Bug#1068951: new upstream (6.x)

[Jakub Ružička]

Hey Daniel,

I did a spring cleaning in upstream debian packaging (distro/pkg/deb),
merging -core and -manager into knot-resolver6, porting most of your
debian/experimental patches, and removing many lintian warnings.

This was done in upstream MRs now merged into `master` branch (which is now
v6, `master-5` is for v5). For your convenience, here's a link to upstream
debian dir distro/pkg/deb:

https://gitlab.nic.cz/knot/knot-resolver/-/tree/master/distro/pkg/deb

The upstream package was renamed to knot-resolver6 in order to prevent
unwanted upgrades as there is sadly no upgrade path from v5 to v6.

Users were already complaining about such issues with shared v5 & v6 upstream
repos and the situation will be equivalent on bookworm -> trixie update so
I suggest using that (knot-resolver6) in Debian packaging as well. Debian in
particual is expected not to break working systems on upgrade and I don't see
a way to ensure that without knot-resolver6 rename.

Remaining issues:

* debian: adduser -> useradd patch doesn't create knot-resolver group as it 
should
* debian: package should be renamed to knot-resolver6 (?)
* debian: python modules must be properly installed (see upstream d/rules)
* upstream: meson / ninja is invoked manually as opposed to dh_auto_* because
  I don't know how to properly refernce meson build dir

I did what I could with the upstream packaging, so now it's your turn with
debian/experimental, Daniel, if you have the time :)

Feel free to sync what you think is good, do the knot-resolver6 rename (or
not, I'm still not 100 % decided there), properly use dh_auto_* (if you know
how to reference meson builddir in d/rules) or whatever you see fit.

After that I'll go one more round of upstream <-> debian sync, hunt some more
lintian warnings, and finally release the debian/experimental package.


Cheers,
Jakub


signature.asc
Description: PGP signature

Bug#1068951: new upstream (6.x)

[Jakub Ružička]

Yo Santiago (CC'd), could you please drop your opinion on this for extra 
reference?


On 4/30/24 18:34, Daniel Baumann wrote:

Hi,

On 4/30/24 18:12, Jakub Ružička wrote:
Secondary reason for that was that there is no upgrade path from 5.x 
to 6.x so it's unwanted for knot-resolver 5 packages to auto-update 
to 6.


For that, the package probably needs a different name (like 
knot-resolver6)


imho this should be handled in the package (e.g. by showing a debconf 
note or so) and be included in the trixie release notes. renaming the 
binary package doesn't really solve much and is more suited for 
(library) transitions, i.e. if there were several 
knot-resolver-module-* packages or so.
We currently have v5 and v6 packages in a single knot-resolver repo on 
pkg.labs.nic.cz and v5 users are safe to `apt update` from the repo 
without breaking their setup or they can `apt install knot-resolver6` to 
upgrade. This would apply to Bookworm -> Trixie transition as well.


If there was no distinction between v5 and v6 packages, unwanted updates 
leading into broken setups are bound to happen, that's not very user 
friendly. I could split the upstream repos (knot-resolver5, 
knot-resolver6), but that won't solve Bookworm -> Trixie case.


OTOH knot-resolver6 fork is extra maintenance (new source package & 
Salsa repo...) and an unwanted irregularity although it gets the job 
done. This was the case for bird2 and upcoming bird3 for example, which 
also isn't a library.


also (I haven't looked at it), is it worthwile to (with users consent) 
to "try" to guess with (some parts of) the old config to generate the 
new config from?

I don't think that's worthwhile, that's why it's not officially supported.




So what do you suggest?


generally, the amount of binary packages should be limited to a 
minimum - oiow there needs to be a reason why an additional binary 
package is added. some of them are:


  * saving relative excessive amount of diskspace (e.g. large
    documentation can be split into a -doc package)

  * different parts have different dependencies and/or particulary
    long dependency chains (e.g. gtk parts of a cli tool)

therefore, imho the following binary packages make sense here:

  * knot-resolver
  * knot-resolver-doc
  * knot-resolver-module-dnstap
  * knot-resolver-module-http
Consulting with upstream, there doesn't seem to be a strong reason not 
to merge like that. Separating the python module(s) in a sub-package 
could be useful in some (official unsupported edge) cases like 
containers where pulling the extra python deps might increase the image 
size significantly.


I believe vast majority of users will use the manager so it's desirable 
to install it by default, which would be 100 % ensured by having it a 
part of knot-resolver package, so that's a plus.


Those who want to use kresd without manager can simply disable manager 
and do what they want at the cost of some unused python deps. I don't 
think that's too bad of a compromise.


So I'm generally in favor of merging the -manager package, I'm just 
worried about unwanted upgrades if we don't change the name 
(knot-resolver6) as there isn't really an upgrade path. Such is the 
price of progress.


