Bug#1077854: libcurl4t64: SIGPIPE leaks in some cases

[Raphaël Halimi]

Package: libcurl4t64
Version: 8.9.1-1
Severity: critical
Affects: transmission-daemon transmission-gtk

Dear maintainers,

Please look at the upstream bug :

https://github.com/curl/curl/issues/14344

On my system, this makes transmission-gtk crash unexpectedly after a 
short time, without any error message.


According to [1], it also affects transmission-daemon.

[1] https://github.com/transmission/transmission/issues/7035

Setting severity to critical because it affects other packages (and to 
trigger apt-listbugs for people who use it).


Regards,

--
Raphaël Halimi

Bug#1077765: openssh: can't be started by ssh.socket anymore

[Raphaël Halimi]

Le 02/08/2024 à 00:12, Colin Watson a écrit :

My best guess is that this has something to do with the refactoring of
sshd into a listener binary and a per-session binary, which touched the
re-exec path that's also involved in socket activation.  I'll try to
figure it out, but it may take a little while.

I think we should probably also add an autopkgtest for the socket
activation case.  Since it's not the default and not otherwise
automatically tested right now, it's easy for it to break accidentally.


Dear maintainers,

I confirm that this new upload fixes the problem.

Thank you for acting so quickly ! :)

Regards,

--
Raphaël Halimi

Bug#1077765: openssh: can't be started by ssh.socket anymore

[Raphaël Halimi]

Package: openssh
Version: 1:9.8p1-1
Severity: serious

Dear maintainers,

Since the latest openssh upgrade, ssh.socket service can't start 
ssh.service.


It fails with the error message "fatal: Cannot bind any address", and 
gives up after 5 tries (which is expected), leaving the machine unreachable.


ssh.service on its own starts normally.

This is a regression, as previous versions of ssh.socket were able to 
start the service without problems.


A simple workaround is to disable ssh.socket and enable ssh.service, but 
it would be nice to have systemd socket activation working again.


Severity set to serious since it can render machine where ssh.socket is 
enabled unreachable after an upgrade (before ssh.service is restarted, 
which needs physical access).


Regards,

--
Raphaël Halimi

Bug#1068591: systemd-container: doesn't list a default package for default-dbus-system-bus dependency

[Raphaël Halimi]

Le 07/04/2024 à 19:34, Michael Biebl a écrit :

As you correctly noticed, this is a bug/fault in debootstrap.
I don't think individual packages should work around that, so I'm 
included to close this as wontfix (or reassign/merge to debootstrap).


Fair enough, I understand. Do you want me to reassign it ?

Fwiw, you might use an alternative debootstrap tool like mmdebstrap 
which works properly in that regard.


I didn't know about this tool. Thanks for the tip :)

Regards,

--
Raphaël Halimi

Bug#1068591: systemd-container: doesn't list a default package for default-dbus-system-bus dependency

[Raphaël Halimi]

Package: systemd-container
Version: 249.6-1
Severity: minor

Dear developers,

systemd-container lists "default-dbus-system-bus | dbus-system-bus" as a 
dependency. This is usually correct since APT is smart enough to resolve 
the dependency, but that's not the case with debootstrap.


Since systemd-container is usually needed in systemd-nspawn containers, 
it should be installed at debootstrap time, but currently, running 
debootstrap with "--include=systemd-container" fails because no D-Bus 
implementation is pulled in as dependency. It used to work in versions 
older than 249.6-1 (before the dependency was changed from the real 
"dbus" package to "default-dbus-system-bus | dbus-system-bus" virtual 
packages, so it may qualify as a regression). Using 
"--include=systemd-container,dbus" (or dbus-broker) works.


Could the real dbus package (since it's currently the default D-Bus 
implementation in Debian) be listed as an alternative dependency (and 
ideally, in bookworm too) ?


Note 1: one could think that it's debootstrap's fault for not resolving 
dependencies on virtual packages; indeed, it has already been reported 
several times (#878961, merged with #827602 and #931760; as well as 
Launchpad #86536) unfortunately never fixed yet; but, IMHO, since 
systemd-container is usually needed in systemd-nspawn containers, and 
(except for the host) is usually installed via debootstrap, it makes it 
kind of a special case, in the sense that systemd (as a whole) should 
take care that systemd-nspawn containers can be built and started easily.


Note 2: dbus-broker has the reputation of being better than dbus on 
various points, and could be considered as a clever choice for 
containers, but systemd-container currently lists 
"default-dbus-system-bus" as first alternative, which is provided by "dbus".


Regards,

--
Raphaël Halimi

Bug#772523: preseeding get_domain using DHCP is broken

[Raphaël Halimi]

(sorry, accidental Ctrl+Enter...)

With Bookworm, it totally broke.

If the preseeding happens after netcfg (url=...), when setting the 
hostname from the kernel parameters, d-i keeps it, but does not get the 
domain from DHCP as before; only setting both a hostname and a domain 
name makes things work (but now keeps the domain from the kernel 
parameters, which may be more appropriate).


If the preseeding happens before netcfg (file=...), whatever hostname 
and/or domain is set in the kernel paramaters, and whatever domain the 
DHCP sends, d-i uses the values from the preseed file 
(unassigned-hostname and unassigned-domain).


So, currently, the only way to make things work with an installation 
medium, is to unset both netcfg/get_hostname and netcfg/get_domain in 
the preseed file, and set hostname and domain in the kernel parameters.


(for convenience, I attached a text file in markdown format with the 
results of these tests).


This is a big change from the behavior of previous netcfg versions (I 
use preseeding since Wheezy, both with PXE or installation media), and 
this new behavior makes things more complicated: before, we just 
configured bogus values in the preseed file, and if the machine was not 
registered in the DNS but the DHCP provided a valid domain name, 
specifying a hostname in the kernel parameters was sufficient. Now, we 
have to specify both the hostname and the domain name in the kernel 
command line (think of non-QWERTY keyboards...), and this makes me 
consider this a severe regression.


It also partly contradicts the various documentations (like the ones 
mentioned above).


I sincerely hope this will be fixed in a forthcoming point release.

Feel free to ask me if you need to test stuff, I have a suitable 
environment to test preseeding for both PXE or installation media.


Best regards,

--
Raphaël HalimiBullseye


netcfg before preseed (url=...)


### cmdline: none
hostname=debian, no domain name

### cmdline: hostname=
hostname from cmdline, domain from DHCP

### cmdline: hostname=, domain=
hostname from cmdline, domain from DHCP (different from cmdline)

preseed before netcfg (file=...)


### cmdline: none
hostname and domain from preseed file (unassigned-hostname, unassigned-domain)

### cmdline: hostname=
hostname from cmdline, domain from DHCP

### cmdline: hostname=, domain=
hostname from cmdline, domain from DHCP (different from cmdline)

Bookworm


netcfg before preseed (url=...)


### cmdline: none
hostname=debian, no domain name

### cmdline: hostname=
hostname from cmdline, no domain

### cmdline: hostname=, domain=
hostname and domain from cmdline

preseed before netcfg (file=...)


### cmdline: none
hostname and domain from preseed file (unassigned-hostname, unassigned-domain)

### cmdline: hostname=
hostname and domain from preseed file (unassigned-hostname, unassigned-domain)

### cmdline: hostname=, domain=
hostname and domain from preseed file (unassigned-hostname, unassigned-domain)

Bug#1060897: furo: documentation generated with Debian's furo package doesn't work standalone

[Raphaël Hertzog]

Package: furo
Version: 2023.09.10+dfsg-2
Severity: important
X-Debbugs-Cc: raph...@freexian.com

Hello Georges,

I was trying to use "furo" (as packaged in Debian) to build the debusine
documentation but I figured out that multiple things were not working
right:
https://hertzog.pages.debian.net/-/debusine/-/jobs/5153568/artifacts/docs/_build/html/index.html

- I have unwanted margins around the page, that's because "normalize.css"
  is not found, the Debian package hardcodes
  "/javascript/normalize.css/normalize.css" as the path... it's totally
  unreasonable to make that assumption for random documentation. It's
  great to reuse the Debian packaged version, but it should be reused in a
  way where it gets duplicated in the generated documentation so that
  the documentation is self-contained.

- the dark/light theme switcher is hidden because I have a ".no-js" class
  that is not removed by _static/scripts/furo.js because that script fails
  on the first import line (Uncaught SyntaxError: import declarations may
  only appear at top level of a module). This line has been patched
  by the Debian packaging, but I'm not sure if the change is the source of
  the problem.

Cheers,

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.8-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages furo depends on:
ii  node-normalize.css  8.0.1-5
ii  python3 3.11.6-1
ii  python3-bs4 4.12.2-2
ii  python3-pygments2.15.1+dfsg-1
ii  python3-sphinx  7.2.6-3
ii  sphinx-basic-ng 1.0.0~beta2-1

furo recommends no packages.

furo suggests no packages.

-- no debconf information

Bug#1058758: Still not fixed for ThinkPad Compact USB Keyboard with TrackPoint (not II)

[Raphaël Halimi]

Dear developers,

Unfortunately, after upgrading kernel to 6.6.8 on my Sid desktop (at 
home), I still witness the bug (middle click performed when releasing 
middle button after wheel emulation) with my ThinkPad Compact USB 
Keyboard with TrackPoint (old model, not II).


Those spurious clicks are very annoying, since they can open links in 
new tabs when scrolling in Firefox, or pasting text when scrolling in 
terminals, or other unwanted stuff.


A also have this problem at work, on a Bookworm desktop.

Why did those recent patches ([1], [2], [3] oldest is two months old) 
end up in a stable release's kernel ? They clearly cause a very annoying 
regression, on a fairly high number of installations (statistically, old 
ThinkPad Compact USB Keyboard is probably much more widespread than the 
recent ThinkPad TrackPoint Keyboard II).


[1] 
https://github.com/torvalds/linux/commit/46a0a2c96f0f47628190f122c2e3d879e590bcbe
[2] 
https://github.com/torvalds/linux/commit/2f2bd7cbd1d1548137b351040dc4e037d18cdfdc
[3] 
https://github.com/torvalds/linux/commit/43527a0094c10dfbf0d5a2e7979395a38de3ff65


Would it be possible to revert them at least in Bookworm's kernel, until 
they're stabilized and working for all ThinkPad keyboards ?


Regards,

--
Raphaël Halimi

Bug#1042818: firmware-amd-graphics: GPU freezes, monitors not working with kernel 6.0 and version 20230625-1

[Raphaël Gomès]

Package: firmware-amd-graphics
Followup-For: Bug #1042818
X-Debbugs-Cc: alphar...@gmail.com

Dear Maintainer,

I think the most relevant new information is that after installing
20230625-1 from 20230515-3 on kernel version 6.0.0-2, I had the random
freezes mentioned above.

Also, only my DP monitor would output anything, and my wayland compositor
would try to make sense of them in a loop, leading to a very unresponsive
system (freezes, missed keystrokes, repeated keystrokes) and other things
like keyboard settings not being applied because the config reload process
got interrupted.

I tried upgrading to linux 6.5.0-5, which didn't do anything. Still on that
version, I manually installed 20230515-4 (instead of the original -3, but
I don't think this makes a difference) and everything is working fine.

The workaround for drm kernel parameters did not work for me unfortunately.

Thanks,
Raphaël Gomès

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-5-amd64 (SMP w/32 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

firmware-amd-graphics depends on no packages.

firmware-amd-graphics recommends no packages.

Versions of packages firmware-amd-graphics suggests:
ii  initramfs-tools  0.142

-- debconf-show failed

Bug#1054564: apache2: mod_proxy_connect insecure default server-wide AllowCONNECT value

[Raphaël Droz]

Package: apache2
Version: 2.4.56-1~deb11u2
Severity: normal
X-Debbugs-Cc: raphael.d...@gmail.com

Dear Maintainer,

# Context

For years, one of my SSL vhost (on :443) has been relying mod_proxy_http to 
(safely)
 forward some requests to a backend, acting as a reverse-proxy.
```
# Something like
ProxyRequests   On
SSLProxyEngine  On
RewriteRule ^/.well-known/.*$ "https://gitlab-foobar/%{REQUEST_URI}; [P,L]
```


Recently, I experienced the need to (safely) forward some requests (from 
another server I own)
 through this server (because of some network/geoblocking problem).
I enabled `mod_proxy_connect` and (safely) configured a forward-proxy on :80 
(using `Require valid-user / ip`).
```
# Something like
ProxyRequests On
Authtype Basic
AuthUserFile ...

p  Require valid-user
  Require ip ...

```


# Problem

While this :80 forward-proxy vhost was secure, I later discovered, that 
 the original (and almost forgotten) vhost had incidentally become an 
open-proxy (!)

The reasons are:
- mod_proxy_connect is globally enabled (affects all vhosts)
- AllowCONNECT defaults to "443 563" (affects all vhosts)


Said otherwise, *any* secure reverse-proxy vhost configuration become de-facto
 an insecure open forward-proxy vhost as soon as `mod_proxy_connect` is 
globally enabled.

This sounds contrary to best security practices.
(and I bet more than one server out there is silently affected by this 
insecure-by-default
configuration)


# Proposed solution

I suggest to add a server-wide `AllowCONNECT 0` directive inside
`/etc/apache2/mods-available/proxy_connect.load` (virtually disabling CONNECT)
so that individual vhosts relying on it would have to explicitely set the value 
at the vhost-level.

It would be more logical (scope/side-effects) and avoid holes being punched 
into existing
 (and otherwise secure) reverse-proxy vhosts.


# Additional notes
To cap it all my proxy-enabled vhost was the first one (lexicographically
speaking) making it the destination of all the random internet SSL traffic 
scanners.


Google-friendly list of typical log messages that should raise flags:
> AH00898: Connect to remote machine blocked returned by...
> AH00939: CONNECT: attempt to connect to ...:443 (...) failed
> AH10221: proxy: CONNECT: client flushing failed (-102)
> AH10221: proxy: CONNECT: origin flushing failed (-102)


-- Package-specific info:

-- System Information:
Debian Release: bullseye
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.2.0-35-generic (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apache2 depends on:
ii  apache2-bin  2.4.56-1~deb11u2
ii  apache2-data 2.4.56-1~deb11u2
ii  apache2-utils2.4.56-1~deb11u2

Versions of packages apache2 recommends:
pn  ssl-cert  

Versions of packages apache2 suggests:
pn  apache2-doc   
pn  apache2-suexec-pristine | apache2-suexec  

Versions of packages apache2 is related to:
ii  apache2  2.4.56-1~deb11u2
ii  apache2-bin  2.4.56-1~deb11u2

-- Configuration Files:
/etc/apache2/apache2.conf changed [not included]

-- no debconf information

-- 
GPG id: 0xF41572CEBD4218F4

Bug#1054532: autopkgtest: allow use of an alternate APT solver

[Raphaël Hertzog]

Package: autopkgtest
Version: 5.30
Severity: wishlist
X-Debbugs-Cc: raph...@freexian.com

The current way to schedule autopkgtest tests on reverse dependencies
prior to testing migration is not really satisfying:
- it relies entirely on APT pinning
- you don't have any control on the version used

While working on autopkgtest's integration in debusine, I tried to improve 
this by submitting the precise version of the updated package that I want
to validate on the command line (together with the .deb of the package
providing the autopkgtests). That works well as the packages gets
integrated in the local apt repository prepared.

However this doesn't work when the updated package has dependencies that
can only be solved in the extra repository. The requirement to use
--apt-default-release to stick to the base release means that apt will
refuse to install the dependencies from any other repository (unless we
use --pin-packages to increase their priority).

FTR here are the tries we made to reach that conclusion:
https://salsa.debian.org/freexian-team/debusine/-/issues/188

I'm looking for a solution where we don't have to do that analysis of the
dependency tree to figure out the set of deb that must be selected. It might
not be a big issue in the context of britney, but it's definitely a
showstopper in many other contexts.

Until apt gets improved (which might happen in time for trixie as juliank
told me he has plans to work on a better solver for APT), the best
solution is likely to make it possible to use an external APT solver in
that special case, just like buildd are doing for experimental builds.

In 
https://salsa.debian.org/freexian-team/debusine/-/merge_requests/300/diffs#note_434295
Paul Gevers said he considered the aspcud resolver but he decided against
as it's not the default. I agree that it should not be the default but I
still think that we should be able to opt-in to that solution for such
tests where we want to run a mixed environment and not have to provide
the exact combination of packages that have to be taken from the extra
repository.

This requires to install apt-cudf and aspcud in the image and then use a
command line like this (see man apt-cudf):
# apt-get --solver aspcud -o APT::Solver::Strict-Pinning=false -o 
APT::Solver::aspcud::Preferences="-count(solution,APT-Release:~/[an]=$extra,/),-removed,-changed,-new"
 install $package

I used a regex matching APT-Release here to match both codename (n=) and 
suites/archive (a=) and I anchored with the trailing comma to be sure to match 
the full name. FTR the APT-Release field looks like this in the EDSP data 
structure:

APT-Release: v=12.2,o=Debian,a=stable,n=bookworm,l=Debian,c=main,b=amd64
or
APT-Release: o=Debian,a=unstable,n=sid,l=Debian,c=main,b=amd64

If we have multiple extra repositories, we will likely want to have $extra
be a regex like "(codename1|codename2)".

Note that this is not tested and just based on my personal research so far.

For reference, the buildd are using the following criteria for solving
build deps of experimental packages:
https://salsa.debian.org/dsa-team/mirror/dsa-puppet/-/blob/production/modules/buildd/templates/sbuild.conf.erb
$aspcud_criteria = 
'-count(solution,APT-Release:=/experimental/),-removed,-changed,-new';

Thanks for considering!

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-2-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages autopkgtest depends on:
ii  apt-utils   2.7.6
ii  libdpkg-perl1.22.0
ii  mawk1.3.4.20230808-1
ii  procps  2:4.0.4-2
ii  python3 3.11.4-5+b1
ii  python3-debian  0.1.49

Versions of packages autopkgtest recommends:
ii  autodep8  0.28
ii  fakeroot  1.32.1-1

Versions of packages autopkgtest suggests:
pn  docker.io
pn  fakemachine  
pn  lxc  
pn  lxd  
ii  ovmf 2023.05-2
pn  ovmf-ia32
ii  podman   4.6.2+ds1-4
ii  python3-distro-info  1.5
ii  qemu-efi-aarch64 2023.05-2
ii  qemu-efi-arm 2023.05-2
ii  qemu-system  1:8.1.2+ds-1
ii  qemu-utils   1:8.1.2+ds-1
ii  schroot  1.6.13-3+b2
ii  util-linux   2.39.2-4
ii  vmdb20.27+really.0.26-1
ii  zerofree 1.1.1-1

-- no debconf information

Bug#1052510: abook: double free detected in tcache 2

[Raphaël]

> On Sat, Sep 23, 2023 at 04:53:18PM +0200, Alejandro Colomar wrote:
> > Package: abook
> > Version: 0.6.1-3
> > Severity: normal
> > Tags: upstream
> > X-Debbugs-Cc: a...@kernel.org
> > 
> > Dear Maintainer,
> > 
> > abook(1) is freeing twice.

https://sourceforge.net/p/abook/git/ci/b897f8a0d8e02bcd0b8d0296b4893d2b35d6de5a/

Bug#1053892: lintian: Stop emitting masked tags

[Raphaël Hertzog]

Package: lintian
Version: 2.116.3
Severity: wishlist
X-Debbugs-Cc: raph...@freexian.com

I just discovered the existence of masked tags and of the "Screen"
mechanism to exclude some tags. I also notice that they are
displayed together with overriden tags when you use --show-overrides.
Yet they are very different.

I believe that a tag that lintian decided to suppress should simply never be
emitted, not even as a masked tag. Thus I would suggest to stop emitting
masked tags.

But if you disagree with this, it might make sense to offer the
possibility to handle masked tags separately from overriden tags.

