Bug#863626: unblock: dns-root-data/2017041101

2017-05-29 Thread Ondřej Surý 
Hi Jonathan,

my mistake. Somehow I thought the 2017020200 has been already unblocked
for testing.

I did the 2017041101 build and unblock bug in parallel, and I have just
uploaded the package to unstable.

So for the 2015052300+h+1 -> 2017020200 changes:

* This fixes FTBFS because:
  a) ICANN/IANA doesn't provide OpenPGP signatures anymore
  b) The parsing was broken with introduction of second key

This includes changes in d/rules + new parse-root-anchors.sh script.

* Several dead-upstream ICANN files were removed from the package:
 - draft-icann-dnssec-trust-anchor.html
 - draft-icann-dnssec-trust-anchor.txt
 - icannbundle.p12
 - icann.pgp
 - root-anchors.p7s

(e.g. in fact it was a removal of ICANN-copyright document)

The licensing on ICANN files was acked by ftp-masters as OK.

$ diffstat dns-root-data_2017020200.debdiff

 /home/ondrej/tmp/wrtzCZn7bu/dns-root-data-2017020200/icann.pgp   
 |binary
 /home/ondrej/tmp/wrtzCZn7bu/dns-root-data-2017020200/icannbundle.p12 
 |binary
 /home/ondrej/tmp/wrtzCZn7bu/dns-root-data-2017020200/root-anchors.p7s
 |binary
 dns-root-data-2017020200/debian/changelog |
   14 
 dns-root-data-2017020200/debian/control   |
5 
 dns-root-data-2017020200/debian/dns-root-data.docs|
2 
 dns-root-data-2017020200/debian/rules |
   18 
 dns-root-data-2017020200/draft-icann-dnssec-trust-anchor.html |
  555 -
 dns-root-data-2017020200/draft-icann-dnssec-trust-anchor.txt  |
  560 --
 dns-root-data-2017020200/icannbundle.pem  |
  200 +--
 dns-root-data-2017020200/parse-root-anchors.sh|
   25 
 dns-root-data-2017020200/root-anchors.asc |
7 
 dns-root-data-2017020200/root-anchors.xml |
8 
 dns-root-data-2017020200/root.hints   |
8 
 dns-root-data-2017020200/root.key |
3 
 15 files changed, 117 insertions(+), 1288 deletions(-)

Cheers,
-- 
Ondřej Surý 
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver

On Mon, May 29, 2017, at 14:47, Jonathan Wiltshire wrote:
> Control: tag -1 moreinfo
> 
> On Mon, May 29, 2017 at 02:17:30PM +0200, Ondřej Surý wrote:
> > the 2017041101 update of dns-root-data package contains:
> > 
> > - fixes to parse_root_data.sh script to unfail the non-dash
> >   shells - closes RC bug #862252 (use printf instead of echo command)
> > - update root.hints to 2017041101 version (no other change then version 
> > though)
> > - update root.key and d/rules to strip any timestamp, so the build is
> >   more or less reproducible (the get_orig_source still depends on
> >   upstream data at the time of the build, but it should be more
> >   reliable)
> > - little fixes to parse_root_data.sh script, as suggested by shellcheck:
> >   + use read -r instead of read on xml2 output data
> >   + use [:upper:]/[:lower:] instead of [A-Z]/[a-z] as tr argument
> >   + use [ a ] || [ b ] syntax instead of [ a -o b ]
> 
> This does not seem to reflect unstable right now; you have:
> 
> dns-root-data | 2015052300+h+1 | testing | source, all
> dns-root-data | 2017020200 | unstable| source, all
> 
> The delta therefore includes many more changes, including addition of an
> ICANN-copyright document with no (obvious) distribution license.
> 
> The RC bug that your request fixes is also still open, which will block
> migration anyway.
> 
> Thanks,
> 
> -- 
> Jonathan Wiltshire  j...@debian.org
> Debian Developer http://people.debian.org/~jmw
> 
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
> 