Note that Fedora policies/customs are strongly in favor of not forking 
per-version - in line of what you suggest.




Note that -dbg packages are generated automatically and don't need to 
be specified in control (I'll provide a commit for that).

Oh, right :)


Cheers,
Jakub

Bug#1068951: new upstream (6.x)

[Jakub Ružička]

On 4/29/24 21:13, Daniel Baumann wrote:

On 4/29/24 19:50, Daniel Baumann wrote:
pushing to the repo requires me to be added to the salsa project.. 
would you mind adding me?


in the meantime, I've pushed to here:
https://git.progress-linux.org/users/daniel.baumann/debian/todo/knot-resolver/log/ 


Nice!

before I'll continue: what's the idea of adding knot-resolver-manager 
binary package?


I can't think of a reason why one would use kresd (knot-resolver-core) 
without the manager, and thus, would fold knot-resolver-manager and 
knot-resolver-core (back) into knot-resolver. But probably I'm missing 
something..
That is a great question and in fact the primary topic I wanted some 
other DD to review. You basically answered that already, but let me 
elaborate why it's like this.


Manager was initially developed in a separate repo imported into kresd 
as a git submodule and it wasn't clear back then how integrated / 
optional / required it will be.


Manager is now quite integrated in kresd and while it's theoretically 
possible to use knot-resolver-core without knot-resolver-manager, this 
isn't officially supported and generally a use case probably not worth 
supporting.


Secondary reason for that was that there is no upgrade path from 5.x to 
6.x so it's unwanted for knot-resolver 5 packages to auto-update to 6.


For that, the package probably needs a different name (like 
knot-resolver6) so I made this little trick of moving knot-resolver to 
knot-resolver-core and added manager to knot-resolver-manager with 
Provides: knot-resolver6. That way no upgrade is triggered as there is 
no knot-resolver package in 6.0.


However, this is probably just unneeded complexity - I guess the 
packages could or even should be merged.


So what do you suggest? Merging -manager and -core into knot-resolver6? 
Or is there a way to prevent upgrade without changing package name?



Cheers,
Jakub


OpenPGP_signature.asc
Description: OpenPGP digital signature

Bug#1068951: new upstream (6.x)

[Jakub Ružička]

On 4/23/24 14:05, Daniel Baumann wrote:

Hi,

On 4/23/24 13:58, Jakub Ružička wrote:
but we've agreed the time has come to get extra testing & feedback 
through Debian experimental.


yay, thanks!

[ we use knot-resolver at work for the central resolvers for the 
university, and we love it. kresd 6 offers some nice improvements for 
us, so looking forward testing it (via local bookworm-backports we 
maintain) ]
Awesome, I've forwarded your words of praise to the hard-working Knot 
Resolver team :)


The only blocker for that is missing python3-json-schema-for-humans 
needed for docs build which I intend to package later - for now I 
guess I'll just disable the docs build.


(just as an offer) I'll maintain a bunch of python modules already and 
don't mind another, so I can upload that later today if this is any help.


Thanks, but I'm part of PythonTeam so I can do that myself and I'm 
actually quite interested in (the nightmares of) python packaging in 
general so it's a welcome opportunity to have some real world experience 
plus I think it will be a trivial package.





I'm hitting boundaries of my Debian knowledge so it's slow.


I'm happy to help if you want.
Cool, I've already mental-marked you as a person I'm gonna bother with 
reviewing my v6 changes even before your willing reply :)




For example, upstream package uses meson directly and builds in 
meson_deb dir, but debian package uses debhelper with 
obj-x86_64-linux-gnu dir and I don't know howto properly reference it 
from d/rules without relying on shady strings.


I didn't find a branch on the salsa repo, where would I find the 
current 6.x state to send patches against?
I don't like pushing broken/incomplete branches but yeah this is gonna 
take a while so I pushed my Draft to debian/experimental salsa branch 
(also pristine-tar and new upstream-6).


The upstream package is well tested, but it diverged quite far from 
debian package and syncing them is non-trivial - my mission is to fix that.


git clone -b 6.0 https://gitlab.nic.cz/knot/knot-resolver
meld knot-resolver/distro/pkg/deb ~/debian/knot-resolver/debian

IOW ~/src/knot-resolver/distro/pkg/deb and ~/debian/knot-resolver/debian 
should be as close as possible.


Of course the changes can flow both ways - I'm happy to update the 
upstream packaging as well.


Feel free to push your changes (if any) to debian/experimental or use 
your branch as you prefer, I'm always eager to learn how other DDs do 
things.


I'd be especially interested about how you translate the 
distro/pkg/deb/rules to debian/rules without using the static build_deb 
dir 樂 There might be variable already defined for this purpose, but I 
just don't know how to find it.




Regards,
Daniel



Cheers,
Jakub



OpenPGP_signature.asc
Description: OpenPGP digital signature

Bug#1068951: new upstream (6.x)

[Jakub Ružička]

Hello,

we have a working upstream packages for knot-resolver 6.x alpha at

https://pkg.labs.nic.cz/doc/?project=knot-resolver

but we've agreed the time has come to get extra testing & feedback 
through Debian experimental.


The only blocker for that is missing python3-json-schema-for-humans 
needed for docs build which I intend to package later - for now I guess 
I'll just disable the docs build.


I'm working on deep-cleaning the knot-resolver package (silencing the 
many cries of lintian and such) and syncing it closer with upstream but 
I'm hitting boundaries of my Debian knowledge so it's slow.


For example, upstream package uses meson directly and builds in 
meson_deb dir, but debian package uses debhelper with 
obj-x86_64-linux-gnu dir and I don't know howto properly reference it 
from d/rules without relying on shady strings.


I'll take some more time to clean the package properly so that it starts 
its 6.x life with a clean slate but it's going to hit experimental in 
upcoming weeks :)



Thanks for indicating interest, I'll get it done.


Cheers,
Jakub Ružička

On 4/14/24 08:39, Daniel Baumann wrote:

Package: knot-resolver
Severity: wishlist

Hi,

it would be nice if you could upload knot-resolver 6.x to experimental.

Regards,
Daniel


OpenPGP_signature.asc
Description: OpenPGP digital signature

Bug#1012289: Bug #1012289: Following up on Lintian

[Jakub Ružička]

Hello,


On Wed, 27 Dec 2023 18:54:14 + Simon Quigley  wrote:
> In most recent Ubuntu cycles, I've taken on the "archive bootstrapping" 
> responsibility of adding the new Ubuntu codename to Lintian. I remember 
> having some deeper conversations with the former Lintian maintainer 
> regarding further contributions and maintenance, but I also recall some 
> politics, and quite frankly, *I don't care*. Regardless, Lintian is 
> something I look at every cycle.

Same.


> I'm writing today to express my concern about the current state of 
> Lintian maintenance. I already understand that there is an RFH filed 
> against Lintian, but that has not received any sort of followup since 
> 2022. The most recent Lintian upload is from March 2023, and as of the 
> time of writing, there are 26 open merge requests[1].

Currently, there are quite a few merged patches ready in VCS as well,
including the one I'm interested in (added support for loong64).

Just being able to actually release new version of lintian would be nice.


> I also understand that this is a volunteer team. My goal here is not to 
> diminish the work of the current maintainers in any way, quite the 
> opposite. I would simply like to ask, "do you need help?"

I'm pretty sure we need hands on lintian and I'm willing to help as well.

 
> I'm not volunteering to take over Lintian entirely, nor do I want to. 
> That being said, I would be motivated to sort through the current MR 
> list and at least shave off some technical debt. If this is something 
> you are open to, or if anyone else would be open to this as well, I 
> think it is a worthwhile effort.

Same. My perl-fu isn't strong enough to take over maintainership of core
package in perl.


> Lintian is crucially important for Debian development as it stands 
> today. Before sponsoring a package, before uploading our own packages, 
> and even once in the archive, we run Lintian all the time. I do not 
> believe it is too late to put some additional minds behind this, to 
> ensure Lintian survives for years to come. I simply feel as if *someone* 
> should bump this thread, so we do not lose sight of it.

Agreed, lintian is crucially important.

What we need is a perl magician willing and able to do the actual lintian
release. Who wants to get blamed for breaking a core tool? :)

Then folks like you and me can help with fixing individual issues and/or
merging MRs.


> Thank you for your time. Please do let me know if you have any 
> questions, or if I can do anything else to help.

Thank you for bumping this, we need to get this sorted one way or another.


Cheers,
Jakub Ružička


signature.asc
Description: PGP signature

Bug#1054236: ITP: python-nvchecker -- new version checker

[Jakub Ružička]

Package: wnpp
Severity: wishlist
Owner: Jakub Ružička 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: python-nvchecker
  Version : 2.12
  Upstream Contact: lilydjwg 
* URL : https://github.com/lilydjwg/nvchecker
* License : Expat
  Programming Lang: Python
  Description : new version checker

nvchekcer (short for new version checker) is a Python library and CLI for
checking if a new version of some software has been released.

It's a handy tool for querying various sources (such as deb/rpm repos or
repology) for software versions.

Individual version sources are modular and can be easily reused from python
code, making nvchecker useful both as a CLI and as a reusable library.

Upstream is friendly and active.

I plan to maintain this as a part of PythonTeam.

Bug#1043360: Any progress on ITP: python-poetry-dynamic-versioning?

[Jakub Ružička]

Hi Roland,

in the end, I've replaced poetry by hatchling due to various issues 
and/or I use dunamai manually in affected projects so I no longer have 
an incentive/opportunity to package and test poetry-dynamic-versioning.