(Again this is a followup from a discussion here
https://salsa.debian.org/freexian-team/debusine/-/merge_requests/300#note_434002)

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lintian depends on:
ii  binutils2.41-5
ii  bzip2   1.0.8-5+b1
ii  diffstat1.65-1
ii  dpkg1.22.0
ii  dpkg-dev1.22.0
ii  file1:5.45-2
ii  gettext 0.21-13+b1
ii  gpg 2.2.40-1.1
ii  intltool-debian 0.35.0+20060710.6
ii  iso-codes   4.15.0-1
ii  libapt-pkg-perl 0.1.40+b2
ii  libarchive-zip-perl 1.68-1
ii  libberkeleydb-perl  0.64-2+b1
ii  libcapture-tiny-perl0.48-2
ii  libclass-xsaccessor-perl1.19-4+b1
ii  libclone-perl   0.46-1
ii  libconfig-tiny-perl 2.29-1
ii  libconst-fast-perl  0.014-2
ii  libcpanel-json-xs-perl  4.37-1
ii  libdata-dpath-perl  0.58-2
ii  libdata-validate-domain-perl0.10-1.1
ii  libdata-validate-uri-perl   0.07-2
ii  libdevel-size-perl  0.83-2+b1
pn  libdigest-sha-perl  
ii  libdpkg-perl1.22.0
ii  libemail-address-xs-perl1.05-1+b1
ii  libencode-perl  3.19-1+b1
ii  libfile-basedir-perl0.09-2
ii  libfile-find-rule-perl  0.34-3
ii  libfont-ttf-perl1.06-2
ii  libhtml-html5-entities-perl 0.004-3
ii  libhtml-tokeparser-simple-perl  3.16-4
ii  libio-interactive-perl  1.023-2
ii  libipc-run3-perl0.048-3
ii  libjson-maybexs-perl1.004005-1
ii  liblist-compare-perl0.55-2
ii  liblist-someutils-perl  0.59-1
ii  liblist-utilsby-perl0.12-2
ii  libmldbm-perl   2.05-4
ii  libmoo-perl 2.005005-1
ii  libmoox-aliases-perl0.001006-2
ii  libnamespace-clean-perl 0.27-2
ii  libpath-tiny-perl   0.144-1
ii  libperlio-gzip-perl 0.20-1+b1
ii  libperlio-utf8-strict-perl  0.010-1
ii  libproc-processtable-perl   0.636-1
ii  libregexp-wildcards-perl1.05-3
ii  libsereal-decoder-perl  5.004+ds-1
ii  libsereal-encoder-perl  5.004+ds-1
ii  libsort-versions-perl   1.62-3
ii  libsyntax-keyword-try-perl  0.29-1
ii  libterm-readkey-perl2.38-2+b1
ii  libtext-levenshteinxs-perl  0.03-5+b1
ii  libtext-markdown-discount-perl  0.16-1
ii  libtext-xslate-perl 3.5.9-1+b2
ii  libtime-duration-perl   1.21-2
ii  libtime-moment-perl 0.44-2+b1
ii  libtimedate-perl2.3300-2
ii  libunicode-utf8-perl0.62-2
ii  liburi-perl 5.21-1
ii  libwww-mechanize-perl   2.17-1
ii  libwww-perl 6.72-1
ii  libxml-libxml-perl  2.0207+dfsg+really+2.0134-1+b1
ii  libyaml-libyaml-perl0.86+ds-1
ii  lzip [lzip-decompressor]1.23-6
ii  lzop1.04-2
ii  man-db  2.12.0-1
ii  patchutils  0.4.2-1
ii  perl [libencode-perl]   5.36.0-9
ii  t1utils 1.41-4
ii  unzip   6.0-28
ii  xz-utils5.4.4-0.1

lintian recommends no packages.

Versions of packages lintian suggests:
ii  binutils-multiarch 2.41-5
ii  libtext-template-perl  1.61-1

-- no debconf information

Bug#1053891: lintian: Document the existence of classification tags in the manual page

[Raphaël Hertzog]

Package: lintian
Version: 2.116.3
Severity: wishlist
X-Debbugs-Cc: raph...@freexian.com

Hello,

the conversation in
https://salsa.debian.org/freexian-team/debusine/-/merge_requests/300#note_434002
led me to realize that as a simple lintian user reading the manual page,
you can't discover the existence of classification tags and you can't
figure out the syntax to enable the display of those tags.

Please improve the manual page to explain what classification tags are,
that they are considered like normal tags with a priority lower than
everything else and that you can enable them with "--display-level
+=classification".

BTW in general, the whole explanation about --display-level is pretty
confusing, it's not clear to me what "S|C|S/C" is supposed to mean for
instance. And there's no global sorted list of usable severity so
it's hard to predict the result of --display-level '>=classification'.

Cheers,

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lintian depends on:
ii  binutils2.41-5
ii  bzip2   1.0.8-5+b1
ii  diffstat1.65-1
ii  dpkg1.22.0
ii  dpkg-dev1.22.0
ii  file1:5.45-2
ii  gettext 0.21-13+b1
ii  gpg 2.2.40-1.1
ii  intltool-debian 0.35.0+20060710.6
ii  iso-codes   4.15.0-1
ii  libapt-pkg-perl 0.1.40+b2
ii  libarchive-zip-perl 1.68-1
ii  libberkeleydb-perl  0.64-2+b1
ii  libcapture-tiny-perl0.48-2
ii  libclass-xsaccessor-perl1.19-4+b1
ii  libclone-perl   0.46-1
ii  libconfig-tiny-perl 2.29-1
ii  libconst-fast-perl  0.014-2
ii  libcpanel-json-xs-perl  4.37-1
ii  libdata-dpath-perl  0.58-2
ii  libdata-validate-domain-perl0.10-1.1
ii  libdata-validate-uri-perl   0.07-2
ii  libdevel-size-perl  0.83-2+b1
pn  libdigest-sha-perl  
ii  libdpkg-perl1.22.0
ii  libemail-address-xs-perl1.05-1+b1
ii  libencode-perl  3.19-1+b1
ii  libfile-basedir-perl0.09-2
ii  libfile-find-rule-perl  0.34-3
ii  libfont-ttf-perl1.06-2
ii  libhtml-html5-entities-perl 0.004-3
ii  libhtml-tokeparser-simple-perl  3.16-4
ii  libio-interactive-perl  1.023-2
ii  libipc-run3-perl0.048-3
ii  libjson-maybexs-perl1.004005-1
ii  liblist-compare-perl0.55-2
ii  liblist-someutils-perl  0.59-1
ii  liblist-utilsby-perl0.12-2
ii  libmldbm-perl   2.05-4
ii  libmoo-perl 2.005005-1
ii  libmoox-aliases-perl0.001006-2
ii  libnamespace-clean-perl 0.27-2
ii  libpath-tiny-perl   0.144-1
ii  libperlio-gzip-perl 0.20-1+b1
ii  libperlio-utf8-strict-perl  0.010-1
ii  libproc-processtable-perl   0.636-1
ii  libregexp-wildcards-perl1.05-3
ii  libsereal-decoder-perl  5.004+ds-1
ii  libsereal-encoder-perl  5.004+ds-1
ii  libsort-versions-perl   1.62-3
ii  libsyntax-keyword-try-perl  0.29-1
ii  libterm-readkey-perl2.38-2+b1
ii  libtext-levenshteinxs-perl  0.03-5+b1
ii  libtext-markdown-discount-perl  0.16-1
ii  libtext-xslate-perl 3.5.9-1+b2
ii  libtime-duration-perl   1.21-2
ii  libtime-moment-perl 0.44-2+b1
ii  libtimedate-perl2.3300-2
ii  libunicode-utf8-perl0.62-2
ii  liburi-perl 5.21-1
ii  libwww-mechanize-perl   2.17-1
ii  libwww-perl 6.72-1
ii  libxml-libxml-perl  2.0207+dfsg+really+2.0134-1+b1
ii  libyaml-libyaml-perl0.86+ds-1
ii  lzip [lzip-decompressor]1.23-6
ii  lzop1.04-2
ii  man-db  2.12.0-1
ii  patchutils  0.4.2-1
ii  perl [libencode-perl]   5.36.0-9
ii  t1utils 1.41-4
ii  unzip   6.0-28
ii  xz-utils5.4.4-0.1

lintian recommends no packages.

Versions of packages lintian suggests:
ii  binutils-multiarch 2.41-5
ii  libtext-template-perl  1.61-1

-- no debconf information

Bug#1053789: sbuild: should support --env=VAR=VALUE command line option like autopkgtest

[Raphaël Hertzog]

Package: sbuild
Version: 0.85.3
Severity: wishlist
X-Debbugs-Cc: raph...@freexian.com

Hello,

it would be nice if sbuild supported the --env=VAR=VALUE command line
option like autopkgtest:

   --env=VAR=value
  Set arbitrary environment variable in the build and test.
  Can be specified multiple times.

I know that sbuild keeps the current environment but it does filter it and
getting rid of the filter requires setting up a configuration file I
assume. A bit complicated compared to the expressivenes of the above
command line option that clearly says "yes I want that variable".

This suggestion is the result of some design work in debusine where
we want to make it easy for Debian developers to experiment with
changes that can affect many packages. And we believe that the possibility
of setting up an arbitrary environment variable is important in that
context.

https://salsa.debian.org/freexian-team/debusine/-/issues/180

Thank you for considering that idea!

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages sbuild depends on:
ii  adduser 3.137
ii  libsbuild-perl  0.85.3
ii  perl5.36.0-9

Versions of packages sbuild recommends:
ii  autopkgtest  5.30
ii  debootstrap  1.0.132
ii  schroot  1.6.13-3+b2
ii  uidmap   1:4.13+dfsg1-2

Versions of packages sbuild suggests:
pn  deborphan  
ii  e2fsprogs  1.47.0-2+b1
ii  kmod   30+20230601-2
ii  wget   1.21.4-1+b1

-- no debconf information

Bug#1051229: tlp 1.6 doesn't conflict with power-profile-daemon anymore

[Raphaël Halimi]

Control: tags -1 wontfix
Control: close -1

Dear Sebastien,

Thanks for your suggestion and your patch, but I prefer to follow 
upstream's advice and keep the conflict in place to disallow 
co-installation of TLP and PPD.


Regards,

--
Raphaël Halimi

Bug#1028897: fontconfig: wrong name for the Noto monospace font

[Raphaël Halimi]

Le 20/08/2023 à 22:15, Gunnar Hjalmarsson a écrit :

Thus, the default font for the "Monospace" alias will depend on the
installed packages.


That's always the case, isn't it? The output of "fc-match" or "fc-match 
mono" depends on a combo of available fonts and the font configuration.


Yes, but what I meant was that it's a change from before 2.14, when 
configuration and dependencies made sure that everyone had the same 
default (DejaVu Sans Mono).


Regards,

--
Raphaël Halimi

Bug#1028897: fontconfig: wrong name for the Noto monospace font

[Raphaël Halimi]

Le 20/08/2023 à 12:33, Gunnar Hjalmarsson a écrit :

So, I just downloaded NotoSansMono-Regular.ttf from its new home [1]
(the old repository in the Debian copyright file has been archived),
opened it in font-viewer and... Sadly, the spacing is still
"Proportional" and not "Monospace" :(


Thanks for doing that. So we will probably need to live with it for the 
foreseeable future. And yes, it's a bit sad.


No problem :)

Anyway, I'm now convinced that the status of Noto Sans Moto motivates a 
change of the default monospace font in Debian. Well, you and I haven't 
agreed on what to put there instead, so how about a compromise where we 
pick both? :)


https://salsa.debian.org/freedesktop-team/fontconfig/-/commit/6fae069d


As I understand it, this will make fontconfig select DejaVu Sans Mono on 
most desktop installations (since libreoffice depends on both sets), and 
Noto Mono on a handful of installations, namely, minimal installations 
which will have only fonts-noto-{core,mono} installed, and not 
fonts-dejavu-{core,mono}.


Thus, the default font for the "Monospace" alias will depend on the 
installed packages. At least, since Noto Sans Mono is listed after Noto 
Mono, and since they're both shipped by the same package, the latter 
will never be selected, which will fix the core of the problem - huge 
and hard-to-read terminals.


I'm okay with that. Thanks for fixing it :)

While I still hesitate, since the change affects so many users, I have 
decided to act. After all we are in the beginning of the trixie 
development cycle, so there is plenty of time to change it later. By 
making the change in unstable and testing, we expose it to the users. 
Many will probably not even notice and some will like it. And if some 
users disapprove of the change, the broader discussion we haven't had 
may happen later.


Yes, let's see what users think of the change. I have good hope that 
most people will be satisfied.



Thanks for your perseverance!


You're welcome :)

Regards,

--
Raphaël Halimi

Bug#1028897: fontconfig: wrong name for the Noto monospace font

[Raphaël Halimi]

Le 19/08/2023 à 16:04, Gunnar Hjalmarsson a écrit :
As you may have seen, I submitted <https://bugs.debian.org/1050043> and 
fixed it. Thanks for mentioning it!


Yes I saw that, you CC'd me ; and thank you for acting on this problem. 
Seeing that the time I spend on writing detailed e-mails to the BTS is 
not in vain, is very much appreciated :)



On 2023-08-17 15:34, Raphaël Halimi wrote:

IMHO, if Debian wants to follow the upstream fontconfig default to
use the Noto fonts, the system should work without the DejaVu
packages installed, so it would make more sense to patch fontconfig
to use Noto Mono as a default and keep the "Noto look" across the
whole system, than to go back to DejaVu Sans Mono.


As regards "Noto look", and despite of the name "Noto Mono", personally 
I think that DejaVu Sans Mono aligns better with Noto Sans/Serif than 
Noto Mono does. Look at the letter 'g', for instance.


Also:

* If Debian would change the default monospace font, we would not follow 
upstream. That's true whether we would pick Noto Mono or DejaVu Sans Mono.


As I said, having a "pure" Noto set or a mix of Noto and DejaVu set by 
default is a personal opinion (I did state "IMHO") and I admit I didn't 
compare those fonts thoroughly to see which one of Noto (Sans) Mono or 
DejaVu Sans Mono goes better with Noto Sans/Serif. I took a guess purely 
based on the fact that fonts distributed as parts of the same set are 
supposed to go along.


Since you're part of the team who maintains the package, I won't discuss 
your decision on that point (but I'd still prefer full-Noto or 
full-DejaVu over a mix of both, although I agree this may be a purely 
psychological bias).


* There were reasons why I broke out DejaVu Sans Mono to its own 
package. :) Given that change, it's possible to install 
fonts-dejavu-mono without installing fonts-dejavu-core.


This remark made me read the Debian changelog and query #1043271. Thanks 
for clarifying that.



For those reasons I disagree with the quoted statement.


As I said, we have a divergence of opinion, but as the maintainer of 
this package, you have the final word.


Another question is if the Noto Sans Mono deficiency is important enough 
to motivate a Debian level change in this respect. I don't know. 
@Fabian, I sent this reply to you as well in the hope to broaden the 
discussion a bit.


Here, I don't agree ; not on bringing more people in the discussion (the 
more thinking minds, the wiser the final decision will be), but on the 
very problem itself: did you see the screenshots I provided ? Won't you 
agree that the current default configuration is ugly, whether with Gnome 
Terminal or XTerm ?


(I know that for XTerm it's not really the "default configuration" since 
it uses bitmap fonts by default, but still, I consider the font resolved 
by the "Monospace" alias for TrueType fonts to be some kind of default).


It's worth mentioning that the fonts-noto packages in Debian ship almost 
3 years old fonts. An update to latest upstream would be highly 
desirable. Possibly Noto Sans Mono has improved.


I didn't know that. Thanks for mentioning it.

So, I just downloaded NotoSansMono-Regular.ttf from its new home [1] 
(the old repository in the Debian copyright file has been archived), 
opened it in font-viewer and... Sadly, the spacing is still 
"Proportional" and not "Monospace" :(


[1] 
https://github.com/notofonts/notofonts.github.io/blob/main/fonts/NotoSansMono/hinted/ttf/NotoSansMono-Regular.ttf


After all this time, I seriously doubt that that Google intends to fix 
that. Maybe we could open an issue in the new Github repository ? My 
hopes are not high, though. I'm afraid it will be ignored like the ones 
before.


Regards,

--
Raphaël Halimi

Bug#1042004: systemd: systemd-run evaluates variables enclosed between single quotes

[Raphaël Halimi]

Package: systemd
Version: 254~rc1-2
Affects: pbuilder

Dear maintainers,

Yesterday I tried to build a package with pbuilder and it resulted in an 
error when trying to satisfy build dependencies:


Referenced but unset environment variable evaluates to an empty string: 
Version

dpkg-query: error in show format: may not be empty string

/usr/lib/pbuilder/pbuilder-satisfydepends-apt checks for apt's version 
with the function package_version_is_older_than, which is defined in 
/usr/lib/pbuilder/pbuilder-modules:


dpkg --compare-versions "$($CHROOTEXEC dpkg-query -W 
--showformat='${Version}' "$1")" lt "$2"


CHROOTEXEC is defined in /usr/lib/pbuilder/pbuilder-checkparams:

CHROOTEXEC="chroot $BUILDPLACE "

And then (if systemd is running and its version is greater than 215) :

systemctl_run=(
  systemd-run
  --quiet
  --scope
  --description="pbuilder_${PBUILDER_OPERATION}${1:+_"$(basename "$1")"}"
  --slice="$SYSTEMD_SLICE"
)
CHROOTEXEC="${systemctl_run[*]} $CHROOTEXEC"

So the resulting systemd-run command evaluates '${Version}' (in the 
dpkg-query command) to an empty string. It shouldn't be evaluated since 
it's enclosed between single quotes.


Downgrading systemd to version 253.5-1 fixes the problem.

Regards,

--
Raphaël Halimi

Bug#1036617: ITP: python-procset -- pure Python implementation of the interval set data structure

[Raphaël Bleuse]

Package: wnpp
Severity: wishlist
Owner: Raphaël Bleuse 
X-Debbugs-Cc: debian-de...@lists.debian.org, c...@research.bleuse.net

* Package name: python-procset
  Version : 1.0-1
  Upstream Contact: Raphaël Bleuse 
* URL : https://gitlab.inria.fr/bleuse/procset.py
* License : LGPL
  Programming Lang: Python
  Description : pure Python implementation of the interval set data 
structure

An interval set is a memory-efficient representation of closed-interval
sets.
A ProcSet is an hybrid between a set and a list of indexes.
More precisely, a ProcSet object is an ordered collection of unique
non-negative int.
It supports most of set operations: notably membership testing,
mathematical operations such as intersection, union, and (symmetric)
difference; with the additional ability to access its elements by
position.

Such a data structure is used when managing sets of resources, and is
especially useful when writing schedulers.

Bug#1036034: plymouth: tribar theme should be treated as other text themes

[Raphaël Halimi]

Package: plymouth
Version: 0.9.5-3
Tags: patch

Dear developer,

Plymouth ships text themes, and graphical themes in a separate 
plymouth-themes package, which have many more dependencies.


Installing only plymouth (without plymouth-themes) and selecting the 
tribar theme currently makes update-initramfs fail because it can't find 
the file /etc/fonts/fonts.conf (shipped with fontconfig-config), which 
tribar doesn't need at all, since it's a actually a text theme 
(correctly shipped with the main plymouth package, and not in the 
plymouth-themes package).


This probably stayed off the radar since plymouth is rarely installed on 
a system without a desktop (and thus, no fonts). That's why the 
probability to mess up the initramfs is quite low, but it's nevertheless 
a possibility.


This can be easily fixed by adding tribar to the dependencies test in 
the initramfs hook (see provided patch).


I tested it in a VM on a standard headless system (bullseye), with and 
without encrypted root; the text prompts for entering the passphrase and 
reporting success or failure are correctly displayed.


Regards,

--
Raphaël Halimi--- debian/local/plymouth.hook.orig	2023-02-01 18:20:20.0 +0100
+++ debian/local/plymouth.hook	2023-05-13 19:49:20.260777891 +0200
@@ -86,7 +86,7 @@
 fi
 
 case "${THEME_NAME}" in
-	text|details)
+	text|details|tribar)
 
 		;;
 

Bug#1034233: tlp: dh_installsystemd doesn't handle files in /usr/lib/systemd/system

[Raphaël Halimi]

Control: fixed -1 1.5.0-2
Control: thanks

Forgot to mention the closed bug in the changelog.

--
Raphaël Halimi

Bug#1034384: unblock: tlp/1.5.0-2

[Raphaël Halimi]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: t...@packages.debian.org
Control: affects -1 + src:tlp

Please unblock package tlp

[ Reason ]
The 1.5.0-1 version includes a systemd service file in /usr/lib/systemd, 
which is not detected by debhelper during package build, so the sections 
that are normally automatically added in the maintainer scripts to 
enable the service are not added. See bug #1034233 for more information.


(sadly, as I write this, I just realized I forgot to mention the 
"Closes" field in the changelog; I'll have to close the bug manually).


[ Impact ]
If the unblock isn't granted, a user installing TLP for the first time 
on Bookworm won't have it enabled during install, and will have to 
enable the service manually (it seems that users who upgrade from a 
version which had the service previously enabled are not affected).


[ Tests ]
I tested installing the package on my Bookworm laptop, and also 
upgrading from current Bookworm version, and it works as expected.


[ Risks ]
I don't believe there are any risks involved.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock tlp/1.5.0-2

Regards,

--
Raphaël Halimi[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .deb but not in first
-
-rw-r--r--  root/root   /lib/systemd/system/tlp.service
-rw-r--r--  root/root   /lib/udev/rules.d/85-tlp.rules
-rwxr-xr-x  root/root   /lib/elogind/system-sleep/49-tlp-sleep
-rwxr-xr-x  root/root   /lib/systemd/system-sleep/tlp
-rwxr-xr-x  root/root   /lib/udev/tlp-usb-udev

Files in first .deb but not in second
-
-rw-r--r--  root/root   /usr/lib/systemd/system/tlp.service
-rw-r--r--  root/root   /usr/lib/udev/rules.d/85-tlp.rules
-rwxr-xr-x  root/root   /usr/lib/elogind/system-sleep/49-tlp-sleep
-rwxr-xr-x  root/root   /usr/lib/systemd/system-sleep/tlp
-rwxr-xr-x  root/root   /usr/lib/udev/tlp-usb-udev

Control files: lines which differ (wdiff format)

Installed-Size: [-577-] {+575+}
Version: [-1.5.0-1-] {+1.5.0-2+}
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .deb but not in first
-
-rw-r--r--  root/root   /lib/udev/rules.d/85-tlp-rdw.rules
-rwxr-xr-x  root/root   /lib/udev/tlp-rdw-udev

Files in first .deb but not in second
-
-rw-r--r--  root/root   /usr/lib/udev/rules.d/85-tlp-rdw.rules
-rwxr-xr-x  root/root   /usr/lib/udev/tlp-rdw-udev

Control files: lines which differ (wdiff format)

Depends: network-manager, tlp (= [-1.5.0-1)-] {+1.5.0-2)+}
Version: [-1.5.0-1-] {+1.5.0-2+}

Bug#1034233: tlp: dh_installsystemd doesn't handle files in /usr/lib/systemd/system

[Raphaël Halimi]

Hi,

@Laurent, thank you for highlighting this.

@Andreas, the solution you suggested seems nice but ideally I'd rather 
keep build-dependencies to a minimal (currently there's only debhelper), 
so I prefer to revert usrmerge related changes introduced in 1.5, even 
if it means that I'll have to re-introduce them during Trixie's 
development cycle.


Regards,

--
Raphaël Halimi

Bug#1028897: fontconfig-config: default latin fonts changed from DejaVu to Noto

[Raphaël Halimi]

reassign 1028897 fontconfig
retitle 1028897 fontconfig: wrong name for the Noto monospace font
merge 1028897 1028643
tags 1028897 patch
thanks

--
Raphaël Halimi
Description: Fix default monospace font
 With Fontconfig 2.14, upstream made the Noto fonts default, but used "Noto
 Sans Mono" as the default font for the monospace family, which exists, but is
 actually not a monospace font. The right name is "Noto Mono".
Author: Raphaël Halimi 
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028897
Forwarded: no
Last-Update: 2023-01-14
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/conf.d/60-latin.conf
+++ b/conf.d/60-latin.conf
@@ -35,7 +35,7 @@
 	
 		monospace
 		
-			Noto Sans Mono
+			Noto Mono
 			DejaVu Sans Mono
 			Inconsolata
 			Andale Mono

Bug#1028897: fontconfig-config: default latin fonts changed from DejaVu to Noto

[Raphaël Halimi]

reassign -1 fontconfig
retitle -1 fontconfig: wrong name for the Noto monospace font
merge -1 1028643
tags -1 patch
thanks

Le 14/01/2023 à 19:45, Raphaël Halimi a écrit :

If you wish to keep DejaVu as default, here is a simple patch to do that.


Ok, scratch this patch. I know that Debian don't like to diverge from 
upstream (and I'm a maintainer myself), so this was not a good idea. 
Moreover, the change from DejaVu to Noto was not the root cause of the 
problem.


The problem is that the monospace Noto font is actually "Noto Mono" and 
not "Noto Sans Mono" (probably a typo on upstream's part).


If you use a font manager you'll see that there is indeed a font called 
"Noto Sans Mono", but if you filter them out to list only the monospace 
fonts, you can see that there's no font called "Noto Sans Mono" among 
them, but there is one called "Noto Mono".


Using this one (which I now believe is the "real" monospace font from 
Noto) as default for the monospace family does fix both Xterm and 
gnome-terminal (and probably other terminals too).


This new patch fixes what I think is actually a bug (and which probably 
needs to be forwarded to upstream).


Regards,

--
Raphaël Halimi
Description: Fix default monospace font
 With Fontconfig 2.14, upstream made the Noto fonts default, but used "Noto
 Sans Mono" as the default font for the monospace family, which exists, but is
 actually not a monospace font. The right name is "Noto Mono".
Author: Raphaël Halimi 
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028897
Forwarded: no
Last-Update: 2023-01-14
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/conf.d/60-latin.conf
+++ b/conf.d/60-latin.conf
@@ -35,7 +35,7 @@
 	
 		monospace
 		
-			Noto Sans Mono
+			Noto Mono
 			DejaVu Sans Mono
 			Inconsolata
 			Andale Mono

Bug#1028897: fontconfig-config: default latin fonts changed from DejaVu to Noto

[Raphaël Halimi]

reassign -1 fontconfig
merge -1 1028643
tags -1 patch
thanks

Sorry, I checked the bugs reported against fontconfig-config before 
filing this one, I didn't think to check fontconfig also.


If you wish to keep DejaVu as default, here is a simple patch to do that.

Regards,

--
Raphaël HalimiDescription: Keep DejaVu fonts as default for latin languages
 With Fontconfig 2.14, upstream made the Noto fonts the default for serif,
 sans-serif and monospace families for latin languages. This patch simply
 undoes this change.
Author: Raphaël Halimi 
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028897
Forwarded: not-needed
Last-Update: 2023-01-14
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/conf.d/60-latin.conf
+++ b/conf.d/60-latin.conf
@@ -5,8 +5,8 @@
 	
 		serif
 		
-			Noto Serif
 			DejaVu Serif
+			Noto Serif
 			Times New Roman
 			Thorndale AMT
 			Luxi Serif
@@ -18,8 +18,8 @@
 	
 		sans-serif
 		
-			Noto Sans
 			DejaVu Sans
+			Noto Sans
 			Verdana
 			Arial
 			Albany AMT
@@ -35,8 +35,8 @@
 	
 		monospace
 		
-			Noto Sans Mono
 			DejaVu Sans Mono
+			Noto Sans Mono
 			Inconsolata
 			Andale Mono
 			Courier New

Bug#1028897: fontconfig-config: default latin fonts changed from DejaVu to Noto

[Raphaël Halimi]

Package: fontconfig-config
Version: 2.14.1-3

Dear developers,

In the recent upgrade from fontconfig 2.13 to 2.14, the default latin 
fonts changed from DejaVu to Noto, in the file 
"/usr/share/fontconfig/conf.avail/60-latin.conf".


The default fonts in Debian is still supposed to be DejaVu, as stated in 
the debconf template :


"Select 'Native' if you mostly use DejaVu (the default in Debian)"

The difference is very slight for the serif and sans families used in 
most graphical applications like Firefox or Thunderbird, but for the 
monospace family, it makes terminals look ugly : gnome-terminal handles 
the spacing somewhat right, but the resulting window is square-shaped, 
far from what one could be accustomed to; and in Xterm (if configured to 
use whatever TrueType font aliased to "Monospace") it's even worse, it 
handles the spacing completely wrong, resulting in over-spaced 
characters and a comically large shaped window.


I don't know if this change is intentional (to follow upstream 
configuration) or if it's an overlook; of course feel free to close the 
bug as wontfix if the change is intentional (and maybe update the 
debconf template), but if that's the case, please at least mention 
somewhere the "right" way to revert that change, as it's not intuitive.


I created "/etc/fonts/conf.avail/60-latin.conf" which switches DejaVu 
and Noto to make the former the default, and I initially thought that 
re-configuring the package would pick up the file by itself (seeing that 
the filename is the same, the file in "/etc" superseding the one in 
"/usr", like other tools usually do), but it's not the case, and I had 
to symlink it manually in "/etc/fonts/conf.d", overwriting the original 
one linking to "/usr/share/fontconfig/conf.avail/60-latin.conf", which 
belongs to the package. Is that the correct way of changing default 
fontconfig settings ?


Regards,

--
Raphaël Halimi

Bug#1025902: tlp: Battery charge thresholds are ignored

[Raphaël Halimi]

Hi again,

I contacted the upstream developer and he'd like you to open an issue 
there directly.


The project page is at https://github.com/linrunner/TLP

For starters he needs the output of :

$ tlp-stat --cdiff -s -b

Once you've done that, please reply here with the address of the issue 
report, I'll link them in the BTS.


Regards,

--
Raphaël Halimi

Bug#1028233: xz-utils: tries to overwrite files in manpages-fr (4.16.0-3~bpo11+1)

[Raphaël Halimi]

Package: xz-utils
Version: 5.4.0-0.1

Dear developer,

I'm not sure if it's the right place to report the bug since it involves 
a conflict with a backport.


Today I tried to upgrade a Bullseye laptop to Bookworm.

The upgrade crashed with xz-utils trying to overwrite 
/usr/share/man/fr/man1/xz.1.gz which belonged to manpages-fr from 
backports (4.16.0-3~bpo11+1).


After running dpkg --force-overwrite (it's the only way I know of in 
such situations), a whole bunch of manual pages were overwritten :


/usr/share/man/fr/man1/xz.1.gz
/usr/share/man/fr/man1/xzdiff.1.gz
/usr/share/man/fr/man1/xzless.1.gz
/usr/share/man/fr/man1/xzmore.1.gz
/usr/share/man/fr/man1/lzcat.1.gz
/usr/share/man/fr/man1/lzcmp.1.gz
/usr/share/man/fr/man1/lzdiff.1.gz
/usr/share/man/fr/man1/lzless.1.gz
/usr/share/man/fr/man1/lzma.1.gz
/usr/share/man/fr/man1/lzmore.1.gz
/usr/share/man/fr/man1/unlzma.1.gz
/usr/share/man/fr/man1/unxz.1.gz
/usr/share/man/fr/man1/xzcat.1.gz
/usr/share/man/fr/man1/xzcmp.1.gz

I don't see a clean solution to ensure a smooth upgrade for people who 
have installed this backport. Maybe coordinate with manpages-fr 
maintainer and release updated backports for both packages, before 
Bookworm is released ?


Regards,

--
Raphaël Halimi

Bug#1028229: libwmf-0.2-7-gtk: tries to overwrite file in libwmf0.2-7-gtk

[Raphaël Halimi]

Package: libwmf-0.2-7-gtk
Version: 0.2.12-5

Dear developer,

Today I tried to upgrade a Bullseye laptop to Bookworm.

The upgrade crashed with libwmf-0.2-7-gtk trying to overwrite 
/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/io-wmf.so which 
belonged to libwmf0.2-7-gtk (0.2.8.4-17).


Judging by the packages names I guess libwmf-0.2-7-gtk is supposed to 
replace libwmf0.2-7-gtk; it seems the break and replace on libwmf0.2-7 
(<< 0.2.8.4-12) is too restrictive and should be extended (add 
libwmf0.2-7-gtk and update the version to the last one shipping this file).


Regards,

--
Raphaël Halimi

Bug#1025902: tlp: Battery charge thresholds are ignored

[Raphaël Halimi]

Le 08/01/2023 à 14:18, Benedikt Ahrens a écrit :

