Bug#704528: Please include new resolvconf hook script which handles multiple postfix instances

[Scott Kitterman]

On Tue, 23 May 2017 01:39:54 -0400 Scott Kitterman  
wrote:
> On Tue, 2 Apr 2013 15:32:44 +0200 Thomas Hood  wrote:
> > Package: postfix
> > Version: 2.9.6-2
> > Severity: wishlist
> > Tags: patch
> > 
> > Attached is a new resolvconf update hook script
> > (/etc/resolvconf/update-libc.d/postfix) which handles multiple postfix
> > instances. Please include it instead of the existing script.
> > 
> > Thanks to Patrik Båt for writing this.
> 
> I think that as of 3.1.4-5, this is not needed any longer when using the 
> default init system.  Please check and let us know if you think differently.
> 
> Scott K

I think 7 years is long enough to wait, so closing.  If this is still an 
issue, please file a new bug with current information.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1074759: O: aiodns -- Asynchronous DNS resolver library for Python 3

[Scott Kitterman]

Package: wnpp
Severity: normal
X-Debbugs-Cc: aio...@packages.debian.org, debian-pyt...@lists.debian.org
Control: affects -1 + src:aiodns

I intend to orphan the aiodns package.

The package description is:
 aiodns provides a simple way for doing asynchronous DNS resolutions with a
 synchronous looking interface, using pycares.

I am no longer interested in maintaining this package and the other
theorectical uploader is long inactive.

Scott K

Bug#1074758: O: pycares -- Python interface for c-ares (common documentation)

[Scott Kitterman]

Package: wnpp
Severity: normal
X-Debbugs-Cc: pyca...@packages.debian.org, debian-pyt...@lists.debian.org
Control: affects -1 + src:pycares

I intend to orphan the pycares package.

The package description is:
 pycares is a Python 3 module which provides an interface to c-ares. c-ares is
 a C library that performs DNS requests and name resolutions asynchronously.

I no longer have interest in maintaining it and the other theorectical
uploader is long inactive.

Scott K

Bug#1073869: RM: python-zxcvbn -- ROM; Unmaintained, depends on obsolete libs

[Scott Kitterman]

Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: python-zxc...@packages.debian.org, team-pyt...@tracker.debian.org
Control: affects -1 + src:python-zxcvbn


This depends on pypdf2 which has been removed from Testing and will be
removed from the archive.  It appears unmaintained both in Debian and
upstream.

Scott K

Bug#1070718: ITP: python-gfloat -- Python module of generic floating point encode/decode logic

[Scott Kitterman]

Package: wnpp
Severity: wishlist
Owner: Scott Kitterman 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: python-gfloat
  Version : 0.1
  Upstream Contact: Andrew Fitzgibbon 
* URL : https://github.com/graphcore-research/gfloat
* License : Expat
  Programming Lang: Python
  Description : Python module of generic floating point encode/decode logic

 An implementation of generic floating point encode/decode logic, handling
 various current and proposed floating point types:
 .
   - IEEE 754: Binary16, Binary32
   - OCP Float8: E5M2, E4M3
   - IEEE WG P3109: P{p} for p in 1..7
   - OCP MX Formats: E2M1, M2M3, E3M2, E8M0, INT8, and the MX block formats.
 .
 The library favours readability and extensibility over speed - for fast
 implementations of these datatypes see, for example, ml_dtypes, bitstring, MX
 PyTorch Emulation Library.

I intend to maintain this as part of the Debian Python Team.  It's
needed to run tests for the newest version of python-bitstring.

Scott K

Bug#1070638: kde-spectacle: Build-depends on NBS libkcolorpicker-dev

[Scott Kitterman]

On Mon, 06 May 2024 10:33:54 -0400 Scott Kitterman  
wrote:
> Source: kde-spectacle
> Version: 22.12.3-1
> Severity: serious
> Tags: ftbfs
> Justification: fails to build from source (but built successfully in the 
past)
> 
> Once kcolorpicker is decrufted, this package will FTBFS.  Please update
> your build-depends.

Also libkimageannotator-dev needs updating.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1070638: kde-spectacle: Build-depends on NBS libkcolorpicker-dev

[Scott Kitterman]

Source: kde-spectacle
Version: 22.12.3-1
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)

Once kcolorpicker is decrufted, this package will FTBFS.  Please update
your build-depends.

Scott K

Bug#1070116: python-zeep: Build-depends on NBS libraries libxmlsec1 and libxmlsec1-openssl

[Scott Kitterman]

Source: python-zeep
Version: 4.2.1-1
Severity: serious
Tags: ftbfs
Justification: fails to build from source

Once xmlsec1 is decrufted, python-zeep will FTBFS.  The build-depends
need to be updated to libxmlsec1t64 and libxmlsec1t64-openssl.

Scott K

Bug#1070062: waylandpp: Missing build-depends libwayland-egl1-mesa

[Scott Kitterman]

Source: waylandpp
Version: 1.0.0-4
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)

The libwayland-egl1-mesa package was a transitional package for libegl1 and
libwayland-egl1 and has been removed.  You will need to update your
build-depends appropriately.

Scott K

Bug#1069986: dublin-traceroute: Manual build-depends on NBS package libtins4.0

[Scott Kitterman]

Source: dublin-traceroute
Version: 0.4.2-2
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)

The package has a manual build-depends on libtins4.0, which is NBS.  It
has been renamed libtins4.5.  Once it is decrufted, this package will
FTBFS.

Scott K

Bug#1069985: python-cobra: Manual build-depends on NBS package libsbml5

[Scott Kitterman]

Source: python-cobra
Version: 0.26.2-1
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)

The package build-depends on the NBS package libsbml5.  It has been
renamed libsbml5t64.  Once the package is decrufted, this one will
FTBFS.

Please update your build-depends.

Scott K

Bug#1069984: alire: Build-depends on NBS package libgnatcoll21-dev

[Scott Kitterman]

Source: alire
Version: 1.2.1-1
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)

The package libgnatcoll21-dev has been renamed to libgnatcoll-dev.  Once
libgnatcoll21-dev is decfufted, it will FTBFS.  Please update your build
depends.

Scott K

Bug#1069983: dwarf-fortress: Manual build-depends on NBS package libgtk2.0-0

[Scott Kitterman]

Source: dwarf-fortress
Version: 0.47.04+dfsg1-1
Severity: serious
Tags: ftbfs
Justification: fails to build from source

The package has a manual build-depends on libgtk2.0-0, which has been
replaced by libgtk2.0-0t64.  Once it has been decrufted, the package
will no longer build.

Scott K

Bug#1069982: theli: Manual build-depends on NBS package libcurl4

[Scott Kitterman]

Source: theli
Version: 3.1.4-1
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)

Once libcurl4 is decrufted, the package will no longer build.  The
libcurl4 package has been replaced by libcurl4t64.

Scott K

Bug#1069963: python-nbxmpp: Build-depends on NBS package libglib2.0-0

[Scott Kitterman]

Source: python-nbxmpp
Version: 4.5.4-1
Severity: serious
Tags: ftbfs
Justification: fails to build from source

This package has a hard coded build-depends on libglib2.0-0, which is
NBS and the package will FTBFS once it is decrufted.  It was renamed
libglib2.0-0t64 as part of the 64 bit time transition.

Please update your build-depends.

Scott K

Bug#1069004: casacore-data-services: Hard coded build-depends on decrufted lib libcasa-meas7

[Scott Kitterman]

Package: casacore-data-services
Version: 2-4
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)

Will now FTBFS due to missing build-depends.

Scott K

Bug#1065623: reverse dependencies

[Scott Kitterman]

On Mon, 25 Mar 2024 18:48:44 + (UTC) Thorsten Alteholz 
 wrote:
> Control: tags -1 + moreinfo
> 
> Hi,
> 
> there are reverse dependencies that need to be taken care of:
> 
> 
> Checking reverse dependencies...
> # Broken Depends:
> baresip: baresip-x11
> 
> # Broken Build-Depends:
> baresip: libomxil-bellagio-dev
> kodi: libomxil-bellagio-dev
> vlc: libomxil-bellagio-dev
> 
> 
> In case they matter, this needs to be addressed first. Please remove the 
> moreinfo tag once that is done.
> 
>Thorsten

Baresip is not resolved in Unstable.  Please don't remove the moreinfo tag 
again until ALL the rdepends are taken care of.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1063772: postfix-mysql upgrade add map in dynamicmaps.cf after postfix restart

[Scott Kitterman]

The next postfix upload to unstable should address this by using a trigger to 
restart postfix any time one of the map type packages is configured.

Scott K

Bug#1029735: pypdf2 is deprecated, please move from python3-pypdf2 to python3-pypdf

[Scott Kitterman]

On Sun, 21 Jan 2024 12:09:30 -0500 Scott Kitterman  
wrote:

> As we approach the first anniversary for this bug, an update:
> 
> I've recently adopted pypdf and pypdf2 into the Debian Python Team in 
response 
> to an RFA for both packages.  As these are somewhat security sensitive 
> packages (among my first acts after adopting the packages was to upload 
> proposed updates for both to address minor security issues in Bookworm in 
the 
> next point release - same bug in both), I do not think we should release 
> pypdf2 in Trixie and have filed an RC bug to that effect.
> 
> If you want this package to be in Trixie, you will need to use pypdf instead 
> of pypdf2.

Now that pypdf2 has been removed from Trixie, bumping to serious.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1029738: pypdf2 is deprecated, please move from python3-pypdf2 to python3-pypdf

[Scott Kitterman]

On Sun, 21 Jan 2024 12:19:23 -0500 Scott Kitterman  
wrote:

> As we approach the first anniversary for this bug, an update:
> 
> I've recently adopted pypdf and pypdf2 into the Debian Python Team in 
response 
> to an RFA for both packages.  As these are somewhat security sensitive 
> packages (among my first acts after adopting the packages was to upload 
> proposed updates for both to address minor security issues in Bookworm in 
the 
> next point release - same bug in both), I do not think we should release 
> pypdf2 in Trixie and have filed an RC bug to that effect.
> 
> If you want this package to be in Trixie, you will need to use pypdf instead 
> of pypdf2.

Now that pypdf2 is removed from Trixie, bumping to serious.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1061261: odoo: Uses deprecated/to be removed PyPDF2

[Scott Kitterman]

On Sun, 21 Jan 2024 12:17:53 -0500 Scott Kitterman  
wrote:

> I've recently adopted pypdf and pypdf2 into the Debian Python Team in 
response to an RFA for both packages.  As these are somewhat security 
sensitive packages (among my first acts after adopting the packages was to 
upload proposed updates for both to address minor security issues in Bookworm 
in the next point release - same bug in both), I do not think we should 
release pypdf2 in Trixie and have filed an RC bug to that effect.
> 
> If you want this package to be in Trixie, you will need to use pypdf instead 
of pypdf2.

Now that pypdf2 is removed from Trixie, updating to serious.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1029734: pypdf2 is deprecated, please move from python3-pypdf2 to python3-pypdf

[Scott Kitterman]

On Sun, 21 Jan 2024 12:08:35 -0500 Scott Kitterman  
wrote:

> As we approach the first anniversary for this bug, an update:
> 
> I've recently adopted pypdf and pypdf2 into the Debian Python Team in 
response 
> to an RFA for both packages.  As these are somewhat security sensitive 
> packages (among my first acts after adopting the packages was to upload 
> proposed updates for both to address minor security issues in Bookworm in 
the 
> next point release - same bug in both), I do not think we should release 
> pypdf2 in Trixie and have filed an RC bug to that effect.
> 
> If you want this package to be in Trixie, you will need to use pypdf instead 
> of pypdf2.

Now that pypdf2 has been removed from Trixie, bumping to serious.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1029733: pypdf2 is deprecated, please move from python3-pypdf2 to python3-pypdf

[Scott Kitterman]

On Sun, 21 Jan 2024 12:07:19 -0500 Scott Kitterman  
wrote:
> As we approach the first anniversary for this bug, an update:
> 
> I've recently adopted pypdf and pypdf2 into the Debian Python Team in 
response 
> to an RFA for both packages.  As these are somewhat security sensitive 
> packages (among my first acts after adopting the packages was to upload 
> proposed updates for both to address minor security issues in Bookworm in 
the 
> next point release - same bug in both), I do not think we should release 
> pypdf2 in Trixie and have filed an RC bug to that effect.
> 
> If you want this package to be in Trixie, you will need to use pypdf instead 
> of pypdf2.

Now that pypdf2 is removed from Trixie, bumping to serious.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1061264: ocrmypdf: Uses deprecated/to be removed pypdf2 in autopkgtest

[Scott Kitterman]

On Sun, 21 Jan 2024 13:14:34 -0500 Scott Kitterman  
wrote:
> Source: ocrmypdf
> Version: 15.2.0+dfsg1-1
> Severity: wishlist
> 
> I've recently adopted pypdf and pypdf2 into the Debian Python Team in 
response to an RFA for both packages.  As these are somewhat security 
sensitive packages (among my first acts after adopting the packages was to 
upload proposed updates for both to address minor security issues in Bookworm 
in the next point release - same bug in both), I do not think we should 
release pypdf2 in Trixie and have filed an RC bug to that effect.
> 
> ocrmypdf uses the package in debian/tests/control.  Please update to use
> python3-pypdf insteadm.

Pypdf2 has been removed from testing, so this is now serious.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1067051: python3-fs: Switch from appdirs to platformdirs

[Scott Kitterman]

Package: python3-fs
Version: 2.4.16-2
Severity: important

Python3-fs uses python3-appdirs, which is dead upstream.  It is being
replaced by python3-platformdirs.  As a maintainer of appdirs, I would
prefer that we do not release Trixie with appdirs.  As far as I can
tell, python3-fs is the only critical package that uses it, so if
python3-fs were ported to platformdirs, it could be removed.

I investigated and it's more than just s/appdirs/platformdirs// for some
reason (mostly that is all that's needed to port to platformdirs).
Upstream for fs looks pretty dead, so it may be a long wait for an
upstream solution.

Scott K

Bug#1066838: hplip: Files remain after purge

[Scott Kitterman]

Package: hplip
Version: 3.22.10+dfsg0-2
Severity: important

After removing and then purging hplip, the __pycache__ directories
remain.

# apt purge hplip
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be REMOVED:
  hplip*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
(Reading database ... 358577 files and directories currently installed.)
Purging configuration files for hplip (3.22.10+dfsg0-2) ...
Processing triggers for dbus (1.14.10-1~deb12u1) ...

# ls -R /usr/share/hplip/
/usr/share/hplip/:
base  copier  fax  installer  pcard  prnt  __pycache__  scan  ui5

/usr/share/hplip/base:
pexpect  __pycache__

/usr/share/hplip/base/pexpect:
__pycache__

/usr/share/hplip/base/pexpect/__pycache__:

/usr/share/hplip/base/__pycache__:

/usr/share/hplip/copier:
__pycache__

/usr/share/hplip/copier/__pycache__:

/usr/share/hplip/fax:
__pycache__

/usr/share/hplip/fax/__pycache__:

/usr/share/hplip/installer:
__pycache__

/usr/share/hplip/installer/__pycache__:

/usr/share/hplip/pcard:
__pycache__

/usr/share/hplip/pcard/__pycache__:

/usr/share/hplip/prnt:
__pycache__

/usr/share/hplip/prnt/__pycache__:

/usr/share/hplip/__pycache__:

/usr/share/hplip/scan:
__pycache__

/usr/share/hplip/scan/__pycache__:

/usr/share/hplip/ui5:
__pycache__

/usr/share/hplip/ui5/__pycache__:

Scott K


-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-18-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages hplip depends on:
ii  adduser3.134
ii  cups   2.4.2-3+deb12u5
pn  hplip-data 
ii  libc6  2.36-9+deb12u4
ii  libcups2   2.4.2-3+deb12u5
ii  libdbus-1-31.14.10-1~deb12u1
ii  libhpmud0  3.22.10+dfsg0-2
ii  libpython3.11  3.11.2-6
pn  libsane-hpaio  
ii  libsane1   1.2.1-2
ii  lsb-base   11.6
ii  printer-driver-hpcups  3.22.10+dfsg0-2
ii  python33.11.2-1+b1
ii  python3-dbus   1.3.2-4+b1
ii  python3-gi 3.42.2-3+b1
pn  python3-pexpect
ii  python3-pil9.4.0-1.1+b1
pn  python3-reportlab  
ii  sysvinit-utils [lsb-base]  3.06-4
ii  wget   1.21.3-1+b2
ii  xz-utils   5.4.1-0.2

Versions of packages hplip recommends:
ii  avahi-daemon  0.8-10
ii  policykit-1   122-3
ii  printer-driver-postscript-hp  3.22.10+dfsg0-2
ii  sane-utils1.2.1-2

Versions of packages hplip suggests:
pn  hplip-doc  
pn  hplip-gui  
ii  python3-notify20.3-5
ii  system-config-printer  1.5.18-1

Bug#1063771: Also needed for aioquic

[Scott Kitterman]

This is starting to affect a lot of things.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1065312: RM: deborphan -- ROM; missing too many dpkg features, thus broken and unreliable

[Scott Kitterman]

On March 10, 2024 3:23:32 PM UTC, "Martin-Éric Racine" 
 wrote:
>On Sat, 2 Mar 2024 18:40:13 +0100 Chris Hofstaedtler  wrote:
>> * Christoph Biedl  [240302 17:02]:
>> > Chris Hofstaedtler wrote...
>> >
>> > > please remove deborphan. It is stuck, featurewise, in a very old time
>> > > and does not support many currently available dpkg features properly
>> > > (multi-arch, versioned provides, etc).
>> >
>> > FWIW, deborphan is part of my regular workflow, and while you claim
>> > it has defects, it works for me pretty well.
>>
>> It works "well" if you use it in very limited usecases, yes (like I
>> did). It doesn't seem to work well for a lot of people using more of
>> the "features" it has.
>
>Just because it doesn't work for everyone is not a remotely good
>enough reason to ask for its removal. It works for most people. don't
>break it for them.
>
>> The t64 transition will apparently make deborphan mostly useless in
>> trixie.
>>
>> > [..]
>> > So: What are the alternatives? How do they work? Are they a drop-in
>> > replacment or do they introduce new dependencies? Are there feature that
>> > will be no longer supported?
>>
>> release-notes recommends:
>> https://www.debian.org/releases/stable/amd64/release-notes/ch-upgrading.en.html#removing-non-debian-packages
>
>Which has nothing to do with what was asked.
>
>> Some people seem to recommend debfoster.
>
>Which really doesn't provide similar functionality.
>
>> > Leaving users in the void about this is just bad style.
>
>I totally agree. Not wanting to maintain it is a shitty reason for
>asking for its removal. If you don't wanna maintain is, just orphan
>it.


It's really a maintainer call if that's appropriate.  So far no one has jumped 
up to ask if they can take over the package.

Scott K

Bug#1065158: postfix: FTBFS: missing build-dep on libnsl-dev

[Scott Kitterman]

On Fri, 01 Mar 2024 11:33:37 +0100 Aurelien Jarno  wrote:
> Source: postfix
> Version: 3.8.5-1
> Severity: serious
> Tags: ftbfs
> Justification: fails to build from source (but built successfully in the 
past)
> User: debian-gl...@lists.debian.org
> Usertags: libnsl-dev
> 
> Dear maintainer,
> 
> Starting with glibc 2.31, support for NIS (libnsl library) has been
> moved to a separate libnsl2 package. In order to allow a smooth
> transition, a libnsl-dev has been added to the libc6-dev package.
> 
> This dependency has been temporarily dropped in the 2.37-15.1 NMU, as
> part of the 64-bit time_t transition. This causes postfix to FTBFS in
> sid with:
> 
> | gcc -fPIC -I. -I../../include -DDEBIAN -DHAS_PCRE=2 -DHAS_LDAP -
DUSE_LDAP_SASL -DHAS_SQLITE -DMYORIGIN_FROM_FILE -DHAS_CDB -DHAS_LMDB -
DHAS_MYSQL -I/usr/include/mysql -DHAS_PGSQL -I/usr/include/postgresql -
DHAS_SQLITE -DHAS_SSL -I/usr/include/openssl -DUSE_SASL_AUTH -I/usr/include/
sasl -DUSE_CYRUS_SASL -DUSE_TLS -DHAS_DEV_URANDOM -DDEF_DAEMON_DIR=\"/usr/lib/
postfix/sbin\" -DDEF_HTML_DIR=\"/usr/share/doc/postfix/html\" -
DDEF_MANPAGE_DIR=\"/usr/share/man\" -DDEF_README_DIR=\"/usr/share/doc/postfix\" 
-DUSE_DYNAMIC_LIBS -DUSE_DYNAMIC_MAPS -Wmissing-prototypes -Wformat -Wno-
comment -fno-common -fPIC  -Wdate-time -D_FORTIFY_SOURCE=2 -U_FORTIFY_SOURCE -
D_FORTIFY_SOURCE=3 -g -O2 -ffile-prefix-map=/<>=. -flto=auto -ffat-
lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -
Werror=format-security -fcf-protection -flto=auto -ffat-lto-objects 
-Wl,-z,relro 
-Wl,-z,now -I. -DLINUX6 -c dict_nis.c
> | dict_nis.c:42:10: fatal error: rpcsvc/ypclnt.h: No such file or directory
> |42 | #include 
> |   |  ^
> | compilation terminated.
> | make: *** [Makefile:220: dict_nis.o] Error 1
> | make: *** Waiting for unfinished jobs
> | make: Leaving directory '/<>/src/util'
> | make[2]: *** [Makefile:114: update] Error 1
> | make[2]: Leaving directory '/<>'
> | dh_auto_build: error: make -j3 "INSTALL=install --strip-program=true" 
returned exit code 2
> | make[1]: *** [debian/rules:90: override_dh_auto_build] Error 25
> | make[1]: Leaving directory '/<>'
> | make: *** [debian/rules:63: binary] Error 2
> 
> This could be fixed by adding an explicit Build-Depends on libnsl-dev.
> The glibc change will likely be reverted in the short term, but given
> its a change we want to do for Trixie, this will only lower the severity
> of the bug.

This doesn't currently cause a FTBFS in Testing and it's fixed in Unstable, so 
lowering severity to important.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1065743: bullseye-pu: package postfix/3.5.24-0+deb11u1

[Scott Kitterman]

stfix SMTP server response with an empty
+  authentication failure reason. File: smtpd/smtpd_sasl_glue.c.
+- Bugfix (defect introduced: Postfix 3.1, date: 20151128):
+  "postqueue -j" produced broken JSON when escaping a control
+  character as \u. Found during code maintenance. File:
+  postqueue/showq_json.c.
+- Cleanup: posttls-finger certificate match expectations for
+  all TLS security levels, including warnings for levels that
+  don't implement certificate matching. Viktor Dukhovni.
+  File: posttls-finger.c. 
+- Bugfix (defect introduced: Postfix 2.3): after prepending
+  a message header with a Postfix access table PREPEND action,
+  a Milter request to delete or update an existing header
+  could have no effect, or it could target the wrong instance
+  of an existing header. Root cause: the fix dated 20141018
+  for the Postfix Milter client was incomplete. The client
+  did correctly hide the first, Postfix-generated, Received:
+  header when sending message header information to a Milter
+  with the smfi_header() application callback function, but
+  it was still hiding the first header (instead of the first
+  Received: header) when handling requests from a Milter to
+  delete or update an existing header. Problem report by
+  Carlos Velasco. This change was verified to have no effect
+  on requests from a Milter to add or insert a header. File:
+  cleanup/cleanup_milter.c.
+- Workaround: tlsmgr logfile spam. Some OS lies under load:
+  it says that a socket is readable, then it says that the
+  socket has unread data, and then it says that read returns
+  EOF, causing Postfix to spam the log with a warning message.
+  File: tlsmgr/tlsmgr.c.
+- Bugfix (defect introduced: Postfix 3.4): the SMTP server's
+  BDAT command handler could be tricked to read $message_size_limit
+  bytes into memory. Found during code maintenance. File:
+  smtpd/smtpd.c.
+- Performance: eliminate worst-case behavior where the queue
+  manager defers delivery to all destinations over a specific
+  delivery transport, after only a single delivery agent
+  failure. The scheduler now throttles one destination, and
+  allows deliveries to other destinations to keep making
+  progress. Files: *qmgr/qmgr_deliver.c.
+- Safety: drop and log over-size DNS responses resulting in
+  more than 100 records. This 20x larger than the number of
+  server addresses that the Postfix SMTP client is willing
+  to consider when delivering mail, and is well below the
+  number of records that could cause a tail recursion crash
+  in dns_rr_append() as reported by Toshifumi Sakaguchi. This
+  also limits the number of DNS requests from check_*_*_access
+  restrictions. Files: dns/dns.h, dns/dns_lookup.c, dns/dns_rr.c,
+  dns/test_dns_lookup.c, posttls-finger/posttls-finger.c,
+  smtp/smtp_addr.c, smtpd/smtpd_check.c.
+
+ -- Scott Kitterman   Sat, 09 Mar 2024 10:38:51 -0500
+
 postfix (3.5.24-0+deb11u1) bullseye; urgency=medium
 
   [Wietse Venema]
diff -Nru postfix-3.5.24/HISTORY postfix-3.5.25/HISTORY
--- postfix-3.5.24/HISTORY  2024-01-19 14:16:32.0 -0500
+++ postfix-3.5.25/HISTORY  2024-02-27 15:58:22.0 -0500
@@ -25433,3 +25433,83 @@
Files: mantools/postlink, proto/postconf.proto,
global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
smtpd/smtpd.c, smtpd/smtpd_check.[hc].
+
+20231102
+
+   Bugfix (defect introduced: Postfix 2.3, date 20051222): the
+   Dovecot auth client did not reset the 'reason' from  a
+   previous Dovecot auth service response, before parsing the
+   next Dovecot auth server response in the same SMTP session.
+   Reported by Stephan Bosch, File: xsasl/xsasl_dovecot_server.c.
+
+20231105
+
+   Cleanup: Postfix SMTP server response with an empty
+   authentication failure reason. File: smtpd/smtpd_sasl_glue.c.
+
+20231208
+
+   Bugfix (defect introduced: Postfix 3.1, date: 20151128):
+   "postqueue -j" produced broken JSON when escaping a control
+   character as \u. Found during code maintenance. File:
+   postqueue/showq_json.c.
+
+20231211
+
+   Cleanup: posttls-finger certificate match expectations for
+   all TLS security levels, including warnings for levels that
+   don't implement certificate matching. Viktor Dukhovni.
+   File: posttls-finger.c.
+
+20231213
+
+   Bugfix (defect introduced: Postfix 2.3): after prepending
+   a message header with a Postfix access table PREPEND action,
+   a Milter request to delete or update an existing header
+   could have no effect, or it could target the wrong instance
+   of an existing header. Root cause: the fix dated 20141018
+   for the Postfix Milter client was incomplete. The client
+   did correctly hid

Bug#1065562: bookworm-pu: package postfix/3.7.10-0+deb12u1

[Scott Kitterman]

  - Bugfix (defect introduced: Postfix 3.1, date: 20151128):
+  "postqueue -j" produced broken JSON when escaping a control
+  character as \u. Found during code maintenance. File:
+  postqueue/showq_json.c.
+- Cleanup: posttls-finger certificate match expectations for
+  all TLS security levels, including warnings for levels that
+  don't implement certificate matching. Viktor Dukhovni.
+  File: posttls-finger.c.
+- Bugfix (defect introduced: Postfix 2.3): after prepending
+  a message header with a Postfix access table PREPEND action,
+  a Milter request to delete or update an existing header
+  could have no effect, or it could target the wrong instance
+  of an existing header. Root cause: the fix dated 20141018
+  for the Postfix Milter client was incomplete. The client
+  did correctly hide the first, Postfix-generated, Received:
+  header when sending message header information to a Milter
+  with the smfi_header() application callback function, but
+  it was still hiding the first header (instead of the first
+  Received: header) when handling requests from a Milter to
+  delete or update an existing header. Problem report by
+  Carlos Velasco. This change was verified to have no effect
+  on requests from a Milter to add or insert a header. File:
+  cleanup/cleanup_milter.c.
+- Workaround: tlsmgr logfile spam. Some OS lies under load:
+  it says that a socket is readable, then it says that the
+  socket has unread data, and then it says that read returns
+  EOF, causing Postfix to spam the log with a warning message.
+  File: tlsmgr/tlsmgr.c.
+- Bugfix (defect introduced: Postfix 3.4): the SMTP server's
+  BDAT command handler could be tricked to read $message_size_limit
+  bytes into memory. Found during code maintenance. File:
+  smtpd/smtpd.c.
+- Performance: eliminate worst-case behavior where the queue
+  manager defers delivery to all destinations over a specific
+  delivery transport, after only a single delivery agent
+  failure. The scheduler now throttles one destination, and
+  allows deliveries to other destinations to keep making
+  progress. Files: *qmgr/qmgr_deliver.c.
+- Safety: drop and log over-size DNS responses resulting in
+  more than 100 records. This 20x larger than the number of
+  server addresses that the Postfix SMTP client is willing
+  to consider when delivering mail, and is well below the
+  number of records that could cause a tail recursion crash
+  in dns_rr_append() as reported by Toshifumi Sakaguchi. This
+  also limits the number of DNS requests from check_*_*_access
+  restrictions. Files: dns/dns.h, dns/dns_lookup.c, dns/dns_rr.c,
+  dns/test_dns_lookup.c, posttls-finger/posttls-finger.c,
+  smtp/smtp_addr.c, smtpd/smtpd_check.c. 
+
+ -- Scott Kitterman   Wed, 06 Mar 2024 10:10:14 -0500
+
 postfix (3.7.10-0+deb12u1) bookworm; urgency=medium
 
   [Wietse Venema]
diff -Nru postfix-3.7.10/HISTORY postfix-3.7.11/HISTORY
--- postfix-3.7.10/HISTORY  2024-01-19 11:52:30.0 -0500
+++ postfix-3.7.11/HISTORY  2024-02-27 15:58:54.0 -0500
@@ -26681,3 +26681,83 @@
Files: mantools/postlink, proto/postconf.proto,
global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
smtpd/smtpd.c, smtpd/smtpd_check.[hc].
+
+20231102
+
+   Bugfix (defect introduced: Postfix 2.3, date 20051222): the
+   Dovecot auth client did not reset the 'reason' from  a
+   previous Dovecot auth service response, before parsing the
+   next Dovecot auth server response in the same SMTP session.
+   Reported by Stephan Bosch, File: xsasl/xsasl_dovecot_server.c.
+
+20231105
+
+   Cleanup: Postfix SMTP server response with an empty
+   authentication failure reason. File: smtpd/smtpd_sasl_glue.c.
+
+20231208
+
+   Bugfix (defect introduced: Postfix 3.1, date: 20151128):
+   "postqueue -j" produced broken JSON when escaping a control
+   character as \u. Found during code maintenance. File:
+   postqueue/showq_json.c.
+
+20231211
+
+   Cleanup: posttls-finger certificate match expectations for
+   all TLS security levels, including warnings for levels that
+   don't implement certificate matching. Viktor Dukhovni.
+   File: posttls-finger.c.
+
+20231213
+
+   Bugfix (defect introduced: Postfix 2.3): after prepending
+   a message header with a Postfix access table PREPEND action,
+   a Milter request to delete or update an existing header
+   could have no effect, or it could target the wrong instance
+   of an existing header. Root cause: the fix dated 20141018
+   for the Postfix Milter client was incomplete. The client
+   did correctly hide the first, Postfix-generated, Received:
+   header when sending message header information to a Milte

Bug#1065312: RM: deborphan -- ROM; missing too many dpkg features, thus broken and unreliable

[Scott Kitterman]

Generally in the FTP Team we trust maintainer's judgement when it comes to 
deciding if a package should be removed rather than orphaned and left to rot.

