Bug#1053483: hash-slinger: diff for NMU version 3.1-1.2

[anarcat]

Control: tags 1053483 + pending

Dear maintainer,

I've prepared an NMU for hash-slinger (versioned as 3.1-1.2) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.

I didn't find a recent copy of the source code on Salsa as well,
otherwise I would have submitted this as a MR there as well.

I also plan on issuing a stable release update for this once the NMU
lands in testing. Let me know if I should delay this as well.

My work on this issue is tracked in this bug report and our internal
tracker here as well:

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41350

Regards.


-- 
diff -Nru hash-slinger-3.1/debian/changelog hash-slinger-3.1/debian/changelog
--- hash-slinger-3.1/debian/changelog	2022-02-10 01:03:46.0 -0500
+++ hash-slinger-3.1/debian/changelog	2023-10-05 10:37:58.0 -0400
@@ -1,3 +1,10 @@
+hash-slinger (3.1-1.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Bug fix: "tlsa can produce invalid records" (Closes: #1053483)
+
+ -- Antoine Beaupré   Thu, 05 Oct 2023 10:37:58 -0400
+
 hash-slinger (3.1-1.1) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru hash-slinger-3.1/debian/patches/0001-fix-generic-TLSA-record-generation.patch hash-slinger-3.1/debian/patches/0001-fix-generic-TLSA-record-generation.patch
--- hash-slinger-3.1/debian/patches/0001-fix-generic-TLSA-record-generation.patch	1969-12-31 19:00:00.0 -0500
+++ hash-slinger-3.1/debian/patches/0001-fix-generic-TLSA-record-generation.patch	2023-10-05 10:36:07.0 -0400
@@ -0,0 +1,34 @@
+From e3bec6e2a6b1bda7c52b4c585474fd7cc23ab643 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Charaoui?= 
+Date: Wed, 4 Oct 2023 22:05:26 -0400
+Subject: [PATCH] fix generic TLSA record generation
+Applied-Upstream: https://github.com/letoams/hash-slinger/commit/0bb0dba91c51d367d9a37297f13e07f33c01bfdc
+
+It seems like the calculation for the TLSA record never really worked,
+as we're doing float division here on the `len()` field. In our case,
+that field returned `35.0` which is not valid in our environment.
+
+Doing an integer division gives the correct result in most cases, I
+believe.
+
+Closes: #45
+---
+ tlsa | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tlsa b/tlsa
+index cea7230..ec97150 100755
+--- a/tlsa
 b/tlsa
+@@ -513,7 +513,7 @@ class TLSARecord:
+ 	def getRecord(self, generic=False):
+ 		"""Returns the RR string of this TLSARecord, either in rfc (default) or generic format"""
+ 		if generic:
+-			return '%s IN TYPE52 \# %s %s%s%s%s' % (self.name, (len(self.cert)/2)+3 , self._toHex(self.usage), self._toHex(self.selector), self._toHex(self.mtype), self.cert)
++			return '%s IN TYPE52 \# %s %s%s%s%s' % (self.name, (len(self.cert)//2)+3 , self._toHex(self.usage), self._toHex(self.selector), self._toHex(self.mtype), self.cert)
+ 		return '%s IN TLSA %s %s %s %s' % (self.name, self.usage, self.selector, self.mtype, self.cert)
+ 
+ 	def _toHex(self, val):
+-- 
+2.39.2
+
diff -Nru hash-slinger-3.1/debian/patches/series hash-slinger-3.1/debian/patches/series
--- hash-slinger-3.1/debian/patches/series	2021-02-14 11:40:02.0 -0500
+++ hash-slinger-3.1/debian/patches/series	2023-10-05 10:36:07.0 -0400
@@ -1 +1,2 @@
 0001-Debian-default-root.key-resides-in-usr-share-dns-roo.patch
+0001-fix-generic-TLSA-record-generation.patch


signature.asc
Description: PGP signature

Bug#1032287: python-qrencode: diff for NMU version 1.2-5.1

[anarcat]

Control: tags 1032287 + pending

Dear maintainer,

I've prepared an NMU for python-qrencode (versioned as 1.2-5.1) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.

Regards.


-- 
diff -Nru python-qrencode-1.2/debian/changelog python-qrencode-1.2/debian/changelog
--- python-qrencode-1.2/debian/changelog	2019-08-30 08:31:57.0 -0400
+++ python-qrencode-1.2/debian/changelog	2023-03-02 22:19:32.0 -0500
@@ -1,3 +1,10 @@
+python-qrencode (1.2-5.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * fix crash in Python 3.10 (Closes: #1032287)
+
+ -- Antoine Beaupré   Thu, 02 Mar 2023 22:19:32 -0500
+
 python-qrencode (1.2-5) unstable; urgency=medium
 
   * Drop Python 2 support (Closes: #938112).
diff -Nru python-qrencode-1.2/debian/patches/python3-10-port.patch python-qrencode-1.2/debian/patches/python3-10-port.patch
--- python-qrencode-1.2/debian/patches/python3-10-port.patch	1969-12-31 19:00:00.0 -0500
+++ python-qrencode-1.2/debian/patches/python3-10-port.patch	2023-03-02 22:19:28.0 -0500
@@ -0,0 +1,13 @@
+Description: adapt to changes in Python 3.10
+Author: anar...@debian.org
+Origin: Debian
+Forwarded: no
+Last-Update: 2023-03-03
+
+--- python-qrencode-1.2.orig/qr_encode.c
 python-qrencode-1.2/qr_encode.c
+@@ -1,3 +1,4 @@
++#define PY_SSIZE_T_CLEAN
+ #include 
+ #include 
+ #include 
diff -Nru python-qrencode-1.2/debian/patches/series python-qrencode-1.2/debian/patches/series
--- python-qrencode-1.2/debian/patches/series	1969-12-31 19:00:00.0 -0500
+++ python-qrencode-1.2/debian/patches/series	2023-03-02 22:18:59.0 -0500
@@ -0,0 +1 @@
+python3-10-port.patch


signature.asc
Description: PGP signature

Bug#987008: grub2: diff for NMU version 2.06-8.1

[anarcat]

Control: tags 987008 + pending

Dear maintainer,

I've prepared an NMU for grub2 (versioned as 2.06-8.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Note that the package was uploaded to *experimental*, not unstable, as
an extra precaution. Let me know if you will followup with an unstable
update or I should.

A copy of the package is also available at:

https://people.debian.org/~anarcat/debian/sid/grub2_2.06-8.1_amd64.changes

(and yes, I am aware this makes it possible to bypass the DELAYED queue,
which is partly why it's targeting experimental.)

Regards.

a.
diff -Nru grub2-2.06/debian/changelog grub2-2.06/debian/changelog
--- grub2-2.06/debian/changelog	2023-02-08 20:09:00.0 -0500
+++ grub2-2.06/debian/changelog	2023-02-25 15:16:55.0 -0500
@@ -1,3 +1,11 @@
+grub2 (2.06-8.1) experimental; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix an issue where a logical volume rename would lead grub to fail to
+boot (Closes: #987008)
+
+ -- Antoine Beaupré   Sat, 25 Feb 2023 15:16:55 -0500
+
 grub2 (2.06-8) unstable; urgency=medium
 
   [ Steve McIntyre ]
diff -Nru grub2-2.06/debian/patches/987008-lvrename-boot-fail.patch grub2-2.06/debian/patches/987008-lvrename-boot-fail.patch
--- grub2-2.06/debian/patches/987008-lvrename-boot-fail.patch	1969-12-31 19:00:00.0 -0500
+++ grub2-2.06/debian/patches/987008-lvrename-boot-fail.patch	2023-02-25 15:16:55.0 -0500
@@ -0,0 +1,35 @@
+Description: fix renamed LV detection
+  It looks like the detection of the LVM logical volumes fails in
+  certain edge conditions. In particular, it was reported that
+  renaming an LV will make grub fail to boot from the system as it
+  cannot properly detect it anymore.
+  .
+  I have looked at the code surrounding the patch and cannot claim to
+  understand the entire function here, as it is huge and quite
+  cryptic. But it seems sane: the `ptr` we're inspecting here starts
+  at the `rlocn->offset`, but we were adding `mda_size` to the
+  (somewhat) unrelated metadatabuf instead. Now we're marking the
+  `mda_end` correctly, based on the rlocn->offsite and ->size.
+  .
+  I have not tested this myself as the test setup is quite involved,
+  but it seems others (e.g. "Hoyer, David" )
+  have tested the patch and confirmed it worked.
+Author: Rogier 
+Origin: other
+Bug: https://savannah.gnu.org/bugs/index.php?61620
+Bug-Debian: https://bugs.debian.org/987008
+Forwarded: https://savannah.gnu.org/bugs/index.php?61620
+Reviewed-By: Antoine Beaupré
+Last-Update: 2023-02-25
+
+--- grub2-2.06.orig/grub-core/disk/lvm.c
 grub2-2.06/grub-core/disk/lvm.c
+@@ -290,7 +290,7 @@ grub_lvm_detect (grub_disk_t disk,
+ 
+   p = q = (char *)ptr;
+ 
+-  if (grub_add ((grub_size_t)metadatabuf, (grub_size_t)mda_size, &ptr))
++  if (grub_add (ptr, (grub_size_t)grub_le_to_cpu64 (rlocn->size), &ptr))
+ goto error_parsing_metadata;
+ 
+   mda_end = (char *)ptr;
diff -Nru grub2-2.06/debian/patches/series grub2-2.06/debian/patches/series
--- grub2-2.06/debian/patches/series	2023-02-08 20:09:00.0 -0500
+++ grub2-2.06/debian/patches/series	2023-02-25 15:09:36.0 -0500
@@ -114,3 +114,4 @@
 grub_mkconfig_restore_umask.patch
 ignore_checksum_seed_incompat_feature.patch
 ignore_the_large_dir_incompat_feature.patch
+987008-lvrename-boot-fail.patch


signature.asc
Description: PGP signature

Bug#988074: trocla: diff for NMU version 0.3.0-0.1

[anarcat]

Package: trocla
Version: 0.2.3-1
Severity: normal
Tags: patch  pending

Dear maintainer,

I've prepared an NMU for trocla (versioned as 0.3.0-0.1) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.

I also uploaded it to experimental, given that we're in a freeze, as a
precaution, in case you want to just cherry-pick the two patches to just
fix the RC bugs. But considering that 0.2.3 is pretty broken, I suspect
that wouldn't be a good idea anyways.

Note that this diff includes a pile of changes that had accumulated in
the git repository on salsa and are therefore not only my changes. My
work may be more easily reviewed here:

https://salsa.debian.org/anarcat/trocla/-/commits/debian/experimental/

You can also see the pipeline has been fixed by those commits here:

https://salsa.debian.org/anarcat/trocla/-/pipelines/251950

Regards.
diff -Nru trocla-0.2.3/bin/trocla trocla-0.3.0/bin/trocla
--- trocla-0.2.3/bin/trocla	2016-03-01 15:40:25.0 -0500
+++ trocla-0.3.0/bin/trocla	2021-05-04 15:31:47.0 -0400
@@ -47,18 +47,20 @@
 end.parse!
 
 def create(options)
-  Trocla.new(options.delete(:config_file)).password(
+  [ Trocla.new(options.delete(:config_file)).password(
 options.delete(:trocla_key),
 options.delete(:trocla_format),
 options.merge(YAML.load(options.delete(:other_options).shift.to_s)||{})
-  )
+  ) , 0 ]
 end
 
 def get(options)
-  Trocla.new(options.delete(:config_file)).get_password(
+  res = Trocla.new(options.delete(:config_file)).get_password(
 options.delete(:trocla_key),
-options.delete(:trocla_format)
+options.delete(:trocla_format),
+options.merge(YAML.load(options.delete(:other_options).shift.to_s)||{})
   )
+  [ res, res.nil? ? 1 : 0 ]
 end
 def set(options)
   if options.delete(:ask_password)
@@ -67,7 +69,7 @@
 pwd2 = ask('Repeat password: ') { |q| q.echo = 'x' }.to_s
 unless password == pwd2
   STDERR.puts 'Passwords did not match, exiting!'
-  exit 1
+  return [ nil, 1 ]
 end
   else
 password = options.delete(:password) || STDIN.read.chomp
@@ -78,29 +80,29 @@
   value = if no_format
 password
   else
-trocla.formats(format).format(password, options.delete(:other_options).shift.to_s)
+trocla.formats(format).format(password, (YAML.load(options.delete(:other_options).shift.to_s)||{}))
   end
   trocla.set_password(
 options.delete(:trocla_key),
 format,
 value
   )
-  ''
+  [ '', 0 ]
 end
 
 def reset(options)
-  Trocla.new(options.delete(:config_file)).reset_password(
+  [ Trocla.new(options.delete(:config_file)).reset_password(
 options.delete(:trocla_key),
 options.delete(:trocla_format),
 options.merge(YAML.load(options.delete(:other_options).shift.to_s)||{})
-  )
+  ), 0 ]
 end
 
 def delete(options)
-  Trocla.new(options.delete(:config_file)).delete_password(
+  [ Trocla.new(options.delete(:config_file)).delete_password(
 options.delete(:trocla_key),
 options.delete(:trocla_format)
-  )
+  ), 0 ]
 end
 
 def formats(options)
@@ -125,7 +127,8 @@
 options[:other_options] = ARGV
 check_format(options[:trocla_format]) unless ['delete','formats'].include?(action)
 begin
-  if result = send(action,options)
+  result, excode = send(action,options)
+  if result
 puts result.is_a?(String) ? result : result.inspect
   end
 rescue Exception => e
@@ -136,6 +139,7 @@
   raise e if options[:trace]
   exit 1
 end
+exit excode.nil? ? 0 : excode
 else
 STDERR.puts "Please supply one of the following actions: #{actions.join(', ')}"
 STDERR.puts "Use #{$0} --help to get a list of options for these actions"
diff -Nru trocla-0.2.3/CHANGELOG.md trocla-0.3.0/CHANGELOG.md
--- trocla-0.2.3/CHANGELOG.md	2016-03-01 15:40:25.0 -0500
+++ trocla-0.3.0/CHANGELOG.md	2021-05-04 15:31:47.0 -0400
@@ -1,5 +1,14 @@
 # Changelog
 
+## to 0.3.0
+
+* Add open method to be able to immediately close a trocla store after using it - thanks martinpfeiffer
+* Add typesafe charset - thanks hggh
+* Support cost option for bcrypt
+* address concurrency corner cases, when 2 concurrent threads or even processes
+  are currently calculating the same (expensive) format.
+* parse additional options on cli (#39 & #46) - thanks fe80
+
 ## to 0.2.3
 
 1. Add extended CA validity profiles
diff -Nru trocla-0.2.3/debian/changelog trocla-0.3.0/debian/changelog
--- trocla-0.2.3/debian/changelog	2016-03-01 16:05:19.0 -0500
+++ trocla-0.3.0/debian/changelog	2021-05-04 15:32:32.0 -0400
@@ -1,3 +1,39 @@
+trocla (0.3.0-0.1) experimental; urgency=medium
+
+  [ Antoine Beaupré ]
+  * Non-maintainer upload.
+  * New upstream release (Closes: #974697)
+  * Remove no-pending_for patch: dependency packaged in Debian and added
+to Build-Depends.
+  * remove fix_version.patch: just s

Bug#826675: rapid-photo-downloader: Wrong sort order

[anarcat]

Control: tag -1 moreinfo

On Tue, Jun 07, 2016 at 09:40:07PM +0200, Christian von Kietzell wrote:
> Package: rapid-photo-downloader
> Version: 0.4.11-1
> Severity: normal
> 
> Dear Maintainer,
> 
> rpd sorts the files to import incorrectly, resulting in file numbering that
> isn't chronological (with respect to the files to import). Its internally used
> modification time, which files are sorted by, is only accurate to full
> seconds. I checked this by printing the filename and modification time in
> scan.py.
> "touch"-ing all files in (filename) order and sleeping at least one second in
> between calls makes rpd sort them correctly.
> 
> Usually, this isn't really a problem when photos are downloaded from a memory
> card directly. If you bulk-copy them to a different directory first, it's
> easily triggered, though. On the other hand I can see how the same behaviour
> might come about with cameras with high framerates and photos shot in burst
> mode.

Hi!

This bug report is pretty old, could you try again with the latest
release in testing? A lot of changes went in RPD since then, and I
wonder if this is still a problem.

Otherwise, I would also argue that if you copy files before RPD
processes them, you're kind of doing it wrong. :) RPD is the thing
that's designed to copy them...

a.


signature.asc
Description: PGP signature

Bug#807990: oath-toolkit: diff for NMU version 2.6.1-1.4

[anarcat]

[this is a resend: the prevous version had the wrong date in
debian/changelog]

Dear maintainer,

I've prepared an NMU for oath-toolkit (versioned as 2.6.1-1.4) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.

Regards.


-- 
diff -Nru oath-toolkit-2.6.1/debian/changelog oath-toolkit-2.6.1/debian/changelog
--- oath-toolkit-2.6.1/debian/changelog	2019-02-09 10:39:41.0 -0500
+++ oath-toolkit-2.6.1/debian/changelog	2016-08-20 09:51:41.0 -0400
@@ -1,3 +1,11 @@
+oath-toolkit (2.6.1-1.4) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * patch: fail gracefully for missing users (Closes: #807990)
+  * push to salsa
+
+ -- Antoine Beaupré   Sat, 20 Aug 2016 09:51:41 -0400
+
 oath-toolkit (2.6.1-1.3) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru oath-toolkit-2.6.1/debian/control oath-toolkit-2.6.1/debian/control
--- oath-toolkit-2.6.1/debian/control	2018-06-22 13:48:52.0 -0400
+++ oath-toolkit-2.6.1/debian/control	2016-08-20 09:51:41.0 -0400
@@ -6,8 +6,8 @@
 Build-Depends: cdbs, debhelper (>= 7.0.0), libpam0g-dev, datefudge, gtk-doc-tools, dblatex, libxml2-utils, libxmlsec1-dev, dh-autoreconf
 Standards-Version: 3.9.6
 Homepage: http://www.nongnu.org/oath-toolkit/
-Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/oath-toolkit.git
-Vcs-Git: git://anonscm.debian.org/collab-maint/oath-toolkit.git
+Vcs-Browser: https://salsa.debian.org/debian/oath-toolkit
+Vcs-Git: https://salsa.debian.org/debian/oath-toolkit.git
 
 Package: liboath-dev
 Section: libdevel
diff -Nru oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch
--- oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch	1969-12-31 19:00:00.0 -0500
+++ oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch	2016-08-20 09:51:41.0 -0400
@@ -0,0 +1,83 @@
+From 509c4cda7e08384d7cd16dfdb3917b4373f1e36e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= 
+Date: Mon, 1 Aug 2016 12:25:10 -0400
+Subject: [PATCH] fail gracefully for missing users
+
+when the pam module is enabled, it forces *all* users to immediately
+start using OATH, or they can't login at all.
+
+a more progressive approach would seem more reasonable to me,
+especially since each user need to get an admin user to update the
+central file for them.
+
+this patch adds an early check to the users file and makes sure the
+user exists before prompting for a password.
+
+if the user is missing, it exits early with a standard error code
+(PAM_USER_UNKNOWN) which can then be ignored in the PAM configuration
+(as shown in the README file). this leaves the policy decision up to
+the admin (and defaults to "fail closed").
+
+if the user is present, the code path remains the same except the
+usersfile is scanned twice, which may be a performance penalty on very
+slow filesystems or very large files. the only workaround I can think
+of for this would be to load the whole file into memory, but this
+could have significant memory impact on large files.
+
+the function used (`oath_authenticate_usersfile`) is a little overkill
+as it actually goes and tries to authenticate the user with an empty
+password. this is harmless because the file isn't updated if the OTP
+is incorrect and because no warning is sent to syslog.
+
+a possible improvement on this would be to have a warning shown to the
+user inciting them to configure OATH or to warn them about a possible
+typo in their username before they enter their regular passphrase
+---
+ pam_oath/README |  2 +-
+ pam_oath/pam_oath.c | 17 +
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/pam_oath/README b/pam_oath/README
+index bef4265..24b9f8b 100644
+--- a/pam_oath/README
 b/pam_oath/README
+@@ -23,7 +23,7 @@ window open before making any changes!
+ 
+ -
+ # head -1 /etc/pam.d/su
+-auth requisite pam_oath.so debug usersfile=/etc/users.oath window=20
++auth [user_unknown=ignore success=ok] pam_oath.so debug usersfile=/etc/users.oath window=20
+ #
+ -
+ 
+diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c
+index 2820318..25a3452 100644
+--- a/pam_oath/pam_oath.c
 b/pam_oath/pam_oath.c
+@@ -162,6 +162,23 @@ pam_sm_authenticate (pam_handle_t * pamh,
+ }
+   DBG (("get user returned: %s", user));
+ 
++  // quick check to skip unconfigured users before prompting for password
++  {
++time_t last_otp;
++otp[0] = '\0';
++rc = oath_authenticate_usersfile (cfg.usersfile,
++  user,
++  otp, cfg.window, onlypasswd, &last_otp);
++
++DBG (("authenticate first pass rc %d (%s: %s) last otp %s", rc,
++  oath_strerror_name (rc) ? oath_strerror_name (rc) : "UNKNOWN",
++  oath_strerror (rc), ctime (&last_otp)));
++if (rc == OATH_

Bug#807990: oath-toolkit: diff for NMU version 2.6.1-1.4

[anarcat]

Control: tags 807990 + pending

Dear maintainer,

I've prepared an NMU for oath-toolkit (versioned as 2.6.1-1.4) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.