Dear Raphaël,

Thanks a lot for your advice. The change you propose does not solve the
problem:

```
tpacpi-bat.BAT0.startThreshold  =  0 [%]
tpacpi-bat.BAT0.stopThreshold   =    100 [%]
tpacpi-bat.BAT0.forceDischarge  =  0


Sorry, I didn't realize that the thresholds were at 0% and 100% 
(although it was written in your first report) ; they should be at 96% 
and 100%.


Maybe your laptop is too recent and not supported yet.

Please undo all the changes and revert to natacpi. I'll try to see that 
with upstream.


Regards,

--
Raphaël Halimi

Bug#1025902: tlp: Battery charge thresholds are ignored

[Raphaël Halimi]

Le 07/01/2023 à 17:07, Benedikt Ahrens a écrit :

What model of ThinkPad do you have ?


I have a T14 G3.


It's a fairly recent model (February 2022), I can't say if it's not 
supported by thinkpad_acpi yet, but trying good old acpi_call may be 
worth it. Bear in mind that I'm only the package maintainer, not the 
main developer, so I'm really not sure if it's the cause of the problem.



Maybe the natacpi driver doesn't work and you need another one.


I don't know how to switch to another driver. Would you be able to point
me to documentation on how to do that?


Make sure you install the kernel headers package matching your kernel 
(probably linux-headers-amd64), and then install acpi-call-dkms. It 
should build the module automatically. Then try to load it :


$ sudo modprobe acpi_call

...and tell TLP to use it by disabling natacpi (which supersedes 
tpacpi-bat). To do so, change the value of the NATACPI_ENABLE to 0 in 
tlp.conf. Restart tlp, and see if it solves your problem.


If loading the module says something like "Operation not permitted", it 
means secure boot is enabled and you have to create a key pair, enroll 
it in the MOK (machine owner keys), and sign the module with it. It's 
far outside of the scope of TLP, so in the meantime, for the purpose of 
testing, just reboot into BIOS and disable secure boot.


Regards,

--
Raphaël Halimi

Bug#1025902: tlp: Battery charge thresholds are ignored

[Raphaël Halimi]

Le 07/01/2023 à 14:04, Benedikt Ahrens a écrit :

Dear Raphaël,

Thanks a  lot for your advice.

I have uncommented the corresponding lines in the configuration file
(which I am sending in attachment). However, the output of `tlp-stat -b`
still shows no change to the charge thresholds, even after reboot:


What model of ThinkPad do you have ?

Maybe the natacpi driver doesn't work and you need another one.

Regards,

--
Raphaël Halimi

Bug#1027276: apt: "apt install" should run "apt update" when some repositories metadata have not been fetched

[Raphaël Hertzog]

Package: apt
Version: 2.5.4
Severity: wishlist
User: de...@kali.org
Usertags: origin-kali
X-Debbugs-Cc: arna...@kali.org, raph...@offensive-security.com

Hello,

there are many cases where apt will not have fetched any repository
information yet:
- first run of a container (no metadata fetched to keep container small)
- when the user has manually added a new repository to sources.list
- when running from a live image
- other kind of fresh installation without network

In those situations, itt would be nice if apt could be smarter than this:

┌──(root㉿carbon)-[/work]
└─# apt install nano
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Package nano is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'nano' has no installation candidate

Apt could, for instance, inform the user that some repository information
is missing and propose to run it for them.

# apt install nano
Apt is lacking metadata for some repositories. The missing metadata
can be downloaded by running "apt update".
Do you want to execute this command? [Y/n/q]
Get:1 
[...]
Fetched 41.8 MB in 15s (2782 kB/s)
The following NEW packages will be installed:
  nano
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
[...]

Typing "q" would "quit" the whole process. "Y" would run apt update and
then follow with the requested installation. "n" would skip apt update and
still try to perform the installation.

-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), 
(500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.0.0-6-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apt depends on:
ii  adduser 3.129
ii  base-passwd 3.6.1
ii  debian-archive-keyring  2021.1.1
ii  gpgv2.2.40-1
ii  libapt-pkg6.0   2.5.4
ii  libc6   2.36-6
ii  libgcc-s1   12.2.0-9.1
ii  libgnutls30 3.7.8-4
ii  libseccomp2 2.5.4-1+b2
ii  libstdc++6  12.2.0-9.1
ii  libsystemd0 252.3-1

Versions of packages apt recommends:
ii  ca-certificates  20211016

Versions of packages apt suggests:
ii  apt-doc 2.5.4
ii  aptitude0.8.13-5
ii  dpkg-dev1.21.12
ii  gnupg   2.2.40-1
ii  powermgmt-base  1.37
ii  synaptic0.91.2

-- no debconf information

Bug#1025902: tlp: Battery charge thresholds are ignored

[Raphaël Halimi]

Hi,

Sorry for the late answer, the e-mail from the BTS fell into my spam folder.

Usually, in configuration files, a hash symbol (#) indicates a comment, 
and is ignored by the software.


It seems that you didn't un-comment the lines when modifying the charge 
thresholds. Remove the # symbol in front of the lines you modified (the 
ones starting with START_CHARGE_THRESH and STOP_CHARGE_THRESH) and it 
should work.


Regards,

--
Raphaël Halimi

Bug#1022704: ccache: broken in cross-architecture chroot

[Raphaël Halimi]

Le 25/10/2022 à 18:40, Joel Rosdahl a écrit :

Thanks!

Now I understand the problem and will work on a fix.

The issue is sharing the inode cache file between architectures. A workaround is
to either use separate temporary directories for the architectures (or different
cache directories when the temporary directory defaults to the cache directory,
which is the case for you), or to disable the inode cache by setting

 inode_cache = false

in the config file.


Hi,

I'm glad I could help you despite my lack of knowledge in this area.

I confirm that disabling the inode cache does work, I'll use this 
workaround while waiting for a fixed version to be released. Thanks !


Regards,

--
Raphaël Halimi

Bug#1022704: ccache: broken in cross-architecture chroot

[Raphaël Halimi]

Le 24/10/2022 à 20:17, Joel Rosdahl a écrit :

On Mon, Oct 24, 2022, at 15:26, Raphaël Halimi wrote:

Install pbuilder on an amd64 host and prepare an i386 chroot. Then, try to
build a package in it (I was rebuilding timidity). It should hang during the
configure phase.


I've never used pbuilder before, but I've tried creating an i386 chroot now,
setting CCACHEDIR according to pbuilderrc(5).

I then built timidity multiple times with "pdebuild --architecture i386", but it
works fine for me every time. I've checked that ccache 4.7.1-1 is being used and
that the ccache directory is being utilized. I'm afraid I'll need more help to
track this down.


That's weird. Before filing the bug, I tried to recreate my build 
environment in a brand new VM, and I observed the same behavior. Maybe 
the problem lies in my configuration ? Regarding ccache, I just set it 
to /var/cache/pbuilder/ccache (some packages failed to build when I 
initially put it in ~/.ccache, permissions problems I think, because 
pbuilder makes files in there owned by 1234).



1. When you say that it systematically hangs, can you check which process is
hanging and what it hangs on, e.g. using strace?


I don't know how to use strace. Could you please direct me ?


2. Would it be possible for you to set CCACHE_LOGFILE (or log_file in
ccache.conf in the ccache directory) to a file inside the pbuilder chroot 
and
then publish the created log file?


I'll try to do that. The file does not exist on my machine; do I just 
need to create /var/cache/pbuilder/ccache/ccache.conf containing a 
single line "log_file=..." or is there something else to do ?


Regards,

--
Raphaël Halimi

Bug#1022704: ccache: broken in cross-architecture chroot

[Raphaël Halimi]

Le 24/10/2022 à 14:31, Joel Rosdahl a écrit :

Can you give me more some detailed hints on how I can reproduce the issue?



Install pbuilder on an amd64 host and prepare an i386 chroot. Then, try 
to build a package in it (I was rebuilding timidity). It should hang 
during the configure phase.


I have a complicated setup with several chroots, custom pbuilderrc, sudo 
snippets to let some environment variables pass, etc etc; but, from 
memory, this should work :


sudo pbuilder create --architecture i386

apt-get source somepackage (preferably something using autotools)
cd somepackage
sudo pdebuild --architecture i386

Regards,

--
Raphaël Halimi

Bug#1022704: ccache: broken in cross-architecture chroot

[Raphaël Halimi]

Le 24/10/2022 à 13:38, Joel Rosdahl a écrit :

Hi Raphaël,

Could you test if ccache 4.7.1-1 improves the situation?


I also tested it, it's broken too.

Regards,

--
Raphaël Halimi

Bug#1022704: ccache: broken in cross-architecture chroot

[Raphaël Halimi]

Package: ccache
Version: 4.7-1

Dear maintainer,

I use pbuilder to build package both for native architecture (amd64) and 
foreign architectures (i386, armhf).


Since upgrading ccache in Debian Sid to 4.7-1, package building 
systematically hangs during the configure phase (checking for this, 
checking for that, etc) for foreign architectures.


It always happen, but not necessarily for the same files, although it's 
usually while checking for stdio.h or stdlib.h.


Downgrading to 4.6.3-1 in the chroot solves the problem, both for i386 
and armhf.


Regards,

--
Raphaël Halimi

Bug#1020614: openbox-menu: cannot find icons with dots in their name

[Raphaël Halimi]

Package: openbox-menu
Version: 0.8.0+hg20161009-3.1
Severity: minor
Tags: patch

Dear fellow developer,

openbox-menu contains a few lines of code to remove file extensions in 
icon names found in desktop files. It removes everything after the last 
dot, which prevents gtk_icon_theme_lookup_icon() to find an icon if its 
name contains a dot, which is the case in more and more applications, 
for example nearly all GNOME applications, Remmina, Wireshark or even XTerm.


Moreover, it seems that nowadays gtk_icon_theme_lookup_icon() is 
perfectly capable to retrieve icons which contain a file extension.


The provided patch removes the few lines of code which remove file 
extensions before the gtk_icon_theme_lookup_icon() query, allowing 
openbox-menu to correctly retrieve all icons.


Regards,

--
Raphaël HalimiDescription: Don't remove file extensions in icon names
 It seems that nowadays gtk_icon_theme_lookup_icon() is perfectly capable to
 retrieve icons which contain a file extension, so removing them is not needed
 anymore. Removing everything after the last dot prevented to find icons which
 contained a dot in their name, and more packages have such icons  for example
 nearly all GNOME applications, Remmina, Wireshark or even XTerm. 
Author: Raphaël Halimi 
Last-Update: 2022-09-24
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/src/utils.c
+++ b/src/utils.c
@@ -189,7 +189,6 @@
 {
 	GtkIconInfo *icon_info = NULL;
 	gchar *icon = NULL;
-	gchar *tmp_name = NULL;
 
 	const gchar *name = menu_cache_item_get_icon (MENU_CACHE_ITEM(item));
 
@@ -198,16 +197,11 @@
 		if (g_path_is_absolute (name))
 			return g_strdup (name);
 
-		/*  We remove the file extension as gtk_icon_theme_lookup_icon can't
-		 *  lookup a theme icon for, ie, 'geany.png'. It has to be 'geany'.
-		 */
-		tmp_name = strndup (name, strrchr (name, '.') - name);
 	#ifdef WITH_SVG
-		icon_info = gtk_icon_theme_lookup_icon (icon_theme, tmp_name, 16, GTK_ICON_LOOKUP_GENERIC_FALLBACK);
+		icon_info = gtk_icon_theme_lookup_icon (icon_theme, name, 16, GTK_ICON_LOOKUP_GENERIC_FALLBACK);
 	#else
-		icon_info = gtk_icon_theme_lookup_icon (icon_theme, tmp_name, 16, GTK_ICON_LOOKUP_NO_SVG | GTK_ICON_LOOKUP_GENERIC_FALLBACK);
+		icon_info = gtk_icon_theme_lookup_icon (icon_theme, name, 16, GTK_ICON_LOOKUP_NO_SVG | GTK_ICON_LOOKUP_GENERIC_FALLBACK);
 	#endif
-		g_free (tmp_name);
 	}
 
 	if (!icon_info) /* 2nd fallback */

Bug#1020330: pipewire-pulse: Conflict with pulseaudio is badly resolved by apt full-upgrade

[Raphaël Hertzog]

Package: pipewire-pulse
Version: 0.3.58-1
Severity: important
X-Debbugs-Cc: raph...@freexian.com, seb...@debian.org, de...@lists.debian.org

APT will not let me upgrade pipewire-pulse to the latest version because
I have gnome-core installed. It will prefer to deinstall pipewire-pulse:

$ sudo apt full-upgrade
[...]
The following packages were automatically installed and are no longer required:
  libappstream-glib8 libatk1.0-data libmalcontent-ui-0-0 
libnautilus-extension1a libqpdf28
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
  nautilus-extension-brasero pipewire-pulse
The following packages have been kept back:
  python3-twisted-bin tryton-client
The following packages will be upgraded:
  gstreamer1.0-pipewire libpipewire-0.3-0 libpipewire-0.3-modules 
libspa-0.2-modules nautilus
  nautilus-data pipewire pipewire-bin
8 upgraded, 0 newly installed, 2 to remove and 2 not upgraded.
Need to get 3958 kB of archives.
After this operation, 938 kB disk space will be freed.
Do you want to continue? [Y/n] n

If I try to force install pipewire-pulse, it will propose to remove
gnome-core:
$ LANG=C sudo apt install pipewire-pulse
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  hyphen-en-us libappstream-glib8 libatk1.0-data libbox2d2 libfreehand-0.1-1 
libgsf-bin
  libmalcontent-ui-0-0 libmspub-0.1-1 libpagemaker-0.0-0 
libproxy1-plugin-gsettings
  libproxy1-plugin-networkmanager libproxy1-plugin-webkit libqpdf28 
libqxp-0.0-0 libreoffice-draw
  libreoffice-gnome libreoffice-impress libzmf-0.0-0 mythes-en-us
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  gstreamer1.0-pipewire libldacbt-abr2 libpipewire-0.3-0 
libpipewire-0.3-modules libspa-0.2-bluetooth
  libspa-0.2-modules pipewire pipewire-bin
The following packages will be REMOVED:
  gnome gnome-core pulseaudio pulseaudio-module-bluetooth task-gnome-desktop
The following NEW packages will be installed:
  libldacbt-abr2 libspa-0.2-bluetooth
The following packages will be upgraded:
  gstreamer1.0-pipewire libpipewire-0.3-0 libpipewire-0.3-modules 
libspa-0.2-modules pipewire
  pipewire-bin pipewire-pulse
7 upgraded, 2 newly installed, 5 to remove and 4 not upgraded.
Need to get 1993 kB of archives.
After this operation, 5930 kB disk space will be freed.
Do you want to continue? [Y/n] n

The only way to get the latest version is to manually provide the working
solution by indicating that we also need libspa-0.2-bluetooth (to satisfy
gnome-core's "pulseaudio-module-bluetooth | libspa-0.2-bluetooth" together
with its "pulseaudio | pipewire-pulse").

$ LANG=C sudo apt install pipewire-pulse libspa-0.2-bluetooth
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libappstream-glib8 libatk1.0-data libmalcontent-ui-0-0 libqpdf28
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  gstreamer1.0-pipewire libldacbt-abr2 libpipewire-0.3-0 
libpipewire-0.3-modules libspa-0.2-modules
  pipewire pipewire-bin
The following packages will be REMOVED:
  pulseaudio pulseaudio-module-bluetooth
The following NEW packages will be installed:
  libldacbt-abr2 libspa-0.2-bluetooth
The following packages will be upgraded:
  gstreamer1.0-pipewire libpipewire-0.3-0 libpipewire-0.3-modules 
libspa-0.2-modules pipewire
  pipewire-bin pipewire-pulse
7 upgraded, 2 newly installed, 2 to remove and 4 not upgraded.
Need to get 1993 kB of archives.
After this operation, 5848 kB disk space will be freed.
Do you want to continue? [Y/n]

That looks like it will be a disaster for users doing a dist upgrade.
But I'm not sure what we can do about it.

-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), 
(500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.19.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages pipewire-pulse depends on:
ii  init-system-helpers  1.65.2
ii  pipewire 0.3.57-1

pipewire-pulse recommends no packages.

Versions of packages pipewire-pulse suggests:
pn  libspa-0.2-bluetooth  
ii  pulseaudio-utils  15.0+dfsg1-4+b1

-- no debconf information

Bug#1018288: waagent: Debian specific patch breaks kali support

[Raphaël Hertzog]

Package: waagent
Version: 2.7.3.0-1
Severity: important
User: de...@kali.org
Usertags: origin-kali

Hello,

this patch broke kali support:
https://salsa.debian.org/cloud-team/waagent/-/commit/dd8f1771d89bd255f96938f080b02b889da79ad7

The import of "DebianOSBaseUtil" has been dropped while it's clearly used
further down the road:

if distro_name == "kali":
return DebianOSBaseUtil()

Please re-add the import statement. There's a merge request lying around
since one year:
https://salsa.debian.org/cloud-team/waagent/-/merge_requests/3

But that merge request restores it in the wrong order so that would still
keep a diff compared to upstream. I have ask the MR submitter to update
it.

Cheers,

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.18.0-3-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages waagent depends on:
ii  bind9-host [host]  1:9.18.6-1
ii  ca-certificates20211016
ii  eject  2.38.1-1
ii  fdisk  2.38.1-1
ii  iptables   1.8.8-1
ii  net-tools  1.60+git20181103.0eebece-1
ii  openssh-server 1:9.0p1-1+b1
ii  openssl3.0.5-2
ii  parted 3.5-1
ii  python33.10.6-1
ii  python3-distro 1.7.0-1
ii  python3-pkg-resources  59.6.0-1.2
ii  sudo   1.9.11p3-1
ii  util-linux 2.38.1-1

waagent recommends no packages.

waagent suggests no packages.

Bug#939904: Temporary network disruption during upgrade

[Raphaël Halimi]

Le 21/08/2022 à 00:41, Luca Boccassi a écrit :

Yes I noticed the same thing when building images, this cross-device
check is a true annoyance and can't seem to find a workaround :-/


I can't find a solution, so unfortunately it looks like we have to
resort to maintainer scripts, which is awful but I can't think of
anything else:

https://salsa.debian.org/systemd-team/systemd/-/merge_requests/164


Sorry to annoy you again, but... Why not just leave /etc/resolv.conf 
alone ? After all, shouldn't it be the user's choice to link it against 
/run/systemd/resolve/stub-resolv.conf, /run/systemd/resolve/resolv.conf, 
or just manage it manually ?


Plus, it would solve both problems I mentioned before.

Regards,

--
Raphaël Halimi

Bug#1017713: systemd: upgrade breaks DNS resolution in some cases

[Raphaël Halimi]

Package: systemd
Version: 251.3-2~exp1
Severity: critical

(filing the bug as critical since it "makes unrelated software on the 
system (or the whole system) break", feel free to downgrade)


Dear developers,

A recent update of systemd splits systemd-resolved in its own package, 
and the new systemd-resolved is not installed by default, thus, during 
the upgrade, the systemd-resolved service is stopped and removed (which 
seems to be the intended behavior).


In the (admittedly probably rare) case where systemd-resolved's stub 
resolver was already in use beforehand (meaning, /etc/resolv.conf was 
already symlinked to /run/systemd/resolve/stub-resolv.conf), the upgrade 
completely breaks DNS resolution, since the file (which remains in 
/run/systemd/resolve) lists 127.0.0.53 as the only nameserver, which 
doesn't respond anymore since the systemd-resolved service was stopped.


The breakage lasts until the user manually fixes it by installing 
systemd-resolved, but this simple operation may be tricky, because 
there's no DNS resolution anymore and apt will fail to download the new 
package, unless the user manually creates a temporary /etc/resolv.conf 
file listing a working name server, or symlinks /etc/resolv.conf to 
/run/systemd/resolve/resolv.conf instead (which also remains in /run 
after the service is stopped, and doesn't use the stub resolver since 
this file, unlike stub-resolv.conf, lists the upstream name servers).


One possible solution would be to check in the maintainer scripts if the 
stub resolver is already in use (in other terms, if /etc/resolv.conf is 
a symlink to /run/systemd/resolve/stub-resolv.conf), and, if it's the 
case, do what's described above (symlink /etc/resolv.conf to 
/run/systemd/resolve/resolv.conf instead, thus bypassing the stub 
resolver). This would keep DNS resolution working (until the next 
reboot, that is), but the user will at least have the time to read the 
NEWS entry, and act accordingly.


Regards,

--
Raphaël Halimi

Bug#1017714: systemd-resolved: deletes /etc/resolv.conf after package removal

[Raphaël Halimi]

Package: systemd-resolved
Version: 251.3-2~exp1
Severity: critical

(filing the bug as critical since it "makes unrelated software on the 
system (or the whole system) break", feel free to downgrade)


Dear developers,

The new systemd-resolved package takes over /etc/resolv.conf, and 
unconditionally makes it a symlink it to 
/run/systemd/resolve/stub-resolv.conf. Moreover, after the package is 
removed, the symlink is also removed, leaving the system with no 
/etc/resolv.conf, and thus, a broken DNS resolution.


/etc/resolv.conf is not considered as a conffile since technically, it 
doesn't belong to any package (and is not listed as a conffile by 
systemd-resolved, which treats it as a normal file), but if it's 
considered as a configuration file (it's located in /etc after all), I 
believe this behavior severely transgresses Debian Policy 10.7.3 on both 
points ("local changes must be preserved during a package upgrade" and 
"configuration files must be preserved when the package is removed").


One (conservative) solution would be to not touch /etc/resolv.conf at 
all, leaving the users create the symlink to 
/run/systemd/resolve/stub-resolv.conf (or 
/run/systemd/resolve/resolv.conf) themselves. This would solve both 
transgressions at once. One could argue that it wouldn't make sense to 
install systemd-resolved and not use it in /etc/resolv.conf, but the 
service would still provide the bus and glibc APIs.


If /etc/resolv.conf is not considered a configuration file, and this new 
behavior does not transgresses the Debian Policy, then the package 
should at least leave the system with a working /etc/resolv.conf file 
after removal, for example by copying the contents of 
/run/systemd/resolve/resolv.conf (optionally stripping comments and 
empty lines) in maintainers scripts.


Regards,

--
Raphaël Halimi

Bug#939904: Temporary network disruption during upgrade

