Bug#983876: unblock: otrs2/6.0.32-1
Hi

On 16.03.21 at 20:28, Paul Gevers wrote:
> Control: tags -1 moreinfo
>
> Hi Patrick,
>
> On 15-03-2021 15:12, Patrick Matthäi wrote:
>> reopen #983876
>> thanks
>>
>> On 02.03.21 at 19:38, Paul Gevers wrote:
>>> Hi Patrick,
>>>
>>> On 02-03-2021 16:58, Patrick Matthäi wrote:
>>>> I just uploaded the otrs2 6.0.32 package to experimental. Could I have
>>>> your ACK for bullseye? :-)
>>> otrs2 is neither a key package [1], nor listed on the (build-)essential
>>> list [1]. As long as you follow the soft freeze rules [3] and ensure
>>> that the package migrates before the start of the hard freeze
>>> (12-03-2021), there is nothing for us to unblock. I'm wondering if and
>>> suspect that you are asking our permission to upload a new upstream
>>> source. It's hardly doable for us to do that for all packages in Debian,
>>> so we expect you honor the freeze rules and make the judgement yourself
>>> if a new upstream version for your package is appropriate at this state.
>>>
>>> Paul
>>>
>>> [1] https://udd.debian.org/cgi-bin/key_packages.yaml.cgi
>>> [2] https://release.debian.org/bullseye/essential-and-build-essential.txt
>>> [3] https://release.debian.org/bullseye/freeze_policy.html#soft
>>>
>> Hi,
>>
>> I uploaded the release to unstable just one hour after your mail and
>> there were still 10 days for the package to migrate. But the migration
>> process was not done before the freeze so now I need an unblock:
>>
>> * Migration status for otrs2 (6.0.30-2 to 6.0.32-2): BLOCKED: Needs an
>> approval (either due to a freeze, the source suite or a manual hint)
>> * Too young, only 12 of 20 days old
>>
>> Now it needs also 10 days more, but in two days 6.0.30 should be
>> AUTORMed from testing :(
>>
> The diff is not reviewable:
> 5637 files changed, 151250 insertions(+), 29937 deletions(-)
>
> If you think you can provide a diff that can be reviewed, please provide
> one, but please show how you filtered the diff too.
>
> Paul

I have attached a filtered diff.
Steps to reproduce:

1) find otrs2-6.0.32/ -type f -exec sed 's/Copyright (C) 2001-2021 OTRS AG/Copyright (C) 2001-2020 OTRS AG/g' -i {} \;

To filter out copyright changes on most files (a few small ones are still in the diff)

2) diff -Naur otrs2-6.0.30/ otrs2-6.0.32/ -x ckeditor-4.7.0 -x ckeditor-4.16.0 -x "*.png" -x "*.po" -x ARCHIVE -x development -x Selenium -x spec -x auto_build -x CHANGES.md -x .pc -x .gitignore -x .github -x AUTHORS.md -x CONTRIBUTING.md -x README.md -x RELEASE -x .mailmap -x .otrs-ci.yml -x database -x test -x .weblate

Many changes are not relevant for Debian (readme files, test, auto_build, spec, development, .github etc), many other changes are just product name changes, also in database. ckeditor is relevant for this release, but..

3) all other changes are mostly only removing the not working "OTRS Business" solution stuff and updating the ckeditor to 4.16.0, which is security relevant

This is the filtered diffstat:

 Kernel/Config/Defaults.pm | 2
 Kernel/Config/Files/XML/Calendar.xml | 2
 Kernel/Config/Files/XML/Framework.xml | 63 +++-
 Kernel/Config/Files/XML/Ticket.xml | 18
 Kernel/Modules/AdminDynamicField.pm | 20 -
 Kernel/Modules/AgentTicketZoom.pm | 12 ---
 Kernel/Modules/PictureUpload.pm | 3
 Kernel/Output/HTML/Notification/AgentOTRSBusiness.pm | 16
 Kernel/Output/HTML/Notification/PackageManagerCheckNotVerifiedPackages.pm | 53 --
 Kernel/Output/HTML/Templates/Standard/AdminAppointmentNotificationEvent.tt | 8 --
 Kernel/Output/HTML/Templates/Standard/AdminCloudServices.tt | 8 --
 Kernel/Output/HTML/Templates/Standard/AdminDynamicField.tt | 32
 Kernel/Output/HTML/Templates/Standard/AdminGenericInterfaceWebservice.tt | 14 ---
 Kernel/Output/HTML/Templates/Standard/AdminNotificationEvent.tt | 8 --
 Kernel/Output/HTML/Templates/Standard/AdminPackageManager.tt | 47 +---
 Kernel/Output/HTML/Templates/Standard/AdminProcessManagement.tt | 11 --
 Kernel/Output/HTML/Templates/Standard/AdminSystemConfiguration.tt | 2
 Kernel/Output/HTML/Templates/Standard/AdminSystemConfigurationDeployment.tt | 9 +-
 Kernel/Output/HTML/Templates/Standard/AgentAppointmentEdit.tt | 6 -
 Kernel/Output/HTML/Templates/Standard/Copyright.tt | 4 -
 Kernel/Output/HTML/Templates/Standard/CustomerFooter.tt | 13 ---
 Kernel/Output/HTML/Templates/Standard/Error.tt | 36 -
 Kernel/Output/HTML/Templates/Standard/Footer.tt | 13 ---
 Kernel/Output/HTML/Templates/Standard/Header.tt | 5 -
 Kernel/Output/HTML/Templates/Standard/Installer.tt | 75 ++--
 Kernel/Output/HTML/Templates/Standard/InstallerFinish.tt | 7 -
 Kernel/Output/HTML/Templates/Standard/SystemConfiguration/SettingsList.tt | 4 -
 Kernel/Output/HTML/Templates/Standard/SystemConfiguration/Sidebar/OTRSBusinessTeaser.tt | 19 -
 Kernel/Output/HTML/TicketMenu/TeaserAttachmentView.pm | 31
 Kernel/Output/PDF/Ticket.pm | 33 +++-
 Kernel/System/CommunicationChannel.pm | 6 -
 Kernel/System/Console/Command/Dev/UnitTest/Run.pm |
Bug#983876: unblock: otrs2/6.0.32-1
Control: tags -1 moreinfo