Regards.
diff -Nru oath-toolkit-2.6.1/debian/changelog oath-toolkit-2.6.1/debian/changelog
--- oath-toolkit-2.6.1/debian/changelog	2019-02-09 10:39:41.0 -0500
+++ oath-toolkit-2.6.1/debian/changelog	2016-08-20 09:51:41.0 -0400
@@ -1,3 +1,11 @@
+oath-toolkit (2.6.1-1.4) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * patch: fail gracefully for missing users (Closes: #807990)
+  * push to salsa
+
+ -- Antoine Beaupré   Sat, 20 Aug 2016 09:51:41 -0400
+
 oath-toolkit (2.6.1-1.3) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru oath-toolkit-2.6.1/debian/control oath-toolkit-2.6.1/debian/control
--- oath-toolkit-2.6.1/debian/control	2018-06-22 13:48:52.0 -0400
+++ oath-toolkit-2.6.1/debian/control	2016-08-20 09:51:41.0 -0400
@@ -6,8 +6,8 @@
 Build-Depends: cdbs, debhelper (>= 7.0.0), libpam0g-dev, datefudge, gtk-doc-tools, dblatex, libxml2-utils, libxmlsec1-dev, dh-autoreconf
 Standards-Version: 3.9.6
 Homepage: http://www.nongnu.org/oath-toolkit/
-Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/oath-toolkit.git
-Vcs-Git: git://anonscm.debian.org/collab-maint/oath-toolkit.git
+Vcs-Browser: https://salsa.debian.org/debian/oath-toolkit
+Vcs-Git: https://salsa.debian.org/debian/oath-toolkit.git
 
 Package: liboath-dev
 Section: libdevel
diff -Nru oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch
--- oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch	1969-12-31 19:00:00.0 -0500
+++ oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch	2016-08-20 09:51:41.0 -0400
@@ -0,0 +1,83 @@
+From 509c4cda7e08384d7cd16dfdb3917b4373f1e36e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= 
+Date: Mon, 1 Aug 2016 12:25:10 -0400
+Subject: [PATCH] fail gracefully for missing users
+
+when the pam module is enabled, it forces *all* users to immediately
+start using OATH, or they can't login at all.
+
+a more progressive approach would seem more reasonable to me,
+especially since each user need to get an admin user to update the
+central file for them.
+
+this patch adds an early check to the users file and makes sure the
+user exists before prompting for a password.
+
+if the user is missing, it exits early with a standard error code
+(PAM_USER_UNKNOWN) which can then be ignored in the PAM configuration
+(as shown in the README file). this leaves the policy decision up to
+the admin (and defaults to "fail closed").
+
+if the user is present, the code path remains the same except the
+usersfile is scanned twice, which may be a performance penalty on very
+slow filesystems or very large files. the only workaround I can think
+of for this would be to load the whole file into memory, but this
+could have significant memory impact on large files.
+
+the function used (`oath_authenticate_usersfile`) is a little overkill
+as it actually goes and tries to authenticate the user with an empty
+password. this is harmless because the file isn't updated if the OTP
+is incorrect and because no warning is sent to syslog.
+
+a possible improvement on this would be to have a warning shown to the
+user inciting them to configure OATH or to warn them about a possible
+typo in their username before they enter their regular passphrase
+---
+ pam_oath/README |  2 +-
+ pam_oath/pam_oath.c | 17 +
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/pam_oath/README b/pam_oath/README
+index bef4265..24b9f8b 100644
+--- a/pam_oath/README
 b/pam_oath/README
+@@ -23,7 +23,7 @@ window open before making any changes!
+ 
+ -
+ # head -1 /etc/pam.d/su
+-auth requisite pam_oath.so debug usersfile=/etc/users.oath window=20
++auth [user_unknown=ignore success=ok] pam_oath.so debug usersfile=/etc/users.oath window=20
+ #
+ -
+ 
+diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c
+index 2820318..25a3452 100644
+--- a/pam_oath/pam_oath.c
 b/pam_oath/pam_oath.c
+@@ -162,6 +162,23 @@ pam_sm_authenticate (pam_handle_t * pamh,
+ }
+   DBG (("get user returned: %s", user));
+ 
++  // quick check to skip unconfigured users before prompting for password
++  {
++time_t last_otp;
++otp[0] = '\0';
++rc = oath_authenticate_usersfile (cfg.usersfile,
++  user,
++  otp, cfg.window, onlypasswd, &last_otp);
++
++DBG (("authenticate first pass rc %d (%s: %s) last otp %s", rc,
++  oath_strerror_name (rc) ? oath_strerror_name (rc) : "UNKNOWN",
++  oath_strerror (rc), ctime (&last_otp)));
++if (rc == OATH_UNKNOWN_USER)
++  {
++return PAM_USER_UNKN

Bug#930440: RFP: podman -- Library and tool for running OCI-based containers in Pods

[anarcat]

Control: tags -1 +pending

On Wed, Jun 12, 2019 at 08:26:22PM +0200, Varac wrote:
> * Package name: podman

I just want to mention that it seems podman has entered NEW:

https://ftp-master.debian.org/new/libpod_1.6.4+dfsg-1.html

The last dependency that was missing (#948113) is also waiting there:

https://ftp-master.debian.org/new/golang-github-checkpoint-restore-go-criu_3.11-1.html

This is great news! Can't wait to see this awesome project available in
Debian...

Congratulations to everyone on all their hard work. Let's hope this can
converge on a good, standard set of packages that will satisfy everyone
involved! I, for one, will look at replacing Docker with podman in the
near future on my infrastructure. :)

A.


signature.asc
Description: PGP signature

Bug#944986: ITP: emacs-wgrep -- edit multiple files simultaneously in Emacs using grep buffers--pattern editing

[anarcat]

On Sun, Nov 17, 2019 at 07:39:49PM -0500, Nicholas D Steeves wrote:
> Package: wnpp
> Severity: wishlist
> Owner: Nicholas D Steeves 
> Control: tag + moreinfo
> 
> Package name: emacs-wgrep
> Version : 2.3.0
> Upstream Author : Masahiro Hayashi 
> URL : https://github.com/mhayashi1120/Emacs-wgrep
> License : GPL-3+
> Programming Lang: Emacs LISP
> Description : edit multiple files simultaneously in Emacs using grep 
> buffers--pattern editing

I heard through the grapevine (#debian-til, specifically) that there's a
similar project for the silver searcher (ag):

https://github.com/syohex/emacs-helm-ag

a.
-- 
The individual has always had to struggle to keep from being overwhelmed
by the tribe. If you try it, you will be lonely often, and sometimes
frightened. But no price is too high to pay for the privilege of owning
yourself.- Friedrich Nietzsche

Bug#936043: ITP: gitbatch -- Manage git repositories in one place

[anarcat]

On Thu, Aug 29, 2019 at 01:28:57PM +0200, Dawid Dziurla wrote:
>  Managing multiple git repositories is easier than ever. Often one would end
>  up working on many directories and manually pulling updates etc. To make
>  this routine faster, gitbatch was created, a simple tool to handle this job.
>  Although the focus is batch jobs, one can still do de facto micro management 
> of
>  git repositories (e.g add/reset, stash, commit etc.)
> 
> Useful tool for managing multiple git repositiories at once.
> Does not need additional dependencies, only those already in archive.

Oh. My. God. This looks gorgeous. Do you need any help?

On Thu, Aug 29, 2019 at 03:23:23PM +, Dmitry Bogatov wrote:
> Sounds like `myrepos'. What `gitbatch' does that is not possible with
> `myrepos'?

On Thu, Aug 29, 2019 at 09:36:01AM -0700, Don Armstrong wrote:
> It would be interesting to know how gitbatch compares to myrepos, as
> they seem to be operating in the same or similar spaces.

On Fri, Aug 30, 2019 at 12:54:43AM +0100, Ben Hutchings wrote:
> We already have "mr", which can do this for git and several other
> version control systems.  Does gitbatch offer anything new?

Did you look at the website? Did you look at the demo?

Just look at it!

https://asciinema.org/a/lxoZT6Z8fSliIEebWSPVIY8ct

This thing looks AWESOME! Don't get me wrong: I've been using myrepos
for years now and I'm a fan. But gitbatch just blew my mind: it does all
that mr does, but interactively, and with a new TUI!

Can't wait to see that land.

A.

-- 
Ou bien Dieu voudrait supprimer le mal, mais il ne le peut pas
Ou bien Dieu pourrait supprimer le mal, mais il ne le veut pas.
- Sébastien Faure


signature.asc
Description: PGP signature

Bug#942114: ganeti-instance-debootstrap: diff for NMU version 0.16-6.1

[anarcat]

Control: tags 942114 + pending

Dear maintainer,

I've prepared an NMU for ganeti-instance-debootstrap (versioned as 0.16-6.1) and
uploaded it to DELAYED/02. Please feel free to tell me if I
should delay it longer.

Regards.
diff -Nru ganeti-instance-debootstrap-0.16/debian/changelog ganeti-instance-debootstrap-0.16/debian/changelog
--- ganeti-instance-debootstrap-0.16/debian/changelog	2018-06-20 06:57:18.0 -0400
+++ ganeti-instance-debootstrap-0.16/debian/changelog	2019-11-01 19:01:50.0 -0400
@@ -1,3 +1,10 @@
+ganeti-instance-debootstrap (0.16-6.1) unstable; urgency=medium
+
+  * Non-maintainer upload
+  * add patch to respect linux caps (Closes: #942114)
+
+ -- Antoine Beaupré   Fri, 01 Nov 2019 19:01:50 -0400
+
 ganeti-instance-debootstrap (0.16-6) unstable; urgency=medium
 
   * Bump Standards-Version to 4.1.4; no changes needed
diff -Nru ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch
--- ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch	1969-12-31 19:00:00.0 -0500
+++ ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch	2019-11-01 19:01:50.0 -0400
@@ -0,0 +1,48 @@
+From cd34bcc48a2af92f484535b81fba2d46dad1dbb6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= 
+Date: Thu, 10 Oct 2019 11:07:51 -0400
+Subject: [PATCH] respect Linux capabilities(7) in cache
+
+The default GNU tar configuration does not carry fancy extended
+attributes and that is where, among other things, stuff like Linux
+capabilities(7) are stored. This is kind of important because that's
+how ping(8) works for regular users.
+
+We shove --selinux and --acls in there while we're at it, because why
+not. We never know what the future might bring, and it seems
+silly *not* to create a complete archive.
+
+Note that --xattrs-include='*' is important because, by default, GNU
+tar will not include capabilities /even/ if --xattrs is specified on
+the commandline, see this bug report for details:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=771927
+---
+ create | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/create b/create
+index 607bab2..7526e71 100755
+--- a/create
 b/create
+@@ -83,7 +83,7 @@ if [ "$CLEAN_CACHE" -a -d "$CACHE_DIR" ]; then
+ fi
+ 
+ if [ -f "$CACHE_FILE" ]; then
+-  tar xf "$CACHE_FILE" -C $TMPDIR
++  tar --acls --selinux --xattrs --xattrs-include='*' -x -f "$CACHE_FILE" -C $TMPDIR
+ else
+   if [ "$PROXY" ]; then
+ export http_proxy="$PROXY"
+@@ -109,7 +109,7 @@ else
+ 
+   if [ "$GENERATE_CACHE" = "yes" ]; then
+ TMP_CACHE=`mktemp "${CACHE_FILE}.XX"`
+-tar cf "$TMP_CACHE" -C $TMPDIR .
++tar --acls --selinux --xattrs --xattrs-include='*' -c -f "$TMP_CACHE" -C $TMPDIR .
+ mv -f "$TMP_CACHE" "$CACHE_FILE"
+   fi
+ fi
+-- 
+2.20.1
+
diff -Nru ganeti-instance-debootstrap-0.16/debian/patches/series ganeti-instance-debootstrap-0.16/debian/patches/series
--- ganeti-instance-debootstrap-0.16/debian/patches/series	2018-06-20 06:57:18.0 -0400
+++ ganeti-instance-debootstrap-0.16/debian/patches/series	2019-11-01 19:01:50.0 -0400
@@ -1 +1,2 @@
+respect-Linux-capabilities-7-in-cache.patch
 fix-sfdisk-BLKRRPART.patch


signature.asc
Description: PGP signature

Bug#941638: docopt: diff for NMU version 0.6.2-2.1

[anarcat]

Control: tags 941638 + pending

Dear maintainer,

I've prepared an NMU for docopt (versioned as 0.6.2-2.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards.
diff -Nru docopt-0.6.2/debian/changelog docopt-0.6.2/debian/changelog
--- docopt-0.6.2/debian/changelog	2018-08-17 10:16:51.0 -0400
+++ docopt-0.6.2/debian/changelog	2019-10-11 00:57:20.0 -0400
@@ -1,3 +1,16 @@
+docopt (0.6.2-2.1) unstable; urgency=medium
+
+  [ Matthias Klose ]
+  * Don't run the Python2 autopkg tests. python-schema is gone.
+
+  [ Ondřej Nový ]
+  * d/copyright: Use https protocol in Format field
+
+  [ Antoine Beaupré ]
+  * Non-maintainer upload to ship Klose's patch (Closes: #941638)
+
+ -- Antoine Beaupré   Fri, 11 Oct 2019 00:57:20 -0400
+
 docopt (0.6.2-2) unstable; urgency=medium
 
   * [d/control] Remove obsolete X-Python-Version
diff -Nru docopt-0.6.2/debian/copyright docopt-0.6.2/debian/copyright
--- docopt-0.6.2/debian/copyright	2018-08-17 10:16:51.0 -0400
+++ docopt-0.6.2/debian/copyright	2019-10-11 00:57:20.0 -0400
@@ -1,4 +1,4 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: docopt
 Upstream-Contact: Vladimir Keleshev 
 Source: https://github.com/docopt/docopt
diff -Nru docopt-0.6.2/debian/gitlab-ci.yml docopt-0.6.2/debian/gitlab-ci.yml
--- docopt-0.6.2/debian/gitlab-ci.yml	2018-08-17 10:16:51.0 -0400
+++ docopt-0.6.2/debian/gitlab-ci.yml	2019-10-11 00:57:20.0 -0400
@@ -1,71 +1,16 @@
-# Warning! This file is autogenerated by salsa pipeline bot. Any change made
-# over this document will be lost. Customization and changes must be made over
-# the template yaml.
-variables:
-  DEBFULLNAME: "Salsa Pipeline"
-  DEBEMAIL: ""
-  DEBIAN_FRONTEND: noninteractive
-  WORKING_DIR: ./debian/output
+include: https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
 
-stages:
-  - build
-  - test
+build:
+extends: .build-unstable
 
-image: debian:unstable
+reprotest:
+extends: .test-reprotest
 
-build package:
-  stage: build
-  image: registry.salsa.debian.org/salsa-ci-team/images/gbp
-  artifacts:
-expire_in: 180 day
-name: "$CI_BUILD_NAME"
-paths:
-- ${WORKING_DIR}/
-  script:
-- apt-get update
-- eatmydata apt-get build-dep -y .
-- gbp pull --ignore-branch
-- gbp buildpackage --git-ignore-branch --git-export-dir=${WORKING_DIR} -us -uc
+lintian:
+extends: .test-lintian
 
-run autopkgtest:
-  stage: test
-  image: registry.salsa.debian.org/salsa-ci-team/images/autopkgtest
-  script:
-- eatmydata autopkgtest -U ${WORKING_DIR}/*.deb -- null
+autopkgtest:
+extends: .test-autopkgtest
 
-run lintian:
-  stage: test
-  image: registry.salsa.debian.org/salsa-ci-team/images/lintian
-  script:
-- lintian -iI ${WORKING_DIR}/*.changes
-
-run reprotest:
-  stage: test
-  image: registry.salsa.debian.org/salsa-ci-team/images/reprotest
-  artifacts:
-name: "$CI_BUILD_NAME"
-expire_in: 180 day
-paths:
-  - ./reprotest.log
-when: always
-  script:
-- apt-get update
-- eatmydata apt-get build-dep -y .
-- export DEB_BUILD_OPTIONS=nocheck
-- eatmydata reprotest . -- null &> reprotest.log
-
-run piuparts:
-  stage: test
-  image: registry.salsa.debian.org/salsa-ci-team/images/piuparts
-  services:
-- docker:dind
-  script:
-- CHROOT_PATH=/tmp/debian-unstable
-- CONTAINER_ID=$(docker run --rm -d debian:unstable sleep infinity)
-- docker exec ${CONTAINER_ID} bash -c "apt-get update && apt-get install eatmydata -y"
-- mkdir -p ${CHROOT_PATH}
-- docker export ${CONTAINER_ID} | tar -C ${CHROOT_PATH} -xf -
-- mknod -m 666 ${CHROOT_PATH}/dev/urandom c 1 9
-- piuparts --hard-link -e ${CHROOT_PATH} ${WORKING_DIR}/*.deb
-# End of include
- Below starts the local customization ###
+piuparts:
+extends: .test-piuparts
diff -Nru docopt-0.6.2/debian/gitlab-ci.yml.tpl docopt-0.6.2/debian/gitlab-ci.yml.tpl
--- docopt-0.6.2/debian/gitlab-ci.yml.tpl	2018-08-17 10:16:51.0 -0400
+++ docopt-0.6.2/debian/gitlab-ci.yml.tpl	1969-12-31 19:00:00.0 -0500
@@ -1,3 +0,0 @@
-include: https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
-
-# end of salsa pipeline bot parser
diff -Nru docopt-0.6.2/debian/tests/control docopt-0.6.2/debian/tests/control
--- docopt-0.6.2/debian/tests/control	2018-08-17 10:16:51.0 -0400
+++ docopt-0.6.2/debian/tests/control	2019-10-11 00:57:20.0 -0400
@@ -2,5 +2,3 @@
 Depends: @,
  python3-pytest,
  python3-schema,
- python-pytest,
- python-schema,
diff -Nru docopt-0.6.2/debian/tests/run_examples docopt-0.6.2/debian/tests/run_examples
--- docopt-0.6.2/debian/tests/run_examples	2018-08-17 10:16:51.0 -0400
+++ docopt-0.6.2/debian/tests/run_examples	2019-10-11 00:57:20.

Bug#930080: solarized-emacs: diff for NMU version 1.3.0-0.1~exp0

[anarcat]

Package: solarized-emacs
Version: 1.2.2-4
Severity: normal
Tags: patch  pending

Dear maintainer,

I've prepared an NMU for solarized-emacs (versioned as 1.3.0-0.1~exp0) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.

Regards.


