Bug#850967: Clarify /usr/bin/foo should not be hardcoded even in upstream parts

[Didier 'OdyX' Raboud]

Dear Ian,

while I see where you come from, and can empathize with some of your points, I 
think that Daniel's following of upstream practices in using full paths is 
both fairly common, and a valid practice in Debian Packages.

Le mercredi, 11 janvier 2017, 17.13:44 h CET Ian Jackson a écrit :
> I would like the TC to:
> 
>  * Declare that Debian policy should be clarified to say that programs
>in Debian (not just maintainer scripts) should not hardcode the
>location of the binaries in /{usr/,}{bin,sbin} they execute.

Asking the TC to declare the above seems _very_ premature to me. In 
particular, in the frame of §6.3.6, I don't think enough efforts have been put 
in resolving this via consensus. Rather, I think it _is_ a resolved issue 
(over the course of years), but that you happen to disagree with the 
consensus.

>  * Say that this applies even when the program needs to find pieces of
>the same (or closely related) package.

Reading this literally (which is what the Debian Policy is for), this would 
ask the Debian project to patch literally all its archive. For instance, that 
covers literally all shebang lines.

>  * Provide an informal opinion that this policy ought to apply to
>gpg-agent as requested in #850657.

I went and read #850657, and found myself agreeing with all points made by 
Daniel: if you want a gnupg that runs your custom gpg-agent for debugging 
purposes, building a patched src:gnupg is there for you; we provide source for 
a reason.

All-in-all, I think that the decisions you would like the TC to issue would be 
against the project's consensus, and (which is more important for TC 
decisions) wouldn't be technically sound.

I'd be in favour of closing this bug above Further Discussion.

Cheers,
OdyX

P.S. No need to reply asking me to focus on a different issue…

signature.asc
Description: This is a digitally signed message part.

Bug#841294: Global Ballot Thoughts

[Didier 'OdyX' Raboud]

Le mercredi, 30 novembre 2016, 14.11:43 h CET Sam Hartman a écrit :
> I'd really like to see the TC offer at least the following advice:
> 
> 1) We believe that strong evidence is required to hold back integrating
> new versions of software like global.  The burden of proof is on those
> who propose not to update, not on those who would like Debian to contain
> current upstream features.
> 
> 2) This burden has not been met with regard to htags and regressions
> related to htags.
> 
> 3) Delays in discussion of this issue over the year suggest that having
> more people involved in maintaining the global package would help
> address  a perception that the maintainer is blocking forward progress.

Absolutely. This would be a the very minimal statement I'd like us to emit. 

> I don't think I'd support giving global to someone else.

I would support handing global to new maintainers, really. We have 4 persons 
who have contributed to the newly-available package in experimental:
https://tracker.debian.org/news/820174
Their total work is a magnitude more than what was given to the package by the 
current maintainer in the last 6 years.

>  I don't think we even need to say "Ron you did something bad."  I do think
>  that Ron contributed to  a harmful perception that damages those who would
>  use and contribute to global in Debian.

I wouldn't support a decision where we state that Ron did something bad. It 
would be unneeded blaming (especially in a TC decision), and unnecessarily 
agressive.

I'd support a decision handing the package to better hands though. For me, it 
is now obvious that there exists a group of maintainers out there who would do 
better service to the maintenance of global, than is currently done.

> If we can find a path forward that gets a new global into Debian, I'd be
> happy only offering advice.  If we get stuck doing that, I think we need
> to overrule something.

Sure, absolutely. But its really also a question of timing, and allowing Ron 
to tell the TC (in direct words, through further NAK'ing, or through inaction) 
"fine, I've won another release with global v5 in, I'll let the package go 
after the release of stretch", we will have rewarded stop-energy and inertia, 
over service to our users.

Although we probably haven't reached consensus, I'd like to see this subject 
move forward; what about the following ballot (with options to be refined, of 
course):

A) Using §6.1.5, the TC offers advice (insert Sam's advice above) about the 
maintenance of src:global.
B) Using §6.1.2, the TC decides that the src:global maintainer is now (insert
 name)
C) Further discussion

-- 
Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#846884: cups-browsed: incomplete app armor profile

[Didier 'OdyX' Raboud]

Control: tags -1 +help

Intri: can you take a look there ? You're our apparmor reference :-)

Le samedi, 3 décembre 2016, 16.59:38 h CET Robert Fantini a écrit :
>  syslog was flooded with thousands of lines like this:
> 
> Mar 14 16:01:32 s022 kernel: [106968.865214] audit: type=1400
> audit(1457985692.167:106957): apparmor="DENIED" operation="connect"
> info="Failed name lookup - disconnected path" error=-13
> profile="/usr/sbin/cups-browsed" name="run/cups/cups.sock" pid=7006
> comm="cups-browsed" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
> 
> * I asked about this at proxmox forum [ thread:
> https://forum.proxmox.com/threads/cups-print-server-on-pve-floods-logs.2681
> 3/#post-134662 ]
> 
> and was told:
>  File a bugreport in the Debian bug tracker for the incomplete app armor
> profile, extend it locally yourself, don't use cups-browsed or don't
> confine it with apparmor (recommended in that order ;))
> 
>  uninstall cups-browsed stopped log flooding.
> 
> PS:
>  if there is any more info needed ping me.