[Raphaël Halimi]

Le 18/08/2022 à 21:29, Luca Boccassi a écrit :

Going for a custom setup means sometimes there is, sometimes there's
not. It's always a tradeoff. This breaking change means there's now a
supported way to run resolved, and it's the easiest possible way for
all those that weren't using it before, which is the majority given
there was no support and no integration before.


I'll still file two separate bugs, one against systemd for the DNS 
resolution breakage after the upgrade, and the other one against 
systemd-resolved for the removal of /etc/resolv.conf after the package 
is removed. Even if you think there's no problem here, I don't agree and 
I think those are bugs, and serious ones at that.


I'll file them just for the record, so feel free to immediately close 
them as wontfix, I won't mind.


Regards,

--
Raphaël Halimi

Bug#939904: Temporary network disruption during upgrade

[Raphaël Halimi]

Le 18/08/2022 à 16:59, Luca Boccassi a écrit :

No, custom and unsupported setups are unsupported. Compatibility is
provided for default environments, anything outside of it can and will
break at any given time, and it's not really feasible to do otherwise
given the uncountable amount of possible permutations. This time
there's a clear and unambiguos NEWS entry with a notification, which
doesn't even always happen.


What I meant is that I thought systemd-networkd (which partly relies on 
systemd-resolved) was considered supported since it was shipped with 
systemd and thus installed by default (unlike, for example, netplan), 
albeit not enabled.


Should I understand that the only supported way to configure the network 
in Debian is ifupdown with a plain /etc/resolv.conf file, and everything 
outside of this scope is considered custom and thus, unsupported ? I'm 
not being ironical here, it's a legitimate question.



Wrong, I always receive e-mails with news as well as changelogs during
upgrades, with the more recent examples being on July 13, 22 and 25. I
don't know why it didn't work this time, but I can hardly believe that
it's apt-listchanges' fault.


And yet it is, and it's been a known issue for quite some time:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977422


OK, you're right on this point, I didn't know that. Apologies. But it 
also means that other sysadmins will be in the same case too when the 
upgrade will take place (when bookworm is released, or when systemd 
251.3-2 will be backported to bullseye) and will have their DNS 
resolution temporarily broken after the upgrade.


But I guess you'll probably argue that it's their fault for using 
systemd-resolved.



I think you don't understand my position: I don't care about resolvconf
or openresolv, I just want to use systemd-resolved (not the systemd
resolvconf interface, but the systemd-resolved service itself!) and
avoid breakage during upgrades for all users.

Look, I'm just trying to help here. You made a change, it has serious
consequences for systemd-resolved users, and I hinted them to you,
that's all. I think this is a bad change, but that's another matter.
Being obtuse and condescending won't help.


Name-calling won't help either.


Right, but at least admit that you're being a bit harsh to me since the 
beginning of this thread, rejecting all my arguments and refusing to see 
the problem here, basically saying that the resulting breakage is not 
your fault and systemd-resolved users brought it on themselves by using 
it because it's "unsupported".


Again, I don't care about resolvconf or openresolv, I care about 
sysadmins who use systemd-networkd/resolved on their servers or 
containers, and I'm just trying to avoid problems for them as well as 
for myself in the future.


systemd brought a lot of controversy when it was adopted in Debian, and 
I myself was amongst the people who were quite unhappy when it happened 
(I still think that Jessie was too soon, it was not mature enough, but 
that's another story).


Now that we started to familiarize with its different parts and all in 
all find it very convenient that they're installed by default, you 
slowly remove them one by one (systemd-machined, systemd-timesyncd, 
systemd-boot, and now systemd-resolved... Which will be the next ?), 
forcing us sysadmins to constantly update our automated installation 
procedures (debian-installer hooks, ansible/puppet recipes, container 
images, etc etc), and defeating the very purpose of systemd to be "a 
suite of basic building blocks for a Linux system" that we finally embraced.


It's almost as if you want to discourage us to use the non-init-related 
parts of systemd.


Regards,

--
Raphaël Halimi

Bug#939904: Temporary network disruption during upgrade

[Raphaël Halimi]

Le 18/08/2022 à 16:20, Luca Boccassi a écrit :

No, it is not, because no integration nor support was provided before.
It was an inhert and disabled service and binary.
The NEWS file covers the change adequately for custom setups. Custom
setups are always at risk of breakage.


I agree that it was not enabled by default, but it was shipped by 
systemd, with a stable interface, and as such, it was available for the 
admin to use it if he/she wished. Breaking DNS resolution after an 
upgrade is not a serious bug in your opinion ?



That would make it de-facto the default resolver on Debian, and we
really don't want that at this stage. There appears to be some bug in
apt-listchanges when showing changelogs is enabled making it skip NEWS
files if a changelog for the same version was already displayed, and
there's not much we can do about it, it's a problem to be solved by
apt-listchanges.


Wrong, I always receive e-mails with news as well as changelogs during 
upgrades, with the more recent examples being on July 13, 22 and 25. I 
don't know why it didn't work this time, but I can hardly believe that 
it's apt-listchanges' fault.



Absolutely not, the alternatives system is a gigantic mess that should
have never existed in the first place. If you want to use openresolv,
install openresolv and remove resolved.


I think you don't understand my position: I don't care about resolvconf 
or openresolv, I just want to use systemd-resolved (not the systemd 
resolvconf interface, but the systemd-resolved service itself!) and 
avoid breakage during upgrades for all users.


Look, I'm just trying to help here. You made a change, it has serious 
consequences for systemd-resolved users, and I hinted them to you, 
that's all. I think this is a bad change, but that's another matter. 
Being obtuse and condescending won't help.


Regards,

--
Raphaël Halimi

Bug#939904: Temporary network disruption during upgrade

[Raphaël Halimi]

Le 17/08/2022 à 00:36, Luca Boccassi a écrit :

Personally I see this as a regression, since resolved used to be part of
systemd and thus readily available without installing additional packages.


No support was provided before for resolved, it was completely inhert,
hence it is not a regression. It is a change in behaviour, and thus
noted in the NEWS file as expected.


Yes, but this goal could be achieved by letting resolved in the main
systemd package, and splitting only systemd-resolvconf in its own package.



Having a single-file-package that is confusing and harder to find is
not something we want to do, unless there are extremely compelling
reasons for it. Supporting resolvconf is not one.


Could you at least address the temporary break in DNS resolution ? This 
is still a serious bug, which would deserve its own bug with priority 
grave (if not critical). Since systemd-resolved is mainly used on 
servers, it could result in a very bad surprise for sysadmins when 
bookworm is released.


Perhaps it could be fixed by promoting systemd-resolved to a recommends 
(instead of suggests) in systemd, so that it's installed during the 
upgrade ? Or don't stop the service if /etc/resolv.conf is symlinked to 
/run/systemd/resolve/stub-resolv.conf, so that the admin has the time to 
read the NEWS entry (which, again, didn't work on my system, whereas it 
was supposed to be sent in an e-mail by apt-listchanges), and install 
systemd-resolved before rebooting ?


Also, I understand that you don't wish to revert your changes, but is 
there a reason why resolvconf, openresolv and thus systemd-resolved 
could coexist thanks to the alternatives system ? I know it would be 
more work for maintainers of those three packages, but IMHO it would be 
worth the effort.


And, last but not the least, I see that /etc/resolv.conf is now part of 
systemd-resolved files, which means that it would be deleted when the 
systemd-resolved package is removed from the system. I think it would 
also deserve its own bug with some high priority.


Regards,

--
Raphaël Halimi

Bug#939904: Temporary network disruption during upgrade

[Raphaël Halimi]

Le 16/08/2022 à 22:59, Luca Boccassi a écrit :

You want resolved? Install the resolved package. Don't want resolved?
Don't install the package.


Personally I see this as a regression, since resolved used to be part of 
systemd and thus readily available without installing additional packages.



We do no want to support combining resolved with resolvconf - and in
fact, the setup with conflicts+provides is exactly like other packages
like openresolv are set up.


Yes, but this goal could be achieved by letting resolved in the main 
systemd package, and splitting only systemd-resolvconf in its own package.


Regards,

--
Raphaël Halimi

Bug#939904: Temporary network disruption during upgrade

[Raphaël Halimi]

Dear developers,

I just upgraded a sid system and I noticed that the network was broken 
on this machine.


I suppose the reason is that I had systemd-resolved enabled and 
/etc/resolv.conf was symlinked to the stub resolver 
(/run/systemd/resolve/stub-resolv.conf), and since the systemd-resolved 
service had disappeared and didn't respond anymore on 127.0.0.53, the 
system was left with a broken DNS resolution.


On a side note, the changelog says that an entry was added in 
NEWS.Debian to warn user of the change, but it wasn't displayed during 
the upgrade (this is weird, I know). I had to read the changelog to 
understand what was going on.


And finally, my opinion:

After reading the mail thread in this bug report, I thought the plan was 
to separate systemd-resolvconf (as Arch did, IIUC), not the entire 
systemd-resolved service.


IMHO this is a **very** bad idea, and not only because of the broken DNS 
resolution broken after the upgrade in some cases... The whole point of 
systemd-resolved is that it's included in systemd (so basically in every 
Linux system nowadays) and, alongside systemd-networkd, provides an 
entire network configuration/management stack, without the need to 
install optional packages, but most importantly, standard across all 
distributions (no need to learn and/or master ifupdown, sysconfig, 
netplan, whatever, etc).


If it's not too late, I strongly suggest to reintegrate systemd-resolved 
in the main systemd package (as it was before), and split only 
systemd-resolvconf.


Best regards,

--
Raphaël Halimi

Bug#1016370: RM: python-django-jsonfield -- ROM; Abandoned upstream, replaced by native Django field

[Raphaël Hertzog]

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: hert...@debian.org

Hello,

please remove python-django-jsonfield from unstable. Django 3.2 already
provides a generic JSONField similar to what's provided in
python-django-jsonfield:
https://docs.djangoproject.com/en/3.2/ref/models/fields/#jsonfield

Given this, python-django-jsonfield is no longer maintained upstream
and should replaced by the above field.

Everybody should switch to the Django native field.

There are no reverse dependencies in unstable.

Thank you,
  Raphaël Hertzog.

Bug#1014376: openvpn: Using unreleased version with backwards incompatible changes is not a good idea

[Raphaël Hertzog]

Package: openvpn
Version: 2.6.0~git20220518+dco-2
Severity: important
User: de...@kali.org
Usertags: origin-kali
X-Debbugs-Cc: raph...@freexian.com

Hello Bernhard,

as Kali is based on Debian testing, our users started to experience
the git snapshot of OpenVPN that you uploaded. Unfortunately, we got
multiple reports that their VPN break because many VPN services ship .opvn
files that rely on --cipher.

At the same time, it's not really reasonable to expect (commercial)
services to be ready for a version of OpenVPN that is not released yet.

Upstream OpenVPN contributors are blaming Debian/Kali for this choice:
https://forums.openvpn.net/viewtopic.php?p=107165#p107154

As such I really believe that this git snapshot should have stayed in
experimental. Why was it uploaded to unstable before its upstream
release?

I assume it was due to OpenSSL 3 becoming the default. However I notice
that upstream released 2.5.7 on May 31 that adds limited support of
OpenSSL 3.x. Can we switch back to 2.5.7 until 2.6 is released upstream?

(We will likely do this in Kali with a version like 2.6.0~really2.5.7)

If we don't want to switch back to 2.5.x, it might make sense to
temporarily revert the backwards incompatible change
that breaks most people's setup, I'm speaking of this commit:
https://github.com/OpenVPN/openvpn/commit/65f6da8eeb84fbcea357765e13fa73d0169a143c

It seems to be the change that is causing most issues.

Thank you for maintaining such an important package!

Bug#1012563: wireplumber: right click broken in firefox 100.0.2-1

[Raphaël Hertzog]

Package: wireplumber
Version: 0.4.10-2
Severity: important
X-Debbugs-Cc: hert...@debian.org, gland...@debian.org, 
team+pkg-mozi...@tracker.debian.org
Control: affects -1 firefox

Hello,

Following the recommendation of
https://tracker.debian.org/news/1329911/accepted-pipewire-media-session-041-3-source-into-unstable/
I installed "wireplumber". But after having switched, Firefox started to
behave strangely: any time that I would "right click" on a link or a
field, or anywhere where you can expect the right click to open a
contextual menu, it would "freeze" for a varying number of seconds and
it would not display the contextual menu once the freeze was over.

I switched back to pipewire-media-session and I created
/usr/share/pipewire/media-session.d/with-pulseaudio to get the sound back
and it works again now.

I'm not sure how both behaviour are related, but they seem to clearly be
related.

When I had the issue, I tried to open "about:support", it also triggered
one of those freezes but in the end I was able to see that firefox was
using "alsa" as audio-backend.

Now that I switched back to "pipewire-media-session" and that firefox is
now behaving correctly, I see that it uses the "pulse-rust" audio backend.

So somehow, wireplumber + pipewire-pulse is not properly
detected as something that can be controlled with the "pulse-rust" audio
backend when it likely should be that way...

I don't know if this needs a fix in firefox or in wireplumber. I'm
assigning it wireplumber for a start but I have cced Mike Hommey (the
firefox maintainer).

Thank you all for your great work on those packages!

-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'oldoldstable'), (500, 
'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.17.0-3-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages wireplumber depends on:
ii  init-system-helpers   1.63
ii  libc6 2.33-7
ii  libglib2.0-0  2.72.2-2
ii  libpipewire-0.3-0 0.3.51-1+b1
pn  libwireplumber-0.4-0  
ii  pipewire  0.3.51-1+b1

Versions of packages wireplumber recommends:
ii  pipewire-pulse  0.3.51-1+b1

Versions of packages wireplumber suggests:
pn  libspa-0.2-bluetooth  

Bug#1012241: dia: depends on libgtk2.0-dev

[Raphaël Halimi]

Package: dia
Version: 0.97.3+git20220525-1
Severity: minor

Hi,

The new dia package depends on libgtk2.0-dev, which itself depends on 
other headers packages, resulting in nearly 70 new packages to install 
on an upgrade of dia.


I may be wrong but I thought that binary packages are not supposed to 
depend on headers packages. I think this should be fixed.


Regards,

--
Raphaël Halimi


OpenPGP_signature
Description: OpenPGP digital signature

Bug#1011292: openssh-client: scp -O should be doable with a configuration file entry (in ~/.ssh/config)

[Raphaël Hertzog]

Package: openssh-client
Version: 1:9.0p1-1+b1
Severity: wishlist
Tags: upstream
X-Debbugs-Cc: raph...@freexian.com

dput and dput-ng are using "scp" and don't offer any simple way to
configure command line parameters and the switch to "sftp-behind-the-back"
broke dput for me with some targets (cf #1011063).

I would have liked to be able to add something like this in ~/.ssh/config:

Host deb.freexian.com
UseLegacyScp true

And be done with it. But there's no such option. It would be nice if
upstream could implement this.

-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'oldoldstable'), (500, 
'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.17.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-client depends on:
ii  adduser   3.121
ii  dpkg  1.21.7
ii  libc6 2.33-7
ii  libedit2  3.1-20210910-1
ii  libfido2-11.11.0-1+b1
ii  libgssapi-krb5-2  1.19.2-2+b2
ii  libselinux1   3.3-1+b2
ii  libssl3   3.0.3-4
ii  passwd1:4.11.1+dfsg1-2
ii  zlib1g1:1.2.11.dfsg-4

Versions of packages openssh-client recommends:
ii  xauth  1:1.1.1-1

Versions of packages openssh-client suggests:
pn  keychain 
pn  libpam-ssh   
pn  monkeysphere 
ii  ssh-askpass-gnome [ssh-askpass]  1:9.0p1-1+b1

-- no debconf information

Bug#1011291: dput: scp upload method can break due to implicit sftp usage

[Raphaël Hertzog]

Source: dput
Version: 1.1.0
Severity: important
X-Debbugs-Cc: raph...@freexian.com

This is the equivalent of #1011063 for dput instead of dput-ng.

When you run dput with openssh >= 9, and when dput is configured to use
"scp", "scp" will rely on the sftp protocol to do its job (unless you
pass the -O command line parameter).

When the server side has configured a forced command to restrict scp to a
specific directory (which is a good practice given scp's deficiencies),
then scp will badly fail.

Here's an example script that is configured with a ForceCommand associated
to the SSH key used for upload:

#!/bin/sh

case "$SSH_ORIGINAL_COMMAND" in
scp\ *)
exec scp -p -d -t /srv/deb.freexian.com/extended-lts/incoming
;;
chmod\ *)
find /srv/deb.freexian.com/extended-lts/incoming -user 
$(whoami) -type f | xargs --no-run-if-empty chmod 0644
exit 0
;;
*)
echo "ERROR: Forbidden command: $SSH_ORIGINAL_COMMAND"
echo "This SSH access can only be used to upload Debian 
packages."
exit 1
;;
esac


A recent scp will call /usr/lib/sftp-server as the remote command and the
case will match the third case and the sftp protocol will be confused by
the answer.

There's no good way to tweak that script to force sftp-server to be
restricted to a specific directory.

So either you switch to always "sftp" and do some other setup to restrict
sftp (with the Chroot directive), or you switch to "always plain scp"
by passing -O when you call scp.

Thus I'm suggesting that dput starts passing -O to scp when it detects a
recent OpenSSH. Or at least that it offers a way to pass command line
options to scp.

AfAIK ssh_config_options does not work for this. I's not an option that
can be passed to "-o" and it's really specific to scp and not to ssh
(which also gets called for the chmod IIRC).

Note that my "proper" fix to this regression has been to force usage of
sftp and to restrict sftp-server to a chroot, but dput has no support of
sftp so I had to switch to dput-ng. It would certainly makes sense for
dput to gain an sftp method!

Cheers,

-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'oldoldstable'), (500, 
'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.17.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Bug#1008773: ftpsync: Using commands with parameters as hooks breaks ftpsync on bullseye/debian 11

[Raphaël Hertzog]

Package: ftpsync
Version: 20180513+nmu1
Severity: important
User: de...@kali.org
Usertags: origin-kali
X-Debbugs-Cc: hert...@debian.org
Control: affects -1 mirrors

In Kali we have started to switch some mirrors to Debian 11 and ftpsync
started to fail with errors like this:

Apr 01 06:19:32 poseidon ftpsync-kali[191329]: Mirrorsync start
Apr 01 06:19:32 poseidon ftpsync-kali[191329]: We got pushed from 192.99.45.140
/home/archvsync/bin/ftpsync: line 276: local: `--regex=^.*\.hook1$': not a 
valid identifier
/home/archvsync/bin/ftpsync: line 276: local: `--arg=kali': not a valid 
identifier
/home/archvsync/bin/ftpsync: line 276: local: `/home/archvsync/hooks': not a 
valid identifier
Apr 01 06:19:32 poseidon ftpsync-kali[191329]: Mirrorsync done with errors

Our ftpsync.conf contains entries like this:

## Configure hooks
HOOK1="run-parts --regex=^.*\\.hook1\$ --arg=kali /home/archvsync/hooks"
HOOK2="run-parts --regex=^.*\\.hook2\$ --arg=kali /home/archvsync/hooks"
HOOK3="run-parts --regex=^.*\\.hook3\$ --arg=kali /home/archvsync/hooks"
HOOK4="run-parts --regex=^.*\\.hook4\$ --arg=kali /home/archvsync/hooks"
HOOK5="run-parts --regex=^.*\\.hook5\$ --arg=kali /home/archvsync/hooks"

>From a quick glance, it looks like the bash version in bullseye doesn't
like some construct. Here's a minimal reproducer:

$ cat ~/tmp/test.sh
#!/bin/bash

set -e
set -u
set -E

hook () {
ARGS='HOOK[@]'
local "${!ARGS}"
echo "HOOKSCR='$HOOKSCR'"
}

HOOK1="run-parts --regex=^.*\\.hook1\$ --arg=kali /home/archvsync/hooks"

HOOK=(
HOOKNR=1
HOOKSCR=${HOOK1}
)
hook $HOOK

In buster it works fine:
$ bash ~/tmp/test.sh
HOOKSCR='run-parts --regex=^.*\.hook1$ --arg=kali /home/archvsync/hooks'
$ echo $?
0

In bullseye it fails:
$ bash ~/tmp/test.sh
/home/rhertzog/tmp/test.sh: line 9: local: `--regex=^.*\.hook1$': not a valid 
identifier
/home/rhertzog/tmp/test.sh: line 9: local: `--arg=kali': not a valid identifier
/home/rhertzog/tmp/test.sh: line 9: local: `/home/archvsync/hooks': not a valid 
identifier
$ echo $?
1

It seems that you can quote the variable assignation for HOOKSCR and it
works again:
HOOK=(
HOOKNR=1
HOOKSCR="${HOOK1}"
)

$ bash ~/tmp/test.sh
HOOKSCR='run-parts --regex=^.*\.hook1$ --arg=kali /home/archvsync/hooks'

-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'oldoldstable'), (500, 