I looked and it's been about 5 years since anyone other than Chris has uploaded 
the package and he's the only human maintainer.

It is both a feature and a bug that in Debian, we're all volunteers and can 
choose how we volunteer.

I don't see anyone volunteering to step up and take over, so in the end, the 
maintainer's judgement is what has to control.

Scott K

Bug#1063476: the sanesecurity configuration is not suitable for a release

[Scott Kitterman]

On Fri, 16 Feb 2024 09:17:40 -0500 Scott Kitterman  
wrote:
> On Thu, 8 Feb 2024 19:35:50 +0100 Marco d'Itri  wrote:
> > Source: fangfrisch
> > Version: 1.7.0-1
> > Severity: grave
> > Tags: upstream
> > 
> > Control: forwarded -1 https://github.com/rseichter/fangfrisch/issues/30
> > 
> > The sanesecurity section of default configuration, if enabled, relies on 
> > an unofficial HTTP mirror which is seriously overloaded and probably 
> > seriously expensive for their operators, since it is located in 
> > Australia.
> > The only other known HTTP mirror is mentioned on 
> > https://wiki.gentoo.org/wiki/ClamAV_Unofficial_Signatures, with a vague 
> > note about it being available to the public.
> > 
> > Until fangfrisch will implement rsync support, I do not think that it is 
> > safe to include fangfrisch in a Debian release due to the possible 
> > effect on unsuspecting third party mirrors.
> > 
> > This has also been discussed upstream:
> > https://github.com/rseichter/fangfrisch/issues/30
> 
> I don't know that I'd call this fixed upstream, since the package is not 
> directly using rsync, but the fact that he's now rsyncing from sanesecurity 
> and running his own mirror is progress (that only person he can DoS is 
> himself) is progress.
> 
> If we update to 1.8.0, I don't think we should mark this bug done, but it 
> might be reasonable to change the severity to Important.  What do you think?

Upon further reflection, I'm going to mark this as done in 1.8.0.  The specific 
issue raised in the bug is resolved.  Direct support for rsync would be 
better, but I think we've cleared this particular hurdle for releasability.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1063771: Please update to version 42, needed for new dnspython

[Scott Kitterman]

On Tue, 13 Feb 2024 18:30:42 -0500 Scott Kitterman  
wrote:
> On Tue, 13 Feb 2024 10:16:23 +0100 Jérémy Lal  wrote:
> > Will do, but right now there are a bunch of rust dependencies that need to
> > be upgraded.
> 
> Thanks,

I got a one release reprieve from the dnspython upstream, so I'm good with 
version 41, for now, but will definitely need 42 for the next release, which is 
nominally in a few months.

Appreciate your work on the package.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1063771: Please update to version 42, needed for new dnspython

[Scott Kitterman]

On Tue, 13 Feb 2024 10:16:23 +0100 Jérémy Lal  wrote:
> Will do, but right now there are a bunch of rust dependencies that need to
> be upgraded.

Thanks,

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1063821: bullseye-pu: package python-dnslib/0.9.14-1

[Scott Kitterman]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


[ Reason ]
Address no-dsa CVE.  CVE-2022-22846

[ Impact ]
Continued vulnerability to minor issue.

[ Tests ]
Package has tests which are run via autopkgtest and during the build.
Both pass locally with the added patch.

[ Risks ]
Risk is minimal.  Patch is from upstream and has been around for awhile
without known issues.  Change is trivial.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Add verify that the ID value in a DNS reply matches an ID value in a query.

[ Other info ]
I've only ever used this for running local tests to mock DNS responses,
which is not a case that's at risk for this issue, but it did occur to
me others may use it differently, so probably better to fix it.

Scott K
diff -Nru python-dnslib-0.9.14/debian/changelog 
python-dnslib-0.9.14/debian/changelog
--- python-dnslib-0.9.14/debian/changelog   2020-06-10 00:51:44.0 
-0400
+++ python-dnslib-0.9.14/debian/changelog   2024-02-12 19:43:55.0 
-0500
@@ -1,3 +1,9 @@
+python-dnslib (0.9.14-1+deb11u1) bullseye; urgency=medium
+
+  * Add d/p/0002-Validate-TXID-in-client.py.patch to address CVE-2022-22846
+
+ -- Scott Kitterman   Mon, 12 Feb 2024 19:43:55 -0500
+
 python-dnslib (0.9.14-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru 
python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch 
python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch
--- python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch   
1969-12-31 19:00:00.0 -0500
+++ python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch   
2024-02-12 19:42:50.0 -0500
@@ -0,0 +1,24 @@
+From: Scott Kitterman 
+Date: Sat, 12 Feb 2024 19:41:26 -0500
+Subject: Validate TXID in client.py
+Fixes CVE-2022-22846
+Origin: backport, 
https://github.com/paulc/dnslib/commit/76e8677699ed098387d502c57980f58da642aeba
+
+---
+ dnslib/client.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/dnslib/client.py b/dnslib/client.py
+index 628ea81..09572b6 100644
+--- a/dnslib/client.py
 b/dnslib/client.py
+@@ -76,6 +76,9 @@ if __name__ == '__main__':
+ a_pkt = q.send(address,port,tcp=args.tcp)
+ a = DNSRecord.parse(a_pkt)
+ 
++if q.header.id != a.header.id:
++raise DNSError('Response transaction id does not match query 
transaction id')
++
+ if a.header.tc and args.noretry == False:
+ # Truncated - retry in TCP mode
+ a_pkt = q.send(address,port,tcp=True)
diff -Nru python-dnslib-0.9.14/debian/patches/series 
python-dnslib-0.9.14/debian/patches/series
--- python-dnslib-0.9.14/debian/patches/series  2020-06-10 00:50:31.0 
-0400
+++ python-dnslib-0.9.14/debian/patches/series  2024-02-12 19:43:55.0 
-0500
@@ -1 +1,2 @@
 0001-Only-run-tests-for-python3.patch
+0002-Validate-TXID-in-client.py.patch

Bug#1063771: python-cryptography: Please update to version 42, needed for new dnspython

[Scott Kitterman]

Source: python-cryptography
Version: 41.0.7-3
Severity: wishlist

There is a new dnspython release candidate out, 2.6.0~rc1.  Typically,
final releases follow in a few weeks.  It has a hard requirement for
version 42 to continue to support dnssec, which is important.

It would be great if you could update the package so we can update
dnspython without losing dnssec support.

Thanks,

Scott K

Bug#1063752: custodian: Inappriate maintainer address

[Scott Kitterman]

Source: custodian
Version: 2024.1.9-2
Severity: serious
Justification: Policy 3.3

Policy 3.3 says that maintainer addresses must accept mail from Debian
role accounts.  This one, apparently, does not:

From:   debichem-devel-ow...@alioth-lists.debian.net
To: ftpmas...@ftp-master.debian.org
Sender: Debichem-devel 

List-Id:Debichem development list 

Date:   2/11/24 10:10 PM
Spam Status:Spamassassin 
You are not allowed to post to this mailing list From: a domain which
publishes a DMARC policy of reject or quarantine, and your message has
been automatically rejected.  If you think that your messages are
being rejected in error, contact the mailing list owner at
debichem-devel-ow...@alioth-lists.debian.net.

Scott K

Bug#1063723: bullseye-pu: package pypdf2/1.26.0-4

[Scott Kitterman]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Fixes two no-DSA CVE issues.

[ Impact ]
Continued low level security risk.

[ Tests ]
None that are run in the Debian package or autopkgtest.

[ Risks ]
Risk is low.  Code changes are relatively simple and were provided by
upstream.  These same two patches were previously released for LTS with
no known issues.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
  * Forward-port CVE fixes by LTS team
- CVE-2023-36810: Quadratic runtime with malformed PDF missing xref marker.
- Fix CVE-2022-24859:
Sebastian Krause discovered that manipulated inline images can force
PyPDF2, a pure Python PDF library, into an infinite loop, if a
maliciously crafted PDF file is processed.

[ Other info ]
This may show up as an NMU (lintian things so), but I'm the maintainer
now for Testing/Unstable.  I chose not to update the maintainer fields
in this update to keep it minimal to address the issues.

Scott K
diff -Nru pypdf2-1.26.0/debian/changelog pypdf2-1.26.0/debian/changelog
--- pypdf2-1.26.0/debian/changelog  2020-01-19 03:08:58.0 -0500
+++ pypdf2-1.26.0/debian/changelog  2024-02-11 13:50:22.0 -0500
@@ -1,3 +1,14 @@
+pypdf2 (1.26.0-4+deb11u1) bullseye; urgency=medium
+
+  * Forward-port CVE fixes by LTS team
+- CVE-2023-36810: Quadratic runtime with malformed PDF missing xref marker.
+- Fix CVE-2022-24859:
+Sebastian Krause discovered that manipulated inline images can force
+PyPDF2, a pure Python PDF library, into an infinite loop, if a
+maliciously crafted PDF file is processed.
+
+ -- Scott Kitterman   Sun, 11 Feb 2024 13:50:22 -0500
+
 pypdf2 (1.26.0-4) unstable; urgency=medium
 
   * Remove Python 2 from build dependencies (closes: #937505).
diff -Nru 
pypdf2-1.26.0/debian/patches/0001-MAINT-Quadratic-runtime-while-parsing-reduced-to-lin.patch
 
pypdf2-1.26.0/debian/patches/0001-MAINT-Quadratic-runtime-while-parsing-reduced-to-lin.patch
--- 
pypdf2-1.26.0/debian/patches/0001-MAINT-Quadratic-runtime-while-parsing-reduced-to-lin.patch
1969-12-31 19:00:00.0 -0500
+++ 
pypdf2-1.26.0/debian/patches/0001-MAINT-Quadratic-runtime-while-parsing-reduced-to-lin.patch
2024-02-11 13:49:50.0 -0500
@@ -0,0 +1,50 @@
+From 82ee233ea82a40c626e95a191fe2d52c745db870 Mon Sep 17 00:00:00 2001
+From: dsk7 
+Date: Sat, 23 Apr 2022 19:12:13 +0200
+Subject: MAINT: Quadratic runtime while parsing reduced to linear  (#808)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When the PdfFileReader tries to find the xref marker, the readNextEndLine 
methods builds a so called line by reading byte-for-byte. Every time a new byte 
is read, it is concatenated with the currently read line. This leads to 
quadratic runtime O(n²) behavior as Python strings (also byte-strings) are 
immutable and have to be copied where n is the size of the file.
+For files where the xref marker can not be found at the end this takes a 
enormous amount of time:
+
+* 1mb of zeros at the end: 45.54 seconds
+* 2mb of zeros at the end: 357.04 seconds
+(measured on a laptop made in 2015)
+
+This pull request changes the relevant section of the code to become linear 
runtime O(n), leading to a run time of less then a second for both cases 
mentioned above. Furthermore this PR adds a regression test.
+---
+ PyPDF2/pdf.py | 8 
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/PyPDF2/pdf.py b/PyPDF2/pdf.py
+index 9979414..8b355e0 100644
+--- a/PyPDF2/pdf.py
 b/PyPDF2/pdf.py
+@@ -1930,7 +1930,7 @@ class PdfFileReader(object):
+ def readNextEndLine(self, stream):
+ debug = False
+ if debug: print(">>readNextEndLine")
+-line = b_("")
++line_parts = []
+ while True:
+ # Prevent infinite loops in malformed PDFs
+ if stream.tell() == 0:
+@@ -1957,10 +1957,10 @@ class PdfFileReader(object):
+ break
+ else:
+ if debug: print("  x is neither")
+-line = x + line
+-if debug: print(("  RNEL line:", line))
++line_parts.append(x)
+ if debug: print("leaving RNEL")
+-return line
++line_parts.reverse()
++return b"".join(line_parts)
+ 
+ def decrypt(self, password):
+ """
+-- 
+2.30.2
+
diff -Nru pypdf2-1.26.0/debian/patches/CVE-2022-24859.patch 
pypdf2-1.26.0/debian/patches/CVE-2022-24859.patch
--- pypdf2-1.26.0/debian/patches/CVE-2022-24859.patch   1969-12-31 
19:00:00.0 -0500
+++ pypdf2-1.26.0/debian/patches/C

Bug#1060934: pycountry: FTBFS: dh_auto_test: error: pybuild --test -i python{version} -p "3.12 3.11" returned exit code 13

[Scott Kitterman]

It's been a couple of weeks and no action upstream.  I'll plan on uploading 
this unless you'd rather I hold off for some reason.

Scott K

On Wed, 24 Jan 2024 16:56:30 -0500 Scott Kitterman  
wrote:
> On Tue, 16 Jan 2024 20:41:58 +0100 Lucas Nussbaum  wrote:
> > Source: pycountry
> > Version: 23.12.11+ds1-1
> > Severity: serious
> > Justification: FTBFS
> > Tags: trixie sid ftbfs
> > User: lu...@debian.org
> > Usertags: ftbfs-20240115 ftbfs-trixie
> > 
> > Hi,
> > 
> > During a rebuild of all packages in sid, your package failed to build
> > on amd64.
> 
> This is due to changes in the recent iso-codes upload.  the patch below fixes 
> it so it should work with either version:
> 
> --- pycountry-23.12.11+ds1.orig/src/pycountry/__init__.py
> +++ pycountry-23.12.11+ds1/src/pycountry/__init__.py
> @@ -169,7 +169,8 @@ class SubdivisionHierarchy(pycountry.db.
>  kw["parent_code"] = None
>  super().__init__(**kw)
>  self.country_code = self.code.split("-")[0]
> -if self.parent_code is not None:
> +if (self.parent_code is not None and
> +self.country_code != self.parent_code.split("-")[0]):
>  self.parent_code = f"{self.country_code}-{self.parent_code}"
>  
>  @property
> 
> Please let me know if you don't want an NMU.  This will eventually cause 
> xml2rfc to be removed, so I'll NMU at some point unless you want to take 
care 
> of it first (thanks if you do).
> 
> Scott K
=<2567281.9CzbHMAgVU@zini-1880>

signature.asc
Description: This is a digitally signed message part.

Bug#1063348: O: pdfkit

[Scott Kitterman]

Package: wnpp
Severity: normal
X-Debbugs-Cc: debian-pyt...@lists.debian.org
Control: affects -1 src:pdfkit

I am no longer interested in this package and no else in the Debian
Python Team expressed interest it taking it over, so orphaning.

The package itself is in reasonable shape.  Upstream includes the
following warning in the Git version of the package README:

This library has been deprecated to match the wkhtmltopdf project status.

Scott K

Bug#1063317: O: django-anymail

[Scott Kitterman]

Package: wnpp
Severity: normal
X-Debbugs-Cc: debian-pyt...@lists.debian.org
Control: affects -1 src:django-anymail

I'm no longer interested in the package and no one from the Debian
Python Team expressed interest in it, so orphaning.

I've updated the package to the current upstream and updated for the
switch to hatchling, so that package is in good shape for now.  Upstream
is moderately active.

Scott K

Bug#1063171: O: python-sparkpost

[Scott Kitterman]

Package: wnpp
Severity: normal
X-Debbugs-Cc: debian-pyt...@lists.debian.org
Control: affects -1 src:python-sparkpost

I'm no longer interested in the package (it was only packaged to support
django-anymail, which is also about to be orphaned).

This is an interface to a proprietary mail service.  The company was
acquired in 2021 and nothing has happened with the package upstream
since then.

The package itself is in reasonably good condition.  There is one Python
3.12 related issue that will be addressed in the upload that orphans the
package.

Scott K

Bug#1063033: O: django-wkhtmltopdf

[Scott Kitterman]

Package: wnpp
Severity: normal
X-Debbugs-Cc: debian-pyt...@lists.debian.org
Control: affects -1 src:django-wkhtmltopdf

I no longer use this package and no one in the Debian Python Team
expressed any interest in it, so orphaning.

