> User: release.debian@packages.debian.org
> Usertags: out-of-sync
>

In principle the autopkgtest failure should be fixed with 20240129git0-2
just uploaded to unstable. We'll have to wait for the servers to catch
up to see for sure.

d

Bug#1065079: bullseye-pu: package php-doctrine-annotations/1.11.2-1+deb11u1

[David Prévot]

Le Thu, Feb 29, 2024 at 03:06:35PM +0100, David Prévot a écrit :
>   [x] attach debdiff against the package in (old)stable

One more time…
diff -Nru php-doctrine-annotations-1.11.2/debian/autoload.php.tpl php-doctrine-annotations-1.11.2/debian/autoload.php.tpl
--- php-doctrine-annotations-1.11.2/debian/autoload.php.tpl	2020-11-26 19:54:10.0 +0100
+++ php-doctrine-annotations-1.11.2/debian/autoload.php.tpl	2024-02-18 12:30:56.0 +0100
@@ -1,6 +1,6 @@
   Sun, 18 Feb 2024 12:32:47 +0100
+
 php-doctrine-annotations (1.11.2-1) unstable; urgency=medium
 
   [ Grégoire Paris ]
diff -Nru php-doctrine-annotations-1.11.2/debian/clean php-doctrine-annotations-1.11.2/debian/clean
--- php-doctrine-annotations-1.11.2/debian/clean	2020-11-26 19:54:10.0 +0100
+++ php-doctrine-annotations-1.11.2/debian/clean	2024-02-18 12:31:13.0 +0100
@@ -1,3 +1,7 @@
 .phpunit.result.cache
 lib/Doctrine/Common/Annotations/autoload.php
+lib/Doctrine/Common/Cache
+lib/Doctrine/Common/Lexer
+lib/Psr
+lib/Symfony
 vendor/
diff -Nru php-doctrine-annotations-1.11.2/debian/control php-doctrine-annotations-1.11.2/debian/control
--- php-doctrine-annotations-1.11.2/debian/control	2021-02-20 14:32:25.0 +0100
+++ php-doctrine-annotations-1.11.2/debian/control	2024-02-18 12:29:35.0 +0100
@@ -10,7 +10,7 @@
phpab,
phpunit
 Standards-Version: 4.5.1
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-doctrine-annotations.git -b debian/latest
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-doctrine-annotations.git -b debian/bullseye
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-doctrine-annotations
 Homepage: https://www.doctrine-project.org/projects/annotations.html
 Rules-Requires-Root: no
diff -Nru php-doctrine-annotations-1.11.2/debian/gbp.conf php-doctrine-annotations-1.11.2/debian/gbp.conf
--- php-doctrine-annotations-1.11.2/debian/gbp.conf	2021-02-20 14:25:27.0 +0100
+++ php-doctrine-annotations-1.11.2/debian/gbp.conf	2024-02-18 12:29:42.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bullseye
 filter = [ '.gitattributes' ]
 pristine-tar = True
 upstream-vcs-tag = %(version%~%-)s
diff -Nru php-doctrine-annotations-1.11.2/debian/rules php-doctrine-annotations-1.11.2/debian/rules
--- php-doctrine-annotations-1.11.2/debian/rules	2021-02-20 14:32:22.0 +0100
+++ php-doctrine-annotations-1.11.2/debian/rules	2024-02-18 12:31:33.0 +0100
@@ -1,7 +1,7 @@
 #!/usr/bin/make -f
 
 %:
-	dh $@
+	dh $@ -XCommon/Cache -XCommon/Lexer -Xlib/Psr -XSymfony
 
 override_dh_auto_build:
 	phpab \
@@ -9,6 +9,10 @@
 		--template debian/autoload.php.tpl \
 		lib/Doctrine/Common/Annotations
 	mkdir --parents vendor
+	ln -s /usr/share/php/Doctrine/Common/Cache lib/Doctrine/Common
+	ln -s /usr/share/php/Doctrine/Common/Lexer lib/Doctrine/Common
+	ln -s /usr/share/php/Psr lib
+	ln -s /usr/share/php/Symfony lib
 	phpab \
 		--output vendor/autoload.php \
 		--template debian/autoload.tests.php.tpl \


signature.asc
Description: PGP signature

Bug#1065079: bullseye-pu: package php-doctrine-annotations/1.11.2-1+deb11u1

[David Prévot]

Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: php-doctrine-annotati...@packages.debian.org, 
t...@security.debian.org
Control: affects -1 + src:php-doctrine-annotations
User: release.debian@packages.debian.org
Usertags: pu

[6/6 for bullseye]

This is a follow up from composer/DSA-5632-1, similar to #1065065 in
bookworm.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides changelog entry) in the binary package is the
following (thanks to diffoscope).

│ │ ├── ./usr/share/php/Doctrine/Common/Annotations/autoload.php
│ │ │ @@ -1,10 +1,10 @@
│ │ │  

signature.asc
Description: PGP signature

Bug#1065077: bullseye-pu: package php-zend-code/4.0.0-2+deb11u1

[David Prévot]

Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: php-zend-c...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-zend-code
User: release.debian@packages.debian.org
Usertags: pu

[5/6 for bullseye]

This is a follow up from composer/DSA-5632-1, similar to #1065062 in
bookworm.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides changelog entry) in the binary package is the
following (thanks to diffoscope).

│ │ ├── ./usr/share/php/Laminas/Code/autoload.php
│ │ │ @@ -1,14 +1,12 @@
│ │ │  diff -Nru php-zend-code-4.0.0/debian/autoload.php.tpl php-zend-code-4.0.0/debian/autoload.php.tpl
--- php-zend-code-4.0.0/debian/autoload.php.tpl	2021-01-11 20:28:16.0 +0100
+++ php-zend-code-4.0.0/debian/autoload.php.tpl	2024-02-18 12:20:19.0 +0100
@@ -1,10 +1,8 @@
   Sun, 18 Feb 2024 12:21:22 +0100
+
 php-zend-code (4.0.0-2) unstable; urgency=medium
 
   * Upload to unstable in sync with (reverse-)dependencies
diff -Nru php-zend-code-4.0.0/debian/clean php-zend-code-4.0.0/debian/clean
--- php-zend-code-4.0.0/debian/clean	2021-01-03 18:07:35.0 +0100
+++ php-zend-code-4.0.0/debian/clean	2024-02-18 12:18:12.0 +0100
@@ -1,4 +1,5 @@
 .phpunit.result.cache
+Doctrine
 src/autoload.php
 vendor/
 Laminas/
diff -Nru php-zend-code-4.0.0/debian/control php-zend-code-4.0.0/debian/control
--- php-zend-code-4.0.0/debian/control	2021-01-03 18:08:00.0 +0100
+++ php-zend-code-4.0.0/debian/control	2024-02-18 12:13:21.0 +0100
@@ -12,7 +12,7 @@
pkg-php-tools
 Standards-Version: 4.5.1
 Homepage: https://docs.laminas.dev/laminas-code/
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-zend-code.git -b debian/latest
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-zend-code.git -b debian/bullseye
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-zend-code
 Rules-Requires-Root: no
 
diff -Nru php-zend-code-4.0.0/debian/gbp.conf php-zend-code-4.0.0/debian/gbp.conf
--- php-zend-code-4.0.0/debian/gbp.conf	2021-01-03 18:07:35.0 +0100
+++ php-zend-code-4.0.0/debian/gbp.conf	2024-02-18 12:13:27.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bullseye
 pristine-tar = True
 pristine-tar-commit = True
 
diff -Nru php-zend-code-4.0.0/debian/rules php-zend-code-4.0.0/debian/rules
--- php-zend-code-4.0.0/debian/rules	2021-01-03 18:07:35.0 +0100
+++ php-zend-code-4.0.0/debian/rules	2024-02-18 12:21:22.0 +0100
@@ -7,7 +7,10 @@
 		--template debian/autoload.php.tpl \
 		src
 	mkdir --parents vendor Laminas
-	ln -s ../src Laminas/Code
+	cp -r src Laminas/Code
+	ln -s /usr/share/php/Doctrine .
+	ln -s /usr/share/php/Laminas/EventManager Laminas
+	ln -s /usr/share/php/Laminas/Stdlib Laminas
 	phpab	--output vendor/autoload.php \
 		--template debian/autoload.tests.php.tpl \
 		test


signature.asc
Description: PGP signature

Bug#1065076: bullseye-pu: package php-proxy-manager/2.11.1+1.0.3-1+deb11u1

[David Prévot]

Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: php-proxy-mana...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-proxy-manager
User: release.debian@packages.debian.org
Usertags: pu

[4/6 for bullseye]

This is a follow up from composer/DSA-5632-1, similar to #1065061 in
bookworm.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides changelog entry) in the binary package is the
following (thanks to diffoscope).

│ │ ├── ./usr/share/php/ProxyManager/autoload.php
│ │ │ @@ -1,10 +1,10 @@
│ │ │  diff -Nru php-proxy-manager-2.11.1+1.0.3/debian/autoload.php.tpl php-proxy-manager-2.11.1+1.0.3/debian/autoload.php.tpl
--- php-proxy-manager-2.11.1+1.0.3/debian/autoload.php.tpl	2021-01-27 20:55:23.0 +0100
+++ php-proxy-manager-2.11.1+1.0.3/debian/autoload.php.tpl	2024-02-18 12:10:10.0 +0100
@@ -1,6 +1,6 @@
   Sun, 18 Feb 2024 12:10:39 +0100
+
 php-proxy-manager (2.11.1+1.0.3-1) unstable; urgency=medium
 
   [ Nicolas Grekas ]
diff -Nru php-proxy-manager-2.11.1+1.0.3/debian/clean php-proxy-manager-2.11.1+1.0.3/debian/clean
--- php-proxy-manager-2.11.1+1.0.3/debian/clean	2021-01-15 03:02:22.0 +0100
+++ php-proxy-manager-2.11.1+1.0.3/debian/clean	2024-02-18 12:10:10.0 +0100
@@ -1,4 +1,6 @@
 .phpunit.result.cache
-ProxyManager
+Laminas
+ProxyManager/
 src/ProxyManager/autoload.php
+Symfony
 vendor/
diff -Nru php-proxy-manager-2.11.1+1.0.3/debian/control php-proxy-manager-2.11.1+1.0.3/debian/control
--- php-proxy-manager-2.11.1+1.0.3/debian/control	2021-01-27 21:03:45.0 +0100
+++ php-proxy-manager-2.11.1+1.0.3/debian/control	2024-02-18 12:10:10.0 +0100
@@ -12,7 +12,7 @@
pkg-php-tools
 Standards-Version: 4.5.1
 Homepage: https://github.com/FriendsOfPHP/proxy-manager-lts
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-proxy-manager.git -b debian/lts
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-proxy-manager.git -b debian/bullseye
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-proxy-manager
 Rules-Requires-Root: no
 
diff -Nru php-proxy-manager-2.11.1+1.0.3/debian/gbp.conf php-proxy-manager-2.11.1+1.0.3/debian/gbp.conf
--- php-proxy-manager-2.11.1+1.0.3/debian/gbp.conf	2021-01-27 20:55:23.0 +0100
+++ php-proxy-manager-2.11.1+1.0.3/debian/gbp.conf	2024-02-18 12:10:10.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/lts
+debian-branch = debian/bullseye
 pristine-tar = True
 pristine-tar-commit = True
 upstream-branch = upstream-lts
diff -Nru php-proxy-manager-2.11.1+1.0.3/debian/patches/0001-Also-skip-system-classes-during-tests.patch php-proxy-manager-2.11.1+1.0.3/debian/patches/0001-Also-skip-system-classes-during-tests.patch
--- php-proxy-manager-2.11.1+1.0.3/debian/patches/0001-Also-skip-system-classes-during-tests.patch	2021-01-27 20:55:23.0 +0100
+++ php-proxy-manager-2.11.1+1.0.3/debian/patches/0001-Also-skip-system-classes-during-tests.patch	2024-02-18 12:10:10.0 +0100
@@ -3,22 +3,23 @@
 Subject: Also skip system classes during tests
 
 ---
- tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php | 2 ++
- 1 file changed, 2 insertions(+)
+ tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php | 3 +++
+ 1 file changed, 3 insertions(+)
 
 diff --git a/tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php b/tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php
-index 146eeb0..abded91 100644
+index 146eeb0..37cceb8 100644
 --- a/tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php
 +++ b/tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php
-@@ -112,6 +112,7 @@ final class FatalPreventionFunctionalTest extends TestCase
+@@ -112,6 +112,8 @@ final class FatalPreventionFunctionalTest extends TestCase
  realpath(__DIR__ . '/../../../src'),
  realpath(__DIR__ . '/../../../vendor'),
  realpath(__DIR__ . '/../../ProxyManagerTest'),
++realpath(__DIR__ . '/../../../ProxyManager'),
 +realpath('/usr/share/php'),
  ];
  
  return array_filter(
-@@ -138,6 +139,7 @@ final class FatalPreventionFunctionalTest extends TestCase
+@@ -138,6 +140,7 @@ final class FatalPreventionFunctionalTest extends TestCase
  
  if (strpos($realPath, $skippedPath) === 0) {
  // skip classes defined within ProxyManager, vendor or the test suite
diff -Nru php-proxy-manager-2.11.1+1.0.3/debian/rules php-proxy-manager-2.11.1+1.0.3/debian/rules
--- php-proxy-manager-2.11.1+1.0.3/debian/rules	2021-01-27 20:55:23.0 +0100
+++ php-proxy-manager-2.11.1+1.0.3/debian/rules	2024-02-18 12:10:10.0 +0100
@@ -15,7 +15,9 @@
 		tests/ProxyManagerTest \
 		tests/ProxyManagerTestAsset \
 		tests/Stubbed/Laminas/Server
-	ln -s src/ProxyManager .
+	cp 

Bug#1065075: bullseye-pu: package symfony/4.4.19+dfsg-2+deb11u5

[David Prévot]

Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: symf...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:symfony
User: release.debian@packages.debian.org
Usertags: pu

[3/6 for bullseye]

This is a follow up from composer/DSA-5632-1, similar to #1065059 in
bookworm.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release. It also adds an upstream patch in order to fix the
testsuite, already referenced via #1061033 in Debian.

The only change (besides changelog entry) in the binary packages is of
the following kind (thanks to diffoscope), for example for
php-symfony-cache.

│ │ ├── ./usr/share/php/Symfony/Component/Cache/autoload.php
│ │ │ @@ -1,14 +1,13 @@
│ │ │  diff -Nru symfony-4.4.19+dfsg/debian/autoload.php 
symfony-4.4.19+dfsg/debian/autoload.php
--- symfony-4.4.19+dfsg/debian/autoload.php 2023-11-11 19:09:20.0 
+0100
+++ symfony-4.4.19+dfsg/debian/autoload.php 2024-02-18 10:59:51.0 
+0100
@@ -1,76 +1,76 @@
   Sun, 18 Feb 2024 10:59:51 +0100
+
 symfony (4.4.19+dfsg-2+deb11u4) bullseye; urgency=medium
 