-- 
diff -Nru solarized-emacs-1.2.2/child-theme-example/themes/my-solarized-dark-theme.el solarized-emacs-1.3.0/child-theme-example/themes/my-solarized-dark-theme.el
--- solarized-emacs-1.2.2/child-theme-example/themes/my-solarized-dark-theme.el	2015-07-06 13:28:07.0 -0400
+++ solarized-emacs-1.3.0/child-theme-example/themes/my-solarized-dark-theme.el	2019-06-06 11:20:58.0 -0400
@@ -3,7 +3,7 @@
 
 ;; This files needs to be places iside the custom-theme-load-path list
 
-(deftheme my-solarized-dark "The light variant of the Solarized colour theme")
+(deftheme my-solarized-dark "The dark variant of the Solarized colour theme")
 (create-solarized-theme 'dark 'my-solarized-dark 'my-solarized-theme)
 
 (provide-theme 'my-solarized-dark)
diff -Nru solarized-emacs-1.2.2/debian/changelog solarized-emacs-1.3.0/debian/changelog
--- solarized-emacs-1.2.2/debian/changelog	2019-02-02 04:46:04.0 -0500
+++ solarized-emacs-1.3.0/debian/changelog	2019-06-06 11:21:07.0 -0400
@@ -1,3 +1,10 @@
+solarized-emacs (1.3.0-0.1~exp0) experimental; urgency=medium
+
+  * Non-maintainer upload.
+  * New upstream release.
+
+ -- Antoine Beaupré   Thu, 06 Jun 2019 11:21:07 -0400
+
 solarized-emacs (1.2.2-4) unstable; urgency=medium
 
   * Migrate to dh 12
diff -Nru solarized-emacs-1.2.2/debian/patches/0001-remove-badges.diff solarized-emacs-1.3.0/debian/patches/0001-remove-badges.diff
--- solarized-emacs-1.2.2/debian/patches/0001-remove-badges.diff	2019-02-02 04:46:04.0 -0500
+++ solarized-emacs-1.3.0/debian/patches/0001-remove-badges.diff	2019-06-06 11:21:07.0 -0400
@@ -4,14 +4,16 @@
 This patch removes badges icons from README files. These icons are intended
 rather for developers and are loaded from several external web sites.
 
 a/README.md
-+++ b/README.md
+Index: b/README.md
+===
+--- a/README.md	2019-06-06 11:22:15.534788629 -0400
 b/README.md	2019-06-06 11:22:29.978725995 -0400
 @@ -1,8 +1,3 @@
 -[![License GPL 3][badge-license]](http://www.gnu.org/licenses/gpl-3.0.txt)
 -[![MELPA](http://melpa.org/packages/solarized-theme-badge.svg)](http://melpa.org/#/solarized-theme)
 -[![MELPA Stable](http://stable.melpa.org/packages/solarized-theme-badge.svg)](http://stable.melpa.org/#/solarized-theme)
 -[![Join the chat at https://gitter.im/bbatsov/solarized-emacs](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/bbatsov/solarized-emacs?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 -
- ## Solarized for Emacs
+ # Solarized for Emacs
  
  Solarized for Emacs is an Emacs port of the [Solarized theme for vim](http://ethanschoonover.com/solarized),
diff -Nru solarized-emacs-1.2.2/debian/patches/0002-remove-dependency-on-dash-elpa-package.diff solarized-emacs-1.3.0/debian/patches/0002-remove-dependency-on-dash-elpa-package.diff
--- solarized-emacs-1.2.2/debian/patches/0002-remove-dependency-on-dash-elpa-package.diff	2019-02-02 04:46:04.0 -0500
+++ solarized-emacs-1.3.0/debian/patches/0002-remove-dependency-on-dash-elpa-package.diff	1969-12-31 19:00:00.0 -0500
@@ -1,14 +0,0 @@
-From: Lev Lamberov 
-Subject: Remove dependency on dash.el
-
-This patch removes dependency on dash.el, since that package is not yet known
-to elpa.
-
 a/solarized-theme-pkg.el
-+++ b/solarized-theme-pkg.el
-@@ -2,4 +2,4 @@
-   "solarized-theme"
-   "1.2.2"
-   "The Solarized color theme, ported to Emacs."
--  '((dash "2.6.0")))
-+  '())
diff -Nru solarized-emacs-1.2.2/debian/patches/series solarized-emacs-1.3.0/debian/patches/series
--- solarized-emacs-1.2.2/debian/patches/series	2019-02-02 04:46:04.0 -0500
+++ solarized-emacs-1.3.0/debian/patches/series	2019-06-06 11:21:07.0 -0400
@@ -1,2 +1 @@
 0001-remove-badges.diff
-0002-remove-dependency-on-dash-elpa-package.diff
diff -Nru solarized-emacs-1.2.2/.gitignore solarized-emacs-1.3.0/.gitignore
--- solarized-emacs-1.2.2/.gitignore	1969-12-31 19:00:00.0 -0500
+++ solarized-emacs-1.3.0/.gitignore	2019-06-06 11:20:58.0 -0400
@@ -0,0 +1 @@
+*.elc
diff -Nru solarized-emacs-1.2.2/README.md solarized-emacs-1.3.0/README.md
--- solarized-emacs-1.2.2/README.md	2015-07-06 13:28:07.0 -0400
+++ solarized-emacs-1.3.0/README.md	2019-06-06 11:20:58.0 -0400
@@ -3,11 +3,13 @@
 [![MELPA Stable](http://stable.melpa.org/packages/solarized-theme-badge.svg)](http://stable.melpa.org/#/solarized-theme)
 [![Join the chat at https://gitter.im/bbatsov/solarized-emacs](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/bbatsov/solarized-emacs?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 
-## Solarized for Emacs
+# Solari

Bug#887750: pam-python: diff for NMU version 1.0.6-1.1

[anarcat]

Dear maintainer,

I've prepared an NMU for pam-python (versioned as 1.0.6-1.1) and
uploaded it to DELAYED/0. Please feel free to tell me if I
should delay it longer.

Regards.

-- 
diff -Nru pam-python-1.0.6/debian/changelog pam-python-1.0.6/debian/changelog
--- pam-python-1.0.6/debian/changelog	2016-08-27 07:37:03.0 -0400
+++ pam-python-1.0.6/debian/changelog	2019-01-19 15:14:26.0 -0500
@@ -1,3 +1,11 @@
+pam-python (1.0.6-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix build with glibc 2.26, thanks to Adrian Bunk (Closes: #887750).
+  * Fix build with GCC 8
+
+ -- Antoine Beaupré   Sat, 19 Jan 2019 15:14:26 -0500
+
 pam-python (1.0.6-1) unstable; urgency=low
 
   * New upstream.
diff -Nru pam-python-1.0.6/debian/patches/fix-function-types.patch pam-python-1.0.6/debian/patches/fix-function-types.patch
--- pam-python-1.0.6/debian/patches/fix-function-types.patch	1969-12-31 19:00:00.0 -0500
+++ pam-python-1.0.6/debian/patches/fix-function-types.patch	2019-01-19 15:14:26.0 -0500
@@ -0,0 +1,96 @@
+From 12869142411f7a85d438971792cd75095f140f28 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= 
+Date: Sat, 19 Jan 2019 16:00:52 -0500
+Subject: [PATCH] fix build with -Wcast-function-type -Werror on gcc8
+
+New versions of gcc8 will fail to build from source on Python
+declarations because of the hairy cast we're doing there, example:
+
+pam_python.c:1355:19: error: cast between incompatible function types from 'PyObject * (*)(PyObject *, PyObject *, PyObject *)' {aka 'struct _object * (*)(struct _object *, struct _object *, struct _object *)'} to 'PyObject * (*)(PyObject *, PyObject *)' {aka 'struct _object * (*)(struct _object *, struct _object *)'} [-Werror=cast-function-type]
+
+This fix comes form the upstream cpython implementation:
+
+https://github.com/python/cpython/commit/62be74290aca26d16f3f55ece7ff6dad14e60e8d#diff-c3cf251f16d5a03a9e7d4639f2d6f998
+---
+ src/pam_python.c | 30 +++---
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/src/pam_python.c b/src/pam_python.c
+index e01ee68..654f0aa 100644
+--- a/src/pam_python.c
 b/src/pam_python.c
+@@ -317,7 +317,7 @@ static PyMethodDef SyslogFile_Methods[] =
+ {
+   {
+ "write",
+-(PyCFunction)SyslogFile_write,
++(PyCFunction)(void(*)(void))SyslogFile_write,
+ METH_VARARGS|METH_KEYWORDS,
+ 0
+   },
+@@ -1349,16 +1349,16 @@ static PyObject* PamEnv_values(
+ 
+ static PyMethodDef PamEnv_Methods[] =
+ {
+-  {"__contains__",  (PyCFunction)PamEnv_has_key,METH_VARARGS|METH_KEYWORDS, 0},
+-  {"__getitem__",   (PyCFunction)PamEnv_getitem,METH_VARARGS|METH_KEYWORDS, 0},
+-  {"get",	(PyCFunction)PamEnv_get,	METH_VARARGS|METH_KEYWORDS, 0},
+-  {"has_key",	(PyCFunction)PamEnv_has_key,METH_VARARGS|METH_KEYWORDS, 0},
+-  {"items",	(PyCFunction)PamEnv_items,	METH_VARARGS|METH_KEYWORDS, 0},
+-  {"iteritems",	(PyCFunction)PamEnv_iteritems,METH_VARARGS|METH_KEYWORDS, 0},
+-  {"iterkeys",	(PyCFunction)PamEnv_iterkeys,METH_VARARGS|METH_KEYWORDS, 0},
+-  {"itervalues",(PyCFunction)PamEnv_itervalues,METH_VARARGS|METH_KEYWORDS, 0},
+-  {"keys",	(PyCFunction)PamEnv_keys,	METH_VARARGS|METH_KEYWORDS, 0},
+-  {"values",	(PyCFunction)PamEnv_values,	METH_VARARGS|METH_KEYWORDS, 0},
++  {"__contains__",  (PyCFunction)(void(*)(void))PamEnv_has_key,METH_VARARGS|METH_KEYWORDS, 0},
++  {"__getitem__",   (PyCFunction)(void(*)(void))PamEnv_getitem,METH_VARARGS|METH_KEYWORDS, 0},
++  {"get",	(PyCFunction)(void(*)(void))PamEnv_get,	METH_VARARGS|METH_KEYWORDS, 0},
++  {"has_key",	(PyCFunction)(void(*)(void))PamEnv_has_key,METH_VARARGS|METH_KEYWORDS, 0},
++  {"items",	(PyCFunction)(void(*)(void))PamEnv_items,	METH_VARARGS|METH_KEYWORDS, 0},
++  {"iteritems",	(PyCFunction)(void(*)(void))PamEnv_iteritems,METH_VARARGS|METH_KEYWORDS, 0},
++  {"iterkeys",	(PyCFunction)(void(*)(void))PamEnv_iterkeys,METH_VARARGS|METH_KEYWORDS, 0},
++  {"itervalues",(PyCFunction)(void(*)(void))PamEnv_itervalues,METH_VARARGS|METH_KEYWORDS, 0},
++  {"keys",	(PyCFunction)(void(*)(void))PamEnv_keys,	METH_VARARGS|METH_KEYWORDS, 0},
++  {"values",	(PyCFunction)(void(*)(void))PamEnv_values,	METH_VARARGS|METH_KEYWORDS, 0},
+   {0,0,0,0}	/* Sentinel */
+ };
+ 
+@@ -2029,7 +2029,7 @@ static PyMethodDef PamHandle_Methods[] =
+ {
+   {
+ "conversation",
+-(PyCFunction)PamHandle_conversation,
++(PyCFunction)(void(*)(void))PamHandle_conversation,
+ METH_VARARGS|METH_KEYWORDS,
+ MODULE_NAME "." PAMHANDLE_NAME "." "conversation(prompts)\n"
+ "  Ask the application to issue the prompts to the user and return the\n"
+@@ -2039,7 +2039,7 @@ static PyMethodDef PamHandle_Methods[] =
+   },
+   {
+ "fail_delay",
+-(PyCFunction)PamHandle_fail_delay,
++(PyCFunction)(void(*)(void))PamHandle_fail_delay,
+ METH_VARARGS|METH_KEYWORDS,
+ MODULE_NAME "." PAMHANDLE_NAME "." "fail_delay(micro_sec)\n"
+  

Bug#917492: fam: diff for NMU version 2.7.0-17.3

[anarcat]

Control: tags 917492 + pending

Dear maintainer,

I've prepared an NMU for fam (versioned as 2.7.0-17.3) and
uploaded it to DELAYED/0. Please feel free to tell me if I
should delay it longer.

Regards.

-- 
diff -u fam-2.7.0/debian/changelog fam-2.7.0/debian/changelog
--- fam-2.7.0/debian/changelog
+++ fam-2.7.0/debian/changelog
@@ -1,3 +1,11 @@
+fam (2.7.0-17.3) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix build failure with recent glibc ('minor' was not declared in this
+scope), thanks to Logan Rosen (Closes: #917492).
+
+ -- Antoine Beaupré   Sat, 19 Jan 2019 13:58:08 -0500
+
 fam (2.7.0-17.2) unstable; urgency=medium
 
   * Non-maintainer upload.
only in patch2:
unchanged:
--- fam-2.7.0.orig/.pc/.quilt_patches
+++ fam-2.7.0/.pc/.quilt_patches
@@ -0,0 +1 @@
+debian/patches
only in patch2:
unchanged:
--- fam-2.7.0.orig/.pc/.quilt_series
+++ fam-2.7.0/.pc/.quilt_series
@@ -0,0 +1 @@
+series
only in patch2:
unchanged:
--- fam-2.7.0.orig/.pc/.version
+++ fam-2.7.0/.pc/.version
@@ -0,0 +1 @@
+2
only in patch2:
unchanged:
--- fam-2.7.0.orig/debian/patches/19_glibc_2.28.patch
+++ fam-2.7.0/debian/patches/19_glibc_2.28.patch
@@ -0,0 +1,17 @@
+## Description: Fix FTBFS against glibc 2.28
+## Origin/Author: Logan Rosen 
+## Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917492
+diff -Nur -x '*.orig' -x '*~' fam-2.7.0/build-tree/fam-2.7.0/src/DNotify.c++ fam-2.7.0.new/build-tree/fam-2.7.0/src/DNotify.c++
+--- fam-2.7.0/src/DNotify.c++	2019-01-08 23:35:20.513574095 -0500
 fam-2.7.0/src/DNotify.c++	2019-01-08 23:36:37.568605429 -0500
+@@ -36,6 +36,10 @@
+ #include 
+ #include 
+ 
++#ifdef __GNU_LIBRARY__
++#include 
++#endif
++
+ #include "DNotify.h"
+ 
+ #include "Interest.h"


signature.asc
Description: PGP signature

Bug#919217: Acknowledgement (Missing dependency on devscripts)

[anarcat]

tags 919217 +pendingo
user debian-rele...@lists.debian.org
usertag 919217 + bsp-2019-01-ca-montreal   
thanks

On Mon, Jan 14, 2019 at 09:27:08PM +0100, Jeroen Dekkers wrote:
> Control: tag -1 +patch
> 
> https://salsa.debian.org/jelmer/lintian-brush/merge_requests/1

That MR was accepted and jelmer will upload the package this weekend.

A.

Bug#903698: sphinxbase: build appears broken for multiple python3 versions

[anarcat]

user debian-rele...@lists.debian.org
usertag nn + bsp-2019-01-ca-montreal   
tags -1 -patch +moreinfo
thank you

On Thu, Jan 03, 2019 at 10:16:13AM +0100, Samuel Thibault wrote:
> Oops, this bug was erroneously closed because its mention was remaining
> in the sphinxbase changelog.

So after reviewing this bug during the montreal BSP, I'm a little
confused - it shows up in the "sponsor" UDD dashboard because it's
marked as affecting buster and sid but with a patch.

Yet, I don't see a recent patch that will fix the issue in dh-python.
I'm not even sure there *is* an issue in dh-python at all anymore...

Could someone summarize the current state of this bug report?

Thanks!

-- 
Be yourself. Everyone else is already taken!
- Oscar Wilde


signature.asc
Description: PGP signature

Bug#915307: magic-wormhole FTBFS with Python 3.7

[anarcat]

Control: fixed 915307 0.11.2-1

I believe the latest upstream release fixes that, or at least it
compiles here in a sid schroot with py 3.7.

I meant to fix this in the changelog but forgot about it before doing
the upload... :/

Thanks for the heads up though!


signature.asc
Description: PGP signature

Bug#880220: Fixed in upload

[anarcat]

Control: found 880220 2017.11.24~bpo9+1

I have version 2017.11.24~bpo9+1 installed here, and the global trust
anchor is still installed.

# dpkg -L leap-archive-keyring | grep trusted.gpg.d/
/etc/apt/trusted.gpg.d/leap-archive.gpg
/etc/apt/trusted.gpg.d/leap-experimental-archive.gpg

So this bug has not correctly been fixed, or a regression was
introduced.

A.

On Wed, Nov 08, 2017 at 09:16:20AM -0500, micah anderson wrote:
> Version: 2007.11.08
> thanks
> 
> This issue was resolved in the most recent upload,
> micah

-- 
Either you're with us or you're with the terrorist state.


signature.asc
Description: PGP signature

Bug#807866: RFP: github-hub -- hub helps you win at git

[anarcat]

Control: unblock 807866 by 819936

On Mon, Aug 22, 2016 at 11:13:05AM +1200, Olly Betts wrote:
> So it looks like it's just github.com/octokit/go-octokit/octokit that is
> needed now (ITP is https://bugs.debian.org/819936 so marking that bug as
> blocking this, and Cc-ing the owner of that ITP so they're aware).

And that dependency was now removed. So what's blocking packaging now?

It would be pretty awesome to have this in Debian! I use this every
day...

a.


signature.asc
Description: PGP signature

Bug#889281: dokuwiki: CVE-2017-18123: reflected file download vulnerability

[anarcat]

Hi,

I have tested an update of the jessie package and things seem to work
fine after merging the patch from upstream during a smoketest of a clean
jessie VM.

Attached is the debdiff to complete the update.

A.
diff -Nru dokuwiki-0.0.20140505.a+dfsg/debian/changelog 
dokuwiki-0.0.20140505.a+dfsg/debian/changelog
--- dokuwiki-0.0.20140505.a+dfsg/debian/changelog   2015-03-22 
13:50:07.0 -0400
+++ dokuwiki-0.0.20140505.a+dfsg/debian/changelog   2018-06-07 
15:25:55.0 -0400
@@ -1,3 +1,11 @@
+dokuwiki (0.0.20140505.a+dfsg-4+deb8u1) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * CVE-2017-18123: fix remote code execution through reflected file
+download
+
+ -- Antoine Beaupré   Thu, 07 Jun 2018 15:25:55 -0400
+
 dokuwiki (0.0.20140505.a+dfsg-4) testing-proposed-updates; urgency=high
 
   * debian/patches: security fix, from upstream hotfix release
diff -Nru 
dokuwiki-0.0.20140505.a+dfsg/debian/patches/CVE-2017-18123-2f65d86.patch 
dokuwiki-0.0.20140505.a+dfsg/debian/patches/CVE-2017-18123-2f65d86.patch
--- dokuwiki-0.0.20140505.a+dfsg/debian/patches/CVE-2017-18123-2f65d86.patch
1969-12-31 19:00:00.0 -0500
+++ dokuwiki-0.0.20140505.a+dfsg/debian/patches/CVE-2017-18123-2f65d86.patch
2018-06-07 15:25:35.0 -0400
@@ -0,0 +1,25 @@
+From 238b8e878ad48f370903465192b57c2072f65d86 Mon Sep 17 00:00:00 2001
+From: Andreas Gohr 
+Date: Tue, 27 Jun 2017 15:04:23 +0200
+Subject: [PATCH] filter special chars from ajax call parameter. fixes #2019
+
+---
+ lib/exe/ajax.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/exe/ajax.php b/lib/exe/ajax.php
+index b3e9a618f5..9f9db5391a 100644
+--- a/lib/exe/ajax.php
 b/lib/exe/ajax.php
+@@ -15,9 +15,9 @@
+ 
+ //call the requested function
+ if($INPUT->post->has('call')){
+-$call = $INPUT->post->str('call');
++$call = $INPUT->post->filter('utf8_stripspecials')->str('call');
+ }else if($INPUT->get->has('call')){
+-$call = $INPUT->get->str('call');
++$call = $INPUT->get->filter('utf8_stripspecials')->str('call');
+ }else{
+ exit;
+ }
diff -Nru dokuwiki-0.0.20140505.a+dfsg/debian/patches/series 
dokuwiki-0.0.20140505.a+dfsg/debian/patches/series
--- dokuwiki-0.0.20140505.a+dfsg/debian/patches/series  2015-03-22 
13:48:40.0 -0400
+++ dokuwiki-0.0.20140505.a+dfsg/debian/patches/series  2018-06-07 
15:25:35.0 -0400
@@ -5,3 +5,4 @@
 soften_email_validator.diff
 use_packaged_jquery.diff
 cve-2015-2172_check_permissions_in_rpc.patch
+CVE-2017-18123-2f65d86.patch


signature.asc
Description: PGP signature

Bug#885699: smokeping: symbolic link to smokeping.cgi missing

[anarcat]

Control: tags -1 +pending
Control: severity -1 normal

On Fri, Dec 29, 2017 at 10:48:43AM +0100, Sigbjorn Kjetland wrote:
> Dear Maintainer,
> 
>* What led up to the situation?
> I am installing smokeping on a new server to replace old smokeping server
>  I have configured and restarted smokeping like in previous server
>  but web GUI did not work. Error was 403 forbidden.
>  fcgi not working and I have limited knowledge so i didn't go that route.
>* What exactly did you do (or not do) that was effective (or
>  ineffective)?
> I added these 3 lines to apache config file:
> /etc/apache2/conf-enabled/smokeping.conf
> Options Indexes FollowSymLinks ExecCGI
> AddHandler cgi-script .cgi
> DirectoryIndex index.html smokeping.cgi
> 
> There was no working fcgi file and no cgi file so I linked the cgi as
> below
> 
> ln -s /usr/lib/cgi-bin/smokeping.cgi
> /usr/share/smokeping/www/smokeping.cgi

Hi!