At this time, the package is in reasonably good shape and does not
generally require a lot of attention.  It's not clear if upstream is
dead or moving slowly.

Scott K

Bug#1062938: RM: clamav-unofficial-sigs -- ROM; Unmaintained and obsolete, replaced by fangfrisch

[Scott Kitterman]

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: pkg-clamav-de...@lists.alioth.debian.org

Long dead upstream and only minimally maintained in Debian.  Not working
well, if at all, anymore.  The fangfrisch package is a maintained
alternative that is now it the archive.

Request coordinated with pabs via IRC.

Scott K

Bug#1061625: bullseye-pu: package postfix/3.5.23-0+deb11u1

[Scott Kitterman]

bility, local clients are excluded by
+   default with "smtpd_forbid_bare_newline_exclusions =
+   $mynetworks".
+   Files: mantools/postlink, proto/postconf.proto,
+   global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
+   smtpd/smtpd.c, smtpd/smtpd_check.[hc].
+
+ -- Scott Kitterman   Sat, 27 Jan 2024 10:21:04 -0500
+
 postfix (3.5.23-0+deb11u1) bullseye; urgency=medium
 
   [Wietse Venema]
diff -Nru postfix-3.5.23/HISTORY postfix-3.5.24/HISTORY
--- postfix-3.5.23/HISTORY  2023-12-22 13:55:36.0 -0500
+++ postfix-3.5.24/HISTORY  2024-01-19 14:16:32.0 -0500
@@ -25400,16 +25400,36 @@
a configured recipient delimiter value. Reported by Tod
A. Sandman. Files: proto/postconf.proto, local/local_expand.c.
 
-20231221
+20240109
 
-   Security: with "smtpd_forbid_bare_newline = yes" (default
-   "no" for Postfix < 3.9), reply with "Error: bare 
-   received" and disconnect when an SMTP client sends a line
-   ending in , violating the RFC 5321 requirement that
-   lines must end in . This prevents SMTP smuggling
-   attacks that target a recipient at a Postfix server. For
-   backwards compatibility, local clients are excluded by
+   Security (outbound SMTP smuggling): with the default setting
+   "cleanup_replace_stray_cr_lf = yes" Postfix will replace
+   stray  or  characters in message content with a
+   space character. This prevents Postfix from enabling
+   outbound (remote) SMTP smuggling, and it also makes evaluation
+   of Postfix-added DKIM etc. signatures independent from how
+   a remote mail server handles stray  or  characters.
+   Files: global/mail_params.h, cleanup/cleanup.c,
+   cleanup/cleanup_message.c, mantools/postlink, proto/postconf.proto.
+
+20240112
+
+   Security (inbound SMTP smuggling): with "smtpd_forbid_bare_newline
+   = normalize" (default "no" for Postfix < 3.9), the Postfix
+   SMTP server requires the standard End-of-DATA sequence
+   ., and otherwise allows command or message
+   content lines ending in the non-standard , processing
+   them as if the client sent the standard .
+
+   The alternative setting, "smtpd_forbid_bare_newline = reject"
+   will reject any command or message that contains a bare
+   , and is more likely to cause problems with legitimate
+   clients.
+
+   For backwards compatibility, local clients are excluded by
default with "smtpd_forbid_bare_newline_exclusions =
-   $mynetworks". Files: mantools/postlink, proto/postconf.proto,
+   $mynetworks".
+
+   Files: mantools/postlink, proto/postconf.proto,
global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
-   smtpd/smtpd.c.
+   smtpd/smtpd.c, smtpd/smtpd_check.[hc].
diff -Nru postfix-3.5.23/html/cleanup.8.html postfix-3.5.24/html/cleanup.8.html
--- postfix-3.5.23/html/cleanup.8.html  2019-11-09 19:00:16.0 -0500
+++ postfix-3.5.24/html/cleanup.8.html  2024-01-19 14:27:01.0 -0500
@@ -146,6 +146,16 @@
   The set of characters that Postfix will remove from message con-
   tent.
 
+   Available in Postfix version 3.9, 3.8.5, 3.7.10,  3.6.14,  3.5.24,  and
+   later:
+
+   cleanup_replace_stray_cr_lf
 (yes)
+  Replace  each  stray  CR  or LF character in 
message content
+  with a space character, to prevent outbound SMTP smuggling,  and
+  to make the evaluation of Postfix-added DKIM or other signatures
+  independent from how a remote mail server handles  such  charac-
+  ters.
+
 BEFORE QUEUE MILTER CONTROLS
As of version 2.3, Postfix supports the Sendmail version 8 Milter (mail
filter) protocol. When mail is not received via  the  smtpd(8)  server,
diff -Nru postfix-3.5.23/html/postconf.5.html 
postfix-3.5.24/html/postconf.5.html
--- postfix-3.5.23/html/postconf.5.html 2023-12-22 13:58:15.0 -0500
+++ postfix-3.5.24/html/postconf.5.html 2024-01-21 17:27:31.0 -0500
@@ -1444,6 +1444,40 @@
 
 
 
+cleanup_replace_stray_cr_lf
+(default: yes)
+
+ Replace each stray CR or LF character in message
+content with a space character, to prevent outbound SMTP smuggling,
+and to make the evaluation of Postfix-added DKIM or other signatures
+independent from how a remote mail server handles such characters.
+
+
+ SMTP does not allow such characters unless they are part of a
+CRLF sequence, and different mail systems handle
+such stray characters in an implementation-dependent manner. Stray
+CR or LF characters could be used for outbound
+SMTP smuggling, where an attacker uses a Postfix server to send
+message content with a non-standard End-of-DATA sequence that
+triggers inbound SMTP smuggling at a remote SMTP server.
+
+ The replacement happens before all other conten

Bug#1061624: bookworm-pu: package postfix/3.7.9-0+deb12u1

[Scott Kitterman]

s are excluded by
+  default with "smtpd_forbid_bare_newline_exclusions =
+  $mynetworks".
+  Files: mantools/postlink, proto/postconf.proto,
+  global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
+  smtpd/smtpd.c, smtpd/smtpd_check.[hc].
+
+ -- Scott Kitterman   Fri, 26 Jan 2024 18:44:58 -0500
+
 postfix (3.7.9-0+deb12u1) bookworm; urgency=medium
 
   [Wietse Venema]
diff -Nru postfix-3.7.9/HISTORY postfix-3.7.10/HISTORY
--- postfix-3.7.9/HISTORY   2023-12-21 21:01:13.0 -0500
+++ postfix-3.7.10/HISTORY  2024-01-19 11:52:30.0 -0500
@@ -26648,16 +26648,36 @@
a configured recipient delimiter value. Reported by Tod
A. Sandman. Files: proto/postconf.proto, local/local_expand.c.
 
-20231221
+20240109
 
-   Security: with "smtpd_forbid_bare_newline = yes" (default
-   "no" for Postfix < 3.9), reply with "Error: bare 
-   received" and disconnect when an SMTP client sends a line
-   ending in , violating the RFC 5321 requirement that
-   lines must end in . This prevents SMTP smuggling
-   attacks that target a recipient at a Postfix server. For
-   backwards compatibility, local clients are excluded by
+   Security (outbound SMTP smuggling): with the default setting
+   "cleanup_replace_stray_cr_lf = yes" Postfix will replace
+   stray  or  characters in message content with a
+   space character. This prevents Postfix from enabling
+   outbound (remote) SMTP smuggling, and it also makes evaluation
+   of Postfix-added DKIM etc. signatures independent from how
+   a remote mail server handles stray  or  characters.
+   Files: global/mail_params.h, cleanup/cleanup.c,
+   cleanup/cleanup_message.c, mantools/postlink, proto/postconf.proto.
+
+20240112
+
+   Security (inbound SMTP smuggling): with "smtpd_forbid_bare_newline
+   = normalize" (default "no" for Postfix < 3.9), the Postfix
+   SMTP server requires the standard End-of-DATA sequence
+   ., and otherwise allows command or message
+   content lines ending in the non-standard , processing
+   them as if the client sent the standard .
+
+   The alternative setting, "smtpd_forbid_bare_newline = reject"
+   will reject any command or message that contains a bare
+   , and is more likely to cause problems with legitimate
+   clients.
+
+   For backwards compatibility, local clients are excluded by
default with "smtpd_forbid_bare_newline_exclusions =
-   $mynetworks". Files: mantools/postlink, proto/postconf.proto,
+   $mynetworks".
+
+   Files: mantools/postlink, proto/postconf.proto,
global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
-   smtpd/smtpd.c.
+   smtpd/smtpd.c, smtpd/smtpd_check.[hc].
diff -Nru postfix-3.7.9/html/cleanup.8.html postfix-3.7.10/html/cleanup.8.html
--- postfix-3.7.9/html/cleanup.8.html   2021-12-23 17:24:55.0 -0500
+++ postfix-3.7.10/html/cleanup.8.html  2024-01-19 12:18:33.0 -0500
@@ -159,6 +159,16 @@
   The set of characters that Postfix will remove from message con-
   tent.
 
+   Available in Postfix version 3.9, 3.8.5, 3.7.10,  3.6.14,  3.5.24,  and
+   later:
+
+   cleanup_replace_stray_cr_lf
 (yes)
+  Replace  each  stray  CR  or LF character in 
message content
+  with a space character, to prevent outbound SMTP smuggling,  and
+  to make the evaluation of Postfix-added DKIM or other signatures
+  independent from how a remote mail server handles  such  charac-
+  ters.
+
 BEFORE QUEUE MILTER CONTROLS
As of version 2.3, Postfix supports the Sendmail version 8 Milter (mail
filter)  protocol.  When  mail is not received via the smtpd(8) server,
diff -Nru postfix-3.7.9/html/postconf.5.html postfix-3.7.10/html/postconf.5.html
--- postfix-3.7.9/html/postconf.5.html  2023-12-22 12:06:57.0 -0500
+++ postfix-3.7.10/html/postconf.5.html 2024-01-21 17:26:25.0 -0500
@@ -1453,6 +1453,40 @@
 
 
 
+cleanup_replace_stray_cr_lf
+(default: yes)
+
+ Replace each stray CR or LF character in message
+content with a space character, to prevent outbound SMTP smuggling,
+and to make the evaluation of Postfix-added DKIM or other signatures
+independent from how a remote mail server handles such characters.
+
+
+ SMTP does not allow such characters unless they are part of a
+CRLF sequence, and different mail systems handle
+such stray characters in an implementation-dependent manner. Stray
+CR or LF characters could be used for outbound
+SMTP smuggling, where an attacker uses a Postfix server to send
+message content with a non-standard End-of-DATA sequence that
+triggers inbound SMTP smuggling at a remote SMTP server.
+
+ The replacement happens before all other content management,
+and before P

Bug#1060934: pycountry: FTBFS: dh_auto_test: error: pybuild --test -i python{version} -p "3.12 3.11" returned exit code 13

[Scott Kitterman]

On Tue, 16 Jan 2024 20:41:58 +0100 Lucas Nussbaum  wrote:
> Source: pycountry
> Version: 23.12.11+ds1-1
> Severity: serious
> Justification: FTBFS
> Tags: trixie sid ftbfs
> User: lu...@debian.org
> Usertags: ftbfs-20240115 ftbfs-trixie
> 
> Hi,
> 
> During a rebuild of all packages in sid, your package failed to build
> on amd64.

This is due to changes in the recent iso-codes upload.  the patch below fixes 
it so it should work with either version:

--- pycountry-23.12.11+ds1.orig/src/pycountry/__init__.py
+++ pycountry-23.12.11+ds1/src/pycountry/__init__.py
@@ -169,7 +169,8 @@ class SubdivisionHierarchy(pycountry.db.
 kw["parent_code"] = None
 super().__init__(**kw)
 self.country_code = self.code.split("-")[0]
-if self.parent_code is not None:
+if (self.parent_code is not None and
+self.country_code != self.parent_code.split("-")[0]):
 self.parent_code = f"{self.country_code}-{self.parent_code}"
 
 @property

Please let me know if you don't want an NMU.  This will eventually cause 
xml2rfc to be removed, so I'll NMU at some point unless you want to take care 
of it first (thanks if you do).

Scott K


signature.asc
Description: This is a digitally signed message part.

Bug#1061447: O: django-maintenancemode

[Scott Kitterman]

Package: wnpp
Severity: normal
X-Debbugs-Cc: debian-pyt...@lists.debian.org
Control: affects -1 src:django-maintenancemode

Orphaning the package on behalf of the Debian Python Team as the sole
uploader (no one else on the team expressed interest in taking over and
I no longer use the package).

The package itself is in reasonable shape.  Upstream is mostly dean, so
if you take over this package, expect to have to do more than just
package new upstream releases.

Scott K

Bug#1061324: lmdb: Move doxygen to B-D-I

[Scott Kitterman]

Source: lmdb
Version: 0.9.31-1
Severity: normal

It looks like doxygen is only needed for building the arch all lmdb-doc
package, so it could be moved from Build-Depends to Build-Depends-Indep.
While this is a pretty minor issue, I think it would be better and it
would at least allow lmdb to be built on archs which don't have doxygen
(currently only hurd-amd64, but it's been others in the past).

Scott K

Bug#1061265: rst2pdf: Uses deprecated/to be removed pypdf2

[Scott Kitterman]

On January 22, 2024 10:11:50 AM UTC, Rob Allen  wrote:
>Hi,
>
>I’m the one of the leads on rst2pdf itself.
>
>Is there anything you want me to do related to this?
>
>Regards,
>
>Rob

Thank you for being interested in its status in Debian.  No.  My understanding 
is that all this needs is for the maintainer in Debian to update the package to 
the most current release.

The next Debian release is likely at least a year and a half from now, so 
there's plenty of time.  

Scott K

Bug#1061265: rst2pdf: Uses deprecated/to be removed pypdf2

[Scott Kitterman]

Source: rst2pdf
Version: 0.99-1
Severity: wishlist

rst2pdf declares a requirement for python3-pypdf2 in
Build-Depends-Indep.

I've recently adopted pypdf and pypdf2 into the Debian Python Team in response 
to an RFA for both packages.  As these are somewhat security sensitive packages 
(among my first acts after adopting the packages was to upload proposed updates 
for both to address minor security issues in Bookworm in the next point release 
- same bug in both), I do not think we should release pypdf2 in Trixie and have 
filed an RC bug to that effect.

It looks like the current upstream release has already been ported to
use python3-pypdf (which is really pypdf3).  Please update your package.

Scott K

Bug#1061264: ocrmypdf: Uses deprecated/to be removed pypdf2 in autopkgtest

[Scott Kitterman]

Source: ocrmypdf
Version: 15.2.0+dfsg1-1
Severity: wishlist

I've recently adopted pypdf and pypdf2 into the Debian Python Team in response 
to an RFA for both packages.  As these are somewhat security sensitive packages 
(among my first acts after adopting the packages was to upload proposed updates 
for both to address minor security issues in Bookworm in the next point release 
- same bug in both), I do not think we should release pypdf2 in Trixie and have 
filed an RC bug to that effect.

ocrmypdf uses the package in debian/tests/control.  Please update to use
python3-pypdf insteadm.

Bug#1029740: pypdf2 is deprecated, please move from python3-pypdf2 to python3-pypdf

[Scott Kitterman]

On Fri, 27 Jan 2023 00:26:31 +0100 Mathias Behrle  wrote:
> tag -1 pending
> 
> API changes were already considered in
> https://foss.heptapod.net/tryton/tryton/-/merge_requests/25
> https://foss.heptapod.net/tryton/tryton/-/merge_requests/27
> and Tryton packages should be fit for any version 1, 2, 3 of pypdf.
> 
> We are waiting for backports of the fixes to 6.0. We will anyway include them
> for bookworm. As we are maintaining backports for bullseye and buster we 
will
> stick for now with python3-pypdf2, until python3-pypdf will be available as
> backport in the targeted Debian releases.

As we approach the first anniversary for this bug, an update:

I've recently adopted pypdf and pypdf2 into the Debian Python Team in response 
to an RFA for both packages.  As these are somewhat security sensitive 
packages (among my first acts after adopting the packages was to upload 
proposed updates for both to address minor security issues in Bookworm in the 
next point release - same bug in both), I do not think we should release 
pypdf2 in Trixie and have filed an RC bug to that effect.

If you want this package to be in Trixie, you will need to use pypdf instead 
of pypdf2.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1029739: pypdf2 is deprecated, please move from python3-pypdf2 to python3-pypdf

[Scott Kitterman]

On Thu, 26 Jan 2023 16:39:39 -0500 Daniel Kahn Gillmor  
wrote:
 
> As noted in https://bugs.debian.org/1028559, upstream for the PyPDF2
> Python module has moved to the "pypdf" namespace.
> 
> Correspondingly, there is a new python3-pypdf package in debian
> unstable.
> 
> The packages listed above all currently depend on (or recommend) PyPDF2,
> but probably should move to the updated version.  When all these bug
> reports are closed, we can consider removing the pypdf2 source package
> and python3-pypdf2 from debian.
> 
> The migration should be relatively straightforward; much of the API
> remains the same, just under the "pypdf" module name instead of the
> "PyPDF2" module name.  Where the API differs, the version of PyPDF2
> currently in debian testing/unstable (2.12.1-3) emits a
> PendingDeprecationWarning wherever a piece of the API will break.
> 
> For example:
> 
>foo.py:76: PendingDeprecationWarning: getObject is deprecated and will be 
removed in PyPDF2 3.0.0. Use get_object instead.
> 
> (PyPDF2 version 3.x is basically a terminal version of PyPDF2, and pypdf
> takes over from 3.1.x onward; PyPDF2 version 3.x will not enter debian,
> as it is an API break from 2.x, and pypdf 3.x supercedes it)

As we approach the first anniversary for this bug, an update:

I've recently adopted pypdf and pypdf2 into the Debian Python Team in response 
to an RFA for both packages.  As these are somewhat security sensitive 
packages (among my first acts after adopting the packages was to upload 
proposed updates for both to address minor security issues in Bookworm in the 
next point release - same bug in both), I do not think we should release 
pypdf2 in Trixie and have filed an RC bug to that effect.

If you want this package to be in Trixie, you will need to use pypdf instead 
of pypdf2.  There is a new upstream release that supports this transition, but 
packaging it will be non-trivial.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1029735: pypdf2 is deprecated, please move from python3-pypdf2 to python3-pypdf

[Scott Kitterman]

On Thu, 26 Jan 2023 16:39:39 -0500 Daniel Kahn Gillmor  
wrote:
> As noted in https://bugs.debian.org/1028559, upstream for the PyPDF2
> Python module has moved to the "pypdf" namespace.
> 
> Correspondingly, there is a new python3-pypdf package in debian
> unstable.
> 
> The packages listed above all currently depend on (or recommend) PyPDF2,
> but probably should move to the updated version.  When all these bug
> reports are closed, we can consider removing the pypdf2 source package
> and python3-pypdf2 from debian.
> 
> The migration should be relatively straightforward; much of the API
> remains the same, just under the "pypdf" module name instead of the
> "PyPDF2" module name.  Where the API differs, the version of PyPDF2
> currently in debian testing/unstable (2.12.1-3) emits a
> PendingDeprecationWarning wherever a piece of the API will break.
> 
> For example:
> 
>foo.py:76: PendingDeprecationWarning: getObject is deprecated and will be 
removed in PyPDF2 3.0.0. Use get_object instead.
> 
> (PyPDF2 version 3.x is basically a terminal version of PyPDF2, and pypdf
> takes over from 3.1.x onward; PyPDF2 version 3.x will not enter debian,
> as it is an API break from 2.x, and pypdf 3.x supercedes it)
> 
> To transition a given package:
> 
>  - run tests with as complete coverage as possible and note the
>PendingDeprecation warnings
> 
>  - for each warning, patch the upstream line as recommended
> 
>  - ensure that the tests pass without PendingDeprecationWarnings
> 
>  - convert from "PyPDF2" to "pypdf" on any import or scoped reference in
>python
> 
>  - update dependency indicators in upstream metadata annotations
>(e.g. pyproject.toml, setup.cfg, etc)
> 
>  - update dependency indicators in debian packaging (from python3-pypdf2
>to python3-pypdf).
> 
>  - run the tests again

As we approach the first anniversary for this bug, an update:

I've recently adopted pypdf and pypdf2 into the Debian Python Team in response 
to an RFA for both packages.  As these are somewhat security sensitive 
packages (among my first acts after adopting the packages was to upload 
proposed updates for both to address minor security issues in Bookworm in the 
next point release - same bug in both), I do not think we should release 
pypdf2 in Trixie and have filed an RC bug to that effect.

If you want this package to be in Trixie, you will need to use pypdf instead 
of pypdf2.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1029738: pypdf2 is deprecated, please move from python3-pypdf2 to python3-pypdf

[Scott Kitterman]

On Thu, 26 Jan 2023 16:39:39 -0500 Daniel Kahn Gillmor  
wrote:

> As noted in https://bugs.debian.org/1028559, upstream for the PyPDF2
> Python module has moved to the "pypdf" namespace.
> 
> Correspondingly, there is a new python3-pypdf package in debian
> unstable.
> 
> The packages listed above all currently depend on (or recommend) PyPDF2,
> but probably should move to the updated version.  When all these bug
> reports are closed, we can consider removing the pypdf2 source package
> and python3-pypdf2 from debian.
> 
> The migration should be relatively straightforward; much of the API
> remains the same, just under the "pypdf" module name instead of the
> "PyPDF2" module name.  Where the API differs, the version of PyPDF2
> currently in debian testing/unstable (2.12.1-3) emits a
> PendingDeprecationWarning wherever a piece of the API will break.
> 
> For example:
> 
>foo.py:76: PendingDeprecationWarning: getObject is deprecated and will be 
removed in PyPDF2 3.0.0. Use get_object instead.
> 
> (PyPDF2 version 3.x is basically a terminal version of PyPDF2, and pypdf
> takes over from 3.1.x onward; PyPDF2 version 3.x will not enter debian,
> as it is an API break from 2.x, and pypdf 3.x supercedes it)
> 
> To transition a given package:
> 
>  - run tests with as complete coverage as possible and note the
>PendingDeprecation warnings
> 
>  - for each warning, patch the upstream line as recommended
> 
>  - ensure that the tests pass without PendingDeprecationWarnings
> 
>  - convert from "PyPDF2" to "pypdf" on any import or scoped reference in
>python
> 
>  - update dependency indicators in upstream metadata annotations
>(e.g. pyproject.toml, setup.cfg, etc)
> 
>  - update dependency indicators in debian packaging (from python3-pypdf2
>to python3-pypdf).
> 
>  - run the tests again

As we approach the first anniversary for this bug, an update:

I've recently adopted pypdf and pypdf2 into the Debian Python Team in response 
to an RFA for both packages.  As these are somewhat security sensitive 
packages (among my first acts after adopting the packages was to upload 
proposed updates for both to address minor security issues in Bookworm in the 
next point release - same bug in both), I do not think we should release 
pypdf2 in Trixie and have filed an RC bug to that effect.

If you want this package to be in Trixie, you will need to use pypdf instead 
of pypdf2.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1029733: pypdf2 is deprecated, please move from python3-pypdf2 to python3-pypdf

[Scott Kitterman]

On Thu, 26 Jan 2023 16:39:39 -0500 Daniel Kahn Gillmor  
wrote:

> As noted in https://bugs.debian.org/1028559, upstream for the PyPDF2
> Python module has moved to the "pypdf" namespace.
> 
> Correspondingly, there is a new python3-pypdf package in debian
> unstable.
> 
> The packages listed above all currently depend on (or recommend) PyPDF2,
> but probably should move to the updated version.  When all these bug
> reports are closed, we can consider removing the pypdf2 source package
> and python3-pypdf2 from debian.
> 
> The migration should be relatively straightforward; much of the API
> remains the same, just under the "pypdf" module name instead of the
> "PyPDF2" module name.  Where the API differs, the version of PyPDF2
> currently in debian testing/unstable (2.12.1-3) emits a
> PendingDeprecationWarning wherever a piece of the API will break.
> 
> For example:
> 
>foo.py:76: PendingDeprecationWarning: getObject is deprecated and will be 
removed in PyPDF2 3.0.0. Use get_object instead.
> 
> (PyPDF2 version 3.x is basically a terminal version of PyPDF2, and pypdf
> takes over from 3.1.x onward; PyPDF2 version 3.x will not enter debian,
> as it is an API break from 2.x, and pypdf 3.x supercedes it)
> 
> To transition a given package:
> 
>  - run tests with as complete coverage as possible and note the
>PendingDeprecation warnings
> 
>  - for each warning, patch the upstream line as recommended
> 
>  - ensure that the tests pass without PendingDeprecationWarnings
> 
>  - convert from "PyPDF2" to "pypdf" on any import or scoped reference in
>python
> 
>  - update dependency indicators in upstream metadata annotations
>(e.g. pyproject.toml, setup.cfg, etc)
> 
>  - update dependency indicators in debian packaging (from python3-pypdf2
>to python3-pypdf).
> 
>  - run the tests again

As we approach the first anniversary for this bug, an update:

I've recently adopted pypdf and pypdf2 into the Debian Python Team in response 
to an RFA for both packages.  As these are somewhat security sensitive 
packages (among my first acts after adopting the packages was to upload 
proposed updates for both to address minor security issues in Bookworm in the 
next point release - same bug in both), I do not think we should release 
pypdf2 in Trixie and have filed an RC bug to that effect.

If you want this package to be in Trixie, you will need to use pypdf instead 
of pypdf2.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1029734: pypdf2 is deprecated, please move from python3-pypdf2 to python3-pypdf

[Scott Kitterman]

On Thu, 26 Jan 2023 16:39:39 -0500 Daniel Kahn Gillmor  
wrote:
> As noted in https://bugs.debian.org/1028559, upstream for the PyPDF2
> Python module has moved to the "pypdf" namespace.
> 
> Correspondingly, there is a new python3-pypdf package in debian
> unstable.
> 
> The packages listed above all currently depend on (or recommend) PyPDF2,
> but probably should move to the updated version.  When all these bug
> reports are closed, we can consider removing the pypdf2 source package
> and python3-pypdf2 from debian.
> 
> The migration should be relatively straightforward; much of the API
> remains the same, just under the "pypdf" module name instead of the
> "PyPDF2" module name.  Where the API differs, the version of PyPDF2
> currently in debian testing/unstable (2.12.1-3) emits a
> PendingDeprecationWarning wherever a piece of the API will break.
> 
> For example:
> 
>foo.py:76: PendingDeprecationWarning: getObject is deprecated and will be 
removed in PyPDF2 3.0.0. Use get_object instead.
> 
> (PyPDF2 version 3.x is basically a terminal version of PyPDF2, and pypdf
> takes over from 3.1.x onward; PyPDF2 version 3.x will not enter debian,
> as it is an API break from 2.x, and pypdf 3.x supercedes it)
> 
> To transition a given package:
> 
>  - run tests with as complete coverage as possible and note the
>PendingDeprecation warnings
> 
>  - for each warning, patch the upstream line as recommended
> 
>  - ensure that the tests pass without PendingDeprecationWarnings
> 
>  - convert from "PyPDF2" to "pypdf" on any import or scoped reference in
>python
> 
>  - update dependency indicators in upstream metadata annotations
>(e.g. pyproject.toml, setup.cfg, etc)
> 
>  - update dependency indicators in debian packaging (from python3-pypdf2
>to python3-pypdf).
> 
>  - run the tests again

As we approach the first anniversary for this bug, an update:

I've recently adopted pypdf and pypdf2 into the Debian Python Team in response 
to an RFA for both packages.  As these are somewhat security sensitive 
packages (among my first acts after adopting the packages was to upload 
proposed updates for both to address minor security issues in Bookworm in the 
next point release - same bug in both), I do not think we should release 
pypdf2 in Trixie and have filed an RC bug to that effect.

If you want this package to be in Trixie, you will need to use pypdf instead 
of pypdf2.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1061261: odoo: Uses deprecated/to be removed PyPDF2

[Scott Kitterman]

Source: odoo
Version: 16.0.0+dfsg.2-2
Severity: wishlist

The odoo package has recently added a dependency on python3-pypdf2.  Last 
January the following bug was filed against all packages using python3-pypdf2:

As noted in https://bugs.debian.org/1028559, upstream for the PyPDF2 Python 
module has moved to the "pypdf" namespace.

Correspondingly, there is a new python3-pypdf package in debian unstable.

The packages listed above all currently depend on (or recommend) PyPDF2, but 
probably should move to the updated version.  When all these bug reports are 
closed, we can consider removing the pypdf2 source package and python3-pypdf2 
from debian.

The migration should be relatively straightforward; much of the API remains the 
same, just under the "pypdf" module name instead of the "PyPDF2" module name.  
Where the API differs, the version of PyPDF2 currently in debian 
testing/unstable (2.12.1-3) emits a 
PendingDeprecationWarning wherever a piece of the API will break.

For example:

   foo.py:76: PendingDeprecationWarning: getObject is deprecated and will be 
removed in PyPDF2 3.0.0. Use get_object instead.

(PyPDF2 version 3.x is basically a terminal version of PyPDF2, and pypdf takes 
over from 3.1.x onward; PyPDF2 version 3.x will not enter debian, as it is an 
API break from 2.x, and pypdf 3.x supercedes it)

To transition a given package:

 - run tests with as complete coverage as possible and note the 
   PendingDeprecation warnings

 - for each warning, patch the upstream line as recommended

 - ensure that the tests pass without PendingDeprecationWarnings

 - convert from "PyPDF2" to "pypdf" on any import or scoped reference in
   python

 - update dependency indicators in upstream metadata annotations
   (e.g. pyproject.toml, setup.cfg, etc)

 - update dependency indicators in debian packaging (from python3-pypdf2
   to python3-pypdf).

 - run the tests again
 
I'm currently in the process of updating all these bugs with:

As we approach the first anniversary for this bug, an update:

I've recently adopted pypdf and pypdf2 into the Debian Python Team in response 
to an RFA for both packages.  As these are somewhat security sensitive packages 
(among my first acts after adopting the packages was to upload proposed updates 
for both to address minor security issues in Bookworm in the next point release 
- same bug in both), I do not think we should release pypdf2 in Trixie and have 
filed an RC bug to that effect.

If you want this package to be in Trixie, you will need to use pypdf instead of 
pypdf2.

Scott K

Bug#1060917: postfix-mysql broken in 3.7.9, results in unsupported dictionary type

[Scott Kitterman]

On Wed, 17 Jan 2024 09:05:47 -0500 Scott Kitterman  
wrote:
> On Wednesday, January 17, 2024 9:03:29 AM EST Richard Rosner wrote:
> > I've updated all mariadb packages to 10.11.6 and all postfix packages.
> > Everything still working.
> >  
> Excellent news.  Thanks for testing.

Postfix packages in bookworm-proposed-updates have been rebuilt against the new 
mariadb, so I think this can be closed now.  If anyone runs into this problem 
with the packages from bookworm-updates/stable-updates, install the rebuilt 
version from bookworm/stable-proposed-updates.  After the next point release, 
this will be entirely OBE.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1061162: pypdf2: Do not release with Trixie

[Scott Kitterman]

Source: pypdf2
Version: 2.12.1-4
Severity: serious
Tags: upstream
Justification: Maintainer opinion

PyPDF2 has been replaced by pypdf upstream.  We should not release this
package with Trixie.  Rdepends should be either ported or removed.

Scott K

Bug#1061161: bookworm-pu: package pypdf2/2.12.1-3

[Scott Kitterman]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
CVE fix.

[ Impact ]
Users still vulernable to security issue.