-- 
Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#846002: blends-tasks must not be priority:important (was Re: Bug#846002: Lowering severity)

[Didier 'OdyX' Raboud]

With my Debian Printing Team member hat:

Le mardi, 6 décembre 2016, 10.18:23 h CET Philip Hands a écrit :
>   What is a print server? (CUPS) web server? (apache2)

The "print server" entry in tasksel should be rethought, as it nowadays only 
depends on CUPS, and recommends various helper drivers & co. If one really 
wants to setup a shared print server, they would install CUPS on a pristine 
Debian and configure CUPS from there on. If CUPS is "only" meant to be used as 
local print server, it should really be a recommends of the desktop tools 
caring about printing.

I don't really see the point anymore about having this entry in the d-i tasks 
selection; and would suggest to remove it entirely, and (eventually) add an 
entry in the Release Notes saying "if you want a print-server, install CUPS".

Btw, there's https://bugs.debian.org/824645 for which I put up a cleanup 
patch, but I can't push it. :/

OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1

[Didier 'OdyX' Raboud]

Le lundi, 2 janvier 2017, 18.10:15 h CET Adam D. Barratt a écrit :
> On Sun, 2017-01-01 at 11:38 +0100, Didier 'OdyX' Raboud wrote:
> > Le samedi, 31 décembre 2016, 17.10:09 h CET Adam D. Barratt a écrit :
> > > Control: tags -1 + confirmed
> > > 
> > > On Tue, 2016-12-27 at 14:18 +0100, Didier 'OdyX' Raboud wrote:
> > > > I'd like to get CVE-2015-0839 fixed in jessie, it's a no-DSA issue,
> > > > and
> > > > security team members suggested to get it fixed through stable
> > > > updates.
> > > > 
> > > > This bug is a simple 'fetching gpg key from keyservers with a short
> > > > keyid' problem, and upstream's fix is to use the full fingerprint.
> > > 
> > > Please go ahead.
> > 
> > Uploaded, thanks for the confirmation.
> 
> Automated post-upload lintian checks caught a new issue:
> 
> +E: empty-manual-page usr/share/man/man1/hp-toolbox.1.gz
> 
> and indeed:
> 
> adsb@coccia:/srv/mirrors/debian/pool/main/h/hplip$ dpkg-deb -c
> hplip-gui_3.14.6-1_all.deb | grep toolbox.1 -rw-r--r-- root/root   818
> 2014-06-15 07:31 ./usr/share/man/man1/hp-toolbox.1.gz
> adsb@coccia:/srv/mirrors/debian/pool/main/h/hplip$ dpkg-deb -c
> /srv/ftp-master.debian.org/policy/pool/main/h/hplip/hplip-gui_3.14.6-1+deb8
> u1_all.deb | grep toolbox.1 -rw-r--r-- root/root20 2016-12-27 13:48
> ./usr/share/man/man1/hp-toolbox.1.gz
> 
> Any idea what's going on there?

Ah yes. I had fixed this in b1b3f529471d15fb97d1c651f3c60901cc67131b, see 
attached patch.

This is due to new (entirely rightful) restrictions in the buildds (or in my 
sbuild setup) apparently.

So I should cherry-pick that and re-upload (re-using the 3.14.6-1+deb8u1 
version number ?) ?

-- 
Cheers,
OdyX>From b1b3f529471d15fb97d1c651f3c60901cc67131b Mon Sep 17 00:00:00 2001
From: Didier Raboud <o...@debian.org>
Date: Mon, 3 Oct 2016 11:37:37 +0200
Subject: [PATCH] Export HOME when building the manpages to permit hp-toolbox's
 manpage generation

---
 debian/rules | 1 +
 1 file changed, 1 insertion(+)

diff --git a/debian/rules b/debian/rules
index d44f11cbf..1aa626d6f 100755
--- a/debian/rules
+++ b/debian/rules
@@ -167,6 +167,7 @@ override_dh_install:
 	for file in *; do \
 			if readlink $$file | grep ".py"; then \
 PYTHONPATH=../lib/python$(PYTHON_DEFAULT_VERSION)/$(PYTHON_SITENAME)/ \
+HOME=./ \
 LD_LIBRARY_PATH=../lib/$(DEB_HOST_MULTIARCH) python3 ./$$file --help-man > $(CURDIR)/$$file.1 ; \
 			fi; \
 	done \
-- 
2.11.0

Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1

[Didier 'OdyX' Raboud]

Le mardi, 3 janvier 2017, 12.21:36 h CET Adam D. Barratt a écrit :
> You can't immediately re-use the version. Either we can reject the 
> current package and you can then upload a fixed +deb8u1, or you can 
> upload +deb8u2 which just adds the fix above.

It does make sense to re-use the same version, doesn't it? If so, please 
reject, I'll upload after that.

-- 
Cheers,
OdyX

Bug#819092: #819092 win32-loader cannot load dailies because NSISdl doesn't support https

[Didier 'OdyX' Raboud]

tags -1 +help

Le mercredi, 23 mars 2016, 16.41:21 h CET Didier 'OdyX' Raboud a écrit :
> As the title says, win32-loader currently can't download dailies, as
> d-i.debian.org has moved to enforced https.
> 
> That's a limitation of the NSISdl NSIS builtin plugin. It could be replaced
> with the Inetc plugin [0], but it isn't packaged. 
> 
> No dailies means no kfreebsd/hurd too, unfortunately.

So I've spent a good part of today trying to fix that problem.

The path I've picked was to try to in-Debian build the Inetc plugin, and then 
use that in win32-loader to download d-i assets over https securely. 
Unfortunately, that didn't work out well enough:
* the inetc plugin is not properly licensed, but assuming it is under Zlib …
* it (kinda-)builds under Debian,
* it supports the NSIS 3.0 API,
* but I couldn't manage to make it work in win32-loader, as I was having 
errors such as "Dialog error (1812)", and then "Connection error", which I 
couldn't debug.

Anyway. Here's the nsis-plugin-inetc packaging:
https://anonscm.debian.org/cgit/collab-maint/nsis-plugin-inetc.git/

As for the bug at hand, I will upload a new win32-loader targetted at stretch 
that doesn't permit dailies or alternative architectures' download (as they 
later fail anyway), and get that into stretch.

-- 
Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1

[Didier 'OdyX' Raboud]

Le samedi, 31 décembre 2016, 17.10:09 h CET Adam D. Barratt a écrit :
> Control: tags -1 + confirmed
> 
> On Tue, 2016-12-27 at 14:18 +0100, Didier 'OdyX' Raboud wrote:
> > I'd like to get CVE-2015-0839 fixed in jessie, it's a no-DSA issue, and
> > security team members suggested to get it fixed through stable updates.
> > 
> > This bug is a simple 'fetching gpg key from keyservers with a short
> > keyid' problem, and upstream's fix is to use the full fingerprint.
> 
> Please go ahead.

Uploaded, thanks for the confirmation.

-- 
Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#845651: lsb-release: --codename returns n/a on stretch without apt sources configured

[Didier 'OdyX' Raboud]

Control: tags -1 +wontfix 

Hi there Luca,

Le dimanche, 8 janvier 2017, 14.54:16 h CET Luca Boccassi a écrit :
> Any chance this could be looked at before Stretch final freeze? Thank you!

tl;dr: unfortunately not.

I have thought about this issue for some time, and I think that the result is 
actually correct. Let me explain:

When (as currently), stretch is the testing release, /etc/debian_version 
contains "stretch/sid", as shipped by base-files. It is therefore impossible 
to rely on that file to differentiate between a host running testing or 
unstable without asking apt what is actually preferred when installing 
packages (through parsing `apt-cache policy`). That's how `lsb-release --
codename` returns "sid" _xor_ "stretch".

stretch's base-files is currently in version 9.7, and ships with "stretch/sid" 
in /etc/debian_version. But if you look at base-files in the current stable 
(8+deb8u6), its /etc/debian_version currently contains "8.6", and with that, 
`lsb-release --codename` returns "jessie" consistently, and without relying on 
apt.

base-files will be updated in stretch for the release, as happened for jessie:
> * Release for jessie as stable:
>   - Use "8" as version in /etc/issue and /etc/issue.net. As usual, this
> is never expected to change once that jessie is released as Debian 8.
>   - Use 8.0 as version in /etc/debian_version. As usual, this is expected
> to change at every point release.

So, if you manually replace your /etc/debian_version's content by "9.0", you 
should get "stretch" consistently, no matter what your apt configuration is.

That's all to say that this bug is (to my belief) actually expected behaviour; 
and fixing it through forcing the codename to be interpreted as "stretch" when 
apt-cache information is unavailable would be wrong. When /etc/debian_version 
contains "potato/sid", the codename is either potato xor sid, and only apt-
cache can discriminate a testing host from a sid host. Therefore, in such a 
situation, the correct answer is actually "I can't tell", aka "n/a".

-- 
Cheers,
OdyX

Bug#850801: unblock: win32-loader/0.8.1

[Didier 'OdyX' Raboud]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
X-Debbugs-Cc: win32-loa...@packages.debian.org, ftpmas...@ftp-master.debian.org
Usertags: unblock

Please unblock-udeb package win32-loader 0.8.1. as it has some useful
stretch'ification (and is always blocked because of the manual
migration to be done by ftpmasters):

>  * As NSIS doesn't support downloading from https (#819092), and as
>d-i dailies are now on an https-enforced hosts: don't allow branch
>or kernel selection
>  * Replace the Lines screenshot by a recent softWaves screenshot

ftpmaster: please copy debian/tools/win32-loader/unstable into …/testing 

unblock-udeb win32-loader/0.8.1

Cheers, OdyX

Bug#848889: hplip-data: There are no PPDs in the package

[Didier 'OdyX' Raboud]

Control: tags -1 +pending

Le mardi, 20 décembre 2016, 15.09:16 h CET Brian Potkin a écrit :
>   This package contains data files for the HP Linux Printing
>   and Imaging System.
> 
> would reflect the situation better.