Sorry for the delays.

This problem actually happens in earlier releases as well - it is
expected you visit /smokeping/smokeping.cgi and not /smokeping/...
Furthermore, this hardly is a release-critical bug, in my opinion, so I
will downgrade this to normal.

Still, it seems reasonable to have a DirectoryIndex. In our tests here
(Debian stretch), it seems that just adding that line was sufficient to
resolve the issue completely. This will be resolved in the next upload.

Thanks for the bug report!

A.


signature.asc
Description: PGP signature

Bug#705369: gnutls support broken in charybdis

[anarcat]

GnuTLS support is still broken in charybdis. On irc.indymedia.org, we
couldn't link servers with gnutls - we'd get all sorts of errors like
"Read error: Error in the pull function". Our experience was documented
here:

https://we.riseup.net/ircd/outage-20170202

So I reopened this issue and marked unstable as affected.

An upcoming upload should fix the issue by switching to the mbedtls
backend, which behaved better (so far) in our tests. There's code in the
debian/rules file to switch backends, as documented in
debian/README.source.

A.

Bug#860287: libosip2: CVE-2016-10324 CVE-2016-10325 CVE-2016-10326 CVE-2017-7853

[anarcat]

Control: fixed -1 4.1.0-2.1
Control: tags -1 +pending

I have made a NMU (diff in #860345) to fix this in sid/stretch, the
patches apply fairly cleanly, and since it's the same version in jessie,
it should be trivial to backport there...

I forgot to mention the bug # in the NMU, unfortunately...

A.

Bug#860345: libosip2: diff for NMU version 4.1.0-2.1

[anarcat]

Package: libosip2
Version: 4.1.0-2
Severity: normal
Tags: patch pending

Dear maintainer,

I've prepared an NMU for libosip2 (versioned as 4.1.0-2.1) and
uploaded it to DELAYED/3. Please feel free to tell me if I
should delay it longer.

Regards.

-- 
diff -Nru libosip2-4.1.0/debian/changelog libosip2-4.1.0/debian/changelog
--- libosip2-4.1.0/debian/changelog	2014-06-25 07:55:15.0 -0400
+++ libosip2-4.1.0/debian/changelog	2017-04-14 16:23:31.0 -0400
@@ -1,3 +1,23 @@
+libosip2 (4.1.0-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2016-10324: In libosip2 in GNU oSIP 4.1.0, a malformed SIP message
+can lead to a heap buffer overflow in the osip_clrncpy() function
+defined in osipparser2/osip_port.c.
+  * CVE-2016-10325: In libosip2 in GNU oSIP 4.1.0, a malformed SIP message
+can lead to a heap buffer overflow in the _osip_message_to_str()
+function defined in osipparser2/osip_message_to_str.c, resulting in a
+remote DoS.
+  * CVE-2016-10326: In libosip2 in GNU oSIP 4.1.0, a malformed SIP message
+can lead to a heap buffer overflow in the osip_body_to_str() function
+defined in osipparser2/osip_body.c, resulting in a remote DoS.
+  * CVE-2017-7853: In libosip2 in GNU oSIP 5.0.0, a malformed SIP message
+can lead to a heap buffer overflow in the msg_osip_body_parse()
+function defined in osipparser2/osip_message_parse.c, resulting in a
+remote DoS.
+
+ -- Antoine Beaupré   Fri, 14 Apr 2017 16:21:21 -0400
+
 libosip2 (4.1.0-2) unstable; urgency=low
 
   * Upload to unstable - coordinated through debian-release
diff -Nru libosip2-4.1.0/debian/patches/CVE-2016-10324.patch libosip2-4.1.0/debian/patches/CVE-2016-10324.patch
--- libosip2-4.1.0/debian/patches/CVE-2016-10324.patch	1969-12-31 19:00:00.0 -0500
+++ libosip2-4.1.0/debian/patches/CVE-2016-10324.patch	2017-04-14 16:26:51.0 -0400
@@ -0,0 +1,24 @@
+From 7e0793e15e21f68337e130c67b031ca38edf055f Mon Sep 17 00:00:00 2001
+From: Aymeric Moizard 
+Date: Mon, 5 Sep 2016 15:01:53 +0200
+Subject:  * fix bug report: sr #109133: Heap buffer overflow in utility
+ function *osip_clrncpy*https://savannah.gnu.org/support/?109133
+
+---
+ src/osipparser2/osip_port.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/src/osipparser2/osip_port.c
 b/src/osipparser2/osip_port.c
+@@ -1462,8 +1462,10 @@ osip_clrncpy (char *dst, const char *src
+   char *p;
+   size_t spaceless_length;
+ 
+-  if (src == NULL)
++  if (src == NULL || len == 0) {
++*dst = '\0';
+ return NULL;
++  }
+ 
+   /* find the start of relevant text */
+   pbeg = src;
diff -Nru libosip2-4.1.0/debian/patches/CVE-2016-10325.patch libosip2-4.1.0/debian/patches/CVE-2016-10325.patch
--- libosip2-4.1.0/debian/patches/CVE-2016-10325.patch	1969-12-31 19:00:00.0 -0500
+++ libosip2-4.1.0/debian/patches/CVE-2016-10325.patch	2017-04-14 16:26:54.0 -0400
@@ -0,0 +1,26 @@
+From 1d9fb1d3a71cc85ef95352e549b140c706cf8696 Mon Sep 17 00:00:00 2001
+From: Aymeric Moizard 
+Date: Sat, 3 Sep 2016 15:29:34 +0200
+Subject:   * fix bug report: sr #109131: Heap buffer overflow in
+ `_osip_message_to_str` https://savannah.gnu.org/support/?109131
+
+---
+ src/osipparser2/osip_message_to_str.c | 7 +++
+ 1 file changed, 7 insertions(+)
+
+--- a/src/osipparser2/osip_message_to_str.c
 b/src/osipparser2/osip_message_to_str.c
+@@ -378,6 +378,13 @@ _osip_message_to_str (osip_message_t * s
+ /* A start-line isn't required for message/sipfrag parts. */
+   }
+   else {
++size_t message_len = strlen(tmp);
++if (_osip_message_realloc (&message, dest, message_len + 3, &malloc_size) < 0) {
++  osip_free (tmp);
++  *dest = NULL;
++  return OSIP_NOMEM;
++}
++
+ message = osip_str_append (message, tmp);
+ osip_free (tmp);
+ message = osip_strn_append (message, CRLF, 2);
diff -Nru libosip2-4.1.0/debian/patches/CVE-2016-10326.patch libosip2-4.1.0/debian/patches/CVE-2016-10326.patch
--- libosip2-4.1.0/debian/patches/CVE-2016-10326.patch	1969-12-31 19:00:00.0 -0500
+++ libosip2-4.1.0/debian/patches/CVE-2016-10326.patch	2017-04-14 16:26:56.0 -0400
@@ -0,0 +1,27 @@
+From b9dd097b5b24f5ee54b0a8739e59641cd51b6ead Mon Sep 17 00:00:00 2001
+From: Aymeric Moizard 
+Date: Sat, 3 Sep 2016 15:58:06 +0200
+Subject:  * fix bug report: sr #109132: Heap buffer overflow in
+ *osip_body_to_str*https://savannah.gnu.org/support/index.php?109132
+
+---
+ src/osipparser2/osip_body.c | 8 
+ 1 file changed, 8 insertions(+)
+
+--- a/src/osipparser2/osip_body.c
 b/src/osipparser2/osip_body.c
+@@ -417,6 +417,14 @@ osip_body_to_str (const osip_body_t * bo
+   }
+ 
+   if ((osip_list_size (body->headers) > 0) || (body->content_type != NULL)) {
++if (length < tmp_body - ptr + 3) {
++  size_t len;
++
++  len = tmp_body - ptr;
++  length = length + 3 + body->length; /* add body->length, to avoid calling realloc often */
++  ptr = osip_realloc (ptr

Bug#857992: openjdk-8-jre-headless: please add Breaks: tzdata-java

[anarcat]

user debian-rele...@lists.debian.org
usertags 857992 bsp-2017-04-ca-montreal
thanks

On Mon, Apr 10, 2017 at 12:28:07PM +0200, Andreas Beckmann wrote:
> Control: severity -1 serious
> 
> On 2017-03-17 00:33, Andreas Beckmann wrote:
> > I haven't rebuilt openjdk-8 to test whether this actually works (and
> > don't have the tiem to so now).
> 
> I just rebuilt openjdk-8 with that Breaks added and it fixed this
> previously failing upgrade path.

I have tried to do a NMU for this and failed to build OpenJDK through
pdebuild:

 -> Creating pbuilder-satisfydepends-dummy package
Package: pbuilder-satisfydepends-dummy
Version: 0.invalid.0
Architecture: amd64
Maintainer: Debian Pbuilder Team 
Description: Dummy package to satisfy dependencies with aptitude - created by 
pbuilder
 This package was created automatically by pbuilder to satisfy the
 build-dependencies of the package being currently built.
Depends: debhelper (>= 9), quilt, m4, lsb-release, zip, unzip, sharutils, gawk, 
cpio, pkg-config, procps, wdiff, fastjar (>= 2:0.96-0ubuntu2), autoconf (>= 
2.69), automake, autotools-dev, ant, ant-optional, g++-6, openjdk-8-jdk | 
openjdk-7-jdk, libxtst-dev, libxi-dev, libxt-dev, libxaw7-dev, libxrender-dev, 
libcups2-dev, libasound2-dev, liblcms2-dev, libfreetype6-dev (>= 2.2.1), 
libgtk2.0-dev, libxinerama-dev, libkrb5-dev, xsltproc, libpcsclite-dev, 
libffi-dev, zlib1g-dev, libattr1-dev, libpng-dev, libjpeg-dev, libgif-dev, 
libpulse-dev (>= 0.9.12), systemtap-sdt-dev, libnss3-dev (>= 2:3.17.1), tzdata, 
mauve, jtreg, xvfb, xauth, xfonts-base, libgl1-mesa-dri, twm | metacity, twm | 
dbus-x11, x11-xkb-utils, time, openjdk-8-jdk-headless , dpkg-dev (>= 
1.17.14)
dpkg-deb: error: parsing file 
'/tmp/satisfydepends-aptitude/pbuilder-satisfydepends-dummy/DEBIAN/control' 
near line 8 package 'pbuilder-satisfydepends-dummy':
 'Depends' field, syntax error after reference to package 
'openjdk-8-jdk-headless'
E: pbuilder-satisfydepends failed.

I couldn't even build a source-only package there..

So I'm giving up on this - but I'll not that there is a
${tzdata:Depends} in the headless package that may be the cause of the
problems here...

I also wonder if that affects other binary packages in openjdk, but
considering tzdata is present only in the headless version, that
shouldn't be an issue...

A.

Bug#859655: golang-go.crypto: CVE-2017-3204

[anarcat]

Control: user -1 debian-rele...@lists.debian.org
Control: usertags -1 bsp-2017-04-ca-montreal
Control: tags -1 +patch

I looked into this during the Montreal BSP, and it's unclear what we
should do here, considering there has been multiple new uploads since
the stretch freeze. 

The patch is pretty long:

https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991

... and there's no way to just backport it into stretch at this point
(IIRC).

So I'm wondering if the next step here would not just be to ask for an
exception to unblock this for stretch, or just tell the release team to
just ignore this and drop the package from stretch.

Let me know,

A.

-- 
Celui qui ne connaît pas l'histoire est condamné à la revivre.
- Karl Marx

Bug#850168: lintian should have checks for manual pages to see if they have an EXAMPlES section

[anarcat]

Control: severity -1 wishlist

I agree!

I often find myself frustrated by more obscure bits of software where I
would love to see some EXAMPLES sections to help me get started.

Maybe this could be a "Informative" or "Pedantic" level instead of
"Warning"? It certainly shouldn't be at the "Error" level, or at least
not worse than the current "manpage missing" message.

Thanks!

-- 
If it's important for you, you'll find a way.
If it's not, you'll find an excuse.
- Unknown


signature.asc
Description: Digital signature

Bug#848508: LANG=C wormhole :/

[anarcat]

On Tue, Jan 03, 2017 at 02:03:44PM -0500, Daniel Kahn Gillmor wrote:
> Control: forwarded 848508 https://github.com/warner/magic-wormhole/issues/127
> 
> It'd be really nice for wormhole to stay on python 3 -- i would like to
> be able to run a system free of python2 in the near future, and i'd also
> like to be able to have wormhole available.

I'd like to have Debian free of Python2 as well, but it is not going to
happen in stretch, not by a long shot.

> I've forwarded the debian bug report upstream to see whether Brian has
> any suggested resolution.

Great, thanks!

> but I note that once we're talking about wormhole using non-ASCII
> wordlists (see https://github.com/warner/magic-wormhole/issues/26),
> "LANG=C wormhole receive" is going to be a buggy invocation no matter
> what anyway.

I'm happy to follow whatever upstream decides, but I'd like to point out
that this is not just a feature request ("non-ASCII wordlist", which can
be supported fine even if we go back to py2 btw), but an actual bug
("fails to work").

> I'm inclined to just say "don't do that" on debian systems, where we
> expect C.UTF-8 to be available anyway.

C.UTF-8 is necessarily available on all Debian systems, let alone the
default. In fact, I believe the default locale, on Debian systems, is
still C. Having our package fail to work in that locale breaks the
Principle Of Least Astonishment.

I still believe the simplest fix, in the short term, is to revert back
packaging to Python2. We could (and should, anyways) provide both
python2 and python3 bindings for the magic-wormhole *libraries* and make
the binary use the python2 libraries until the click bug is fixed or
Debian defaults to a UTF-8 locale.

Until then, we are, by default, not working at all unless the user
does an extra configuration. I think this is an unacceptable situation
and a bug that should be fixed.

Failing that, someone should mark this bug as unfixed and just close
this issue. I certainly wouldn't do that myself as I believe this is a
bug that we should work around until Click does the right thing.

Not everyone is a unicode geek like we are. ;)

A.

-- 
I worry about my child and the Internet all the time, even though
she's too young to have logged on yet. Here's what I worry about. I
worry that 10 or 15 years from now, she will come to me and say
'Daddy, where were you when they took freedom of the press away from
the Internet?'   - Mike Godwin, Electronic Frontier Foundation


signature.asc
Description: Digital signature

Bug#810506: Upload of linux-grsec to jessie-backports?

[anarcat]

On Mon, Apr 25, 2016 at 08:19:42AM +0200, Yves-Alexis Perez wrote:
> On lun., 2016-04-25 at 05:45 +, Amarildo Júnior wrote:
> > Any news?
> 
> Stay tuned? As already said I was waiting on the kernel to become eligible for
> migration. This happened two days ago, so I'll prepare a jessie-backport
> upload. But you're not forced to stop breathing in the meantime.

It's been a few months and the package is still not in stretch, partly
because of this bug (but also because of #835949).

It is also considered bad practice to upload a package to backports if
it is not in testing yet, especially if it's destined to be packaged
there...

It would be great to settle this before the stretch freeze, which is
coming real soon now (soft freeze on jan 5th would block this, iirc):

https://release.debian.org/

A.

-- 
I've got to design so you can put it together out of garbage cans. In
part because that's what I started from, but mostly because I don’t
trust the industrial structure—they might decide to suppress us
weirdos and try to deny us the parts we need.
   - Lee Felsenstein


signature.asc
Description: Digital signature

Bug#845196: closed by Bastien Roucariès (Bug#845196: fixed in imagemagick 8:6.8.9.9-5+deb8u6)

[anarcat]

I believe the fix for Bug#845196 is incomplete, at least in stable. It
does ship with this patch:

https://github.com/ImageMagick/ImageMagick/commit/1be809ae06f2fcb094836960edb707f81422e964

but not this one:

https://github.com/ImageMagick/ImageMagick/commit/933e96f01a8c889c7bf5ffd30020e86a02a046e7

so it is missing one fputc check in convert.

a.


signature.asc
Description: Digital signature

Bug#848139: CVE-2016-8707 ImageMagick Convert Tiff Adobe Deflate Code Execution Vulnerability

[anarcat]

Here's a patch for wheezy, which may be useful for jessie if, like
wheezy, it lacks the ReadYCCKMethod case.


From e5fd9ab1b70b2edd06de8efb606e04482cb9a2f0 Mon Sep 17 00:00:00 2001
From: Cristy 
Date: Thu, 1 Dec 2016 20:06:50 -0500
Subject: [PATCH] Fix possible buffer overflow when writing compressed TIFFS

---
 ChangeLog |  2 ++
 coders/tiff.c | 34 +++---
 2 files changed, 21 insertions(+), 15 deletions(-)

Patch was modified to remove ReadYCCKMethod case because absent from wheezy.

--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,8 @@
 
 2012-06-26  6.7.7-10 Glenn Randers-Pehrson 
   * Don't attempt to use Z_RLE compression strategy with old zlib (prior to
+  * Fix possible buffer overflow when writing compressed TIFFS (vulnerability
+report from Cisco Talos, CVE-2016-8707).
 zlib-1.2.0) that does not support it.
   * Increase PLTE chunk length to accommodate background color in indexed PNG
 (reference www.imagemagick.org/discourse-server/viewtopic.php?f=1&t=21288).
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -866,7 +866,7 @@ static Image *ReadTIFFImage(const ImageI
 width;
 
   unsigned char
-*pixels;
+*tiff_pixels;
 
   /*
 Open image.
@@ -1223,7 +1223,13 @@ static Image *ReadTIFFImage(const ImageI
   method=ReadTileMethod;
 quantum_info->endian=LSBEndian;
 quantum_type=RGBQuantum;
-pixels=GetQuantumPixels(quantum_info);
+tiff_pixels=(unsigned char *) AcquireMagickMemory(TIFFScanlineSize(tiff)+
+  sizeof(uint32));
+if (tiff_pixels == (unsigned char *) NULL)
+  {
+TIFFClose(tiff);
+ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+  }
 switch (method)
 {
   case ReadSingleSampleMethod:
@@ -1294,7 +1300,6 @@ static Image *ReadTIFFImage(const ImageI
 TIFFClose(tiff);
 ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
   }
-pixels=GetQuantumPixels(quantum_info);
 for (y=0; y < (ssize_t) image->rows; y++)
 {
   int
@@ -1303,14 +1308,14 @@ static Image *ReadTIFFImage(const ImageI
   register PixelPacket
 *restrict q;
 
-  status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) pixels);
+  status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) tiff_pixels);
   if (status == -1)
 break;
   q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
   if (q == (PixelPacket *) NULL)
 break;
   length=ImportQuantumPixels(image,(CacheView *) NULL,quantum_info,
-quantum_type,pixels,exception);
+quantum_type,tiff_pixels,exception);
   (void) length;
   if (SyncAuthenticPixels(image,exception) == MagickFalse)
 break;
@@ -1352,7 +1357,6 @@ static Image *ReadTIFFImage(const ImageI
 TIFFClose(tiff);
 ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
   }
-pixels=GetQuantumPixels(quantum_info);
 for (y=0; y < (ssize_t) image->rows; y++)
 {
   int
@@ -1361,14 +1365,14 @@ static Image *ReadTIFFImage(const ImageI
   register PixelPacket
 *restrict q;
 
-  status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) pixels);
+  status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) tiff_pixels);
   if (status == -1)
 break;
   q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
   if (q == (PixelPacket *) NULL)
 break;
   length=ImportQuantumPixels(image,(CacheView *) NULL,quantum_info,
-quantum_type,pixels,exception);
+quantum_type,tiff_pixels,exception);
   if (SyncAuthenticPixels(image,exception) == MagickFalse)
 break;
   if (image->previous == (Image *) NULL)
@@ -1397,7 +1401,7 @@ static Image *ReadTIFFImage(const ImageI
   status;
 
 status=TIFFReadPixels(tiff,bits_per_sample,(tsample_t) i,y,(char *)
-  pixels);
+  tiff_pixels);
 if (status == -1)
   break;
 q=GetAuthenticPixels(image,0,y,image->columns,1,exception);
@@ -1423,7 +1427,7 @@ static Image *ReadTIFFImage(const ImageI
 default: quantum_type=UndefinedQuantum; break;
   }
 length=ImportQuantumPixels(image,(CacheView *) NULL,quantum_info,
-  quantum_type,pixels,exception);
+  quantum_type,tiff_pixels,exception);
 if (SyncAuthenticPixels(image,exception) == MagickFalse)
   break;
   }
@@ -1460,13 +1464,13 @@ static Image *ReadTIFFImage(const ImageI
 break;
   if (i == 0)
 {
-  if (TIFFReadRGBAStrip(tiff,(tstrip_t) y,(uint32 *) pixels) == 0)
+  if (TIFFReadRGBAStrip(tiff,(tstrip_t) y,(uint32 *) tiff_pixels) == 0)
 break;
 

Bug#842388: RFP: zcash -- an implementation of the "Zerocash" protocol

[anarcat]

There are packages here it seems:

https://github.com/zcash/zcash/wiki/Debian-binary-packages

It seems their apt repo is down, however...


signature.asc
Description: Digital signature

Bug#824670: ITP: dnsdiag -- DNS Diagnostics and Performance Measurement Tools

[anarcat]

Glad to see some progress on this.

