Bug#1075775: please package new upstream release 2.6.0 or greater to possibly support many new transit providers

[John Scott]

Source: railway-gtk
Version: 2.4.0-4
Severity: wishlist

Hi friends,

New versions of Railway appear to have added support for not only new transit 
routes, but also new services to discover transit routes. The current packaged 
version is geared towards rail travel in Europe, but it appears that the new 
version should be capable of public transportation more broadly, especially in 
the United States. Given that Google Maps alternatives such as OpenStreetMap 
are already uncommon in the US, I think this new upstream release could be a 
giant leap forward in breaking up the monoculture.
At least for the large American bus network around me, it doesn't seem like 
there's any practical way to navigate it using free software. There are plans 
to change it, but for now public transit support in GNOME Maps is basically a 
patchwork that (I think) only covers a single US city. Thus I think that 
letting users get their feet wet with possibilities will also motivate 
discussions for the rest of the ecosystem to improve.

I'm a Debian Maintainer for unrelated packages and have made small merge 
requests to GNOME packages before, so although it would be ambitious, please 
let me know if you'd like me to try this.

Thanks

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unreleased'), (500, 
'testing-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64

Kernel: Linux 6.8.12-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-- no debconf information


signature.asc
Description: This is a digitally signed message part


smime.p7s
Description: S/MIME cryptographic signature

Bug#1042913: freecad: TechDraw workbench: part corner vertices and circle centers not showing up, unable to attach for draw dimensions

[Scott MacKenzie]

Package: freecad
Version: 0.20.2+dfsg1-4
Followup-For: Bug #1042913
X-Debbugs-Cc: larri...@inbox.lv

Dear Maintainer,

I see this problem exactly as described.
I downloaded/ran FreeCAD_0.20.2-2022-12-27-conda-Linux-x86_64-py310.AppImage 
and the problem does not appear to exist in upstream.
I am eagerly awaiting the efforts of the smarter people.

Regards,
Scott.

-- System Information:
Debian Release: 12.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-22-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages freecad depends on:
ii  freecad-python3  0.20.2+dfsg1-4

Versions of packages freecad recommends:
ii  calculix-ccx  2.20-1
ii  graphviz  2.42.2-7+b3

Versions of packages freecad suggests:
pn  povray  

-- no debconf information

Bug#1074759: O: aiodns -- Asynchronous DNS resolver library for Python 3

[Scott Kitterman]

Package: wnpp
Severity: normal
X-Debbugs-Cc: aio...@packages.debian.org, debian-pyt...@lists.debian.org
Control: affects -1 + src:aiodns

I intend to orphan the aiodns package.

The package description is:
 aiodns provides a simple way for doing asynchronous DNS resolutions with a
 synchronous looking interface, using pycares.

I am no longer interested in maintaining this package and the other
theorectical uploader is long inactive.

Scott K

Bug#1074758: O: pycares -- Python interface for c-ares (common documentation)

[Scott Kitterman]

Package: wnpp
Severity: normal
X-Debbugs-Cc: pyca...@packages.debian.org, debian-pyt...@lists.debian.org
Control: affects -1 + src:pycares

I intend to orphan the pycares package.

The package description is:
 pycares is a Python 3 module which provides an interface to c-ares. c-ares is
 a C library that performs DNS requests and name resolutions asynchronously.

I no longer have interest in maintaining it and the other theorectical
uploader is long inactive.

Scott K

Bug#1074497: wiki.debian.org: NVIDIA Optimus: Still necessary to avoid the intel Xorg driver?

[Scott MacKenzie]

Package: wiki.debian.org
Severity: minor
X-Debbugs-Cc: larri...@inbox.lv

Dear Maintainer,

'.. Also make sure that the outdated xserver-xorg-video-intel package is not 
installed. The "modesetting" xorg driver has superseded it and will be used in 
this configuration.'

I have Debian 12.5 (i.e. current as of June 2024) but I have the intel driver 
installed.  When I try to use apt to install the modesetting driver, I get a 
redirect to xserver-xorg-core and the result that everything is already 
up-to-date.

Has the modesetting driver been withdrawn and superseded by the original 
drivers?  Does the wiki need an update?

Regards,
Scott.

Bug#1074429: xml-security-c: CVE-2024-34580

[Cantor, Scott]

TL;DR,

This is not a vulnerability, it's a default that people don't like that 
required a minor update to change, and that wasn't going to happen. The code 
has been formally retired at Apache and forked for the Shibboleth Project's 
use, and there will be some form of official indication of that at some point 
later this summer.

> The following vulnerability was published for xml-security-c.

It is not a vulnerability, and should never have been published as one. It's a 
default that people don't like. I don't like a lot of defaults in lots of 
software but that doesn't make them vulnerabilities.

> NOTE: the supplier disputes this CVE Record on the grounds
> that they are | implementing the specification "correctly"
> and are not "at fault."

Yes, because those are the facts. The scare quotes are unnecessary, as is the 
entire CVE.

> Not sure what to make out of this?  It seems the use of xml
>-security-sec within Shibboleth continues to be supported,
> but otherwise the library is deemed deprecated, so maybe
> this should at least be made explicit in the package
> description?

The mess around this invalid CVE led to my finally putting my foot down and 
demanding that we either retire the code or somebody else show up to help 
maintain it. Nobody did, so the Apache project retired that version of the 
library.

The Shbboleth Project has forked the codebase for its own use since we were the 
only maintainers. It is effectively in the same state in terms of support as 
the xmltooling and opensaml libraries: they're for the Shibboleth SP's use and 
any other uses are not relevant to the maintainers of the code and bugs or 
requests that do not impact the SP will not be prioritized.

Our needs are far less general than the original library's, so taking it over 
allows us to potentially do new releases that strip out a lot of code and 
attack surface, and to make different decisions in regard to API compatibility 
than could be made when it was a general-purpose tool.

The code was only recently converted to git and we are still in the process of 
getting it in place and deciding what to do with it. I have no idea how the 
retirement is going to be managed from the Apache side. Something needs to be 
done with the wiki, etc., but none of that has been determined.

Once the code is fully in place, I was planning to drop a note to the Debian 
packaging list for Shibboleth to note the change, as if the packaging 
continues, it should likely pull from our copy rather than the old one.

I don't have an opinion really about what to do with the package. I'm not about 
to rename it because that's more work for me, not less. I could understand the 
feeling on the Debian side being different about the need to delineate the 
transition and retire the original package since it's unmaintained.

-- Scott

Bug#1074146: Confirmation that Poppler's CVE-2024-6239 affects Buster and all subsequent releases

[John Scott]

Control: found -1 poppler/0.71.0-5+deb10u3
Control: found -1 poppler/20.09.0-3.1+deb11u1
Control: found -1 poppler/22.12.0-2
Control: found -1 poppler/24.06.0-2

Since I couldn't find detailed information from upstream, I'd like to confirm 
that I was able to reproduce the crash on Buster, Bullseye, Bookworm, and 
experimental, and so the Security Tracker information is accurate. I am 
therefore updating the bug to indicate this as a courtesy to BTS users.

Please note that the vulnerable code and its fix are exclusive to the pdfinfo 
utility in the poppler-utils binary package; the library is not affected. It 
might would be helpful if this bug were assigned to that binary package, but 
it's not my place to make that determination. I don't maintain this package, 
but do pitch in occasionally and keep a close eye on it.

Thanks and please let me know if I can be of any assistance.
-- 
 Homepage https://johnscott.me
着 Contact info
• as a vCard: https://johnscott.me/me/me.vcf
• as an LDAP directory entry: 
ldap://johnscott.me/CN=John%20Scott,DC=johnscott,DC=me


signature.asc
Description: This is a digitally signed message part


smime.p7s
Description: S/MIME cryptographic signature

Bug#1073869: RM: python-zxcvbn -- ROM; Unmaintained, depends on obsolete libs

[Scott Kitterman]

Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: python-zxc...@packages.debian.org, team-pyt...@tracker.debian.org
Control: affects -1 + src:python-zxcvbn


This depends on pypdf2 which has been removed from Testing and will be
removed from the archive.  It appears unmaintained both in Debian and
upstream.

Scott K

Bug#635834: Revisiting inclusion of AcroTeX/eForms in TeX Live in light of advancements in libre PDF readers

[John Scott]

Hello,

I must disclaim that I've not used these packages yet and would welcome being 
informed if I'm mistaken.

It looks like both TeX Live and Debian have had reservations about shipping 
AcroTeX and eForms because at the time it was considered, the only PDF readers 
that appeared to support the features were proprietary ones. However, it seems 
that free PDF viewers have made great strides in the past several years 
especially in supporting these advanced features, so I think their inclusion in 
the standard distribution should be reconsidered.

Free PDF viewers, especially Okular with the Poppler backend, have gained 
support for many of the features that have been standardized, including non-XFA 
forms, digital/cryptographic signature support, and JavaScript, all things that 
eForms appears to assist in making. There are probably still some things that 
AcroTeX and eForms can do that only proprietary readers support, but unless 
software patents muddy the waters, it seems like this can improve in client 
software at any time.

Frankly I'm itching to use this functionality in my documents, but as a strong 
advocate for free software as well, I'd like to be informed if there are any 
freedom or distribution issues remaining.

Thanks,
John

P.S. I'm having trouble subscribing, so please CC me on replies.

-- 
Homepage: https://johnscott.me
Contact info:
as a vCard: https://johnscott.me/me/me.vcf
or as an LDAP directory entry: 
ldap://johnscott.me/CN=John%20Scott,DC=johnscott,DC=me


signature.asc
Description: This is a digitally signed message part


smime.p7s
Description: S/MIME cryptographic signature

Bug#1071548: nmu: libwx-perl_1:0.9932-8+b7

[Scott Talbert]

Control: reopen -1

On Tue, 21 May 2024, Emilio Pozuelo Monfort wrote:


On 21/05/2024 01:21, Scott Talbert wrote:

Package: release.debian.org
Severity: normal
X-Debbugs-Cc: libwx-p...@packages.debian.org
Control: affects -1 + src:libwx-perl
User: release.debian@packages.debian.org
Usertags: binnmu

nmu libwx-perl_1:0.9932-8+b7 . ANY . unstable . -m "Rebuild with 
wxwidgets3.2 (3.2.5+dfsg-1)"


(Please schedule this to rebuild after the corresponding 
libalien-wxwidgets-perl binNMU.)


Scheduled.


This one needs another binNMU also, depwaited on libalien-wxwidgets-perl 
0.69+dfsg-6+b9.


Thanks,
Scott

Bug#1071547: nmu: libalien-wxwidgets-perl_0.69+dfsg-6+b7

[Scott Talbert]

Control: reopen -1

On Tue, 21 May 2024, Emilio Pozuelo Monfort wrote:


On 21/05/2024 01:20, Scott Talbert wrote:

Package: release.debian.org
Severity: normal
X-Debbugs-Cc: libalien-wxwidgets-p...@packages.debian.org
Control: affects -1 + src:libalien-wxwidgets-perl
User: release.debian@packages.debian.org
Usertags: binnmu

nmu libalien-wxwidgets-perl_0.69+dfsg-6+b7 . ANY . unstable . -m "Rebuild 
for wxwidgets3.2 (3.2.5+dfsg-1)"


(Please schedule this to rebuild with wxwidgets3.2 (3.2.5+dfsg-1))


Scheduled.


Hello,

Unfortunately, it seems this was scheduled to execute immediately, rather 
than wait for wxwidgets3.2 (3.2.5+dfsg-1).  So we're going to need another 
binNMU now that wx has been uploaded.


Regards,
Scott

Bug#1071548: nmu: libwx-perl_1:0.9932-8+b7

[Scott Talbert]

Package: release.debian.org
Severity: normal
X-Debbugs-Cc: libwx-p...@packages.debian.org
Control: affects -1 + src:libwx-perl
User: release.debian@packages.debian.org
Usertags: binnmu

nmu libwx-perl_1:0.9932-8+b7 . ANY . unstable . -m "Rebuild with wxwidgets3.2 
(3.2.5+dfsg-1)"

(Please schedule this to rebuild after the corresponding 
libalien-wxwidgets-perl binNMU.)

Bug#1071547: nmu: libalien-wxwidgets-perl_0.69+dfsg-6+b7

[Scott Talbert]

Package: release.debian.org
Severity: normal
X-Debbugs-Cc: libalien-wxwidgets-p...@packages.debian.org
Control: affects -1 + src:libalien-wxwidgets-perl
User: release.debian@packages.debian.org
Usertags: binnmu

nmu libalien-wxwidgets-perl_0.69+dfsg-6+b7 . ANY . unstable . -m "Rebuild for 
wxwidgets3.2 (3.2.5+dfsg-1)"

(Please schedule this to rebuild with wxwidgets3.2 (3.2.5+dfsg-1))

Bug#1071488: udisks2: Syslog filled with "Error probing device: Error sending ATA command IDENTIFY DEVICE to '/dev/sdx': Unexpected sense data returned:"

[Scott Ward]

Package: udisks2
Version: 2.9.4-4
Severity: normal

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
   * What exactly did you do (or not do) that was effective (or
 ineffective)?
   * What was the outcome of this action?
   * What outcome did you expect instead?

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-21-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages udisks2 depends on:
ii  dbus   1.14.10-1~deb12u1
ii  libacl12.3.1-3
ii  libatasmart4   0.19-5
ii  libblockdev-fs22.28-2
ii  libblockdev-loop2  2.28-2
ii  libblockdev-part2  2.28-2
ii  libblockdev-swap2  2.28-2
ii  libblockdev-utils2 2.28-2
ii  libblockdev2   2.28-2
ii  libc6  2.36-9+deb12u7
ii  libglib2.0-0   2.74.6-2+deb12u2
ii  libgudev-1.0-0 237-2
ii  libmount1  2.38.1-5+deb12u1
ii  libpolkit-agent-1-0122-3
ii  libpolkit-gobject-1-0  122-3
ii  libsystemd0252.22-1~deb12u1
ii  libudisks2-0   2.9.4-4
ii  libuuid1   2.38.1-5+deb12u1
ii  parted 3.5-3
ii  udev   252.22-1~deb12u1

Versions of packages udisks2 recommends:
ii  dosfstools   4.2-1
ii  e2fsprogs1.47.0-2
ii  eject2.38.1-5+deb12u1
ii  exfatprogs   1.2.0-1+deb12u1
ii  libblockdev-crypto2  2.28-2
ii  libpam-systemd   252.22-1~deb12u1
ii  ntfs-3g  1:2022.10.3-1+b1
ii  polkitd  122-3

Versions of packages udisks2 suggests:
pn  btrfs-progs  
pn  f2fs-tools   
pn  libblockdev-mdraid2  
ii  mdadm4.2-5
ii  nilfs-tools  2.2.9-1
pn  reiserfsprogs
pn  udftools 
pn  udisks2-bcache   
pn  udisks2-btrfs
pn  udisks2-lvm2 
pn  udisks2-zram 
pn  xfsprogs 

-- no debconf information

This started happening after I upgraded from Debian 11 to Debian 12.  This copy 
of Debian is running as a VM under VMWare ESXi and I have a number of USB hard 
drives connected to it.   This message is coming from two of them, one a 
Western Digital and one an older Buffalo.  
I've seen this bug reported in other venues (i.e. other distributions) but it 
never seems to get fixed, although in one report it looks like a maintainer 
said they were simply going
to supress the message, which would be good.  The message appears at about 6 
minute intervals and is several individual lines which makes filtering it out 
with grep difficult. 
Here is an example of the message:

May 20 01:00:50 lhNAS udisksd[65284]: Error probing device: Error sending ATA 
command IDENTIFY DEVICE to '/dev/sdm': Unexpected sense data returned:
  : f0 00 01 00  50 00 01 0a  80 00 00 
00  00 1d 00 00P...
  0010: 00 00 00 00  00 00 00 00  00 00 00 
00  00 00 00 00
   (g-io-error-quark, 0)

Reports in other venues say the issue is most common with Western Digital 
drives.   I've tried changing the loglevel in /etc/udisks2/udisks2.conf but 
that doesn't stop the 
messages even when set to the "Alert" level.   
 
Functionality isn't affected, but if you have a number of hard drives causing 
this message to be put out every 6 minutes it gets very difficult to find 
anything else in the log,
especially since you have to use multiple filters to get rid of them all.   
This message should be eliminated or set to notice level and the loglevel 
directive in the
config file then needs to be fixed to actaully affect messages going into the 
syslog.  