dns-root-data_2017020200.dsc
Description: Binary data


dns-root-data_2017020200.debdiff
Description: Binary data

Bug#863626: unblock: dns-root-data/2017041101

2017-05-29 Thread Jonathan Wiltshire 
Control: tag -1 moreinfo

On Mon, May 29, 2017 at 02:17:30PM +0200, Ondřej Surý wrote:
> the 2017041101 update of dns-root-data package contains:
> 
> - fixes to parse_root_data.sh script to unfail the non-dash
>   shells - closes RC bug #862252 (use printf instead of echo command)
> - update root.hints to 2017041101 version (no other change then version 
> though)
> - update root.key and d/rules to strip any timestamp, so the build is
>   more or less reproducible (the get_orig_source still depends on
>   upstream data at the time of the build, but it should be more
>   reliable)
> - little fixes to parse_root_data.sh script, as suggested by shellcheck:
>   + use read -r instead of read on xml2 output data
>   + use [:upper:]/[:lower:] instead of [A-Z]/[a-z] as tr argument
>   + use [ a ] || [ b ] syntax instead of [ a -o b ]

This does not seem to reflect unstable right now; you have:

dns-root-data | 2015052300+h+1 | testing | source, all
dns-root-data | 2017020200 | unstable| source, all

The delta therefore includes many more changes, including addition of an
ICANN-copyright document with no (obvious) distribution license.

The RC bug that your request fixes is also still open, which will block
migration anyway.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Bug#863626: unblock: dns-root-data/2017041101

2017-05-29 Thread Ondřej Surý 
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package dns-root-data

Dear release team,

the 2017041101 update of dns-root-data package contains:

- fixes to parse_root_data.sh script to unfail the non-dash
  shells - closes RC bug #862252 (use printf instead of echo command)
- update root.hints to 2017041101 version (no other change then version though)
- update root.key and d/rules to strip any timestamp, so the build is
  more or less reproducible (the get_orig_source still depends on
  upstream data at the time of the build, but it should be more
  reliable)
- little fixes to parse_root_data.sh script, as suggested by shellcheck:
  + use read -r instead of read on xml2 output data
  + use [:upper:]/[:lower:] instead of [A-Z]/[a-z] as tr argument
  + use [ a ] || [ b ] syntax instead of [ a -o b ]

unblock dns-root-data/2017041101

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 
'experimental')
Architecture: amd64
 (x86_64)

Kernel: Linux 4.4.0-67-generic (SMP w/24 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 3.0 (native)
Source: dns-root-data
Binary: dns-root-data
Architecture: all
Version: 2017041101
Maintainer: Debian DNS Maintainers 
Uploaders: Ondřej Surý , Robert Edmonds 
Homepage: https://data.iana.org/root-anchors/
Standards-Version: 3.9.6
Vcs-Browser: http://git.debian.org/?p=pkg-dns/dns-root-data.git;a=summary
Vcs-Git: git://git.debian.org/pkg-dns/dns-root-data.git
Build-Depends: debhelper (>= 8.0.0), unbound-anchor, openssl, ldnsutils, xml2
Package-List:
 dns-root-data deb misc optional arch=all
Checksums-Sha1:
 36bfc25763062a4ccc784ced1d821faf8a3f442e 14316 dns-root-data_2017041101.tar.xz
Checksums-Sha256:
 c88bb15f1e16dba1a525928e190999fdc70b16d06e40f2aa9c7b81c4740c30d5 14316 
dns-root-data_2017041101.tar.xz
Files:
 4982844cb0e3b0223fdc93bf9671adc3 14316 dns-root-data_2017041101.tar.xz