It seems that the patches for dnspython have all been merged upstream
and that dnsdiag now uses dnspython cleanly:

https://github.com/farrokhi/dnsdiag/issues/17#issuecomment-254445188

I believe this removes the last blocker you have documented for
packaging this.

Good luck with the packaging, let me know if you need help!

a.
-- 
Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are, by
definition, not smart enough to debug it.
- Brian W. Kernighan


signature.asc
Description: Digital signature

Bug#837591:

[anarcat]

On Wed, Sep 14, 2016 at 10:27:06PM +0200, Tobias Frost wrote:
> Actually, whether deleting a user on purge or not is disputed.
> https://wiki.debian.org/AccountHandlingInMaintainerScripts
> 
> (I wouldn't say this is RC, but I let the maintainer decide if it
> should be downgraded)

Understood.

On Wed, Sep 14, 2016 at 11:21:07PM +0200, Neil Muller wrote:
> Removing support for user deletion was specifically asked for when the
> package was adopted into PAPT. I also don't see any compelling reason
> to re-add it from policy, so I'm downgrading this bug.

Right.

> If there are files being left after the package is purged, please
> provide details.

Well, that's the thing. I wasn't very clear in my original report, but I
can't think of files that irker could leave behind that we don't also
want to remove. Logfiles, maybe, but those are not created by default
anyways, AFAIK.

So removing the user is harmless, and would make the package cleaner.

Thanks.

A.


signature.asc
Description: Digital signature

Bug#774992: O: linkchecker -- check websites and HTML documents for broken links

[anarcat]

I may be interested in collaboratively maintaining this, if we can get
upstream development to resume.

Otherwise I'm tempted to just give up and point people towards
w3c-checker.

A.

-- 
C'est avec les pierres de la loi qu'on a bâti les prisons,
et avec les briques de la religion, les bordels.
- William Blake


signature.asc
Description: Digital signature

Bug#773970: Monkeyscan fails at launch

[anarcat]

Control: tags 773970 +fixed-upstream
Control: fixed 773970 2.1.0

I overlooked that bug report when creating the changelog. This was fixed
in the recent 2.1.0 release.

A.


signature.asc
Description: Digital signature

Bug#784602: [PATCH] make monkeysign build reproducibly

[anarcat]

Control: fixed 784602 2.1.0
Control: tags 784602 fixed-upstream

Thanks Daniel and intri for the patch and feedback. This was fixed in
the 2.1.0 release, I just overlooked that bug in the release process...

What I actually did was that I just ripped out the timestamp code from
the manpage generation process, which was rebuilt based on the new
argparse code. Unfortunately, that means loss of functionality and the
manpage is not as great as it was before.

We are considering other ways of maintaining the manpage, maybe through
Sphinx directly:

https://0xacab.org/monkeysphere/monkeysign/issues/47

... which would hopefully *not* trigger this issue again. :)

Cheers,

A.

-- 
You Are What You Is
- Frank Zappa


signature.asc
Description: Digital signature

Bug#647883: lists ${distro_codename}-updates but needs stable-updates

[anarcat]

Control: fixed 647883 0.83.3.1

On Tue, Nov 08, 2011 at 12:00:26PM +0100, Michael Vogt wrote:
> On Mon, Nov 07, 2011 at 10:53:12AM +0100, Philipp Kern wrote:
> > The commented-out example for squeeze-updates (${distro_codename}-updates)
> > provided by unattended-upgrades does not work.  You actually need to specify
> > stable-updates to get automatic upgrades.
>  
> Thanks for your bugreport.
> 
> I pushed this fix to
> http://anonscm.debian.org/bzr/apt/unattended-upgrades/debian-squeeze/  
> and it will need a proposed-updates upload.

It looks like you forgot to close this bug report. I believe this was
actually fixed in 0.83.3.1:

https://github.com/mvo5/unattended-upgrades/commit/9a2afa59502b34a5941ee6d1f72294f4494d129a
 
On Tue, Dec 20, 2011 at 11:47:52AM +0200, Teodor MICU wrote:
> This bug look very much like #618336.

... which has been marked as resolved.

> If it doesn't worth the trouble for a backport to 'stable' maybe close it?

We are now 5 years later. I would assume it is too late for a backport
and we can just close this bug report.

Sorry for the delays everyone, it looks like the BTS needs a lot of
triage for unattended-upgrades... volunteers? :)

A.

-- 
Tu connaîtras la vérité de ton chemin à ce qui te rend heureux.
- Aristote


signature.asc
Description: Digital signature

Bug#832758: irkerd.service runs irkerd as root (should run as user "irker")

[anarcat]

Control: tags -1 +pending
Control: forwarded https://gitlab.com/esr/irker/merge_requests/15

The following patch should fix that problem:

commit 1980b7cb4239463b581579cc39480774d3e2d2fe
Author: Antoine Beaupré 
Date:   Mon Sep 12 12:01:44 2016 -0400

run daemon as the irker user (Close: #832758)

this is an improvement upon the default .service file. it requires a
irker user to be created, something which is automatically handled by
the debian package, but should be handled by other distributions when
deploying the .service file.

there are obvious dangers in running irkerd as root: a compromise
would be catastrophic, and since it runs on public servers that are
traditionnally pretty hostile (IRC), it seems critical that rights of
the daemon be limited.

diff --git a/irkerd.service b/irkerd.service
index d19378b..82f39b0 100644
--- a/irkerd.service
+++ b/irkerd.service
@@ -7,6 +7,7 @@ Requires=network.target
 
 [Service]
 ExecStart=/usr/bin/irkerd
+User=irker
 
 [Install]
 WantedBy=multi-user.target

I have forwarded it upstream as well.

A.


signature.asc
Description: Digital signature

Bug#837589: irker: diff for NMU version 2.18+dfsg-1.1

[anarcat]

Package: irker
Version: 2.18+dfsg-1
Severity: normal
Tags: patch pending

[Replace XX with correct value]
Dear maintainer,

I've prepared an NMU for irker (versioned as 2.18+dfsg-1.1) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.

Regards.
diff -Nru irker-2.18+dfsg/debian/changelog irker-2.18+dfsg/debian/changelog
--- irker-2.18+dfsg/debian/changelog	2016-06-18 04:54:48.0 -0400
+++ irker-2.18+dfsg/debian/changelog	2016-09-12 12:09:50.0 -0400
@@ -1,3 +1,12 @@
+irker (2.18+dfsg-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * new patches to the .service file:
+* run daemon as the irker used (Closes: #832758)
+* properly import environment from /etc/defaults (Closes: #832322)
+
+ -- Antoine Beaupré   Mon, 12 Sep 2016 11:59:26 -0400
+
 irker (2.18+dfsg-1) unstable; urgency=low
 
   * Update to latest upstream release.
diff -Nru irker-2.18+dfsg/debian/patches/0008-user-service.patch irker-2.18+dfsg/debian/patches/0008-user-service.patch
--- irker-2.18+dfsg/debian/patches/0008-user-service.patch	1969-12-31 19:00:00.0 -0500
+++ irker-2.18+dfsg/debian/patches/0008-user-service.patch	2016-09-12 12:04:51.0 -0400
@@ -0,0 +1,28 @@
+commit 1980b7cb4239463b581579cc39480774d3e2d2fe
+Author: Antoine Beaupré 
+Date:   Mon Sep 12 12:01:44 2016 -0400
+
+run daemon as the irker user (Close: #832758)
+
+this is an improvement upon the default .service file. it requires a
+irker user to be created, something which is automatically handled by
+the debian package, but should be handled by other distributions when
+deploying the .service file.
+
+there are obvious dangers in running irkerd as root: a compromise
+would be catastrophic, and since it runs on public servers that are
+traditionnally pretty hostile (IRC), it seems critical that rights of
+the daemon be limited.
+
+diff --git a/irkerd.service b/irkerd.service
+index d19378b..82f39b0 100644
+--- a/irkerd.service
 b/irkerd.service
+@@ -7,6 +7,7 @@ Requires=network.target
+ 
+ [Service]
+ ExecStart=/usr/bin/irkerd
++User=irker
+ 
+ [Install]
+ WantedBy=multi-user.target
diff -Nru irker-2.18+dfsg/debian/patches/0009-env-service.patch irker-2.18+dfsg/debian/patches/0009-env-service.patch
--- irker-2.18+dfsg/debian/patches/0009-env-service.patch	1969-12-31 19:00:00.0 -0500
+++ irker-2.18+dfsg/debian/patches/0009-env-service.patch	2016-09-12 12:08:44.0 -0400
@@ -0,0 +1,14 @@
+diff --git a/irkerd.service b/irkerd.service
+index 82f39b0..f4cd45b 100644
+--- a/irkerd.service
 b/irkerd.service
+@@ -6,7 +6,8 @@ Description=irker daemon
+ Requires=network.target
+ 
+ [Service]
+-ExecStart=/usr/bin/irkerd
++EnvironmentFile=-/etc/default/irker
++ExecStart=/usr/bin/irkerd $IRKER_OPTIONS
+ User=irker
+ 
+ [Install]
diff -Nru irker-2.18+dfsg/debian/patches/series irker-2.18+dfsg/debian/patches/series
--- irker-2.18+dfsg/debian/patches/series	2016-03-17 18:42:26.0 -0400
+++ irker-2.18+dfsg/debian/patches/series	2016-09-12 12:08:55.0 -0400
@@ -2,3 +2,5 @@
 0005-author-name.patch
 0006-alias-service.patch
 0007-irkerhook-git.patch
+0008-user-service.patch
+0009-env-service.patch


signature.asc
Description: Digital signature

Bug#832322: irker: Irker is ignoring startup options defined in /etc/default/irker.

[anarcat]

Control: tags -1 +patch +pending

The following patch should fix that problem:

diff --git a/irkerd.service b/irkerd.service
index 82f39b0..f4cd45b 100644
--- a/irkerd.service
+++ b/irkerd.service
@@ -6,7 +6,8 @@ Description=irker daemon
 Requires=network.target
 
 [Service]
-ExecStart=/usr/bin/irkerd
+EnvironmentFile=-/etc/default/irker
+ExecStart=/usr/bin/irkerd $IRKER_OPTIONS
 User=irker
 
 [Install]

Note that this is rolled on top of the patch for #832758.


signature.asc
Description: Digital signature

Bug#736548: monkeysign: Reports "key is expired, cannot sign" on non-expired key

[anarcat]

Control: tags -1 +confirmed -help +pending

On Fri, Jan 24, 2014 at 09:24:42PM +0100, Emilien Klein wrote:
> When trying to sign this particular key (2BEF0A33), I get the error message 
> that the key is expired.
> This key is not expired
> I've been in contact with the key owner, who acknoledged that one ID had 
> indeed been revoqued, but that the main key is still active.

On Sat, Jan 25, 2014 at 06:08:20PM +0100, Andreas Rütten wrote:
> I can confirm this behaviour with this two keys:
> 
> pub  4096R/29299233 2011-11-11
>Fingerprint=4B84 4C8F B6EB 4194 29F5  EBEC 5764 07A6 2929 9233 

Thanks. I have added that key to our test rig and wrote a unit test that
confirms the problem:

https://0xacab.org/monkeysphere/monkeysign/commit/03fc176fe804fe96b3c4ccd9ffcafaf0350b0c10

On Sat, Jul 16, 2016 at 05:31:15PM -0400, Jerome Charaoui wrote:
> tag patch
> thanks
> 
> This ugly little patch appears to fix the problem for me.

... and I have merged jerome's patch which fixes the failed unit test
here:

https://0xacab.org/monkeysphere/monkeysign/commit/65a986bf66b9c81cc13ab3cd51fda5a84121b01f

This will be fixed in the next upload.

Thank you for your patience and detailed reports.

A.


signature.asc
Description: Digital signature

Bug#725061: RFE: monkeysign should provide a --from option

[anarcat]

Control: tags -1 +wontfix +moreinfo

On Tue, Oct 01, 2013 at 01:33:45AM +0200, Kristian Fiskerstrand wrote:
> In order to specify the sending address a --from option should be added,
> alternatively, if a UID containing an email address exists in the
> signing key this could be used as the sending address for emails.

Hmm... how does that differ from the --user option exactly?

Here is how the "From" logic is determined right now:

https://0xacab.org/monkeysphere/monkeysign/blob/2.x/monkeysign/ui.py#L343

Ie. either we take it straight from --user, or we use the first UID of
the chosen key.

This ensures we send an email with a From that matches the signing key.

That assumes we do *explicitely* not want to send email with a From that
matches the signing key.

That assumption may be incorrect. I'd love to hear the reasoning behind
it in that case.

Thanks, and sorry for the delay.

A.
-- 
A genius is someone who discovers that the stone that falls and the
moon that doesn't fall represent one and the same phenomenon.
 - Ernesto Sabato


signature.asc
Description: Digital signature

Bug#760139: expiry date in epoch time is not human readable

[anarcat]

Control: tags -1 +patch +pending

A patch was provided for this (yaay!) here:

https://lists.riseup.net/www/arc/monkeysphere/2016-06/msg2.html

It has been applied to the 2.x branch.

Thanks for the report!


signature.asc
Description: Digital signature

Bug#766129: monkeysign tells me that it's going to sign with a key I revoked in 2009

[anarcat]

Control: retitle -1 monkeysign should not use revoked keys to make signatures
Control: tags -1 +confirmed +patch
Control: severity -1 important

Actually, I just realized there's a patch for this here:

https://lists.riseup.net/www/arc/monkeysphere/2015-02/msg9.html

I kept on being confused because there's a bunch of similar issues here:

* monkeysign *signs* revoked keys (#723763)
* monkeysign signs *with* revoked keys (this issue)
* monkeysign signs *expired* keys (#736548)
* *monkeyscan* offers to sign with revoked keys (#773896)

... and so on.

-- 
The history of any one part of the earth, like the life of a soldier,
consists of long periods of boredom and short periods of terror.
   - British geologist Derek V. Ager


signature.asc
Description: Digital signature

Bug#723763: monkeysign should not sign revoked uids

[anarcat]

On Thu, Sep 01, 2016 at 11:11:57AM -0400, Antoine Beaupré wrote:
> On 2016-08-01 17:53:11, Antoine Beaupré wrote:
> > Control: tags -1 +moreinfo
> >
> > Could you provide unit tests coverage for this and verify that the tests
> > pass after the patch is applied?
> 
> Also, after discussing with the Geysigning people, it seems that I
> missed another patch that was already made here:
> 
> https://lists.riseup.net/www/arc/monkeysphere/2015-02/msg9.html
> 
> It seems that his patchset is a little more complete, although it still
> doesn't feature unit tests, which I would prefer to have before merging
> this in.
> 
> Please consider reviewing his work before going forward - it seems that
> running --list-keys twice is necessary, unless we're running GPG 2.1
> (which I am starting to think we should depend on :/).

Sigh... disregard that - the above patches make sure that we don't sign
*with* revoked keys - a different issue (which I'll track in #766129).

a.
-- 
L'homme construit des maisons parce qu'il est vivant, mais il écrit des
livres parce qu'il se sait mortel.
- Daniel Pennac, Comme un roman


signature.asc
Description: Digital signature

Bug#780393: Monkeyscan shows wrong fingerprint

[anarcat]

Control: tags -1 +moreinfo +unreproducible

On Fri, Mar 13, 2015 at 10:26:25AM +0100, Dimitri Dhuyvetter wrote:
> Package: monkeysign
> 
> When I scan a QR code I made outside of Monkeysig, which contains the
> string "openpgp4fpr:6FC84DA08920932D34DDCBCD188E3F108C693450" Monkeysign
> shows me this message:
> > Signing the following key
> > 
> > pub  [unknown] 4096R/D4E5573D 1412669072 [expiry: 1475741072]
> > Fingerprint = 7699 3358 A023 D4C7 460E  CD23 E690 607D D4E5 573D
> > uid 1  [unknown] Dimitri Dhuyvetter 
> > uid 2  [unknown] Dimitri Dhuyvetter 
> > uid 3  [unknown] Dimitri Dhuyvetter 
> > sub   4096R/D4E5573D 1412669072 [expiry: 1475741072]
> > 
> > 
> > Sign all identities? [y/N] 
> 
> This should be
> > sec   4096R/0x188E3F108C693450 2014-10-07 [expires: 2016-10-06]
> >   Key fingerprint = 6FC8 4DA0 8920 932D 34DD  CBCD 188E 3F10 8C69 3450
> > uidDimitri Dhuyvetter 
> > uidDimitri Dhuyvetter 
> > uidDimitri Dhuyvetter 
> > uidDimitri Dhuyvetter 
> > ssb   4096R/0xE690607DD4E5573D 2014-10-07
> 
> Or short ID 0x8C693450

That is really strange. I cannot reproduce this here, obviously:

$ monkeysign --local 6FC84DA08920932D34DDCBCD188E3F108C693450
Préparation à la signature de cette clé:

pub  [unknown] 4096R/7B75921E 1243621534 [expiry: 1496357973]
Fingerprint = 8DC9 01CE 6414 6C04 8AD5  0FBB 7921 5252 7B75 921E
uid 1  [unknown] Antoine Beaupré (home address) 
uid 2  [unknown] Antoine Beaupré (work) 
sub   2048R/EE02855A 1342743455
sub   4096R/9C5A5581 1243622183

La clé suivante sera certifiée

pub  [unknown] 4096R/8C693450 1412669072 [expiry: 1475741072]
Fingerprint = 6FC8 4DA0 8920 932D 34DD  CBCD 188E 3F10 8C69 3450
uid 1  [unknown] Dimitri Dhuyvetter 
uid 2  [unknown] Dimitri Dhuyvetter 
uid 3  [unknown] Dimitri Dhuyvetter 
uid 4  [unknown] Dimitri Dhuyvetter 
uid 5  [unknown] Dimitri Dhuyvetter 
sub   4096R/D4E5573D 1412669072 [expiry: 1475741072]

What is interesting is that if I try the other fingerprint that you
originally found, I get this:


$ monkeysign --local 7699 3358 A023 D4C7 460E  CD23 E690 607D D4E5 573D
Préparation à la signature de cette clé:

pub  [unknown] 4096R/7B75921E 1243621534 [expiry: 1496357973]
Fingerprint = 8DC9 01CE 6414 6C04 8AD5  0FBB 7921 5252 7B75 921E
uid 1  [unknown] Antoine Beaupré (home address) 
uid 2  [unknown] Antoine Beaupré (work) 
sub   2048R/EE02855A 1342743455
sub   4096R/9C5A5581 1243622183

La clé suivante sera certifiée

pub  [unknown] 4096R/8C693450 1412669072 [expiry: 1475741072]
Fingerprint = 6FC8 4DA0 8920 932D 34DD  CBCD 188E 3F10 8C69 3450
uid 1  [unknown] Dimitri Dhuyvetter 
uid 2  [unknown] Dimitri Dhuyvetter 
uid 3  [unknown] Dimitri Dhuyvetter 
uid 4  [unknown] Dimitri Dhuyvetter 
uid 5  [unknown] Dimitri Dhuyvetter 
sub   4096R/D4E5573D 1412669072 [expiry: 1475741072]

ie. it signs the same key! When I import your key from the keyservers, I
find can export your key using that other fingerprint:

$ gpg --export -a '76993358A023D4C7460ECD23E690607DD4E5573D' | gpg 
pub  4096R/188E3F108C693450 2014-10-07 Dimitri Dhuyvetter 
uidDimitri Dhuyvetter 
uidDimitri Dhuyvetter 
uidDimitri Dhuyvetter 
uidDimitri Dhuyvetter 
sub  4096R/E690607DD4E5573D 2014-10-07 [expire : 2016-10-06]
 
I cannot find key 76993358A023D4C7460ECD23E690607DD4E5573D anywhere on
the keyservers.