Sorry for not following up on my intent, I'm not sure how to properly 
indicate this on the wnpp bug 


I haven't really started with the packaging so feel free to start from 
scratch.


At least python-dunamai made it to testing and I've uploaded latest 
1.19.0 to sid today so that you can work with the latest and greatest 
version.


If you need an extra pair of eyes for review or something, let me know.


Cheers,
Jakub Ružička


On 10/10/23 15:09, Roland Mas wrote:

Hi Jakub,

Is there any progress on the package? A package of mine (dioptas) has 
started depending on it, so it would be nice to have in Debian. Can I 
help somehow? Is there any beta code somewhere that I could test and 
help with?


Thanks,

Roland.



OpenPGP_signature
Description: OpenPGP digital signature

Bug#1043360: ITP: python-poetry-dynamic-versioning -- dynamic versioning plugin for Poetry

[Jakub Ružička]

On 23-08-09 15:08, Colin Watson wrote:
> How will this sort of thing work when a git tree isn't necessarily
> available at binary package build time, since buildds build binary
> packages from a source package rather than directly from git and the
> source package doesn't usually include a git tree?  Is it just a matter
> of causing the plugin to exist so that pybuild doesn't fail, but in
> practice the version is still going to be set by something that's
> actually in the source package?

A primary objective is to provide the plugin so that

python3 -m build

works in general, not limited to package builds.

Supporting pybuild correctly out of the box for projects using the plugin is
a next step.

I'm not sure how it will behave when no VCS is available as in source package.

IIRC it replaces version in pyproject.toml during build. So possibly
a mechanism that does the same during package build but from d/changelog
version might solve this... Hmmm, sounds non-trivial.

This will certainly require some testing.

Bug#1043360: ITP: python-poetry-dynamic-versioning -- dynamic versioning plugin for Poetry

[Jakub Ružička]

Package: wnpp
Severity: wishlist
Owner: Jakub Ružička 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: python-poetry-dynamic-versioning
  Version : 0.25.0
  Upstream Contact: Matthew T. Kennerly 
* URL : https://github.com/mtkennerly/poetry-dynamic-versioning
* License : Expat
  Programming Lang: Python
  Description : dynamic versioning plugin for Poetry

This is a Python plugin for Poetry and Poetry Core to enable dynamic
versioning based on tags in your version control system, powered by Dunamai.
Many different version control systems are supported, including Git and
Mercurial.


Poetry is very popular in the Python world and this plugin makes it easy to
use dynamic versioning in Poetry-managed projects.

Having this in Debian is a prerequisite for packaging of any projects using
poetry-dynamic-versioning. Some of existing packages require this in order to
update to latest upstream version which started using the plugin.

I plan to maintain the package as a part of the PythonTeam alongside
its requirement python-dunamai by the same upstream author.

I don't expect this package to be maintenance heavy.


signature.asc
Description: PGP signature

Bug#992341: Acknowledgement (bird2: does not properly take over /etc/bird/bird.conf)

[Jakub Ružička]

Hello,

I'm the new bird2 maintainer and I'm happy to help with this.


On 23-08-04 11:08, Jonathan Wiltshire wrote:
> Control: retitle -1 bird2: does not properly take over from bird package
> Control: severity -1 serious

This results in

Version 2.0.12-7 of bird2 is marked for autoremoval from testing on Sat 19 Aug 
2023.

I think this help noone.

If any of the two packages should be dropped from testing, it's bird as it's
nearing upstream EOL at the end of 2023.


> Control: affects -1 + src:bird
> 
> Hi,
> 
> I have just run into this again on the upgrade from bullseye to bookworm.

bullseye contains bird_1.6.8-2.1 which is the same as bookworm,
so I tested on bookworm as it should be equivalent.


> In fact it's worse than just the config files now: bird in its postrm does
> things like disabling and masking the systemd units bird2 uses, and attempts
> to remove the 'bird' user.

I'm unable to reproduce the error on purge after upgrade on my machine, in VM,
or in a container:

$ apt install bird
Setting up bird (1.6.8-2.1+b1) ...

$ apt install bird2
Removing bird (1.6.8-2.1+b1) ...
Setting up bird2 (2.0.12-7) ...

$ apt purge bird
Purging configuration files for bird (1.6.8-2.1+b1) ...

$ grep bird /etc/passwd
bird:x:105:110::/run/bird:/usr/sbin/nologin

$ ls /etc/bird
bird.conf
envvars

$ ls /run/bird
bird.ctl
   
$ systemctl status bird
● bird.service - BIRD Internet Routing Daemon
Loaded: loaded (/lib/systemd/system/bird.service; disabled; preset: 
enabled)
Active: active (running) since Mon 2023-08-07 12:29:43 UTC; 3min 45s ago


On further investigation, the collision you describe is fixed by a patch
included in bird_1.6.7-1 (2019):

https://salsa.debian.org/debian/bird/-/commit/7738791be2

It checks for the ownership of /etc/bird/bird.conf using ucf and only performs
actual purging (including the removal of bird user) when it should.


> disabling and masking the systemd units bird2 uses

I don't see such thing happening in current bird/bird2 package sources:

https://salsa.debian.org/debian/bird/-/blob/master/debian/bird.postrm


The problems you describe imply upgrading from older bird package than 1.6.7,
for example buster 1.6.6-1 but that that's old-old-stable now.

This seems fixed both in bookworm and bullseye. IOW upgrading from a fully
upgraded bullseye system bird_1.6.8 to bookworm bird2_2.0.12 seems to work.

Are you sure you upgraded from latest bullseye bird package?

If so, I'm afraid you might be a victim of a fallout from previous package
versions.


> Please work together to make these two packages cooperate better.

They cooperated just fine in my testing with current bullseye/bookworm
versions and the above-described patch seems to have addressed exactly this 
issue.

Please provide a reproducer with current (bookworm/bullseye) packages,
otherwise I think this was fixed in bird_1.6.7-1.


Cheers,
Jakub Ružička


signature.asc
Description: PGP signature

Bug#1033361: ITP: dunamai -- dynamic versioning library and CLI

[Jakub Ružička]

Package: wnpp
Severity: wishlist
Owner: Jakub Ružička 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: dunamai
  Version : 1.16.0
  Upstream Contact: Matthew T. Kennerly 
* URL : https://github.com/mtkennerly/dunamai
* License : MIT
  Programming Lang: Python
  Description : dynamic versioning library and CLI

Dunamai is a Python library and command line tool for producing dynamic,
standards-compliant version strings, derived from tags in your version control
system. This facilitates uniquely identifying nightly or per-commit builds in
continuous integration and releasing new versions of your software simply by
creating a tag.

I plan to maintain this nice tool along with poetry-dynamic-versioning from
the same author which integrates Dunamai into Poetry as a plugin.

I have the packaging ready for review in Salsa repo:

https://salsa.debian.org/jruzicka/dunamai

Salsa CI is green including lintian and simple autopkgtest. I've wrote
a manpage as well.

Note that this is the first time I've used poetry-core with pyproject pybuild
system and it seems to work, awesome stuff!

I'd like to join PythonTeam and maintain this alongside other python projects.

FYI at the time of writing, Dunamai is packaged for:

* Arch/Manjaro
* Fedora >= 36
* nixpkgs >= 22.05


signature.asc
Description: PGP signature

Bug#993796: bullseye-pu: package knot-resolver/5.3.1-1

[Jakub Ružička]

On 7/1/22 19:57, Adam D. Barratt wrote:

On Fri, 2021-12-03 at 16:59 +0100, Julien Cristau wrote:

Control: tag -1 confirmed

On Mon, Sep 06, 2021 at 04:21:15PM +, Jakub Ružička wrote:

[ Reason ]
Fixing bug #991463 (CVE-2021-40083) - potential DoS.

[...]

Feel free to go ahead and upload, thank you.

Ping?

Hello,

thanks for the ping, the previous mail got lost in my endless inbox and 
this bug isn't shown in the bug list available from knot-resolver 
package tracker so I completely lost track.


Better late than never, I've uploaded knot-resolver_5.3.1-1+deb11u1 into 
proposed-updates.



Cheers,
Jakub Ružička 

Bug#993796: bullseye-pu: package knot-resolver/5.3.1-1

[Jakub Ružička]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jakub.ruzi...@nic.cz

[ Reason ]
Fixing bug #991463 (CVE-2021-40083) - potential DoS.

[ Impact ]
Vulnerability to DoS attack.

[ Tests ]
I've tested the fix manually by running the deckard (DNS test harness)
test sets/resolver/val_iter_high.rpl supplied with the upstream fix.

It's not trivial to setup system for deckard so I've used upstream
Debian bullseye docker image from Knot CI:

docker run -it --privileged 
registry.nic.cz/knot/knot-resolver/ci/debian-11:knot-3.0

With current knot-resolver-5.3.1-1 the test failed.
With suggested knot-resolver-5.3.1-1+deb11u1 the test passed.

[ Risks ]
This is a simple backport of upstream fix.