Hi Patrick,

On 15-03-2021 15:12, Patrick Matthäi wrote:
> reopen #983876
> thanks
>
> On 02.03.21 at 19:38, Paul Gevers wrote:
>> Hi Patrick,
>>
>> On 02-03-2021 16:58, Patrick Matthäi wrote:
>>> I just uploaded the otrs2 6.0.32 package to experimental. Could I have
>>> your ACK for bullseye? :-)
>> otrs2 is neither a key package [1], nor listed on the (build-)essential
>> list [1]. As long as you follow the soft freeze rules [3] and ensure
>> that the package migrates before the start of the hard freeze
>> (12-03-2021), there is nothing for us to unblock. I'm wondering if and
>> suspect that you are asking our permission to upload a new upstream
>> source. It's hardly doable for us to do that for all packages in Debian,
>> so we expect you honor the freeze rules and make the judgement yourself
>> if a new upstream version for your package is appropriate at this state.
>>
>> Paul
>>
>> [1] https://udd.debian.org/cgi-bin/key_packages.yaml.cgi
>> [2] https://release.debian.org/bullseye/essential-and-build-essential.txt
>> [3] https://release.debian.org/bullseye/freeze_policy.html#soft
>>
> Hi,
>
> I uploaded the release to unstable just one hour after your mail and
> there were still 10 days for the package to migrate. But the migration
> process was not done before the freeze so now I need an unblock:
>
> * Migration status for otrs2 (6.0.30-2 to 6.0.32-2): BLOCKED: Needs an
> approval (either due to a freeze, the source suite or a manual hint)
> * Too young, only 12 of 20 days old
>
> Now it needs also 10 days more, but in two days 6.0.30 should be
> AUTORMed from testing :(
>

The diff is not reviewable:
5637 files changed, 151250 insertions(+), 29937 deletions(-)

If you think you can provide a diff that can be reviewed, please provide one, but please show how you filtered the diff too.

Paul
Bug#983876: unblock: otrs2/6.0.32-1
reopen #983876
thanks

On 02.03.21 at 19:38, Paul Gevers wrote:
> Hi Patrick,
>
> On 02-03-2021 16:58, Patrick Matthäi wrote:
>> I just uploaded the otrs2 6.0.32 package to experimental. Could I have
>> your ACK for bullseye? :-)
> otrs2 is neither a key package [1], nor listed on the (build-)essential
> list [1]. As long as you follow the soft freeze rules [3] and ensure
> that the package migrates before the start of the hard freeze
> (12-03-2021), there is nothing for us to unblock. I'm wondering if and
> suspect that you are asking our permission to upload a new upstream
> source. It's hardly doable for us to do that for all packages in Debian,
> so we expect you honor the freeze rules and make the judgement yourself
> if a new upstream version for your package is appropriate at this state.
>
> Paul
>
> [1] https://udd.debian.org/cgi-bin/key_packages.yaml.cgi
> [2] https://release.debian.org/bullseye/essential-and-build-essential.txt
> [3] https://release.debian.org/bullseye/freeze_policy.html#soft
>

Hi,

I uploaded the release to unstable just one hour after your mail and there were still 10 days for the package to migrate. But the migration process was not done before the freeze so now I need an unblock:

* Migration status for otrs2 (6.0.30-2 to 6.0.32-2): BLOCKED: Needs an approval (either due to a freeze, the source suite or a manual hint)
* Too young, only 12 of 20 days old

Now it needs also 10 days more, but in two days 6.0.30 should be AUTORMed from testing :(
Bug#983876: unblock: otrs2/6.0.32-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hello release team,

I try to cite from my mails to the security team; it's about #982927:

Yesterday I had a videocall with the owner and lead developer of OTOBO. They want to support me keeping the otrs2 source package in a good shape for Bullseye, so that users of the package don't have to worry now. Kicking the package out of Debian would not be optimal.

They also showed me https://github.com/znuny/Znuny (https://www.znuny.com/) - they also forked OTRS CE 6 and are fixing bugs and security bugs, also all known open bugs in CVE/Debian atm.

So the plan would be now:

* Switch the source of the otrs2 package to the znuny one, so that we have releases based on an open(source) maintained safe codebase => can I get the go from you for that?
* otrs packaging at all is obsolete for bullseye+1. I will package otobo, also with otobo support, and we will work on an easy way so that users later can migrate from otrs to otobo

We also spoke about the open security issues, there is indeed one in the CKEditor, but:

#980891: The way otrs uses this library it should not be possible to attack the user, mostly only the attacker himself

#982586: That's a wrong information from the OTRS AG, because it does not affect otrs 6 CE. It depends on that you use an external interface, which is available in OTRS 7 and 8 (not free) and maybe in the not-free otrs 6 package via addon, but not in the community edition, which is also packaged in Debian. XX itself is not helpful at all anymore and just wrote me **

I hope switching as fast as possible to the znuny fork for the otrs2 source package is also an option for you, I don't want to release bullseye without it -

I just uploaded the otrs2 6.0.32 package to experimental. Could I have your ACK for bullseye? :-)

-- System Information:
Debian Release: 10.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-14-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled