Bug#982894:

[Jason Perrin]

I have seen exactly the same problem (on AWS EC2 too), so I'm definitely
interested in a fix for this. Leaving /etc/resolv.conf unmodified if the
disk is full seems perfect as a fix!

Bug#951255: redis-server: TLS not configured in build, some configuration options do not work by default without it

[Jason Perrin]

Package: redis-server
Version: 5:6.0~rc1-1
Severity: normal

Dear Maintainer,

So one of the big new features in Redis 6.x is native TLS support, which I'm
pretty excited about! I tried it out with the version of this package in
experimental, and it worked but did need a couple tweaks to the package build
to enable TLS within the build (given in the patch at the bottom).

This was the error previously when the option is specified in the config file
but isn't actually allowed since it isn't compiled with TLS support
(https://github.com/antirez/redis/blob/6.0-rc1/src/config.c#L2259-L2273):

Feb 13 01:53:45 hostname systemd[1]: Starting Advanced key-value store...
Feb 13 01:53:45 hostname redis-server[15510]: *** FATAL CONFIG FILE ERROR ***
Feb 13 01:53:45 hostname redis-server[15510]: Reading the
configuration file, at line 1375
Feb 13 01:53:45 hostname redis-server[15510]: >>> 'tls-port 6378'
Feb 13 01:53:45 hostname redis-server[15510]: Bad directive or wrong
number of arguments
Feb 13 01:53:45 hostname systemd[1]: redis-server.service: Control
process exited, code=exited, status=1/FAILURE
Feb 13 01:53:45 hostname systemd[1]: redis-server.service: Failed with
result 'exit-code'.
Feb 13 01:53:45 hostname systemd[1]: Failed to start Advanced key-value store.

The only config modification I did was to add "tls-port 6378" at the bottom of
/etc/redis/redis.conf, to get redis to fully work I did need to add more
options like tls-cert-file and tls-key-file, but just adding the port was
enough to reproduce the issue.

This is my patch to debian/rules to build with TLS support (adding the variable
to just override_dh_auto_build didn't actually add it properly, my guess is
that it's needed in multiple different targets). I also needed to add
libssl-dev as a build dependency and added the --tls options and tcl-tls as per
the TLS docs (https://github.com/antirez/redis/blob/6.0/TLS.md). I've
also tested this manually by doing a build, making sure all the tests
that are run there pass, and installing redis on a host and setting up
some basic TLS configuration. I did get a few errors within the tests,
but they don't all appear to be related (the TLS ones likely are though):

!!! WARNING The following tests failed:

*** [err]: Active defrag in tests/unit/memefficiency.tcl
defrag not started.
*** [err]: Active defrag big keys in tests/unit/memefficiency.tcl
defrag not started.
*** [err]: TLS: Verify tls-protocols behaves as expected in tests/unit/tls.tcl
Expected 'I/O error reading reply' to match 'PONG' (context: type eval
line 10 cmd {assert_match {PONG} $e} proc ::test)

Here's my patch:

diff --git a/debian/control b/debian/control
index a83d91e..6eff968 100644
--- a/debian/control
+++ b/debian/control
@@ -8,10 +8,12 @@ Build-Depends:
  libhiredis-dev (>= 0.14.0),
  libjemalloc-dev [linux-any],
  liblua5.1-dev,
+ libssl-dev,
  lua-bitop-dev,
  lua-cjson-dev,
  procps ,
  tcl ,
+ tcl-tls ,
 Standards-Version: 4.4.1
 Homepage: https://redis.io/
 Vcs-Git: https://salsa.debian.org/lamby/pkg-redis.git
diff --git a/debian/rules b/debian/rules
index 1e7819d..4cbec71 100755
--- a/debian/rules
+++ b/debian/rules
@@ -17,6 +17,7 @@ LUA_LDFLAGS = $(addprefix
-llua5.1-,$(LUA_LIBS_DEBIAN)) $(addprefix ../deps/lua/
 export CFLAGS CPPFLAGS LDFLAGS
 export DEB_BUILD_MAINT_OPTIONS = hardening=+all
 export DEB_LDFLAGS_MAINT_APPEND = -Wl,-no-as-needed -ldl -latomic
$(LUA_LDFLAGS)
+export BUILD_TLS=yes

 ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
NUMJOBS = $(patsubst parallel=%,%,$(filter
parallel=%,$(DEB_BUILD_OPTIONS)))
@@ -48,9 +49,11 @@ override_dh_auto_build: debian/lua_libs_debian.c

 override_dh_auto_test:
 ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
-   # Avoid race conditions in upstream testsuite.
-   ./runtest --clients 1 || true
-   ./runtest-cluster || true
+   # Generate a root CA and server certificate for testing
+   ./utils/gen-test-certs.sh
+   # Avoid race conditions in upstream testsuite
+   ./runtest --clients 1 --tls || true
+   ./runtest-cluster --tls || true
./runtest-sentinel || true
 endif

Bug#914540: [20181124] mirrors.ocf.berkeley.edu: out of date, ftpsync-version

[Jason Perrin]

Hi Peter,

Thanks a lot for letting us know we are out of date!