Thanks for this patch. I should really go with you through the steps of giving 
you commit access (and confidence) so as to let you do the enhancements like 
this one  yourself. It would reduce our combined work!

Do you already have an Alioth account ?

-- 
Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#840643: jessie-pu: package cups/1.7.5-11+deb8u1

[Didier 'OdyX' Raboud]

Control: tag -1 -moreinfo

Le samedi, 17 décembre 2016, 11.38:59 h CET Julien Cristau a écrit :
> > - and debdiff
> > cups_1.7.5-11+deb8u2.debdiff
> 
> The debdiff is the one we tend to look at, but it looks like it was not
> attached.

Indeed, sorry. Here it comes.

-- 
Cheers,
OdyXdiff -Nru cups-1.7.5/debian/changelog cups-1.7.5/debian/changelog
--- cups-1.7.5/debian/changelog	2015-06-09 09:45:50.0 +0200
+++ cups-1.7.5/debian/changelog	2016-10-10 10:05:10.0 +0200
@@ -1,3 +1,13 @@
+cups (1.7.5-11+deb8u2) jessie-security; urgency=high
+
+  * Disable SSLv3 and RC4 by default to address POODLE vulnerability
+(Closes: #839226)
+- Implement SSLOptions to permit the use of AllowSSLv3 and AllowRC4
+  respectively
+  * Refresh patches
+
+ -- Didier Raboud   Mon, 10 Oct 2016 10:05:10 +0200
+
 cups (1.7.5-11+deb8u1) jessie-security; urgency=high
 
   * Import 1.7 upstream fix for CERT VU#810572: Privilege escalation through
diff -Nru cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch
--- cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch	2016-10-10 09:55:05.0 +0200
@@ -27,7 +27,7 @@
LaunchdTimeout = 10;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -246,6 +246,9 @@
+@@ -248,6 +248,9 @@
  	/* SSL/TLS options */
  #endif /* HAVE_SSL */
  
diff -Nru cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch
--- cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch	2016-10-10 09:55:10.0 +0200
@@ -21,7 +21,7 @@
LaunchdTimeout = 10;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -251,6 +251,9 @@
+@@ -253,6 +253,9 @@
  VAR int			IdleExitTimeout		VALUE(0);
  	/* Time after which an idle cupsd will exit */
  
@@ -51,7 +51,7 @@
  #endif /* HAVE_SYSTEMD */
 --- a/man/cupsd.conf.man.in
 +++ b/man/cupsd.conf.man.in
-@@ -521,6 +521,12 @@
+@@ -528,6 +528,12 @@
  "notify-events", "notify-pull-method", "notify-recipient-uri",
  "notify-subscriber-user-name", and "notify-user-data".
  .TP 5
diff -Nru cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch
--- cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch	2016-10-10 09:55:09.0 +0200
@@ -13,7 +13,7 @@
LogTimeFormat= CUPSD_TIME_STANDARD;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -166,7 +166,7 @@
+@@ -168,7 +168,7 @@
  	/* Allow overrides? */
  			ConfigFilePerm		VALUE(0640),
  	/* Permissions for config files */
diff -Nru cups-1.7.5/debian/patches/pidfile.patch cups-1.7.5/debian/patches/pidfile.patch
--- cups-1.7.5/debian/patches/pidfile.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/pidfile.patch	2016-10-10 09:55:08.0 +0200
@@ -24,7 +24,7 @@
  
if (!strcmp(CUPS_DEFAULT_PRINTCAP, "/etc/printers.conf"))
  PrintcapFormat = PRINTCAP_SOLARIS;
-@@ -,6 +3335,7 @@
+@@ -3370,6 +3372,7 @@
   !_cups_strcasecmp(line, "SystemGroup") ||
   !_cups_strcasecmp(line, "SystemGroupAuthKey") ||
   !_cups_strcasecmp(line, "TempDir") ||
@@ -34,7 +34,7 @@
cupsdLogMessage(CUPSD_LOG_INFO,
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -245,6 +245,8 @@
+@@ -247,6 +247,8 @@
  VAR int			SSLOptions		VALUE(CUPSD_SSL_NONE);
  	/* SSL/TLS options */
  #endif /* HAVE_SSL */
diff -Nru cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch
--- cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch	2016-10-10 09:55:07.0 +0200
@@ -11,7 +11,7 @@
 
 --- a/scheduler/ipp.c
 +++ b/scheduler/ipp.c
-@@ -8249,6 +8249,11 @@
+@@ -8206,6 +8206,11 @@
ipp_attribute_t	*attr,		/* Current attribute */
  			*attr2,		/* Job attribute */
  			*prev2;		/* Previous job attribute */
@@ -23,7 +23,7 @@
  
  
   /*
-@@ -8310,6 +8315,85 @@
+@@ -8267,6 +8272,85 @@
}
  
   /*
diff -Nru cups-1.7.5/debian/patches/series cups-1.7.5/debian/patches/series
--- cups-1.7.5/debian/patches/series	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/series	2016-10-10 09:54:51.0 +0200
@@ -6,6 +6,7 @@
 str4500-cupsGetPPD3-Only-use-symlink-if-file-is-readable-STR.patch
 str4551-fix-buffer-overflow-in-cupsRasterReadPixels.patch
 

Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1

[Didier 'OdyX' Raboud]

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear RT,

I'd like to get CVE-2015-0839 fixed in jessie, it's a no-DSA issue, and
security team members suggested to get it fixed through stable updates.

This bug is a simple 'fetching gpg key from keyservers with a short
keyid' problem, and upstream's fix is to use the full fingerprint.

The debdiff is attached.

Cheers,
OdyX
diff -Nru hplip-3.14.6/debian/changelog hplip-3.14.6/debian/changelog
--- hplip-3.14.6/debian/changelog   2014-06-15 09:24:19.0 +0200
+++ hplip-3.14.6/debian/changelog   2016-12-27 09:13:54.0 +0100
@@ -1,3 +1,11 @@
+hplip (3.14.6-1+deb8u1) stable; urgency=medium
+
+  * Backport CVE-2015-0839 fix from upstream's 3.15.7: use full gpg key
+fingerprint when fetching key from keyservers
+(Closes: #787353, LP: #1432516)
+
+ -- Didier Raboud   Tue, 27 Dec 2016 09:13:54 +0100
+
 hplip (3.14.6-1) unstable; urgency=low
 
   * New upstream release
diff -Nru 
hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch
 
hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch
--- 
hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch
 1970-01-01 01:00:00.0 +0100
+++ 
hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch
 2016-12-27 09:10:11.0 +0100
@@ -0,0 +1,19 @@
+Description: Use the full key fingerprint, to fix insecure binary driver 
verification
+Bug-CVE: CVE-2015-0839
+Bug-Upstream: https://bugs.launchpad.net/hplip/+bug/1432516
+Bug-Debian: https://bugs.debian.org/787353
+Origin: vendor
+Last-Update: 2015-07-15
+
+--- a/base/validation.py
 b/base/validation.py
+@@ -40,8 +40,7 @@
+ 
+ 
+ class GPG_Verification(DigiSign_Verification):
+-
+-def __init__(self, pgp_site = 'pgp.mit.edu', key = 0xA59047B9):
++def __init__(self, pgp_site = 'pgp.mit.edu', key = 
0x4ABA2F66DBD5A95894910E0673D770CDA59047B9):
+ self.__pgp_site = pgp_site
+ self.__key = key
+ self.__gpg = utils.which('gpg',True)
diff -Nru hplip-3.14.6/debian/patches/series hplip-3.14.6/debian/patches/series
--- hplip-3.14.6/debian/patches/series  2014-04-04 17:05:13.0 +0200
+++ hplip-3.14.6/debian/patches/series  2016-12-27 09:04:13.0 +0100
@@ -18,3 +18,4 @@
 #hp-mkuri-libnotify-so-4-support.dpatch
 hpaio-option-duplex.diff
 musb-c-do-not-crash-on-usb-failure.patch
+cve-2015-0839-insecure-binary-driver-verification.patch

Bug#848692: reportbug fails with punctuation in name

[Didier 'OdyX' Raboud]

Package: reportbug
Version: 7.1.1
Tags: patch
Followup-For: Bug #848692

In reportbug/utils.py, there's a namespace collision between the "import
email" on line 38, and the use of 'email' as variable in the get_user_id
function, starting from line 282.

A possible patch is to rename 'email' to 'emailaddr' in get_user_id, see
attached patch.

Cheers,
OdyX

-- Package-specific info:
** Environment settings:
DEBEMAIL="o...@debian.org"
INTERFACE="text"

** /home/didier/.reportbugrc:
reportbug_version "7.1.1"
mode expert
ui text
realname "Didier 'OdyX' Raboud"
>From 8f7ae2aa6067b713c02004bbba174849ff513287 Mon Sep 17 00:00:00 2001
From: Didier Raboud <o...@debian.org>
Date: Tue, 27 Dec 2016 13:56:36 +0100
Subject: [PATCH] In utils.py's get_user_id, replace email with emailaddr to
 avoid namespace collision with the 'email' package

Closes: #848692
---
 reportbug/utils.py | 22 ++
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/reportbug/utils.py b/reportbug/utils.py
index 89e0991..53244aa 100644
--- a/reportbug/utils.py
+++ b/reportbug/utils.py
@@ -279,25 +279,25 @@ def get_email(email='', realname=''):
 return get_email_addr(get_user_id(email, realname))
 
 
-def get_user_id(email='', realname='', charset='utf-8'):
+def get_user_id(emailaddr='', realname='', charset='utf-8'):
 uid = os.getuid()
 info = pwd.getpwuid(uid)
-email = (os.environ.get('REPORTBUGEMAIL', email) or
+emailaddr = (os.environ.get('REPORTBUGEMAIL', emailaddr) or
  os.environ.get('DEBEMAIL') or os.environ.get('EMAIL'))
 
-email = email or find_rewritten(info[0]) or info[0]
+emailaddr = emailaddr or find_rewritten(info[0]) or info[0]
 
-if '@' not in email:
+if '@' not in emailaddr:
 if os.path.exists('/etc/mailname'):
 domainname = open('/etc/mailname').readline().strip()
 else:
 domainname = socket.getfqdn()
 