'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.16.0-5-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ftpsync depends on:
ii  postfix [mail-transport-agent]  3.6.4-1+b1
ii  rsync   3.2.3-8

Versions of packages ftpsync recommends:
ii  curl  7.82.0-2

ftpsync suggests no packages.

-- no debconf information

Bug#1005812: dkms: modules are not deleted anymore when a kernel package is removed

[Raphaël Halimi]

Package: dkms
Version: 2.8.7-2
Severity: important
Tags: patch

Hi,

Due to two typos in /etc/kernel/prerm.d/dkms, modules built with DKMS 
are not deleted anymore when a kernel package is removed.


The script fails to build the two variables "$name" and "$vers" because 
the final pipe to "cut -d" is put outside the backquotes. The call to 
"dkms remove" then fails with an error.


Attached is a small patch to fix the problem in the prerm script.

It would also be nice to advise users (with a note on package upgrade 
for example) to clean up old leftover modules, or even better, run a 
script to do it automatically (basically the logic would list the 
installed modules with dkms status, and clear them if that's the only 
file left in /lib/modules//). I can write it for you if 
you want.


Regards,

--
Raphaël Halimi
--- /etc/kernel/prerm.d/dkms.orig	2021-10-01 11:34:34.0 +0200
+++ /etc/kernel/prerm.d/dkms	2022-02-15 15:19:49.616611838 +0100
@@ -13,8 +13,8 @@
 
 if [ -x /usr/sbin/dkms ]; then
 while read line; do
-   name=`echo "$line" | awk '{print $1}' | sed 's/,$//'` | cut -d'/' -f1
-   vers=`echo "$line" | awk '{print $1}' | sed 's/,$//'` | cut -d'/' -f2
+   name=`echo "$line" | awk '{print $1}' | sed 's/,$//' | cut -d'/' -f1`
+   vers=`echo "$line" | awk '{print $1}' | sed 's/,$//' | cut -d'/' -f2`
arch=`echo "$line" | awk '{print $3}' | sed 's/:$//'`
echo "dkms: removing: $name $vers ($inst_kern) ($arch)" >&2
dkms remove -m $name -v $vers -k $inst_kern -a $arch


OpenPGP_signature
Description: OpenPGP digital signature

Bug#1005375: tlp: External screen does not work when connected to laptop

[Raphaël Halimi]

Le 12/02/2022 à 11:17, Matthias Brennwald a écrit :

Dear Maintainer,

After I installed TLP on my laptop, the external screen connected via USB-C
docking station did not work anymore. Once I uninstalled TLP and a cold-reboot,
the screen came back and worked again normally.


Hi,

Please take a look at the configuration file. Did you try whitelisting 
your screen in with the option "USB_DENYLIST=" ?


Regards,

--
Raphaël Halimi


OpenPGP_signature
Description: OpenPGP digital signature

Bug#1005159: xrdp: please also source ~/.profile in startwm.sh

[Raphaël Halimi]

Package: xrdp
Version: 0.9.17-2
Severity: normal
Tags: patch

Hi,

/etc/xrdp/startwm.sh doesn't source $HOME/.profile, which results in
$HOME/.local/bin not being in $PATH when a terminal is opened (most
terminals execute non-login shells by default).

GDM does it in /etc/gdm3/Xsession, and I guess it's also implicitly done
by startx too (since a console login is a login shell, so ~/.profile
would be sourced, and $PATH would be inherited by terminals opened in
the X server started by startx; I didn't test this but this seems 
logical), so I think it's safe.


I tried on my PC by directly modifying /etc/xrdp/startwm.sh and this
worked as intended, with no visible side-effects.

Thanks !

Regards,

--
Raphaël Halimi
From c8fdd8a7f3f151fd9269e59b57ba7280afcee360 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Halimi?= 
Date: Mon, 7 Feb 2022 20:35:10 +0100
Subject: [PATCH] startwm.sh: source ~/.profile too

---
 debian/startwm.sh | 4 
 1 file changed, 4 insertions(+)

diff --git a/debian/startwm.sh b/debian/startwm.sh
index 3127740a..a1d08c1a 100755
--- a/debian/startwm.sh
+++ b/debian/startwm.sh
@@ -10,5 +10,9 @@ if test -r /etc/profile; then
 	. /etc/profile
 fi
 
+if test -r $HOME/.profile; then
+	. $HOME/.profile
+fi
+
 test -x /etc/X11/Xsession && exec /etc/X11/Xsession
 exec /bin/sh /etc/X11/Xsession
-- 
2.34.1



OpenPGP_signature
Description: OpenPGP digital signature

Bug#1005132: drf-yasg-nonfree: File conflicts between two different 1.20.1-1 versions

[Raphaël Hertzog]

Source: drf-yasg-nonfree
Version: 1.20.1-1
Severity: serious
User: de...@kali.org
Usertags: origin-kali

drf-yasg-nonfree 1.20.1-1 was uploaded as source only on January 23th,
the lack of binaries ended up in the package being removed by dak's 
auto-cruft. Then the maintainer rebuilt a new source package while keeping
the 1.20.1-1 version and uploaded it again.

deb.debian.org is a CDN and keeps in cache the package files for a very
long time because they are supposed to be immutable so if you try to
download drf-yasg-nonfree from deb.debian.org you get the first version
of the package while the metadata refers to the second version and as
such you get a checksum error (as I did in Kali, while trying to mirror
bookworm):

Wrong checksum during receive of
'http://deb.debian.org/debian/pool/non-free/d/drf-yasg-nonfree/drf-yasg-nonfree_1.20.1-1.dsc':
md5 expected: 5c87ae878afc6adf6708439e2a0b4e97, got: 
63c6925011f77e02306f451036181a13
sha256 expected: 
2b3265636ef93b490b633cee9897c8462fb1cb42d1fb65226fb5a8601631ecd9, got:
834fa39b7b970704f936fc2a293ca47f9efc1939a62f5a33fcd0cea4e4a0767c
size expected: 2467, got: 2434

This bug is just a request to upload 1.20.1-2 to get rid of this
inconsistency that will last in deb.debian.org for as long as we don't
upload a new version.

The package has been temporarily removed from testing by Julien Cristau
to make sure that mirroring bookworm out of deb.debian.org will work
again shortly.

-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'oldoldstable'), (500, 
'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.15.0-3-amd64 (SMP w/16 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Bug#1003927: debian-cd: Move grub-theme for UEFI boot from debian-cd to debian-installer?

[Raphaël Hertzog]

Package: debian-cd,debian-installer
Severity: wishlist
User: de...@kali.org
Usertags: origin-kali
X-Debbugs-Cc: raph...@offensive-security.com

Hello,

we were trying to harmonize our grub theme across all of Kali and we
(re-)discovered that for installer images, the grub theme is actually
handled at the debian-cd level (./data/$RELEASE/grub-theme.in used by
tools/boot/$RELEASE/boot-x86).

I believe that a derivative distribution should not have to fork debian-cd
to be able to customize the grub theme. It would be much more logical if
debian-cd reused files from debian-installer also for all its handling of
grub for UEFI boot. That's why this bug is filed against both packages
together, we really need some coordination here.

Note that this move would also help to fix #982496 where we ask arm64 boot
to make use of the grub theme.

I don't have any concrete proposal or patch but I wanted to have this
properly recorded. For now in Kali we have worked around this limitation
in our build scripts to not have to fork debian-cd and still ship our
own theme:
https://gitlab.com/kalilinux/build-scripts/live-build-config/-/commit/bb399b8bf63635f53d2ab546f41d1924a5c84467

Given that d-i already provides syslinux configuration files, couldn't it
also provide grub configuration files instead of letting debian-cd do its
own grub port of those files?

Cheers,
  Raphaël.

Bug#1003478: python-django: cannot import name 'RequestSite' from partially initialized module 'django.contrib.sites.requests' (most likely due to a circular import)

[Raphaël Hertzog]

Source: python-django
Version: 2:2.2.25-1~deb11u1
Severity: important
Tags: patch
X-Debbugs-Cc: hert...@debian.org

Hello,

Ever since we upgraded tracker.debian.org to Debian 11, I started to get
occasional failures like shown in the traceback below.

File "/usr/lib/python3/dist-packages/django/core/handlers/exception.py" in inner
  34. response = get_response(request)

File "/usr/lib/python3/dist-packages/django/core/handlers/base.py" in 
_get_response
  115. response = self.process_exception_by_middleware(e, 
request)

File "/usr/lib/python3/dist-packages/django/core/handlers/base.py" in 
_get_response
  113. response = wrapped_callback(request, *callback_args, 
**callback_kwargs)

File "/usr/lib/python3/dist-packages/django/contrib/syndication/views.py" in 
__call__
  39. feedgen = self.get_feed(obj, request)

File "/usr/lib/python3/dist-packages/django/contrib/syndication/views.py" in 
get_feed
  127. current_site = get_current_site(request)

File "/usr/lib/python3/dist-packages/django/contrib/sites/shortcuts.py" in 
get_current_site
  15. from .requests import RequestSite

Exception Type: ImportError at /pkg/gdb/rss
Exception Value: cannot import name 'RequestSite' from partially initialized 
module 'django.contrib.sites.requests' (most likely due to a circular import)
(/usr/lib/python3/dist-packages/django/contrib/sites/requests.py)

I filed this upstream at https://code.djangoproject.com/ticket/33420 and I
was told that this has been fixed recently in the main branch with this
commit:
https://code.djangoproject.com/changeset/78163d1ac4407d59bfc5fdf1f84f2dbbb2ed3443/

But this has not been backported to older branches and it would be nice to
see this fixed in Debian stable (and bullseye-backport for 3.2) for the
benefit of tracker.debian.org and other Django packaged applications.

Cheers,

-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'oldoldstable'), (500, 
'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.15.0-2-amd64 (SMP w/16 CPU threads)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Bug#1002819: autopkgtest: --pin-packages assumes that the release has a "Suite" name

[Raphaël Hertzog]

Package: autopkgtest
Version: 5.19
Severity: normal
User: de...@kali.org
Usertags: origin-kali
X-Debbugs-Cc: hert...@debian.org

Usage of --pin-packages=kali-dev=src:foo results in a file like this
in /etc/apt/preferences.d/autopkgtest-kali-dev

Package:  foo
Pin: release a=kali-dev
Pin-Priority: 995

Unfortunately the "a=kali-dev" only matches on the "Suite" or "Archive"
field in the Release file, and not on the "Codename" field (which in my
caces was the only field available).

I noticed that /etc/apt/preferences.d/autopkgtest-default-release uses
another syntax that seems to cover more cases:

Package: *
Pin: release kali-rolling
Pin-Priority: 990

However that syntax doesn't seem to be documented in apt_preferences.
If it's correct and allows to check on either of the 3 fields, then
we should likely use the same syntax in both files.

Otherwise I would like to suggest to create two entries, one with
"Pin: release a=foo" and one with "Pin: release n=foo" so that
we are sure to match on any of the 3 fields.

Cheers,

-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'oldoldstable'), (500, 
'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.15.0-2-amd64 (SMP w/16 CPU threads)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages autopkgtest depends on:
ii  apt-utils   2.3.13
ii  libdpkg-perl1.21.1
ii  procps  2:3.3.17-5
ii  python3 3.9.8-1
ii  python3-debian  0.1.42

Versions of packages autopkgtest recommends:
ii  autodep8  0.25

Versions of packages autopkgtest suggests:
pn  fakemachine   
pn  lxc   
pn  lxd   
ii  ovmf  2021.11-1
pn  ovmf-ia32 
pn  qemu-efi-aarch64  
pn  qemu-efi-arm  
pn  qemu-system   
ii  qemu-utils1:6.1+dfsg-8+b2
ii  schroot   1.6.10-12
ii  vmdb2 0.24-1

-- no debconf information

Bug#998319: tryton-server: Should provide a ready-to-use production-grade server config

[Raphaël Hertzog]

Package: tryton-server
Version: 5.0.39-1
Severity: normal
X-Debbugs-Cc: raph...@freexian.com

When I deployed tryton-server, I simply followed the advice of
README.Debian and relied on the provided systemd service file
but now after having filed https://bugs.tryton.org/issue10921
I realize that it's (no longer?) the recommended way of deploying
the tryton server.

It would be nice if the Debian package could document a production-grade
way to deploy it and if it could provide everything required to make this
trivial (maybe some apache/nginx config snippet that we can include in a
new virtual host to configure the WSGI handler, or similar).

-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'oldoldstable'), (500, 
'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.14.0-2-amd64 (SMP w/16 CPU threads)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages tryton-server depends on:
ii  adduser3.118
ii  init-system-helpers1.60
ii  lsb-base   11.1.0
pn  python 
pn  python-dateutil
pn  python-genshi  
pn  python-lxml
pn  python-pkg-resources   
pn  python-polib   
pn  python-relatorio   
pn  python-sql 
pn  python-werkzeug
pn  python-wrapt   
ii  python33.9.2-3
ii  python3-bcrypt 3.2.0-1
ii  python3-dateutil   2.8.1-6
pn  python3-genshi 
ii  python3-lxml   4.6.3+dfsg-1
pn  python3-passlib
ii  python3-pkg-resources  58.2.0-1
pn  python3-polib  
pn  python3-relatorio  
pn  python3-sql
pn  python3-werkzeug   
ii  python3-wrapt  1.12.1-4+b1

Versions of packages tryton-server recommends:
ii  libreoffice-calc 1:7.2.2-1
ii  libreoffice-writer   1:7.2.2-1
ii  postgresql   14+231
pn  python-bcrypt
pn  python-levenshtein   
pn  python-psycopg2  
pn  python-pydot 
pn  python3-gevent   
ii  python3-html2text2020.1.16-1
ii  python3-levenshtein  0.12.2-2
ii  python3-pil  8.3.2-1
ii  python3-psycopg2 2.9.1-1
ii  python3-pydot1.4.2-1
pn  python3-weasyprint   
ii  ssl-cert 1.1.0+nmu1
ii  unoconv  0.7-2

Versions of packages tryton-server suggests:
ii  postgresql-client-13 [postgresql-client]  13.4-3
ii  postgresql-client-14 [postgresql-client]  14.0-1
pn  python-sphinx 
ii  python3-sphinx4.2.0-5
hi  tryton-client 5.0.33-1
pn  tryton-modules-all
pn  tryton-server-doc 

Bug#996776: RM: logidee-tools -- ROM; no longer maintained and no longer used

[Raphaël Hertzog]

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: hert...@debian.org

The logidee tools are no longer maintained by anybody and I kept them
alive for as long as I had some use for them but the Logidée company
that created them is no longer using them and nobody else in Debian
is using them either (me included).

The package is currently affected by an RC bug that I don't intend
to fix.

Please remove logidee-tools from Debian.

Thank you.

Bug#996703: RM: gnome-shell-timer -- ROM; No upstream maintainer

[Raphaël Hertzog]

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: hert...@debian.org

The upstream maintainer has abandoned this extension a long time ago. I
kept it alive for as long as I was using it but I'm no longer using it
as there's a better maintained alternative (though I haven't packaged it):
https://github.com/blackjackshellac/kitchenTimer
https://extensions.gnome.org/extension/3955/kitchen-timer/ 

So please remove gnome-shell-timer from Debian.

Thank you.

Bug#994808: atftpd: Impossible to upgrade from 0.7.git20210202-3

[Raphaël Hertzog]

Package: atftpd
Version: 0.7.git20210202-3
Severity: important
User: de...@kali.org
Usertags: origin-kali
X-Debbugs-Cc: hert...@debian.org

Hello,

In 0.7.git20210202-4 you fixed the syntax of /etc/default/atftpd but
anyone that installed -1, -2 or -3 has a failed upgrade due to this syntax
mistake. And the error message is very misleading for casual users
and thus not trivial to fix:

Preconfiguring packages ...
/tmp/atftpd.config.b3vwmj: 3: /etc/default/atftpd: 69: not found
atftpd failed to preconfigure, with exit status 127
[...]
Setting up atftpd (0.7.git20210202-4+b1) ...
/var/lib/dpkg/info/atftpd.config: 3: /etc/default/atftpd: 69: not found
dpkg: error processing package atftpd (--configure):
 installed atftpd package post-installation script subprocess returned error 
exit status 127


Unfortunately, the version -3 reached Debian testing (some simple
autopkgtest could have avoided this) and was thus released as part of Kali
and we have many users that have thus installed -3.

Can we please include some upgrade code that detects the broken case and
fix it up?

Thank you in advance.

-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'oldoldstable'), (500, 
'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/16 CPU threads)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages atftpd depends on:
ii  debconf [debconf-2.0]  1.5.77
ii  init-system-helpers1.60
ii  libc6  2.32-4
ii  libpcre3   2:8.39-13
ii  libwrap0   7.6.q-31
ii  lsb-base   11.1.0
ii  tcpd   7.6.q-31
ii  update-inetd   4.51

Versions of packages atftpd recommends:
ii  openbsd-inetd [inet-superserver]  0.20160825-5

Versions of packages atftpd suggests:
ii  logrotate  3.18.1-2

Bug#992966: simple-cdd: fails to validate Release file with a good signature and a signature that can't be checked

[Raphaël Hertzog]

Package: simple-cdd
Version: 0.6.8
Severity: normal
X-Debbugs-Cc: raph...@freexian.com

Right now if you try to use simple-cdd on a stretch or buster system (to
build stretch/buster images), you get failures like this one:

> 2021-08-24 10:45:08 ERROR verify gpg signature exited with code 2
> 2021-08-24 10:45:08 ERROR Last 3 lines of standard error:
> 2021-08-24 10:45:08 ERROR verify gpg signature: gpg: Signature made Tue 24 
> Aug 2021 09:21:34 AM CDT
> 2021-08-24 10:45:08 ERROR verify gpg signature: gpg:using RSA 
> key A7236886F3CCCAAD148A27F80E98404D386FA1D9
> 2021-08-24 10:45:08 ERROR verify gpg signature: gpg: Can't check signature: 
> No public key
> 2021-08-24 10:45:08 ERROR Signature verification failed on ['gpg', '--batch', 
> '--no-default-keyring', '--keyring', 
> '/usr/share/keyrings/debian-archive-keyring.gpg', '--keyring', 
> '/srv/install/simple-cdd/.gnupg/pubring.gpg', '--verify', 
> '/srv/install/simple-cdd/tmp/mirror/extrafiles']
> FAILURE:  build-simple-cdd failed, exiting

The problem is that the Release file (and the extrafiles) of stretch and
buster is signed by 4 keys, including the recently added keys for
bullseye. But /usr/share/keyrings/debian-archive-keyring.gpg in
stretch/buster does not (yet) contain the new key and simple-cdd uses `gpg
--verify` which fails with error code 2 as soon as a single signature
can't be verified.

But simple-cdd should fail only if none of the signatures can't be
verified or if some signature fails to verify while the key is present
(a bit like APT does it...). But the absence of a key should not result in
a failure provided that the other signatures are working.

Elements of proof:

$ wget http://debian.backend.mirrors.debian.org/debian/dists/stretch/Release
$ wget http://debian.backend.mirrors.debian.org/debian/dists/stretch/Release.gpg
$ LANG=C gpg --keyring 
/srv/chroots/buster-amd64/usr/share/keyrings/debian-archive-keyring.gpg 
--verify Release.gpg Release
gpg: Signature made Sat Aug 14 09:43:24 2021 CEST
gpg:using RSA key 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC
gpg: Good signature from "Debian Archive Automatic Signing Key (9/stretch) 
" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: E1CF 20DD FFE4 B89E 8026  58F1 E0B1 1894 F66A EC98
 Subkey fingerprint: 16E9 0B3F DF65 EDE3 AA7F  323C 04EE 7237 B7D4 53EC
gpg: Signature made Sat Aug 14 09:43:25 2021 CEST
gpg:using RSA key 0146DC6D4A0B2914BDED34DB648ACFD622F3D138
gpg: Good signature from "Debian Archive Automatic Signing Key (10/buster) 
" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: 80D1 5823 B7FD 1561 F9F7  BCDD DC30 D7C2 3CBB ABEE
 Subkey fingerprint: 0146 DC6D 4A0B 2914 BDED  34DB 648A CFD6 22F3 D138
gpg: Signature made Sat Aug 14 10:46:19 2021 CEST
gpg:using RSA key A7236886F3CCCAAD148A27F80E98404D386FA1D9
gpg: Can't check signature: No public key
gpg: Signature made Sat Aug 14 10:26:43 2021 CEST
gpg:using RSA key 067E3C456BAE240ACEE88F6FEF0F382A1A7B6500
gpg:issuer "debian-rele...@lists.debian.org"
gpg: Good signature from "Debian Stable Release Key (9/stretch) 
" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: 067E 3C45 6BAE 240A CEE8  8F6F EF0F 382A 1A7B 6500
$ echo $?
2
$ LANG=C gpg --keyring 
/srv/chroots/buster-amd64/usr/share/keyrings/debian-archive-keyring.gpg 
--with-subkey-fingerprints --list-keys A7236886F3CCCAAD148A27F80E98404D386FA1D9
gpg: error reading key: No public key
$ LANG=C gpg --keyring /usr/share/keyrings/debian-archive-keyring.gpg 
--with-subkey-fingerprints --list-keys A7236886F3CCCAAD148A27F80E98404D386FA1D9
pub   rsa4096 2021-01-17 [SC] [expires: 2029-01-15]
  1F89983E0081FDE018F3CC9673A4F27B8DD47936
uid   [ unknown] Debian Archive Automatic Signing Key (11/bullseye) 

sub   rsa4096 2021-01-17 [S] [expires: 2029-01-15]
  A7236886F3CCCAAD148A27F80E98404D386FA1D9



-- System Information:
Debian Release: 11.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'oldoldstable'), (500, 
'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/16 CPU threads)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages simple-cdd depends on:
ii  dctrl-tools 2.24-3+b1
ii  debian-cd   3.1.35
ii  lsb-release 11.1.0
ii  python3 3.9.2-3
ii  python3-simple-cdd  0.6.8
ii  reprepro

Bug#991167: ftpsync: Please document how to contribute

[Raphaël Hertzog]

Package: ftpsync
Version: 20180513+nmu1
Severity: wishlist
User: de...@kali.org
Usertags: origin-kali
X-Debbugs-Cc: raph...@offensive-security.com

Looking at the README in https://salsa.debian.org/mirror-team/archvsync
I saw no instructions on how to contribute, nor any indication of where
bugs are welcome.

It would be nice to tell users that found an issue that they can file bugs
in the Debian BTS and that they can submit merge requests for patches (or
that they can send patch to the BTS if that's your preference).

IMO it would make sense to allow GitLab issues on the project too for
"upstream change", but YMMV.

-- System Information:
Debian Release: 11.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'unstable'), (500, 'testing'), 
(500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-7-amd64 (SMP w/16 CPU threads)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ftpsync depends on:
ii  postfix [mail-transport-agent]  3.5.6-1+b1
ii  rsync   3.2.3-4

Versions of packages ftpsync recommends:
ii  curl  7.74.0-1.3+b1

ftpsync suggests no packages.

-- no debconf information

Bug#991166: ftpsync: Contents* and dep11/* metadata are incorrectly updated in stage1

[Raphaël Hertzog]

Package: ftpsync
Version: 20180513+nmu1
Severity: important
User: de...@kali.org
Usertags: origin-kali
X-Debbugs-Cc: raph...@offensive-security.com