   * [Mime] regenerate test certificates (Closes: #1034854)
diff -Nru symfony-4.4.19+dfsg/debian/clean symfony-4.4.19+dfsg/debian/clean
--- symfony-4.4.19+dfsg/debian/clean2023-11-11 19:09:20.0 +0100
+++ symfony-4.4.19+dfsg/debian/clean2024-02-18 10:59:51.0 +0100
@@ -1,5 +1,6 @@
 .phpunit.result.cache
 CHANGELOG
+build/
 debian/autoloaders/
 debian/packages_to_build/
 vendor/
diff -Nru 
symfony-4.4.19+dfsg/debian/patches/make-sure-that-the-submitted-year-is-an-accepted-choice.patch
 
symfony-4.4.19+dfsg/debian/patches/make-sure-that-the-submitted-year-is-an-accepted-choice.patch
--- 
symfony-4.4.19+dfsg/debian/patches/make-sure-that-the-submitted-year-is-an-accepted-choice.patch
1970-01-01 01:00:00.0 +0100
+++ 
symfony-4.4.19+dfsg/debian/patches/make-sure-that-the-submitted-year-is-an-accepted-choice.patch
2024-02-18 10:59:51.0 +0100
@@ -0,0 +1,35 @@
+From: Christian Flothmann 
+Date: Tue, 2 Jan 2024 08:56:56 +0100
+Subject: make sure that the submitted year is an accepted choice
+
+Origin: upstream, 
https://github.com/symfony/symfony/commit/64f675ced4c60a67f564608fb598dc27ea3de9f6
+Bug-Debian: https://bugs.debian.org/1061033
+---
+ .../Component/Form/Tests/Extension/Core/Type/DateTimeTypeTest.php| 1 +
+ src/Symfony/Component/Form/Tests/Extension/Core/Type/DateTypeTest.php| 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git 
a/src/Symfony/Component/Form/Tests/Extension/Core/Type/DateTimeTypeTest.php 
b/src/Symfony/Component/Form/Tests/Extension/Core/Type/DateTimeTypeTest.php
+index 506ec11..3016069 100644
+--- a/src/Symfony/Component/Form/Tests/Extension/Core/Type/DateTimeTypeTest.php
 b/src/Symfony/Component/Form/Tests/Extension/Core/Type/DateTimeTypeTest.php
+@@ -701,6 +701,7 @@ class DateTimeTypeTest extends BaseTypeTest
+ $form = $this->factory->create(static::TESTED_TYPE, null, [
+ 'widget' => $widget,
+ 'empty_data' => $emptyData,
++'years' => range(2018, (int) date('Y')),
+ ]);
+ $form->submit(null);
+ 
+diff --git 
a/src/Symfony/Component/Form/Tests/Extension/Core/Type/DateTypeTest.php 
b/src/Symfony/Component/Form/Tests/Extension/Core/Type/DateTypeTest.php
+index 5891cc0..893fac1 100644
+--- a/src/Symfony/Component/Form/Tests/Extension/Core/Type/DateTypeTest.php
 b/src/Symfony/Component/Form/Tests/Extension/Core/Type/DateTypeTest.php
+@@ -1021,6 +1021,7 @@ class DateTypeTest extends BaseTypeTest
+ $form = $this->factory->create(static::TESTED_TYPE, null, [
+ 'widget' => $widget,
+ 'empty_data' => $emptyData,
++'years' => range(2018, (int) date('Y')),
+ ]);
+ $form->submit(null);
+ 
diff -Nru symfony-4.4.19+dfsg/debian/patches/series 
symfony-4.4.19+dfsg/debian/patches/series
--- symfony-4.4.19+dfsg/debian/patches/series   2023-11-11 19:09:20.0 
+0100
+++ symfony-4.4.19+dfsg/debian/patches/series   2024-02-18 10:59:51.0 
+0100
@@ -24,3 +24,4 @@
 Security-Http-Remove-CSRF-tokens-from-storage-on-successf.patch
 Mime-regenerate-test-certificates.patch
 TwigBridge-Ensure-CodeExtension-s-filters-properly-escape.patch
+make-sure-that-the-submitted-year-is-an-accepted-choice.patch
diff -Nru 
symfony-4.4.19+dfsg/debian/patches/VarDumper-Adapt-to-homemade-autoload.patch 
symfony-4.4.19+dfsg/debian/patches/VarDumper-Adapt-to-homemade-autoload.patch
--- 
symfony-4.4.19+dfsg/debian/patches/VarDumper-Adapt-to-homemade-autoload.patch   
2023-11-11 19:09:20.0 +0100
+++ 
symfony-4.4.19+dfsg/debian/patches/VarDumper-Adapt-to-homemade-autoload.patch   
2024-02-18 10:59:51.0 +0100
@@ -4,11 +4,11 @@
 
 Forwarded: no
 ---
- src/Symfony/Component/VarDumper/Resources/bin/var-dump-server | 8 
- 1 file 

Bug#1065071: bullseye-pu: package php-symfony-contracts/1.1.10-2+deb11u1

[David Prévot]

Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: php-symfony-contra...@packages.debian.org, 
t...@security.debian.org
Control: affects -1 + src:php-symfony-contracts
User: release.debian@packages.debian.org
Usertags: pu

[2/6 for bullseye]

This is a follow up from composer/DSA-5632-1, similar to #1065058 in
bookworm.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides changelog entry) in the binary packages is of
the following kind (thanks to diffoscope), for example for
php-symfony-cache-contracts.

│ │ ├── ./usr/share/php/Symfony/Contracts/Cache/autoload.php
│ │ │ @@ -1,13 +1,11 @@
│ │ │  diff -Nru php-symfony-contracts-1.1.10/debian/changelog php-symfony-contracts-1.1.10/debian/changelog
--- php-symfony-contracts-1.1.10/debian/changelog	2020-09-15 22:17:37.0 +0200
+++ php-symfony-contracts-1.1.10/debian/changelog	2024-02-18 11:57:14.0 +0100
@@ -1,3 +1,9 @@
+php-symfony-contracts (1.1.10-2+deb11u1) bookworm; urgency=medium
+
+  * Force system dependencies loading
+
+ -- David Prévot   Sun, 18 Feb 2024 11:57:14 +0100
+
 php-symfony-contracts (1.1.10-2) unstable; urgency=medium
 
   * Revert "stop using deprecated PHPUnit APIs", fixing symfony FTBFS
diff -Nru php-symfony-contracts-1.1.10/debian/rules php-symfony-contracts-1.1.10/debian/rules
--- php-symfony-contracts-1.1.10/debian/rules	2020-09-15 22:17:37.0 +0200
+++ php-symfony-contracts-1.1.10/debian/rules	2024-02-18 11:57:10.0 +0100
@@ -45,13 +45,13 @@
 	  fi; \
 	 done
 	cp debian/autoload.php .
-	mkdir --parents vendor Symfony
+	mkdir --parents vendor Symfony/Contracts
 	phpab \
 		--output vendor/autoload.php \
 		--template debian/autoload.tests.php.tpl \
 		Tests
 	# Mimic expected path for tests
-	cp -r autoload.php Cache Deprecation EventDispatcher HttpClient Service Translation Symfony/Contracts
+	cp -r autoload.php Cache EventDispatcher HttpClient Service Translation Symfony/Contracts
 	ln -s /usr/share/php/Symfony/Component Symfony
 	ln -s /usr/share/php/Psr .
 


signature.asc
Description: PGP signature

Bug#1065070: bookworm-pu: package php-composer-xdebug-handler/1.4.5-1+deb11u1

[David Prévot]

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-composer-xdebug-hand...@packages.debian.org, 
t...@security.debian.org
Control: affects -1 + src:php-composer-xdebug-handler
User: release.debian@packages.debian.org
Usertags: pu

[1/6 for bullseye]

This is a follow up from composer/DSA-5632-1, similar to #1065057 in
bookworm.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides changelog entry) in the binary package is the
following (thanks to diffoscope).

│ │ ├── ./usr/share/php/Composer/XdebugHandler/autoload.php
│ │ │ @@ -1,10 +1,10 @@
│ │ │  diff -Nru php-composer-xdebug-handler-1.4.5/debian/autoload.php.tpl php-composer-xdebug-handler-1.4.5/debian/autoload.php.tpl
--- php-composer-xdebug-handler-1.4.5/debian/autoload.php.tpl	2020-11-22 16:28:34.0 +0100
+++ php-composer-xdebug-handler-1.4.5/debian/autoload.php.tpl	2024-02-18 09:01:17.0 +0100
@@ -1,6 +1,6 @@
   Sun, 18 Feb 2024 09:02:41 +0100
+
 php-composer-xdebug-handler (1.4.5-1) unstable; urgency=medium
 
   [ Martin Matthaei ]
diff -Nru php-composer-xdebug-handler-1.4.5/debian/clean php-composer-xdebug-handler-1.4.5/debian/clean
--- php-composer-xdebug-handler-1.4.5/debian/clean	2020-11-22 16:28:34.0 +0100
+++ php-composer-xdebug-handler-1.4.5/debian/clean	2024-02-18 09:01:35.0 +0100
@@ -1,4 +1,5 @@
 Composer/
+Psr
 src/autoload.php
 vendor/
 .phpunit.result.cache
diff -Nru php-composer-xdebug-handler-1.4.5/debian/control php-composer-xdebug-handler-1.4.5/debian/control
--- php-composer-xdebug-handler-1.4.5/debian/control	2020-11-22 16:31:14.0 +0100
+++ php-composer-xdebug-handler-1.4.5/debian/control	2024-02-18 08:59:53.0 +0100
@@ -11,7 +11,7 @@
 Standards-Version: 4.5.1
 Homepage: https://github.com/composer/xdebug-handler
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-composer-xdebug-handler
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-composer-xdebug-handler.git -b debian/latest
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-composer-xdebug-handler.git -b debian/bullseye
 Rules-Requires-Root: no
 
 Package: php-composer-xdebug-handler
diff -Nru php-composer-xdebug-handler-1.4.5/debian/gbp.conf php-composer-xdebug-handler-1.4.5/debian/gbp.conf
--- php-composer-xdebug-handler-1.4.5/debian/gbp.conf	2020-11-22 16:29:46.0 +0100
+++ php-composer-xdebug-handler-1.4.5/debian/gbp.conf	2024-02-18 08:59:57.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bullseye
 pristine-tar = True
 pristine-tar-commit = True
 
diff -Nru php-composer-xdebug-handler-1.4.5/debian/rules php-composer-xdebug-handler-1.4.5/debian/rules
--- php-composer-xdebug-handler-1.4.5/debian/rules	2020-11-22 16:28:34.0 +0100
+++ php-composer-xdebug-handler-1.4.5/debian/rules	2024-02-18 09:02:12.0 +0100
@@ -8,7 +8,8 @@
 		--template debian/autoload.php.tpl \
 		src
 	mkdir --parents vendor Composer
-	ln -s ../src Composer/XdebugHandler
+	cp -r src Composer/XdebugHandler
+	ln -s /usr/share/php/Psr .
 	phpab \
 		--output vendor/autoload.php \
 		--template debian/autoload.tests.php.tpl \


signature.asc
Description: PGP signature

Bug#1065068: bookworm-pu: package php-doctrine-deprecations/1.0.0-2+deb12u1

[David Prévot]

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-doctrine-deprecati...@packages.debian.org, 
t...@security.debian.org
Control: affects -1 + src:php-doctrine-deprecations
User: release.debian@packages.debian.org
Usertags: pu

[9/9 for bookworm]

This is a follow up from composer/DSA-5632-1 (the last one for
Bookworm).

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides changelog entry) in the binary package is the
following (thanks to diffoscope).

│ │ ├── ./usr/share/php/Doctrine/Deprecations/autoload.php
│ │ │ @@ -1,13 +1,13 @@
│ │ │  diff -Nru php-doctrine-deprecations-1.0.0/debian/autoload.php.tpl php-doctrine-deprecations-1.0.0/debian/autoload.php.tpl
--- php-doctrine-deprecations-1.0.0/debian/autoload.php.tpl	1970-01-01 01:00:00.0 +0100
+++ php-doctrine-deprecations-1.0.0/debian/autoload.php.tpl	2024-02-15 23:25:51.0 +0100
@@ -0,0 +1,29 @@
+  Thu, 15 Feb 2024 23:26:09 +0100
+
 php-doctrine-deprecations (1.0.0-2) unstable; urgency=medium
 
   * Be tolerant about line number pointer (PHP 8.2 related fix)
diff -Nru php-doctrine-deprecations-1.0.0/debian/clean php-doctrine-deprecations-1.0.0/debian/clean
--- php-doctrine-deprecations-1.0.0/debian/clean	2022-06-19 21:05:43.0 +0200
+++ php-doctrine-deprecations-1.0.0/debian/clean	2024-02-15 23:25:51.0 +0100
@@ -1,5 +1,5 @@
 .phpunit.result.cache
-debian/autoload.php.tpl
 debian/autoload.tests.php.tpl
 lib/Doctrine/Deprecations/autoload.php
+lib/Psr
 vendor/
diff -Nru php-doctrine-deprecations-1.0.0/debian/control php-doctrine-deprecations-1.0.0/debian/control
--- php-doctrine-deprecations-1.0.0/debian/control	2022-06-19 21:19:29.0 +0200
+++ php-doctrine-deprecations-1.0.0/debian/control	2024-02-15 23:23:24.0 +0100
@@ -10,7 +10,7 @@
phpunit,
pkg-php-tools (>= 1.41~)
 Standards-Version: 4.6.1
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-doctrine-deprecations.git
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-doctrine-deprecations.git -b debian/bookworm
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-doctrine-deprecations
 Homepage: https://www.doctrine-project.org/
 Rules-Requires-Root: no
diff -Nru php-doctrine-deprecations-1.0.0/debian/gbp.conf php-doctrine-deprecations-1.0.0/debian/gbp.conf
--- php-doctrine-deprecations-1.0.0/debian/gbp.conf	2022-06-19 21:07:24.0 +0200
+++ php-doctrine-deprecations-1.0.0/debian/gbp.conf	2024-02-15 23:23:30.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bookworm
 filter = [ '.gitattributes' ]
 pristine-tar = True
 upstream-vcs-tag = v%(version%~%-)s
diff -Nru php-doctrine-deprecations-1.0.0/debian/install php-doctrine-deprecations-1.0.0/debian/install
--- php-doctrine-deprecations-1.0.0/debian/install	2022-06-19 21:05:43.0 +0200
+++ php-doctrine-deprecations-1.0.0/debian/install	2024-02-15 23:25:51.0 +0100
@@ -1 +1 @@
-lib/*	usr/share/php
+lib/Doctrine	usr/share/php
diff -Nru php-doctrine-deprecations-1.0.0/debian/rules php-doctrine-deprecations-1.0.0/debian/rules
--- php-doctrine-deprecations-1.0.0/debian/rules	2022-06-19 21:05:43.0 +0200
+++ php-doctrine-deprecations-1.0.0/debian/rules	2024-02-15 23:25:51.0 +0100
@@ -4,12 +4,12 @@
 	dh $@
 
 override_dh_auto_build:
-	phpabtpl composer.json > debian/autoload.php.tpl
 	phpab \
 		--output lib/Doctrine/Deprecations/autoload.php \
 		--template debian/autoload.php.tpl \
 		lib/Doctrine/Deprecations
 	mkdir --parents vendor
+	ln -s /usr/share/php/Psr lib/
 	phpabtpl \
 		--require doctrine/deprecations \
 		> debian/autoload.tests.php.tpl


signature.asc
Description: PGP signature

Bug#1065067: bookworm-pu: package php-doctrine-lexer/2.1.0-2+deb12u1

[David Prévot]

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-doctrine-le...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-doctrine-lexer
User: release.debian@packages.debian.org
Usertags: pu

[8/9 for bookworm]

This is a follow up from composer/DSA-5632-1.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides changelog entry) in the binary package is the
following (thanks to diffoscope).

│ │ ├── ./usr/share/php/Doctrine/Common/Lexer/autoload.php
│ │ │ @@ -1,11 +1,11 @@
│ │ │  diff -Nru php-doctrine-lexer-2.1.0/debian/autoload.php.tpl php-doctrine-lexer-2.1.0/debian/autoload.php.tpl
--- php-doctrine-lexer-2.1.0/debian/autoload.php.tpl	1970-01-01 01:00:00.0 +0100
+++ php-doctrine-lexer-2.1.0/debian/autoload.php.tpl	2024-02-15 23:22:05.0 +0100
@@ -0,0 +1,29 @@
+  Thu, 15 Feb 2024 23:22:10 +0100
+
 php-doctrine-lexer (2.1.0-2) unstable; urgency=medium
 
   * Upload to unstable
diff -Nru php-doctrine-lexer-2.1.0/debian/clean php-doctrine-lexer-2.1.0/debian/clean
--- php-doctrine-lexer-2.1.0/debian/clean	2022-12-12 07:58:13.0 +0100
+++ php-doctrine-lexer-2.1.0/debian/clean	2024-02-15 23:22:05.0 +0100
@@ -1,5 +1,4 @@
 .phpunit.result.cache
-debian/autoload.php.tpl
 debian/autoload.tests.php.tpl
 Doctrine/
 src/autoload.php
diff -Nru php-doctrine-lexer-2.1.0/debian/control php-doctrine-lexer-2.1.0/debian/control
--- php-doctrine-lexer-2.1.0/debian/control	2023-01-01 10:10:48.0 +0100
+++ php-doctrine-lexer-2.1.0/debian/control	2024-02-15 23:20:25.0 +0100
@@ -9,7 +9,7 @@
phpab,
phpunit
 Standards-Version: 4.6.2
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-doctrine-lexer.git -b debian/bookworm
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-doctrine-lexer.git -b debian/bookworm-security
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-doctrine-lexer
 Homepage: https://www.doctrine-project.org/projects/lexer.html
 Rules-Requires-Root: no
diff -Nru php-doctrine-lexer-2.1.0/debian/gbp.conf php-doctrine-lexer-2.1.0/debian/gbp.conf
--- php-doctrine-lexer-2.1.0/debian/gbp.conf	2023-01-01 10:10:48.0 +0100
+++ php-doctrine-lexer-2.1.0/debian/gbp.conf	2024-02-15 23:20:29.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/bookworm
+debian-branch = debian/bookworm-security
 filter = [ '.gitattributes' ]
 pristine-tar = True
 upstream-branch = upstream-2.x
diff -Nru php-doctrine-lexer-2.1.0/debian/rules php-doctrine-lexer-2.1.0/debian/rules
--- php-doctrine-lexer-2.1.0/debian/rules	2022-12-12 07:59:50.0 +0100
+++ php-doctrine-lexer-2.1.0/debian/rules	2024-02-15 23:22:05.0 +0100
@@ -3,13 +3,13 @@
 	dh $@
 
 override_dh_auto_build:
-	phpabtpl composer.json > debian/autoload.php.tpl
 	phpab \
 		--output src/autoload.php \
 		--template debian/autoload.php.tpl \
 		src
 	mkdir --parents vendor Doctrine/Common
-	ln -s ../../src Doctrine/Common/Lexer
+	cp -r src Doctrine/Common/Lexer
+	ln -s /usr/share/php/Doctrine/Deprecations Doctrine
 	phpabtpl \
 		--require doctrine/lexer \
 		> debian/autoload.tests.php.tpl


signature.asc
Description: PGP signature

Bug#1065065: bookworm-pu: package php-doctrine-annotations/2.0.1-1+deb12u1

[David Prévot]

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-doctrine-annotati...@packages.debian.org, 
t...@security.debian.org
Control: affects -1 + src:php-doctrine-annotations
User: release.debian@packages.debian.org
Usertags: pu

[7/9 for bookworm]

This is a follow up from composer/DSA-5632-1.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides changelog entry) in the binary package is the
following (thanks to diffoscope).