Bug#1070718: ITP: python-gfloat -- Python module of generic floating point encode/decode logic

[Scott Kitterman]

Package: wnpp
Severity: wishlist
Owner: Scott Kitterman 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: python-gfloat
  Version : 0.1
  Upstream Contact: Andrew Fitzgibbon 
* URL : https://github.com/graphcore-research/gfloat
* License : Expat
  Programming Lang: Python
  Description : Python module of generic floating point encode/decode logic

 An implementation of generic floating point encode/decode logic, handling
 various current and proposed floating point types:
 .
   - IEEE 754: Binary16, Binary32
   - OCP Float8: E5M2, E4M3
   - IEEE WG P3109: P{p} for p in 1..7
   - OCP MX Formats: E2M1, M2M3, E3M2, E8M0, INT8, and the MX block formats.
 .
 The library favours readability and extensibility over speed - for fast
 implementations of these datatypes see, for example, ml_dtypes, bitstring, MX
 PyTorch Emulation Library.

I intend to maintain this as part of the Debian Python Team.  It's
needed to run tests for the newest version of python-bitstring.

Scott K

Bug#1070638: kde-spectacle: Build-depends on NBS libkcolorpicker-dev

[Scott Kitterman]

On Mon, 06 May 2024 10:33:54 -0400 Scott Kitterman  
wrote:
> Source: kde-spectacle
> Version: 22.12.3-1
> Severity: serious
> Tags: ftbfs
> Justification: fails to build from source (but built successfully in the 
past)
> 
> Once kcolorpicker is decrufted, this package will FTBFS.  Please update
> your build-depends.

Also libkimageannotator-dev needs updating.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1070638: kde-spectacle: Build-depends on NBS libkcolorpicker-dev

[Scott Kitterman]

Source: kde-spectacle
Version: 22.12.3-1
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)

Once kcolorpicker is decrufted, this package will FTBFS.  Please update
your build-depends.

Scott K

Bug#1070130: python3-pycurl: SSL path issues - upstream bug

[Scott Talbert]

On Tue, 30 Apr 2024, i...@fernandolucas.info wrote:


Package: python3-pycurl
Version: 7.45.3-2
Severity: grave
Tags: upstream
Justification: renders package unusable

Dear Maintainer,

Please consider

https://github.com/pycurl/pycurl/issues/834
pycurl 7.45.3 wheel not working for https in debian/ubuntu systems

I confirm that the debian package for 7.45.3 fails sometimes to handle SSL 
connections,
meanwhile 7.45.2 works properly always.

Mabye it can be manually patched, or skip version 7.45.3 for debian.


Are you having problems with the Debian packaged version of pycurl, or 
with the pycurl wheel from upstream?  If the you're having problems with 
the packaged version of pycurl, can you please explain how to reproduce 
the problem?


Thanks,
Scott

Bug#1070116: python-zeep: Build-depends on NBS libraries libxmlsec1 and libxmlsec1-openssl

[Scott Kitterman]

Source: python-zeep
Version: 4.2.1-1
Severity: serious
Tags: ftbfs
Justification: fails to build from source

Once xmlsec1 is decrufted, python-zeep will FTBFS.  The build-depends
need to be updated to libxmlsec1t64 and libxmlsec1t64-openssl.

Scott K

Bug#1070062: waylandpp: Missing build-depends libwayland-egl1-mesa

[Scott Kitterman]

Source: waylandpp
Version: 1.0.0-4
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)

The libwayland-egl1-mesa package was a transitional package for libegl1 and
libwayland-egl1 and has been removed.  You will need to update your
build-depends appropriately.

Scott K

Bug#1069986: dublin-traceroute: Manual build-depends on NBS package libtins4.0

[Scott Kitterman]

Source: dublin-traceroute
Version: 0.4.2-2
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)

The package has a manual build-depends on libtins4.0, which is NBS.  It
has been renamed libtins4.5.  Once it is decrufted, this package will
FTBFS.

Scott K

Bug#1069985: python-cobra: Manual build-depends on NBS package libsbml5

[Scott Kitterman]

Source: python-cobra
Version: 0.26.2-1
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)

The package build-depends on the NBS package libsbml5.  It has been
renamed libsbml5t64.  Once the package is decrufted, this one will
FTBFS.

Please update your build-depends.

Scott K

Bug#1069984: alire: Build-depends on NBS package libgnatcoll21-dev

[Scott Kitterman]

Source: alire
Version: 1.2.1-1
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)

The package libgnatcoll21-dev has been renamed to libgnatcoll-dev.  Once
libgnatcoll21-dev is decfufted, it will FTBFS.  Please update your build
depends.

Scott K

Bug#1069983: dwarf-fortress: Manual build-depends on NBS package libgtk2.0-0

[Scott Kitterman]

Source: dwarf-fortress
Version: 0.47.04+dfsg1-1
Severity: serious
Tags: ftbfs
Justification: fails to build from source

The package has a manual build-depends on libgtk2.0-0, which has been
replaced by libgtk2.0-0t64.  Once it has been decrufted, the package
will no longer build.

Scott K

Bug#1069982: theli: Manual build-depends on NBS package libcurl4

[Scott Kitterman]

Source: theli
Version: 3.1.4-1
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)

Once libcurl4 is decrufted, the package will no longer build.  The
libcurl4 package has been replaced by libcurl4t64.

Scott K

Bug#1069963: python-nbxmpp: Build-depends on NBS package libglib2.0-0

[Scott Kitterman]

Source: python-nbxmpp
Version: 4.5.4-1
Severity: serious
Tags: ftbfs
Justification: fails to build from source

This package has a hard coded build-depends on libglib2.0-0, which is
NBS and the package will FTBFS once it is decrufted.  It was renamed
libglib2.0-0t64 as part of the 64 bit time transition.

Please update your build-depends.

Scott K

Bug#1069004: casacore-data-services: Hard coded build-depends on decrufted lib libcasa-meas7

[Scott Kitterman]

Package: casacore-data-services
Version: 2-4
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)

Will now FTBFS due to missing build-depends.

Scott K

Bug#1065623: reverse dependencies

[Scott Kitterman]

On Mon, 25 Mar 2024 18:48:44 + (UTC) Thorsten Alteholz 
 wrote:
> Control: tags -1 + moreinfo
> 
> Hi,
> 
> there are reverse dependencies that need to be taken care of:
> 
> 
> Checking reverse dependencies...
> # Broken Depends:
> baresip: baresip-x11
> 
> # Broken Build-Depends:
> baresip: libomxil-bellagio-dev
> kodi: libomxil-bellagio-dev
> vlc: libomxil-bellagio-dev
> 
> 
> In case they matter, this needs to be addressed first. Please remove the 
> moreinfo tag once that is done.
> 
>Thorsten

Baresip is not resolved in Unstable.  Please don't remove the moreinfo tag 
again until ALL the rdepends are taken care of.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1068868: ITP: python3-pyzmq -- Python bindings for 0MQ

[Cody Scott]

Package: wnpp
Severity: wishlist
Owner: Cody Scott 
X-Debbugs-Cc: debian-de...@lists.debian.org, cody.sc...@giatec.ca

* Package name: python3-pyzmq
  Version : 25.1.2
  Upstream Contact: ZeroMQ 
* URL : https://pyzmq.readthedocs.io/en/latest/
* License : BSD
  Programming Lang: Python
  Description : Python bindings for 0MQ


This will be used by Python applications that use ZeroMQ.

There doesn't appear to be any other Python bindings for ZeroMQ.

I plan to maintain it and I'm looking for a sponsor.

Bug#1068863: ITP: python3-atcom -- A tool which makes AT communication easier.

[Cody Scott]

Package: wnpp
Severity: wishlist
Owner: Cody Scott 
X-Debbugs-Cc: debian-de...@lists.debian.org, cody.sc...@giatec.ca

* Package name: python3-atcom
  Version : 0.4.3
  Upstream Contact: Sixfab 
* URL : https://pypi.org/project/atcom/
* License : Apache Version 2.0
  Programming Lang: Python
  Description : A tool which makes AT communication easier.


This is a Python package that provides utilities to use cellular modems.
I am using it in a travelling device.

There appears to be an alternative that I haven't used.
https://pypi.org/project/atcom/

I plan to maintain it.

Bug#1068517: kate: request to backport patch for upstream bug 476307

[Robert Scott]

Package: kate
Version: 4:22.12.3-1
Severity: normal

Dear Maintainer,


Upstream bug https://bugs.kde.org/show_bug.cgi?id=476307 has been reported 
resolved by MR https://invent.kde.org/utilities/kate/-/merge_requests/1441

It would be extremely helpful if you were able to pull the patch back to 
bookworm, or at least ensure the fix is included in the next stable, as
the bug causes me pain every day.


-- System Information:
Debian Release: 12.5
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-18-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages kate depends on:
ii  kate5-data   4:22.12.3-1
ii  kio  5.103.0-1
ii  ktexteditor-katepart 5.103.0-1.1
ii  libc62.36-9+deb12u4
ii  libkf5activities55.103.0-1
ii  libkf5bookmarks5 5.103.0-1
ii  libkf5completion55.103.0-1
ii  libkf5configcore55.103.0-2
ii  libkf5configgui5 5.103.0-2
ii  libkf5configwidgets5 5.103.0-1
ii  libkf5coreaddons55.103.0-1
ii  libkf5crash5 5.103.0-1
ii  libkf5dbusaddons55.103.0-1
ii  libkf5guiaddons5 5.103.0-1
ii  libkf5i18n5  5.103.0-1
ii  libkf5iconthemes55.103.0-1
ii  libkf5jobwidgets55.103.0-1
ii  libkf5kiocore5   5.103.0-1
ii  libkf5kiofilewidgets55.103.0-1
ii  libkf5kiogui55.103.0-1
ii  libkf5kiowidgets55.103.0-1
ii  libkf5newstuff5  5.103.0-1
ii  libkf5newstuffcore5  5.103.0-1
ii  libkf5newstuffwidgets5   5.103.0-1
ii  libkf5parts5 5.103.0-1
ii  libkf5service-bin5.103.0-1
ii  libkf5service5   5.103.0-1
ii  libkf5syntaxhighlighting55.103.0-3
ii  libkf5texteditor55.103.0-1.1
ii  libkf5textwidgets5   5.103.0-1
ii  libkf5wallet-bin 5.103.0-1
ii  libkf5wallet55.103.0-1
ii  libkf5widgetsaddons5 5.103.0-1
ii  libkf5windowsystem5  5.103.0-1
ii  libkf5xmlgui55.103.0-1
ii  libkuserfeedbackcore11.2.0-2
ii  libkuserfeedbackwidgets1 1.2.0-2
ii  libqt5concurrent55.15.8+dfsg-11
ii  libqt5core5a 5.15.8+dfsg-11
ii  libqt5dbus5  5.15.8+dfsg-11
ii  libqt5gui5   5.15.8+dfsg-11
ii  libqt5network5   5.15.8+dfsg-11
ii  libqt5sql5   5.15.8+dfsg-11
ii  libqt5widgets5   5.15.8+dfsg-11
ii  libqt5xml5   5.15.8+dfsg-11
ii  libstdc++6   12.2.0-14
ii  plasma-framework 5.103.0-1+deb12u1
ii  qml-module-org-kde-kquickcontrolsaddons  5.103.0-1
ii  qml-module-qtquick-layouts   5.15.8+dfsg-3
ii  qml-module-qtquick2  5.15.8+dfsg-3

Versions of packages kate recommends:
ii  sonnet-plugins  5.103.0-1

Versions of packages kate suggests:
pn  darcs
pn  exuberant-ctags  
ii  git  1:2.39.2-1.1
ii  khelpcenter  4:22.12.3-1
ii  konsole-kpart4:22.12.3-1
ii  mercurial6.3.2-1
pn  subversion   

-- no debconf information

Bug#1063772: postfix-mysql upgrade add map in dynamicmaps.cf after postfix restart

[Scott Kitterman]

The next postfix upload to unstable should address this by using a trigger to 
restart postfix any time one of the map type packages is configured.

Scott K

Bug#1029735: pypdf2 is deprecated, please move from python3-pypdf2 to python3-pypdf

[Scott Kitterman]

On Sun, 21 Jan 2024 12:09:30 -0500 Scott Kitterman  
wrote:

> As we approach the first anniversary for this bug, an update:
> 
> I've recently adopted pypdf and pypdf2 into the Debian Python Team in 
response 
> to an RFA for both packages.  As these are somewhat security sensitive 
> packages (among my first acts after adopting the packages was to upload 
> proposed updates for both to address minor security issues in Bookworm in 
the 
> next point release - same bug in both), I do not think we should release 
> pypdf2 in Trixie and have filed an RC bug to that effect.
> 
> If you want this package to be in Trixie, you will need to use pypdf instead 
> of pypdf2.

Now that pypdf2 has been removed from Trixie, bumping to serious.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1029738: pypdf2 is deprecated, please move from python3-pypdf2 to python3-pypdf

[Scott Kitterman]

On Sun, 21 Jan 2024 12:19:23 -0500 Scott Kitterman  
wrote:

> As we approach the first anniversary for this bug, an update:
> 
> I've recently adopted pypdf and pypdf2 into the Debian Python Team in 
response 
> to an RFA for both packages.  As these are somewhat security sensitive 
> packages (among my first acts after adopting the packages was to upload 
> proposed updates for both to address minor security issues in Bookworm in 
the 
> next point release - same bug in both), I do not think we should release 
> pypdf2 in Trixie and have filed an RC bug to that effect.
> 
> If you want this package to be in Trixie, you will need to use pypdf instead 
> of pypdf2.

Now that pypdf2 is removed from Trixie, bumping to serious.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1061261: odoo: Uses deprecated/to be removed PyPDF2

[Scott Kitterman]

On Sun, 21 Jan 2024 12:17:53 -0500 Scott Kitterman  
wrote:

> I've recently adopted pypdf and pypdf2 into the Debian Python Team in 
response to an RFA for both packages.  As these are somewhat security 
sensitive packages (among my first acts after adopting the packages was to 
upload proposed updates for both to address minor security issues in Bookworm 
in the next point release - same bug in both), I do not think we should 
release pypdf2 in Trixie and have filed an RC bug to that effect.
> 
> If you want this package to be in Trixie, you will need to use pypdf instead 
of pypdf2.

Now that pypdf2 is removed from Trixie, updating to serious.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1029734: pypdf2 is deprecated, please move from python3-pypdf2 to python3-pypdf

[Scott Kitterman]

On Sun, 21 Jan 2024 12:08:35 -0500 Scott Kitterman  
wrote:

> As we approach the first anniversary for this bug, an update:
> 
> I've recently adopted pypdf and pypdf2 into the Debian Python Team in 
response 
> to an RFA for both packages.  As these are somewhat security sensitive 
> packages (among my first acts after adopting the packages was to upload 
> proposed updates for both to address minor security issues in Bookworm in 
the 
> next point release - same bug in both), I do not think we should release 
> pypdf2 in Trixie and have filed an RC bug to that effect.
> 
> If you want this package to be in Trixie, you will need to use pypdf instead 
> of pypdf2.

Now that pypdf2 has been removed from Trixie, bumping to serious.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1029733: pypdf2 is deprecated, please move from python3-pypdf2 to python3-pypdf

[Scott Kitterman]

On Sun, 21 Jan 2024 12:07:19 -0500 Scott Kitterman  
wrote:
> As we approach the first anniversary for this bug, an update:
> 
> I've recently adopted pypdf and pypdf2 into the Debian Python Team in 
response 
> to an RFA for both packages.  As these are somewhat security sensitive 
> packages (among my first acts after adopting the packages was to upload 
> proposed updates for both to address minor security issues in Bookworm in 
the 
> next point release - same bug in both), I do not think we should release 
> pypdf2 in Trixie and have filed an RC bug to that effect.
> 
> If you want this package to be in Trixie, you will need to use pypdf instead 
> of pypdf2.