Upstream tests run during package build so chances of something
breaking are small.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
Backport of upstream fix for #991463:

https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1169/diffs#c22c39e3a02cdfb0d3d47b16ff46e65d196df19d
diff -Nru knot-resolver-5.3.1/debian/changelog 
knot-resolver-5.3.1/debian/changelog
--- knot-resolver-5.3.1/debian/changelog2021-04-12 05:59:28.0 
+
+++ knot-resolver-5.3.1/debian/changelog2021-08-31 16:20:00.0 
+
@@ -1,3 +1,10 @@
+knot-resolver (5.3.1-1+deb11u1) bullseye; urgency=medium
+
+  * Fix possible assertion failure in NSEC3 edge-case (CVE-2021-40083)
+(Closes: #991463)
+
+ -- Jakub Ružička   Tue, 31 Aug 2021 16:20:00 +
+
 knot-resolver (5.3.1-1) unstable; urgency=medium
 
   [ Jakub Ružička ]
diff -Nru knot-resolver-5.3.1/debian/gbp.conf 
knot-resolver-5.3.1/debian/gbp.conf
--- knot-resolver-5.3.1/debian/gbp.conf 2021-04-12 05:59:28.0 +
+++ knot-resolver-5.3.1/debian/gbp.conf 2021-08-31 16:20:00.0 +
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/bullseye
 debian-tag = debian/%(version)s
 upstream-branch = upstream
 upstream-tag = upstream/%(version)s
diff -Nru 
knot-resolver-5.3.1/debian/patches/0002-validator-avoid-assertion-in-an-edge-case.patch
 
knot-resolver-5.3.1/debian/patches/0002-validator-avoid-assertion-in-an-edge-case.patch
--- 
knot-resolver-5.3.1/debian/patches/0002-validator-avoid-assertion-in-an-edge-case.patch
 1970-01-01 00:00:00.0 +
+++ 
knot-resolver-5.3.1/debian/patches/0002-validator-avoid-assertion-in-an-edge-case.patch
 2021-08-31 16:20:00.0 +
@@ -0,0 +1,58 @@
+From: =?utf-8?b?VmxhZGltw61yIMSMdW7DoXQ=?= 
+Date: Mon, 12 Apr 2021 15:23:02 +0200
+Subject: [PATCH] validator: avoid assertion in an edge-case
+
+Case: NSEC3 with too many iterations used for a positive wildcard proof.
+
+To really fix the answers, this also needed fixing the `any_rank` part
+which I somehow forgot in commit 7107faebc :-(
+---
+ lib/dnssec/nsec3.c   | 7 +++
+ lib/dnssec/nsec3.h   | 1 +
+ lib/layer/validate.c | 3 ++-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/lib/dnssec/nsec3.c b/lib/dnssec/nsec3.c
+index e9e536a..f3a48c0 100644
+--- a/lib/dnssec/nsec3.c
 b/lib/dnssec/nsec3.c
+@@ -596,6 +596,13 @@ int kr_nsec3_wildcard_answer_response_check(const 
knot_pkt_t *pkt, knot_section_
+   if (rrset->type != KNOT_RRTYPE_NSEC3) {
+   continue;
+   }
++  if (knot_nsec3_iters(rrset->rrs.rdata) > 
KR_NSEC3_MAX_ITERATIONS) {
++  /* Avoid hashing with too many iterations.
++   * If we get here, the `sname` wildcard probably ends 
up bogus,
++   * but it gets downgraded to KR_RANK_INSECURE when 
validator
++   * gets to verifying one of these over-limit NSEC3 RRs. 
*/
++  continue;
++  }
+   int ret = covers_name(, rrset, sname);
+   if (ret != 0) {
+   return ret;
+diff --git a/lib/dnssec/nsec3.h b/lib/dnssec/nsec3.h
+index 1e316f5..0fdbfce 100644
+--- a/lib/dnssec/nsec3.h
 b/lib/dnssec/nsec3.h
+@@ -39,6 +39,7 @@ int kr_nsec3_name_error_response_check(const knot_pkt_t 
*pkt, knot_section_t sec
+  * KNOT_ERANGE - NSEC3 RR that covers a wildcard
+  * has been found, but has opt-out flag set;
+  * otherwise - error.
++ * Records over KR_NSEC3_MAX_ITERATIONS are skipped, so you probably get 
kr_error(ENOENT).
+  */
+ int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, 
knot_section_t section_id,
+ const knot_dname_t *sname, int 
trim_to_next);
+diff --git a/lib/layer/validate.c b/lib/layer/validate.c
+index cf5dda2..cf5c88a 100644
+--- a/lib/layer/validate.c
 b/lib/layer/validate.c
+

Bug#991463: fixed in knot-resolver 5.4.1-1

[Jakub Ružička]

> I've opened transition bug #993027

Got ack from RT, I've uploaded knot-3.1.1-4 into unstable to start the
transition.

Do I need to wait until the new knot built on all archs before uploading
depending knot-resolver-5.4.1-2 or is there a smart mechanism ensuring
build against correct/latest version?

> Yes, that I should fix the issue with the next (first) bullseye-point
> release after it's been fixed in unstable.

I've prepared knot-resolver-5.3.1-2+deb11u1 with the backport of
upstream fix in new debian/bullseye salsa branch:

https://salsa.debian.org/dns-team/knot-resolver/-/commits/debian/bullseye

Please review my changes before I attempt the bullseye upload as I'm new
to this process.