-email = email + '@' + domainname
+emailaddr = emailaddr + '@' + domainname
 
 # Handle EMAIL if it's formatted as 'Bob <bob@host>'.
-if '<' in email or '(' in email:
-realname, email = get_email_addr(email)
+if '<' in emailaddr or '(' in emailaddr:
+realname, emailaddr = get_email_addr(emailaddr)
 
 if not realname:
 realname = (os.environ.get('DEBFULLNAME') or os.environ.get('DEBNAME')
@@ -308,14 +308,12 @@ def get_user_id(email='', realname='', charset='utf-8'):
 realname = realname.replace('&', info[0].upper())
 
 if not realname:
-return email
+return emailaddr
 
 if re.match(r'[\w\s]+$', realname):
-return '%s <%s>' % (realname, email)
+return '%s <%s>' % (realname, emailaddr)
 
-addr = email.utils.formataddr((realname, email))
-
-return addr
+return email.utils.formataddr((realname, emailaddr))
 
 
 statuscache = {}
-- 
2.11.0

Bug#843128: partially solved

[Didier 'OdyX' Raboud]

Control: found -1 4.8.11-1

Le vendredi, 9 décembre 2016, 13.03:44 h CET Ben Hutchings a écrit :
> fgetty uses dietlibc, and the stable version of dietlibc still uses the
> vsyscall feature which is now disabled by default.  You can make it
> work again by adding 'vsyscall=emulate' to the kernel command line.
> 
> I'll have to reconsider whether to revert the configuration change now
> that I know dietlibc is a problem.

On a vagrant-lxc setup using Liip's drifter [0], we see two different programs 
segfaulting immediately after a vsyscall entry in syslog:

Dec 19 10:07:55 gyllingar kernel: [  834.998381] logsave[12259] vsyscall 
attempted with vsyscall=none ip:ff600400 cs:33 sp:7ffc918c1fc8 
ax:ff600400 si:4017c1 di:0
Dec 19 10:07:55 gyllingar kernel: [  834.998384] logsave[12259]: segfault at 
ff600400 ip ff600400 sp 7ffc918c1fc8 error 15
Dec 19 10:07:55 gyllingar kernel: [  834.998934] ip[12261] vsyscall attempted 
with vsyscall=none ip:ff600400 cs:33 sp:7fff467d8d18 
ax:ff600400 si:433d2f di:0
Dec 19 10:07:55 gyllingar kernel: [  834.998936] ip[12261]: segfault at 
ff600400 ip ff600400 sp 7fff467d8d18 error 15

So apparently /sbin/logsave from src:e2fsprogs and /sbin/ip from src:iproute2 
have the same problem. And this was on linux-image-4.8.0-2-amd64 4.8.11-1.

Both problems are circumvented by booting with vsyscall=emulated on the kernel 
command line.

Cheers,
OdyX

[0] https://github.com/liip/drifter

signature.asc
Description: This is a digitally signed message part.

Bug#830951: Support usb dongles via usb-modeswitch and network-manager during installation

[Didier 'OdyX' Raboud]

Le lundi, 26 décembre 2016, 14.42:08 h CET Pirate Praveen a écrit :
> I wanted to install using a Tata Photon mobile broadband, but it was not
> detected. Will this be addressed for stretch? (I have retitled the bug).

No. Not for stretch.

This needs at least usb-modeswitch{,-data} & pppd as udebs, and that's only to 
have the needed binaries in the d-i context.

Your best option is probably to start with a Live CD.

That's unfortunate, indeed, but it needs someone to work on that at the 
beginning of the development period, not its end (and I don't have bandwidth 
for that kind of work currently).

-- 
Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#847253: Updating the debian-installer-netboot-images Uploaders list

[Didier 'OdyX' Raboud]

Control: tags -1 +pending

Hi Tobias, hi Otavio,

Le mardi, 6 décembre 2016, 21.10:26 h CET Tobias Frost a écrit :
> Otavio Salvador  wishes no longer to be uploader of
> debian-installer-netboot-images.

Otavio, you'll be missed; thanks for you past work on d-i-n-i! I wish you good 
paths with, or without Debian!

I've now pushed the removal of your address from d-i-n-i's Uploaders field, it 
will be part of the next upload.

-- 
Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#845254: unblock: win32-loader/0.8.0

[Didier 'OdyX' Raboud]

Le lundi, 21 novembre 2016, 23.30:52 h CET Cyril Brulebois a écrit :
> so feel free to let this package get into testing when it's copied over
> by ftpmasters.

Le lundi, 21 novembre 2016, 21.09:46 h CET Didier 'OdyX' Raboud a écrit :
> 0.8.0 is long overdue in stretch, please let it migrate. ftpmaster: please
> copy debian/tools/win32-loader/unstable into …/testing

ftpmasters: ping ?