Now that pypdf2 is removed from Trixie, bumping to serious.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1061264: ocrmypdf: Uses deprecated/to be removed pypdf2 in autopkgtest

[Scott Kitterman]

On Sun, 21 Jan 2024 13:14:34 -0500 Scott Kitterman  
wrote:
> Source: ocrmypdf
> Version: 15.2.0+dfsg1-1
> Severity: wishlist
> 
> I've recently adopted pypdf and pypdf2 into the Debian Python Team in 
response to an RFA for both packages.  As these are somewhat security 
sensitive packages (among my first acts after adopting the packages was to 
upload proposed updates for both to address minor security issues in Bookworm 
in the next point release - same bug in both), I do not think we should 
release pypdf2 in Trixie and have filed an RC bug to that effect.
> 
> ocrmypdf uses the package in debian/tests/control.  Please update to use
> python3-pypdf insteadm.

Pypdf2 has been removed from testing, so this is now serious.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1066962: wxwidgets3.2: 1 testsuite failed on loong64

[Scott Talbert]

On Sat, 16 Mar 2024 15:21:57 +0800 zhangdandan
 wrote:
> Source: wxwidgets3.2
> Version: 3.2.4+dfsg-3.1
> Severity: serious
> Tags: help
> User: debian-loonga...@lists.debian.org
> Usertags: loong64
> 
> Dear maintainers,
> 
> The following test failed on the loongarch64 architecture, compiled
20 
> hours ago (March 16th).
> ```
> -
--
> URLTestCase
>    GetInputStream
> -
--
> ./uris/url.cpp:37
>
...

> 
> ./uris/url.cpp:89: FAILED:
>    REQUIRE( in_stream )
> with expansion:
>    0
> 
>
===

> test cases: 312 | 311 passed | 1 failed
> assertions: 1230238 | 1230237 passed | 1 failed
> 
> make[1]: *** [debian/rules:89: override_dh_auto_test] Error 1
> make[1]: Leaving directory '/<>'
> make: *** [debian/rules:22: binary-arch] Error 2
> dpkg-buildpackage: error: debian/rules binary-arch subprocess
returned 
> exit status 2
> ```
> The full build log can be found at 
>
https://buildd.debian.org/status/package.php?p=wxwidgets3.2=sid.
> 
> I have reproduced the above testsuite issues on my local loong64
rootfs 
> environment.
> After analyzing, I don't think this error has anything to do with 
> architecture.
> So please focus on this test case failure.
> 
> thanks,
> Dandan Zhang

Hello,

This particular test is supposed to be skipped if the build host
doesn't have network connectivity.  Does the loong64 buildd have
network connectivity (unlike the other buildd's)?

Unfortunately, there doesn't appear to be a loong64 porterbox, so I'm
unable to look into why this is failing.

Regards,
Scott 

Bug#1067051: python3-fs: Switch from appdirs to platformdirs

[Scott Kitterman]

Package: python3-fs
Version: 2.4.16-2
Severity: important

Python3-fs uses python3-appdirs, which is dead upstream.  It is being
replaced by python3-platformdirs.  As a maintainer of appdirs, I would
prefer that we do not release Trixie with appdirs.  As far as I can
tell, python3-fs is the only critical package that uses it, so if
python3-fs were ported to platformdirs, it could be removed.

I investigated and it's more than just s/appdirs/platformdirs// for some
reason (mostly that is all that's needed to port to platformdirs).
Upstream for fs looks pretty dead, so it may be a long wait for an
upstream solution.

Scott K

Bug#1066838: hplip: Files remain after purge

[Scott Kitterman]

Package: hplip
Version: 3.22.10+dfsg0-2
Severity: important

After removing and then purging hplip, the __pycache__ directories
remain.

# apt purge hplip
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be REMOVED:
  hplip*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
(Reading database ... 358577 files and directories currently installed.)
Purging configuration files for hplip (3.22.10+dfsg0-2) ...
Processing triggers for dbus (1.14.10-1~deb12u1) ...

# ls -R /usr/share/hplip/
/usr/share/hplip/:
base  copier  fax  installer  pcard  prnt  __pycache__  scan  ui5

/usr/share/hplip/base:
pexpect  __pycache__

/usr/share/hplip/base/pexpect:
__pycache__

/usr/share/hplip/base/pexpect/__pycache__:

/usr/share/hplip/base/__pycache__:

/usr/share/hplip/copier:
__pycache__

/usr/share/hplip/copier/__pycache__:

/usr/share/hplip/fax:
__pycache__

/usr/share/hplip/fax/__pycache__:

/usr/share/hplip/installer:
__pycache__

/usr/share/hplip/installer/__pycache__:

/usr/share/hplip/pcard:
__pycache__

/usr/share/hplip/pcard/__pycache__:

/usr/share/hplip/prnt:
__pycache__

/usr/share/hplip/prnt/__pycache__:

/usr/share/hplip/__pycache__:

/usr/share/hplip/scan:
__pycache__

/usr/share/hplip/scan/__pycache__:

/usr/share/hplip/ui5:
__pycache__

/usr/share/hplip/ui5/__pycache__:

Scott K


-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-18-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages hplip depends on:
ii  adduser3.134
ii  cups   2.4.2-3+deb12u5
pn  hplip-data 
ii  libc6  2.36-9+deb12u4
ii  libcups2   2.4.2-3+deb12u5
ii  libdbus-1-31.14.10-1~deb12u1
ii  libhpmud0  3.22.10+dfsg0-2
ii  libpython3.11  3.11.2-6
pn  libsane-hpaio  
ii  libsane1   1.2.1-2
ii  lsb-base   11.6
ii  printer-driver-hpcups  3.22.10+dfsg0-2
ii  python33.11.2-1+b1
ii  python3-dbus   1.3.2-4+b1
ii  python3-gi 3.42.2-3+b1
pn  python3-pexpect
ii  python3-pil9.4.0-1.1+b1
pn  python3-reportlab  
ii  sysvinit-utils [lsb-base]  3.06-4
ii  wget   1.21.3-1+b2
ii  xz-utils   5.4.1-0.2

Versions of packages hplip recommends:
ii  avahi-daemon  0.8-10
ii  policykit-1   122-3
ii  printer-driver-postscript-hp  3.22.10+dfsg0-2
ii  sane-utils1.2.1-2

Versions of packages hplip suggests:
pn  hplip-doc  
pn  hplip-gui  
ii  python3-notify20.3-5
ii  system-config-printer  1.5.18-1

Bug#1063771: Also needed for aioquic

[Scott Kitterman]

This is starting to affect a lot of things.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1065312: RM: deborphan -- ROM; missing too many dpkg features, thus broken and unreliable

[Scott Kitterman]

On March 10, 2024 3:23:32 PM UTC, "Martin-Éric Racine" 
 wrote:
>On Sat, 2 Mar 2024 18:40:13 +0100 Chris Hofstaedtler  wrote:
>> * Christoph Biedl  [240302 17:02]:
>> > Chris Hofstaedtler wrote...
>> >
>> > > please remove deborphan. It is stuck, featurewise, in a very old time
>> > > and does not support many currently available dpkg features properly
>> > > (multi-arch, versioned provides, etc).
>> >
>> > FWIW, deborphan is part of my regular workflow, and while you claim
>> > it has defects, it works for me pretty well.
>>
>> It works "well" if you use it in very limited usecases, yes (like I
>> did). It doesn't seem to work well for a lot of people using more of
>> the "features" it has.
>
>Just because it doesn't work for everyone is not a remotely good
>enough reason to ask for its removal. It works for most people. don't
>break it for them.
>
>> The t64 transition will apparently make deborphan mostly useless in
>> trixie.
>>
>> > [..]
>> > So: What are the alternatives? How do they work? Are they a drop-in
>> > replacment or do they introduce new dependencies? Are there feature that
>> > will be no longer supported?
>>
>> release-notes recommends:
>> https://www.debian.org/releases/stable/amd64/release-notes/ch-upgrading.en.html#removing-non-debian-packages
>
>Which has nothing to do with what was asked.
>
>> Some people seem to recommend debfoster.
>
>Which really doesn't provide similar functionality.
>
>> > Leaving users in the void about this is just bad style.
>
>I totally agree. Not wanting to maintain it is a shitty reason for
>asking for its removal. If you don't wanna maintain is, just orphan
>it.


It's really a maintainer call if that's appropriate.  So far no one has jumped 
up to ask if they can take over the package.

Scott K

Bug#1065158: postfix: FTBFS: missing build-dep on libnsl-dev

[Scott Kitterman]

On Fri, 01 Mar 2024 11:33:37 +0100 Aurelien Jarno  wrote:
> Source: postfix
> Version: 3.8.5-1
> Severity: serious
> Tags: ftbfs
> Justification: fails to build from source (but built successfully in the 
past)
> User: debian-gl...@lists.debian.org
> Usertags: libnsl-dev
> 
> Dear maintainer,
> 
> Starting with glibc 2.31, support for NIS (libnsl library) has been
> moved to a separate libnsl2 package. In order to allow a smooth
> transition, a libnsl-dev has been added to the libc6-dev package.
> 
> This dependency has been temporarily dropped in the 2.37-15.1 NMU, as
> part of the 64-bit time_t transition. This causes postfix to FTBFS in
> sid with:
> 
> | gcc -fPIC -I. -I../../include -DDEBIAN -DHAS_PCRE=2 -DHAS_LDAP -
DUSE_LDAP_SASL -DHAS_SQLITE -DMYORIGIN_FROM_FILE -DHAS_CDB -DHAS_LMDB -
DHAS_MYSQL -I/usr/include/mysql -DHAS_PGSQL -I/usr/include/postgresql -
DHAS_SQLITE -DHAS_SSL -I/usr/include/openssl -DUSE_SASL_AUTH -I/usr/include/
sasl -DUSE_CYRUS_SASL -DUSE_TLS -DHAS_DEV_URANDOM -DDEF_DAEMON_DIR=\"/usr/lib/
postfix/sbin\" -DDEF_HTML_DIR=\"/usr/share/doc/postfix/html\" -
DDEF_MANPAGE_DIR=\"/usr/share/man\" -DDEF_README_DIR=\"/usr/share/doc/postfix\" 
-DUSE_DYNAMIC_LIBS -DUSE_DYNAMIC_MAPS -Wmissing-prototypes -Wformat -Wno-
comment -fno-common -fPIC  -Wdate-time -D_FORTIFY_SOURCE=2 -U_FORTIFY_SOURCE -
D_FORTIFY_SOURCE=3 -g -O2 -ffile-prefix-map=/<>=. -flto=auto -ffat-
lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -
Werror=format-security -fcf-protection -flto=auto -ffat-lto-objects 
-Wl,-z,relro 
-Wl,-z,now -I. -DLINUX6 -c dict_nis.c
> | dict_nis.c:42:10: fatal error: rpcsvc/ypclnt.h: No such file or directory
> |42 | #include 
> |   |  ^
> | compilation terminated.
> | make: *** [Makefile:220: dict_nis.o] Error 1
> | make: *** Waiting for unfinished jobs
> | make: Leaving directory '/<>/src/util'
> | make[2]: *** [Makefile:114: update] Error 1
> | make[2]: Leaving directory '/<>'
> | dh_auto_build: error: make -j3 "INSTALL=install --strip-program=true" 
returned exit code 2
> | make[1]: *** [debian/rules:90: override_dh_auto_build] Error 25
> | make[1]: Leaving directory '/<>'
> | make: *** [debian/rules:63: binary] Error 2
> 
> This could be fixed by adding an explicit Build-Depends on libnsl-dev.
> The glibc change will likely be reverted in the short term, but given
> its a change we want to do for Trixie, this will only lower the severity
> of the bug.

This doesn't currently cause a FTBFS in Testing and it's fixed in Unstable, so 
lowering severity to important.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1065743: bullseye-pu: package postfix/3.5.24-0+deb11u1

[Scott Kitterman]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: post...@packages.debian.org
Control: affects -1 + src:postfix

[ Reason ]
Usual postfix maintenance update.  Note that this is the final planned
update for postfix 3.5.

[ Impact ]
Users continue to have the bugs that this update fixes.

[ Tests ]
The package has an autopkgtest, which passes.  Additionally, I have it
installed on one server and have tested that it works.

[ Risks ]
Risk is very low.  Upstream has an excellent record for post-release
updates and the changes are small.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
- Bugfix (defect introduced: Postfix 2.3, date 20051222): the
  Dovecot auth client did not reset the 'reason' from  a
  previous Dovecot auth service response, before parsing the
  next Dovecot auth server response in the same SMTP session.
  Reported by Stephan Bosch, File: xsasl/xsasl_dovecot_server.c.
- Cleanup: Postfix SMTP server response with an empty
  authentication failure reason. File: smtpd/smtpd_sasl_glue.c.
- Bugfix (defect introduced: Postfix 3.1, date: 20151128):
  "postqueue -j" produced broken JSON when escaping a control
  character as \u. Found during code maintenance. File:
  postqueue/showq_json.c.
- Cleanup: posttls-finger certificate match expectations for
  all TLS security levels, including warnings for levels that
  don't implement certificate matching. Viktor Dukhovni.
  File: posttls-finger.c.  
- Bugfix (defect introduced: Postfix 2.3): after prepending
  a message header with a Postfix access table PREPEND action,
  a Milter request to delete or update an existing header
  could have no effect, or it could target the wrong instance
  of an existing header. Root cause: the fix dated 20141018
  for the Postfix Milter client was incomplete. The client
  did correctly hide the first, Postfix-generated, Received:
  header when sending message header information to a Milter
  with the smfi_header() application callback function, but
  it was still hiding the first header (instead of the first
  Received: header) when handling requests from a Milter to
  delete or update an existing header. Problem report by
  Carlos Velasco. This change was verified to have no effect
  on requests from a Milter to add or insert a header. File:
  cleanup/cleanup_milter.c.
- Workaround: tlsmgr logfile spam. Some OS lies under load:
  it says that a socket is readable, then it says that the
  socket has unread data, and then it says that read returns
  EOF, causing Postfix to spam the log with a warning message.
  File: tlsmgr/tlsmgr.c.
- Bugfix (defect introduced: Postfix 3.4): the SMTP server's
  BDAT command handler could be tricked to read $message_size_limit
  bytes into memory. Found during code maintenance. File:
  smtpd/smtpd.c.
- Performance: eliminate worst-case behavior where the queue
  manager defers delivery to all destinations over a specific
  delivery transport, after only a single delivery agent
  failure. The scheduler now throttles one destination, and
  allows deliveries to other destinations to keep making
  progress. Files: *qmgr/qmgr_deliver.c.
- Safety: drop and log over-size DNS responses resulting in
  more than 100 records. This 20x larger than the number of
  server addresses that the Postfix SMTP client is willing
  to consider when delivering mail, and is well below the
  number of records that could cause a tail recursion crash
  in dns_rr_append() as reported by Toshifumi Sakaguchi. This
  also limits the number of DNS requests from check_*_*_access
  restrictions. Files: dns/dns.h, dns/dns_lookup.c, dns/dns_rr.c,
  dns/test_dns_lookup.c, posttls-finger/posttls-finger.c,
  smtp/smtp_addr.c, smtpd/smtpd_check.c.

[ Other info ]
Changes are already in Unstable in 3.8.6 and uploaded pending SRM review
for bookworm (3.7.9).

Scott K
diff -Nru postfix-3.5.24/debian/changelog postfix-3.5.25/debian/changelog
--- postfix-3.5.24/debian/changelog 2024-01-27 10:21:04.0 -0500
+++ postfix-3.5.25/debian/changelog 2024-03-09 10:38:51.0 -0500
@@ -1,3 +1,66 @@
+postfix (3.5.25-0+deb11u1) bullseye; urgency=medium
+
+  [Wietse Venema]
+
+  * 3.5.25
+- Bugfix (defect introduced: Postfix 2.3, date 20051222): the
+  Dovecot auth client did not reset the 'reason' from  a
+  previous Dovecot auth service response, before parsing the
+  next Dovecot auth server response in the same SMTP session.
+  Reported by Stephan Bosch, File: xsasl/xsasl_dovecot_server.c.
+- Cleanup: Po

Bug#1065562: bookworm-pu: package postfix/3.7.10-0+deb12u1

[Scott Kitterman]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: post...@packages.debian.org
Control: affects -1 + src:postfix

[ Reason ]
Standard postfix post-release update

[ Impact ]
They will still have the bugs that are fixed by this update.

[ Tests ]
There is an autopkgtest, which passes locally.  I also have the package
in production on one server and it is running fine.

[ Risks ]
Risk is low.  Changes are relatively minor and are as released by
upstream, which has an excellent track record for such things.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
  * 3.7.11
- Bugfix (defect introduced: Postfix 2.3, date 20051222): the
  Dovecot auth client did not reset the 'reason' from  a
  previous Dovecot auth service response, before parsing the
  next Dovecot auth server response in the same SMTP session.
  Reported by Stephan Bosch, File: xsasl/xsasl_dovecot_server.c.
- Cleanup: Postfix SMTP server response with an empty
  authentication failure reason. File: smtpd/smtpd_sasl_glue.c.
- Bugfix (defect introduced: Postfix 3.1, date: 20151128):
  "postqueue -j" produced broken JSON when escaping a control
  character as \u. Found during code maintenance. File:
  postqueue/showq_json.c.
- Cleanup: posttls-finger certificate match expectations for
  all TLS security levels, including warnings for levels that
  don't implement certificate matching. Viktor Dukhovni.
  File: posttls-finger.c.
- Bugfix (defect introduced: Postfix 2.3): after prepending
  a message header with a Postfix access table PREPEND action,
  a Milter request to delete or update an existing header
  could have no effect, or it could target the wrong instance
  of an existing header. Root cause: the fix dated 20141018
  for the Postfix Milter client was incomplete. The client
  did correctly hide the first, Postfix-generated, Received:
  header when sending message header information to a Milter
  with the smfi_header() application callback function, but
  it was still hiding the first header (instead of the first
  Received: header) when handling requests from a Milter to
  delete or update an existing header. Problem report by
  Carlos Velasco. This change was verified to have no effect
  on requests from a Milter to add or insert a header. File:
  cleanup/cleanup_milter.c.
- Workaround: tlsmgr logfile spam. Some OS lies under load:
  it says that a socket is readable, then it says that the
  socket has unread data, and then it says that read returns
  EOF, causing Postfix to spam the log with a warning message.
  File: tlsmgr/tlsmgr.c.
- Bugfix (defect introduced: Postfix 3.4): the SMTP server's
  BDAT command handler could be tricked to read $message_size_limit
  bytes into memory. Found during code maintenance. File:
  smtpd/smtpd.c.
- Performance: eliminate worst-case behavior where the queue
  manager defers delivery to all destinations over a specific
  delivery transport, after only a single delivery agent
  failure. The scheduler now throttles one destination, and
  allows deliveries to other destinations to keep making
  progress. Files: *qmgr/qmgr_deliver.c.
- Safety: drop and log over-size DNS responses resulting in
  more than 100 records. This 20x larger than the number of
  server addresses that the Postfix SMTP client is willing
  to consider when delivering mail, and is well below the
  number of records that could cause a tail recursion crash
  in dns_rr_append() as reported by Toshifumi Sakaguchi. This
  also limits the number of DNS requests from check_*_*_access
  restrictions. Files: dns/dns.h, dns/dns_lookup.c, dns/dns_rr.c,
  dns/test_dns_lookup.c, posttls-finger/posttls-finger.c,
  smtp/smtp_addr.c, smtpd/smtpd_check.c.

[ Other info ]
N/A

Scott K
diff -Nru postfix-3.7.10/debian/changelog postfix-3.7.11/debian/changelog
--- postfix-3.7.10/debian/changelog 2024-01-26 18:44:58.0 -0500
+++ postfix-3.7.11/debian/changelog 2024-03-06 10:10:14.0 -0500
@@ -1,3 +1,66 @@
+postfix (3.7.11-0+deb12u1) bookworm; urgency=medium
+
+  [Wietse Venema]
+
+  * 3.7.11
+- Bugfix (defect introduced: Postfix 2.3, date 20051222): the
+  Dovecot auth client did not reset the 'reason' from  a
+  previous Dovecot auth service response, before parsing the
+  next Dovecot auth server response in the same SMTP session.
+  Reported by Stephan Bosch, File: xsasl/xsasl_dovecot_server.c.
+- Cleanup: Postfix SMTP server response with an empty
+  authentication failure reason. File: smtpd/smtpd_sasl_glue.c.
+  

Bug#1065312: RM: deborphan -- ROM; missing too many dpkg features, thus broken and unreliable

[Scott Kitterman]

Generally in the FTP Team we trust maintainer's judgement when it comes to 
deciding if a package should be removed rather than orphaned and left to rot.

I looked and it's been about 5 years since anyone other than Chris has uploaded 
the package and he's the only human maintainer.

It is both a feature and a bug that in Debian, we're all volunteers and can 
choose how we volunteer.

I don't see anyone volunteering to step up and take over, so in the end, the 
maintainer's judgement is what has to control.

Scott K

Bug#1065007: pycurl: Please reconsider SSL choice (OpenSSL instead of GnuTLS)

[Scott Talbert]

On Wed, 28 Feb 2024, Boyuan Yang wrote:


Source: pycurl
Version: 7.45.2-7
Severity: normal
X-Debbugs-CC: s...@techie.net

Dear Debian pycurl maintainer,

I was made aware of issues encountered by multiple users due to pycurl using
GnuTLS instead of OpenSSL. Reviewing https://bugs.debian.org/515200 , it looks 
like the
only reason of not using OpenSSL is the old OpenSSL licensing issue in the past.

With OpenSSL 3.0 and later, linking against OpenSSL is obviously no longer 
problematic
due to license switching to Apache-2.0. As a result, I am once again requesting 
using
OpenSSL for SSL implementation for pycurl or at least adding an option for 
users to select.

Currently I believe several options exist:

1) Switch the default package python3-pycurl to use OpenSSL.
2) Add a new binary package python3-pycurl-openssl, which is linked to OpenSSL.
3) Add binary packages python3-pycurl-openssl and python3-pycurl-gnutls, and let
python3-pycurl to be an empty dependency package that may default to a certain
implementation of your choice.

In any case, the binary packages providing the same files and the same
functionalities shall mutually conflict with each other.

If you need patches for any of the choices, please let me know. Please also let 
me
know if you have any comments. If needed, I can make package uploads via Team 
upload.
Thanks!


Thanks for CC'ing me on the bug report.

I don't have any objections to rebuilding pycurl with openssl.  I don't 
see a lot of value in having the added complexity of building both 
versions, so I'm fine with just switching to openssl.  I'm in the middle 
of a new upstream release right now, but I'll plan to switch it after 
that.


Scott

Bug#1064284: [pcp] Bug#1064284: pcp: NMU diff for 64-bit time_t transition

[Nathan Scott]

Hi Steve,

On Tue, Feb 20, 2024 at 3:11 PM Steve Langasek  wrote:
> [...]
> To ensure that inconsistent combinations of libraries with their
> reverse-dependencies are never installed together, it is necessary to
> have a library transition, which is most easily done by renaming the
> runtime library package.
>
> Since turning on 64-bit time_t is being handled centrally through a change
> to the default dpkg-buildflags (https://bugs.debian.org/1037136), it is
> important that libraries affected by this ABI change all be uploaded close
> together in time.  Therefore I have prepared a 0-day NMU for pcp
> which will initially be uploaded to experimental if possible, then to
> unstable after packages have cleared binary NEW.
>
> Please find the patch for this NMU attached.
>
> If you have any concerns about this patch, please reach out ASAP.

Thanks for preparing the patch, sorry for not getting back to you
sooner (I've been away).

I have discussed with other PCP maintainers and we'd prefer an
approach where we simply exclude PCP from the few remaining 32 bit
platforms, from the next major release onward.  This is consistent
with the approach taken with other distributions and avoids the
package name mangling and general user confusion that will result for
our packages.

> [...] if information
> becomes available that your package should not be included in the transition,
> there is time for us to amend the planned uploads.

cheers.

--
Nathan

Bug#1063476: the sanesecurity configuration is not suitable for a release

[Scott Kitterman]

On Fri, 16 Feb 2024 09:17:40 -0500 Scott Kitterman  
wrote:
> On Thu, 8 Feb 2024 19:35:50 +0100 Marco d'Itri  wrote:
> > Source: fangfrisch
> > Version: 1.7.0-1
> > Severity: grave
> > Tags: upstream
> > 
> > Control: forwarded -1 https://github.com/rseichter/fangfrisch/issues/30
> > 
> > The sanesecurity section of default configuration, if enabled, relies on 
> > an unofficial HTTP mirror which is seriously overloaded and probably 
> > seriously expensive for their operators, since it is located in 
> > Australia.
> > The only other known HTTP mirror is mentioned on 
> > https://wiki.gentoo.org/wiki/ClamAV_Unofficial_Signatures, with a vague 
> > note about it being available to the public.
> > 
> > Until fangfrisch will implement rsync support, I do not think that it is 
> > safe to include fangfrisch in a Debian release due to the possible 
> > effect on unsuspecting third party mirrors.
> > 
> > This has also been discussed upstream:
> > https://github.com/rseichter/fangfrisch/issues/30
> 
> I don't know that I'd call this fixed upstream, since the package is not 
> directly using rsync, but the fact that he's now rsyncing from sanesecurity 
> and running his own mirror is progress (that only person he can DoS is 
> himself) is progress.
> 
> If we update to 1.8.0, I don't think we should mark this bug done, but it 
> might be reasonable to change the severity to Important.  What do you think?

Upon further reflection, I'm going to mark this as done in 1.8.0.  The specific 
issue raised in the bug is resolved.  Direct support for rsync would be 
better, but I think we've cleared this particular hurdle for releasability.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1063771: Please update to version 42, needed for new dnspython

[Scott Kitterman]

On Tue, 13 Feb 2024 18:30:42 -0500 Scott Kitterman  
wrote:
> On Tue, 13 Feb 2024 10:16:23 +0100 Jérémy Lal  wrote:
> > Will do, but right now there are a bunch of rust dependencies that need to
> > be upgraded.
> 
> Thanks,

I got a one release reprieve from the dnspython upstream, so I'm good with 
version 41, for now, but will definitely need 42 for the next release, which is 
nominally in a few months.

Appreciate your work on the package.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1063771: Please update to version 42, needed for new dnspython

[Scott Kitterman]

On Tue, 13 Feb 2024 10:16:23 +0100 Jérémy Lal  wrote:
> Will do, but right now there are a bunch of rust dependencies that need to
> be upgraded.

Thanks,

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1063821: bullseye-pu: package python-dnslib/0.9.14-1

[Scott Kitterman]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


[ Reason ]
Address no-dsa CVE.  CVE-2022-22846

[ Impact ]
Continued vulnerability to minor issue.

[ Tests ]
Package has tests which are run via autopkgtest and during the build.
Both pass locally with the added patch.

[ Risks ]
Risk is minimal.  Patch is from upstream and has been around for awhile
without known issues.  Change is trivial.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Add verify that the ID value in a DNS reply matches an ID value in a query.

[ Other info ]
I've only ever used this for running local tests to mock DNS responses,
which is not a case that's at risk for this issue, but it did occur to
me others may use it differently, so probably better to fix it.

Scott K
diff -Nru python-dnslib-0.9.14/debian/changelog 
python-dnslib-0.9.14/debian/changelog
--- python-dnslib-0.9.14/debian/changelog   2020-06-10 00:51:44.0 
-0400
+++ python-dnslib-0.9.14/debian/changelog   2024-02-12 19:43:55.0 
-0500
@@ -1,3 +1,9 @@
+python-dnslib (0.9.14-1+deb11u1) bullseye; urgency=medium
+
+  * Add d/p/0002-Validate-TXID-in-client.py.patch to address CVE-2022-22846
+
+ -- Scott Kitterman   Mon, 12 Feb 2024 19:43:55 -0500
+
 python-dnslib (0.9.14-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru 
python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch 
python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch
--- python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch   
1969-12-31 19:00:00.0 -0500
+++ python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch   
2024-02-12 19:42:50.0 -0500
@@ -0,0 +1,24 @@
+From: Scott Kitterman 
+Date: Sat, 12 Feb 2024 19:41:26 -0500
+Subject: Validate TXID in client.py
+Fixes CVE-2022-22846
+Origin: backport, 
https://github.com/paulc/dnslib/commit/76e8677699ed098387d502c57980f58da642aeba
+
+---
+ dnslib/client.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/dnslib/client.py b/dnslib/client.py
+index 628ea81..09572b6 100644
+--- a/dnslib/client.py
 b/dnslib/client.py
+@@ -76,6 +76,9 @@ if __name__ == '__main__':
+ a_pkt = q.send(address,port,tcp=args.tcp)
+ a = DNSRecord.parse(a_pkt)
+ 
++if q.header.id != a.header.id:
++raise DNSError('Response transaction id does not match query 
transaction id')
++
+ if a.header.tc and args.noretry == False:
+ # Truncated - retry in TCP mode
+ a_pkt = q.send(address,port,tcp=True)
diff -Nru python-dnslib-0.9.14/debian/patches/series 
python-dnslib-0.9.14/debian/patches/series
--- python-dnslib-0.9.14/debian/patches/series  2020-06-10 00:50:31.0 
-0400
+++ python-dnslib-0.9.14/debian/patches/series  2024-02-12 19:43:55.0 
-0500
@@ -1 +1,2 @@
 0001-Only-run-tests-for-python3.patch
+0002-Validate-TXID-in-client.py.patch

Bug#1063771: python-cryptography: Please update to version 42, needed for new dnspython

[Scott Kitterman]

Source: python-cryptography
Version: 41.0.7-3
Severity: wishlist

There is a new dnspython release candidate out, 2.6.0~rc1.  Typically,
final releases follow in a few weeks.  It has a hard requirement for
version 42 to continue to support dnssec, which is important.

It would be great if you could update the package so we can update
dnspython without losing dnssec support.

Thanks,

Scott K

Bug#1063752: custodian: Inappriate maintainer address

[Scott Kitterman]

Source: custodian
Version: 2024.1.9-2
Severity: serious
Justification: Policy 3.3

Policy 3.3 says that maintainer addresses must accept mail from Debian
role accounts.  This one, apparently, does not:

From:   debichem-devel-ow...@alioth-lists.debian.net
To: ftpmas...@ftp-master.debian.org
Sender: Debichem-devel 

List-Id:Debichem development list 

Date:   2/11/24 10:10 PM
Spam Status:Spamassassin 
You are not allowed to post to this mailing list From: a domain which
publishes a DMARC policy of reject or quarantine, and your message has
been automatically rejected.  If you think that your messages are
being rejected in error, contact the mailing list owner at
debichem-devel-ow...@alioth-lists.debian.net.

Scott K

Bug#1063462: pycurl: FTBFS during tests: GnuTLS recv error (-110): The TLS connection was non-properly terminated

[Scott Talbert]

Control: reassign -1 src:curl 8.6.0-1
Control: affects -1 src:pycurl

On Thu, 8 Feb 2024, Emanuele Rocca wrote:


Source: pycurl
Version: 7.45.2-7
Severity: serious
Justification: fails to build from source (but built successfully in the past)
Tags: sid trixie ftbfs

Dear Maintainer,

pycurl currently fails to build from source on amd64 and arm64 with the
following error:

=== FAILURES ===
__ CertinfoTest.test_request_without_certinfo __

self = 

   @util.min_libcurl(7, 19, 1)
   @util.only_ssl
   def test_request_without_certinfo(self):
   self.curl.setopt(pycurl.URL, 'https://localhost:8383/success')
   sio = util.BytesIO()
   self.curl.setopt(pycurl.WRITEFUNCTION, sio.write)
   # self signed certificate
   self.curl.setopt(pycurl.SSL_VERIFYPEER, 0)

  self.curl.perform()

E   pycurl.error: (56, 'GnuTLS recv error (-110): The TLS connection was 
non-properly terminated.')

tests/certinfo_test.py:34: error
=== warnings summary ===
../../../usr/lib/python3/dist-packages/bottle.py:38
 /usr/lib/python3/dist-packages/bottle.py:38: DeprecationWarning: 'cgi' is 
deprecated and slated for removal in Python 3.13
   import base64, cgi, email.utils, functools, hmac, itertools, mimetypes,\

-- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
===Flaky Test Report===
=== short test summary info 
FAILED tests/certinfo_test.py::CertinfoTest::test_request_without_certinfo - ...
= 1 failed, 404 passed, 19 skipped, 5 deselected, 1 warning in 15.80s ==


This is a regression in curl 8.6.0.  It has already been fixed/reverted 
upstream: 
https://github.com/curl/curl/commit/ed09a99af57200643d5ae001e815eeab9ffe3f84


Cherry-picking that commit should fix the issue.