In Kali we encountered many failed "apt update" with a mirror that was
slow to update and it always failed due to invalid checksums on
"Contents-amd64.gz".

Looking more closely, I discovered that "ftpsync" was not really kept
up-to-date with other files that are listed in the Release file and that
should be updated in stage 2 instead of stage 1.

I noticed in particular that dep11/* should also be handled like we
do for "i18n/*". And we might want to do it also for MD5SUMS/SHA256SUMS
files of debian-installer... although updates there are not very frequent.

Thank you in advance!

-- System Information:
Debian Release: 11.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'unstable'), (500, 'testing'), 
(500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-7-amd64 (SMP w/16 CPU threads)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ftpsync depends on:
ii  postfix [mail-transport-agent]  3.5.6-1+b1
ii  rsync   3.2.3-4

Versions of packages ftpsync recommends:
ii  curl  7.74.0-1.3+b1

ftpsync suggests no packages.

-- no debconf information

Bug#990281: APT make duplicate HTTP requests with mirrorbits

[Raphaël Hertzog]

Package: apt
Version: 2.2.3
Severity: important
User: de...@kali.org
Usertags: origin-kali
X-Debbugs-Cc: hert...@debian.org
Control: found -1 apt/2.3.6

Hi,

in Kali we have been testing "mirrorbits" as a replacement for
"mirrorbrain". Our current mirrorbrain setup runs on http.kali.org
and mirrorbits runs on http-staging.kali.org.

We have seen strange behaviour from APT with mirrorbits where APT
seems to send some HTTP requests multiple times. Whereas with mirrorbrain,
it's fine.

$ cat /etc/apt/sources.list
deb http://http-staging.kali.org/kali kali-rolling main contrib non-free
$ apt install --dry-run aria2

The following additional packages will be installed:
  libaria2-0 libsqlite3-0 libssh2-1
The following NEW packages will be installed:
  aria2 libaria2-0 libsqlite3-0 libssh2-1
0 upgraded, 4 newly installed, 0 to remove.

$ sudo apt -y -d -q -o Debug::Acquire::http=true install aria2 2>&1 | grep -A1 
^GET
GET /kali/pool/main/s/sqlite3/libsqlite3-0_3.34.1-3_amd64.deb HTTP/1.1
Host: http-staging.kali.org
--
GET /pub/Linux/kali/pool/main/s/sqlite3/libsqlite3-0_3.34.1-3_amd64.deb HTTP/1.1
Host: ftp.jaist.ac.jp
--
GET /kali/pool/main/libs/libssh2/libssh2-1_1.9.0-2_amd64.deb HTTP/1.1
Host: http-staging.kali.org
--
GET /kali/pool/main/a/aria2/libaria2-0_1.35.0-3_amd64.deb HTTP/1.1
Host: http-staging.kali.org
--
GET /kali/pool/main/a/aria2/aria2_1.35.0-3_amd64.deb HTTP/1.1
Host: http-staging.kali.org
--
GET /kali/pool/main/a/aria2/libaria2-0_1.35.0-3_amd64.deb HTTP/1.1
Host: http-staging.kali.org
--
GET /kali/pool/main/a/aria2/aria2_1.35.0-3_amd64.deb HTTP/1.1
Host: http-staging.kali.org
--
GET /pub/Linux/kali/pool/main/libs/libssh2/libssh2-1_1.9.0-2_amd64.deb HTTP/1.1
Host: ftp.jaist.ac.jp
--
GET /kali/pool/main/a/aria2/libaria2-0_1.35.0-3_amd64.deb HTTP/1.1
Host: mirror.anigil.com
--
GET /kali/pool/main/a/aria2/aria2_1.35.0-3_amd64.deb HTTP/1.1
Host: http-staging.kali.org
--
GET /kali/pool/main/a/aria2/aria2_1.35.0-3_amd64.deb HTTP/1.1
Host: mirror.anigil.com


As you can see, APT seems to send the same HTTP request to mirrorbits
multiple times, but the final download happens only once per file.
Depending on the exact case, we get fewer duplicate requests, but it's
easily reproducible.

We tried to compare the HTTP headers returned by the two servers and
mirrorbits/nginx sets those headers in addition to the usual ones when it
sends its redirect answer (compared to mirrorbrain/apache):

Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-cache

I have also reproduced the issue with apt 2.3.6 in unstable.

If you want to reproduce, just tweak your sources.list and install
http://http.kali.org/pool/main/k/kali-archive-keyring/kali-archive-keyring_2020.2_all.deb
to have the kali archive key to authenticate the repository.

-- System Information:
Distributor ID: Kali
Description:Kali GNU/Linux Rolling
Release:2021.1
Codename:   kali-rolling
Architecture: x86_64

Kernel: Linux 5.10.0-7-amd64 (SMP w/16 CPU threads)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages apt depends on:
ii  adduser 3.118
ii  debian-archive-keyring  2019.1
ii  gpgv2.2.20-1
ii  libapt-pkg6.0   2.1.18
ii  libc6   2.31-9
ii  libgcc-s1   10.2.1-6
ii  libgnutls30 3.7.0-5
ii  libseccomp2 2.5.1-1
ii  libstdc++6  10.2.1-6
ii  libsystemd0 247.2-5

Versions of packages apt recommends:
ii  ca-certificates  20210119

Versions of packages apt suggests:
pn  apt-doc  
pn  aptitude | synaptic | wajig  
ii  dpkg-dev 1.20.7.1kali1
ii  gnupg2.2.20-1
pn  powermgmt-base   

-- no debconf information

Bug#964906: Same problem here, but not systematic

[Raphaël Plasson]

I have the same problem on two of my servers (both with similar 
configuration, debian buster with backports), both with a btrfs raid-1 
on /root.


In my case, initramfs indeed fails to mount /root, but performing a 
'btrfs device scan' followed by a manual mount to /root directly on the 
initramfs prompts solves the problem.


However, this problem is not systematically met. Even on the same 
server, the root may be correctly mounted after a reboot.


Maybe there is a race condition, so that the 
'/usr/share/initramfs-tools/scripts/local-premount/btrfs' may not be 
launched at the right moment?


Hoping this information can help.

Bug#986843: smuxi-engine: Crash when editing server information

[Raphaël Hertzog]

Package: smuxi-engine
Version: 1.1-1
Severity: important
X-Debbugs-Cc: hert...@debian.org

I'm trying to edit server information through the gnome frontend and when
I validate the changes I get this crash:


Exception Type:
System.ArgumentNullException

Exception Message:
Value cannot be null.
Parameter name: value

Exception StackTrace:
  at Smuxi.Engine.UserConfig.Set (System.String key, System.Object value) 
[0x00079] in /build/smuxi-gSW6uG/smuxi-1.1/src/Engine/Config/UserConfig.cs:159
  at Smuxi.Engine.UserConfig.set_Item (System.String key, System.Object value) 
[0x4] in /build/smuxi-gSW6uG/smuxi-1.1/src/Engine/Config/UserConfig.cs:101
  at (wrapper remoting-invoke-with-check) 
Smuxi.Engine.UserConfig.set_Item(string,object)
  at Smuxi.Engine.ServerModel.Save (Smuxi.Engine.UserConfig config) [0x00135] 
in /build/smuxi-gSW6uG/smuxi-1.1/src/Engine/Config/ServerModel.cs:232
  at Smuxi.Engine.ServerListController.SetServer (Smuxi.Engine.ServerModel 
server) [0x00029] in 
/build/smuxi-gSW6uG/smuxi-1.1/src/Engine/Config/ServerListController.cs:178
  at Smuxi.Frontend.Gnome.ServerListView.Edit (Smuxi.Engine.ServerModel server) 
[0x0006e] in 
/build/smuxi-gSW6uG/smuxi-1.1/src/Frontend-GNOME/Preferences/ServerListView.cs:183
  at Smuxi.Frontend.Gnome.ServerListView.OnEditButtonClicked (System.Object 
sender, System.EventArgs e) [0x0002a] in 
/build/smuxi-gSW6uG/smuxi-1.1/src/Frontend-GNOME/Preferences/ServerListView.cs:256


I have attached the screenshot of the screen with the data that I'm
saving.

I do use a ssh connection between the engine and the frontend. The
engine side is running smuxi-engine 1.0.7-5.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'unstable'), (500, 'testing'), 
(500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-5-amd64 (SMP w/16 CPU threads)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages smuxi-engine depends on:
ii  liblog4net1.2-cil1.2.10+dfsg-7.1
ii  libmono-corlib4.5-cil6.8.0.105+dfsg-3
ii  libmono-posix4.0-cil 6.8.0.105+dfsg-3
ii  libmono-sqlite4.0-cil6.8.0.105+dfsg-3
ii  libmono-system-core4.0-cil   6.8.0.105+dfsg-3
ii  libmono-system-data-linq4.0-cil  6.8.0.105+dfsg-3
ii  libmono-system-data4.0-cil   6.8.0.105+dfsg-3
ii  libmono-system-drawing4.0-cil6.8.0.105+dfsg-3
ii  libmono-system-runtime-serialization4.0-cil  6.8.0.105+dfsg-3
ii  libmono-system-runtime4.0-cil6.8.0.105+dfsg-3
ii  libmono-system-web4.0-cil6.8.0.105+dfsg-3
ii  libmono-system-xml-linq4.0-cil   6.8.0.105+dfsg-3
ii  libmono-system-xml4.0-cil6.8.0.105+dfsg-3
ii  libmono-system4.0-cil6.8.0.105+dfsg-3
ii  libnini1.1-cil   1.1.0+dfsg.2-5.1
ii  mono-runtime 6.8.0.105+dfsg-3

smuxi-engine recommends no packages.

Versions of packages smuxi-engine suggests:
pn  oidentd | ident-server  

-- no debconf information

Bug#984547: isenkramd failure with with "TypeError: argument should be integer or bytes-like object, not 'str'"

[Raphaël Hertzog]

Package: isenkram
Version: 0.45
Severity: serious
X-Debbugs-Cc: hert...@debian.org

I saw this in my logs:
mars 04 20:22:14 t14-buxy isenkramd.desktop[3020]: Traceback (most recent call 
last):
mars 04 20:22:14 t14-buxy isenkramd.desktop[3020]:   File "/usr/bin/isenkramd", 
line 400, in uevent_callback
mars 04 20:22:14 t14-buxy isenkramd.desktop[3020]: if not 
is_pkg_installed(pkg):
mars 04 20:22:14 t14-buxy isenkramd.desktop[3020]:   File "/usr/bin/isenkramd", 
line 340, in is_pkg_installed
mars 04 20:22:14 t14-buxy isenkramd.desktop[3020]: if 0 == line.find("ii "):
mars 04 20:22:14 t14-buxy isenkramd.desktop[3020]: TypeError: argument should 
be integer or bytes-like object, not 'str'

It looks like that the package was not fully tested in a Python 3 context
as this is a common failure when you mix binary content and text content.

Cheers,

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 
'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-3-amd64 (SMP w/16 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages isenkram depends on:
ii  gir1.2-gtk-3.0 3.24.24-3
ii  gir1.2-gudev-1.0   234-1
ii  gir1.2-notify-0.7  0.7.9-3
ii  gir1.2-packagekitglib-1.0  1.2.2-2
ii  isenkram-cli   0.45
ii  packagekit 1.2.2-2
ii  python33.9.1-1
ii  python3-gi 3.38.0-2

isenkram recommends no packages.

isenkram suggests no packages.

-- no debconf information

Bug#982562: general: Storing upstream signatures next to upstream tarballs is problematic

[Raphaël Hertzog]

Package: general
Severity: normal
User: de...@kali.org
Usertags: origin-kali
X-Debbugs-Cc: hert...@debian.org, debian-d...@lists.debian.org
Control: affects -1 ftp.debian.org dpkg-dev

Hi people,

After having been bitten (in Kali) by failures to import Debian packages
because a PGP signature file has been modified [1], this lead me to think
about this problem space and I concluded that the way we are storing
such signatures is not appropriate.

Those files are not really meant to be immutable:
- signing keys can expire and be revoked, upstream might want to update
  signatures of already released tarballs
- the set of "upstream release managers" might evolve over time and the
  official signature to use might change...

If we assume that the archive is meant to store immutable content
under a given filename (and to me that requirement seems to be a good
idea), then we should question ourselves whether we really want to store
those signatures in a filename that's associated to the upstream version.
They should either be tied to the Debian revision (so that they can change
over time without any new upstream release) or be incorporated in the
Debian tarball.

After all the key to verify those signatures is already stored in the
Debian tarball (when you use the uscan feature to verify those
signatures), so why not store the signature there as well?

I originally filed this in https://bugs.debian.org/949962 against
ftp.debian.org but the bug got closed because it's not really the
responsibility of ftpmasters to change this. So I'm starting a wider
discussion to gather feedback of all interested parties (at least
Guillem as dpkg maintainer). I won't drive this much further but
I wanted to have it properly recorded and considered.

Cheers,

[1] For details it happened in dbus-glib:
https://snapshot.debian.org/package/dbus-glib/0.110-2/ -> it has .asc file
https://snapshot.debian.org/package/dbus-glib/0.110-3/ -> no .asc
https://snapshot.debian.org/package/dbus-glib/0.110-4/ -> no .asc
https://snapshot.debian.org/package/dbus-glib/0.110-5/ -> it has a
different .asc file

Bug#982496: debian-cd: Support grub theme on arm64

[Raphaël Hertzog]

Package: debian-cd
Version: 3.1.33
Severity: wishlist
User: de...@kali.org
Usertags: origin-kali
X-Debbugs-Cc: raph...@offensive-security.com

We're working on getting Kali to work as a VM on the Apple M1 and so we
are trying to build arm64 installer images with simple-cdd (and thus
debina-cd). In this process, Steev Klimaszewski 
discovered that the grub configuration used for the EFI boot on arm64 does
not take advantage of any theming, contrary to amd64/i386.

It would be nice if we could fix this by enabling the grub theme
everywhere. However this doesn't look entirely trivial as the theming
is handled through a mixture of code in tools/boot/bullseye/boot-x86
and tools/boot/bullseye/parse_isolinux, and arm64 is not relying on
isolinux at all.

Steve, your input is thus most welcome.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 
'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-3-amd64 (SMP w/16 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages debian-cd depends on:
ii  apt2.1.18
ii  bc 1.07.1-2+b2
ii  bzip2  1.0.8-4
ii  cpp4:10.2.1-1
ii  curl   7.74.0-1
ii  dctrl-tools [grep-dctrl]   2.24-3+b1
ii  dpkg-dev   1.20.7.1
ii  genisoimage9:1.1.11-3.2
pn  libcompress-zlib-perl  
pn  libdigest-md5-perl 
ii  libdpkg-perl   1.20.7.1
ii  lynx   2.9.0dev.6-1
ii  make   4.3-4
ii  perl [libdigest-sha-perl]  5.32.1-2
ii  tofrodos   1.7.13+ds-5
ii  wget   1.21-1+b1
ii  xorriso1.5.2-1

Versions of packages debian-cd recommends:
ii  dosfstools   4.1-2
ii  hfsutils 3.2.6-15
ii  isolinux 3:6.04~git20190206.bf6db5b4+dfsg1-3
ii  mtools   4.0.26-1
ii  netpbm   2:10.0-15.3+b2
ii  syslinux-common  3:6.04~git20190206.bf6db5b4+dfsg1-3
ii  syslinux-utils   3:6.04~git20190206.bf6db5b4+dfsg1-3

debian-cd suggests no packages.

-- no debconf information

Bug#981007: systemd: default syscall-filter list is incomplete for i386 and breaks tar

[Raphaël Hertzog]

Package: systemd
Version: 241-7~deb10u5
Severity: important
Tags: patch upstream
User: de...@kali.org
Usertags: origin-kali
Control: fixed -1 systemd/244.1-1

We are running dist-upgrade tests within systemd-nspawn containers
and since we upgraded to buster, our i386 tests, running on an amd64
host machine, are failing with messages like this one:

---
Fetched 7044 MB in 1617d 11h 20min 34s (50 B/s)
tar: ./control: Cannot utime: Operation not permitted
tar: ./md5sums: Cannot utime: Operation not permitted
tar: ./shlibs: Cannot utime: Operation not permitted
tar: ./symbols: Cannot utime: Operation not permitted
tar: ./triggers: Cannot utime: Operation not permitted
tar: .: Cannot utime: Operation not permitted
tar: Exiting with failure status due to previous errors
dpkg-deb: error: tar subprocess returned error exit status 2
---

Thanks to https://bugzilla.redhat.com/show_bug.cgi?id=1770154 I understood
that this is actually related to the lack of some system calls
in the default whitelist maintained by systemd.

This has been fixed with this upstream pull request:
https://github.com/systemd/systemd/pull/13975

So this issue is only affecting the stable version 241-7~deb10u5.
The version in buster-backports is fine, as is the version in
testing/unstable.

But it would still be nice if this could be fixed via a point release.

Thanks for maintaining systemd!

Bug#979233: lshw-gtk: Drop recommends on menu

[Raphaël Hertzog]

Package: lshw-gtk
Version: 02.18.85-0.5
Severity: normal

Please drop the recommends on "menu". AFAIK the menu package does not add any
functionality to your application. Applications should not
depend/recommend menu, only window managers or desktop that benefit from
the menu system should trigger its installation.

Thank you!

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-1-amd64 (SMP w/16 CPU threads)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lshw-gtk depends on:
ii  libc6   2.31-6
ii  libgcc-s1   10.2.1-3
ii  libgdk-pixbuf2.0-0  2.40.2-2
ii  libglib2.0-02.66.4-1
ii  libgtk2.0-0 2.24.33-1
ii  libstdc++6  10.2.1-3

Versions of packages lshw-gtk recommends:
pn  menu  
ii  pciutils  1:3.7.0-5
ii  usbutils  1:013-1

lshw-gtk suggests no packages.

-- no debconf information

Bug#977355: UserWarning: cannot parse package relationship "i", returning it raw

[Raphaël Hertzog]

Package: python3-debian
Version: 0.1.35
Severity: normal

The package tracker started to generate annoying messages in its cron job:

/usr/lib/python3/dist-packages/debian/deb822.py:1403: UserWarning: cannot parse 
package
relationship "i", returning it raw
  ' relationship "%s", returning it raw' % raw)

This is due to a buggy package containing a dependency on "i" (it's
libmagics++-dev, bug filed already) but I don't see any reason for deb822
to fail on this dependency. It's a very short package name that we should
likely not allow in Debian but I don't a reason to not be able to parse
it (in particular when nothing else in the build machinery choked on that
dependency, starting with dpkg-gencontrol).

Please update the __dep_RE regex to accept single-character dependencies:

   1421 __dep_RE = re.compile(
   1422 r'^\s*(?P[a-zA-Z0-9.+\-]{2,})'

Cheers,

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 
'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3-debian depends on:
ii  python3  3.9.0-4
ii  python3-chardet  3.0.4-7
ii  python3-six  1.15.0-2

Versions of packages python3-debian recommends:
ii  python3-apt  2.1.7

Versions of packages python3-debian suggests:
ii  gpgv  2.2.20-1

-- no debconf information

Bug#976823: uscan: have an official way to document that there's no upstream source anymore

[Raphaël Hertzog]

Package: devscripts
Version: 2.20.5
Severity: wishlist
User: de...@kali.org
Usertags: origin-kali
X-Debbugs-Cc: jel...@debian.org

There are cases where there's no upstream source anymore so we have
nothing to put into debian/watch (either because there never was a real
upstream or because the upstream repository disappeared). At the same
time, the lack of debian/watch might just mean that someone forgot to
create the file. So what I usually do is that I create a debian/watch
file documenting the fact that I can't put anything in it... but the
result is that uscan will fail and tools like the janitor bot that try to
import a new upstream release will log an error, drawing the attention of
developers on this specific package.

Example:
$ cat debian/watch 
version=3
# This is just a script that was posted on a website. No download available.
$ uscan --report; echo $?
1

It would be better if there was a way to document that there's no upstream
source and let uscan succeed while printing a warning. Maybe with a
specific optional flag say "no-upstream".

Desired result:
$ cat debian/wa
version=4
opts=no-upstream
$ uscan --report; echo $?
uscan info: no upstream sources are known, skipping without failing
0

Thank you for considering this request!

Bug#976372: gnome-shell-xrdesktop: FTBFS and is not built against latest libmutter

[Raphaël Hertzog]

Package: gnome-shell-xrdesktop
Version: 3.36.1-2
Severity: serious
Justification: FTBFS
User: de...@kali.org
Usertags: origin-kali

I noticed gnome-shell-xrdesktop depends on libmutter-6-0 which is obsolete
in unstable. I wanted to rebuild the package to have it link against a
newer mutter version but the package failed to build for me:

PKG_CONFIG_PATH:
Called `/usr/bin/pkg-config --modversion xrdesktop-0.14` -> 1

CMake binary for MachineChoice.BUILD is not cached
None of 'CMAKE' are defined in the environment, not changing global flags.
CMake binary missing from cross or native file, or env var undefined.
Trying a default CMake fallback at cmake
Did not find CMake 'cmake'
Found CMake: NO
No CMake binary for machine 0 not found. Giving up.
Run-time dependency xrdesktop-0.14 found: NO (tried pkgconfig)

../meson.build:107:0: ERROR: Dependency "xrdesktop-0.14" not found, tried 
pkgconfig
dh_auto_configure: error: cd obj-x86_64-linux-gnu && LC_ALL=C.UTF-8 meson .. 
--wrap-mode=nodownload --buildtype=plain --prefix=/usr --sysconfdir=/etc 
--localstatedir=/var --libdir=lib/x86_64-linux-gnu --libdir=/usr/lib 
-Dbash_completion=true -Denable-networkmanager=yes -Denable-systemd=yes 
returned exit code 1
make[1]: *** [debian/rules:26: override_dh_auto_configure] Error 25
make[1]: Leaving directory '/<>'
make: *** [debian/rules:17: binary] Error 2
dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 
'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gnome-shell-xrdesktop depends on:
ii  dconf-gsettings-backend [gsettings-backend]  0.38.0-1
ii  evolution-data-server3.38.1-2
ii  gir1.2-accountsservice-1.0   0.6.55-3
ii  gir1.2-atspi-2.0 2.38.0-2
ii  gir1.2-freedesktop   1.66.1-1+b1
ii  gir1.2-gcr-3 3.38.0-1
ii  gir1.2-gdesktopenums-3.0 3.38.0-2
ii  gir1.2-gdm-1.0   3.38.2-1
ii  gir1.2-geoclue-2.0   2.5.6-1
ii  gir1.2-glib-2.0  1.66.1-1+b1
ii  gir1.2-gnomebluetooth-1.03.34.3-2
ii  gir1.2-gnomedesktop-3.0  3.38.2-1
ii  gir1.2-gtk-3.0   3.24.23-3
ii  gir1.2-gweather-3.0  3.36.1-1
ii  gir1.2-ibus-1.0  1.5.23-1
pn  gir1.2-mutter-6  
ii  gir1.2-nm-1.01.27.91-2
ii  gir1.2-nma-1.0   1.8.30-1
ii  gir1.2-pango-1.0 1.46.2-3
ii  gir1.2-polkit-1.00.105-29
ii  gir1.2-rsvg-2.0  2.50.2+dfsg-1
ii  gir1.2-soup-2.4  2.72.0-2
ii  gir1.2-upowerglib-1.00.99.11-2
ii  gjs  1.66.1-1
ii  gnome-backgrounds3.38.0-1
ii  gnome-settings-daemon3.38.1-2
pn  gnome-shell-common-xrdesktop 
ii  gsettings-desktop-schemas3.38.0-2
ii  libatk-bridge2.0-0   2.38.0-1
ii  libatk1.0-0  2.36.0-2
ii  libc62.31-4
ii  libcairo21.16.0-4
ii  libecal-2.0-13.38.1-2
pn  libedataserver-1.2-24
ii  libgcr-base-3-1  3.38.0-1
ii  libgdk-pixbuf2.0-0   2.40.0+dfsg-8
ii  libgirepository-1.0-11.66.1-1+b1
ii  libgjs0g 1.66.1-1
ii  libgles2 1.3.2-1
ii  libglib2.0-0 2.66.3-1
ii  libglib2.0-bin   2.66.3-1
ii  libgnome-autoar-0-0  0.2.4-2
ii  libgnome-desktop-3-193.38.2-1
ii  libgraphene-1.0-01.10.2-1
ii  libgstreamer1.0-01.18.1-1
ii  libgtk-3-0   3.24.23-3
pn  libgulkan-0.14-0 
ii  libical3 3.0.8-2
pn  libinputsynth-0.13-0 
ii  libjson-glib-1.0-0   1.6.0-1
pn  libmutter-6-0
ii  libnm0   

Bug#976083: lintian: reports spelling-error-in-changelog for duplicate word even when punctuation and empty line separate two words

[Raphaël Hertzog]

Package: lintian
Version: 2.103.0
Severity: normal

I have this warning:
W: ccrypt: spelling-error-in-changelog Debian Debian (duplicate word) Debian