,
Jakub


OpenPGP_0xA4254072E373042C.asc
Description: OpenPGP public key

Bug#991463: fixed in knot-resolver 5.4.1-1

[Jakub Ružička]

On 8/26/21 10:42 PM, Santiago Ruano Rincón wrote:
> El 26/08/21 a las 14:45, Jakub Ružička escribió:
>>> - Includes fix for CVE-2021-40083 (Closes: #991463)
>> I've used this magic syntax found throughout the changelog and it closed
>> the bug upon experimental upload, which isn't what I expected. Please
>> reopen as needed, I'm not yet familiar with handling bugs wrt different
>> Debian branches.
>>
> Why would you like to reopen the bug? The BTS knows it is still to be
> fixed in unstable. Take a look at the image at the top right of the bug
> report page:
> https://bugs.debian.org/cgi-bin/version.cgi?absolute=0;found=knot-resolver%2F5.3.1-1;info=1;fixed=knot-resolver%2F5.4.1-1;collapse=1;package=knot-resolver
Aha! I didn't notice that all-important image at all, thanks. So BTS is
as smart as I hoped 拾

Please disregard my prior confusion.
>
>> Regardless, experimental knot-resolver-5.4.1-1 built against
>> experimental knot-3.1.1-3 so I'll try to proceed with the transition
>> which should fix the bug for sid.
> Awesome, thanks!
My pleasure!

I've opened transition bug #993027
>
>> After that I plan to cherry-pick the fix for next bullseye-point release.
> Did you have any feedback from the security team?
Yes, that I should fix the issue with the next (first) bullseye-point
release after it's been fixed in unstable.

As the sid fix is in progress, I'll prepare the bullseye release (at
debian/bullseye Salsa branch I think) and follow instructions at

https://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable



,
Jakub



OpenPGP_signature
Description: OpenPGP digital signature

Bug#993027: transition: knot 3.0 to 3.1

[Jakub Ružička]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hello,

in order to update knot to latest 3.1.1, its only reverse dependency
knot-resolver needs to be updated to >= 5.4 which supports new
knot 3.1 API/ABI.

I've tested this in experimental - knot-resolver-5.4.1-1 built against
knot-3.1.1-3. Both packages have autopkgtests as well upstream tests
enabled.

Ben file:

title = "knot";
is_affected = .depends ~ /\b(libknot12|libzscanner4|libknot11|libzscanner3)\b/;
is_good = .depends ~ /\b(libknot12|libzscanner4)\b/;
is_bad = .depends ~ /\b(libknot11|libzscanner3)\b/;

Thank you.


Cheers,
Jakub

Bug#991463: fixed in knot-resolver 5.4.1-1

[Jakub Ružička]

> - Includes fix for CVE-2021-40083 (Closes: #991463)

I've used this magic syntax found throughout the changelog and it closed
the bug upon experimental upload, which isn't what I expected. Please
reopen as needed, I'm not yet familiar with handling bugs wrt different
Debian branches.

Regardless, experimental knot-resolver-5.4.1-1 built against
experimental knot-3.1.1-3 so I'll try to proceed with the transition
which should fix the bug for sid.

After that I plan to cherry-pick the fix for next bullseye-point release.

Cheers,
Jakub



OpenPGP_signature
Description: OpenPGP digital signature

Bug#932087: knot-host: Add to update-alternatives

[Jakub Ružička]

Hello,

thanks for handling the bind9 side of things!

I'm happy to update the knot source package with update-alternatives
functionality as soon as it's implemented in bind9 package which is a
necessary prerequisite to avoid package file conflicts if I understand
correctly.


Cheers,
Jakub

On Wed, 28 Apr 2021 00:15:39 +0200 Daniel Baumann wrote:
> tag 932087 patch
> thanks
>
> Hi,
>
> I've attached patches that we're using in our Debian derrivate for this.
> I've also send the required patches to a bugreport against src:bind9
> (will add a "block by" to this bug after having recieved the bugnumber).
>
> Regards,
> Daniel
>



OpenPGP_signature
Description: OpenPGP digital signature

Bug#900374: updated knot.service file available since knot-3.0.1-1

[Jakub Ružička]

I've updated debian/knot.service file from upstream which already
addressed described issues.

It's been synced in knot-3.0.1-1 debian package release and it remains
in sync as of 3.0.4.

You can look at commit cc65f515c1:
https://salsa.debian.org/dns-team/knot-dns/-/commit/cc65f515c1

I believe this issue is solved and can be closed.