We've switched our upstream mirror and are syncing again now.

We'll make sure to update our ftpsync version too, it's been on our roadmap
for a while now but just hasn't been done yet, so we'll look into that as
soon as we can.

Cheers,
Jason

On Sat, Nov 24, 2018 at 7:39 AM Peter Palfrader  wrote:

> Package: mirrors
> User: mirr...@packages.debian.org
> Usertags: mirror-problems
>
> Hi!
>
> It seems http://mirrors.ocf.berkeley.edu/debian/
> is out of date
>
> https://mirror-master.debian.org/status/mirror-info/mirrors.ocf.berkeley.edu.html
>
> Please investigate.
>
> o If you sync off kernel.org, you might want to pick a different site
>   (do not use ftp.*.debian.org names, only http is guaranteed at
>those names and they do switch around.)
>   https://mirror-master.debian.org/status/mirror-hierarchy.html might help
>   you pick.
>
> o Also, maybe update your ftpsync version.
>   http://ftp.debian.org/debian/project/ftpsync/ftpsync-current.tar.gz
>
> Cheers,
> --
> |  .''`.   ** Debian **
>   Peter Palfrader   | : :' :  The  universal
>  https://www.palfrader.org/ | `. `'  Operating System
> |   `-https://www.debian.org/
>

Bug#900612: apache2-suexec-pristine: Packaging steps undo setting of setuid bit

[Jason Perrin]

Hi Stefan,

You're absolutely right, I was building the package as root inside a
docker container, mostly as a one-off kind of build to add some
debugging information. I tried using fakeroot instead, and it masked
the problem as you mentioned, as the file at the end still has the
setuid bit, even though it has changed group (and the same happens if
the owner is changed):

jvperrin@fireball:~$ fakeroot /bin/bash
root@fireball:~# touch test.txt
root@fireball:~# ls -l test.txt
-rw-r--r-- 1 root root 0 Jun  2 13:08 test.txt
root@fireball:~# chmod 4754 test.txt
root@fireball:~# ls -l test.txt
-rwsr-xr-- 1 root root 0 Jun  2 13:08 test.txt*
root@fireball:~# chgrp nogroup test.txt
root@fireball:~# ls -l test.txt
-rwsr-xr-- 1 root nogroup 0 Jun  2 13:08 test.txt*

If I do the same without fakeroot, it loses the setuid bit (as it should):

jvperrin@fireball:~$ sudo -i
root@fireball:~# touch test.txt
root@fireball:~# ls -l test.txt
-rw-r--r-- 1 root root 0 Jun  2 13:11 test.txt
root@fireball:~# chmod 4754 test.txt
root@fireball:~# ls -l test.txt
-rwsr-xr-- 1 root root 0 Jun  2 13:11 test.txt*
root@fireball:~# chgrp nogroup test.txt
root@fireball:~# ls -l test.txt
-rwxr-xr-- 1 root nogroup 0 Jun  2 13:11 test.txt*

This suggests to me that this is indeed a problem with fakeroot, not
with this package, although I do still think the patch I included on
this bug report could be helpful as it wouldn't change the behavior
when it fakeroot and fixes the issue if anyone else is building
manually outside of fakeroot. Looking at fakeroot's bug reports, it's
already been reported almost a decade ago
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497109). It hasn't
had any activity since then, so that's unfortunate, I'll try and
follow up there. Thank you for your help, that was very useful!
On Sat, Jun 2, 2018 at 1:35 AM Stefan Fritsch  wrote:
>
> On Saturday, 2 June 2018 02:06:10 CEST Jason Perrin wrote:
>
> > This appears to be a problem in the source for this package, on the master
> > branch, as well as on separate branches for different distros:
> > https://salsa.debian.org/apache-team/apache2/blob/master/debian/rules#L148-1
> > 53 I'm not sure how this has worked properly to produce packages, since the
> > last change to that section was 6 years ago, so I'm a bit confused on that
> > point.
>
>
> That's weird because it seems all distributed packages in the last 6 years
> have the correct permissions. Do you build the package as root? Usually
> packages are built as non-root user using fakeroot. Maybe fakeroot is not
> being faithful to the real kernel behavior and hides the bug.
>
> Cheers,
> Stefan
>
>
>

Bug#900612: apache2-suexec-pristine: Packaging steps undo setting of setuid bit

[Jason Perrin]

Package: apache2-suexec-pristine
Version: 2.4.25-3+deb9u4
Severity: normal
Tags: patch
Justification: fails to build from source (but built successfully in the past)

Dear Maintainer,

When building the apache2-suexec-pristine (and apache2-suexec-custom) packages
from source, I expected the built .deb packages to contain setuid binaries
(at /usr/lib/apache2/suexec-pristine and /usr/lib/apache2/suexec-custom
respectively). However, when packaging was done, the packages contained
binaries with the permissions 0754, not 4754, as set in the debian/rules file.