Regards,
Scott

Bug#1063723: bullseye-pu: package pypdf2/1.26.0-4

[Scott Kitterman]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Fixes two no-DSA CVE issues.

[ Impact ]
Continued low level security risk.

[ Tests ]
None that are run in the Debian package or autopkgtest.

[ Risks ]
Risk is low.  Code changes are relatively simple and were provided by
upstream.  These same two patches were previously released for LTS with
no known issues.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
  * Forward-port CVE fixes by LTS team
- CVE-2023-36810: Quadratic runtime with malformed PDF missing xref marker.
- Fix CVE-2022-24859:
Sebastian Krause discovered that manipulated inline images can force
PyPDF2, a pure Python PDF library, into an infinite loop, if a
maliciously crafted PDF file is processed.

[ Other info ]
This may show up as an NMU (lintian things so), but I'm the maintainer
now for Testing/Unstable.  I chose not to update the maintainer fields
in this update to keep it minimal to address the issues.

Scott K
diff -Nru pypdf2-1.26.0/debian/changelog pypdf2-1.26.0/debian/changelog
--- pypdf2-1.26.0/debian/changelog  2020-01-19 03:08:58.0 -0500
+++ pypdf2-1.26.0/debian/changelog  2024-02-11 13:50:22.0 -0500
@@ -1,3 +1,14 @@
+pypdf2 (1.26.0-4+deb11u1) bullseye; urgency=medium
+
+  * Forward-port CVE fixes by LTS team
+- CVE-2023-36810: Quadratic runtime with malformed PDF missing xref marker.
+- Fix CVE-2022-24859:
+Sebastian Krause discovered that manipulated inline images can force
+PyPDF2, a pure Python PDF library, into an infinite loop, if a
+maliciously crafted PDF file is processed.
+
+ -- Scott Kitterman   Sun, 11 Feb 2024 13:50:22 -0500
+
 pypdf2 (1.26.0-4) unstable; urgency=medium
 
   * Remove Python 2 from build dependencies (closes: #937505).
diff -Nru 
pypdf2-1.26.0/debian/patches/0001-MAINT-Quadratic-runtime-while-parsing-reduced-to-lin.patch
 
pypdf2-1.26.0/debian/patches/0001-MAINT-Quadratic-runtime-while-parsing-reduced-to-lin.patch
--- 
pypdf2-1.26.0/debian/patches/0001-MAINT-Quadratic-runtime-while-parsing-reduced-to-lin.patch
1969-12-31 19:00:00.0 -0500
+++ 
pypdf2-1.26.0/debian/patches/0001-MAINT-Quadratic-runtime-while-parsing-reduced-to-lin.patch
2024-02-11 13:49:50.0 -0500
@@ -0,0 +1,50 @@
+From 82ee233ea82a40c626e95a191fe2d52c745db870 Mon Sep 17 00:00:00 2001
+From: dsk7 
+Date: Sat, 23 Apr 2022 19:12:13 +0200
+Subject: MAINT: Quadratic runtime while parsing reduced to linear  (#808)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When the PdfFileReader tries to find the xref marker, the readNextEndLine 
methods builds a so called line by reading byte-for-byte. Every time a new byte 
is read, it is concatenated with the currently read line. This leads to 
quadratic runtime O(n²) behavior as Python strings (also byte-strings) are 
immutable and have to be copied where n is the size of the file.
+For files where the xref marker can not be found at the end this takes a 
enormous amount of time:
+
+* 1mb of zeros at the end: 45.54 seconds
+* 2mb of zeros at the end: 357.04 seconds
+(measured on a laptop made in 2015)
+
+This pull request changes the relevant section of the code to become linear 
runtime O(n), leading to a run time of less then a second for both cases 
mentioned above. Furthermore this PR adds a regression test.
+---
+ PyPDF2/pdf.py | 8 
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/PyPDF2/pdf.py b/PyPDF2/pdf.py
+index 9979414..8b355e0 100644
+--- a/PyPDF2/pdf.py
 b/PyPDF2/pdf.py
+@@ -1930,7 +1930,7 @@ class PdfFileReader(object):
+ def readNextEndLine(self, stream):
+ debug = False
+ if debug: print(">>readNextEndLine")
+-line = b_("")
++line_parts = []
+ while True:
+ # Prevent infinite loops in malformed PDFs
+ if stream.tell() == 0:
+@@ -1957,10 +1957,10 @@ class PdfFileReader(object):
+ break
+ else:
+ if debug: print("  x is neither")
+-line = x + line
+-if debug: print(("  RNEL line:", line))
++line_parts.append(x)
+ if debug: print("leaving RNEL")
+-return line
++line_parts.reverse()
++return b"".join(line_parts)
+ 
+ def decrypt(self, password):
+ """
+-- 
+2.30.2
+
diff -Nru pypdf2-1.26.0/debian/patches/CVE-2022-24859.patch 
pypdf2-1.26.0/debian/patches/CVE-2022-24859.patch
--- pypdf2-1.26.0/debian/patches/CVE-2022-24859.patch   1969-12-31 
19:00:00.0 -0500
+++ pypdf2-1.26.0/debian/patches/C

Bug#1060934: pycountry: FTBFS: dh_auto_test: error: pybuild --test -i python{version} -p "3.12 3.11" returned exit code 13

[Scott Kitterman]

It's been a couple of weeks and no action upstream.  I'll plan on uploading 
this unless you'd rather I hold off for some reason.

Scott K

On Wed, 24 Jan 2024 16:56:30 -0500 Scott Kitterman  
wrote:
> On Tue, 16 Jan 2024 20:41:58 +0100 Lucas Nussbaum  wrote:
> > Source: pycountry
> > Version: 23.12.11+ds1-1
> > Severity: serious
> > Justification: FTBFS
> > Tags: trixie sid ftbfs
> > User: lu...@debian.org
> > Usertags: ftbfs-20240115 ftbfs-trixie
> > 
> > Hi,
> > 
> > During a rebuild of all packages in sid, your package failed to build
> > on amd64.
> 
> This is due to changes in the recent iso-codes upload.  the patch below fixes 
> it so it should work with either version:
> 
> --- pycountry-23.12.11+ds1.orig/src/pycountry/__init__.py
> +++ pycountry-23.12.11+ds1/src/pycountry/__init__.py
> @@ -169,7 +169,8 @@ class SubdivisionHierarchy(pycountry.db.
>  kw["parent_code"] = None
>  super().__init__(**kw)
>  self.country_code = self.code.split("-")[0]
> -if self.parent_code is not None:
> +if (self.parent_code is not None and
> +self.country_code != self.parent_code.split("-")[0]):
>  self.parent_code = f"{self.country_code}-{self.parent_code}"
>  
>  @property
> 
> Please let me know if you don't want an NMU.  This will eventually cause 
> xml2rfc to be removed, so I'll NMU at some point unless you want to take 
care 
> of it first (thanks if you do).
> 
> Scott K
=<2567281.9CzbHMAgVU@zini-1880>

signature.asc
Description: This is a digitally signed message part.

Bug#1063321: libwxgtk3.2-1t64 has an undeclared file conflict

[Scott Talbert]

On Fri, 9 Feb 2024, Scott Talbert wrote:


On Tue, 6 Feb 2024, Helmut Grohne wrote:


Package: libwxgtk3.2-1t64
Version: 3.2.4+dfsg-3.1~exp1
Severity: serious
User: debian...@lists.debian.org
Usertags: fileconflict
Control: affects -1 + libwxgtk-gl3.2-1 libwxgtk-gl3.2-1t64 
libwxgtk-media3.2-1 libwxgtk-media3.2-1t64 libwxgtk-webview3.2-1 
libwxgtk-webview3.2-1t64

X-Debbugs-Cc: vor...@debian.org

libwxgtk3.2-1t64 has an undeclared file conflict. This may result in an
unpack error from dpkg.


Hello Steve,

Are you planning on fixing this, or would you like me to?  If the latter, how 
would you like the fix submitted before this is uploaded to unstable?


Sending to your vor...@dodds.net as your mail server rejected the mail 
sent through debian.org with some sort of SPF error.  Probably something 
the debian server is doing?


Scott

Bug#1063321: libwxgtk3.2-1t64 has an undeclared file conflict

[Scott Talbert]

On Tue, 6 Feb 2024, Helmut Grohne wrote:


Package: libwxgtk3.2-1t64
Version: 3.2.4+dfsg-3.1~exp1
Severity: serious
User: debian...@lists.debian.org
Usertags: fileconflict
Control: affects -1 + libwxgtk-gl3.2-1 libwxgtk-gl3.2-1t64 libwxgtk-media3.2-1 
libwxgtk-media3.2-1t64 libwxgtk-webview3.2-1 libwxgtk-webview3.2-1t64
X-Debbugs-Cc: vor...@debian.org

libwxgtk3.2-1t64 has an undeclared file conflict. This may result in an
unpack error from dpkg.


Hello Steve,

Are you planning on fixing this, or would you like me to?  If the latter, 
how would you like the fix submitted before this is uploaded to unstable?


Regards,
Scott

Bug#1063348: O: pdfkit

[Scott Kitterman]

Package: wnpp
Severity: normal
X-Debbugs-Cc: debian-pyt...@lists.debian.org
Control: affects -1 src:pdfkit

I am no longer interested in this package and no else in the Debian
Python Team expressed interest it taking it over, so orphaning.

The package itself is in reasonable shape.  Upstream includes the
following warning in the Git version of the package README:

This library has been deprecated to match the wkhtmltopdf project status.

Scott K

Bug#1063317: O: django-anymail

[Scott Kitterman]

Package: wnpp
Severity: normal
X-Debbugs-Cc: debian-pyt...@lists.debian.org
Control: affects -1 src:django-anymail

I'm no longer interested in the package and no one from the Debian
Python Team expressed interest in it, so orphaning.

I've updated the package to the current upstream and updated for the
switch to hatchling, so that package is in good shape for now.  Upstream
is moderately active.

Scott K

Bug#1063171: O: python-sparkpost

[Scott Kitterman]

Package: wnpp
Severity: normal
X-Debbugs-Cc: debian-pyt...@lists.debian.org
Control: affects -1 src:python-sparkpost

I'm no longer interested in the package (it was only packaged to support
django-anymail, which is also about to be orphaned).

This is an interface to a proprietary mail service.  The company was
acquired in 2021 and nothing has happened with the package upstream
since then.

The package itself is in reasonably good condition.  There is one Python
3.12 related issue that will be addressed in the upload that orphans the
package.

Scott K

Bug#1063033: O: django-wkhtmltopdf

[Scott Kitterman]

Package: wnpp
Severity: normal
X-Debbugs-Cc: debian-pyt...@lists.debian.org
Control: affects -1 src:django-wkhtmltopdf

I no longer use this package and no one in the Debian Python Team
expressed any interest in it, so orphaning.

At this time, the package is in reasonably good shape and does not
generally require a lot of attention.  It's not clear if upstream is
dead or moving slowly.

Scott K

Bug#1062938: RM: clamav-unofficial-sigs -- ROM; Unmaintained and obsolete, replaced by fangfrisch

[Scott Kitterman]

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: pkg-clamav-de...@lists.alioth.debian.org

Long dead upstream and only minimally maintained in Debian.  Not working
well, if at all, anymore.  The fangfrisch package is a maintained
alternative that is now it the archive.

Request coordinated with pabs via IRC.

Scott K

Bug#1041754: [pcp] Bug#1041754: pcp: ships empty directory /usr/lib/pkgconfig

[Nathan Scott]

https://github.com/performancecopilot/pcp/pull/1874

Bug#1041754: pcp: ships empty directory /usr/lib/pkgconfig

[Nathan Scott]

On Mon, Jan 1, 2024 at 1:47 AM Chris Hofstaedtler  wrote:
> [..]
>
> I see you've uploaded two new upstream versions since this bug was
> filed. Is there anything blocking inclusion of Helmut's patch?
>

Thank you for the reminder and thanks for the patch Helmut.
I'll get this into the next update (pcp-6.2.0 expected late next week).

cheers.

--
Nathan

Bug#1052866: python-plaster: FTBFS: dh_auto_test: error: pybuild --test --test-pytest -i python{version} -p 3.11 returned exit code 13

[Scott Talbert]

On Sun, 28 Jan 2024, Andreas Tille wrote:


Hi,

I upgraded python-plaster to latest upstream - but this did not changed
the test suite error.


I suspect the issue is because dh-python is clobbering the *.egg-info 
directories in the tests directory during the 'clean' target.


While this is helpful in a lot of cases, it would be nice if there was a 
way to opt out of this behavior.


Scott

Bug#1042325: python-miio: FTBFS: dh_auto_test: error: pybuild --test --test-pytest -i python{version} -p 3.11 returned exit code 13

[Scott Talbert]

On Sat, 27 Jan 2024, Andreas Tille wrote:


Control: tags -1 help

Hi,

I upgraded python-miio in Git.  Unfortunately there are some test suite 
errors[1]
Any help would be welcome
Andreas.


Fixed.

Bug#1061625: bullseye-pu: package postfix/3.5.23-0+deb11u1

[Scott Kitterman]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
This is the next in our normal postfix maintenance releases.  It
consists soley of updates to the SMTP Smuggling processing that were
released near the end of December.  I think it would be better to get
this in now for the next point release so that the fixes that most of
our users see are the final form.

[ Impact ]
Users will have the older version of the SMTP Smuggling fixes which mean
they are unable to sanitize outbound mail and then will have to consider
the inbound processing changes later instead of all at once.

[ Tests ]
The package has a reasonably extensive autopkgtest, although it does not
have specific tests for SMTP Smuggling, it does ensure the changes do
not cause regressions.  The tests pass when run locally.  Additionally,
I have installed the package on one of my servers to verified it is
still working as expected.

[ Risks ]
Risk is negligible.  No changes from the upstream release and upstream
is known to be very careful.  The risk is primarily on not updating as
there are changes (backward compatible, so there's no issue if someone
already dealt with SMTP Smuggling based on the December release) in how
some of the related controls work.  If we don't update, then behavior on
Debian will differ from user expectations.  The alternative would be to
hold this until the next point release, which I don't think would be a
good idea.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
-  Security (outbound SMTP smuggling): with the default setting
   "cleanup_replace_stray_cr_lf = yes" Postfix will replace
   stray  or  characters in message content with a
   space character. This prevents Postfix from enabling
   outbound (remote) SMTP smuggling, and it also makes evaluation
   of Postfix-added DKIM etc. signatures independent from how
   a remote mail server handles stray  or  characters.
   Files: global/mail_params.h, cleanup/cleanup.c,
   cleanup/cleanup_message.c, mantools/postlink, proto/postconf.proto.
 - Security (inbound SMTP smuggling): with "smtpd_forbid_bare_newline
   = normalize" (default "no" for Postfix < 3.9), the Postfix
   SMTP server requires the standard End-of-DATA sequence
   ., and otherwise allows command or message
   content lines ending in the non-standard , processing
   them as if the client sent the standard .
   The alternative setting, "smtpd_forbid_bare_newline = reject"
   will reject any command or message that contains a bare
   , and is more likely to cause problems with legitimate
   clients.
   For backwards compatibility, local clients are excluded by
   default with "smtpd_forbid_bare_newline_exclusions =
   $mynetworks".
   Files: mantools/postlink, proto/postconf.proto,
   global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
   smtpd/smtpd.c, smtpd/smtpd_check.[hc].

[ Other info ]
I do not think an SUA is required for this update.  The capability
provided by the December SUA is sufficient until the next point release.