Cheers,
Jakub Ružička

Bug#974080: ITP: lua-binaryheap -- Binary heap implementation in lua

[Jakub Ružička]

On 11/20/20 10:34 AM, Santiago Ruano Rincón wrote:
> El 19/11/20 a las 22:04, Santiago Ruano Rincón escribió:
>> El 19/11/20 a las 17:56, Santiago Ruano Rincón escribió:
>> Before uploading a wanted to take a look at the debian/watch file.
>> Attached you can find a work-in-progress version. I cannot work more on
>> it today. There is still an error after downloading the file. Would you
>> like to fix it?  (c.f. man uscan)
>>
>> Cheers,
>>
>>  -- S
>> version=4
>> opts="filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/-$1\.tar\.gz/,uversionmangle=s/v/./"
>>  \
>>   https://github.com/Tieske/binaryheap.lua/tags .*/version_?(\d\S*)\.tar\.gz
> Somehow I messed up my working files (*). The attached (simpler) d/watch
> seems to work. Could you please test it?
Thanks, it works for me too so I added this to salsa and CI confirms
we're free of lintian warnings/infos ᕕ( ᐛ )ᕗ

https://salsa.debian.org/jruzicka/lua-binaryheap/-/jobs/1178434#L27

I also signed all commits in debian/master as you suggested elsewhere.

> Cheers,
>
>  -- Santiago
>
> (*) I need to stop working late.
I concur, workaholism is dangerous you know...


Cheers,
Jakub



signature.asc
Description: OpenPGP digital signature

Bug#974080: ITP: lua-binaryheap -- Binary heap implementation in lua

[Jakub Ružička]

On 11/17/20 4:41 PM, Santiago Ruano Rincón wrote:
> El 09/11/20 a las 13:31, Jakub Ružička escribió:
>> Package: wnpp
>> Severity: wishlist
>> Owner: Jakub Ružička 
>>
>> * Package name: lua-binaryheap
>>   Version : 0.4
>>   Upstream Author : Thijs Schreijer 
>> * URL : https://github.com/Tieske/binaryheap.lua
>> * License : MIT
>>   Programming Lang: lua
>>   Description : binary heap implementation in lua
>>
>> binaryheap.lua is a binary heap (binary tree) implementaion in lua.
>>
> ...
>
> Jakub, thanks for packaging lua-binaryheap.
Thanks for fast respone, Santiago :)
>
> Two lintian "major" comments from your current repo:
>
> W: lua-binaryheap source: ancient-standards-version 3.9.8 (released 
> 2016-04-06) (current is 4.5.0)
> W: lua-binaryheap source: package-uses-deprecated-debhelper-compat-version 9
>
> Do you have any reason for that standards-version and
> debhelper-compat-version?
Upstream packages support older distros including ubuntu xenial so it's
just a leftover - I've updated these to current.
>
> These other lintian minor warnings could be easily fixed:
>
> I: lua-binaryheap: capitalization-error-in-description lua Lua
> I: lua-binaryheap source: debian-watch-file-is-missing
> I: lua-binaryheap source: vcs-field-not-canonical Vcs-Git
>
> Could you please consider them?
I've fixed all of them except debian-watch-file-is-missing because
upstream is using one the weirdest version tag scheme I've witnessed
(version_0v4) and I'm not familiar with watch files enough to solve this
efficiently.

I've pushed fixed debian/master and you can see lintian output in CI:

https://salsa.debian.org/jruzicka/lua-binaryheap/-/jobs/1176088#L27

Thank you for Salsa CI suggestion and help with enabling it. I like it
and I'll probably use it for other packages too.


Cheers,
Jakub



signature.asc
Description: OpenPGP digital signature

Bug#974080: ITP: lua-binaryheap -- Binary heap implementation in lua

[Jakub Ružička]

Package: wnpp
Severity: wishlist
Owner: Jakub Ružička 

* Package name: lua-binaryheap
  Version : 0.4
  Upstream Author : Thijs Schreijer 
* URL : https://github.com/Tieske/binaryheap.lua
* License : MIT
  Programming Lang: lua
  Description : binary heap implementation in lua

binaryheap.lua is a binary heap (binary tree) implementaion in lua.

- lua-binaryheap package is a missing requirement of lua-http package which is
  already included in Debian as described in bug #958665
- this package is an indirect requirement of Knot Resolver which I intend to
  package for Debian. upstream Knot Resolver package repos currntly use custom
  lua-binaryheap package which I use as a base for the Debian package.
- binaryheap.lua is a small and focused project which started in 2015 with
  last activity in 2019 so I assume it's stable/mature with changes unlikely
  thus it should be easy to maintain.
- I'm not a debian Dev but I try to become Maintainer with active sponsor as
  a part of Debian DNS team. I'm willing to maintain the package in forseeable
  future, especially as I expect minimal or no changes.

Bug#587976: fails to open image from URI

[Jakub Ružička]

Anything including file:/// doesn't work.

For example: http://www.debian.org/Pics/openlogo-50.png



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#524630: fixed

[Jakub Ružička]

Adding forgotten

Screen  0   Screen 0 0

to ServerLayout solves the problem, but this behaviour(crash on missing option
in config file) is not nice.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org