│ │ ├── ./usr/share/php/Doctrine/Common/Annotations/autoload.php
│ │ │ @@ -1,12 +1,12 @@
│ │ │  diff -Nru php-doctrine-annotations-2.0.1/debian/autoload.php.tpl php-doctrine-annotations-2.0.1/debian/autoload.php.tpl
--- php-doctrine-annotations-2.0.1/debian/autoload.php.tpl	1970-01-01 01:00:00.0 +0100
+++ php-doctrine-annotations-2.0.1/debian/autoload.php.tpl	2024-02-15 23:14:38.0 +0100
@@ -0,0 +1,30 @@
+  Thu, 15 Feb 2024 23:14:38 +0100
+
 php-doctrine-annotations (2.0.1-1) unstable; urgency=medium
 
   [ Alexander M. Turek ]
diff -Nru php-doctrine-annotations-2.0.1/debian/clean php-doctrine-annotations-2.0.1/debian/clean
--- php-doctrine-annotations-2.0.1/debian/clean	2021-05-23 19:31:29.0 +0200
+++ php-doctrine-annotations-2.0.1/debian/clean	2024-02-15 23:14:38.0 +0100
@@ -1,5 +1,8 @@
 .phpunit.result.cache
-debian/autoload.php.tpl
 debian/autoload.tests.php.tpl
 lib/Doctrine/Common/Annotations/autoload.php
+lib/Doctrine/Common/Cache
+lib/Doctrine/Common/Lexer
+lib/Psr
+lib/Symfony
 vendor/
diff -Nru php-doctrine-annotations-2.0.1/debian/control php-doctrine-annotations-2.0.1/debian/control
--- php-doctrine-annotations-2.0.1/debian/control	2023-02-03 05:25:51.0 +0100
+++ php-doctrine-annotations-2.0.1/debian/control	2024-02-15 23:14:38.0 +0100
@@ -13,7 +13,7 @@
phpunit,
pkg-php-tools
 Standards-Version: 4.6.2
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-doctrine-annotations.git
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-doctrine-annotations.git -b debian/bookworm
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-doctrine-annotations
 Homepage: https://www.doctrine-project.org/projects/annotations.html
 Rules-Requires-Root: no
diff -Nru php-doctrine-annotations-2.0.1/debian/gbp.conf php-doctrine-annotations-2.0.1/debian/gbp.conf
--- php-doctrine-annotations-2.0.1/debian/gbp.conf	2021-02-20 14:25:27.0 +0100
+++ php-doctrine-annotations-2.0.1/debian/gbp.conf	2024-02-15 23:14:38.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bookworm
 filter = [ '.gitattributes' ]
 pristine-tar = True
 upstream-vcs-tag = %(version%~%-)s
diff -Nru php-doctrine-annotations-2.0.1/debian/rules php-doctrine-annotations-2.0.1/debian/rules
--- php-doctrine-annotations-2.0.1/debian/rules	2021-10-11 03:02:26.0 +0200
+++ php-doctrine-annotations-2.0.1/debian/rules	2024-02-15 23:14:38.0 +0100
@@ -1,15 +1,18 @@
 #!/usr/bin/make -f
 
 %:
-	dh $@
+	dh $@ -XCommon/Cache -XCommon/Lexer -Xlib/Psr -XSymfony
 
 override_dh_auto_build:
-	phpabtpl composer.json > debian/autoload.php.tpl
 	phpab \
 		--output lib/Doctrine/Common/Annotations/autoload.php \
 		--template debian/autoload.php.tpl \
 		lib/Doctrine/Common/Annotations
 	mkdir --parents vendor
+	ln -s /usr/share/php/Doctrine/Common/Cache lib/Doctrine/Common
+	ln -s /usr/share/php/Doctrine/Common/Lexer lib/Doctrine/Common
+	ln -s /usr/share/php/Psr lib
+	ln -s /usr/share/php/Symfony lib
 	phpabtpl \
 		--require doctrine/annotations \
 		--require doctrine/cache \


signature.asc
Description: PGP signature

Bug#1065062: bookworm-pu: package php-zend-code/4.8.0-1+deb12u1

[David Prévot]

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-zend-c...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-zend-code
User: release.debian@packages.debian.org
Usertags: pu

[6/9 for bookworm]

This is a follow up from composer/DSA-5632-1.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides changelog entry) in the binary package is the
following (thanks to diffoscope).

│ │ ├── ./usr/share/php/Laminas/Code/autoload.php
│ │ │ @@ -1,14 +1,14 @@
│ │ │  diff -Nru php-zend-code-4.8.0/debian/autoload.php.tpl php-zend-code-4.8.0/debian/autoload.php.tpl
--- php-zend-code-4.8.0/debian/autoload.php.tpl	1970-01-01 01:00:00.0 +0100
+++ php-zend-code-4.8.0/debian/autoload.php.tpl	2024-02-15 23:03:09.0 +0100
@@ -0,0 +1,30 @@
+  Thu, 15 Feb 2024 23:03:09 +0100
+
 php-zend-code (4.8.0-1) unstable; urgency=medium
 
   [ Marco Pivetta ]
diff -Nru php-zend-code-4.8.0/debian/clean php-zend-code-4.8.0/debian/clean
--- php-zend-code-4.8.0/debian/clean	2022-12-11 17:50:13.0 +0100
+++ php-zend-code-4.8.0/debian/clean	2024-02-15 23:03:09.0 +0100
@@ -1,6 +1,6 @@
 .phpunit.result.cache
-debian/autoload.php.tpl
 debian/autoload.tests.php.tpl
+Doctrine
 src/autoload.php
 vendor/
 Laminas/
diff -Nru php-zend-code-4.8.0/debian/control php-zend-code-4.8.0/debian/control
--- php-zend-code-4.8.0/debian/control	2022-06-18 16:41:55.0 +0200
+++ php-zend-code-4.8.0/debian/control	2024-02-15 23:03:09.0 +0100
@@ -12,7 +12,7 @@
pkg-php-tools (>= 1.41~)
 Standards-Version: 4.6.1
 Homepage: https://docs.laminas.dev/laminas-code/
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-zend-code.git
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-zend-code.git -b debian/bookworm
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-zend-code
 Rules-Requires-Root: no
 
diff -Nru php-zend-code-4.8.0/debian/gbp.conf php-zend-code-4.8.0/debian/gbp.conf
--- php-zend-code-4.8.0/debian/gbp.conf	2021-04-09 03:16:02.0 +0200
+++ php-zend-code-4.8.0/debian/gbp.conf	2024-02-15 23:03:09.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bookworm
 filter = [ '.gitattributes' ]
 pristine-tar = True
 upstream-vcs-tag = %(version%~%-)s
diff -Nru php-zend-code-4.8.0/debian/rules php-zend-code-4.8.0/debian/rules
--- php-zend-code-4.8.0/debian/rules	2022-12-11 17:50:13.0 +0100
+++ php-zend-code-4.8.0/debian/rules	2024-02-15 23:03:09.0 +0100
@@ -3,12 +3,13 @@
 	dh $@ -Xindex.md
 
 override_dh_auto_build:
-	phpabtpl composer.json > debian/autoload.php.tpl
 	phpab	--output src/autoload.php \
 		--template debian/autoload.php.tpl \
 		src
 	mkdir --parents vendor Laminas
-	ln -s ../src Laminas/Code
+	cp -r src Laminas/Code
+	ln -s /usr/share/php/Doctrine .
+	ln -s /usr/share/php/Laminas/Stdlib Laminas
 	phpabtpl \
 --require laminas/laminas-code \
 > debian/autoload.tests.php.tpl


signature.asc
Description: PGP signature

Bug#1065061: bookworm-pu: package php-proxy-manager/2.11.1+1.0.14-1+deb12u1

[David Prévot]

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-proxy-mana...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-proxy-manager
User: release.debian@packages.debian.org
Usertags: pu

[5/9 for bookworm]

This is a follow up from composer/DSA-5632-1.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides changelog entry) in the binary package is the
following (thanks to diffoscope).

│ │ ├── ./usr/share/php/ProxyManager/autoload.php
│ │ │ @@ -1,12 +1,12 @@
│ │ │  diff -Nru php-proxy-manager-2.11.1+1.0.14/debian/autoload.php.tpl php-proxy-manager-2.11.1+1.0.14/debian/autoload.php.tpl
--- php-proxy-manager-2.11.1+1.0.14/debian/autoload.php.tpl	1970-01-01 01:00:00.0 +0100
+++ php-proxy-manager-2.11.1+1.0.14/debian/autoload.php.tpl	2024-02-15 22:58:41.0 +0100
@@ -0,0 +1,30 @@
+  Thu, 15 Feb 2024 22:58:41 +0100
+
 php-proxy-manager (2.11.1+1.0.14-1) unstable; urgency=medium
 
   [ Nicolas Grekas ]
diff -Nru php-proxy-manager-2.11.1+1.0.14/debian/clean php-proxy-manager-2.11.1+1.0.14/debian/clean
--- php-proxy-manager-2.11.1+1.0.14/debian/clean	2022-10-22 12:12:26.0 +0200
+++ php-proxy-manager-2.11.1+1.0.14/debian/clean	2024-02-15 22:58:41.0 +0100
@@ -1,6 +1,7 @@
 .phpunit.result.cache
-ProxyManager
-debian/autoload.php.tpl
 debian/autoload.tests.php.tpl
+Laminas
+ProxyManager/
 src/ProxyManager/autoload.php
+Symfony
 vendor/
diff -Nru php-proxy-manager-2.11.1+1.0.14/debian/control php-proxy-manager-2.11.1+1.0.14/debian/control
--- php-proxy-manager-2.11.1+1.0.14/debian/control	2023-01-30 13:41:38.0 +0100
+++ php-proxy-manager-2.11.1+1.0.14/debian/control	2024-02-15 22:58:41.0 +0100
@@ -13,7 +13,7 @@
pkg-php-tools (>= 1.41~)
 Standards-Version: 4.6.2
 Homepage: https://github.com/FriendsOfPHP/proxy-manager-lts
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-proxy-manager.git
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-proxy-manager.git -b debian/bookworm
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-proxy-manager
 Rules-Requires-Root: no
 
diff -Nru php-proxy-manager-2.11.1+1.0.14/debian/gbp.conf php-proxy-manager-2.11.1+1.0.14/debian/gbp.conf
--- php-proxy-manager-2.11.1+1.0.14/debian/gbp.conf	2022-10-22 12:12:26.0 +0200
+++ php-proxy-manager-2.11.1+1.0.14/debian/gbp.conf	2024-02-15 22:58:41.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/lts
+debian-branch = debian/bookworm
 filter = [ '.gitattributes' ]
 pristine-tar = True
 upstream-branch = upstream-lts
diff -Nru php-proxy-manager-2.11.1+1.0.14/debian/patches/0001-Also-skip-system-classes-during-tests.patch php-proxy-manager-2.11.1+1.0.14/debian/patches/0001-Also-skip-system-classes-during-tests.patch
--- php-proxy-manager-2.11.1+1.0.14/debian/patches/0001-Also-skip-system-classes-during-tests.patch	2023-01-30 13:40:33.0 +0100
+++ php-proxy-manager-2.11.1+1.0.14/debian/patches/0001-Also-skip-system-classes-during-tests.patch	2024-02-15 22:58:41.0 +0100
@@ -3,22 +3,23 @@
 Subject: Also skip system classes during tests
 
 ---
- tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php | 2 ++
- 1 file changed, 2 insertions(+)
+ tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php | 3 +++
+ 1 file changed, 3 insertions(+)
 
 diff --git a/tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php b/tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php
-index 8e4f48d..9d65c6f 100644
+index 8e4f48d..eebd45a 100644
 --- a/tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php
 +++ b/tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php
-@@ -109,6 +109,7 @@ final class FatalPreventionFunctionalTest extends TestCase
+@@ -109,6 +109,8 @@ final class FatalPreventionFunctionalTest extends TestCase
  realpath(__DIR__ . '/../../../src'),
  realpath(__DIR__ . '/../../../vendor'),
  realpath(__DIR__ . '/../../ProxyManagerTest'),
++realpath(__DIR__ . '/../../../ProxyManager'),
 +realpath('/usr/share/php'),
  ];
  
  return array_filter(
-@@ -135,6 +136,7 @@ final class FatalPreventionFunctionalTest extends TestCase
+@@ -135,6 +137,7 @@ final class FatalPreventionFunctionalTest extends TestCase
  
  if (strpos($realPath, $skippedPath) === 0) {
  // skip classes defined within ProxyManager, vendor or the test suite
diff -Nru php-proxy-manager-2.11.1+1.0.14/debian/rules php-proxy-manager-2.11.1+1.0.14/debian/rules
--- php-proxy-manager-2.11.1+1.0.14/debian/rules	2022-10-22 12:12:26.0 +0200
+++ php-proxy-manager-2.11.1+1.0.14/debian/rules	2024-02-15 22:58:41.0 +0100
@@ -3,7 +3,6 @@
 	dh $@
 
 override_dh_auto_build:
-	phpabtpl composer.json > 

Bug#1065060: bookworm-pu: package php-proxy-manager/2.11.1+1.0.14-1+deb12u1

[David Prévot]

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-proxy-mana...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-proxy-manager
User: release.debian@packages.debian.org
Usertags: pu

[5/9 for bookworm]

This is a follow up from composer/DSA-5632-1.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides changelog entry) in the binary package is the
following (thanks to diffoscope).

│ │ ├── ./usr/share/php/ProxyManager/autoload.php
│ │ │ @@ -1,12 +1,12 @@
│ │ │  diff -Nru php-proxy-manager-2.11.1+1.0.14/debian/autoload.php.tpl 
php-proxy-manager-2.11.1+1.0.14/debian/autoload.php.tpl
--- php-proxy-manager-2.11.1+1.0.14/debian/autoload.php.tpl 1970-01-01 
01:00:00.0 +0100
+++ php-proxy-manager-2.11.1+1.0.14/debian/autoload.php.tpl 2024-02-15 
22:58:41.0 +0100
@@ -0,0 +1,30 @@
+  Thu, 15 Feb 2024 22:58:41 +0100
+
 php-proxy-manager (2.11.1+1.0.14-1) unstable; urgency=medium
 
   [ Nicolas Grekas ]
diff -Nru php-proxy-manager-2.11.1+1.0.14/debian/clean 
php-proxy-manager-2.11.1+1.0.14/debian/clean
--- php-proxy-manager-2.11.1+1.0.14/debian/clean2022-10-22 
12:12:26.0 +0200
+++ php-proxy-manager-2.11.1+1.0.14/debian/clean2024-02-15 
22:58:41.0 +0100
@@ -1,6 +1,7 @@
 .phpunit.result.cache
-ProxyManager
-debian/autoload.php.tpl
 debian/autoload.tests.php.tpl
+Laminas
+ProxyManager/
 src/ProxyManager/autoload.php
+Symfony
 vendor/
diff -Nru php-proxy-manager-2.11.1+1.0.14/debian/control 
php-proxy-manager-2.11.1+1.0.14/debian/control
--- php-proxy-manager-2.11.1+1.0.14/debian/control  2023-01-30 
13:41:38.0 +0100
+++ php-proxy-manager-2.11.1+1.0.14/debian/control  2024-02-15 
22:58:41.0 +0100
@@ -13,7 +13,7 @@
pkg-php-tools (>= 1.41~)
 Standards-Version: 4.6.2
 Homepage: https://github.com/FriendsOfPHP/proxy-manager-lts
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-proxy-manager.git
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-proxy-manager.git -b 
debian/bookworm
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-proxy-manager
 Rules-Requires-Root: no
 
diff -Nru php-proxy-manager-2.11.1+1.0.14/debian/gbp.conf 
php-proxy-manager-2.11.1+1.0.14/debian/gbp.conf
--- php-proxy-manager-2.11.1+1.0.14/debian/gbp.conf 2022-10-22 
12:12:26.0 +0200
+++ php-proxy-manager-2.11.1+1.0.14/debian/gbp.conf 2024-02-15 
22:58:41.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/lts
+debian-branch = debian/bookworm
 filter = [ '.gitattributes' ]
 pristine-tar = True
 upstream-branch = upstream-lts
diff -Nru 
php-proxy-manager-2.11.1+1.0.14/debian/patches/0001-Also-skip-system-classes-during-tests.patch
 
php-proxy-manager-2.11.1+1.0.14/debian/patches/0001-Also-skip-system-classes-during-tests.patch
--- 
php-proxy-manager-2.11.1+1.0.14/debian/patches/0001-Also-skip-system-classes-during-tests.patch
 2023-01-30 13:40:33.0 +0100
+++ 
php-proxy-manager-2.11.1+1.0.14/debian/patches/0001-Also-skip-system-classes-during-tests.patch
 2024-02-15 22:58:41.0 +0100
@@ -3,22 +3,23 @@
 Subject: Also skip system classes during tests
 