Scott K
diff -Nru postfix-3.5.23/debian/changelog postfix-3.5.24/debian/changelog
--- postfix-3.5.23/debian/changelog 2023-12-26 16:07:38.0 -0500
+++ postfix-3.5.24/debian/changelog 2024-01-27 10:21:04.0 -0500
@@ -1,3 +1,36 @@
+postfix (3.5.24-0+deb11u1) bullseye; urgency=medium
+
+  [Wietse Venema]
+
+  * 3.5.24
+-  Security (outbound SMTP smuggling): with the default setting
+   "cleanup_replace_stray_cr_lf = yes" Postfix will replace
+   stray  or  characters in message content with a
+   space character. This prevents Postfix from enabling
+   outbound (remote) SMTP smuggling, and it also makes evaluation
+   of Postfix-added DKIM etc. signatures independent from how
+   a remote mail server handles stray  or  characters.
+   Files: global/mail_params.h, cleanup/cleanup.c,
+   cleanup/cleanup_message.c, mantools/postlink, proto/postconf.proto.
+ - Security (inbound SMTP smuggling): with "smtpd_forbid_bare_newline
+   = normalize" (default "no" for Postfix < 3.9), the Postfix
+   SMTP server requires the standard End-of-DATA sequence
+   ., and otherwise allows command or message
+   content lines ending in the non-standard , processing
+   them as if the client sent the standard .
+   The alternative setting, "smtpd_forbid_bare_newline = reject"
+   will reject any command or message that contains a bare
+   , and is more likely to cause problems with legitimate
+   clients.
+   For backwards compati

Bug#1061624: bookworm-pu: package postfix/3.7.9-0+deb12u1

[Scott Kitterman]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
This is the next in our normal postfix maintenance releases.  It
consists soley of updates to the SMTP Smuggling processing that were
released near the end of December.  I think it would be better to get
this in now for the next point release so that the fixes that most of
our users see are the final form.

[ Impact ]
Users will have the older version of the SMTP Smuggling fixes which mean
they are unable to sanitize outbound mail and then will have to consider
the inbound processing changes later instead of all at once.

[ Tests ]
The package has a reasonably extensive autopkgtest, although it does not
have specific tests for SMTP Smuggling, it does ensure the changes do
not cause regressions.  The tests pass when run locally.  Additionally,
I have installed the package on one of my servers to verified it is
still working as expected.

[ Risks ]
Risk is negligible.  No changes from the upstream release and upstream
is known to be very careful.  The risk is primarily on not updating as
there are changes (backward compatible, so there's no issue if someone
already dealt with SMTP Smuggling based on the December release) in how
some of the related controls work.  If we don't update, then behavior on
Debian will differ from user expectations.  The alternative would be to
hold this until the next point release, which I don't think would be a
good idea.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
-  Security (outbound SMTP smuggling): with the default setting
   "cleanup_replace_stray_cr_lf = yes" Postfix will replace
   stray  or  characters in message content with a
   space character. This prevents Postfix from enabling
   outbound (remote) SMTP smuggling, and it also makes evaluation
   of Postfix-added DKIM etc. signatures independent from how
   a remote mail server handles stray  or  characters.
   Files: global/mail_params.h, cleanup/cleanup.c,
   cleanup/cleanup_message.c, mantools/postlink, proto/postconf.proto.
 - Security (inbound SMTP smuggling): with "smtpd_forbid_bare_newline
   = normalize" (default "no" for Postfix < 3.9), the Postfix
   SMTP server requires the standard End-of-DATA sequence
   ., and otherwise allows command or message
   content lines ending in the non-standard , processing
   them as if the client sent the standard .
   The alternative setting, "smtpd_forbid_bare_newline = reject"
   will reject any command or message that contains a bare
   , and is more likely to cause problems with legitimate
   clients.
   For backwards compatibility, local clients are excluded by
   default with "smtpd_forbid_bare_newline_exclusions =
   $mynetworks".
   Files: mantools/postlink, proto/postconf.proto,
   global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
   smtpd/smtpd.c, smtpd/smtpd_check.[hc].

[ Other info ]
I do not think an SUA is required for this update.  The capability
provided by the December SUA is sufficient until the next point release.

Scott K
diff -Nru postfix-3.7.9/debian/changelog postfix-3.7.10/debian/changelog
--- postfix-3.7.9/debian/changelog  2023-12-24 12:33:24.0 -0500
+++ postfix-3.7.10/debian/changelog 2024-01-26 18:44:58.0 -0500
@@ -1,3 +1,36 @@
+postfix (3.7.10-0+deb12u1) bookworm; urgency=medium
+
+  [Wietse Venema]
+
+  * 3.7.10
+- Security (outbound SMTP smuggling): with the default setting
+  "cleanup_replace_stray_cr_lf = yes" Postfix will replace
+  stray  or  characters in message content with a
+  space character. This prevents Postfix from enabling
+  outbound (remote) SMTP smuggling, and it also makes evaluation
+  of Postfix-added DKIM etc. signatures independent from how
+  a remote mail server handles stray  or  characters.
+  Files: global/mail_params.h, cleanup/cleanup.c,
+  cleanup/cleanup_message.c, mantools/postlink, proto/postconf.proto.
+- Security (inbound SMTP smuggling): with "smtpd_forbid_bare_newline
+  = normalize" (default "no" for Postfix < 3.9), the Postfix
+  SMTP server requires the standard End-of-DATA sequence
+  ., and otherwise allows command or message
+  content lines ending in the non-standard , processing
+  them as if the client sent the standard .
+  The alternative setting, "smtpd_forbid_bare_newline = reject"
+  will reject any command or message that contains a bare
+  , and is more likely to cause problems with legitimate
+  clients.
+  For backwards compatibility, local client

Bug#1060934: pycountry: FTBFS: dh_auto_test: error: pybuild --test -i python{version} -p "3.12 3.11" returned exit code 13

[Scott Kitterman]

On Tue, 16 Jan 2024 20:41:58 +0100 Lucas Nussbaum  wrote:
> Source: pycountry
> Version: 23.12.11+ds1-1
> Severity: serious
> Justification: FTBFS
> Tags: trixie sid ftbfs
> User: lu...@debian.org
> Usertags: ftbfs-20240115 ftbfs-trixie
> 
> Hi,
> 
> During a rebuild of all packages in sid, your package failed to build
> on amd64.

This is due to changes in the recent iso-codes upload.  the patch below fixes 
it so it should work with either version:

--- pycountry-23.12.11+ds1.orig/src/pycountry/__init__.py
+++ pycountry-23.12.11+ds1/src/pycountry/__init__.py
@@ -169,7 +169,8 @@ class SubdivisionHierarchy(pycountry.db.
 kw["parent_code"] = None
 super().__init__(**kw)
 self.country_code = self.code.split("-")[0]
-if self.parent_code is not None:
+if (self.parent_code is not None and
+self.country_code != self.parent_code.split("-")[0]):
 self.parent_code = f"{self.country_code}-{self.parent_code}"
 
 @property

Please let me know if you don't want an NMU.  This will eventually cause 
xml2rfc to be removed, so I'll NMU at some point unless you want to take care 
of it first (thanks if you do).

Scott K


signature.asc
Description: This is a digitally signed message part.

Bug#1061447: O: django-maintenancemode

[Scott Kitterman]

Package: wnpp
Severity: normal
X-Debbugs-Cc: debian-pyt...@lists.debian.org
Control: affects -1 src:django-maintenancemode

Orphaning the package on behalf of the Debian Python Team as the sole
uploader (no one else on the team expressed interest in taking over and
I no longer use the package).

The package itself is in reasonable shape.  Upstream is mostly dean, so
if you take over this package, expect to have to do more than just
package new upstream releases.

Scott K

Bug#1060711: python3-wxgtk4.0: Library dependency too lenient

[Scott Talbert]

On Mon, 22 Jan 2024, Matthias Urlichs wrote:


On 17.01.24 15:01, Scott Talbert wrote:

On Wed, 17 Jan 2024, Matthias Urlichs wrote:


On 16.01.24 23:58, Scott Talbert wrote:
Do I understand correctly that you installed the python3-wxgtk4.0 
4.2.1+dfsg-3
binary package from Debian Testing into a Debian 12 system and that's how 
you encountered this error? 


Yes. So? Mix+match from stable+testing is rather common when you're 
developing stuff, and Policy 3.5 doesn't say "umm well that only applies 
for dependencies from the same release".


Sorry, but that's not generally supported, at least for wxWidgets related 
packages.  Sometimes we change compile options and other things that change 
the ABI.



I noticed …

However, perhaps you misunderstood. I'm not asking for "support mix and match 
of wx*-related packages". I'm asking for "support mix+match between releases; 
if and when that doesn't work, please set the dependencies so that the user 
can't install a mix-and-match system in the first place".


I didn't misunderstand - you're asking for mis+match of wx-related (to 
include wxWidgets and wxPython) packages between releases, which isn't 
supported.  wxPython is a Python wrapper for wxWidgets, so it is by 
necessity tightly coupled with wxWidgets.  I'll try to find a way to 
tighten wxPython's dependency on be >= the wxWidgets it was compiled with.


See also: https://lists.debian.org/debian-devel/2024/01/msg00266.html — NB, 
please disregard my snarky "go away" pseudo-quote there. That was not 
intended to reflect your reply here.


Yes, I saw that.

Scott

Bug#1061324: lmdb: Move doxygen to B-D-I

[Scott Kitterman]

Source: lmdb
Version: 0.9.31-1
Severity: normal

It looks like doxygen is only needed for building the arch all lmdb-doc
package, so it could be moved from Build-Depends to Build-Depends-Indep.
While this is a pretty minor issue, I think it would be better and it
would at least allow lmdb to be built on archs which don't have doxygen
(currently only hurd-amd64, but it's been others in the past).

Scott K

Bug#1061265: rst2pdf: Uses deprecated/to be removed pypdf2

[Scott Kitterman]

On January 22, 2024 10:11:50 AM UTC, Rob Allen  wrote:
>Hi,
>
>I’m the one of the leads on rst2pdf itself.
>
>Is there anything you want me to do related to this?
>
>Regards,
>
>Rob

Thank you for being interested in its status in Debian.  No.  My understanding 
is that all this needs is for the maintainer in Debian to update the package to 
the most current release.

The next Debian release is likely at least a year and a half from now, so 
there's plenty of time.  

Scott K

Bug#1061265: rst2pdf: Uses deprecated/to be removed pypdf2

[Scott Kitterman]

Source: rst2pdf
Version: 0.99-1
Severity: wishlist

rst2pdf declares a requirement for python3-pypdf2 in
Build-Depends-Indep.

I've recently adopted pypdf and pypdf2 into the Debian Python Team in response 
to an RFA for both packages.  As these are somewhat security sensitive packages 
(among my first acts after adopting the packages was to upload proposed updates 
for both to address minor security issues in Bookworm in the next point release 
- same bug in both), I do not think we should release pypdf2 in Trixie and have 
filed an RC bug to that effect.

It looks like the current upstream release has already been ported to
use python3-pypdf (which is really pypdf3).  Please update your package.

Scott K

Bug#1061264: ocrmypdf: Uses deprecated/to be removed pypdf2 in autopkgtest

[Scott Kitterman]

Source: ocrmypdf
Version: 15.2.0+dfsg1-1
Severity: wishlist

I've recently adopted pypdf and pypdf2 into the Debian Python Team in response 
to an RFA for both packages.  As these are somewhat security sensitive packages 
(among my first acts after adopting the packages was to upload proposed updates 
for both to address minor security issues in Bookworm in the next point release 
- same bug in both), I do not think we should release pypdf2 in Trixie and have 
filed an RC bug to that effect.

ocrmypdf uses the package in debian/tests/control.  Please update to use
python3-pypdf insteadm.

Bug#1029740: pypdf2 is deprecated, please move from python3-pypdf2 to python3-pypdf

[Scott Kitterman]

On Fri, 27 Jan 2023 00:26:31 +0100 Mathias Behrle  wrote:
> tag -1 pending
> 
> API changes were already considered in
> https://foss.heptapod.net/tryton/tryton/-/merge_requests/25
> https://foss.heptapod.net/tryton/tryton/-/merge_requests/27
> and Tryton packages should be fit for any version 1, 2, 3 of pypdf.
> 
> We are waiting for backports of the fixes to 6.0. We will anyway include them
> for bookworm. As we are maintaining backports for bullseye and buster we 
will
> stick for now with python3-pypdf2, until python3-pypdf will be available as
> backport in the targeted Debian releases.

As we approach the first anniversary for this bug, an update:

I've recently adopted pypdf and pypdf2 into the Debian Python Team in response 
to an RFA for both packages.  As these are somewhat security sensitive 
packages (among my first acts after adopting the packages was to upload 
proposed updates for both to address minor security issues in Bookworm in the 
next point release - same bug in both), I do not think we should release 
pypdf2 in Trixie and have filed an RC bug to that effect.

If you want this package to be in Trixie, you will need to use pypdf instead 
of pypdf2.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1029739: pypdf2 is deprecated, please move from python3-pypdf2 to python3-pypdf

[Scott Kitterman]

On Thu, 26 Jan 2023 16:39:39 -0500 Daniel Kahn Gillmor  
wrote:
 
> As noted in https://bugs.debian.org/1028559, upstream for the PyPDF2
> Python module has moved to the "pypdf" namespace.
> 
> Correspondingly, there is a new python3-pypdf package in debian
> unstable.
> 
> The packages listed above all currently depend on (or recommend) PyPDF2,
> but probably should move to the updated version.  When all these bug
> reports are closed, we can consider removing the pypdf2 source package
> and python3-pypdf2 from debian.
> 
> The migration should be relatively straightforward; much of the API
> remains the same, just under the "pypdf" module name instead of the
> "PyPDF2" module name.  Where the API differs, the version of PyPDF2
> currently in debian testing/unstable (2.12.1-3) emits a
> PendingDeprecationWarning wherever a piece of the API will break.
> 
> For example:
> 
>foo.py:76: PendingDeprecationWarning: getObject is deprecated and will be 
removed in PyPDF2 3.0.0. Use get_object instead.
> 
> (PyPDF2 version 3.x is basically a terminal version of PyPDF2, and pypdf
> takes over from 3.1.x onward; PyPDF2 version 3.x will not enter debian,
> as it is an API break from 2.x, and pypdf 3.x supercedes it)

As we approach the first anniversary for this bug, an update:

I've recently adopted pypdf and pypdf2 into the Debian Python Team in response 
to an RFA for both packages.  As these are somewhat security sensitive 
packages (among my first acts after adopting the packages was to upload 
proposed updates for both to address minor security issues in Bookworm in the 
next point release - same bug in both), I do not think we should release 
pypdf2 in Trixie and have filed an RC bug to that effect.

If you want this package to be in Trixie, you will need to use pypdf instead 
of pypdf2.  There is a new upstream release that supports this transition, but 
packaging it will be non-trivial.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1029735: pypdf2 is deprecated, please move from python3-pypdf2 to python3-pypdf

[Scott Kitterman]

On Thu, 26 Jan 2023 16:39:39 -0500 Daniel Kahn Gillmor  
wrote:
> As noted in https://bugs.debian.org/1028559, upstream for the PyPDF2
> Python module has moved to the "pypdf" namespace.
> 
> Correspondingly, there is a new python3-pypdf package in debian
> unstable.
> 
> The packages listed above all currently depend on (or recommend) PyPDF2,
> but probably should move to the updated version.  When all these bug
> reports are closed, we can consider removing the pypdf2 source package
> and python3-pypdf2 from debian.
> 
> The migration should be relatively straightforward; much of the API
> remains the same, just under the "pypdf" module name instead of the
> "PyPDF2" module name.  Where the API differs, the version of PyPDF2
> currently in debian testing/unstable (2.12.1-3) emits a
> PendingDeprecationWarning wherever a piece of the API will break.
> 
> For example:
> 
>foo.py:76: PendingDeprecationWarning: getObject is deprecated and will be 
removed in PyPDF2 3.0.0. Use get_object instead.
> 
> (PyPDF2 version 3.x is basically a terminal version of PyPDF2, and pypdf
> takes over from 3.1.x onward; PyPDF2 version 3.x will not enter debian,
> as it is an API break from 2.x, and pypdf 3.x supercedes it)
> 
> To transition a given package:
> 
>  - run tests with as complete coverage as possible and note the
>PendingDeprecation warnings
> 
>  - for each warning, patch the upstream line as recommended
> 
>  - ensure that the tests pass without PendingDeprecationWarnings
> 
>  - convert from "PyPDF2" to "pypdf" on any import or scoped reference in
>python
> 
>  - update dependency indicators in upstream metadata annotations
>(e.g. pyproject.toml, setup.cfg, etc)
> 
>  - update dependency indicators in debian packaging (from python3-pypdf2
>to python3-pypdf).
> 
>  - run the tests again

As we approach the first anniversary for this bug, an update:

I've recently adopted pypdf and pypdf2 into the Debian Python Team in response 
to an RFA for both packages.  As these are somewhat security sensitive 
packages (among my first acts after adopting the packages was to upload 
proposed updates for both to address minor security issues in Bookworm in the 
next point release - same bug in both), I do not think we should release 
pypdf2 in Trixie and have filed an RC bug to that effect.