Looking into this more, it appears that chgrp (through the chown system call)
clears the setuid bit (and all bits in the first octet of permissions) when it
is run, so the steps in override_dh_fixperms-arch end up removing the setuid
bit when chgrp is run after chmod.

This appears to be a problem in the source for this package, on the master
branch, as well as on separate branches for different distros:
https://salsa.debian.org/apache-team/apache2/blob/master/debian/rules#L148-153
I'm not sure how this has worked properly to produce packages, since the last
change to that section was 6 years ago, so I'm a bit confused on that point.

Here is a patch to fix the setting of the setuid bit in both packages by just
moving the chmod to after chgrp has already run:

--- debian/rules
+++ debian/rules
@@ -146,11 +146,11 @@ override_dh_install: clean-config-vars-stamp \

 override_dh_fixperms-arch:
# standard suexec
-   chmod 4754 
debian/apache2-suexec-pristine/usr/lib/apache2/suexec-pristine
chgrp www-data 
debian/apache2-suexec-pristine/usr/lib/apache2/suexec-pristine
+   chmod 4754 
debian/apache2-suexec-pristine/usr/lib/apache2/suexec-pristine
# configurable suexec
-   chmod 4754 debian/apache2-suexec-custom/usr/lib/apache2/suexec-custom
chgrp www-data 
debian/apache2-suexec-custom/usr/lib/apache2/suexec-custom
+   chmod 4754 debian/apache2-suexec-custom/usr/lib/apache2/suexec-custom
dh_fixperms -a -Xusr/lib/apache2/suexec-custom 
-Xusr/lib/apache2/suexec-pristine
chown -R www-data:www-data 
debian/apache2/var/cache/apache2/mod_cache_disk
chown root:adm debian/apache2/var/log/apache2


-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set 
to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Bug#838752: mirror listing update for mirrors.ocf.berkeley.edu

[Jason Perrin]

Package: mirrors
Severity: minor
User: mirr...@packages.debian.org
Usertags: mirror-list

Submission-Type: update
Site: mirrors.ocf.berkeley.edu
Type: leaf
Archive-architecture: ALL amd64 arm64 armel armhf hurd-i386 i386 kfreebsd-amd64 
kfreebsd-i386 mips mips64el mipsel powerpc ppc64el s390x 
Archive-ftp: /debian/
Archive-http: /debian/
Archive-rsync: debian/
CDImage-ftp: /debian-cd/
CDImage-http: /debian-cd/
CDImage-rsync: debian-cd/
IPv6: yes
Archive-upstream: mirrors.kernel.org
CDImage-upstream: mirrors.kernel.org
Updates: four
Maintainer: Jason Perrin 
Country: US United States
Location: Berkeley, CA
Sponsor: Open Computing Facility https://www.ocf.berkeley.edu
Comment: Hi,
 
 Could you update our listing (mirrors.ocf.berkeley.edu) to include all 
architectures? Currently we are missing a few that we support:
 
 arm64 mips64el ppc64el s390
 
 Also, could you please add us back to the httpredir list? We seem to have been 
dropped from the list according to http://httpredir.debian.org/report.txt, but 
we successfully perform a two-step sync and our trace 
(http://mirrors.ocf.berkeley.edu/debian/project/trace/mirrors.ocf.berkeley.edu) 
says we are up to date.
 
 Thanks as always!
 
 Jason

Bug#638699: [Pkg-xfce-devel] Bug#638699: exo-open fails to open a filename with a hash (#)

[Jason Perrin]

This has been fixed in release 0.10.7-1 (available in stretch). The
core issue here was that exo-open did not properly escape filenames
before sending them to gobject/glib, so files with a number sign (#)
in their name would get cut off, due to glib removing what it saw as a
URI fragment. This was reported in
https://bugzilla.xfce.org/show_bug.cgi?id=9912 and fixed with
http://git.xfce.org/xfce/exo/commit/?id=6faf134307a8f651c09931ae4f7017ce141f6320,
so this issue should be resolved.

On Sun, 21 Aug 2011 10:13:50 +0200 Mathias Brodala  wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Hi.
>
> Baruch Even, 21.08.2011 09:40:
> > Package: exo-utils
>
> This should be blamed on gobject/glib.
>
> > Trying to open a doc file that is named: /tmp/a#.doc with the command:
> > exo-open /tmp/a#.doc
> > This fails with the message:
> > Failed to open URI "file:///tmp/a#.doc".
> > Error stating file '/tmp/a': No such file or directory.
>
> Most likely related to this one:
>
> https://bugzilla.gnome.org/show_bug.cgi?id=655194
> (gio.File ignores uri fragments on file:// URIs)
>
> There’s nothing exo can do here except wait for gobject/glib to fix this
> issue.
>
>
> Regards, Mathias
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk5QvjYACgkQYfUFJ3ewsJgOGACfQJ+pzHOMUtbQrkobemF9Nv6K
> gCoAoJ61V30cNWYyS4OO9ASgHwz1Fgt3
> =sF7F
> -END PGP SIGNATURE-
>
>
>