And I believe it matches this part of the changelog entry:
  * Configure git-buildpackage for Debian

  [ Debian Janitor ]

For me, it should not report this duplicate word. The empty line (and even
the square bracket) should be enough to not trigger the duplicate word
warning.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 
'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lintian depends on:
ii  binutils2.35.1-3
ii  bzip2   1.0.8-4
ii  diffstat1.63-1
ii  dpkg1.20.5
ii  dpkg-dev1.20.5
ii  file1:5.39-3
ii  gettext 0.19.8.1-10
ii  gpg 2.2.20-1
ii  intltool-debian 0.35.0+20060710.5
ii  libapt-pkg-perl 0.1.36+b4
ii  libarchive-zip-perl 1.68-1
ii  libcapture-tiny-perl0.48-1
ii  libclass-xsaccessor-perl1.19-3+b6
ii  libclone-perl   0.45-1+b1
ii  libconfig-tiny-perl 2.24-1
ii  libcpanel-json-xs-perl  4.25-1+b1
ii  libdata-dpath-perl  0.58-1
ii  libdata-validate-domain-perl0.10-1
ii  libdevel-size-perl  0.83-1+b2
ii  libdpkg-perl1.20.5
ii  libemail-address-xs-perl1.04-1+b3
ii  libfile-basedir-perl0.08-1
ii  libfile-find-rule-perl  0.34-1
ii  libfont-ttf-perl1.06-1
ii  libhtml-html5-entities-perl 0.004-1
ii  libipc-run3-perl0.048-2
ii  libjson-maybexs-perl1.004003-1
ii  liblist-compare-perl0.55-1
ii  liblist-moreutils-perl  0.416-1+b6
ii  liblist-utilsby-perl0.11-1
ii  libmoo-perl 2.004003-1
ii  libmoox-aliases-perl0.001006-1
ii  libnamespace-clean-perl 0.27-1
ii  libpath-tiny-perl   0.114-1
ii  libperlio-gzip-perl 0.19-1+b7
ii  libproc-processtable-perl   0.59-2+b1
ii  libsereal-decoder-perl  4.018+ds-1+b1
ii  libsereal-encoder-perl  4.018+ds-1+b1
ii  libtext-glob-perl   0.11-1
ii  libtext-levenshteinxs-perl  0.03-4+b8
ii  libtext-markdown-discount-perl  0.12-1+b1
ii  libtext-xslate-perl 3.5.8-1+b1
ii  libtime-duration-perl   1.21-1
ii  libtime-moment-perl 0.44-1+b3
ii  libtimedate-perl2.3300-1
ii  libtry-tiny-perl0.30-1
ii  libtype-tiny-perl   1.012000-1
ii  libunicode-utf8-perl0.62-1+b2
ii  liburi-perl 5.05-1
ii  libxml-libxml-perl  2.0134+dfsg-2+b1
ii  libyaml-libyaml-perl0.82+repack-1+b1
ii  lzip1.21-8
ii  lzop1.04-2
ii  man-db  2.9.3-2
ii  patchutils  0.4.2-1
ii  perl [libdigest-sha-perl]   5.32.0-5
ii  t1utils 1.41-4
ii  unzip   6.0-25
ii  xz-utils5.2.4-1+b1

lintian recommends no packages.

Versions of packages lintian suggests:
pn  binutils-multiarch 
ii  libtext-template-perl  1.59-1

-- no debconf information

Bug#976073: sbuild: support "podman" as chroot mode and provide a sbuild-create-oci command (built on top of buildah)

[Raphaël Hertzog]

Package: sbuild
Version: 0.80.0
Severity: wishlist
X-Debbugs-Cc: debian-de...@lists.debian.org

I know that multiple developers started using podman and buildah to manage
containers where they build their Debian packages. With user namespace
supports, this allows rootless building (like the "unshare" chroot
mode)... you don't even need root to setup the "build chroot" since those
are containers that you can download (or rebuild if you prefer).

Thus it would be nice if sbuild had a "podman" chroot mode where it could
use podman containers to build the packages.

A "sbuild-create-oci" command would also be helpful to build the various
container images, either from scratch (so that you don't have to trust
images that you download) or on top of pre-existing OCI images (to
save time and effort). That command should not be hard to build on top
of buildah.

Some links:
http://tauware.blogspot.com/2020/04/building-packages-with-buildah-in-debian.html
https://developers.redhat.com/blog/2019/02/21/podman-and-buildah-for-docker-users/

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 
'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages sbuild depends on:
ii  adduser 3.118
ii  libsbuild-perl  0.80.0
ii  perl5.32.0-5

Versions of packages sbuild recommends:
ii  autopkgtest  5.15
ii  debootstrap  1.0.123
ii  schroot  1.6.10-11

Versions of packages sbuild suggests:
pn  deborphan  
ii  e2fsprogs  1.45.6-1
ii  kmod   27+20200310-2
ii  wget   1.20.3-1+b3

-- no debconf information

Bug#975974: ITP: gnome-shell-extension-hamster -- GNOME Shell extension for the Hamster Time Tracker

[Raphaël Hertzog]

Package: wnpp
Severity: wishlist
Owner: Raphaël Hertzog 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: gnome-shell-extension-hamster
  Version : 0.10.0+git20200509
  Upstream Author : Hamster Project
* URL : https://github.com/projecthamster/hamster-shell-extension
* License : GPL-3+
  Programming Lang: Javascript
  Description : GNOME Shell extension for the Hamster Time Tracker

The package will be maintained together with hamster-time-tracker in
https://salsa.debian.org/projecthamster-team/

Bug#972726: dh-python: uninstallable when python-is-python2 is installed

[Raphaël Hertzog]

Package: dh-python
Version: 4.20200925
Followup-For: Bug #972726
User: de...@kali.org
Usertags: origin-kali

I made the same observation today. It seems to me that the breaks
was a bit too large. You can likely keep the same effect by using a
versioned breaks that would not conflict with the provides of
python-is-python2.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 
'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dh-python depends on:
ii  python33.8.6-1
ii  python3-distutils  3.8.6-1

dh-python recommends no packages.

Versions of packages dh-python suggests:
ii  dpkg-dev  1.20.5
ii  libdpkg-perl  1.20.5

-- no debconf information

Bug#973861: apt: http acquire method still failing with "Undetermined error" or "Data left in the buffer"

[Raphaël Hertzog]

Package: apt
Version: 2.1.11
Severity: important
User: de...@kali.org
Usertags: origin-kali

Hello,

while the frequence of the error has really decreased since the last set
of fixes, we still have occasional failures where apt ends
up with "Undetermined error" or "Data left in the buffer".

It's pretty annoying for APT to be unreliable in that way.

The last case that triggered this bug for us in Kali was within a net-install
in d-i:

[...]
Nov  5 23:15:48 in-target: Err:2130 http://kali.download/kali kali-rolling/main 
amd64 llvm-10 amd64 1:10.0.1-6
Nov  5 23:15:48 in-target:   Undetermined Error [IP: 104.18.102.100 80]
[...]
Nov  5 23:16:14 in-target: Fetched 2,651 MB in 5min 20s (8,274 kB/s)
Nov  5 23:16:14 in-target: E: Failed to fetch 
http://kali.download/kali/pool/main/l/llvm-toolchain-10/llvm-10_10.0.1-6_amd64.deb
  Undetermined Error [IP: 104.18.102.100 80]
Nov  5 23:16:14 in-target: E: Unable to fetch some archives, maybe run apt-get 
update or try with --fix-missing?
Nov  5 23:16:14 in-target: tasksel: apt-get failed (100)

To try to reproduce it I invite you to configure a sources.lists with
kali.download as mirror. Do this on a server with a very good connection.

deb http://kali.download/kali kali-rolling main contrib non-free

And try to run this in a loop until you reproduce it:
# apt --download-only install kali-linux-large
# apt clean

It took me two tries to reproduce it... I had a download rate of more than
50MB/s.

I tried to reproduce it with debugging options enabled:
# while true; do apt -y --download-only install kali-linux-large -o 
Debug::Acquire::http=true -o Debug::pkgAcquire::Worker=true 2>log || break; apt 
clean; done

And I managed to reproduce it too but after a dozen of tries this time.
The log file is huge but it failed with this:
E: Failed to fetch 
http://kali.download/kali/pool/main/h/highlight.js/libjs-highlight.js_9.12.0+dfsg1-5_all.deb
  Undetermined Error [IP: 104.18.102.100 80]

And here are the lines that seem relevant for that specific file:

 -> 
http:600%20URI%20Acquire%0aURI:%20http://kali.download/kali/pool/main/h/highlight.js/libjs-highlight.js_9.12.0+dfsg1-5_all.deb%0aFilename:%20/var/cache/apt/archives/partial/libjs-highlight.js_9.12.0+dfsg1-5_all.deb%0aExpected-SHA256:%202347b5fd2bb741cf87f01b4243e591d094445227bea63de5d53555752b322a45%0aExpected-SHA1:%20c465af27c6a567320661436f509043587735f996%0aExpected-MD5Sum:%206d11858477ba16d6b2ffb2d518dd2735%0aExpected-Checksum-FileSize:%20300172%0aTarget-Repo-URI:%20http://kali.download/kali/%0aTarget-Site:%20http://kali.download/kali%0aTarget-Release:%20kali-rolling%0aTarget-Base-URI:%20http://kali.download/kali/%0aTarget-Component:%20main%0aTarget-Codename:%20kali-rolling%0aTarget-Suite:%20kali-rolling%0aTarget-Architecture:%20all%0aTarget-Type:%20deb%0a%0a
 <- 
http:102%20Status%0aURI:%20http://kali.download/kali/pool/main/x/xorg-sgml-doctools/xorg-sgml-doctools_1.11-1_all.deb%0aMessage:%20Waiting%20for%20headers
GET /kali/pool/main/h/highlight.js/libjs-highlight.js_9.12.0%2bdfsg1-5_all.deb 
HTTP/1.1^M
Host: kali.download^M
User-Agent: Debian APT-HTTP/1.3 (2.1.11)^M
^M
[...]
 <- 
http:102%20Status%0aURI:%20http://kali.download/kali/pool/main/h/highlight.js/libjs-highlight.js_9.12.0+dfsg1-5_all.deb%0aMessage:%20Waiting%20for%20headers
GET 
/kali/pool/main/i/imagemagick/libmagickcore-6.q16-6-extra_6.9.11.24%2bdfsg-1%2bb1_amd64.deb
 HTTP/1.1^M
Host: kali.download^M
User-Agent: Debian APT-HTTP/1.3 (2.1.11)^M
^M

Answer for: 
http://kali.download/kali/pool/main/h/highlight.js/libjs-highlight.js_9.12.0+dfsg1-5_all.deb
HTTP/1.1 200 OK^M
Date: Fri, 06 Nov 2020 08:10:09 GMT^M
Content-Type: application/octet-stream^M
Content-Length: 300172^M
Connection: close^M
Set-Cookie: __cfduid=dcd44a60d11f41fb354d70f7609be4f1a1604650209; expires=Sun, 
06-Dec-20 08:10:09 GMT; path=/; domain=.kali.download; HttpOnly; SameSite=Lax^M
Last-Modified: Sun, 29 Dec 2019 15:40:32 GMT^M
ETag: "5e08c8f0-4948c"^M
Expires: Mon, 04 Nov 2030 08:10:09 GMT^M
Cache-Control: public, max-age=31536^M
CF-Cache-Status: HIT^M
Age: 264899^M
Accept-Ranges: bytes^M
cf-request-id: 063e342a5da30f222e81^M
Server: cloudflare^M
CF-RAY: 5edd5623cfbda30f-ORD^M
^M
 <- 
http:200%20URI%20Start%0aLast-Modified:%20Sun,%2029%20Dec%202019%2015:40:32%20+%0aSize:%20300172%0aURI:%20http://kali.download/kali/pool/main/h/highlight.js/libjs-highlight.js_9.12.0+dfsg1-5_all.deb
 <- 
http:400%20URI%20Failure%0aTransient-Failure:%20true%0aMessage:%20Undetermined%20Error%20[IP:%20104.18.102.100%2080]%0aURI:%20http://kali.download/kali/pool/main/h/highlight.js/libjs-highlight.js_9.12.0+dfsg1-5_all.deb
 -> 

Bug#971744: libvorbisidec: multiple architectures not coinstallable

[Raphaël Halimi]

Package: libvorbisidec
Version: 1.2.1+git20180316-6
Tags: patch

Dear developers,

Multiple architectures of library libvorbisidec1 are not coinstallable.

I tried to rebuild the package with just adding "Multi-Arch: same" in 
debian/control and the resulting amd64 and i386 packages could be 
installed together without any problem.


Please consider releasing a new multi-arch friendly version of the 
package. I attached a small patch to this bug report.


Regards,

--
Raphaël Halimi
From 9454bc7cca407213672dee2c42dc98171cc38faf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Halimi?= 
Date: Tue, 6 Oct 2020 13:13:09 +0200
Subject: [PATCH] Add Multi-Arch: same

---
 debian/control | 1 +
 1 file changed, 1 insertion(+)

diff --git a/debian/control b/debian/control
index c63ebcb..0db469c 100644
--- a/debian/control
+++ b/debian/control
@@ -27,6 +27,7 @@ Description: Integer-only Ogg Vorbis decoder, AKA "tremor" (Development Files)
 Package: libvorbisidec1
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}
+Multi-Arch: same
 Description: Integer-only Ogg Vorbis decoder, AKA "tremor"
  libvorbisidec is an Ogg Vorbis audio decoder (also known as
  "tremor"), implemented with no floating point arithmetic.  This makes
-- 
2.28.0



OpenPGP_0x4D99F6660A59827B.asc
Description: application/pgp-keys


OpenPGP_signature
Description: OpenPGP digital signature

Bug#970694: numba: FTBFS: unsat-dependency: python3-llvmlite:amd64 (< 0.34)

[Raphaël Plasson]

Note that this problem does hit the python3-numba package (and not only 
the src:numba) as it requires python3-llvmlite (<< 0.34). An `apt 
upgrade` doesn't touch the python3-llvmlite on my machines, and an `apt 
full-upgrade` would update python3-llvmlite and remove python3-numba. I 
thus assume than python3-numba is now uninstallable on sid.


Shouldn't this bug be opened also for python3-numba, as this package is 
likely to appear as uninstallable in the present state?


Raphaël


> Source: numba
> Version: 0.50.1-2
> Severity: serious
> Tags: ftbfs sid bullseye
> Justification: fails to build from source (but built successfully in 
the past)

>
> numba has unsatisfiable build dependencies:
> | report:
> | -
> | package: sbuild-build-depends-main-dummy
> | version: 0.invalid.0
> | architecture: amd64
> | status: broken
> | reasons:
> | -
> | missing:
> | pkg:
> | package: sbuild-build-depends-main-dummy
> | version: 0.invalid.0
> | architecture: amd64
> | unsat-dependency: python3-llvmlite:amd64 (< 0.34)
>
> python3-llvmlite is now at version 0.34.0-1.
>
> Cheers
> --
> Sebastian Ramacher

Bug#970749: nautilus-dropbox: New upstream release available

[Raphaël Hertzog]

Package: nautilus-dropbox
Version: 2019.02.14-1
Severity: wishlist

Version 2020.03.04 is available in the upstream git repository:
https://github.com/dropbox/nautilus-dropbox/tags

It would be nice to have this version packaged.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 
'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nautilus-dropbox depends on:
ii  gir1.2-gdkpixbuf-2.0 2.40.0+dfsg-5
ii  gir1.2-gtk-3.0   3.24.22-1
ii  libc62.31-3
ii  libglib2.0-0 2.64.4-1
ii  libgtk-3-0   3.24.22-1
ii  libnautilus-extension1a  3.36.3-1
ii  procps   2:3.3.16-5
ii  python3  3.8.2-3
ii  python3-gi   3.36.1-1

Versions of packages nautilus-dropbox recommends:
ii  python3-gpg  1.14.0-1

Versions of packages nautilus-dropbox suggests:
ii  nautilus  3.36.3-1

-- no debconf information

Bug#970692: dovecot-core: fts_solr plugin failure

[Raphaël Walther]

On Mon, 21 Sep 2020 10:43:43 -0700, Noah Meyerhans wrote:
> Thanks for this report.  If we're able to provide builds with this patch
> backported, will you be able to validate that the issue is resolved?  If
> so, we should be able to get this fixed in an upcoming buster point
> release.

Yes, this is a bug I can reproduce.

Bug#970692: dovecot-core: fts_solr plugin failure

[Raphaël Walther]

Package: dovecot-core
Version: 2.3.4.1-5+deb10u4
Severity: important
Tags: upstream

Dear Maintainer,


The search via the solr_plugin fails frequently on rather big accounts with 
that error:
Error: fts_solr: received invalid uid '0'

The search via imap timeout after 10 seconds.

"Based on the XML response above, I investigated this problem thoroughly 
and determined that this is a pretty severe bug in the Solr XML response 
parsing code. This occurs only when the response is rather large and the 
boundary between two read chunks falls in the middle of a numeric value 
(that happens to end in '0')."
https://dovecot.org/pipermail/dovecot/2019-October/117290.html

This is fixed in 2.3.11.3+dfsg1-2

There is this patch that was released in 2.3.10.

https://github.com/dovecot/core/commit/74c98d2a18cc9ec0edae7f887605a0959d05c8c5#diff-05c64532f105f533f1b96575f101cb81


-- System Information:
Debian Release: 10.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-10-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dovecot-core depends on:
ii  adduser  3.118
ii  libapparmor1 2.13.2-10
ii  libbz2-1.0   1.0.6-9.2~deb10u1
ii  libc62.28-10
ii  libexttextcat-2.0-0  3.4.5-1
ii  libicu63 63.1-6+deb10u1
ii  liblua5.3-0  5.3.3-1.1
ii  liblz4-1 1.8.3-1
ii  liblzma5 5.2.4-1
ii  libpam-runtime   1.3.1-5
ii  libpam0g 1.3.1-5
ii  libsodium23  1.0.17-1
ii  libssl1.11.1.1d-0+deb10u3
ii  libstemmer0d 0+svn585-1+b2
ii  libwrap0 7.6.q-28
ii  lsb-base 10.2019051400
ii  openssl  1.1.1d-0+deb10u3
ii  ssl-cert 1.0.39
ii  ucf  3.0038+nmu1
ii  zlib1g   1:1.2.11.dfsg-1

Bug#969813: make attempts to execute a directory found on PATH (fixed upstream)

[Raphaël Rigo]

Package: make
Version: 4.3-4
Severity: normal
Tags: upstream patch

Dear Maintainer,

the current version of make in Debian is affected by the following bug:

https://savannah.gnu.org/bugs/index.php?57962

in which the PATH resolution does not check if the file to execute is
actually a directory.

This bug has been fixed in upstream's gnulib:

http://git.savannah.gnu.org/cgit/gnulib.git/commit/lib/findprog-in.c?id=6e6abd0cdfe4bb96f6412aebc511f10bf254a820

which unfortunately did not make it into Debian's make package.

Could you please update make with this fix ?

Regards,
Raphaël

Bug#969458: perl crash in eval command trying a failing require statement

[Raphaël Hertzog]

Package: perl
Version: 5.30.3-4
Severity: important
User: de...@kali.org
Usertags: origin-kali
X-Debbugs-Cc: debian-d...@lists.debian.org
Control: found -1 5.32.0-2

In Kali, any source package build started to fail with a mysterious
error:
> dpkg-buildpackage: error: dpkg-source -b . subprocess returned exit status 127

After quite some investigation, I tracked this down to perl exiting with
that error code in the middle of an eval statement that should have failed:
https://sources.debian.org/src/dpkg/1.20.5/scripts/Dpkg/Vendor.pm/#L166

The $name tried is "Kali" and we don't ship any Dpkg::Vendor::Kali. The
code should fallback to Dpkg::Vendor::Debian and this works a few times
but after multiples calls, at some point it no longer works and the
require statement in the eval block just never returns, it seems to crash
the perl interpreter.

You can easily reproduce this on an up-to-date testing or unstable system
with dpkg 1.20.5 (that version is failing, the former version we had
in Kali was 1.19.7 and it was not triggering this issue):

$ sudo tee /etc/dpkg/origins/kali >/dev/null < Vendor: Kali
> Vendor-URL: https://www.kali.org/
> Parent: debian
> Bugs: https://bugs.kali.org/
> END
$ sudo ln -sf kali /etc/dpkg/origins/default
$ apt source hello
[...]
$ cd hello-*
$ dpkg-buildpackage -S
[...]
 dpkg-source -b .
dpkg-source: info: using source format '3.0 (quilt)'
dpkg-source: info: building hello using existing ./hello_2.10.orig.tar.gz
dpkg-buildpackage: error: dpkg-source -b . subprocess returned exit status 127


Note that I only reproduce this with "3.0 (quilt)" source packages. Native
packages have different code paths likely involving fewer calls to
run_vendor_hook() and the problem can't be reproduced with such a source
package.

I can also reproduce the bug with version 5.32.0-2 available in
experimental.

FWIW I'm working around this issue in Kali with the attached patch but
this really smells like a bug in perl, thus I'm reporting it here.

Guillem, I believe the attached patch should be applied to dpkg in any
case as it's a small optimization that avoids running the evaled code too
often.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 
'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.7.0-3-amd64 (SMP w/4 CPU threads)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages perl depends on:
ii  dpkg   1.20.5
ii  libperl5.305.30.3-4
ii  perl-base  5.30.3-4
ii  perl-modules-5.30  5.30.3-4

Versions of packages perl recommends:
ii  netbase  6.1

Versions of packages perl suggests:
pn  libtap-harness-archive-perl  
ii  libterm-readline-gnu-perl1.36-2+b1
ii  make 4.3-4
ii  perl-doc 5.30.3-4

-- no debconf information
>From 75631da697b9d2c5b3ff2c54bc225fc55d3ab9c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Hertzog?= 
Date: Thu, 3 Sep 2020 11:26:58 +0200
Subject: [PATCH] Work-around a perl crash during any package build

Somehow perl doesn't like the multiple execution of the eval code that tries
to "require Dpkg::Vendor::Kali;" and at some point perl just exits with
an error code of 127 when it tries to execute this line of code. When
it happens, the eval doesn't return.

To avoid the multiple execution of this code, we cache the result of the
lookup made on the parent vendor as the good result for the current
vendor as well.

There's likely some bug in perl here and somehow the update from
dpkg 1.19.7 to dpkg 1.20.5 started to trigger that bug.
---
 scripts/Dpkg/Vendor.pm | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/scripts/Dpkg/Vendor.pm b/scripts/Dpkg/Vendor.pm
index 196159156..5b8f66fd8 100644
--- a/scripts/Dpkg/Vendor.pm
+++ b/scripts/Dpkg/Vendor.pm
@@ -174,10 +174,12 @@ sub get_vendor_object {
 
 my $info = get_vendor_info($vendor);
 if (defined $info and defined $info->{'Parent'}) {
-return get_vendor_object($info->{'Parent'});
+$obj = get_vendor_object($info->{'Parent'});
 } else {
-return get_vendor_object('Default');
+$obj = get_vendor_object('Default');
 }
+$OBJECT_CACHE{$vendor} = $obj;
+return $obj;
 }
 
 =item run_vendor_hook($hookid, @params)
-- 
2.28.0

Bug#969173: RM: openvas openvas-libraries openvas-cli openvas-manager -- ROM; replaced by gvm

[Raphaël Hertzog]

Package: ftp.debian.org
Severity: normal
User: de...@kali.org
Usertags: origin-kali
X-Debbugs-Cc: debian-security-to...@lists.debian.org

Hello,

GVM is replacing OpenVAS and a bunch of source packages have been
renamed or are obsolete.

Please remove the following source packages from unstable:
* openvas(replaced by gvm)
* openvas-libraries  (replaced by gvm-libs)
* openvas-cli(obsolete)
* openvas-manager(replaced by gvmd)

Thank you!

Bug#930919: dovecot: dsync broken for sieve filters

[Raphaël Walther]

On Wed, 26 Aug 2020 11:25:50 -0700, Noah Meyerhans wrote:
…
> I suspect we'll also want the next commit on that file, 
> https://github.com/dovecot/pigeonhole/commit/382b1eacdf587cd7d20a260e19a29a4d958bf98e

Indeed, I also think these two commits should be included:

commit 382b1eacdf587cd7d20a260e19a29a4d958bf98e
Author: Timo Sirainen 
Date:   Wed Jul 17 12:33:09 2019 +0300

doveadm-sieve: Shared attribute iteration shouldn't list Sieve scripts

Trying to get them as shared instead of as private resulted in failure.

commit 0e91911d22d43621c820d7f5b28be671050fd290
Author: Aki Tuomi 
Date:   Mon May 27 09:43:25 2019 +0300

doveadm-sieve: Fix script synchronization

When dsyncing, this codepath is always called with prefix "".
There is no point checking the prefix at all.

Broken in 479c5e57046dec76078597df844daccbfc0eb75f


I rebuilded the packages on my side. That would be nice to see this bug fixed
in buster release.

-- 
infomaniak
Raphaël Walther | Administrateur système
Rue Eugène-Marziano 25, 1227 Genève
Swiss Made| ISO 27001 14001 50001



signature.asc
Description: PGP signature