If you want this package to be in Trixie, you will need to use pypdf instead 
of pypdf2.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1029738: pypdf2 is deprecated, please move from python3-pypdf2 to python3-pypdf

[Scott Kitterman]

On Thu, 26 Jan 2023 16:39:39 -0500 Daniel Kahn Gillmor  
wrote:

> As noted in https://bugs.debian.org/1028559, upstream for the PyPDF2
> Python module has moved to the "pypdf" namespace.
> 
> Correspondingly, there is a new python3-pypdf package in debian
> unstable.
> 
> The packages listed above all currently depend on (or recommend) PyPDF2,
> but probably should move to the updated version.  When all these bug
> reports are closed, we can consider removing the pypdf2 source package
> and python3-pypdf2 from debian.
> 
> The migration should be relatively straightforward; much of the API
> remains the same, just under the "pypdf" module name instead of the
> "PyPDF2" module name.  Where the API differs, the version of PyPDF2
> currently in debian testing/unstable (2.12.1-3) emits a
> PendingDeprecationWarning wherever a piece of the API will break.
> 
> For example:
> 
>foo.py:76: PendingDeprecationWarning: getObject is deprecated and will be 
removed in PyPDF2 3.0.0. Use get_object instead.
> 
> (PyPDF2 version 3.x is basically a terminal version of PyPDF2, and pypdf
> takes over from 3.1.x onward; PyPDF2 version 3.x will not enter debian,
> as it is an API break from 2.x, and pypdf 3.x supercedes it)
> 
> To transition a given package:
> 
>  - run tests with as complete coverage as possible and note the
>PendingDeprecation warnings
> 
>  - for each warning, patch the upstream line as recommended
> 
>  - ensure that the tests pass without PendingDeprecationWarnings
> 
>  - convert from "PyPDF2" to "pypdf" on any import or scoped reference in
>python
> 
>  - update dependency indicators in upstream metadata annotations
>(e.g. pyproject.toml, setup.cfg, etc)
> 
>  - update dependency indicators in debian packaging (from python3-pypdf2
>to python3-pypdf).
> 
>  - run the tests again

As we approach the first anniversary for this bug, an update:

I've recently adopted pypdf and pypdf2 into the Debian Python Team in response 
to an RFA for both packages.  As these are somewhat security sensitive 
packages (among my first acts after adopting the packages was to upload 
proposed updates for both to address minor security issues in Bookworm in the 
next point release - same bug in both), I do not think we should release 
pypdf2 in Trixie and have filed an RC bug to that effect.

If you want this package to be in Trixie, you will need to use pypdf instead 
of pypdf2.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1029733: pypdf2 is deprecated, please move from python3-pypdf2 to python3-pypdf

[Scott Kitterman]

On Thu, 26 Jan 2023 16:39:39 -0500 Daniel Kahn Gillmor  
wrote:

> As noted in https://bugs.debian.org/1028559, upstream for the PyPDF2
> Python module has moved to the "pypdf" namespace.
> 
> Correspondingly, there is a new python3-pypdf package in debian
> unstable.
> 
> The packages listed above all currently depend on (or recommend) PyPDF2,
> but probably should move to the updated version.  When all these bug
> reports are closed, we can consider removing the pypdf2 source package
> and python3-pypdf2 from debian.
> 
> The migration should be relatively straightforward; much of the API
> remains the same, just under the "pypdf" module name instead of the
> "PyPDF2" module name.  Where the API differs, the version of PyPDF2
> currently in debian testing/unstable (2.12.1-3) emits a
> PendingDeprecationWarning wherever a piece of the API will break.
> 
> For example:
> 
>foo.py:76: PendingDeprecationWarning: getObject is deprecated and will be 
removed in PyPDF2 3.0.0. Use get_object instead.
> 
> (PyPDF2 version 3.x is basically a terminal version of PyPDF2, and pypdf
> takes over from 3.1.x onward; PyPDF2 version 3.x will not enter debian,
> as it is an API break from 2.x, and pypdf 3.x supercedes it)
> 
> To transition a given package:
> 
>  - run tests with as complete coverage as possible and note the
>PendingDeprecation warnings
> 
>  - for each warning, patch the upstream line as recommended
> 
>  - ensure that the tests pass without PendingDeprecationWarnings
> 
>  - convert from "PyPDF2" to "pypdf" on any import or scoped reference in
>python
> 
>  - update dependency indicators in upstream metadata annotations
>(e.g. pyproject.toml, setup.cfg, etc)
> 
>  - update dependency indicators in debian packaging (from python3-pypdf2
>to python3-pypdf).
> 
>  - run the tests again

As we approach the first anniversary for this bug, an update:

I've recently adopted pypdf and pypdf2 into the Debian Python Team in response 
to an RFA for both packages.  As these are somewhat security sensitive 
packages (among my first acts after adopting the packages was to upload 
proposed updates for both to address minor security issues in Bookworm in the 
next point release - same bug in both), I do not think we should release 
pypdf2 in Trixie and have filed an RC bug to that effect.

If you want this package to be in Trixie, you will need to use pypdf instead 
of pypdf2.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1029734: pypdf2 is deprecated, please move from python3-pypdf2 to python3-pypdf

[Scott Kitterman]

On Thu, 26 Jan 2023 16:39:39 -0500 Daniel Kahn Gillmor  
wrote:
> As noted in https://bugs.debian.org/1028559, upstream for the PyPDF2
> Python module has moved to the "pypdf" namespace.
> 
> Correspondingly, there is a new python3-pypdf package in debian
> unstable.
> 
> The packages listed above all currently depend on (or recommend) PyPDF2,
> but probably should move to the updated version.  When all these bug
> reports are closed, we can consider removing the pypdf2 source package
> and python3-pypdf2 from debian.
> 
> The migration should be relatively straightforward; much of the API
> remains the same, just under the "pypdf" module name instead of the
> "PyPDF2" module name.  Where the API differs, the version of PyPDF2
> currently in debian testing/unstable (2.12.1-3) emits a
> PendingDeprecationWarning wherever a piece of the API will break.
> 
> For example:
> 
>foo.py:76: PendingDeprecationWarning: getObject is deprecated and will be 
removed in PyPDF2 3.0.0. Use get_object instead.
> 
> (PyPDF2 version 3.x is basically a terminal version of PyPDF2, and pypdf
> takes over from 3.1.x onward; PyPDF2 version 3.x will not enter debian,
> as it is an API break from 2.x, and pypdf 3.x supercedes it)
> 
> To transition a given package:
> 
>  - run tests with as complete coverage as possible and note the
>PendingDeprecation warnings
> 
>  - for each warning, patch the upstream line as recommended
> 
>  - ensure that the tests pass without PendingDeprecationWarnings
> 
>  - convert from "PyPDF2" to "pypdf" on any import or scoped reference in
>python
> 
>  - update dependency indicators in upstream metadata annotations
>(e.g. pyproject.toml, setup.cfg, etc)
> 
>  - update dependency indicators in debian packaging (from python3-pypdf2
>to python3-pypdf).
> 
>  - run the tests again

As we approach the first anniversary for this bug, an update:

I've recently adopted pypdf and pypdf2 into the Debian Python Team in response 
to an RFA for both packages.  As these are somewhat security sensitive 
packages (among my first acts after adopting the packages was to upload 
proposed updates for both to address minor security issues in Bookworm in the 
next point release - same bug in both), I do not think we should release 
pypdf2 in Trixie and have filed an RC bug to that effect.

If you want this package to be in Trixie, you will need to use pypdf instead 
of pypdf2.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1061261: odoo: Uses deprecated/to be removed PyPDF2

[Scott Kitterman]

Source: odoo
Version: 16.0.0+dfsg.2-2
Severity: wishlist

The odoo package has recently added a dependency on python3-pypdf2.  Last 
January the following bug was filed against all packages using python3-pypdf2:

As noted in https://bugs.debian.org/1028559, upstream for the PyPDF2 Python 
module has moved to the "pypdf" namespace.

Correspondingly, there is a new python3-pypdf package in debian unstable.

The packages listed above all currently depend on (or recommend) PyPDF2, but 
probably should move to the updated version.  When all these bug reports are 
closed, we can consider removing the pypdf2 source package and python3-pypdf2 
from debian.

The migration should be relatively straightforward; much of the API remains the 
same, just under the "pypdf" module name instead of the "PyPDF2" module name.  
Where the API differs, the version of PyPDF2 currently in debian 
testing/unstable (2.12.1-3) emits a 
PendingDeprecationWarning wherever a piece of the API will break.

For example:

   foo.py:76: PendingDeprecationWarning: getObject is deprecated and will be 
removed in PyPDF2 3.0.0. Use get_object instead.

(PyPDF2 version 3.x is basically a terminal version of PyPDF2, and pypdf takes 
over from 3.1.x onward; PyPDF2 version 3.x will not enter debian, as it is an 
API break from 2.x, and pypdf 3.x supercedes it)

To transition a given package:

 - run tests with as complete coverage as possible and note the 
   PendingDeprecation warnings

 - for each warning, patch the upstream line as recommended

 - ensure that the tests pass without PendingDeprecationWarnings

 - convert from "PyPDF2" to "pypdf" on any import or scoped reference in
   python

 - update dependency indicators in upstream metadata annotations
   (e.g. pyproject.toml, setup.cfg, etc)

 - update dependency indicators in debian packaging (from python3-pypdf2
   to python3-pypdf).

 - run the tests again
 
I'm currently in the process of updating all these bugs with:

As we approach the first anniversary for this bug, an update:

I've recently adopted pypdf and pypdf2 into the Debian Python Team in response 
to an RFA for both packages.  As these are somewhat security sensitive packages 
(among my first acts after adopting the packages was to upload proposed updates 
for both to address minor security issues in Bookworm in the next point release 
- same bug in both), I do not think we should release pypdf2 in Trixie and have 
filed an RC bug to that effect.

If you want this package to be in Trixie, you will need to use pypdf instead of 
pypdf2.

Scott K

Bug#1060917: postfix-mysql broken in 3.7.9, results in unsupported dictionary type

[Scott Kitterman]

On Wed, 17 Jan 2024 09:05:47 -0500 Scott Kitterman  
wrote:
> On Wednesday, January 17, 2024 9:03:29 AM EST Richard Rosner wrote:
> > I've updated all mariadb packages to 10.11.6 and all postfix packages.
> > Everything still working.
> >  
> Excellent news.  Thanks for testing.

Postfix packages in bookworm-proposed-updates have been rebuilt against the new 
mariadb, so I think this can be closed now.  If anyone runs into this problem 
with the packages from bookworm-updates/stable-updates, install the rebuilt 
version from bookworm/stable-proposed-updates.  After the next point release, 
this will be entirely OBE.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1061162: pypdf2: Do not release with Trixie

[Scott Kitterman]

Source: pypdf2
Version: 2.12.1-4
Severity: serious
Tags: upstream
Justification: Maintainer opinion

PyPDF2 has been replaced by pypdf upstream.  We should not release this
package with Trixie.  Rdepends should be either ported or removed.

Scott K

Bug#1061161: bookworm-pu: package pypdf2/2.12.1-3

[Scott Kitterman]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
CVE fix.

[ Impact ]
Users still vulernable to security issue.

[ Tests ]
Upstream has an extensive test suite, although we don't include a test
specifically for this issue.  All tests pass on bookworm locally.

[ Risks ]
Risk is negligible.  Code is trivial.  Fix has been available for 8
months upstream.  The same code is in pypdf and there have been no
issues reported with it (stable update for it is pending as well).

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Add a patch to apply the upstream fix for the issue.

[ Other info ]
This looks like an NMU in bookworm, but I just adopted the package.  I
did not include the maintainer changes in the stble-update since that
seemed to get beyone a minimal fix.

Scott K
diff -Nru pypdf2-2.12.1/debian/changelog pypdf2-2.12.1/debian/changelog
--- pypdf2-2.12.1/debian/changelog  2023-01-13 16:38:55.0 -0500
+++ pypdf2-2.12.1/debian/changelog  2024-01-19 17:32:34.0 -0500
@@ -1,3 +1,12 @@
+pypdf2 (2.12.1-3+deb12u1) bookworm; urgency=medium
+
+  * Prevent infinite loop when no character follows after a comment (Closes:
+#1040339)
+- Addresses CVE-2023-36464
+- Add d/p/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
+
+ -- Scott Kitterman   Fri, 19 Jan 2024 17:32:34 -0500
+
 pypdf2 (2.12.1-3) unstable; urgency=medium
 
   * disable two more network tests
diff -Nru 
pypdf2-2.12.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
 
pypdf2-2.12.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
--- 
pypdf2-2.12.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
1969-12-31 19:00:00.0 -0500
+++ 
pypdf2-2.12.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
2024-01-19 17:30:16.0 -0500
@@ -0,0 +1,21 @@
+From: Scott Kitterman 
+Date: Mon, 15 Jan 2024 11:34:11 -0500
+Subject: Prevent infinite loop when no character follows after a comment
+https://security-tracker.debian.org/tracker/CVE-2023-36464
+---
+ PyPDF2/generic/_data_structures.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: pypdf/PyPDF2/generic/_data_structures.py
+===
+--- pypdf.orig/PyPDF2/generic/_data_structures.py
 pypdf/PyPDF2/generic/_data_structures.py
+@@ -733,7 +733,7 @@ class ContentStream(DecodedStreamObject)
+ # encountering a comment -- but read_object assumes that
+ # following the comment must be the object we're trying to
+ # read.  In this case, it could be an operator instead.
+-while peek not in (b"\r", b"\n"):
++while peek not in (b"\r", b"\n", b""):
+ peek = stream.read(1)
+ else:
+ operands.append(read_object(stream, None, 
self.forced_encoding))
diff -Nru pypdf2-2.12.1/debian/patches/series 
pypdf2-2.12.1/debian/patches/series
--- pypdf2-2.12.1/debian/patches/series 2023-01-13 16:38:30.0 -0500
+++ pypdf2-2.12.1/debian/patches/series 2024-01-19 17:30:16.0 -0500
@@ -1 +1,2 @@
 disable-network-tests.patch
+0003-Prevent-infinite-loop-when-no-character-follows-afte.patch

Bug#1060708: python3-wxgtk4.0: Package doesn't import

[Scott Talbert]

On Sat, 13 Jan 2024, Matthias Urlichs wrote:


Package: python3-wxgtk4.0
Version: 4.2.0+dfsg-3
Severity: important
X-Debbugs-Cc: sm...@smurf.noris.de


/usr/lib/python3/dist-packages/wx/__init__.py contains:

 from wx.core import *
 del core
 del wx

This doesn't work on my system. "wx.core" does *not* export a symbol named
"core", thus the "del core" fails.

Deleting the "del core" part fixes the problem.

-- System Information:
Debian Release: 12.4
 APT prefers stable
 APT policy: (750, 'stable'), (700, 'testing'), (650, 'oldstable'), (600, 
'oldoldstable'), (500, 'stable-security'), (500, 'oldstable-security'), (500, 
'unstable'), (300, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64

Kernel: Linux 6.1.0-10-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3-wxgtk4.0 depends on:
ii  libc62.36-9+deb12u3
ii  libgcc-s112.2.0-14
ii  libstdc++6   13.2.0-9
ii  libwxbase3.2-1   3.2.4+dfsg-1
ii  libwxgtk-gl3.2-1 3.2.4+dfsg-1
ii  libwxgtk3.2-13.2.2+dfsg-2
ii  python3 [python3-supported-min]  3.11.2-1+b1
ii  python3-numpy1:1.24.2-1
ii  python3-pil  9.4.0-1.1+b1
ii  python3-six  1.16.0-4


Can you provide any additional details that may be relevant to reproducing 
this problem?  I'm going to assume this is probably related to your other 
bug where you seem to be mixing and matching packages from testing and 
bookworm?


Scott

Bug#1060711: python3-wxgtk4.0: Library dependency too lenient

[Scott Talbert]

On Sat, 13 Jan 2024, Matthias Urlichs wrote:


Package: python3-wxgtk4.0
Version: 4.2.1+dfsg-3
Severity: normal
X-Debbugs-Cc: sm...@smurf.noris.de

Installing the version from Testing says


import wx.core

Traceback (most recent call last):
 File "", line 1, in 
 File "/usr/lib/python3/dist-packages/wx/__init__.py", line 17, in 
   from wx.core import *
 File "/usr/lib/python3/dist-packages/wx/core.py", line 12, in 
   from ._core import *
ImportError: 
/usr/lib/python3/dist-packages/wx/_core.cpython-311-x86_64-linux-gnu.so: 
undefined symbol: _ZN13wxRadioButtonD2Ev, version WXU_3.2




due to its dependency on libwxgtk3.2-1, which apparently needs to be >=
3.2.4 instead of 3.2.2.

Semantic versioning appears to be overrated. :-(


Hello Matthias,

Do I understand correctly that you installed the python3-wxgtk4.0 4.2.1+dfsg-3
binary package from Debian Testing into a Debian 12 system and that's how 
you encountered this error?


Scott

Bug#1060851: bookworm-pu: package pypdf/3.4.1-1

[Scott Kitterman]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]
This upload adds a patch to address CVE-2023-36464.  It was assessed by
the security team as no-dsa, so I think we ought to fix it in a stable
update.

[ Impact ]
Users remain vulnerable to the DoS attack described in the CVE.

[ Tests ]
There is a pypdf test suite that runs during package build and
autopkgtest.  Upstream did add a test for this issue, but since it
requires test assets not available in Debian, I did not include it in
the patch.

[ Risks ]
Code is trivial and the risk of regression is negligible.  This is the
exact fix upstream used.  The fix has been in the wild for 8 months, so
I think if it was going to cause a problem, we'd know by now.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Added the upstream change to fix the CVE (only the change to
pypdf/generic/_data_structures.py is relevant):
https://github.com/py-pdf/pypdf/commit/b0e5c689df689ab173df84dacd77b6fc3c161932

Updated gbp.conf to point at the bookworm branch

[ Other info ]
This will look like an NMU in tools that look at stable.  I just adopted
the package due to the original maintainer's RFA and have uploaded to
unstable (including this fix).  I elected not to change the maintainer
in this upload since that didn't fit with a minimal change in stable.

Scott K
diff -Nru pypdf-3.4.1/debian/changelog pypdf-3.4.1/debian/changelog
--- pypdf-3.4.1/debian/changelog2023-02-14 16:58:00.0 -0500
+++ pypdf-3.4.1/debian/changelog2024-01-15 11:28:43.0 -0500
@@ -1,3 +1,13 @@
+pypdf (3.4.1-1+deb12u1) bookworm; urgency=medium
+
+  * Update debian/gbp.conf to point at bookworm branch
+  * Prevent infinite loop when no character follows after a comment (Closes:
+#1040338)
+- Addresses CVE-2023-36464
+- Add d/p/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
+
+ -- Scott Kitterman   Mon, 15 Jan 2024 11:28:43 -0500
+
 pypdf (3.4.1-1) unstable; urgency=medium
 
   * New upstream version 3.4.1
diff -Nru pypdf-3.4.1/debian/gbp.conf pypdf-3.4.1/debian/gbp.conf
--- pypdf-3.4.1/debian/gbp.conf 2023-02-14 16:58:00.0 -0500
+++ pypdf-3.4.1/debian/gbp.conf 2024-01-15 11:28:20.0 -0500
@@ -1,3 +1,3 @@
 [DEFAULT]
-debian-branch = debian/unstable
+debian-branch = debian/bookworm
 pristine-tar = True
diff -Nru 
pypdf-3.4.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
 
pypdf-3.4.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
--- 
pypdf-3.4.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
  1969-12-31 19:00:00.0 -0500
+++ 
pypdf-3.4.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
  2024-01-15 11:28:43.0 -0500
@@ -0,0 +1,21 @@
+From: Scott Kitterman 
+Date: Mon, 15 Jan 2024 11:34:11 -0500
+Subject: Prevent infinite loop when no character follows after a comment
+https://security-tracker.debian.org/tracker/CVE-2023-36464
+---
+ pypdf/generic/_data_structures.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pypdf/generic/_data_structures.py 
b/pypdf/generic/_data_structures.py
+index bb2e028..524d4e0 100644
+--- a/pypdf/generic/_data_structures.py
 b/pypdf/generic/_data_structures.py
+@@ -979,7 +979,7 @@ class ContentStream(DecodedStreamObject):
+ # encountering a comment -- but read_object assumes that
+ # following the comment must be the object we're trying to
+ # read.  In this case, it could be an operator instead.
+-while peek not in (b"\r", b"\n"):
++while peek not in (b"\r", b"\n", b""):
+ peek = stream.read(1)
+ else:
+ operands.append(read_object(stream, None, 
self.forced_encoding))
diff -Nru pypdf-3.4.1/debian/patches/series pypdf-3.4.1/debian/patches/series
--- pypdf-3.4.1/debian/patches/series   2023-02-14 16:58:00.0 -0500
+++ pypdf-3.4.1/debian/patches/series   2024-01-15 11:28:43.0 -0500
@@ -1,2 +1,3 @@
 0001-Use-formal-Cryptodome-namespace.patch
 0002-mark-new-external-tests-appropriately.patch
+0003-Prevent-infinite-loop-when-no-character-follows-afte.patch

Bug#1060814: inetutils-ftpd: No inetd dependency

[Scott]

Package: inetutils-ftpd
Version: 2:2.0-1+deb11u
Severity: minor

Dear Maintainer,

   * What led up to the situation?

    installed package, then attempted to open connection, received 
no reply from ftpd service


   * What exactly did you do (or not do) that was effective (or
 ineffective)?

    determined no inetd installed
    selected ftpd-ssl package which depends on openbsd-inetd

   * What was the outcome of this action?

    received reply from ftpd service

-- System Information:
Debian Release: 11.8
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), 
(500, 'oldstable')

Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-20-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE 
not set

Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages inetutils-ftpd depends on:
ii  libc6    2.31-13+deb11u7
ii  libcrypt1    1:4.4.18-4
ii  libpam0g 1.4.0-9+deb11u1
ii  libwrap0 7.6.q-31
ii  netbase  6.3
ii  rsyslog [system-log-daemon]  8.2102.0-2+deb11u1

inetutils-ftpd recommends no packages.

inetutils-ftpd suggests no packages.

Bug#1060463: O: django-impersonate -- Django module for superusers to impersonate accounts

[Scott Kitterman]

Package: wnpp
Severity: normal
X-Debbugs-Cc: debian-pyt...@lists.debian.org
Control: affects -1 src:django-impersonate

Orphaning the package on behalf of the Debian Python Team as the sole
uploader (no one else on the team expressed interest in taking over and
I no longer use the package).

Currently the package is in good shape.  There is a new upstream release
available, which I will include in the upload that changes the maintainer to
Debian QA Group.

Scott K

Bug#1060427: python3-appdirs: Do not release with trixie

[Scott Kitterman]

Package: python3-appdirs
Version: 1.4.4-4
Severity: serious
Justification: maintainer determination

This is dead upstream and easily replacable with platformdirs.  Rather
than release trixie with appdirs, remaining users should port to
platformdirs instead.

Scott K

Bug#1060406: O: django-organizations -- Django groups and multi-user account management module

[Scott Kitterman]

Package: wnpp
Severity: normal
X-Debbugs-Cc: debian-pyt...@lists.debian.org
Control: affects -1 src:django-organizations

Orphaning the package on behalf of the Debian Python Team as the sole
uploader (no one else on the team expressed interest in taking over and
I no longer use the package).

Currently the package is in good shape.  There is a new upstream release
available, which I will probably include in the upload that changes the
maintainer to Debian QA Group.

Scott K

Bug#1057852: haskell-pandoc: please upgrade to at least v3.1.2

[Scott Talbert]

On Sat, 09 Dec 2023 17:16:41 +0100 Jonas Smedegaard 
wrote:
> Source: haskell-pandoc
> Version: 3.0.1-3
> Severity: normal
> Tags: upstream
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> 
> Pandoc 3.0.1 is almost a year old.
> 
> It seems that upgrading to 3.1.2 involves no upgrades to any of its
> dependencies, and upgrading further involves only few dependencies:
> 
>   * upgrade to 3.1.2
>   * upgrade to 3.1.3
> when needed Haskell libraries are in Debian:
> + typst >= 0.1  && < 0.2
>   * upgrade to 3.1.4
> when needed Haskell libraries are in Debian:
> + crypton-connection    >= 0.3.1    && < 0.4
>   * upgrade to 3.1.6.2
> when needed Haskell libraries are in Debian:
> + typst >= 0.3.2.0  && < 0.3.3

Replying here as per your request.

Unfortunately, updating to haskell-pandoc 3.1.2 does not involve
updating no dependencies - it requires an update to pandoc-lua-engine,
which requires adding two new packages, isocline and hslua-repl.  I
went ahead and added these packages, as well as typst, so we should be
able to update to 3.1.3 soon.  Adding crypton-connection is going to be
a bit more challenging as it requires an update to tls, which is used
by several other packages, so I'm not sure if that's going to be easy.

BTW, you didn't really address my question about updating the version
of src:haskell-pandoc in relation to the version of src:pandoc (having
nothing to do with the dependencies of src:haskell-pandoc).  Just the
version number.

Scott

Bug#1059230: Stable Updates Available

[Scott Kitterman]

Updated packages are available from stable/oldstable-updates.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1059230: Proposed Postfix SUA Text

[Scott Kitterman]

Looks good to me.

Thanks,

Scott K

On December 29, 2023 11:29:21 AM UTC, Jonathan Wiltshire  
wrote:
>On Thu, Dec 28, 2023 at 03:31:55PM -0500, Scott Kitterman wrote:
>> Postfix is a High-performance mail transport agent.
>> 
>> Upstream published versions 3.5.23 and 3.7.9.
>> 
>> These are bug-fix releases. The changes are not currently required for 
>> operation, but upstream strongly recommends that users update.
>> 
>> Changes since 3.5.18 and 3.7.6 currently in bullseye and bookworm include 
>> fixes 
>> for multiple implementation defects identified since these packages were 
>> last 
>> updated, see debian/changelog for details.  Of particular note is a new 
>> optional feature to prevent 'SMTP Smuggling' attacks.  It is disabled by 
>> default.  A configuration change is required to enable this protection [1].
>> 
>> If you use postfix, we recommend that you install this update.
>> 
>> [1] https://www.postfix.org/smtp-smuggling.html
>
>The important part is the CVE fix with config change requirement, no? How
>about this, rephrasing to shift the emphasis:
>
>| Postfix is a high-performance mail transport agent.
>| 
>| This update consists of recommended upstream bug fixes since the versions
>| in bullseye and bookworm. In particular, a fix for CVE-2023-51764 (SMTP
>| smuggling) requires a configuration change to take full effect.
>| 
>| The configuration change is not done automatically to avoid causing
>| issues with existing installations. Users should consult the relevant
>| Postfix documentation [1] before setting "smtpd_forbid_bare_newline = yes"
>| in the main.cf file.
>| 
>|  1: https://www.postfix.org/smtp-smuggling.html
>
>If you are able to comment before 13:00 UTC I can get it out this
>afternoon.
>
>Thanks,
>
>

Bug#1059230: Proposed Postfix SUA Text

[Scott Kitterman]

Postfix is a High-performance mail transport agent.

Upstream published versions 3.5.23 and 3.7.9.

These are bug-fix releases. The changes are not currently required for 
operation, but upstream strongly recommends that users update.

Changes since 3.5.18 and 3.7.6 currently in bullseye and bookworm include fixes 
for multiple implementation defects identified since these packages were last 
updated, see debian/changelog for details.  Of particular note is a new 
optional feature to prevent 'SMTP Smuggling' attacks.  It is disabled by 
default.  A configuration change is required to enable this protection [1].

If you use postfix, we recommend that you install this update.

[1] https://www.postfix.org/smtp-smuggling.html

signature.asc
Description: This is a digitally signed message part.

Bug#1059500: bullseye-pu: package postfix/3.5.18-0+deb11u1

[Scott Kitterman]

  smtp/smtp_proto.c, tls/tls.h, tls/tls_proxy_client_misc.c,
  tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
  tls/tls_proxy.h, tlsproxy/tlsproxy.c.
- Cleanup: reverted cosmetic-only changes to minimize the
  patch footprint for OpenSSL INI file support; updated daemon
  manpages with the new tls_config_file and tls_config_name
  configuration parameters. Files: smtp/smtp.c, smtpd/smtpd.c,
  tls/tls_client.c, tls/tls.h, tls/tls_server.c, tlsproxy/tlsproxy.c,
- Cleanup: made OpenSSL 'default' INI file support error
  handling consistent with OpenSSL default behavior. Viktor
  Dukhovni. Files: proto/postconf.proto, tls/tls_misc.c.
- Backwards compatibility for stable releases that originally
  had no OpenSSL INI support. Skip the new OpenSSL INI support
  code, unless the Postfix configuration actually specifies
  non-default tls_config_xxx settings. File: tls/tls_misc.c.
- Cleanup: added a multiple initialization guard in the
  tls_library_init() function, and made an initialization
  error sticky. File: tls/tls_misc.c.
- Security: new parameter smtpd_forbid_unauth_pipelining
  (default: no) to disconnect remote SMTP clients that violate
  RFC 2920 (or 5321) command pipelining constraints. Files:
  global/mail_params.h, smtpd/smtpd.c, proto/postconf.proto.
  * 3.5.21
- Bugfix (bug introduced: 20140218): when opportunistic TLS fails
  during or after the handshake, don't require that a probe
  message spent a minimum time-in-queue before falling back to
  plaintext. Problem reported by Serg. File: smtp/smtp.h.
- Bugfix (defect introduced: 19980207): the valid_hostname()
  check in the Postfix DNS client library was blocking unusual
  but legitimate wildcard names (*.name) in some DNS lookup
  results and lookup requests. Examples:
 name  class/type value
   *.one.example   IN CNAME *.other.example
   *.other.example IN A 10.0.0.1
   *.other.example IN TLSA  ..certificate info...
  Such syntax is blesed in RFC 1034 section 4.3.3.
  This problem was reported first in the context of TLSA
  record lookups. Files: util/valid_hostname.[hc],
  dns/dns_lookup.c.
  * 3.5.22
- Bugfix (defect introduced Postfix 2.5, 20080104): the Postfix
  SMTP server was waiting for a client command instead of
  replying immediately, after a client certificate verification
  error in TLS wrappermode. Reported by Andreas Kinzler. File:
  smtpd/smtpd.c.
- Usability: the Postfix SMTP server now attempts to log the
  SASL username after authentication failure. In Postfix
  logging, this appends ", sasl_username=xxx" after the reason
  for SASL authentication failure. The logging replaces an
  unavailable reason with "(reason unavailable)", and replaces
  an unavailable sasl_username with "(unavailable)". Based
  on code by Jozsef Kadlecsik. Files: xsasl/xsasl_server.c,
  xsasl/xsasl_cyrus_server.c, smtpd/smtpd_sasl_glue.c.
- Bugfix (defect introduced: Postfix 2.11): in forward_path,
  the expression ${recipient_delimiter} would expand to an
  empty string when a recipient address had no recipient
  delimiter. Fixed by restoring Postfix 2.10 behavior to use
  a configured recipient delimiter value. Reported by Tod
  A. Sandman. Files: proto/postconf.proto, local/local_expand.c.
  * 3.5.23 (Closes: #1059230)
- Addresses CVE-2023-51764, requires configuration change
- Security: with "smtpd_forbid_bare_newline = yes" (default
  "no" for Postfix < 3.9), reply with "Error: bare 
  received" and disconnect when an SMTP client sends a line
  ending in , violating the RFC 5321 requirement that
  lines must end in . This prevents SMTP smuggling
  attacks that target a recipient at a Postfix server. For
  backwards compatibility, local clients are excluded by
  default with "smtpd_forbid_bare_newline_exclusions =
  $mynetworks". Files: mantools/postlink, proto/postconf.proto,
  global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,

[ Other info ]
The bulk of the diff is dcoumentation updates related to the documented
code changes.  The actual code changes start ~ line 2100 in the diff.

The CVE fix requires a configuration change, which is not set be default
as it would likely break some configuratins.  We should be sure to
mention that in the SUA.

Scott K