[ Tests ]
Upstream has an extensive test suite, although we don't include a test
specifically for this issue.  All tests pass on bookworm locally.

[ Risks ]
Risk is negligible.  Code is trivial.  Fix has been available for 8
months upstream.  The same code is in pypdf and there have been no
issues reported with it (stable update for it is pending as well).

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Add a patch to apply the upstream fix for the issue.

[ Other info ]
This looks like an NMU in bookworm, but I just adopted the package.  I
did not include the maintainer changes in the stble-update since that
seemed to get beyone a minimal fix.

Scott K
diff -Nru pypdf2-2.12.1/debian/changelog pypdf2-2.12.1/debian/changelog
--- pypdf2-2.12.1/debian/changelog  2023-01-13 16:38:55.0 -0500
+++ pypdf2-2.12.1/debian/changelog  2024-01-19 17:32:34.0 -0500
@@ -1,3 +1,12 @@
+pypdf2 (2.12.1-3+deb12u1) bookworm; urgency=medium
+
+  * Prevent infinite loop when no character follows after a comment (Closes:
+#1040339)
+- Addresses CVE-2023-36464
+- Add d/p/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
+
+ -- Scott Kitterman   Fri, 19 Jan 2024 17:32:34 -0500
+
 pypdf2 (2.12.1-3) unstable; urgency=medium
 
   * disable two more network tests
diff -Nru 
pypdf2-2.12.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
 
pypdf2-2.12.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
--- 
pypdf2-2.12.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
1969-12-31 19:00:00.0 -0500
+++ 
pypdf2-2.12.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
2024-01-19 17:30:16.0 -0500
@@ -0,0 +1,21 @@
+From: Scott Kitterman 
+Date: Mon, 15 Jan 2024 11:34:11 -0500
+Subject: Prevent infinite loop when no character follows after a comment
+https://security-tracker.debian.org/tracker/CVE-2023-36464
+---
+ PyPDF2/generic/_data_structures.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: pypdf/PyPDF2/generic/_data_structures.py
+===
+--- pypdf.orig/PyPDF2/generic/_data_structures.py
 pypdf/PyPDF2/generic/_data_structures.py
+@@ -733,7 +733,7 @@ class ContentStream(DecodedStreamObject)
+ # encountering a comment -- but read_object assumes that
+ # following the comment must be the object we're trying to
+ # read.  In this case, it could be an operator instead.
+-while peek not in (b"\r", b"\n"):
++while peek not in (b"\r", b"\n", b""):
+ peek = stream.read(1)
+ else:
+ operands.append(read_object(stream, None, 
self.forced_encoding))
diff -Nru pypdf2-2.12.1/debian/patches/series 
pypdf2-2.12.1/debian/patches/series
--- pypdf2-2.12.1/debian/patches/series 2023-01-13 16:38:30.0 -0500
+++ pypdf2-2.12.1/debian/patches/series 2024-01-19 17:30:16.0 -0500
@@ -1 +1,2 @@
 disable-network-tests.patch
+0003-Prevent-infinite-loop-when-no-character-follows-afte.patch

Bug#1060851: bookworm-pu: package pypdf/3.4.1-1

[Scott Kitterman]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]
This upload adds a patch to address CVE-2023-36464.  It was assessed by
the security team as no-dsa, so I think we ought to fix it in a stable
update.

[ Impact ]
Users remain vulnerable to the DoS attack described in the CVE.

[ Tests ]
There is a pypdf test suite that runs during package build and
autopkgtest.  Upstream did add a test for this issue, but since it
requires test assets not available in Debian, I did not include it in
the patch.

[ Risks ]
Code is trivial and the risk of regression is negligible.  This is the
exact fix upstream used.  The fix has been in the wild for 8 months, so
I think if it was going to cause a problem, we'd know by now.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Added the upstream change to fix the CVE (only the change to
pypdf/generic/_data_structures.py is relevant):
https://github.com/py-pdf/pypdf/commit/b0e5c689df689ab173df84dacd77b6fc3c161932

Updated gbp.conf to point at the bookworm branch

[ Other info ]
This will look like an NMU in tools that look at stable.  I just adopted
the package due to the original maintainer's RFA and have uploaded to
unstable (including this fix).  I elected not to change the maintainer
in this upload since that didn't fit with a minimal change in stable.

Scott K
diff -Nru pypdf-3.4.1/debian/changelog pypdf-3.4.1/debian/changelog
--- pypdf-3.4.1/debian/changelog2023-02-14 16:58:00.0 -0500
+++ pypdf-3.4.1/debian/changelog2024-01-15 11:28:43.0 -0500
@@ -1,3 +1,13 @@
+pypdf (3.4.1-1+deb12u1) bookworm; urgency=medium
+
+  * Update debian/gbp.conf to point at bookworm branch
+  * Prevent infinite loop when no character follows after a comment (Closes:
+#1040338)
+- Addresses CVE-2023-36464
+- Add d/p/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
+
+ -- Scott Kitterman   Mon, 15 Jan 2024 11:28:43 -0500
+
 pypdf (3.4.1-1) unstable; urgency=medium
 
   * New upstream version 3.4.1
diff -Nru pypdf-3.4.1/debian/gbp.conf pypdf-3.4.1/debian/gbp.conf
--- pypdf-3.4.1/debian/gbp.conf 2023-02-14 16:58:00.0 -0500
+++ pypdf-3.4.1/debian/gbp.conf 2024-01-15 11:28:20.0 -0500
@@ -1,3 +1,3 @@
 [DEFAULT]
-debian-branch = debian/unstable
+debian-branch = debian/bookworm
 pristine-tar = True
diff -Nru 
pypdf-3.4.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
 
pypdf-3.4.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
--- 
pypdf-3.4.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
  1969-12-31 19:00:00.0 -0500
+++ 
pypdf-3.4.1/debian/patches/0003-Prevent-infinite-loop-when-no-character-follows-afte.patch
  2024-01-15 11:28:43.0 -0500
@@ -0,0 +1,21 @@
+From: Scott Kitterman 
+Date: Mon, 15 Jan 2024 11:34:11 -0500
+Subject: Prevent infinite loop when no character follows after a comment
+https://security-tracker.debian.org/tracker/CVE-2023-36464
+---
+ pypdf/generic/_data_structures.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pypdf/generic/_data_structures.py 
b/pypdf/generic/_data_structures.py
+index bb2e028..524d4e0 100644
+--- a/pypdf/generic/_data_structures.py
 b/pypdf/generic/_data_structures.py
+@@ -979,7 +979,7 @@ class ContentStream(DecodedStreamObject):
+ # encountering a comment -- but read_object assumes that
+ # following the comment must be the object we're trying to
+ # read.  In this case, it could be an operator instead.
+-while peek not in (b"\r", b"\n"):
++while peek not in (b"\r", b"\n", b""):
+ peek = stream.read(1)
+ else:
+ operands.append(read_object(stream, None, 
self.forced_encoding))
diff -Nru pypdf-3.4.1/debian/patches/series pypdf-3.4.1/debian/patches/series
--- pypdf-3.4.1/debian/patches/series   2023-02-14 16:58:00.0 -0500
+++ pypdf-3.4.1/debian/patches/series   2024-01-15 11:28:43.0 -0500
@@ -1,2 +1,3 @@
 0001-Use-formal-Cryptodome-namespace.patch
 0002-mark-new-external-tests-appropriately.patch
+0003-Prevent-infinite-loop-when-no-character-follows-afte.patch

Bug#1060463: O: django-impersonate -- Django module for superusers to impersonate accounts

[Scott Kitterman]

Package: wnpp
Severity: normal
X-Debbugs-Cc: debian-pyt...@lists.debian.org
Control: affects -1 src:django-impersonate

Orphaning the package on behalf of the Debian Python Team as the sole
uploader (no one else on the team expressed interest in taking over and
I no longer use the package).

Currently the package is in good shape.  There is a new upstream release
available, which I will include in the upload that changes the maintainer to
Debian QA Group.

Scott K

Bug#1060427: python3-appdirs: Do not release with trixie

[Scott Kitterman]

Package: python3-appdirs
Version: 1.4.4-4
Severity: serious
Justification: maintainer determination

This is dead upstream and easily replacable with platformdirs.  Rather
than release trixie with appdirs, remaining users should port to
platformdirs instead.

Scott K

Bug#1060406: O: django-organizations -- Django groups and multi-user account management module

[Scott Kitterman]

Package: wnpp
Severity: normal
X-Debbugs-Cc: debian-pyt...@lists.debian.org
Control: affects -1 src:django-organizations

Orphaning the package on behalf of the Debian Python Team as the sole
uploader (no one else on the team expressed interest in taking over and
I no longer use the package).

Currently the package is in good shape.  There is a new upstream release
available, which I will probably include in the upload that changes the
maintainer to Debian QA Group.

Scott K

Bug#1059230: Stable Updates Available

[Scott Kitterman]

Updated packages are available from stable/oldstable-updates.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1059230: Proposed Postfix SUA Text

[Scott Kitterman]

Looks good to me.

Thanks,

Scott K

On December 29, 2023 11:29:21 AM UTC, Jonathan Wiltshire  
wrote:
>On Thu, Dec 28, 2023 at 03:31:55PM -0500, Scott Kitterman wrote:
>> Postfix is a High-performance mail transport agent.
>> 
>> Upstream published versions 3.5.23 and 3.7.9.
>> 
>> These are bug-fix releases. The changes are not currently required for 
>> operation, but upstream strongly recommends that users update.
>> 
>> Changes since 3.5.18 and 3.7.6 currently in bullseye and bookworm include 
>> fixes 
>> for multiple implementation defects identified since these packages were 
>> last 
>> updated, see debian/changelog for details.  Of particular note is a new 
>> optional feature to prevent 'SMTP Smuggling' attacks.  It is disabled by 
>> default.  A configuration change is required to enable this protection [1].
>> 
>> If you use postfix, we recommend that you install this update.
>> 
>> [1] https://www.postfix.org/smtp-smuggling.html
>
>The important part is the CVE fix with config change requirement, no? How
>about this, rephrasing to shift the emphasis:
>
>| Postfix is a high-performance mail transport agent.
>| 
>| This update consists of recommended upstream bug fixes since the versions
>| in bullseye and bookworm. In particular, a fix for CVE-2023-51764 (SMTP
>| smuggling) requires a configuration change to take full effect.
>| 
>| The configuration change is not done automatically to avoid causing
>| issues with existing installations. Users should consult the relevant
>| Postfix documentation [1] before setting "smtpd_forbid_bare_newline = yes"
>| in the main.cf file.
>| 
>|  1: https://www.postfix.org/smtp-smuggling.html
>
>If you are able to comment before 13:00 UTC I can get it out this
>afternoon.
>
>Thanks,
>
>

Bug#1059230: Proposed Postfix SUA Text

[Scott Kitterman]

Postfix is a High-performance mail transport agent.

Upstream published versions 3.5.23 and 3.7.9.

These are bug-fix releases. The changes are not currently required for 
operation, but upstream strongly recommends that users update.

Changes since 3.5.18 and 3.7.6 currently in bullseye and bookworm include fixes 
for multiple implementation defects identified since these packages were last 
updated, see debian/changelog for details.  Of particular note is a new 
optional feature to prevent 'SMTP Smuggling' attacks.  It is disabled by 
default.  A configuration change is required to enable this protection [1].

If you use postfix, we recommend that you install this update.

[1] https://www.postfix.org/smtp-smuggling.html

signature.asc
Description: This is a digitally signed message part.

Bug#1059500: bullseye-pu: package postfix/3.5.18-0+deb11u1

[Scott Kitterman]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
This is another of the regular postfix maintenance updates.  It
encompasses five upstream updates (3.5.19 - 3.5.23) because
life intervened and I got behind.  This one is of particular importance/
urgency since it includes a new setting to address CVE-2023-51764.

[ Impact ]
Bugs remain unfixed, CVE-2023-51764 unresolved.

[ Tests ]
There is a high level autopkgtest.

[ Risks ]
Risks are low.  These have all been released as part of upstream
maintenance and no regressions have been reported.  There are no changes
in Debian packaging.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
  * 3.5.19
- Portability: the EVP_get_digestbyname change broke OpenSSL
  1.0.2 support. File: tls/tls.h.
- Bugfix (introduced: Postfix 3.4): the posttls-finger command
  failed to detect that a connection was resumed in the case
  that a server did not return a certificate. Viktor Dukhovni.
  File: posttls-finger/posttls-finger.c.
- Workaround: OpenSSL 3.x EVP_get_cipherbyname() can return
  lazily-bound handles. Postfix now checks that the expected
  functionality will be available instead of failing later.
  Fix by Viktor Dukhovni. File: tls/tls_server.c.
- Bugfix (introduced: Postfix 3.5): check_ccert_access did
  not parse inline map specifications. Report and fix by Sean
  Gallagher. File: global/map_search.c.
- Safety: the long form "{ name = value }" in import_environment
  or export_environment is not documented, but accepted, and
  it was stored in the process environment as the invalid
  form "name = value", thus not setting or overriding an entry
  for "name". This form is now stored as the expected
  "name=value". Found during code maintenance. Also refined
  the "missing attribute name" detection. Files: clean_env.c,
  split_nameval.c.
   -  Bugfix (introduced: Postfix 3.2): the MySQL client could
  return "not found" instead of "error" during the time that
  all MySQL server connections were turned down after error.
  Found during code maintenance. File: global/dict_mysql.c.
  * 3.5.20
- Bugfix (defect introduced: Postfix 1.0): the command "postconf
  .. name=v1 .. name=v2 .." (multiple instances of the same
  parameter name) created multiple name=value entries with
  the same parameter name. It now logs a warning and skips
  the earlier update. Found during code maintenance. File:
  postconf/postconf_edit.c
- Bugfix (defect introduced: Postfix 3.3): the command "postconf
  -M name1/type1='name2 type2 ...'" died with a segmentation
  violation when the request matched multiple master.cf
  entries. The master.cf file was not damaged. Problem reported
  by SATOH Fumiyasu. File: postconf/postconf_master.c.
- Bugfix (defect introduced: Postfix 2.11): the command
  "postconf -M name1/type1='name2 type2 ...'" could add a
  service definition to master.cf that conflicted with an
  already existing service definition. It now replaces all
  existing service definitions that match the service pattern
  'name1/type1' or the service name and type in 'name2 type2
  ...' with a single service definition 'name2 type2 ...'.
  Problem reported by SATOH Fumiyasu. File: postconf/postconf_edit.c.
- Bitrot: preliminary support for OpenSSL configuration files,
  primarily OpenSSL 1.1.1b and later. This introduces new
  parameters "tls_config_file" and "tls_config_name", which
  can be used to limit collateral damage from OS distributions
  that crank up security to 11, increasing the number of
  plaintext email deliveries. Details are in the postconf(5)
  manpage under "tls_config_file" and "tls_config_name".
  Viktor Dukhovni. Files: mantools/postlink, proto/postconf.proto,
  global/mail_params.h, posttls-finger/posttls-finger.c,
  smtp/smtp.c, smtp/smtp_proto.c, tls/tls_client.c, tls/tls.h,
  tls/tls_misc.c, tls/tls_proxy_client_print.c,
  tls/tls_proxy_client_scan.c, tls/tls_proxy.h, tls/tls_server.c,
  tlsproxy/tlsproxy.c.
- Cleanup: use TLS_CLIENT_PARAMS to pass the OpensSSL 'init'
  configurations. This information is independent from the
  client or server TLS context, and therefore does not belong
  in tls_*_init() or tls_*_start() calls. The tlsproxy(8)
  server uses TLS_CLIENT_PARAMS to report differences between
  its own global TLS settings, and those from its clients.
  Files: posttls-finger/posttls-finger.c, smtp/smtp.c,
  smtp/smtp_proto.c, tls/tls.h, tls/tls_proxy_client_misc.c,
  tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
  

Bug#1059402: bookworm-pu: package postfix/3.7.6-0+deb12u2

[Scott Kitterman]

   class/type value
+*.one.example   IN CNAME *.other.example
+*.other.example IN A 10.0.0.1
+*.other.example IN TLSA  ..certificate info...
+  Such syntax is blesed in RFC 1034 section 4.3.3.
+  This problem was reported first in the context of TLSA
+  record lookups. Files: util/valid_hostname.[hc],
+  * 3.7.8
+- Bugfix (defect introduced Postfix 2.5, 20080104): the Postfix
+  SMTP server was waiting for a client command instead of
+  replying immediately, after a client certificate verification
+  error in TLS wrappermode. Reported by Andreas Kinzler. File:
+  smtpd/smtpd.c.
+- Usability: the Postfix SMTP server now attempts to log the
+  SASL username after authentication failure. In Postfix
+  logging, this appends ", sasl_username=xxx" after the reason
+  for SASL authentication failure. The logging replaces an
+  unavailable reason with "(reason unavailable)", and replaces
+  an unavailable sasl_username with "(unavailable)". Based
+  on code by Jozsef Kadlecsik. Files: xsasl/xsasl_server.c,
+  xsasl/xsasl_cyrus_server.c, smtpd/smtpd_sasl_glue.c.
+- Bugfix (defect introduced: Postfix 2.11): in forward_path,
+  the expression ${recipient_delimiter} would expand to an
+  empty string when a recipient address had no recipient
+  delimiter. Fixed by restoring Postfix 2.10 behavior to use
+  a configured recipient delimiter value. Reported by Tod
+  A. Sandman. Files: proto/postconf.proto, local/local_expand.c.
+  * 3.7.9 (Closes: #1059230)
+- Addresses CVE-2023-51764, requires configuration change
+- Security: with "smtpd_forbid_bare_newline = yes" (default
+  "no" for Postfix < 3.9), reply with "Error: bare 
+  received" and disconnect when an SMTP client sends a line
+  ending in , violating the RFC 5321 requirement that
+  lines must end in . This prevents SMTP smuggling
+  attacks that target a recipient at a Postfix server. For
+  backwards compatibility, local clients are excluded by
+  default with "smtpd_forbid_bare_newline_exclusions =
+  $mynetworks". Files: mantools/postlink, proto/postconf.proto,
+  global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
+
+ -- Scott Kitterman   Sun, 24 Dec 2023 12:33:24 -0500
+
 postfix (3.7.6-0+deb12u2) bookworm; urgency=medium
 
   * Correct regression that caused postfix set-permissions to fail (Closes:
diff -Nru postfix-3.7.6/HISTORY postfix-3.7.9/HISTORY
--- postfix-3.7.6/HISTORY   2023-06-05 15:59:49.0 -0400
+++ postfix-3.7.9/HISTORY   2023-12-21 21:01:13.0 -0500
@@ -26594,3 +26594,70 @@
(default: no) to disconnect remote SMTP clients that violate
RFC 2920 (or 5321) command pipelining constraints. Files:
global/mail_params.h, smtpd/smtpd.c, proto/postconf.proto.
+
+20230815
+
+   Bugfix (bug introduced: 20140218): when opportunistic TLS fails
+   during or after the handshake, don't require that a probe
+   message spent a minimum time-in-queue before falling back to
+   plaintext. Problem reported by Serg. File: smtp/smtp.h.
+
+20230819
+
+   Bugfix (defect introduced: 19980207): the valid_hostname()
+   check in the Postfix DNS client library was blocking unusual
+   but legitimate wildcard names (*.name) in some DNS lookup
+   results and lookup requests. Examples:
+
+name  class/type value
+*.one.example   IN CNAME *.other.example
+*.other.example IN A 10.0.0.1
+*.other.example IN TLSA  ..certificate info...
+
+   Such syntax is blesed in RFC 1034 section 4.3.3.
+
+   This problem was reported first in the context of TLSA
+   record lookups. Files: util/valid_hostname.[hc],
+   dns/dns_lookup.c.
+
+20230929
+
+   Bugfix (defect introduced Postfix 2.5, 20080104): the Postfix
+   SMTP server was waiting for a client command instead of
+   replying immediately, after a client certificate verification
+   error in TLS wrappermode. Reported by Andreas Kinzler. File:
+   smtpd/smtpd.c.
+
+20231006
+
+   Usability: the Postfix SMTP server now attempts to log the
+   SASL username after authentication failure. In Postfix
+   logging, this appends ", sasl_username=xxx" after the reason
+   for SASL authentication failure. The logging replaces an
+   unavailable reason with "(reason unavailable)", and replaces
+   an unavailable sasl_username with "(unavailable)". Based
+   on code by Jozsef Kadlecsik. Files: xsasl/xsasl_server.c,
+   xsasl/xsasl_cyrus_server.c, smtpd/smtpd_sasl_glue.c.
+
+20231026
+
+   Bugfix (defect introduced: Postfix 2.11): in forward_path,
+   the expression ${recipient_delimiter} would expand to an
+   empty string when a recipient address had no recipient
+ 

Bug#1054485: postfix: diff for NMU version 3.8.2-1.1

[Scott Kitterman]

On Monday, December 18, 2023 7:31:47 PM EST Chris Hofstaedtler wrote:
> Control: tags 1054485 + patch
> Control: tags 1054485 + pending
> 
> Dear maintainer,
> 
> I've prepared an NMU for postfix (versioned as 3.8.2-1.1) and
> uploaded it to DELAYED/7. Please feel free to tell me if I
> should delay it longer. Better, upload yourself in the meantime.
> 
> Best,
> Chris

Thank you for preparing this.  I've just done a maintainer upload with this 
change as well as a new upstream release. 

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1059230: postfix: SMTP Smuggling attack

[Scott Kitterman]

On Thursday, December 21, 2023 11:57:21 AM EST Salvatore Bonaccorso wrote:
> Source: postfix
> Version: 3.8.2-1
> Severity: important
> Tags: security upstream
> Forwarded:
> https://www.mail-archive.com/postfix-users@postfix.org/msg100901.html
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
>  Control: found -1 3.7.6-0+deb12u2
> Control: found -1 3.5.18-0+deb11u1
> Control: found -1 3.4.23-0+deb10u1
> 
> Hi
> 
> There was a SMTP smuggling vulerability reported, for which in some
> Postfix versions at least already exists short term mitiations in form
> of "smtpd_forbid_unauth_pipelining = yes".
> 
> Details via:
> 
> https://www.mail-archive.com/postfix-users@postfix.org/msg100901.html
> https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwid
> e/

See https://www.postfix.org/smtp-smuggling.html for the most recent 
information.

The mitigation is available for stable, but not yet oldstable.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1053215: ITP: needrestart-gui -- web interface for needrestart

[Scott Kitterman]

On September 29, 2023 11:57:52 AM UTC, Thomas Goirand  wrote:
>Package: wnpp
>Severity: wishlist
>Owner: Thomas Goirand 
>X-Debbugs-Cc: debian-de...@lists.debian.org
>
>* Package name: needrestart-gui
>  Version : 0.0.1
>  Upstream Contact: Axel Jacquet 
>* URL : 
>https://salsa.debian.org/openstack-team/third-party/needrestart-gui
>* License : most-permissive
>  Programming Lang: Python
>  Description : web interface for needrestart
>
> This package provides a Python implementation to monitor services and provides
> a GUI to show their status and package versions. It uses in the background the
> needrestart package.
>
Is this for any service that needs restart or just for Openstack services?  If 
it's the latter (and glancing at the code, it seems it might be) then that 
ought to be in the package description.

Scott K

Bug#1050053: xml2rfc: recommends empty package fonts-noto-unhinted

[Scott Kitterman]

On September 15, 2023 5:37:23 AM UTC, Jonas Smedegaard  wrote:
>Scott Kitterman wrote:
>>> Please change the dependency to the appropriate package instead.
>>> Thank you.
>> Which one is that?  I can't find any indication in the package what
>> replaced it.
>
>The binary package fonts-noto-unhinted is currently empty because it
>contained only fonts lacking hinting, and currently all fonts provided
>from same source package are available with hinting.
>
>So I would turn the question around: Do xml2rfc require fonts without
>hinting, or does it require certain specific fonts which formerly
>existed only without hinting?

Unhinted is what the upstream documentation specifies:

https://salsa.debian.org/debian/pkg-xml2rfc/-/blob/debian/sid/README.md

Scott K

Bug#1050683: pep517: Should not be released with Trixie

[Scott Kitterman]

Source: pep517
Severity: serious
Justification: Maintainer opinion

This package has been replace by python-pyproject-hooks and should not
be in Trixie.

Scott K

Bug#1049372: RM: gio-sharp -- RoQA; depends on gtk2; dead upstream; low popcon

[Scott Kitterman]

On Sat, 26 Aug 2023 09:21:21 +0200 Bastian Germann  wrote:
> Control: tags -1 - moreinfo
> 
> Am 26.08.23 um 01:18 schrieb Scott Kitterman:
> > Checking reverse dependencies...
> > # Broken Depends:
> > smuxi: smuxi-frontend-gnome
> > 
> > Dependency problem found.
> 
> That package is gone now.

Thanks.  I don't know why, but this one didn't show up before (or I missed 
it):

Checking reverse dependencies...
# Broken Build-Depends:
golang-github-twstrike-gotk3adapter: libgio-cil

Dependency problem found.

This also needs to be addressed.  Once again, please remove the moreinfo tag 
once it's resolved.

Scott K

Bug#1050491: Bug#1049876: Bug#1050491: RM: bbhash [armel armhf i386 mipsel powerpc Buildd exposure stats hurd-i386 hppa sh4] -- ROM; Does not build on 32bit architectures

[Scott Kitterman]

On August 25, 2023 10:58:03 AM UTC, Andreas Tille  wrote:
>Am Fri, Aug 25, 2023 at 09:46:43AM + schrieb Graham Inggs:
>> 
>> Andreas, what 32-bit builds?  bbhash has never built on 32-bit architectures.
>
>Good question - I was not properly looking at the build matrix.
>Sorry for the noise
> 
>> Emanuele, since when is this RC?
>
>I'm tempted to close this bug since its at best wishlist but there
>is no point at all to provide this package for 32bit.

If you want to keep it, reassign it back to the package.  As a rm bug it should 
definitely be closed.

Scott K

Bug#1043002: pdm: Please replace python3-pep517 with python3-pyproject-hooks in Depends/Build-Depends

[Scott Kitterman]

On Friday, August 18, 2023 9:33:48 AM EDT Andreas Tille wrote:
> Hi Scott,
> 
> Am Fri, Aug 18, 2023 at 01:15:18PM + schrieb Scott Kitterman:
> > On August 18, 2023 1:04:26 PM UTC, Andreas Tille  wrote:
> > >> In Debian terms, it's not the preferred form for modification, so it's
> > >> not source.  In this regard DFSG goes farther than some software
> > >> licenses.> >
> > >I think the point Jeroen wanted to make is that these are actually
> > >source file archives which "by chance" are featuring a .whl extension
> > >rather than a .zip extension.
> > 
> > A wheel is not the preferred form for modification.  They're not wheels by
> > chance at all.
> Yes, thanks to Jeroen's hint I realised this as well and I agree that
> this is a nasty way to hide the fact that the files are actually source
> archives.

They aren't.

> However, you confirmed yourself that future_fstrings is an exception and
> comes with source and thus does not violate DFSG.  The only difference
> I personally can see is that the archives are just hiding what they are.
> We could simply add do some
>for whl in *.whl ; do ln -s $whl $(basename .whl).zip ; done
> and we have source archives that are obviously what they are.
> 
> > From a DFSG perspective,
> 
> Hmmm, the only thing where I can draw a violation of the DFSG is that
> there are no d/copyright entries for the source code that is hidden
> inside these *.whl files.  Otherwise its "just" duplicated code (in most
> cases) which is definitely not nice but IMHO not a violation of DFSG.
> 
The disagreement here is that Python wheels aren't source.  DFSG #2 requires 
the source be present and these aren't it.  If you look at the WAF entry in 
the FTP team reject FAQ, this is similar.  The FTP team view has long been 
that DFSG #2 means the actual preferred form for modification.

> > the most straightforward approach is to build-depend on the relevant
> > Debian packages and build any needed wheels from that.
> Do avoid source code duplication I'm willing to do that.  Yes, I
> perfectly agree that its pretty ugly (I'm just a bit unsure about
> the DFSG violation).  I'm wondering whether a simple
> 
>zip whl.zip /path/to/python/files ; mv whl.zip whl.whl
> 
> will be something that can replace the current packages.  I think
> we also need to patch the tests to fit the version numbers (if
> we do not want to cheat and simply use the version numbers of the
> original whl files to avoid patching).

Perhaps, but there are nuances to the wheel format.  Please use Wheel to 
generate them.

> >  It won't necessarily get you the same version as upstream uses, but it's
> >  definitely DFSG compliant.
> We also might symlink our resulting whl files with the version number
> pdm upstream might expect in their tests.  The question is, whether all
> this effort might break the tests in some way and we might end up with
> endless patching by at the same time loosing the chance to discuss with
> upstream.  But it might be time to discuss the issue with upstream
> anyway.

Perhaps.  If it were me, what I'd do is locate the missing tarballs and stash 
them in debian/missing-sources/ and worry about more complex solutions later.  
Once you're done that, you've met DSFG #2 and there's no need to strip the 
wheels from the binary.

It's not super maintainable, but it will allow you to focos on getting the 
tests working as upstream ships them without any Debian customizations that 
might cause Debian specific failures.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1043002: pdm: Please replace python3-pep517 with python3-pyproject-hooks in Depends/Build-Depends

[Scott Kitterman]

On August 18, 2023 1:04:26 PM UTC, Andreas Tille  wrote:
>Hi Scott,
>
>Am Tue, Aug 15, 2023 at 02:18:35PM + schrieb Scott Kitterman:
>> >They are zip files containing python source code. It is possible to include
>> >compiled C extensions in wheels, but I checked and these wheels are all pure
>> >python, so no binary blobs are included.
>> 
>> In Debian terms, it's not the preferred form for modification, so it's not 
>> source.  In this regard DFSG goes farther than some software licenses.
>
>I think the point Jeroen wanted to make is that these are actually
>source file archives which "by chance" are featuring a .whl extension
>rather than a .zip extension.

A wheel is not the preferred form for modification.  They're not wheels by 
chance at all.

From a DFSG perspective, the most straightforward approach is to build-depend 
on the relevant Debian packages and build any needed wheels from that.  It 
won't necessarily get you the same version as upstream uses, but it's 
definitely DFSG compliant.

Scott K

Bug#1043002: pdm: Please replace python3-pep517 with python3-pyproject-hooks in Depends/Build-Depends

[Scott Kitterman]

pdm is the last remaining blocker for pep517 removal.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1043002: pdm: Please replace python3-pep517 with python3-pyproject-hooks in Depends/Build-Depends

[Scott Kitterman]

On August 15, 2023 1:51:54 PM UTC, Jeroen Dekkers  wrote:
>On Tue, 15 Aug 2023 15:08:11 +0200,
>Scott Kitterman wrote:
>>
>> On Tuesday, August 15, 2023 3:53:07 AM EDT Andreas Tille wrote:
>> > Hi Scott,
>> >
>> > Am Mon, Aug 14, 2023 at 02:06:42PM + schrieb Scott Kitterman:
>> >
>> > > those are all binary without source.  That's a problem.
>> >
>> > Given your role as ftpmaster you definitely have more experience than I
>> > in this field.  I personally was thinking more in the line of binary
>> > data we can not avoid in some cases.  This is a bit in the line with
>> > Rdata decision[1] where those binary data files are documented in
>> > debian/README.source.
>> >
>> > My point is just: If we remove those data files (which are IMHO harmless
>> > since these are not executd but used as input in tests - please correct
>> > me if I'm wrong) we can not test the package.  Removing the files
>> > prevents testing and thus we can not know whether the package we deliver
>> > will work.  I've actually shown that not all tests are working but
>> > stopped investigating this further.
>>
>> Even if they are used as data (I didn't check), they are, in fact, binary
>> blobs of code by our definition and that requires the corresponding source.
>
>They are zip files containing python source code. It is possible to include
>compiled C extensions in wheels, but I checked and these wheels are all pure
>python, so no binary blobs are included.