-- 
Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#818875: konqueror: green SSL checkbox despite expired server certificate

[Didier 'OdyX' Raboud]

Le lundi, 21 mars 2016, 11.03:13 h CET Thorsten Glaser a écrit :
> Package: konqueror
> Version: 4:15.08.3-1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> See attached screenshot – konqueror does not error out when the
> certificate is expired and even shows a green checkbox. (I may
> or may not have ACK’d the certificate in an earlier session, I
> don’t know right now, but showing a green checkbox is still
> wrong.)

https://expired.identrustssl.com/ is an online example to test that use-case, 
which I can reproduce.

konqueror is RC-buggy in stretch because of that (IMHO rightful) bug. It is 
also plagued by other bugs, I wonder if konqueror should really be shipped in 
stretch. How feasible is it to remove it ?

-- 
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#859084: unblock: win32-loader/0.8.2

[Didier 'OdyX' Raboud]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock-udeb package win32-loader 0.8.2 as it fixes a FTBFS
in stretch (and is always blocked because of the manual migration to
be done by ftpmasters):

>   * Fix dpkg-query calls to use source:* for Version and Package directly
> - Add Build-Dependency on dpkg (>= 1.16.2) for that support
> - Fixes the FTBFS revealed by loadlin's binNMU
> (Closes: #858104)

debdiff is attached.

ftpmaster: please copy debian/tools/win32-loader/unstable into …/testing 

unblock-udeb win32-loader/0.8.2

Cheers, OdyX
diff -Nru win32-loader-0.8.1/debian/changelog 
win32-loader-0.8.2/debian/changelog
--- win32-loader-0.8.1/debian/changelog 2016-12-29 20:57:22.0 +0100
+++ win32-loader-0.8.2/debian/changelog 2017-03-20 21:23:59.0 +0100
@@ -1,3 +1,14 @@
+win32-loader (0.8.2) unstable; urgency=medium
+
+  * The « Iao » release
+
+  * Fix dpkg-query calls to use source:* for Version and Package directly
+- Add Build-Dependency on dpkg (>= 1.16.2) for that support
+- Fixes the FTBFS revealed by loadlin's binNMU
+(Closes: #858104)
+
+ -- Didier Raboud   Mon, 20 Mar 2017 21:23:59 +0100
+
 win32-loader (0.8.1) unstable; urgency=medium
 
   * The « poipoi » release
diff -Nru win32-loader-0.8.1/debian/control win32-loader-0.8.2/debian/control
--- win32-loader-0.8.1/debian/control   2016-12-29 19:06:06.0 +0100
+++ win32-loader-0.8.2/debian/control   2017-03-20 21:12:00.0 +0100
@@ -4,6 +4,7 @@
 Maintainer: Debian Install System Team 
 Uploaders: Robert Millan , Didier Raboud 
, Christian Perrier 
 Build-Depends:
+ dpkg (>= 1.16.2),
  debhelper (>= 9),
  nsis (>= 2.48), nsis-pluginapi,
  mingw-w64,
diff -Nru win32-loader-0.8.1/debian/rules win32-loader-0.8.2/debian/rules
--- win32-loader-0.8.1/debian/rules 2016-12-29 20:06:05.0 +0100
+++ win32-loader-0.8.2/debian/rules 2017-03-20 21:10:08.0 +0100
@@ -13,23 +13,13 @@
 PACKAGES_LIST := $(shell set -e; \
for p in ${B_D_PACKAGES}; \
do \
-   if test `dpkg-query --showformat='x$${Source}x' --show $$p` = 
"xx"; \
-   then \
-   dpkg-query --showformat='$${Package;-25} 
$${Version;-25} 
http://ftp.debian.org/debian/pool/main/$${Package;1}/$${Package}\\n' --show 
$$p; \
-   else \
-   dpkg-query --showformat='$${Package;-25} 
$${Version;-25} 
http://ftp.debian.org/debian/pool/main/$${Source;1}/$${Source}\\n' --show $$p; \
-   fi; \
+   dpkg-query --showformat='$${source:Package;-25} 
$${source:Version;-25} 
http://ftp.debian.org/debian/pool/main/$${source:Package;1}/$${source:Package}\\n'
 --show $$p; \
done)
 
 BUILT_USING_LIST := $(shell set -e; \
for p in ${B_D_PACKAGES}; \
do \
-   if test `dpkg-query --showformat='x$${Source}x' --show $$p` = 
"xx"; \
-   then \
-   dpkg-query --showformat='$${Package} (= $${Version}), ' 
--show $$p; \
-   else \
-   dpkg-query --showformat='$${Source} (= $${Version}), ' 
--show $$p; \
-   fi; \
+   dpkg-query --showformat='$${source:Package} (= 
$${source:Version}), ' --show $$p; \
done)
 
 NSIS_VERSION  := $(shell dpkg-query -f='$${Version}' -W nsis )

Bug#858341: cups-daemon: please usr /run instead of /var/run

[Didier 'OdyX' Raboud]

Control: tags -1 +patch +pending

Hi there Russell; thanks for your report!