 ---
- tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php | 2 ++
- 1 file changed, 2 insertions(+)
+ tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php | 3 +++
+ 1 file changed, 3 insertions(+)
 
 diff --git 
a/tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php 
b/tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php
-index 8e4f48d..9d65c6f 100644
+index 8e4f48d..eebd45a 100644
 --- a/tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php
 +++ b/tests/ProxyManagerTest/Functional/FatalPreventionFunctionalTest.php
-@@ -109,6 +109,7 @@ final class FatalPreventionFunctionalTest extends TestCase
+@@ -109,6 +109,8 @@ final class FatalPreventionFunctionalTest extends TestCase
  realpath(__DIR__ . '/../../../src'),
  realpath(__DIR__ . '/../../../vendor'),
  realpath(__DIR__ . '/../../ProxyManagerTest'),
++realpath(__DIR__ . '/../../../ProxyManager'),
 +realpath('/usr/share/php'),
  ];
  
  return array_filter(
-@@ -135,6 +136,7 @@ final class FatalPreventionFunctionalTest extends TestCase
+@@ -135,6 +137,7 @@ final class FatalPreventionFunctionalTest extends TestCase
  
  if (strpos($realPath, $skippedPath) === 0) {
  // skip classes defined within ProxyManager, vendor 
or the test suite
diff -Nru php-proxy-manager-2.11.1+1.0.14/debian/rules 
php-proxy-manager-2.11.1+1.0.14/debian/rules
--- php-proxy-manager-2.11.1+1.0.14/debian/rules2022-10-22 
12:12:26.0 +0200
+++ php-proxy-manager-2.11.1+1.0.14/debian/rules2024-02-15 
22:58:41.0 +0100
@@ -3,7 

Bug#1065059: bookworm-pu: package symfony/5.4.23+dfsg-1+deb12u2

[David Prévot]

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: symf...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:symfony
User: release.debian@packages.debian.org
Usertags: pu

[4/9 for bookworm]

This is a follow up from composer/DSA-5632-1 and similar to #1065058.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release. It also adds an upstream patch in order to fix the
testsuite, already referenced via #1061033 in Debian.

The only change (besides changelog entry) in the binary packages is of
the following kind (thanks to diffoscope), for example for
php-symfony-cache.

│ │ ├── ./usr/share/php/Symfony/Component/Cache/autoload.php
│ │ │ @@ -1,16 +1,16 @@
│ │ │  

signature.asc
Description: PGP signature

Bug#1065058: bookworm-pu: package php-symfony-contracts/2.5.2-1+deb12u1

[David Prévot]

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-symfony-contra...@packages.debian.org, 
t...@security.debian.org
Control: affects -1 + src:php-symfony-contracts
User: release.debian@packages.debian.org
Usertags: pu

[3/9 for bookworm]

This is a follow up from composer/DSA-5632-1, #1065056 and #1065057.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides changelog entry) in the binary packages is of
the following kind (thanks to diffoscope), for example for
php-symfony-cache-contracts.

│ │ ├── ./usr/share/php/Symfony/Contracts/Cache/autoload.php
│ │ │ @@ -1,14 +1,14 @@
│ │ │  diff -Nru php-symfony-contracts-2.5.2/debian/autoload.php php-symfony-contracts-2.5.2/debian/autoload.php
--- php-symfony-contracts-2.5.2/debian/autoload.php	2022-06-18 17:59:28.0 +0200
+++ php-symfony-contracts-2.5.2/debian/autoload.php	2024-02-15 22:48:06.0 +0100
@@ -3,12 +3,12 @@
 // require_once 'Psr/Container/autoload.php'; (already required by Service)
 // require_once 'Psr/EventDispatcher/autoload.php'; (already required by EventDispatcher)
 
-require_once 'Symfony/Contracts/Cache/autoload.php';
-require_once 'Symfony/Contracts/Deprecation/autoload.php';
-require_once 'Symfony/Contracts/EventDispatcher/autoload.php';
-require_once 'Symfony/Contracts/HttpClient/autoload.php';
-require_once 'Symfony/Contracts/Service/autoload.php';
-require_once 'Symfony/Contracts/Translation/autoload.php';
+require_once __DIR__ . '/Cache/autoload.php';
+require_once __DIR__ . '/Deprecation/autoload.php';
+require_once __DIR__ . '/EventDispatcher/autoload.php';
+require_once __DIR__ . '/HttpClient/autoload.php';
+require_once __DIR__ . '/Service/autoload.php';
+require_once __DIR__ . '/Translation/autoload.php';
 
 // if (stream_resolve_include_path('Symfony/Component/Cache/autoload.php')){ (already suggested by Cache)
 // include_once 'Symfony/Component/Cache/autoload.php';
diff -Nru php-symfony-contracts-2.5.2/debian/changelog php-symfony-contracts-2.5.2/debian/changelog
--- php-symfony-contracts-2.5.2/debian/changelog	2022-07-01 07:08:46.0 +0200
+++ php-symfony-contracts-2.5.2/debian/changelog	2024-02-15 22:48:06.0 +0100
@@ -1,3 +1,10 @@
+php-symfony-contracts (2.5.2-1+deb12u1) bookworm; urgency=medium
+
+  * Track debian/bookworm-security
+  * Force system dependencies loading
+
+ -- David Prévot   Thu, 15 Feb 2024 22:48:06 +0100
+
 php-symfony-contracts (2.5.2-1) unstable; urgency=medium
 
   [ Nicolas Grekas ]
diff -Nru php-symfony-contracts-2.5.2/debian/clean php-symfony-contracts-2.5.2/debian/clean
--- php-symfony-contracts-2.5.2/debian/clean	2022-06-18 17:59:28.0 +0200
+++ php-symfony-contracts-2.5.2/debian/clean	2024-02-15 22:48:06.0 +0100
@@ -1,14 +1,14 @@
 .phpunit.result.cache
+autoload.php
 Cache/autoload.php
+debian/autoloaders/
+debian/autoload.tests.php.tpl
+debian/packages_to_build/
 Deprecation/autoload.php
 EventDispatcher/autoload.php
 HttpClient/autoload.php
+Psr
 Service/autoload.php
-Tests/autoload.php
 Translation/autoload.php
-autoload.php
-debian/autoloaders/
-debian/packages_to_build/
-debian/*.tpl
 Symfony/
 vendor/
diff -Nru php-symfony-contracts-2.5.2/debian/control php-symfony-contracts-2.5.2/debian/control
--- php-symfony-contracts-2.5.2/debian/control	2022-06-18 18:24:38.0 +0200
+++ php-symfony-contracts-2.5.2/debian/control	2024-02-15 22:48:06.0 +0100
@@ -15,7 +15,7 @@
pkg-php-tools (>= 1.41~)
 Standards-Version: 4.6.1
 Homepage: https://symfony.com/components/Contracts
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-symfony-contracts.git -b debian/bookworm
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-symfony-contracts.git -b debian/bookworm-security
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-symfony-contracts
 Rules-Requires-Root: no
 
diff -Nru php-symfony-contracts-2.5.2/debian/gbp.conf php-symfony-contracts-2.5.2/debian/gbp.conf
--- php-symfony-contracts-2.5.2/debian/gbp.conf	2022-06-18 18:24:38.0 +0200
+++ php-symfony-contracts-2.5.2/debian/gbp.conf	2024-02-15 22:48:06.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/bookworm
+debian-branch = debian/bookworm-security
 pristine-tar = True
 upstream-branch = upstream-2
 upstream-vcs-tag = v%(version%~%-)s
diff -Nru php-symfony-contracts-2.5.2/debian/php-symfony-cache-contracts.autoload.php.tpl php-symfony-contracts-2.5.2/debian/php-symfony-cache-contracts.autoload.php.tpl
--- php-symfony-contracts-2.5.2/debian/php-symfony-cache-contracts.autoload.php.tpl	1970-01-01 01:00:00.0 +0100
+++ php-symfony-contracts-2.5.2/debian/php-symfony-cache-contracts.autoload.php.tpl	2024-02-15 22:48:06.0 +0100
@@ -0,0 +1,30 @@
+> debian/packages_to_build/$$deb_pkg_name; \
 	   echo "pkg_path='$$pkg_path'" >> debian/packages_to_build/$$deb

Bug#1065057: bookworm-pu: package php-composer-xdebug-handler/3.0.3-2+deb12u1

[David Prévot]

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-composer-xdebug-hand...@packages.debian.org, 
t...@security.debian.org
Control: affects -1 + src:php-composer-xdebug-handler
User: release.debian@packages.debian.org
Usertags: pu

[2/9 for bookworm]

This is a follow up from composer/DSA-5632-1.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides changelog entry) in the binary package is the
following (thanks to diffoscope).

│ │ ├── ./usr/share/php/Composer/XdebugHandler/autoload.php
│ │ │ @@ -1,12 +1,12 @@
│ │ │  diff -Nru php-composer-xdebug-handler-3.0.3/debian/autoload.php.tpl php-composer-xdebug-handler-3.0.3/debian/autoload.php.tpl
--- php-composer-xdebug-handler-3.0.3/debian/autoload.php.tpl	1970-01-01 01:00:00.0 +0100
+++ php-composer-xdebug-handler-3.0.3/debian/autoload.php.tpl	2024-02-13 17:13:43.0 +0100
@@ -0,0 +1,30 @@
+  Tue, 13 Feb 2024 17:13:43 +0100
+
 php-composer-xdebug-handler (3.0.3-2) unstable; urgency=medium
 
   * Upload to unstable for composer 2.3
diff -Nru php-composer-xdebug-handler-3.0.3/debian/clean php-composer-xdebug-handler-3.0.3/debian/clean
--- php-composer-xdebug-handler-3.0.3/debian/clean	2022-01-05 14:42:04.0 +0100
+++ php-composer-xdebug-handler-3.0.3/debian/clean	2024-02-13 17:13:43.0 +0100
@@ -1,6 +1,6 @@
 .phpunit.result.cache
 Composer/
-debian/autoload.php.tpl
 debian/autoload.tests.php.tpl
+Psr
 src/autoload.php
 vendor/
diff -Nru php-composer-xdebug-handler-3.0.3/debian/control php-composer-xdebug-handler-3.0.3/debian/control
--- php-composer-xdebug-handler-3.0.3/debian/control	2022-06-17 19:03:15.0 +0200
+++ php-composer-xdebug-handler-3.0.3/debian/control	2024-02-13 17:13:43.0 +0100
@@ -12,7 +12,7 @@
 Standards-Version: 4.6.1
 Homepage: https://github.com/composer/xdebug-handler
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-composer-xdebug-handler
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-composer-xdebug-handler.git -b debian/latest
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-composer-xdebug-handler.git -b debian/bookworm-security
 Rules-Requires-Root: no
 
 Package: php-composer-xdebug-handler
diff -Nru php-composer-xdebug-handler-3.0.3/debian/gbp.conf php-composer-xdebug-handler-3.0.3/debian/gbp.conf
--- php-composer-xdebug-handler-3.0.3/debian/gbp.conf	2022-01-05 15:28:30.0 +0100
+++ php-composer-xdebug-handler-3.0.3/debian/gbp.conf	2024-02-13 17:13:43.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bookworm-security
 filter = [ '.gitattributes' ]
 pristine-tar = True
 upstream-vcs-tag = %(version%~%-)s
diff -Nru php-composer-xdebug-handler-3.0.3/debian/rules php-composer-xdebug-handler-3.0.3/debian/rules
--- php-composer-xdebug-handler-3.0.3/debian/rules	2022-01-05 14:42:04.0 +0100
+++ php-composer-xdebug-handler-3.0.3/debian/rules	2024-02-13 17:13:43.0 +0100
@@ -3,13 +3,14 @@
 	dh $@
 
 override_dh_auto_build:
-	phpabtpl composer.json > debian/autoload.php.tpl
 	phpab \
 		--output src/autoload.php \
 		--template debian/autoload.php.tpl \
 		src
 	mkdir --parents vendor Composer
-	ln -s ../src Composer/XdebugHandler
+	cp -r src Composer/XdebugHandler
+	ln -s /usr/share/php/Composer/Pcre Composer
+	ln -s /usr/share/php/Psr .
 	phpabtpl \
 		--require composer/xdebug-handler \
 		> debian/autoload.tests.php.tpl


signature.asc
Description: PGP signature

Bug#1065056: bookworm-pu: package php-composer-class-map-generator/1.0.0-2+deb12u1

[David Prévot]

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-composer-class-map-genera...@packages.debian.org, 
t...@security.debian.org
Control: affects -1 + src:php-composer-class-map-generator
User: release.debian@packages.debian.org
Usertags: pu

[1/9 for bookworm]

This is a follow up from composer/DSA-5632-1.

In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.

The only change (besides changelog entry) in the binary package is the
following (thanks to diffoscope).

│ │ ├── ./usr/share/php/Composer/ClassMapGenerator/autoload.php
│ │ │ @@ -1,12 +1,12 @@
│ │ │  diff -Nru php-composer-class-map-generator-1.0.0/debian/autoload.php.tpl php-composer-class-map-generator-1.0.0/debian/autoload.php.tpl
--- php-composer-class-map-generator-1.0.0/debian/autoload.php.tpl	1970-01-01 01:00:00.0 +0100
+++ php-composer-class-map-generator-1.0.0/debian/autoload.php.tpl	2024-02-13 17:00:47.0 +0100
@@ -0,0 +1,30 @@
+  Tue, 13 Feb 2024 17:00:52 +0100
+
 php-composer-class-map-generator (1.0.0-2) unstable; urgency=medium
 
   * Upload to unstable
diff -Nru php-composer-class-map-generator-1.0.0/debian/clean php-composer-class-map-generator-1.0.0/debian/clean
--- php-composer-class-map-generator-1.0.0/debian/clean	2021-12-09 12:41:37.0 +0100
+++ php-composer-class-map-generator-1.0.0/debian/clean	2024-02-13 17:00:47.0 +0100
@@ -1,6 +1,6 @@
 .phpunit.result.cache
 Composer/
-debian/autoload.php.tpl
 debian/autoload.tests.php.tpl
 src/autoload.php
+Symfony
 vendor/
diff -Nru php-composer-class-map-generator-1.0.0/debian/control php-composer-class-map-generator-1.0.0/debian/control
--- php-composer-class-map-generator-1.0.0/debian/control	2022-07-26 11:03:24.0 +0200
+++ php-composer-class-map-generator-1.0.0/debian/control	2024-02-13 17:00:47.0 +0100
@@ -13,7 +13,7 @@
 Standards-Version: 4.6.1
 Homepage: https://github.com/composer/class-map-generator
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-composer-class-map-generator
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-composer-class-map-generator.git
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-composer-class-map-generator.git -b debian/bookworm
 Rules-Requires-Root: no
 
 Package: php-composer-class-map-generator
diff -Nru php-composer-class-map-generator-1.0.0/debian/gbp.conf php-composer-class-map-generator-1.0.0/debian/gbp.conf
--- php-composer-class-map-generator-1.0.0/debian/gbp.conf	2021-12-09 12:43:32.0 +0100
+++ php-composer-class-map-generator-1.0.0/debian/gbp.conf	2024-02-13 17:00:47.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bookworm
 filter = [ '.gitattributes' ]
 pristine-tar = True
 upstream-branch = upstream/latest
diff -Nru php-composer-class-map-generator-1.0.0/debian/rules php-composer-class-map-generator-1.0.0/debian/rules
--- php-composer-class-map-generator-1.0.0/debian/rules	2022-07-26 08:11:20.0 +0200
+++ php-composer-class-map-generator-1.0.0/debian/rules	2024-02-13 17:00:47.0 +0100
@@ -3,13 +3,14 @@
 	dh $@
 
 override_dh_auto_build:
-	phpabtpl composer.json > debian/autoload.php.tpl
 	phpab \
 		--output src/autoload.php \
 		--template debian/autoload.php.tpl \
 		src
 	mkdir --parents vendor Composer
-	ln -s ../src Composer/ClassMapGenerator
+	cp -r src Composer/ClassMapGenerator
+	ln -s /usr/share/php/Composer/Pcre Composer
+	ln -s /usr/share/php/Symfony .
 	phpabtpl \
 		--require composer/class-map-generator \
 		--require symfony/filesystem \


signature.asc
Description: PGP signature

Bug#1064018: Testsuite is not run

[Plasma (David Paul)]

On Tue, 27 Feb 2024 11:53:16 +0100
Lukas Märdian  wrote:

> Hey! How does this patch relate to my proposed changes in the
> following MR?
> https://salsa.debian.org/debian/libcbor/-/merge_requests/3

It makes the addition of '-DWITH_TESTS=ON' to the dh_auto_configure
line in your proposed change no longer necessary. Your remaining
proposed changes are unaffected by this patch.