In Debian terms, it's not the preferred form for modification, so it's not 
source.  In this regard DFSG goes farther than some software licenses.

Scott K

Bug#1043002: pdm: Please replace python3-pep517 with python3-pyproject-hooks in Depends/Build-Depends

[Scott Kitterman]

On Tuesday, August 15, 2023 3:53:07 AM EDT Andreas Tille wrote:
> Hi Scott,
> 
> Am Mon, Aug 14, 2023 at 02:06:42PM + schrieb Scott Kitterman:
> > >Before I upload I'd like to ask for reviewing this patch and opinions
> > >about the test suite errors.  While these possibly occure in previous
> > >versions (which I did not tested) we might consider ignoring just the
> > >failing tests.  I need to admit that I did not went through the list of
> > >single failures - may be there is a chance of easy fixes for some of
> > >them.  I simply wanted to discuss the reintroduction of the artifacts
> > >and my patch first.
> > 
> > With the exception of future_fstrings
> 
> I think there is also the souce for demo included.
> 
> > those are all binary without source.  That's a problem.
> 
> Given your role as ftpmaster you definitely have more experience than I
> in this field.  I personally was thinking more in the line of binary
> data we can not avoid in some cases.  This is a bit in the line with
> Rdata decision[1] where those binary data files are documented in
> debian/README.source.
> 
> My point is just: If we remove those data files (which are IMHO harmless
> since these are not executd but used as input in tests - please correct
> me if I'm wrong) we can not test the package.  Removing the files
> prevents testing and thus we can not know whether the package we deliver
> will work.  I've actually shown that not all tests are working but
> stopped investigating this further.

Even if they are used as data (I didn't check), they are, in fact, binary 
blobs of code by our definition and that requires the corresponding source.

> > It's probably okay if you add the corresponding source somewhere in the
> > package.
> We probably have some source packages inside Debian - may be in
> different versions.  I need to admit that I intended to do a "quick fix
> of a simple bug that affects some Debian Med packages" but realised that
> I'm possibly opening a can of worms.  The simplest solution to fulfill
> my needs would be probably to revert my change to run the tests and be
> done.  However, I'm not sure whetherr this is in the interest of the
> users of this package.  I'm absolutely not able time-wise to povide
> sources and reconstruct all those *.whl files *and* in addition track
> down the test suite errors.  This is a team package and if the team
> decides we should go without testing I can do an according upload.
> However, my prefered path would to document the issue of some binary
> data properly an test what upstream expects to be tested.

i think this is definitely more complicated than you want to take on casually.  
I don't think it's required to actually rebuild the wheels.  If you provide 
the source, the DFSG is happy.  You have to be able to rebuild it, but you 
aren't required to do it.

It might, however, be simpler in the long run to just depend on those packages 
and build wheels from those (a Debian binary package has enough in it 
generally to build a wheel from it).

I agree it'd be better in the long run to run the tests, but that may be more 
than you want to take on right now.

Scott K



signature.asc
Description: This is a digitally signed message part.

Bug#1043002: pdm: Please replace python3-pep517 with python3-pyproject-hooks in Depends/Build-Depends

[Scott Kitterman]

On August 14, 2023 12:28:30 PM UTC, Andreas Tille  wrote:
>Control: tags -1 pending
>
>Hi,
>
>I've fixed the issue reported in this bug[1].
>
>In addition I've took the chance to upload pdm to its latest upstream
>version.  When doing so I realised that build time tests are basically
>ignored.  This was mainly due to the removal of artefacts that are used
>for testing.  I admit I do not see any reason to remove those data
>files - in Debian R team this kind of data files which is just used for
>testing is accepted.  Thus I took the freedom to re-introduce these
>files and was running the tests in d/rules.  Unfortunately there is
>quite a number of tests failing
>
>   54 failed, 620 passed, 1 xfailed, 3 rerun in 228.94s (0:03:48) 
> 
>
>(see Salsa CI[2])
>
>I'd like to stress that to run those tests at all I needed a patch[3]
>since BaseProvider can't be simply imported from findpython.
>
>Before I upload I'd like to ask for reviewing this patch and opinions
>about the test suite errors.  While these possibly occure in previous
>versions (which I did not tested) we might consider ignoring just the
>failing tests.  I need to admit that I did not went through the list of
>single failures - may be there is a chance of easy fixes for some of
>them.  I simply wanted to discuss the reintroduction of the artifacts
>and my patch first.
>
With the exception of future_fstrings those are all binary without source.  
That's a problem.  It's probably okay if you add the corresponding source 
somewhere in the package.

I do think it's odd that pdm would need poetry-core in its test suit.

Scott K

Bug#1023512: Naming of python binary packages

[Scott Kitterman]

On Friday, August 11, 2023 10:49:00 AM EDT Stefano Rivera wrote:
> My vote would be strongly towards maintaining the status quo of the
> policy-defined names.
> 
> I don't see any strong argument for changing this.

Fully agreed.  In addition to the reasons you listed, renaming a lot of 
packages would require a trip through New.  I think we have enough backlog 
there without renaming a bunch of packages for a not very good reason.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1043002: pdm: Please replace python3-pep517 with python3-pyproject-hooks in Depends/Build-Depends

[Scott Kitterman]

On Thu, 03 Aug 2023 23:52:10 -0400 Scott Kitterman  
wrote:
> Source: pdm
> Version: 2.2.1+ds1-1
> Severity: important
> 
> The python3-pep517 package has been replaced by python3-pyproject-hooks.
> Please update your package depends and build-depends (this may required
> a new upstream release - I did check and the current upstream release
> supports using pyproject-hooks).
> 
> Once I request removal, I'll raise the severity of this to serious.  I
> expect that by next week we'll be down to only two or three packages
> left that use pep517, so I'll probably request it then.  If you need
> more time to update this package, I can wait, please let me know.

RM has been requested (See #1043255).  Bumping to serious.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1042965: py7zr: Remove unneeded build-depends on deprecate pep517

[Scott Kitterman]

On Thu, 03 Aug 2023 08:02:16 -0400 Scott Kitterman  
wrote:
> Source: py7zr
> Version: 0.11.3+dfsg-5
> Severity: important
> Tags: patch
> 
> The pep517 package has been superceded by python-pyproject-hooks.  It
> looks like this package added a build-depends on python3-pep517
> relatively early in our fielding of the ability to build Debian packages
> based on pyproject.toml.  This build dependency is no longer needed and
> can be simply removed.
> 
> I did test that the package built without it.  See the attached patch.
> I am happy to address this as a team upload if you would prefer.  I will
> soon be requesting removal of the pep517 package and I intend to bump
> the severity of this when I do if it's not resolved by then.

RM has been requested (See #1043255).  Bumping to serious.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1042869: sniffles: Please update to newer version without python3-pep517 requirement

[Scott Kitterman]

On Tue, 01 Aug 2023 22:36:34 -0400 Scott Kitterman  
wrote:
> Source: sniffles
> Version: 2.0.7-1
> Severity: important
> 
> Currently sniffles build-depends on python3-pep517.  This package has
> been replaced upstream by python3-pyproject-hooks, which is now in
> Debian.  As a result, python3-pep517 will be removed soon.
> 
> There appears to be a newer version of sniffles that does not use
> python3-pep517 (I did not check if the current version acutally requires
> it of the the build-depend is unneeded).  Please upgrade to the newer
> version or otherwise remove the build-depends on python3-pep517.
> 
> Once I file the rm bug for it, I'll increase this to serious, so please
> address it now.

RM has been requested (See #1043255).  Bumping to serious.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1043255: RM: pep517 -- ROM; Obsolete, replaced by python-pyproject-hooks

[Scott Kitterman]

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: debian-pyt...@lists.debian.org

Python-pyproject-hooks has replaced pep517, so it should be removed once
there are no more reverse Build-Depends.  Most packages have been
updated and bugs have been filed for the three remaining.

Scott K

Bug#1030290: Should have been RC

[Scott Kitterman]

Bumped severity to serious as the package is not working at all.  Although 
fixed in Unstable, it still affects Stable and should be fixed there as well.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1030835: ITP: ruff -- linter for Python, written in Rust

[Scott Kitterman]

On Wed, 08 Feb 2023 01:00:19 + James Addison  wrote:
> Package: wnpp
> Severity: wishlist
> Owner: James Addison 
> X-Debbugs-Cc: debian-de...@lists.debian.org
> 
> * Package name: ruff
>   Version : 0.0.243
>   Upstream Contact: Charlie Marsh
> * URL : https://github.com/charliermarsh/ruff/
> * License : MIT
>   Programming Lang: Rust
>   Description : linter for Python, written in Rust
> 
> Ruff is a linter for Python that includes implementations of many common
> checks implemented by flake8, flake8 plugins, and pylint.

It appears the original reporter is no longer active in Debian (Salsa account 
deactivated), so converting to RFP.  It would be nice to see this, but I do 
not intend to package it.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1043002: pdm: Please replace python3-pep517 with python3-pyproject-hooks in Depends/Build-Depends

[Scott Kitterman]

Source: pdm
Version: 2.2.1+ds1-1
Severity: important

The python3-pep517 package has been replaced by python3-pyproject-hooks.
Please update your package depends and build-depends (this may required
a new upstream release - I did check and the current upstream release
supports using pyproject-hooks).

Once I request removal, I'll raise the severity of this to serious.  I
expect that by next week we'll be down to only two or three packages
left that use pep517, so I'll probably request it then.  If you need
more time to update this package, I can wait, please let me know.

Scott K

Bug#1042965: py7zr: Remove unneeded build-depends on deprecate pep517

[Scott Kitterman]

Source: py7zr
Version: 0.11.3+dfsg-5
Severity: important
Tags: patch

The pep517 package has been superceded by python-pyproject-hooks.  It
looks like this package added a build-depends on python3-pep517
relatively early in our fielding of the ability to build Debian packages
based on pyproject.toml.  This build dependency is no longer needed and
can be simply removed.

I did test that the package built without it.  See the attached patch.
I am happy to address this as a team upload if you would prefer.  I will
soon be requesting removal of the pep517 package and I intend to bump
the severity of this when I do if it's not resolved by then.

Scott K
diff -Nru py7zr-0.11.3+dfsg/debian/changelog py7zr-0.11.3+dfsg/debian/changelog
--- py7zr-0.11.3+dfsg/debian/changelog  2023-03-25 18:50:07.0 -0400
+++ py7zr-0.11.3+dfsg/debian/changelog  2023-08-02 10:11:34.0 -0400
@@ -1,3 +1,10 @@
+py7zr (0.11.3+dfsg-6) unstable; urgency=medium
+
+  * Team upload.
+  * Drop build-depends on python3-pep517, deprecated, no longer needed
+
+ -- Scott Kitterman   Wed, 02 Aug 2023 10:11:34 -0400
+
 py7zr (0.11.3+dfsg-5) unstable; urgency=medium
 
   [ YOKOTA Hiroshi ]
diff -Nru py7zr-0.11.3+dfsg/debian/control py7zr-0.11.3+dfsg/debian/control
--- py7zr-0.11.3+dfsg/debian/control2023-03-25 18:50:07.0 -0400
+++ py7zr-0.11.3+dfsg/debian/control2023-08-02 10:06:35.0 -0400
@@ -6,7 +6,6 @@
 Build-Depends: debhelper-compat (= 13),
pybuild-plugin-pyproject,
python3-all-dev,
-   python3-pep517,
python3-pyannotate ,
python3-pycryptodome ,
python3-pytest ,

Bug#1042869: sniffles: Please update to newer version without python3-pep517 requirement

[Scott Kitterman]

Source: sniffles
Version: 2.0.7-1
Severity: important

Currently sniffles build-depends on python3-pep517.  This package has
been replaced upstream by python3-pyproject-hooks, which is now in
Debian.  As a result, python3-pep517 will be removed soon.

There appears to be a newer version of sniffles that does not use
python3-pep517 (I did not check if the current version acutally requires
it of the the build-depend is unneeded).  Please upgrade to the newer
version or otherwise remove the build-depends on python3-pep517.

Once I file the rm bug for it, I'll increase this to serious, so please
address it now.

Thanks,

Scott K

Bug#1042541: ITP: libmozilla-publicsuffix-perl -- Perl interface to the Mozilla Public Suffix List

[Scott Kitterman]

On July 31, 2023 2:30:33 PM UTC, gregor herrmann  wrote:
>On Sun, 30 Jul 2023 14:47:28 +0200, gregor herrmann wrote:
>
>> So in the end I guess we need to patch lib/Mozilla/PublicSuffix.pm to
>> read /usr/share/publicsuffix/effective_tld_names.dat dynamically …
>
>Done (in git) now.
>
>Thanks again for pointing me in the right direction :)
>
Sounds great.  Approximately all language environments have or will soon have 
an interface to the PSL.  Many of the issues are common across the different 
language implementations.  Glad I could help.

Scott K

Bug#1042541: ITP: libmozilla-publicsuffix-perl -- Perl interface to the Mozilla Public Suffix List

[Scott Kitterman]

On July 30, 2023 2:30:29 AM UTC, gregor herrmann  wrote:
>On Sun, 30 Jul 2023 02:06:03 +0000, Scott Kitterman wrote:
>
>> Debian provides a system PSL in the publicsuffix package. Please
>> depend on and use that rather than the bundled copy or the facility
>> the package provides for downloading a newer version.
>
>Thanks for the pointer.
>
>I'm now build-depending on publicsuffix and copying effective_tld_names.dat
>from the publicsuffix package over the shipped version in
>override_dh_auto_configure.
>(The perl bindings in /usr/share/perl5/Mozilla/PublicSuffix.pm are
>generated from effective_tld_names.dat at configure time.)

The publicsuffix package is often updated.  If you do it that way, you won't 
get the new version without rebuilding the package.  I'd suggest using Depends 
and installing a symlink to the file it provides, so you always get the current 
version's data.

Scott K

Bug#1042541: ITP: libmozilla-publicsuffix-perl -- Perl interface to the Mozilla Public Suffix List

[Scott Kitterman]

Debian provides a system PSL in the publicsuffix package.  Please depend on and 
use that rather than the bundled copy or the facility the package provides for 
downloading a newer version.

Scott K

Bug#1041538: dh-python: Unhelpful inclusion of optional packages in Depends

[Scott Kitterman]

On Friday, July 28, 2023 3:42:50 PM EDT Emmanuel Arias wrote:
> Control: reassign -1 poetry-core
> 
> Hi,
> 
> Sorry for this delay. Yes as you mentioned Scott, you need to add the
> optional dependency in the extras section, not only marked it as
> optional=true.
> 
> Poetry documentation[0] is not very explicit with that.
> 
> There's an issue open [1]. I can work in a patch to at least raise an
> exception o message when a dependency is marked as optional and is not
> added to extras. But I agree that mark a deps as optional and then is
> not optional is confusing.
> 
> [0] https://python-poetry.org/docs/pyproject/#extras
> [1] https://github.com/python-poetry/poetry/issues/2357

Thanks,

For this particular package I pointed this out to upstream and it's fixed in 
their latest bug fix update.  They were quite surprised that marking a 
dependency optional didn't actually do anything, so I think it would be good 
to get poetry to handle this better.

Scott K

signature.asc
Description: This is a digitally signed message part.

Bug#1042465: python3-hypercorn: Aioquic now in the archive, so please update Recommends/Suggests

[Scott Kitterman]

Package: python3-hypercorn
Version: 0.14.4-1
Severity: normal

As of today, aioquic (python3-aioquic) is in the archive, so it might be
good to update either the package Recommends or Suggests to take
advantage of this.  I seen it's already mentioned in the package
description.

Scott K