-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEMLkz2A/OPZgaLTj7DJm3DvT8uwcFAlksENtfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDMw
QjkzM0Q4MEZDRTNEOTgxQTJEMzhGQjBDOTlCNzBFRjRGQ0JCMDcACgkQDJm3DvT8
uwf1vA/9HNXfzN7Z8tUuDm40HsXrCR6vK1KfGpcsoYkqZtyqEnkCSwCjzBCpuXzd
IO9bVVzQaUkzvxVK8Gq0hJaKri7BUKmgRTg9v8MmcIoqmmyi3TIxU5NFUbTgFwaj
qy47bq/gNVJUrYGQJssSE70fHv1iCwWT3Y3xHNdNJfkjiOqIgqgJwB7RzXcPZjgF
ZqzUWelV6vDUE1OsOCo2a8hLRGZa11qK/mbZ8eBhYOwVzf6S/z/tZ7L2y2oUEC3J
u2et1PweqCmQPNC2Xs9KRya9XdFBuMRt4x3EPHygG0u8sziioVaHeNgfNP66gU2g
FlADNfrgS7KLTwXlfHkJ1JLW5/9Zbce3HFdfNGBwESxWSPLJRhCVcycN3N/71T/h
aycV57+hG+rHGOsCdNa9c79KrriikrokBilA31NDmOH77wk6g88EhYtvG7TRbd3S
sCAYPdk06aIAz2V8nMOXATag5iLRrtdlcJaqvmpfB2NyrXWXOlgb0mTc912ACY6B
seDPD3OAmVG5ubOUkBSMyQj7tabjOKkHu+ioYOs3AEYVyIlFxfvle4GwPb6XLaze
gaf5ECU4UdZb/7ARKcX3PEL/UQXxIH3F7CExliqQZ/kqqXD0nWcS16I/BuW+YkwP
86k6ofr1/oxiHbdkFEQvSAocbv2GN74jO2R1Q6p7ptv7K4Ey8Og=
=pbH7
-END PGP SIGNATURE-
diff -Nru dns-root-data-2017020200/debian/changelog 
dns-root-data-2017041101/debian/changelog
--- dns-root-data-2017020200/debian/changelog   2017-03-22 09:06:08.0 
+0100
+++ dns-root-data-2017041101/debian/changelog   2017-05-29 14:05:37.0 
+0200
@@ -1,3 +1,12 @@
+dns-root-data (2017041101) unstable; urgency=medium
+
+  * Fix parse-root-anchors.sh in non-dash shells (Closes: #862252)
+  * Update to 2017041101 version of root zone
+  * Remove timestamps from root.key to make the build reproducible
+  * Shell syntax cleanup
+
+ -- Ondřej Surý   Mon, 29 May 2017 14:05:37 +0200
+
 dns-root-data (2017020200) unstable; urgency=medium
 
   * Update to 2016102001 version of the root.zone
diff -Nru dns-root-data-2017020200/debian/rules 
dns-root-data-2017041101/debian/rules
--- dns-root-data-2017020200/debian/rules   2017-03-22 09:06:08.0 
+0100
+++ dns-root-data-2017041101/debian/rules   2017-05-29 14:05:37.0 
+0200
@@ -32,6 +32,6 @@
/usr/sbin/unbound-anchor \
-a $(CURDIR)/root-auto.key \
-c $(CURDIR)/icannbundle.pem || echo "Check the root-auto.key"
-   < root-auto.key grep -Ev "^($$|;)" > root.key
+   < root-auto.key grep -Ev "^($$|;)" | sed -e 's/ ;;count=.*//' > root.key
rm root-auto.key
wget -O $(CURDIR)/root.hints "http://www.internic.net/domain/named.root;
diff -Nru dns-root-data-2017020200/parse-root-anchors.sh 
dns-root-data-2017041101/parse-root-anchors.sh
--- dns-root-data-2017020200/parse-root-anchors.sh  2017-03-22 
09:06:08.0 +0100
+++ dns-root-data-2017041101/parse-root-anchors.sh  2017-05-29 
14:05:37.0 +0200
@@ -5,19 +5,19 @@
 TTL=172800
 
 export