In versions 0.10.2-1.1 and earlier of the libcbor package in Debian,
the testsuite was not run at build time. The WITH_TESTS CMake variable
in the upstream source controlled the running of tests. However, this
is not the idiomatic way to control test execution using CMake and the
package's rules file did not define that variable.

Starting with version 0.10.2-1.2, the package has been modified with my
patch to run the testsuite by default. The testsuite can be skipped by
running CMake with the '-DBUILD_TESTING=OFF' option. Starting with
debhelper version 13.12, dh_auto_configure automatically calls CMake
with that option if the DEB_BUILD_OPTIONS environment variable contains
'nocheck'.

> I cannot see the tests being run at build-time even with the most
> recent upload. Am I missing something?

The testsuite should be run automatically starting with version
0.10.2-1.2. Please confirm you have the right version.

-- 
Plasma

Bug#1041982: Speeding up Symfony 6 transition? [Was: Upcoming transitions (Symfony, PHPUnit, etc.)]

[David Prévot]

control: severity 1039731 serious
control: severity 1051989 serious
control: severity 1051985 serious
control: severity 1039733 serious

Le Wed, Feb 21, 2024 at 08:19:06AM +0100, David Prévot a écrit :
> Le Wed, Jan 03, 2024 at 07:04:12PM +0100, David Prévot a écrit :
> […]
> > I’m in favour of raising the severity of bugs blocking this transition
> > to RC level ASAP: Symfony 6 has been in experimental for a while now
> 
> I intend to do so early next week

And here we are.

Cheers,

taffit


signature.asc
Description: PGP signature

Bug#1064870: thunar: Thunar 100% CPU usage sshfs

[David Christensen]

Package: thunar
Version: 4.16.8-1
Severity: important
X-Debbugs-Cc: dpchr...@holgerdanske.com

Dear Maintainer,

When using Thunar to browse a file system mounted via sshfs, Thunar
sometimes triggers 100% usage of all CPU's.  This persists until Thunar
is killed:

2024-02-26 13:26:03 dpchrist@laalaa ~
$ ps -A | grep -i thunar
   1565 ?00:00:00 panel-27-thunar
   1624 ?00:29:18 Thunar

2024-02-26 13:26:08 dpchrist@laalaa ~
$ kill 1624


David



-- System Information:
Debian Release: 11.9
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 
'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-28-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages thunar depends on:
ii  desktop-file-utils   0.26-1
ii  exo-utils4.16.0-1+deb11u1
ii  libatk1.0-0  2.36.0-2
ii  libc62.31-13+deb11u8
ii  libcairo21.16.0-5
ii  libexo-2-0   4.16.0-1+deb11u1
ii  libgdk-pixbuf-2.0-0  2.42.2+dfsg-1+deb11u1
ii  libglib2.0-0 2.66.8-1+deb11u1
ii  libgtk-3-0   3.24.24-4+deb11u3
ii  libgudev-1.0-0   234-1
ii  libice6  2:1.0.10-1
ii  libnotify4   0.7.9-3
ii  libpango-1.0-0   1.46.2-3
ii  libsm6   2:1.2.3-1
ii  libthunarx-3-0   4.16.8-1
ii  libxfce4ui-2-0   4.16.0-1
ii  libxfce4util74.16.0-1
ii  libxfconf-0-34.16.0-2
ii  shared-mime-info 2.0-1
ii  thunar-data  4.16.8-1

Versions of packages thunar recommends:
ii  dbus-user-session [default-dbus-session-bus]  1.12.28-0+deb11u1
ii  gvfs  1.46.2-1
ii  libxfce4panel-2.0-4   4.16.2-1
ii  policykit-1-gnome [polkit-1-auth-agent]   0.105-7
ii  thunar-volman 4.16.0-1
ii  tumbler   4.16.0-1
ii  udisks2   2.9.2-2+deb11u1
ii  xdg-user-dirs 0.17-2

Versions of packages thunar suggests:
pn  gvfs-backends 
ii  thunar-archive-plugin 0.4.0-2
ii  thunar-media-tags-plugin  0.3.0-2

-- no debconf information

Bug#1064846: kdevelop: Code highlighting breaks when changing compiler

[David James]

Package: kdevelop
Version: 4:23.08.1-2+b1
Severity: normal
X-Debbugs-Cc: davidjamescastor...@proton.me

Dear Maintainer,

When using the default compiler on my system (GCC/G++) the code highlighting
works fine and mousing over variables shows declaration etc.. However, when I
switch the compiler to clang or cross compiling for ARM (by passing 
-DCMAKE_C_COMPILER=/usr/bin/clang in "extra parameters" in the configuration
dialog), the code highlight and variable prediction/help text stops working. 
Keywords like void and extern are still coloured blue, and strings are still 
coloured red, but everything else is just plain.

These were all CMake projects.

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.6.15-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages kdevelop depends on:
ii  kdevelop-data 4:23.08.1-2
ii  kdevelop512-libs  4:23.08.1-2+b1
ii  kinit 5.107.0-1
ii  kio   5.107.0-1+b1
ii  libapr1   1.7.2-3+b2
ii  libaprutil1   1.6.3-1+b1
ii  libastyle33.1-3+b1
ii  libc6 2.37-15
ii  libclang1-16  1:16.0.6-19
ii  libgcc-s1 14-20240201-3
ii  libgrantlee-templates5 [grantlee5-templates-5-3]  5.3.1-3+b1
ii  libkasten4controllers05:0.26.15-1
ii  libkasten4core0   5:0.26.15-1
ii  libkasten4okteta2controllers0 5:0.26.15-1
ii  libkasten4okteta2core05:0.26.15-1
ii  libkasten4okteta2gui0 5:0.26.15-1
ii  libkf5archive55.107.0-1+b1
ii  libkf5bookmarks5  5.107.0-1+b1
ii  libkf5codecs5 5.107.0-1+b1
ii  libkf5completion5 5.107.0-1+b1
ii  libkf5configcore5 5.107.0-1+b1
ii  libkf5configgui5  5.107.0-1+b1
ii  libkf5configwidgets5  5.107.0-2+b1
ii  libkf5coreaddons5 5.107.0-1+b1
ii  libkf5crash5  5.107.0-1+b1
ii  libkf5declarative55.107.0-1+b1
ii  libkf5guiaddons5  5.107.0-1+b1
ii  libkf5i18n5   5.107.0-1+b1
ii  libkf5iconthemes5 5.107.0-1+b1
ii  libkf5itemmodels5 5.107.0-1+b1
ii  libkf5itemviews5  5.107.0-1+b1
ii  libkf5jobwidgets5 5.107.0-1+b1
ii  libkf5kiocore55.107.0-1+b1
ii  libkf5kiofilewidgets5 5.107.0-1+b1
ii  libkf5kiogui5 5.107.0-1+b1
ii  libkf5kiowidgets5 5.107.0-1+b1
ii  libkf5newstuffcore5   5.107.0-2+b1
ii  libkf5newstuffwidgets55.107.0-2+b1
ii  libkf5parts5  5.107.0-1+b1
ii  libkf5purpose-bin 5.107.0-1+b1
ii  libkf5purpose55.107.0-1+b1
ii  libkf5service-bin 5.107.0-1+b1
ii  libkf5service55.107.0-1+b1
ii  libkf5sonnetui5   5.107.0-1+b1
ii  libkf5texteditor5 5.107.0-1+b1
ii  libkf5textwidgets55.107.0-1+b1
ii  libkf5threadweaver5   5.107.0-1+b1
ii  libkf5widgetsaddons5  5.107.0-1+b1
ii  libkf5xmlgui5 5.107.0-1+b1
ii  libkomparediff2-5 4:22.12.3-1
ii  libokteta3core0   5:0.26.15-1
ii  libokteta3gui05:0.26.15-1
ii  libprocesscore9   4:5.27.10-1
ii  libprocessui9 4:5.27.10-1
ii  libqt5core5a  5.15.10+dfsg-7
ii  libqt5dbus5   5.15.10+dfsg-7
ii  libqt5gui55.15.10+dfsg-7
ii  

Bug#1064641: Useless in Debian

[David Prévot]

Package: php-sql-formatter
Version: 1.2.17+dct1.1.3-1
Severity: serious
Tags: sid trixie

[ Filled as an RC-bug by the maintainer to see the package auto-removed
  from testing. ]

I packaged php-sql-formatter as used by php-doctrine-bundle, but
php-doctrine-bundle got removed a while ago from testing (cf. #996108)
and unstable (cf. #1036726). There is a priori little point to ship
php-sql-formatter in the next (or current TBH) stable Debian release.

I intend to follow up with an RM request in a few months if nobody
objects (but feel free to beat me to it).

Regards

David


signature.asc
Description: PGP signature

Bug#1064538: perftest FTBFS on hppa: get_cycles not implemented

[John David Anglin]

Source: perftest
Version: 24.01.0+0.38-1
Severity: normal
Tags: ftbfs patch

Dear Maintainer,

See:
https://buildd.debian.org/status/fetch.php?pkg=perftest=hppa=24.01.0%2B0.38-1=1708389231=0

Attached patch fixes build.  Please install.

Regards,
Dave Anglin


-- System Information:
Debian Release: trixie/sid
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable')
Architecture: hppa (parisc64)

Kernel: Linux 6.1.77+ (SMP w/4 CPU threads)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
--- ./src/get_clock.h.save  2024-02-23 21:28:08.358672860 +
+++ ./src/get_clock.h   2024-02-23 21:34:51.861653976 +
@@ -114,6 +114,14 @@
return perf_get_cycles();
 }
 
+#elif defined(__hppa__)
+typedef unsigned long long cycles_t;
+static inline cycles_t get_cycles(void)
+{
+   cycles_t clk;
+   asm volatile("mfctl %%cr16, %0" : "=r" (clk));
+   return clk;
+}
 #else
 #warning get_cycles not implemented for this architecture: attempt asm/timex.h
 #include 

Bug#1064468: Settings schema 'org.gnome.desktop.a11y.interface' does not contain a key named 'show-status-shapes'

[David Mandelberg]

Package: gnome-settings-daemon
Version: 46~beta-1

After a recent upgrade, many applications running under gnome X11 
stopped using gnome's settings. (Like large text, cursor theme, etc.) 
Digging into it, I found that org.gnome.SettingsDaemon.XSettings.service 
had failed to start with this error message:


feb 21 23:54:27 solaria gsd-xsettings[2760]: Settings schema 
'org.gnome.desktop.a11y.interface' does not contain a key named 
'show-status-shapes'


Upgrading gsettings-desktop-schemas from 45.0-2 to 46~beta-3 seems to 
have fixed the problem. So I think gnome-settings-daemon's dependency on 
gsettings-desktop-schemas (>= 42~) should be updated to require a newer 
version?

Bug#1064381: ITP: elfkickers -- collection of programs that access and manipulate ELF files

[David Bremner]

Gürkan Myczko  writes:

> On 21.02.2024 12:28, David Bremner wrote:

> Being the universal operating system, these tools are certainly not for 
> normal users
> but more like developers and people in the embedded area.
>

I include developers in people who don't care about the implementation,

> I have found sstrip to squeeze away some more kilobytes from binaries.

A list of the tools with what they do would be more useful.

> Similar like elfutils it will only be interesting to people that want to 
> use it.

Sure, I'm not talking about making it interesting for every user, just
having a description that helps someone in the target audience find the
package and/or know if they want to install it.

Bug#1064381: ITP: elfkickers -- collection of programs that access and manipulate ELF files

[David Bremner]

Gürkan Myczko  writes:
>   This distribution is a collection of programs that are generally
>   unrelated, except in that they all deal with the ELF file format.
>   .
>   The main purpose of these programs is to be illustrative and
>   educational -- to help fellow programmers understand the ELF file
>   format and something of how it works under the Linux platform. For the
>   most part, these programs have limited real-world utility.
>   .
>   With the exception of shared use of the elfrw static library, each
>   program is independent of the others. There is no other shared code
>   between them, and they all take slightly different approaches to
>   handling ELF files.

I question how helpful this description is helpful for users of a
binary distribution like Debian, who are (IMHO) generally more focused
on functionality than studying the implementation of programs.

Bug#1041982: Speeding up Symfony 6 transition? [Was: Upcoming transitions (Symfony, PHPUnit, etc.)]

[David Prévot]

Hi,

Le Wed, Jan 03, 2024 at 07:04:12PM +0100, David Prévot a écrit :
[…]
> I’m in favour of raising the severity of bugs blocking this transition
> to RC level ASAP: Symfony 6 has been in experimental for a while now

I intend to do so early next week: symfony 6 was introduced in
experimental during the latest Debian Reunion Hamburg, and I wish to
proceed with the transition during the next MiniDebCampHamburg happening
early March (in less than two weeks).

https://wiki.debian.org/DebianEvents/de/2024/MiniDebCampHamburg

This transition should not interfere with any other one, and should not
even need any help from the Release Team (no binNMU since they’re all
arch:all packages), yet they were helpful last time to speed it up by
removing blocking packages from testing because we didn’t raise the
blocking bug severity early enough.

Regards,

taffit


signature.asc
Description: PGP signature

Bug#682397: darktable: recommend opencl package

[David Bremner]

Tino Mettler via Pkg-phototools-devel
 writes:

>
> This is a general issue that the darktable package can not change.  So
> I propose to close this bug.
>
> Regards,
> Tino

I wonder if having the bug helps people see that there is no point in
filing more bugs on the same topic. I guess we can always leave the next
OpenCL bug open if that occurs.

Bug#1064043: closed by Michael Biebl (Re: Bug#1064043: systemd: /etc/fstab x-systemd.automount mount points, x-systemd.idle-timeout changes not effective)

[David Sauvage - AdaLabs Ltd]

On 2/16/24 16:01, Michael Biebl wrote:

Am 16.02.24 um 12:51 schrieb David Sauvage - AdaLabs Ltd:


the changes are not applied even after restarting the mount unit 
mnt-resource.mount. (when already mounted or not)




Have you restarted the corresponding mnt-resource.automount unit as well?


changes updated successfully after restarting mnt-resource.automount 
unit as well.


Sorry for the noise.

Bug#1064043: closed by Michael Biebl (Re: Bug#1064043: systemd: /etc/fstab x-systemd.automount mount points, x-systemd.idle-timeout changes not effective)

[David Sauvage - AdaLabs Ltd]

the changes are not applied even after restarting the mount unit 
mnt-resource.mount. (when already mounted or not)


Regards,

Bug#1064043: systemd: /etc/fstab x-systemd.automount mount points, x-systemd.idle-timeout changes not effective

[David Sauvage]

Package: systemd
Version: 247.3-7+deb11u4
Severity: normal
X-Debbugs-Cc: david.sauv...@adalabs.com

Dear Maintainer,

Having a successful CFIS remote mount point specification using 
x-systemd.automount in /etc/fstab, after the first mount when the 
x-systemd.idle-timeout is changed, and necessary systemd updates run, the old 
idle timeout value is still the effective one, instead of the newly specified 
idle timeout value

Given;
- a successful CFIS remote mount point specification using x-systemd.automount 
in /etc/fstab [0]
- command systemctl daemon-reload executed successfully, and
- command systemctl restart remote-fs.target executed successfully, and
- the resource above has been automatically mounted when needed and unmount 
after the idle timeout at least one time

When;
- the corresponding resource is currently not mounted
- the x-systemd.idle-timeout parameter is changed (i.e from 900 to 60) in the 
/etc/fstab, and
- command systemctl daemon-reload executed successfully, and
- command systemctl restart remote-fs.target executed successfully

Then;
- The effective idle timeout is still the old one (i.e 900) instead of the 
newly specified value (i.e 60)
- The generated file /run/systemd/generator/mnt-resource.mount [3] have the 
correct updated idle timeout value (i.e 60)
- However, corresponding entries in /proc/mounts [1] and /proc/self/mountinfo 
[2] contains the old idle timeout value (i.e 900), which is the effective one, 
and not the newly specified idle timeout value (i.e 60).