> I've attached the QR in question, so you can test it out yourself.

I do not see the qrcode in attachment, nor in the URL you mentionned in
that other post, could you send it again?

> I'm not sure which version of Monkeysign or Monkeyscan I have, I
> installed it today from Ubuntu repos.
> I am running Ubuntu 14.03 LTS

You are likely running 1.1, according to this:

http://packages.ubuntu.com/monkeysign

You may want to try a newer version.

A.

-- 
One has a moral responsibility to disobey unjust laws.
- Martin Luther King, Jr.


signature.asc
Description: Digital signature

Bug#773896: monkeyscan: identity menu has no indicator for expired keys

[anarcat]

Control: tags -1 confirmed
Control: retitle -1 monkeyscan: do not offer to sign with revoked keys

On Tue, Jan 20, 2015 at 12:29:36PM -0800, Vagrant Cascadian wrote:
> On 2014-12-24, Paul Wise wrote:
> > I have an expired key in my local keyring but monkeyscan doesn't
> > indicate that it is expired in the menu. I would expect the menu item to
> > be either greyed or crossed out or not be visible in the Identity menu
> > at all. I don't have any revoked keys but I would expect those to have
> > an indicator too, probably a different one to expired keys. Probably
> > greyed out for expired keys and crossed out for revoked keys.
> 
> I can confirm it also shows revoked keys. To add insult to injury, it
> defaults to using a revoked key for me...

This is because we can't tell if secret keys are revoked, blame GPG
<2.1 and see #723763.

But yeah, even if we could tell, the UI doesn't deal with that at all -
we should just not show those keys at all.

Regarding the default that is wrong, that is also documented, in
#766129.

A.

-- 
The history of any one part of the earth, like the life of a soldier,
consists of long periods of boredom and short periods of terror.
   - British geologist Derek V. Ager


signature.asc
Description: Digital signature

Bug#760717: monkeysign chokes when gpg wants user to run with --check-trustdb

[anarcat]

Control: severity -1 wishlist
Control: tags -1 +confirmed +help
Control: retitle -1 monkeysign should deal with --no-auto-check-trustdb 
configurations

On Sun, Sep 07, 2014 at 03:53:18AM -0400, Gabriel Filion wrote:
> with current master (commit 5a8d12914a8d4388c6543056098276f6e756e483)
> when I try to sign a key, gpg emits an error message about needing to
> run with --check-trustdb, and apparently monkeysign is choking on this
> output with the following debug info:

it seems that you have --no-auto-check-trustdb in your gpg.conf, is that
correct?

i am tempted to just ignore this as an unsupported configuration for
now.

but it certainly doesn't warrant the current severity at least. ;)

i would welcome patches that would ignore that piece of dialog. unit
tests to reproduce this issue would also be appreciated!

thanks for the bug report!

a.
-- 
The destiny of Earthseed is to take root among the stars.
- Octavia Butler


signature.asc
Description: Digital signature

Bug#823104: monkeysign: Twice confused by package description

[anarcat]

Control: tags -1 moreinfo
Control: severity -1 wishlist

On Sat, Apr 30, 2016 at 09:50:01PM +0200, Holger Levsen wrote:
> Package: monkeysign
> Version: 2.0.2
> Severity: normal
> 
> Hi,
> 
> I've read the package description and while I like the funny tone, I
> also find it confusing for two reasons:
> 
> 1.)
> 
>  monkeysign is a tool to overhaul the OpenPGP keysigning experience
>  and bring it closer to something that most primates can understand.
> [...]
>  Monkeysign is the commandline signing software.
> 
> -> most primates can't understand commandline software?!

That is correct. What do you find find confusing here?

> 2.) 
> 
>  The project makes use of cheap digital cameras and the type of bar
>  code known as a QRcode to provide a human-friendly yet still-secure
>  keysigning experience.
> [...]
>  Monkeysign is the commandline signing software, a caff
>  replacement.
> 
> -> is it a caff replacement or does it rely on QRcodes?

It's funny that you quote only the first sentence of that paragraph, the
full paragraph is:

 Monkeysign is the commandline signing software, a caff
 replacement. Monkeyscan is the graphical user interface that scans
 qrcodes.

So Monkeysign is the caff replacement, and monkeyscan is the GUI.
 
> Please clarify the package description to make these things
> clear(er).

I would appreciate a suggestion on how to phrase this better. With the
above, I am not sure I can find a proper formulation that would be
satisfactory.

> Also it might be appropriate to explain that monkeysign is a
> commandline tool, just like caff or pius… (and that only monkeyscan
> does all the monkey QR stuff and therefore has a gui…)

Again, I felt that the last paragraph did exactly that.

> Also, I'm kinda surprised that I have recommends enabled and get this
> after installing monkeysign:
> 
> $ monkeyscan some modules missing for scanning functionality: No
> module named zbar

That seems like a completely different issue...

python-zbar and python-zbarpygtk and both in Recommends - are they
installed on your computer?

A.

-- 
Il est sage de nous réconcilier avec notre adolescence ; haїr, mépriser,
nier ou simplement oublier l’adolescent que nous fûmes est en soi une
attitude adolescente.
- Daniel Pennac, Comme un roman


signature.asc
Description: Digital signature

Bug#736629: UnicodeDecodeError: 'utf8' codec can't decode byte 0xf6

[anarcat]

Control: severity -1 minor
Control: found -1 2.0.2

It looks like Dennis' key has an invalid encoding, even in gpg:


$ gpg --search-keys allsp...@planetcyborg.de
gpg: recherche de « allsp...@planetcyborg.de » sur le serveur hkp 
pool.sks-keyservers.net
(1) Dennis Boerm 
  2048 bit RSA key 287992D55C7E48CE, créé : 2014-06-16 (révoquée)
(2) Dennis Börm 
Dennis Börm 
Dennis Börm 
Dennis Börm 
Dennis Börm 
  4096 bit RSA key DF87C73A6F432148, créé : 2014-04-25
(3) Dennis Boerm 
Dennis Boerm 
Dennis B\xf6\x72m 
Dennis Börm 
Dennis Boerm 
Dennis Boerm 
Dennis Boerm 
Dennis Börm 
Dennis Boerm 
  2048 bit RSA key ECAA37C45C7E48CE, créé : 2009-09-15
Keys 1-3 of 3 for "allsp...@planetcyborg.de".  Entrez le ou les nombres, 
(S)uivant, ou (Q)uitter > 

I am not sure what we should do with this - an exception certainly isn't
great, but how do you certify corrupt data anyways?

A.


signature.asc
Description: Digital signature

Bug#736120: Update on bug#736120

[anarcat]

Control: tags -1 -moreinfo +unreproducible

On Sat, Dec 13, 2014 at 05:39:13PM +0100, Emilien Klein wrote:
> Hi,
> 
> Using version 2.0.2 on a sid box, with the same key that I used in
> post#2, I do get a different traceback, which seems unrelated:
> 
> 
> Really sign key? [y/N] y
> command: ['gpg', '--command-fd', '0', '--with-fingerprint',
> '--list-options',
> 'show-sig-subpackets,show-uid-validity,show-unusable-uids,show-unusable-subkeys,show-keyring,show-sig-expire',
> '--status-fd', '2', '--quiet', '--batch', '--fixed-list-mode',
> '--no-tty', '--with-colons', '--use-agent', '--secret-keyring',
> '/home/emilien/.gnupg/secring.gpg', '--homedir', '/tmp/pygpg-s5Sx9O',
> '--sign-key', 'Stefano Zacchiroli ']
> SKIPPED: [GNUPG:] KEYEXPIRED 1417438220
> Traceback (most recent call last):
>   File "/usr/bin/monkeysign", line 41, in 
> u.main()
>   File "/usr/lib/python2.7/dist-packages/monkeysign/cli.py", line 70, in
> main
> self.sign_key()
>   File "/usr/lib/python2.7/dist-packages/monkeysign/ui.py", line 305, in
> sign_key
> if not self.tmpkeyring.sign_key(pattern, alluids):
>   File "/usr/lib/python2.7/dist-packages/monkeysign/gpg.py", line 482,
> in sign_key
> raise GpgRuntimeError(self.context.returncode, _('cannot select uid
> for signing: %s') % e.found().decode('utf-8'))
> monkeysign.gpg.GpgRuntimeError: [Errno 0] cannot select uid for signing:
> [GNUPG:] KEYEXPIRED 1417438220
> 
> 
> The weird thing is that neither my key (I just signed 3 other keys
> without issues) nor the key that I'm signing have expired.

This definitely look like #736548:

monkeysign: Reports "key is expired, cannot sign" on non-expired key
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736548

> As I don't know if this traceback occurs before or after the place where
> the original issue occurred, I can't really confirm if the issue is fixed.

Right. You could try the patch available above to see if it fixes the
problem for you.

> Let me know if I can provide extra information for you to reproduce.

I am tempted to just close this bug report at this point - I have Zack's
key in the test suite and it passes. If you can reproduce, remove the
tag and send me another backtrace.

Sorry for the delays, BTW... and thanks for following up!

-- 


signature.asc
Description: Digital signature

Bug#834524: init-system-helpers: does not own /etc/rc?.d

[anarcat]

On Wed, Aug 17, 2016 at 12:08:05AM +0200, Michael Biebl wrote:
> Am 16.08.2016 um 19:12 schrieb Ferenc Wágner:
> > Package: init-system-helpers
> > Version: 1.25
> > Severity: normal
> > 
> > Hi,
> > 
> > Recently both my daemon packages started to exhibit this piuparts error:
> > 
> > ERROR: FAIL: Package purging left files on system:
> >   /etc/rc2.d/not owned
> >   /etc/rc3.d/not owned
> >   /etc/rc4.d/not owned
> >   /etc/rc5.d/not owned
> > 
> > I think this is the result of sysv-rc losing its Essential flag, which means
> > it isn't present in minimal chroots (like those used by piuparts) anymore.
> > On the other hand, init-system-helpers imported update-rc.d in version 1.25,
> > and I think /etc/rc?.d is created by update-rc.d (but never removed).  All
> > this results in piuparts failures in recently tested daemon packages.
> > 
> > If the above analysis is correct, please fix this.
> 
> Fix what exactly?

I am not sure what the fix is either, but it breaks Piuparts (#834766)
for a *lot* of packages:

https://piuparts.debian.org/sid/unowned_files_after_purge_error.html

arguably, not all those matches are due to this specific bug, but at
this point, any package that ships a daemon with dh_installinit (and
that's a lot of packages!) are now yielding piuparts errors all over the
place (e.g. postfix, openssh-server, apache2 all now fail piuparts).

This bug is marked as "pending", with a patch. Would that fix piuparts?
If so, I would highly recommend uploading the new version ASAP to keep
people like me from looking all over the place to figure out what broke
in their packages.

If not, it would be great to have some way forward. Punting the issue in
Piuparts' backyard may work, but I think it would be nice to get rid of
those old directories on systems that do not have init.d files
anymore...

Thanks!

A.


signature.asc
Description: Digital signature

Bug#833854: sks: no longer logs to /var/log/sks/

[anarcat]

On Tue, Aug 09, 2016 at 09:23:51PM +0200, Christoph Anton Mitterer wrote:
> On Tue, 2016-08-09 at 12:06 -0400, Daniel Kahn Gillmor wrote:
> > it'd also likely fix this piuparts failure for sks itself at least:
> > 
> >  https://piuparts.debian.org/sid/fail/sks_1.1.6-1.log
> > 
> > 0m26.6s ERROR: FAIL: Package purging left files on system:
> >   /etc/rc1.d/    not owned
> >   /etc/rc2.d/    not owned
> >   /etc/rc3.d/    not owned
> >   /etc/rc4.d/    not owned
> >   /etc/rc5.d/    not owned
> > 
> > 0m26.7s ERROR: FAIL: Installation and purging test.
> 
> Kinda strange... here these packages are sysv-rc owned... if they're
> left over, than somewhere is a bug (dpkg-helper scripts? init-helper-
> scripts?)

Did you have any other ideas on how to fix this? I'm seeing similar
problems with charybdis, and i'm starting to believe this is a larger
problem than just our two packages:

https://piuparts.debian.org/sid/unowned_files_after_purge_error.html

Charybdis's log is here:

https://piuparts.debian.org/sid/fail/charybdis_3.5.2p1-2.log

Actually, I got pointed towards this bug which seems to be common, in
piuparts:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834766

So this doesn't seem to be sks at all.

(I found this bug googling for the piuparts error message so i figured
i would mention it here for future seekers of truth.)

A.

-- 
L'ennui avec la grande famille humaine, c'est que tout le monde veut
en être le père.
- Mafalda


signature.asc
Description: Digital signature

Bug#834766: piuparts: unowned rcX.d

[anarcat]

On Thu, Aug 18, 2016 at 07:38:37PM +, Holger Levsen wrote:
> package: piuparts
> severity: important
> version: 0.72
> x-debbugs-cc: Antonio Radici 
> 
> On Wed, Aug 17, 2016 at 06:59:16AM +, Antonio Radici wrote:
> > Hi there,
> > I recently uploaded a new version of cfengine3 and I got an error from 
> > piuparts,
> > the log is here:
> > https://piuparts.debian.org/sid/fail/cfengine3_3.7.4-2.log
> > 
> > From what I can see it seems that /etc/rcX.d directories are unowned after 
> > the
> > purge, the new version did not introduce a change to the init script so I 
> > was
> > wondering if something has changed in the way init scripts are handled or 
> > there
> > is something in particular that I'm missing
> > 
> > Thanks a lot in advance!
> 
> thanks for your report, Antonio!
> 
> I'm quite busy right now and will try to look into this next week. Help &
> patches much welcome!

This seems to be a bug with the init-system-helpers package, which ships
update-rc.d but doesn't cleanup those directories on removal, see
#834524.

Not sure it's a problem with Piuparts...

A.


signature.asc
Description: Digital signature

Bug#806034: gmpc: FTBFS when built with dpkg-buildpackage -A (No such file or directory)

[anarcat]

On Wed, Aug 03, 2016 at 07:55:10AM +0100, Simon McVittie wrote:
> On Sun, 29 May 2016 at 15:12:12 +0200, Etienne Millon wrote:
> > Here's a patch that fixes the issue.
> 
> Please prepare a proposed upload, I'd be happy to sponsor it.
> 
> Alternatively, if you intend for pkg-mpd team members to be able to upload
> this package without it being an NMU, please set the team as the Maintainer
> with yourself in Uploaders, or add the team to Uploaders if you want to be
> considered the primary maintainer. The canonical spelling seems to be
> "mpd maintainers ".

Hi!

Thanks for the offer Simon, I have made an upload to mark me and etienne
as uploaders and MPD as the maintainer team. I hope everything is in
order!

a.
-- 
I know where I am going, and I know the truth,
and I do not have to be what you want me to be.
I am free to be what I want.
 - Muhammad Ali


signature.asc
Description: Digital signature

Bug#781180: Please add new youtube-dl in jessie-updates

[anarcat]

Control: severity -1 grave
Control: fixed -1 2016.02.22-1~bpo8+1

On Mon, Apr 27, 2015 at 10:16:25PM -0300, Rogério Brito wrote:
> Hi.
> 
> On Apr 27 2015, transylvania wrote:
> > Thanks for maintaining youtube-dl.
> 
> You're welcome.

+1 :)

> > Since youtube-dl is one of those programs like clamav that needs to be
> > kept up to date with upstream quite frequently in order to be consistently
> > useful,
> 
> Yes, I agree.
> 
> > please could you arrange for the version you've added to unstable to be
> > added to jessie-updates?
> 
> Yes, I can do that, but I would first need to know the procedure to perform
> such updates. Since I am a bit short on time, can you contact the stable
> release team and let them know about the user's needs?

Is this still a thing?

The procedure for stable updates is here:

https://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Basically, we need to file a bug to release.debian.org including the
patch we want to apply to the package to fix the bug. Considering there
are fairly large changes between stable and testing, I am not sure the
change would be accepted.

But then again, this bug makes the youtube package basically useless in
stable so it should either be removed from stable, or updated to the
testing version. I have bumped the bug severity accordingly.

I am using the backports version, which works well, but the point of
backports is not to provide such critical bugfixes, but backport special
functionalities that do not warrant a full stable update.

I will file a bug against release.debian.org to start that conversation.

A.
-- 
Voter, c'est abdiquer
- Élisée Reclus


signature.asc
Description: Digital signature

Bug#760787: Please try these

[anarcat]

On Sun, Apr 24, 2016 at 09:13:09PM +0200, Richard Hartmann wrote:
> Hi,
> 
> feel free to use
> dediserver.eu/misc/git-annex_6.20160418-1~bpo8+1_amd64.deb until its
> "real" package migrated into testing.

The package did migrate to testing now, can the backport be updated?

Thanks!

-- 
Les plus beaux chants sont les chants de revendications
Le vers doit faire l'amour dans la tête des populations.
À l'école de la poésie, on n'apprend pas: on se bat!
- Léo Ferré, "Préface"


signature.asc
Description: Digital signature

Bug#833090: ITP: magic-wormhole -- Securely and simply transfer data between computers

[anarcat]

On Tue, Aug 02, 2016 at 06:52:03PM -0700, Jameson Graef Rollins wrote:
> On Tue, Aug 02 2016, Fredrik Alströmer  wrote:
> > I would object slightly to calling it "securely", from what I can tell by a
> > quick glance at the code, the data is relayed through the authors private
> > server. The pass phrases seem to be fairly limited (chosen from a 512-entry
> > dictionary iiuc), simply spamming the the public endpoint with passwords
> > should net you something cool sooner or later.
> 
> Hi, Fredrik.  Thanks for the comments.
> 
> The fact that data is relayed through the author's private server should
> not compromise integrity of the data, since the data is actually
> encrypted end-to-end.  The package also includes the server program
> itself so users can set up their own server rather than use the one
> provided by the author.
> 
> The upstream author has attempted to explain the compromises involved in
> using relatively low-entropy password for the initial key exchange:
> 
> http://www.lothar.com/%7Ewarner/MagicWormhole-PyCon2016.pdf
> https://youtu.be/dgnikoiau68
> 
> > Also, as a comment in the code suggests, the server might disappear at any
> > time so it's not intended for wide adoption.
> 
> My intention is to put the package in experimental, so that we can gain
> deployment experience.
> 
> I don't think that any of the concerns that you express should preclude
> us putting the package into experimental.

I'd go even further and say this should be shipped as part of regular
Debian releases, ie. just push it to unstable.

We still ship FTP daemons that serve files without passwords and use
cleartext by default.

Jamie, I'd be happy to co-maintain this!

A.

-- 
Semantics is the gravity of abstraction.


signature.asc
Description: Digital signature

Bug#818977: removing or updating libmowgli?

[anarcat]

On Tue, Jul 05, 2016 at 04:33:15PM +0200, Andrew Shadura wrote:
> On 03/05/16 20:22, Antoine Beaupré wrote:
> > This issue is now fixed.
> 
> Yes, and I have uploaded 2.1.0 to Debian.

Cool, thanks!

> > However, to fix this in sid, we'll need to setup a transition for
> > libmowgli. This seems overkill, to say the least, since atheme is, as
> > far as I know, the only package depending on libmowgli.
> 
> At the moment yes. libmowgli should probably go away.

Okay, do you want to orphan the package, should I file for removal, or
how do we proceed?

> > Why are we keeping those two separate anyways? It's not as if there's a
> > lot of things that use libmowgli out there. In the whole existence of
> > the package, *nothing* came up that reused the library.
> 
> In the past, libguess and audacious used libmowgli, but both then
> stopped doing so.

Oooh... i was wondering which packages that might have been. :)

I have now uploaded atheme 7.2.6, which links against debian's
libmowgli. let me know if you take measures to remove it from sid so i
can upload a new package...

thanks for following up!

PS: btw, i missed your message because I wasn't cc'd in your reply...

-- 
A riot is the language of the unheard.
 - Martin Luther King, Jr.


signature.asc
Description: Digital signature

Bug#754972: ITP: percol -- adds flavor of interactive filtering to the traditional pipe concept of UNIX shell

[anarcat]

On Fri, Aug 28, 2015 at 10:29:02AM +0900, Kozo Nishida wrote:
> Hi Antoine,
> 
> Sorry for the late reply, and thank you for your kindness.
> 
> I first submit percol debian package on https://mentors.debian.net/

Hello,

I am not sure if you uploaded the said package to mentors.debian.net,
but it doesn't show up there right now. Packages do expire after a
while, so it's possible you uploaded it and I just missed it.

Considering how long it took for me to reply here, maybe it would be
better if you put the package somewhere else where I have time to review
it before it gets removed... Please do keep me in CC when replying so
that I see your reply!

thanks,

a.

-- 
Every time I see an adult on a bicycle I no longer despair for the
future of the human race.
 - H. G. Wells


signature.asc
Description: Digital signature

Bug#825301: More details

[anarcat]

On Fri, May 27, 2016 at 10:17:45AM +, S y s C o / lz wrote:
> Hi,
> 
> the problem shows up when the user clicks on the link 'Search' for a database 
> (not a table).
> 
> http:///phpmyadmin/db_search.php?db=apecchampi&server=1&token=x

I have built new packages that should fix this bug available here:

https://people.debian.org/~anarcat/debian/wheezy-lts/

Will test and upload myself by the end of the day.

Sorry for the trouble.

A.


signature.asc
Description: Digital signature

Bug#804384: smokeping: README.Debian quite outdated

[anarcat]

On Sat, Nov 07, 2015 at 10:28:55PM +, Jonathan Dowland wrote:
> Package: smokeping
> Version: 2.6.11-1
> Severity: normal
> 
> hi,
> 
> /usr/share/doc/smokeping/README.Debian is quite outdated now:

Yes, it is.

> > After installing the package you have to edit the file 
> > /etc/smokeping/config to set your preferences. You can follow
> > the example provided.
> 
> the config file now is just a list of includes of other files,
> there is no longer really an example to follow.

Hmm... well, what's wrong with following those include files?

> > ln -s /etc/smokeping/apache2.conf /etc/apache2/conf.d/smokeping
> > invoke-rc.d apache2 restart
> 
> I see #760474 already reported complains that the above is not right because
> conf.d no longer exists; however, now /etc/smokeping/apache2.conf is gone
> too.

I simply removed that reference from the README and reshuffled it a bit.

> Finally it would be quite nice to include lighttpd/fastcgi auto-configuration.

Please file this as a seperate wishlist.

Patches are, obviously, welcome. :) I need help maintaining this
package...

A.
-- 
Advertisers, not governments, are the primary censors of media content 
in the United States today.
- C. Edwin Baker


signature.asc
Description: Digital signature

Bug#730674: ITP: piwik -- web analytics software

[anarcat]

On Fri, Jul 25, 2014 at 09:08:42PM +0200, Daniel Baumann wrote:
> i'm not going to do it after all.

On Wed, Mar 12, 2014 at 05:11:39PM +0100, Daniel Baumann wrote:
> after having worked on #609521 already a couple of years ago, i'll
> finally got to it now and am finishing up the last remaining things.
> 
> the preliminary packaging is available at
> http://daniel-baumann.ch/gitweb/?p=debian/packages/piwik.git

So obviously this repo is gone.

Did anyone get the chance to clone a copy of it? It's not on the
internet archive or anywhere i can see.

It seems that upstream has its own debian package now:

https://github.com/piwik/piwik-package

Maybe that could be of interest here?

A.

-- 
Les écrivains qui ont recours à leurs doigts pour savoir s'ils ont leur
compte de pieds ne sont pas des poètes, ce sont des dactylographes.
- Léo Ferré, "Préface"


signature.asc
Description: Digital signature

Bug#813313: [planet-venus] fails on SNI enabled websites

[anarcat]

Control: forwarded -1 https://github.com/jcgregorio/httplib2/issues/233 

On Wed, Feb 10, 2016 at 01:05:59AM +0100, Jakub Wilk wrote:
> * anarcat , 2016-02-09, 09:33:
> >This is typical of Python apps that depend only on urllib and so on.
> 
> Not really. Python's stdlib supports SNI since 2.7.9, which was the first
> version that enabled certificate verification by default, and what's in
> jessie.
> 
> Here the culrprit is httplib2: [...]

You're right of course. Here's the upstream bug:

https://github.com/jcgregorio/httplib2/issues/233

httplib2 folks say that the problem doesn't appear in Python3, so maybe
Venus could run in Py3k? I actually doubt it, considering that software
hasn't been updated since well, 2010 or so...

The number of failed hosts keeps on growing in the meantime:

$ grep -c 'Server presented certificate that does not match host' planet.log.0
22

Note that those are not all let's encrypt certs, but they are probably
mostly SNI.

Those wishing to reproduce the issue can follow the instructions on the
wiki page here:

https://wiki.debian.org/PlanetDebian#test

Or simply run the bootstrap script:

http://anonscm.debian.org/viewvc/planet-debian/trunk/planet-bootstrap.sh?view=co&content-type=text%2Fplain

The faulty code in planet venus itself is in planet/spider.py, around
line 300, in the httpThread function. It *looks* like it could be fairly
easy to convert it to requests, as the API usage is fairly superficial.

A.


signature.asc
Description: Digital signature

Bug#798500: drush will be removed from Debian

[anarcat]

Hi,

In #823767, I have requested from the FTP-masters that Drush be removed
from Debian. In the ~9 months since it was orphaned, no one stepped up
to start maintaining the Drush package, let alone update it to a current
version. There was some movement on the Ubuntu side of things (also in
CC), but it seems it didn't end up going anywhere.

It seems clear to me no one is available to do that task and having an
outdated version of Drush in Debian is hurting both projects for no good
reason. At least that is the constant feedback I receive, both privately
and through the above bug reports.

So unless someone steps up *now* to tell the FTP-masters to stop, it
will be removed as soon as they take a look at bug #823767.

Thanks for your attention, and sorry for the wide {B,}CC.

A.

-- 
Le pouvoir n'est pas à conquérir, il est à détruire
- Jean-François Brient, de la servitude moderne


signature.asc
Description: Digital signature

Bug#685734: dpkg should manage system users and groups

[anarcat]

On Fri, Aug 24, 2012 at 07:23:57AM +0200, Harald Dunkel wrote:
> It would be very nice if dpkg could manage system users and groups
> created for each package.
> 
> At the moment I've got GID 105 for dbus on host A, while 105 is
> used for saned on host B (just as an example). This is a severe
> problem when A's root partition is visible somehow on B, e.g.
> on a central backup server, or on an LXC server managing the
> client rootfs in its own name space.
> 
> I would like to tell dpkg to use GID 105 for the dbus package on
> all systems. If there is a conflict with an existing entry in
> /etc/passwd or /etc/group, then it should refuse to install.

I have another use case for this: root-less .deb installs. While *in
general* one needs root to run `dpkg -i`, most packages (75%) don't
*actually* need arbitrary code to be ran as root to be installed[1].

By making user creation declarative, we could lower that number quite a
bit, I believe. 

So my use case here is to reduce the attack surface for intrusions
through untrusted .debs. I have documented various attack vectors here:

https://wiki.debian.org/UntrustedDebs

... and this is clearly one of them. :)

A.

[1]: 
https://nthykier.wordpress.com/2016/04/26/putting-debian-packages-in-labelled-boxes/


signature.asc
Description: Digital signature

Bug#817286: Simplify testing access for packages on security-master

[anarcat]

On Wed, Mar 09, 2016 at 07:41:57PM +0100, Moritz Muehlenhoff wrote:
> Package: ftp.debian.org
> Severity: wishlist
> 
> This was discussed at one of the past security team meetings, but
> there was never a bug for that:
> 
> (This is a first high level view, the exact requirements can be hashed
> out later.)
> 
> It would be great to have a simple (single command) method to simplify
> testing security updates. Right now these need to copied manually to
> the respective test hosts. If it's not available via apt, this is a
> problem for many people since they are unable to find out which binary
> packages are installed and how to update them via dpkg.
> 
> There should be a method to allow
> - publishing a public security issue to a permanent staging repository
>   ala jessie-security-staging, which people can keep in their apt source
> 
> - publishing an non-public security issue to a protected apt
>   repository to simplify testing for members of the security team

I am not very familiar with the internals of DAK, but to me this should
be setup similarly to how the stable-proposed-updates currently are
setup. Couldn't there be a suite before "security" in dak?

For those, like me, who are struggling to keep in RAM all those suites,
I've updated the flow diagram that madduck made a while back, so now it
looks like this:

https://wiki.debian.org/DebianReleases#Workflow

There's probably a bunch of mistakes there, it's in the wrong place
(moinmoin wiki that doesn't keep revisions instead of real docs
somewhere) but i had to stop shaving yaks at *some* point.

A.

-- 
It is a miracle that curiosity survives formal education
- Albert Einstein


signature.asc
Description: Digital signature

Bug#760787: Please provide a backport of latest release

[anarcat]

Control: found -1 5.20151208-1~bpo8+1
Control: found -1 5.20141125

This is still an issue for me. I'm looking at a workaround for this bug:

https://git-annex.branchable.com/bugs/git_annex_get_fails_from_read-only_repository/

.. and it seems it needs at least a 2016 version to get this fix.

Can we get a new backport uploaded?

Thanks!

-- 
The history of any one part of the earth, like the life of a soldier,
consists of long periods of boredom and short periods of terror.
   - British geologist Derek V. Ager


signature.asc
Description: Digital signature

Bug#807735: gmpc-plugins: FTBFS: libmpd-internal.h:210:10: error: expected identifier or '(' before '__extension__'

[anarcat]

Control: tags -1 +patch

So how about just disabling jamendo as a quick fix?

--- debian/rules.orig   2016-04-13 11:29:24.570556456 -0400
+++ debian/rules2016-04-13 11:29:26.214556530 -0400
@@ -9,7 +9,7 @@
dh $@ --with autoreconf

 override_dh_auto_configure:
-   dh_auto_configure -- --disable-lyricwiki
+   dh_auto_configure -- --disable-lyricwiki --disable-jamendo

 override_dh_strip:
dh_strip $(DEB_DH_STRIP_ARGS)

-- 
Choose a job you love and you will never have to work a day in your
life.
 - Confucius


signature.asc
Description: Digital signature

Bug#820378: Ensure users report bugs in BTS and not to upstream directly

[anarcat]

I think this patch is a great idea!

Unfortunately, there is no obvious way to file a bug from the URL used:

https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=xscreensaver;dist=unstable

(that is the target of the redirection.)

We are doing a poor job at helping people file bugs, generally. I
usually point people to:

https://www.debian.org/Bugs/Reporting

but that's a little horrible as well...

Not sure what the best fix is here, but pointing people to
bugs.d.o/xscreensaver will certainly not help our users. :)

A.

PS: great job on that other bug report btw, Tormod. :)

-- 
If builders built houses the way programmers built programs,
The first woodpecker to come along would destroy civilization.
- Gerald Weinberg


signature.asc
Description: Digital signature

Bug#507682: Adjustable averaging window for rate display

[anarcat]

Control: fixed -1 1.2.0-1

Hi,

You may like to know this is now a feature in pv 1.2.0.

Sorry for the (very) delayed response - I actually had a confirmation of
this from upstream in 2014 but forgot to document it here.

A.

On Wed, Dec 03, 2008 at 10:40:33AM -0500, Anthony DeRobertis wrote:
> Package: pv
> Version: 1.1.4-1
> Severity: wishlist
> File: /usr/bin/pv
> 
> It appears that pv always averages the transfer rate over the display
> interval. It'd be nice if that could be controlled seperately. Right
> now, if you have very bursty data (for example, lzcat receiving
> compressed data from the network, writing uncompressed to disk), you
> have to use a very long update interval, on the order of a minute, to
> get a reasonable rate estimate. It'd be nice to keep the 1s update
> interval, but take the average over a longer period.
> 
> It'd be awesome if pv recognized bursty data and adjusted the averaging
> itself, but that's way more than I expect.
> 
> -- System Information:
> Debian Release: lenny/sid
>   APT prefers testing
>   APT policy: (500, 'testing'), (100, 'unstable')
> Architecture: i386 (i686)
> 
> Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
> 
> Versions of packages pv depends on:
> ii  libc6 2.7-16 GNU C Library: Shared libraries
> 
> pv recommends no packages.
> 
> Versions of packages pv suggests:
> ii  doc-base  0.8.16 utilities to manage online 
> documen
> 
> -- no debconf information
> 
> 

-- 
Education is the most powerful weapon which we can use to change the
world.
   - Nelson Mandela


signature.asc
Description: Digital signature

Bug#470995: where is the source??

[anarcat]

4 years later, still no debian package... a little embarrassing!

It looks like the source is here now:

https://vote.debian.org/~secretary/devotee.git/

A.


signature.asc
Description: Digital signature

Bug#799292: ITP: mailman3 -- Mailman3 mailing list manager suite

[anarcat]

Any progress here?


signature.asc
Description: Digital signature

Bug#818510: upgrade-reports: excellent upgrade experience on Lenovo E431

[anarcat]

Package: upgrade-reports
Severity: minor

I just upgraded my friend's laptop from the latest Wheezy to the latest Jessie
without a hitch! 

Things went really smoothly. I changed the sources.list by hand, ran apt-get
upgrade; apt-get dist-upgrade and everything went almost perfectly.

For some reason, db5.1-util and unoconv were not correctly upgraded on
dist-upgrade. Running dist-upgrade fixed the latter, but not the former. I
eneded up just purging db5.1-util.

autoremove didn't catch everything: a bunch of packages were "obsolete"
according to aptitude and I had to remove those by hand. it would be nice if
the upgrade process would cover those as well. this includes python 2.6, the
older kernel, openjdk 6, gcc 4.6 and a bunch more random libs that clutter the
system.

otherwise everything seems to be going well so far. the user's only complaint
so far is that the minimize button is gone from gnome, but she figured out she
can click on the window in the window list to achieve the same result.

mission accomplished! although ideally, *she* would have been able to do the
upgrade herself. maybe next time!

a.

PS: this is not really a bug report, more of a "good job" to whoever is
receiving those messages. :) of course if you think some bug reports should be
open for specific issues, I'll be glad to follow any pointer!

-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Bug#749887: Status update

[anarcat]

Ping! Any progress here? 

When can we hope to see this in NEW or mentors?

Should we be reviewing the package?

Can't wait! :)

-- 
Every one of us is, in the cosmic perspective, precious. If a human
disagrees with you, let him live. In a hundred billion galaxies, you
will not find another.  - Carl Sagan


signature.asc
Description: Digital signature

Bug#814543: ITP: asset-collector -- collect information about the used hardware/software

[anarcat]

On 2016-02-12 14:02:53, Benjamin Drung wrote:
> I started writing the asset-collector, because I found no other tool for
> this purpose (correct me if I am wrong). I invite everyone who is
> interested in this topic to join the project.

Hmm... it seems to me there are already a bunch of tools that do similar
stuff. Of course there's dmidecode, but that's only part of what you are
trying to do. Yet I can't help but think this could be part of one of
those projects instead:

http://glpi-project.org/
http://www.ocsinventory-ng.org/
http://machdb.org/
http://www.onecmdb.org/

Anything specific your tool plans to do that is not covered above?

And is the source code available yet?

-- 
That's the kind of society I want to build. I want a guarantee - with
physics and mathematics, not with laws - that we can give ourselves
real privacy of personal communications.
 - John Gilmore

Bug#792916: RFP: keybase-client a client to access keybase services

[anarcat]

FWIW, keybase is now written in go and the main client is here:

https://github.com/keybase/client

there's a debian package available upstream:

https://keybase.io/download
https://keybase.io/docs/the_app/install_linux

... and the source for that seems to be partly here:

https://github.com/keybase/client/tree/master/packaging/linux/deb

I am not sure keybase itself is such a good thing: they have weird
practices like encouraging people to store the private key on the server
and so on. But it's an interesting project and certainly has its place
in Debian.

a.


signature.asc
Description: Digital signature

Bug#816788: borgbackup-doc: api.html build embeds datetime and i/o charset, thus making package unreproducible

[anarcat]

https://github.com/borgbackup/borg/issues/399

It would be useful to contribute / share information with upstream
regarding this here. 

A.

-- 
Dr. King’s major assumption was that if you are nonviolent, if you
suffer, your opponent will see your suffering and will be moved to
change his heart. He only made one fallacious assumption: In order for
nonviolence to work, your opponent must have a conscience. The United
States has none.
- Stokely Carmichael


signature.asc
Description: Digital signature

Bug#813313: raising severity to important

[anarcat]

On Tue, Feb 09, 2016 at 03:24:03PM +0100, Holger Levsen wrote:
> control: severity -1 important

This is typical of Python apps that depend only on urllib and so on. I
have had the same problem in the sopel IRC bot and solved it by
switching to using the Requests library:

https://github.com/sopel-irc/sopel/pull/988

requests is so simple to use that the change makes the code actually
easier to read and shorter, not to mention faster..

a.


signature.asc
Description: Digital signature

Bug#804698: RFP: muchsync -- synchronize maildirs and notmuch databases

[anarcat]

On Tue, Nov 10, 2015 at 11:24:27AM -0500, Antoine Beaupré wrote:
>  * it works! or at least i think it does: i'm testing it right now

Actually, it doesn't work: I sent an email to the upstream author about
this and to the notmuch mailing list, but basically, here it eats up all
memory before being killed by the OOM-killer. (~11GB of mail).

A.

-- 
It will be a great day when our schools get all the money they need
and the air force has to hold a bake sale to buy a bomber.
- Unknown

Bug#812401: cpio: CVE-2016-2037: out-of-bounds write

[anarcat]

I can't actually reproduce with the test case provided on oss-security:

(gdb) run -i < ../overflow.cpio
Starting program: /bin/cpio -i < ../overflow.cpio
[Thread debugging using libthread_db enabled]
Using host libthread_db library
"/lib/x86_64-linux-gnu/libthread_db.so.1".
/bin/cpio: Malformed number000
/bin/cpio: warning: skipped 8 bytes of junk
/bin/cpio: Substituting `.' for empty member name
/bin/cpio: . not created: newer or same age version exists
/bin/cpio: premature end of file
[Inferior 1 (process 191) exited with code 02]

Did i miss anything?


signature.asc
Description: Digital signature

Bug#809136: borgbackup: Mention API incompatibilities in README

[anarcat]

On Mon, Jan 11, 2016 at 01:46:48PM +0100, Danny Edel wrote:
[...]
> Please state whether you think this (write README and hope user actually
> reads it) is an appropriate solution to the compatibility problem,
> meaning we could close the bug this way.
[...]
> [2]:
> https://anonscm.debian.org/cgit/collab-maint/borgbackup.git/tree/debian/README.Debian

The readme is not quite accurate: *some* borg versions are actually
compatible across the network. It's only on the 0.29 boundary that there
is a problem.

It also refers to a non-existent backport, but i guess we can trust this
will come to fruitition soon. :)

Otherwise i do think this bug can be closed now.

a.

-- 
Si les triangles avaient un Dieu, ils lui donneraient trois côtés.
- Montesquieu, Lettres persanes


signature.asc
Description: Digital signature

Bug#807826: redmine: CVE-2015-8537: Data disclosure in atom feed

[anarcat]

And of course I forgot the patch:

diff --git a/app/views/journals/index.builder b/app/views/journals/index.builder
index a81ff98..7d90346 100644
--- a/app/views/journals/index.builder
+++ b/app/views/journals/index.builder
@@ -19,7 +19,7 @@ xml.feed "xmlns" => "http://www.w3.org/2005/Atom"; do
   end
   xml.content "type" => "html" do
 xml.text! ''
-details_to_strings(change.details, false).each do |string|
+details_to_strings(change.visible_details, false).each do |string|
   xml.text! '' + string + ''
 end
 xml.text! ''

Fairly trivial, and should be portable to all current versions. This is
basically 7e423fb4538247d59e01958c48b491f196a1de56 but stripping the
tests to ease backporting.

Not tested.


signature.asc
Description: Digital signature

Bug#807826: redmine: CVE-2015-8537: Data disclosure in atom feed

[anarcat]

Control: notfound -1 1.0.1-2
Control: notfound -1 1.0.1-2+deb6u11
Control: found -1 1.1.2-2~bpo60+1

I have review the Redmine code for CVE-2015-8537 and it turns out the
vulnerable code is not present in 1.0.1, but is present in 1.1 and 1.4
which makes everything from squeeze-backports and up vulnerable.

A.

-- 
Thousands of candles can be lit from a single candle
And the life of the candle will not be shortened.
Happiness never decreases by being shared.
 - Buddha


signature.asc
Description: Digital signature

Bug#638422: url changed

[anarcat]

The project is now at:

https://github.com/rfrail3/tuptime

I have tried to run this from the source, and it's pretty cool:

$ tuptime
System startups:3   since   15:49:13 2015-08-07
System shutdowns:   1 ok   -   1 bad
System uptime:  100.0 %   -   107 days, 7 hours, 27 minutes and 26 
seconds
System downtime:0.0 %   -   1 minute and 47 seconds
System life:107 days, 7 hours, 29 minutes and 14 seconds

Largest uptime: 94 days, 6 hours, 15 minutes and 48 seconds   from   
15:49:13 2015-08-07
Shortest uptime:2 days, 12 hours, 59 minutes and 15 seconds   from   
21:05:49 2015-11-09
Average uptime: 35 days, 18 hours, 29 minutes and 9 seconds

Largest downtime:   58 seconds   from   10:05:04 2015-11-12
Shortest downtime:  48 seconds   from   21:05:01 2015-11-09
Average downtime:   36 seconds

Current uptime: 10 days, 12 hours, 12 minutes and 24 seconds   since   
10:06:03 2015-11-12

The source tree is prtty weird however. Instead of having the usual
`debian/` directory, there's a `deb-package` one, with the `.deb` *in
the git repo!*

I have reported that issue here:

https://github.com/rfrail3/tuptime/issues/11

Hopefully, this may enlighten us on how the .deb was created and maybe
we could reuse that...

-- 
The problem is not a lack of highly educated workers, the problem is a
lack of highly educated workers willing to work for the minimum wage or
lower in the U.S. Costs are driving outsourcing, not the quality of
American schools.   - Scott Kirwin, IT Professionals Association

Bug#753648: [Pkg-utopia-maintainers] Bug#753648: Bug#753648: network-manager: Connecting to an encrypted WLAN fails with `received an invalid or unencryptable secret`

[anarcat]

I can confirm this behaviour here.

I am running only nm-applet (on top of course of the system-wide
NetworkManager daemon). Sometimes, out of the blue, some networks won't
work. For example here, i have an internal *and* external wifi card. NM
can connect to network "foo" fine with the internal card, but the
external card yields this error:

nov 08 21:37:18 angela NetworkManager[921]:  Activation (wlan1) starting 
connection 'foo'
nov 08 21:37:18 angela NetworkManager[921]:  Activation (wlan1) Stage 1 
of 5 (Device Prepare) scheduled...
nov 08 21:37:18 angela NetworkManager[921]:  Activation (wlan1) Stage 1 
of 5 (Device Prepare) started...
nov 08 21:37:18 angela NetworkManager[921]:  (wlan1): device state 
change: disconnected -> prepare (reason 'none') [30 40 0]
nov 08 21:37:19 angela NetworkManager[921]:  Activation (wlan1) Stage 2 
of 5 (Device Configure) scheduled...
nov 08 21:37:19 angela NetworkManager[921]:  Activation (wlan1) Stage 1 
of 5 (Device Prepare) complete.
nov 08 21:37:19 angela NetworkManager[921]:  Activation (wlan1) Stage 2 
of 5 (Device Configure) starting...
nov 08 21:37:19 angela NetworkManager[921]:  (wlan1): device state 
change: prepare -> config (reason 'none') [40 50 0]
nov 08 21:37:19 angela NetworkManager[921]:  Activation (wlan1/wireless): 
access point 'foo' has security, but secrets are required.
nov 08 21:37:19 angela NetworkManager[921]:  (wlan1): device state 
change: config -> need-auth (reason 'none') [50 60 0]
nov 08 21:37:19 angela NetworkManager[921]:  Activation (wlan1) Stage 2 
of 5 (Device Configure) complete.
nov 08 21:37:19 angela NetworkManager[921]:  No agents were available for 
this request.
nov 08 21:37:19 angela NetworkManager[921]:  (wlan1): device state 
change: need-auth -> failed (reason 'no-secrets') [60 120 7]
nov 08 21:37:19 angela NetworkManager[921]:  Activation (wlan1) failed 
for connection 'foo'
nov 08 21:37:19 angela NetworkManager[921]:  (wlan1): device state 
change: failed -> disconnected (reason 'none') [120 30 0]
nov 08 21:37:19 angela NetworkManager[921]:  (wlan1): deactivating device 
(reason 'none') [0]

What's odd is that it works with the internal card fine. I tried
removing items from the config, they are recreated when using the
internal card (which is also odd).

This bug looks like those as well:

https://bbs.archlinux.org/viewtopic.php?id=203374
http://forum.xfce.org/viewtopic.php?id=7458
http://ubuntuforums.org/showthread.php?t=1973863

so it is probably not debian specific, but seems common with non-Gnome
setup (e.g. XFCE above).

Oddly enough here, restarting `nm-applet` fixes the problem. It prompts
me for my gnome-keyring passphrase (which i never setup, i believe), i
dismiss that dialog and then things work fine.

really odd.

A.

Bug#792096: borg packaging

[anarcat]

Hi folks,

So what's holding up the package now?

I understand Mark's position, and I don't think the team's efforts
should be distracted at this stage. :)

Please keep going! The msgpack package was updated, so I am not sure why
this is not pushed ahead now!

Cheers,

A.


signature.asc
Description: Digital signature

Bug#762385: ITP: mailpile -- a modern fast web-mail client with user-friendly encryption and privacy features.

[anarcat]

On Sun, Sep 21, 2014 at 06:21:58PM +, u wrote:
> Package: wnpp
> Severity: wishlist
> Owner: Ulrike Uhlig 
> 
> * Package name: wnpp
>   Version: 0.4.0
>   Upstream Author: Mailpile Team 
> * URL: https://mailpile.is
> * License: AGPL v3
>   Programming Lang: Python
> 
> Mailpile is a modern, fast web-mail client with user-friendly encryption
> and privacy features.
> Mailpile's primary user interface is web-based, but it also has a basic
> command-line interface and an API for developers. Using web technology
> for the interface allows Mailpile to function both as a local desktop
> application (accessed by visiting localhost in the browser) or a remote
> web-mail on a personal server or VPS.

What's the status on this ITP?

Relevant upstream docs i found were:

https://github.com/mailpile/Mailpile/wiki/Getting-started-on-linux
https://www.mailpile.is/download/

a.

-- 
The problem is not a lack of highly educated workers, the problem is a
lack of highly educated workers willing to work for the minimum wage or
lower in the U.S. Costs are driving outsourcing, not the quality of
American schools.   - Scott Kirwin, IT Professionals Association


signature.asc
Description: Digital signature

Bug#739860: ITP: tox -- easy to use all-in-one communication platform

[anarcat]

Hi all,

First off, sorry for the large CC list, but it seems in order to try to
collect all the efforts here into one and put this into shape. This ITP
is blocking the entry of toxcore in Debian, and I think that's a
shame... We should already have this in Debian now!

Here are the different efforts that has been reported here:

On Sun, Feb 23, 2014 at 12:19:24PM +0100, Bartosz Feński wrote:
> Package: wnpp

Bartosz, do you have anything published here?

On Fri, Jul 04, 2014 at 05:28:11PM -0500, Mike Dupont wrote:
> I started on packaging today
> https://github.com/h4ck3rm1k3/toxcore

Mike, did you look at the work Gaffa did?

On Mon, Oct 20, 2014 at 11:19:31AM -0400, Alexandre Viau wrote:
> I intend to create a repository on collab-maint. It will be using the
> gbp recommended layout.

Was that repository created?

On Tue, Nov 25, 2014 at 03:56:21PM +0100, gaffa wrote:
> The packages are available on mentors.debian.net[1].
> 
> https://mentors.debian.net/packages/uploader/gaffa%40folkemagt.dk

That package is gone (understandably), is there another copy somewhere?

It seems to me, at this point, that someone should take the work Mike
did, merge this with gaffa's, and push this on collab-maint, or
*somewhere*!

Also you should consider examining the work that was done upstream
already; a Debian package archive is available here:

https://pkg.tox.chat

once that is all merged, then gaffa or anyone can find a mentor to
upload this, i'm happy to volunteer for that part.

On Thu, Jun 11, 2015 at 05:27:36PM +0200, Tzafrir Cohen wrote:
> Right now it seems that the software is changing too fast and should not
> go to Unstable (though may go into Experimental).
> 
> However Upstream's policy regarding ABI/API stability (or lack thereof)
> is not promising:
> 
> https://github.com/irungentoo/toxcore/issues/1353#issuecomment-104950787

as for this well, we'll just have to deal with this if we want it in
debian. i'd suggest a version number like "0~YYYMMDD.gitXXX" for
now, until upstream figures out that release engineering thing (which,
yes, is scary).

but that shouldn't keep this from hitting unstable. at worse, file an RC
bug to keep it from migrating to testing, with the reasons (e.g.
"upstream doesn't want to", "changes to fast", or whatever). that way
it's clear why it's not in a stable release, yet people can try it out.

thanks!

a.


signature.asc
Description: Digital signature

Bug#749664: horst: Conflicting declarations of function main_input to cause undefined behaviour

[anarcat]

Control: fixed -1 4.0-1

On Thu, May 29, 2014 at 12:55:30AM +0100, Michael Tautschnig wrote:
[...]
> The wrong declaration here
> 
> http://sources.debian.net/src/horst/3.0-2/display.c?hl=46#L46
> 
> will cause arbitrary truncation for values larger than 127 or any negative
> values; yet even for values that fit this range big endian systems will end up
> with an arbitrary argument value as the byte location is wrong.

Hi.

I believe this was fixed in version 4.0.

A.

-- 
C'est trop facile quand les guerres sont finies
D'aller gueuler que c'était la dernière
Amis bourgeois vous me faites envie
Ne voyez vous pas donc point vos cimetières?
- Jaques Brel


signature.asc
Description: Digital signature

Bug#717834: Fwd: Kill DEHS

[anarcat]

On Thu, Jul 25, 2013 at 05:01:46PM +0300, anatoly techtonik wrote:
> Package: qa.debian.org
> 
> DEHS service at http://dehs.alioth.debian.org/ looks alive, but in
> fact it is dead and its database is offline for almost two years,
> which is shown by multiple reports in ML over that time
> http://lists.alioth.debian.org/pipermail/dehs-devel/
> 
> It's time to kill it so that it won't confuse people anymore, and
> redirect people from http://wiki.debian.org/DEHS to something like:
> 
> 1. ROSA Upstream Tracker - see it in action -
> http://upstream-tracker.org/updates/rosa/2012/ - it is GPL'ed, so it
> should be easy to port it to Debian.

This now says it is unmaintained:

http://upstream.rosalinux.ru/

"Unfortunately, we cannot support the service anymore. Sorry for
inconvenience. The suitable replacement for this tool will be available
at github.com/lvc soon. ROSA Laboratory, 21 July 2015. "

The database itself says "has been generated on 2014-09-04"... so is
probably not a good way forward.

> 2. http://people.ubuntuwire.org/~lucas/merges.html

I am not sure how that helps.

> 3. http://duck.debian.net

Maybe?

> 4. Anything else?

So what's the solution here?

Should we bug duck people to implement this?

UDD seems to help here, but it does much more than this...

I am using the latter now, in combination with feed2imap:

- name: Debian todo
  url: 
https://udd.debian.org/dmd/?email1=anarcat%40debian.org&email2=&email3=&packages=&ignpackages=&format=rss#todo
  target: [ *target, debian-udd-todo ]

A.
-- 
Every one of us is, in the cosmic perspective, precious. If a human
disagrees with you, let him live. In a hundred billion galaxies, you
will not find another.  - Carl Sagan


signature.asc
Description: Digital signature

Bug#794678: msgpack-python: please update to the latest upstream version

[anarcat]

On Wed, Aug 12, 2015 at 11:17:21PM +0200, Marc Haber wrote:
> On Wed, Aug 05, 2015 at 04:10:56PM +, Gianfranco Costamagna wrote:
> > Hi, in order to have the latest w3af in Debian, a new msgpack-python >= 
> > 0.4.4
> > is needed, can you please update it?
> 
> Current version is 0.4.6, which is needed by borgbackup. Please update
> ;-)

I would encourage a NMU at this stage, since there seems to be no
response from the maintainer team...

Oh, and it seems the watch file isn't working, because this hasn't
detected the new package:

https://tracker.debian.org/pkg/msgpack-python

https://qa.debian.org/cgi-bin/watchfile-error.cgi?package=msgpack-python

There's a redirector available that you should be using:

https://wiki.debian.org/debian/watch#PyPI

https://pypi.debian.net/msgpack-python/watch

https://wiki.debian.org/Python/LibraryStyleGuide#debian.2Fwatch

Cheers,

A.
-- 
I would defend the liberty of consenting adult creationists to practice
whatever intellectual perversions they like in the privacy of their own
homes; but it is also necessary to protect the young and innocent.
- Arthur C. Clarke


signature.asc
Description: Digital signature

Bug#792096: borg packaging

[anarcat]

On Thu, Aug 13, 2015 at 12:04:02PM +, Gianfranco Costamagna wrote:
> Am I in?

Sure you can join! Do you have access to collab-maint?

https://wiki.debian.org/Alioth/PackagingProject

Do you need a sponsor to upload a package?

Marc, do you want to setup a more detailed packaging team? Others
proposed joining the python app packaging team:

https://wiki.debian.org/Teams/PythonAppsPackagingTeam

or a new team can be made:

https://wiki.debian.org/Teams

Or just multiple Uploaders can be specified in the control file:

https://www.debian.org/doc/debian-policy/ch-binary.html#s-maintainer

> On Wed, Aug 05, 2015 at 04:10:56PM +, Gianfranco Costamagna wrote:
> 
> > Hi, in order to have the latest w3af in Debian, a new msgpack-python >= 
> > 0.4.4
> > is needed, can you please update it?
> 
> Current version is 0.4.6, which is needed by borgbackup. Please update
> ;-)

... indeed...

a.
-- 
Men often become what they believe themselves to be. If I believe I
cannot do something, it makes me incapable of doing it. But when I
believe I can, then I acquire the ability to do it even if I didn't
have it in the beginning.
 - Mahatma Gandhi


signature.asc
Description: Digital signature

Bug#695878: new mutt-kz package

[anarcat]

On Wed, Jun 17, 2015 at 10:52:16AM +0200, Alberto Garcia wrote:
> On Wed, Jun 17, 2015 at 10:45:28AM +0200, Víctor M. Jáquez L. wrote:
> 
> > > Other than that, the package looks much better now. I still
> > > haven't checked all little details, though, but I think this is
> > > almost ready for uploading.
> > > 
> > > Do we have an ITP bug for mutt-kz? I haven't found it.
> > 
> > I haven't posted a ITP bug. I'll do it.
> 
> I've seen that Clint sponsored the current package.
> 
> Clint, doesn't this need an ITP first? Is it enough with the RFP
> (#698672)?

I believe the RFP is sufficient, and that the package's changelog should
close the RFP.

Can't wait to start using mutt again. :)

A.

-- 
Un éducateur dans l'âme ne prend rien au sérieux que par rapport
à ses disciples -- soi-même non excepté.
- Nietzsche, "Par delà le bien et le mal"


signature.asc
Description: Digital signature

Bug#448638: RFP: i2p -- I2P is an anonymizing network

[anarcat]

On Wed, Nov 26, 2014 at 02:56:58AM +, kytv wrote:
> 
> Control: retitle -1 ITP: i2p -- I2P is an anonymizing network
> Control: owner -1 killyou...@i2pmail.org
> 
> 
> intrigeri wrote:
> > kytv wrote (20 Nov 2014 03:08:58 GMT) :
> >> On Mon, 17 Nov 2014 12:01:12 + (UTC)
> >> intrigeri  wrote:
> > 
> >>> Now that you've started contributing to Debian, maybe you would be
> >>> interested in maintaining I2P directly in there? This would make the
> >>> Tails release process and source tree a bit simpler :)
> > 
> >> Yes, I would certainly be willing to do so.
> > 
> > \o/
> > 
> > I think the next formal step is to retitle this bug to ITP and set
> > yourself as the owner, then :)
> 
> Let's see if I did it correctly...

Looks like you did! :)

Now, the next step is to actually upload the package, is this something
that's coming soon?

Thanks!

a.

-- 
I'm sorry if any of you are catholic. I'm not sorry if you're
offended, I'm actually just sorry by the fact that you're catholic
 - Bill Hicks


signature.asc
Description: Digital signature

Bug#695878: new mutt-kz package

[anarcat]

On Sun, Sep 07, 2014 at 10:43:26PM +0200, Stefano Zacchiroli wrote:
> Heya, +1 as well on the desire of having mutt-kz in Debian.

+1 as well...
 
> Has anyone verified with the security team if either approach would be
> acceptable for them?
> 
> What's the opinion of the Mutt maintainer on the two approaches?

No idea about either, but either upload should probably close #698672
(the RFP for mutt-kz I opened without knowing about this bug) when done.

I'd be curious to hear if there is any progress here as well now...

Cheers!

-- 
A man is none the less a slave because he is allowed to choose a new
master once in a term of years.
 - Lysander Spooner


signature.asc
Description: Digital signature

Bug#698672: RFP: mutt-kz -- text-based mailreader supporting MIME, GPG, PGP and threading, with notmuch support

[anarcat]

Here, note that there's a discussion about integrating this directly
into the mutt package, here:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695878

a.

-- 
La mer, cette grande unificatrice, est l'unique espoir de l'homme.
Aujourd'hui plus que jamais auparavant, ce vieux dicton dit
littéralement ceci: nous sommes tous dans le même bateau.
- Jacques Yves Cousteau - Océanographe


signature.asc
Description: Digital signature

Bug#538067: status of the opencpn PPA for inclusion in Debian

[anarcat]

On Wed, Jan 07, 2015 at 08:52:55PM -0600, Pavel Kalian wrote:
> Hi...

Hi Pavel,

> I'm an upstream developer and managing the PPA on Launchpad.

Thanks for chiming in! It's certainly a good way to try to resolve this
in the long run. :)

(and sorry for the delay, i wasn't in cc to the bug report so i didn't
see you reply until today.)

> It certainly is more messy than needs to be, but it serves it's purpose,
> which is to get the packages to the user in a way he can digest...

Yeah, and I can certainly appreciate that! I certainly appreciate
instructions on how to use this in jessie, for example. :)

For the record, on Jessie, i am able to install the package from the
Trusty PPA here:

deb http://ppa.launchpad.net/opencpn/opencpn/ubuntu trusty main

I do need to install wxwidgets from sid however, as mentionned in the
upstream instructions.

I would have been able to install the wxwidgets packages from wheezy
(which seems like a better option than sid IMHO) if the dependencies
were a little more relaxed (>= 2.8.12.1 instead of >= 2.8.12.1+dfsg).
Unless of course that's an actual hard dependency requirement.

> With the upcoming 4.0 release I have modularized the packages to certain
> extent, separating the docs, tide data and GSHHS shorelines as they are
> logical components.

That's great news. I haven't reviewed the result but that seems like a
huge improvement already.

> I currently do no effort to clean the .orig sources off stuff not needed
> on Linux, but it is on my list past the release.

Frankly, I don't think it's that critical. The most important point
right now is to ensure there are sources for all the binaries provided
with the package.

Code deduplication is a "should", not a "must" in Debian, IIRC,
especially if there are actually no other copies!

> We've put some effort into clarifying the license info etc. over time to
> make packaging for Debian possible, but without further feedback from
> you, finishing it in an acceptable way will keep having low priority -
> we simply lack manpower to study the requirements in-depth.

Understood. That seems perfectly reasonable. From what I understand,
most of the actual licensing issues are gone. According to a quick
review I did in october, all that was necessary was to remove copies of
wxwidgets, the .git directory, zlib, bzip and tinyxml. I believe those
were probably all "convenience copies of code" (ch. 4.13 in the debian
policy):

http://www.debian.org/doc/debian-policy/ch-source.html#s-embeddedfiles

So creating a tarball without those *should* be done, but it's not
absolutely necessary, unless there are still (for example) DLLs without
source. What is necessary however is the built package
should *not* use the convenience copies but link to the existing
libraries, to make security upgrades easy and (basically) possible.

Another nice thing would be to build against wxwidgets 3.0: is that
possible at all? A quick search led me to believe it is how opencpn is
compiled in Windows and OSX... Since jessie doesn't ship with 2.8
anymore (for reasons I cannot fathom), compiling against 3.0 means it
would be possible to backport to jessie and even, in fact, all the way
back to wheezy and squeeze, since those also have wxwidget 3.0
backports!

> Thanks for trying to clean up our mess

Well, to be fair, it's an amazing work you guys are doing. I'm just
sitting on the sidelines ranting that my computer isn't working the way
it should be. Sorry about that. :)

I hope my feedback here still has some use, and certainly hope to see
opencpn land in Debian at some point.

And to be real clear, I would be happy to sponsor your package once it:

 1. doesn't compile against convenience copies
 2. doesn't ship binaries without source
 3. builds against 3.x (optional)
 4. doesn't ship convenience copies of code (optional)
 
Do you think the current package fits those requirements?

In fact, I will need this package running in production fairly soon, so
it would make sense for me to push again in that direction. :)

Sorry we missed jessie. We can still make it to backports though. ;)

Hold fast,

A.


signature.asc
Description: Digital signature