[0] /etc/fstab
//W.X.Y.Z/Resource  /mnt/resource  cifs  
noauto,x-systemd.automount,x-systemd.idle-timeout=900,credentials=/dir/my-credentials,dir_mode=0755,file_mode=0644,uid=1000,gid=1000
 0

[1] /proc/mounts
systemd-1 /mnt/resource autofs 
rw,relatime,fd=52,pgrp=1,timeout=900,minproto=5,maxproto=5,direct,pipe_ino=13164
 0 0

[2] /proc/self/mountinfo
82 26 0:32 / /mnt/resource rw,relatime shared:42 - autofs systemd-1 
rw,fd=52,pgrp=1,timeout=900,minproto=5,maxproto=5,direct,pipe_ino=13164

[3] /run/systemd/generator/mnt-resource.mount
# Automatically generated by systemd-fstab-generator

[Unit]
Documentation=man:fstab(5) man:systemd-fstab-generator(8)
SourcePath=/etc/fstab

[Mount]
Where=/mnt/resource
What=//W.X.Y.Z/Resource
Type=cifs
Options=noauto,x-systemd.automount,x-systemd.idle-timeout=60,credentials=/dir/my-credentials,dir_mode=0755,file_mode=0644,uid=1000,gid=1000

-- Package-specific info:

-- System Information:
Debian Release: 11.8
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 
'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-26-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages systemd depends on:
ii  adduser  3.118+deb11u1
ii  libacl1  2.2.53-10
ii  libapparmor1 2.13.6-10
ii  libaudit11:3.0-2
ii  libblkid12.36.1-8+deb11u1
ii  libc62.31-13+deb11u7
ii  libcap2  1:2.44-1
ii  libcrypt11:4.4.18-4
ii  libcryptsetup12  2:2.3.7-1+deb11u1
ii  libgcrypt20  1.8.7-6
ii  libgnutls30  3.7.1-5+deb11u3
ii  libgpg-error01.38-2
ii  libip4tc21.8.7-1
ii  libkmod2 28-1
ii  liblz4-1 1.9.3-2
ii  liblzma5 5.2.5-2.1~deb11u1
ii  libmount12.36.1-8+deb11u1
ii  libpam0g 1.4.0-9+deb11u1
ii  libseccomp2  2.5.1-1+deb11u1
ii  libselinux1  3.1-3
ii  libsystemd0  247.3-7+deb11u4
ii  libzstd1 1.4.8+dfsg-2.1
ii  mount2.36.1-8+deb11u1
ii  util-linux   2.36.1-8+deb11u1

Versions of packages systemd recommends:
ii  dbus 1.12.28-0+deb11u1
ii  systemd-timesyncd [time-daemon]  247.3-7+deb11u4

Versions of packages systemd suggests:
pn  policykit-1
pn  systemd-container  

Versions of packages systemd is related to:
pn  dracut   
ii  initramfs-tools  0.140
ii  libnss-systemd   247.3-7+deb11u4
ii  libpam-systemd   247.3-7+deb11u4
ii  udev 247.3-7+deb11u4

-- no debconf information

Bug#1064018: [PATCH] #1064018: Enable testsuite

[Plasma (David Paul)]

Control: tags 1064018 + patch

Dear Maintainer,

Attached is a debdiff patch which fixes #1064018.

Questions/comments welcome.

Thanks,

-- 
Plasma
diff -Nru libcbor-0.10.2/debian/changelog libcbor-0.10.2/debian/changelog
--- libcbor-0.10.2/debian/changelog	2023-10-05 01:47:27.0 -0500
+++ libcbor-0.10.2/debian/changelog	2024-02-12 23:12:22.0 -0600
@@ -1,3 +1,16 @@
+libcbor (0.10.2-1.2) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * d/p/Fix-non-standard-testing.patch:
+Enable testing by default and toggle testing based on
+BUILD_TESTING CMake variable. (Closes: 1064018)
+  * d/control: Build-Depend-Arch on debhelper (>= 13.12~) when 
+build profile is active because the BUILD_TESTING CMake variable is
+automatically set to OFF for nocheck builds starting with
+debhelper 13.12.
+
+ -- Plasma (David Paul)   Thu, 15 Feb 2024 20:46:41 -0600
+
 libcbor (0.10.2-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru libcbor-0.10.2/debian/control libcbor-0.10.2/debian/control
--- libcbor-0.10.2/debian/control	2023-10-05 01:47:27.0 -0500
+++ libcbor-0.10.2/debian/control	2024-02-12 23:11:57.0 -0600
@@ -3,6 +3,7 @@
 Maintainer: Vincent Bernat 
 Build-Depends: debhelper-compat (= 13),
 Build-Depends-Arch: cmake,
+debhelper (>= 13.12~) ,
 libcmocka-dev ,
 Build-Depends-Indep: dh-sequence-sphinxdoc,
  doxygen,
--- libcbor-0.10.2/debian/patches/Fix-non-standard-testing.patch	1969-12-31 18:00:00.0 -0600
+++ libcbor-0.10.2/debian/patches/Fix-non-standard-testing.patch	2024-02-12 23:12:22.0 -0600
@@ -0,0 +1,52 @@
+Description: Use idiomatic CMake to control testsuite execution.
+ Rather than creating and relying upon a WITH_TESTS variable in the top-level
+ CMakeLists.txt file, instead make use of the BUILD_TESTING variable defined
+ by the included CTest module. Also remove the enable_testing() command
+ invocation in CMakeLists.txt and instead rely on the one in the CTest module
+ which gets run whenever the BUILD_TESTING variable is not set to OFF.
+Author: Plasma (David Paul) 
+Bug-Debian: https://bugs.debian.org/1064018
+Forwarded: no
+Last-Update: 2024-02-15
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: libcbor-0.10.2/CMakeLists.txt
+===
+--- libcbor-0.10.2.orig/CMakeLists.txt
 libcbor-0.10.2/CMakeLists.txt
+@@ -29,11 +29,6 @@ option(CBOR_PRETTY_PRINTER "Include a pr
+ set(CBOR_BUFFER_GROWTH "2" CACHE STRING "Factor for buffer growth & shrinking")
+ set(CBOR_MAX_STACK_SIZE "2048" CACHE STRING "maximum size for decoding context stack")
+ 
+-option(WITH_TESTS "[TEST] Build unit tests (requires CMocka)" OFF)
+-if(WITH_TESTS)
+-add_definitions(-DWITH_TESTS)
+-endif(WITH_TESTS)
+-
+ option(WITH_EXAMPLES "Build examples" ON)
+ 
+ option(HUGE_FUZZ "[TEST] Fuzz through 8GB of data in the test. Do not use with memory instrumentation!" OFF)
+@@ -97,8 +92,6 @@ else()
+ add_definitions(-DEIGHT_BYTE_SIZE_T)
+ endif()
+ 
+-enable_testing()
+-
+ set(CTEST_MEMORYCHECK_COMMAND "/usr/bin/valgrind")
+ set(MEMORYCHECK_COMMAND_OPTIONS "--tool=memcheck --track-origins=yes --leak-check=full --error-exitcode=1")
+ 
+@@ -168,12 +161,12 @@ if(use_lto)
+ set_property(DIRECTORY src PROPERTY INTERPROCEDURAL_OPTIMIZATION TRUE)
+ endif(use_lto)
+ 
+-if (WITH_TESTS)
++if (BUILD_TESTING)
+ add_subdirectory(test)
+ if(use_lto)
+ set_property(DIRECTORY test PROPERTY INTERPROCEDURAL_OPTIMIZATION TRUE)
+ endif(use_lto)
+-endif (WITH_TESTS)
++endif (BUILD_TESTING)
+ 
+ if (WITH_EXAMPLES)
+ add_subdirectory(examples)
--- libcbor-0.10.2/debian/patches/series	1969-12-31 18:00:00.0 -0600
+++ libcbor-0.10.2/debian/patches/series	2024-02-11 16:49:18.0 -0600
@@ -0,0 +1 @@
+Fix-non-standard-testing.patch

Bug#1064012: RFS: oaknut/2.0.2-1 [ITP] -- C++20 assembler for AArch64 (ARMv8.0 to ARMv8.2)

[David James]

Package: sponsorship-requests
Severity: wishlist
X-Debbugs-Cc: davidjamescastor...@proton.me

Dear mentors,

I am looking for a sponsor for my package "oaknut":

 * Package name : oaknut
   Version  : 2.0.2-1
   Upstream contact : merryhime <https://mary.rs/>
 * URL  : https://github.com/merryhime/oaknut
 * License  : Expat
 * Vcs  : https://salsa.debian.org/Castor216/oaknut
   Section  : libdevel

The source builds the following binary packages:

  liboaknut-dev - C++20 assembler for AArch64 (ARMv8.0 to ARMv8.2)

To access further information about this package, please visit the following 
URL:

  https://mentors.debian.net/package/oaknut/

Alternatively, you can download the package with 'dget' using this command:

  dget -x 
https://mentors.debian.net/debian/pool/main/o/oaknut/oaknut_2.0.2-1.dsc

Changes for the initial release:

 oaknut (2.0.2-1) unstable; urgency=medium
 .
   * Initial release. (Closes: #1061078)

Regards,
-- 
  David James

Bug#979332: New upstream version

[David Prévot]

Control: severity -1 serious

Le Mon, Feb 12, 2024 at 06:15:27PM -0700, skizz...@skizzerz.net a écrit :
> Seems the current version is causing errors due to using syntax removed in
> PHP 8. I'm seeing the following error message:
> TypeError: implode(): Argument #2 ($array) must be of type ?array, string
> given /usr/share/php/simplepie/library/SimplePie/Parse/Date.php(544)
> 
> This was fixed upstream a while ago, so I'm bumping this bug in hopes that
> the package can be updated. The dokuwiki package depends on this one and
> is broken on the pages that make use of the library, causing some wiki pages
> to become inaccessible after an upgrade to bookworm.

Increasing the severity accordingly (it affects stable too I assume…).

Regards

David


signature.asc
Description: PGP signature

Bug#1063748: ITP: pythonprop -- graphical interface to the VOACAP HF propagation engine

[David da Silva Polverari]

Package: wnpp
Severity: wishlist
Owner: David da Silva Polverari 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: pythonprop
  Version : 0.30.1
  Upstream Contact: James Watson 
* URL : https://github.com/jawatson/pythonprop
* License : GPL-2+
  Programming Lang: Python3
  Description : graphical interface to the VOACAP HF propagation engine
   pythonprop is a collection of Python 3 scripts designed to create VOACAP
   input (.dat) files and plot the resulting predictions.
   .
   It can be used either in point-to-point (P2P) mode, to produce HF (High
   Frequency) propagation predictions between two fixed locations, or in area
   mode, to produce HF propagation plots over a user-defined area from a fixed
   transmit site.
   .
   This package provides the voacapgui, voaP2PPlot and voaAreaPlot scripts. It 
is
   useful for making HF (High Frequency) circuit prediction for amateur radio
   ("ham radio") operators.

This package provides a GUI for the voacapl package [1]. I plan to
maintain it by myself initially, later proposing to include it on the
Debian Hamradio Team. I don't need a sponsor.

[1] https://bugs.debian.org/1063747

-- 
⢀⣴⠾⠻⢶⣦⠀ David da Silva Polverari 
⣾⠁⢠⠒⠀⣿⡁
⢿⡄⠘⠷⠚⠋⠀ Debian: The universal operating system
⠈⠳⣄

Bug#1063747: ITP: voacapl -- HF circuit prediction engine

[David da Silva Polverari]

Package: wnpp
Severity: wishlist
Owner: David da Silva Polverari 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: voacapl
  Version : 0.7.6
  Upstream Contact: James Watson 
* URL : https://github.com/jawatson/voacapl
* License : special (public domain), CC0-1.0 and GPL-3+ parts
  Programming Lang: Fortran
  Description : HF circuit prediction engine
   voacapl is an implementation of VOACAP, the NTIA/ITS professional HF (high
   frequency) propagation prediction program, originally developed for Voice of
   America (VOA). It reads input files in the standard VOACAP format and writes
   point-to-point or area prediction data to an output file (or files).
   .
   voacapl helps amateur radio operators ("hams") predict point-to-point path
   loss and coverage of a given transceiver if given as inputs the transmitting
   and receiving antennas, solar weather, and time/date.
   .
   The suggested pythonprop package provides a graphical interface for voacapl,
   accepting inputs as fields and plotting the results as graphics.

VOACAP (Voice of America Coverage Analysis Program) is a modified
version of IONCAP (Ionospheric Communication Analysis and Prediction
Program), developed for use by Voice Of America (VOA).

Originally, IONCAP was developed by the National Telecommunications and
Information Administration (NTIA), being a model that has been under
development by the U.S. Government since 1942. The strength of the model
is that it uses world maps of ionospheric parameters to construct the
ionospheric path and uses path-specific statistics to evaluate the
system performance factors.

IONCAP was selected by the VOA in 1985 because it provided the system
performance analysis capability they needed for design specifications
and it had a proven track record.

VOACAP's enhanced model is used worldwide to predict HF point-to-point
or area data. It is often used on Microsoft Windows, distributed inside
the HFWIN32 suite [1], where it is called VOACAPW.

There is a shortage of HF prediction packages on Debian. In the past, I
had to resort to using Windows machines to make HF predictions. Thus, I
intend to package voacapl, along with its companion GUI, pythonprop,
which depends on it.

Initially, I plan to package it by myself, and I will propose including
it in the Debian Hamradio Team. I don't need a sponsor. I have already
packaged them both, and just need to make some minor adjustments.

[1] http://www.greg-hand.com/hfwin32.html

-- 
⢀⣴⠾⠻⢶⣦⠀ David da Silva Polverari 
⣾⠁⢠⠒⠀⣿⡁
⢿⡄⠘⠷⠚⠋⠀ Debian: The universal operating system
⠈⠳⣄

Bug#1063185: readpe: NMU diff for 64-bit time_t transition

[David da Silva Polverari]

Dear Steve,

First of all, thanks for your report and for the work on the transition!

After having a look at [1] and [2], I found the only reported problem
was due to the usage of a pointer to the pe_ctx structure (typedef'ed as
pe_ctx_t) [3] as the first parameter of the exported functions from
libpe, as its map_size field is of type off_t ("Base type has been
changed from long to long long. Recompilation of a client program may be
broken.").

The output of `apt rdepends libpe1` shows that only the binaries built
by readpe depend on it. Besides, within readpe itself, there is only one
mention to accessing the map_size field directly outside of libpe, and
it is commented out [4].

That said, I am not sure that including readpe in the transition will be
necessary, but maybe I have overlooked something. But I thought I should
add this information here.

[1] 
https://adrien.dcln.fr/misc/armhf-time_t/2024-02-01T09:53:00/compat_reports/libpe-dev/base_to_lfs/compat_report.html
[2] 
https://adrien.dcln.fr/misc/armhf-time_t/2024-02-01T09:53:00/compat_reports/libpe-dev/lfs_to_time_t/compat_report.html
[3] 
https://salsa.debian.org/pkg-security-team/readpe/-/blob/debian/master/lib/libpe/include/libpe/context.h?ref_type=heads#L72
[4] 
https://salsa.debian.org/pkg-security-team/readpe/-/blob/debian/master/src/pescan.c?ref_type=heads#L372

Regards,

-- 
⢀⣴⠾⠻⢶⣦⠀ David da Silva Polverari 
⣾⠁⢠⠒⠀⣿⡁
⢿⡄⠘⠷⠚⠋⠀ Debian: The universal operating system
⠈⠳⣄

Bug#1063659: nginx: Set worker_cpu_affinity in default configuration

[David Gilman]

Package: nginx
Version: 1.22.1-9
Severity: wishlist
X-Debbugs-Cc: davidgilm...@gmail.com

Dear Maintainer,

Please consider setting `worker_cpu_affinity auto;` in the default
nginx.conf. The default configuration already sets `worker_processes
auto;` to direct nginx to spin up a worker process on each CPU. The auto
setting for worker_cpu_affinity is the sibling setting for auto
worker_processes, it takes each of those worker processes and pins them
to a unique CPU.

-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (991, 'stable-updates'), (991, 'stable-security'), (990, 
'stable'), (600, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-17-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nginx depends on:
ii  iproute2  6.1.0-3
ii  libc6 2.36-9+deb12u4
ii  libcrypt1 1:4.4.36-4
ii  libpcre2-8-0  10.42-1
ii  libssl3   3.0.11-1~deb12u2
pn  nginx-common  
ii  zlib1g1:1.2.13.dfsg-1

nginx recommends no packages.

nginx suggests no packages.

Bug#1061429: tomboy-ng copy and paste error

[David Bannon]

Hi Shawn, sorry about a slow response to your report, for reasons I 
don't understand, it was not forwarded to my address. Lets see if it is 
this time !


I am unable to replicate your problem I am afraid. I have a Trixie Gnome 
install running in a VM and find I can copy and paste backwards and 
forwards between tomboy-ng and either the Gnome Text Editor or a 
terminal session without any surprises.


Can you advise me of what 'other' application you used in your failed 
test ?  tomboy-ng is happy to send and receive plain text, uft8 text or 
rtf to the clipboard. Its pretty unlikely your test application cannot 
handle at least one of those 


David

Bug#1063150: python3-samba: errors when executiong update-initramfs

[Erwan David]

Package: python3-samba
Version: 2:4.19.4+dfsg-3
Severity: normal

When executing update-initramfs (triggered by a mdadm upgrade), I get following
errors

  
/usr/lib/python3/dist-packages/samba/tests/dns_forwarder_helpers/server.py:80: 
SyntaxWarning: invalid escape sequence '\s'
  m = re.match(b'^timeout\s+([\d.]+)$', data.strip())
  /usr/lib/python3/dist-packages/samba/tests/samba_tool/join_member.py:43: 
SyntaxWarning: invalid escape sequence '\s'
  existing_records = re.findall('A:\s+(\d+\.\d+\.\d+\.\d+)\s', out)
  /usr/lib/python3/dist-packages/samba/tests/samba_tool/ntacl.py:93: 
SyntaxWarning: invalid escape sequence '\s'
  self.assertNotRegex(err, '^\s*File [^,]+, line \d+, in',
  
/usr/lib/python3/dist-packages/samba/tests/samba_tool/user_virtualCryptSHA.py:42:
 SyntaxWarning: invalid escape sequence '\s'
  p = re.compile("^" + name + ":\s+(\S+)")
  
/usr/lib/python3/dist-packages/samba/tests/samba_tool/user_virtualCryptSHA_base.py:42:
 SyntaxWarning: invalid escape sequence '\s'
  p = re.compile("^" + name + ":\s+(\S+)")



-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'stable-security'), (600, 'unstable'), 
(500, 'stable-updates'), (500, 'proposed-updates'), (400, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.13-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3-samba depends on:
ii  libbsd0   0.11.8-1
ii  libc6 2.37-15~deb13u1
ii  libgnutls30   3.8.3-1
ii  libldb2   2:2.8.0+samba4.19.4+dfsg-3
ii  libpython3.11 3.11.7-2
ii  libtalloc22.4.2-1
ii  libtevent00.16.1-1
ii  python3   3.11.6-1
ii  python3-ldb   2:2.8.0+samba4.19.4+dfsg-3
ii  python3-talloc2.4.2-1
ii  python3-tdb   1.4.10-1
ii  samba-libs [libndr3]  2:4.19.4+dfsg-3

Versions of packages python3-samba recommends:
pn  python3-gpg  

python3-samba suggests no packages.

-- no debconf information

Bug#1063096: python3-webview: proxy_tools dependency not found

[David Purton]

Package: python3-webview
Version: 4.4.1+dfsg-1
Severity: important

Dear Maintainer,

With the upgrade to python3-webview from 3.3.5 to 4.4.1, the package is
no longer usable.

The package is unable to find the module proxy_tools.

For example, a simple script using webview fails:

---
#!/bin/python3
import webview
webview.create_window(title = 'Captive Portal Login', 
  url = 'http://network-test.debian.org/nm',
  width = 1024,
  height = 768,
  min_size = (1024, 768),
  resizable = False)
webview.start()
---

The error is:

---
Traceback (most recent call last):
  File "/home/user/bin/captiveportal.py", line 3, in 
import webview
  File "/usr/lib/python3/dist-packages/webview/__init__.py", line 23, in 

from proxy_tools import module_property
ModuleNotFoundError: No module named 'proxy_tools'
---

Presumably, python3-proxy_tools needs to be packaged and added to the
dependencies of python3-webview.

Thanks!

David

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (400, 'unstable'), (300, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.6.13-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3-webview depends on:
ii  gir1.2-webkit2-4.1   2.42.4-1
ii  python3 [python3-supported-min]  3.11.6-1
ii  python3-bottle   0.12.25-1
ii  python3-gi   3.46.0-3
ii  python3-gi-cairo 3.46.0-3
ii  python3-typing-extensions4.7.1-2

python3-webview recommends no packages.

python3-webview suggests no packages.

-- no debconf information

Bug#1062838: openconnect: NMU diff for 64-bit time_t transition

[David Woodhouse]

This looks like overkill to me, for openconnect.

There's precisely one function exported from libopenconnect which uses
time_t, and I suspect there aren't any *users* of that function in the
distribution anyway (neither openconnect(8) nor NetworkManager-
openconnect use it). So although it's not best practice, we could
actually get away with just *dropping* that function, and adding a new
function which returns either an explicit 64-bit value or a timespec or
something.

Alternatively... on how many of our 64-bit architectures can we just
return the high 32 bits of the 64-bit time_t in a register that we
call-clobbered anyway — so callers who expect a 64-bit time_t get to
see it all, and callers who expect a 32-bit time_t just don't notice?
The contents of the *low* 32 bits are the same either way, right? 

It definitely doesn't seem like we need to switch to a new soname ...
except *are* you switching the soname? Or just the package name? It
looks like the symbol versions are remaining the *same*...? How does
that work?

On Sat, 2024-02-03 at 16:13 -0300, Lucas Kanashiro wrote:
> Source: openconnect
> Version: 9.12-1
> Severity: serious
> Tags: patch pending sid trixie
> Justification: library ABI skew on upgrade
> User: debian-...@lists.debian.org
> Usertags: time-t
> 
> NOTICE: these changes must not be uploaded to unstable yet!
> 
> Dear maintainer,
> 
> As part of the 64-bit time_t transition required to support 32-bit
> architectures in 2038 and beyond
> (https://wiki.debian.org/ReleaseGoals/64bit-time), we have identified
> openconnect as a source package shipping runtime libraries whose ABI
> either is affected by the change in size of time_t, or could not be
> analyzed via abi-compliance-checker (and therefore to be on the safe
> side we assume is affected).
> 
> To ensure that inconsistent combinations of libraries with their
> reverse-dependencies are never installed together, it is necessary to
> have a library transition, which is most easily done by renaming the
> runtime library package.
> 
> Since turning on 64-bit time_t is being handled centrally through a
> change
> to the default dpkg-buildflags (https://bugs.debian.org/1037136), it
> is
> important that libraries affected by this ABI change all be uploaded
> close
> together in time.  Therefore I have prepared a 0-day NMU for
> openconnect
> which will initially be uploaded to experimental if possible, then to
> unstable after packages have cleared binary NEW.
> 
> Please find the patch for this NMU attached.
> 
> If you have any concerns about this patch, please reach out ASAP. 
> Although
> this package will be uploaded to experimental immediately, there will
> be a
> period of several days before we begin uploads to unstable; so if
> information
> becomes available that your package should not be included in the
> transition,
> there is time for us to amend the planned uploads.
> 
> 
> 
> -- System Information:
> Debian Release: trixie/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 6.2.0-39-generic (SMP w/32 CPU threads; PREEMPT)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
> TAINT_UNSIGNED_MODULE
> Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not
> set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)



smime.p7s
Description: S/MIME cryptographic signature

Bug#1062366: nullmailer: adminaddr should also set From on mails from root@localhost

[David Bremner]

Martin-Éric Racine  writes:
>
> The /etc/nullmailer/adminaddr address should also define the From for
> messages sent BY root, not just TO root, and use it to make nullmailer
> overwrite any outgoing root@defaultdomain message.
>

Hi Martin-Éric;

Just to confirm, this seems like an upstream issue that I should
forward?

d

Bug#1061774: nmu: pngcheck_3.0.3-1

[David da Silva Polverari]

On Mon, Jan 29, 2024 at 04:45:59PM +0100, Filip Hroch wrote:
> Dear Release Team,
> 
> may I ask you to rebuild pngcheck package against to
> the current version of zlib?
> 
> I'm maintainer of fitspng package having bug #1059970,
> and I found that the bug is not related on fitspng itself.
> Actually, it is caused by pngcheck during CI tests
> verification. The current binary of pngcheck is compiled
> against an old zlib yet, and needs a recompilation.
> 
In my opinion, there is no need for a rebuild. This is just a warning
that upstream deemed useful to include on the program. If tests are
failing because of that, I believe that fitspng tests are the ones that
should be updated to take that behaviour into account (using
allow-stderr and grepping for the 'OK', for example). If zlib's SONAME
hasn't changed, there's not need to link against a newer version.

Regards,
David

Bug#1061733: RFS: dds-ktx/0.0~git20230626,c3ca8fe-1 -- Header-only library for parsing KTX textures

[David James]

Package: sponsorship-requests
Severity: normal
X-Debbugs-Cc: davidjamescastor...@proton.me

From: David James 
To: sub...@bugs.debian.org
Subject: RFS: dds-ktx/0.0~git20230626.c3ca8fe-1 [ITP] -- Header-only library 
for parsing KTX textures

Package: sponsorship-requests
Severity: wishlist

Dear mentors,

I am looking for a sponsor for my package "dds-ktx":

 * Package name : dds-ktx
   Version  : 0.0~git20230626.c3ca8fe-1
   Upstream contact : sep...@pm.me
 * URL  : https://github.com/septag/dds-ktx
 * License  : BSD-2-clause
 * Vcs  : https://salsa.debian.org/Castor216/dds-ktx
   Section  : libs

The source builds the following binary packages:

  dds-ktx-header - Header-only library for parsing KTX textures

To access further information about this package, please visit the following 
URL:

  https://mentors.debian.net/package/dds-ktx/

Alternatively, you can download the package with 'dget' using this command:

  dget -x 
https://mentors.debian.net/debian/pool/main/d/dds-ktx/dds-ktx_0.0~git20230626.c3ca8fe-1.dsc

Changes for the initial release:

 dds-ktx (0.0~git20230626.c3ca8fe-1) unstable; urgency=medium
 .
   * Initial release. (Closes: #1060208)

Notes:
This is one of the two remaining depedencies for the Citra Nintendo 3DS
emulator.

Regards,
-- 
  David James

Bug#1058764: opendmarc: installs deprecated /lib/opendmarc/opendmarc.service.generate

[David Bürgin]

Chris Hofstaedtler:
> Hi David,
> 
> On Sun, Jan 28, 2024 at 01:44:34PM +0100, David Bürgin wrote:
> > Hello Chris,
> > 
> > the deprecation notice was included only with the last stable release.
> > I think it would be nice to keep the file for another release or so.
> > 
> > Please also note that the same file exists in the opendkim package.
> 
> Alright. In this case, please move the file to /usr in your next
> upload, for trixie.
> 
> Please also make sure the packages don't keep installing a
> /lib/opendmarc directory (instead of /usr/lib/opendmarc).
> 
> Do you want a patch for that?

I’m very far away from this project. If you have a patch ready it is
welcome. thank you.

Bug#1061323: RFP: rust-toml2json -- A very small CLI for converting TOML to JSON

[David Bremner]

Matthias Geiger  writes:

> * Package name: rust-toml2json
>   Version : 1.3.1
>   Upstream Contact: woodruffw
> * URL : https://github.com/woodruffw/toml2json
> * License : MIT
>   Programming Lang: Rust
>   Description : A very small CLI for converting TOML to JSON
>
> Filing on behalf on bremner. Since src: reserialize provides a toml2json
> binary it would have to be renamed. All its dependencies are in debin
> so this would be easy to package.

I inherited this "wish" from a private upstream project. I'm not sure
it's strictly needed or if I can use the one from "reserialize" with
some work. I did notice some grumbling about reserialize (don't
know/remember the specifics) and that the rust toml2json supports a -p
for pretty-print option, while reserialize apparently does not support
pretty-printing.

Bug#1061354: packages.debian.org: MIT mirror returns 503 error

[David R. Hedges]

Package: www.debian.org
Severity: important

Dear Maintainer,

packages.debian.org appears to likely have two physical hosts, one at MIT, and 
one
hosted via conova(?):

=
packages.debian.org has address 128.31.0.51
packages.debian.org has address 195.192.210.132
packages.debian.org has IPv6 address 2603:400a::bb8::801f:33
packages.debian.org has IPv6 address 2a02:16a8:dc41:100::132

NetRange:   128.31.0.0 - 128.31.255.255
CIDR:   128.31.0.0/16
NetName:MIT-RES

NetRange:   2603:4000:: - 2603:40FF::::::
CIDR:   2603:4000::/24
NetName:MIT-V6


inetnum:195.192.208.0 - 195.192.215.255
netname:AT-CONOVA-19960403

inet6num:   2a02:16a8:dc41:100::/56
netname:CUS-DEBIAN
...
route6: 2a02:16a8::/32
descr:  conova communications GmbH IPv6 Route Object
=

While the two conova-associated IPs seem to work fine, the MIT-associated hosts 
hang for 60 seconds before eventually returning a 503:

=
$ time curl -I --resolve packages.debian.org:443:128.31.0.51 
"https://packages.debian.org/sid/p7zip;
HTTP/2 503
...
real1m4.353s

$ time curl -I --resolve packages.debian.org:443:[2a02:16a8:dc41:100::132] 
"https://packages.debian.org/sid/p7zip;
HTTP/2 200
...
real0m0.519s

$ time curl -I --resolve packages.debian.org:443:[2603:400a::bb8::801f:33] 
"https://packages.debian.org/sid/p7zip;
HTTP/2 503
...
real1m4.350s

$ time curl -I --resolve packages.debian.org:443:195.192.210.132 
"https://packages.debian.org/sid/p7zip;
HTTP/2 200
...
real0m0.523s


This also results in a web browser failing to load the page ~50% of the time 
(across launches).

I have confirmed this behavior from multiple ISPs, web browsers, and curl.

Bug#1058999: linux-image-6.5.0-5-amd64: System hangs when connecting an ethernet NIC to network which was not connected on boot

[Erwan David]

Le 22/01/2024 à 13:49, Erwan David a écrit :

Le 23/12/2023 à 21:26, Erwan David a écrit :

Le 19/12/2023 à 19:34, Diederik de Haas a écrit :

On Tuesday, 19 December 2023 19:16:33 CET Erwan David wrote:
Same behaviour with 6.6.3-1 from experimental (that's what apt gave 
me,

maybe tomoroow the 6.6.4).
Either your APT cache should be updated or you're using a mirror 
which is

rather severely out of date.
6.6.4-1 was uploaded to Debian on 2023-12-03, a day after .3-1.


it was 6.6.4. I tried with my Aten Dock : same thing.

I disabled the virtualbox service so that the virtualbox modules are 
not loaded : it does not hang immediately, but waits a few minutes 
before doing it.




Some more details :

1) problem does not come from ethernet Nics, but rather from Wifi 
chipset, blocking appears when it is deactivated either by BIOS (when 
connecting Ethernet) or manually (through nm-applet in KDE) Wifi 
chipset is 02:00.0 Network controller: Intel Corporation Wireless 8265 
/ 8275 (rev 78)



Sorry, mail sent too fast :

It seems to work better with kernel 6.6.11 (6.6.9 still had the bug).

I'll do some other tests when possible (this laptop is my work laptop, 
and I cannot do tests leading to possible crash as often as I would wa nt



--
Erwan David

Bug#1058999: linux-image-6.5.0-5-amd64: System hangs when connecting an ethernet NIC to network which was not connected on boot

[Erwan David]

Le 23/12/2023 à 21:26, Erwan David a écrit :

Le 19/12/2023 à 19:34, Diederik de Haas a écrit :

On Tuesday, 19 December 2023 19:16:33 CET Erwan David wrote:

Same behaviour with 6.6.3-1 from experimental (that's what apt gave me,
maybe tomoroow the 6.6.4).
Either your APT cache should be updated or you're using a mirror 
which is

rather severely out of date.
6.6.4-1 was uploaded to Debian on 2023-12-03, a day after .3-1.


it was 6.6.4. I tried with my Aten Dock : same thing.

I disabled the virtualbox service so that the virtualbox modules are 
not loaded : it does not hang immediately, but waits a few minutes 
before doing it.




Some more details :

1) problem does not come from ethernet Nics, but rather from Wifi 
chipset, blocking appears when it is deactivated either by BIOS (when 
connecting Ethernet) or manually (through nm-applet in KDE) Wifi chipset 
is 02:00.0 Network controller: Intel Corporation Wireless 8265 / 8275 
(rev 78)


--
Erwan David

Bug#1061169: aptitude: "aptitude install debhelper-compat" fails with "virtual package provided by: debhelper debhelper debhelper"

[David Kalnischkies]

(drive-by comment from an apt maintainer)

On Sat, Jan 20, 2024 at 06:30:34AM +, Askar Safin wrote:
> - Type "aptitude install debhelper-compat"
> 
> The command will fail with the following absolutely absurd message:
> 
> # aptitude install debhelper-compat
> "debhelper-compat" is a virtual package provided by:
>   debhelper debhelper debhelper debhelper debhelper 
> You must choose one to install.
> Unable to apply some actions, aborting

debhelper has (currently) five versioned provides. I think aptitude
doesn't support/expect versioned provides here (if at all):
src/cmdline/cmdline_action.cc:278 ff although there are other places
where a similar message is generated in src/pkg_item.cc and
src/gtk/entitysummary.cc.

Would be a good idea to check if a package is already in the pkgvector
before adding it again – or make that vector a set. Note that libapt has
wrappers like APT::PackageSet nowadays which should work better and more
natural than typedef'ed std-containers… but that
transition might be a bigger effort than just adding an (untested)
`if (std::ranges::find(possible, j) == possible.end())` before the
push_back.


Best regards

David Kalnischkies


signature.asc
Description: PGP signature

Bug#1061158: ITP: discord-rpc -- library for Discord Rich Presence integration

[David James]

Hi Mathias, 

That is very kind of you. When it clears lintian and I have tested it against 
Citra I will let you know.
 
Thanks again.
 
David

Bug#1061158: ITP: discord-rpc -- library for Discord Rich Presence integration

[David James]

Package: wnpp
Severity: wishlist
Owner: David James 
X-Debbugs-Cc: debian-de...@lists.debian.org, davidjamescastor...@proton.me

* Package name: discord-rpc
  Version : 3.4.0
  Upstream Contact: Discord, Inc
* URL : https://github.com/discord/discord-rpc
* License : MIT
  Programming Lang: C, C++, CMake, Python
  Description : library for Discord Rich Presence integration

This is a library for integrating Discord features into games and 
applications. For example, it allows an application to connect to Discord and 
show in-game activity on a user's profile.

It is also a Citra dependency. There are multiple FOSS projects
aside from Citra that also integrate this library and could make use of this 
package if they were ever packaged themselves (e.g. Duckstation, PCSX2 etc.).

I would be maintaining this package myself, but would need a sponsor.

Bug#1061148: apt: option -a has several meanings and is unusable

[David Kalnischkies]

On Fri, Jan 19, 2024 at 05:10:40PM +0100, Vincent Lefevre wrote:
> The -a=... version is not documented in the manual, only -a alone,

Compare -t, which also doesn't say -t=foo. Probably mostly due to -t foo
working as well or just because the manpages like their inconsistencies
and would deserve some love, but who has the time to not just complain
but also actually write all of it…


(reordered for posterity)

>-a, --host-architecture
>This option controls the architecture packages are built for by
>apt-get source --compile and how cross-builddependencies are
>satisfied.
> 
> There are 2 verbs "controls" and "are built". And I don't see how
> to parse "for by".

A package is "built for" the given (with -a) host architecture by
"apt-get source --compile" – aka its instructed to cross-compile
a package for the given host architecture instead of doing a "normal"
compile where host and build architecture are the same.

So, "apt-get source -b -a armhf foo" will (simplified) build a
"foo_armhf.deb" on your (likely amd64) machine to be used on another
(probably less powerful) armhf machine. Similar for build-dep, just
that this won't build anything but interprets certain dependencies
differently.

Using the option properly requires preparations that would fill their
own manpage to explain properly and its certainly not APTs place to do
that as it is just a tiny cog in the cross-machinery.


> Still, I don't see what this option does.

So, long story short: You would if you would need that option, but you
don't need it, so you don't.

--print-uris prints URIs; nowhere is explained what URI stands
for, it is just assumed that people who need it will know.

Hey, quick, what is a "build profile" and can you name a few?
Now go and ask that question another user and see how that goes.


>By default is it not set which means that the host
>architecture is the same as the build architecture (which is
>defined by APT::Architecture). Configuration Item:
>APT::Get::Host-Architecture.

> In the next sentence: "is it". Should this be
> "it is"? The comma is missing before "which".

Perhaps it should, "is it not" has the hint of a question. In German
I would write such a sentence without a comma as the added phrase isn't
[that] optional, but not sure if a German – or English – teacher would
actually agree on me claiming "definition phrase", which are not
separated by commas in both languages. Could easily be done without
a which if we were really trying.

Doesn't matter that much through as I would agree that the manpage(s)
need a revamp, but certainly not by me and not based on this. For this
specific option in particular, 99% of the user base are probably better
served if we were to remove its documentation entirely.

What about the 1%? Well, they deserve to write the patches to improve
the manpage and potentially fixup the translations (depending on how
much they reword here).

[Case in point, the option as documented doesn't work for years and
 nobody noticed – because 1% was an overstatement already; fixed in git]


Best regards

David Kalnischkies


signature.asc
Description: PGP signature

Bug#1061094: mmdebstrap vs. apt -o DPkg::Inhibit-Shutdown

[David Kalnischkies]

tl;dr: Fine by me, just some explaining comments for the record.

On Thu, Jan 18, 2024 at 12:54:45PM +1100, Trent W. Buck wrote:
> This MIGHT affect someone else doing "apt -o Dir=⋯" to do custom installs, but
> everything I can think of offhand is a wrapper around debootstrap, except for
> https://github.com/openSUSE/obs-build/blob/master/obs-docker-support#L118

This one sets different sources.list files, doesn't change Dir and is
hence still effected by the inhibit… except that this probably runs
somewhere in docker, so likely without dbus, systemd and what not.


> Everything I can find seems to set e.g. Dir::Etc rather than Dir itself.
> 
> https://codesearch.debian.net/search?q=apt.*-o.*Dir%5B%5E%3A%5D
> https://github.com/search?q=%2Fapt.*-o.*Dir%2F=code  (requires 
> Microsoft account, requires javascript)

Just for the record: To find more users you would need to look for
RootDir as well, which was used heavily before Dir. Looking for scripts
setting these options on the command line is probably not catching a lot
of users as command line parsing happens pretty late – after config
files are read – so setting {Root,}Dir is usually done in a config file
given via the APT_CONFIG environment variable.

Case in point: Our very own test cases do something akin to chrootless
mode of mmdebstrap with APT_CONFIG and Dir … and now I wonder how often
those tests inhibit and release the block on shutdown. I guess I never
tried to shutdown while running our tests. ☺

Also, as this is libapt, this isn't apt specific, could potentially be
used via apt-get, aptitude, python-apt, libapt-perl, synaptics, your run
of the mile software center, … its just increasingly unlikely.

A usecase I could imagine is someone trying to recover his main system
from a live CD. If your main system is sufficiently broken that
chrooting into it doesn't really work you could operate on it from the
outside similar to mmdebstrap (after all, the to be bootstrapped system
is sufficiently broken… given it doesn't really exist yet).


Anyway, this is a relatively new safeguard (60cc44d160 – April 2019)
nobody should really hard-depend on: Having it inhibited for too many
or for too few by default isn't that big of a problem and if someone
cares either way they can always set the option explicitly.

Given it is mainly supposed to avoid accidents for users who don't
interact with apt directly Dir == "/" is probably the closest we can
be to a sensible default value for the inhibition here if we ignore
that ideally the front ends would do the inhibition instead of our
low-level library, but that ship sailed…


Best regards

David Kalnischkies


signature.asc
Description: PGP signature

Bug#1061048: RFS: RPGMod/1.3 ITP -- heyo!

[David Kalnischkies]

On Tue, Jan 16, 2024 at 07:42:09PM -0300, peq42 wrote:
> I am looking for a sponsor for my package "RPGMod":

Package names are lowercase.

No idea about the package or what it even is, but it looks a bit and
mentions games, so the Debian Games Team might be a good place to
find people/sponsors who know the field and can give hints:
https://wiki.debian.org/Games/Team


> * URL : http://peq42.com

I suppose: https://peq42.com/projects/rpgmod/


> * Vcs : https://peq42.com/downloads/RPGmod%20-%20Linux.deb

"Vcs" means "Version control system", while optional its strongly
recommend to use one (also for your upstream development). Look it
up on your preferred search engine; it might change your life.


> Alternatively, you can download the package with 'dget' using this command:
> 
> dget -x https://peq42.com/downloads/RPGmod%20-%20Linux.deb

Usually, you upload a source package that builds one (or more) binary
packages (= the deb files).

Your deb uses zst as compressor, so I guess you built it on a semi
recent Ubuntu release (older versions might have problems with it,
Debian releases even more – read-only support exists rather recentish).
You don't need to know what the first part of that sentence means to be
a good packager (but feel free to look it up if you are interested), but
packages for Debian should be built in the Debian release they are
targeting (for a new package, that would usually be 'unstable') – you
can use virtual machines, chroots and what not for that and use e.g.
tools like sbuild.

Your package installs (most) things in /opt – that isn't suitable for
packages targeted at the Debian archive. I also note that your package
claims to have no dependencies whatsever, which I find somewhat hard to
believe even if it is technically possible.


> additional comments:
> I'm sorry if this e-mail is not exactly perfect or if anything is missing,
> this is my first time packaging and submiting a package to the debian store.
> I setup the package using my personal e-mail(gabrielpm2...@gmail.com) and
> real name(Gabriel), but for the sake of lowering spam I get there, if
> possible, utilize this one(admi...@peq42.com) in the store

You can give any mail you like in the packaging… personally I am using
my @debian.org address in the packages and my personal mail for
communication on this and other lists, reply to bugreports and so on.
Others do the reverse. None of it will help lower spam though as nobody
and nothing can avoid an (un)healthy dosage of spam.


Note that Debian doesn't have a "store". We have repository(s) which
can mean the same thing and actually pre-dates stores, but usually
involves a different mind set: (Personal opinion follows) We don't
"sell" individual packages as products, but an entire catalog of
70.000+ packages that work (and play) well together.


As said, I haven't looked too closely at the package, but even so
I think you will need to invest a lot more work into making it fit for
the Debian archive… or in other words: lots of documentation to read,
policies to follow and friends to make on and off list(s).


Good luck & Best regards

David Kalnischkies


signature.asc
Description: PGP signature

Bug#1061111: RFS: dpkg-buildenv/1.0.0 [ITP] -- Builds debian packages in a docker container.

[David Kalnischkies]

Hi,

On Thu, Jan 18, 2024 at 02:35:40PM +, Aidan wrote:
> I am looking for a sponsor for my package "dpkg-buildenv":

Similar to my recent "veto" of apt-verify in #1059267, which was
subsequently ignored and pushed into the archive anyhow, I would
like to call into question the naming of the package/application…

There are various "dpkg-build*" tools already that grabbing 'env' feels
wrong (I would confuse it probably with 'flag' on a bad day), especially
if that isn't at least discussed with dpkg maintainers (I at least see
no mention of it on the list) and given that this is something that
"just" works with Docker.


As explained in the other bug, there is no veto and as you can see its
easy to completely ignore me (and anyone else) but I wanted to say it
anyhow, so that nobody is surprised later on.


Best regards

David Kalnischkies


signature.asc
Description: PGP signature

Bug#1061078: ITP: oaknut -- Aarch64 (arm64) code emitter

[David James]

Package: wnpp
Severity: wishlist
Owner: David James 
X-Debbugs-Cc: debian-de...@lists.debian.org, davidjamescastor...@proton.me

* Package name: oaknut
  Version : 1.2.2
  Upstream Contact: MerryHime <https://mary.rs>
* URL : https://github.com/merryhime/oaknut
* License : MIT (Expat)
  Programming Lang: C++, CMake
  Description : Aarch64 (arm64) code emitter

Oaknut is a header-only C++20 assembler for arm64 systems. It is designed to 
process C++ code and emit it to memory at runtime.

I am in the process of packaging Citra, the Nintendo 3DS emulator. This is 
one of the dependencies required to package Citra on arm64. Without this, I 
would have to exclude the arm64 architecture entirely.

In addition to being a Citra dependency, this software would also be useful 
for anyone creating software to emulate an embedded ARM 8.0-8.2 system.

I would maintain this package myself, but would need a sponsor.

Bug#1059291: bookworm-pu: package spip/4.1.9+dfsg-1+deb12u4

[David Prévot]

Control: retitle -1 bookworm-pu: package spip/4.1.9+dfsg-1+deb12u4

Le Sat, Dec 30, 2023 at 12:06:56PM +0100, Salvatore Bonaccorso a écrit :
> On Fri, Dec 22, 2023 at 01:28:00PM +0100, David Prévot wrote:
[…]
> > This issue is similar to #1059289 for oldstable.
> > 
> > Another upstream release fixed a security (XSS) issue. The last two
> > updates of this kind didn’t warrant a DSA, so I guess this one will not
> > warrant one either (security team X-D-CCed in case I’m wrong).

And here we are again, another XSS was fixed (in a plugin not provided
by the version in oldstable), second debdiff attached, thanks in advance
for considering.

Regards,

taffit
diff --git a/debian/changelog b/debian/changelog
index 333c4146c1..23a523a96a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+spip (4.1.9+dfsg-1+deb12u4) bookworm; urgency=medium
+
+  * Backport security fix from 4.1.15
+- fix XSS in uploaded files using bigup
+
+ -- David Prévot   Fri, 12 Jan 2024 13:42:36 +0100
+
 spip (4.1.9+dfsg-1+deb12u3) bookworm; urgency=medium
 
   * Backport security fix from 4.1.13
diff --git a/debian/patches/0013-fix-viter-de-possibles-XSS-avec-le-nom-des-fichiers-.patch b/debian/patches/0013-fix-viter-de-possibles-XSS-avec-le-nom-des-fichiers-.patch
new file mode 100644
index 00..7c72b8539d
--- /dev/null
+++ b/debian/patches/0013-fix-viter-de-possibles-XSS-avec-le-nom-des-fichiers-.patch
@@ -0,0 +1,79 @@
+From: Matthieu Marcillaud 
+Date: Sun, 7 Jan 2024 22:07:19 +0100
+Subject: =?utf-8?q?fix=3A_=C3=89viter_de_possibles_XSS_avec_le_nom_des_fich?=
+ =?utf-8?q?iers_upload=C3=A9s_=28en_js=29?=
+
+(cherry picked from commit df7543f1dc9d04f068dd12c901b89a98db535961)
+
+Origin: upstream, https://git.spip.net/spip/bigup/commit/ada821c076d67d1147a195178223d0b4a6d8cecc
+---
+ plugins-dist/bigup/javascript/bigup.js   | 34 ++--
+ plugins-dist/bigup/javascript/bigup.utils.js | 12 +-
+ 2 files changed, 33 insertions(+), 13 deletions(-)
+
+diff --git a/plugins-dist/bigup/javascript/bigup.js b/plugins-dist/bigup/javascript/bigup.js
+index bd84fc1..5b9b5be 100644
+--- a/plugins-dist/bigup/javascript/bigup.js
 b/plugins-dist/bigup/javascript/bigup.js
+@@ -190,18 +190,28 @@ function Bigup(params, opts, callbacks) {
+ var extension = $.trouver_extension(file.name);
+ 
+ var template =
+-	'\n'
+-	+ '\n\t'
+-	+ '\n\t\t'
+-	+ '\n\t\t'
+-	+ '\n\t\t\t' + file.name + ''
+-	+ '\n\t\t\t' + $.taille_en_octets(file.size) + ''
+-	+ '\n\t\t'
+-	+ '\n\t\t'
+-	+ '\n\t\t\t' + _T("bigup:bouton_annuler") + ''
+-	+ '\n\t\t'
+-	+ '\n\t'
+-	+ '\n\n';
++	'\n' +
++	'\n\t' +
++	'\n\t\t' +
++	'\n\t\t' +
++	'\n\t\t\t' +
++	$.escapeHtml(file.name) +
++	'' +
++	'\n\t\t\t' +
++	$.taille_en_octets(file.size) +
++	'' +
++	'\n\t\t' +
++	'\n\t\t' +
++	'\n\t\t\t' +
++	_T('bigup:bouton_annuler') +
++	'' +
++	'\n\t\t' +
++	'\n\t' +
++	'\n\n';
+ 
+ return template;
+ 			}
+diff --git a/plugins-dist/bigup/javascript/bigup.utils.js b/plugins-dist/bigup/javascript/bigup.utils.js
+index 872123b..4a1bad9 100644
+--- a/plugins-dist/bigup/javascript/bigup.utils.js
 b/plugins-dist/bigup/javascript/bigup.utils.js
+@@ -171,4 +171,14 @@ $.mime_type_image = function(extension) {
+ 			break;
+ 	}
+ 	return mime;
+-};
+\ No newline at end of file
++};
++
++/** Escape HTML */
++$.escapeHtml = function(unsafe) {
++	return unsafe
++		.replaceAll('&', '')
++		.replaceAll('<', '')
++		.replaceAll('>', '')
++		.replaceAll('"', '')
++		.replaceAll("'", '');
++}
diff --git a/debian/patches/0014-fix-Ajout-d-un-point-virgule-manquant.patch b/debian/patches/0014-fix-Ajout-d-un-point-virgule-manquant.patch
new file mode 100644
index 00..33e6a87c7e
--- /dev/null
+++ b/debian/patches/0014-fix-Ajout-d-un-point-virgule-manquant.patch
@@ -0,0 +1,21 @@
+From: Glop 
+Date: Thu, 11 Jan 2024 17:16:45 +0100
+Subject: fix: Ajout d'un point-virgule manquant
+
+(cherry picked from commit ac51139245cea6e6dd44dba47b30122b69ff1f1c)
+
+Origin: upstream, https://git.spip.net/spip/bigup/commit/0757f015717cb72b84dba0e9a375ec71caddf1c2
+---
+ plugins-dist/bigup/javascript/bigup.utils.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plugins-dist/bigup/javascript/bigup.utils.js b/plugins-dist/bigup/javascript/bigup.utils.js
+index 4a1bad9..a255f2f 100644
+--- a/plugins-dist/bigup/javascript/bigup.utils.js
 b/plugins-dist/bigup/javascript/bigup.utils.js
+@@ -181,4 +181,4 @@ $.escapeHtml = function(unsafe) {
+ 		.replaceAll('>', '')
+ 		.replaceAll('"', '')
+ 		.replaceAll("'", '');
+-}
++};
diff --git a/debian/patches/series b/debian/patches/series
index c0ceb74e71..38c2a1189b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,5 @@
 0010-security-Utiliser-auth_desensibiliser_se

Bug#1060208: ITP: dds-ktx -- header-only library for reading KTX format textures

[David James]

On further inspection, I have noticed that several commits have been made since 
1.1. To maintain compatibility with Citra I will therefore be bumping the 
version to 1.1~git20211021.c3ca8fe.