Le mercredi, 22 mars 2017, 00.30:13 h CET Russell Coker a écrit :
> /run has been around since 2011, I think it's time to stop using the
> /var/run symlink.  Supporting the symlink in SE Linux means supporting both
> names for the contexts used in the initial creation of files and
> directories which I want to remove.  Here's a patch to make cups not use
> /var/run:

Actually, if we are to remove /var/run usages, we might as well want to do it 
everywhere, and for all usages:
* /run/cups/$NAME.pid (in the pidfile.patch, and in the init script)
* /run/cups/printcap (through --with-printcap, managed in the postinst)
* /run/cups/certs (through --with-rundir, handled in the init script and in 
the upstart script)
* /run/cups/cups.sock (through --with-rundir, used in cups.postinst and 
trigger, in the upstart script as well as in the autopkgtest

A patch for that all is attached, and, given that we have experimental, I will 
upload that soon. Thanks for the heads' up!
-- 
OdyXAuthor: Didier Raboud 
Date:   Tue Mar 21 21:15:44 2017 +0100

Use /run instead of /var/run everywhere meaningful:

* /run/cups:
  - in debian/rules; pass --with-rundir=/run/cups
  - update cups.init
* /run/cups/cupsd.pid:
  - update cups.init
  - update pidfile.patch
* /run/cups/printcap:
  - in debian/rules; update --with-printcap
  - update cups-daemon postinst
* /run/cups/cups.sock:
  - update cups postinst and postrm for the lpadmin calls
  - update the autopkgtest for the lpadmin call
  - update the libcups2 example script
  - update the upstart script
* /run/cups/certs:
  - update cups.init
  - update the upstart script

Thanks-To: Russell Coker 
Closes: #858341

diff --git a/debian/client.conf b/debian/client.conf
index 5081adeaf..b8e1c0149 100644
--- a/debian/client.conf
+++ b/debian/client.conf
@@ -34,7 +34,7 @@
 
 #
 # ServerName: the hostname of your server.  By default CUPS will use the
-# domain socket /var/run/cups/cups.sock or the value of the CUPS_SERVER
+# domain socket /run/cups/cups.sock or the value of the CUPS_SERVER
 # environment variable.
 # ONLY ONE SERVER NAME MAY BE SPECIFIED AT A TIME.  To use
 # more than one server you must use a local scheduler with browsing
diff --git a/debian/cups-daemon.cups.init b/debian/cups-daemon.cups.init
index bfb08d0ad..7b6277524 100644
--- a/debian/cups-daemon.cups.init
+++ b/debian/cups-daemon.cups.init
@@ -19,7 +19,7 @@
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 DAEMON=/usr/sbin/cupsd
 NAME=cupsd
-PIDFILE=/var/run/cups/$NAME.pid
+PIDFILE=/run/cups/$NAME.pid
 DESC="Common Unix Printing System"
 SCRIPTNAME=/etc/init.d/cups
 
@@ -28,8 +28,8 @@ unset TMPDIR
 # Exit if the package is not installed
 test -x $DAEMON || exit 0
 
-mkdir -p /var/run/cups/certs
-[ -x /sbin/restorecon ] && /sbin/restorecon -R /var/run/cups
+mkdir -p /run/cups/certs
+[ -x /sbin/restorecon ] && /sbin/restorecon -R /run/cups
 
 # Define LSB log_* functions.
 # Depend on lsb-base (>= 3.2-14) to ensure that this file is present
diff --git a/debian/cups-daemon.postinst b/debian/cups-daemon.postinst
index cf09db6bc..e485a7526 100644
--- a/debian/cups-daemon.postinst
+++ b/debian/cups-daemon.postinst
@@ -63,7 +63,7 @@ if [ "$1" = configure ]; then
 
 	printcap_file=`egrep '^Printcap ' /etc/cups/cupsd.conf | awk '{print $2}' | tail -n 1`
 	if [ -z "$printcap_file" ]; then
-	printcap_file=/var/run/cups/printcap
+	printcap_file=/run/cups/printcap
 	fi
 	if [ ! -e /etc/printcap -a -e $printcap_file ]; then
 	ln -s $printcap_file /etc/printcap
diff --git a/debian/cups-daemon.postrm b/debian/cups-daemon.postrm
index 42c01b083..25cfca367 100644
--- a/debian/cups-daemon.postrm
+++ b/debian/cups-daemon.postrm
@@ -8,7 +8,7 @@ case "$1" in
 purge)
 	rm -rf /var/lib/cups
 	rm -rf /var/log/cups
-	rm -rf /var/run/cups
+	rm -rf /run/cups
 	rm -rf /var/cache/cups
 	rm -rf /var/spool/cups
 	rm -f /etc/cups/ssl/server.crt
diff --git a/debian/cups.postinst b/debian/cups.postinst
index 143d2d2c4..093fc2220 100644
--- a/debian/cups.postinst
+++ b/debian/cups.postinst
@@ -103,7 +103,7 @@ ppd_updater () {
 	for ppd in *.ppd; do
 	[ -r "$ppd" ] || continue
 	queue=${ppd%.ppd}
-	lpstat -h /var/run/cups/cups.sock -p "$queue" >/dev/null 2>&1 || continue
+	lpstat -h /run/cups/cups.sock -p "$queue" >/dev/null 2>&1 || continue
 	nickname=`grep '\*NickName:' "$ppd" | cut -d '"' -f 2 | perl -p -e 's/\n$//' | perl -p -e "$gennicknameregexp" | perl -p -e 's/(\W)/$1/g'`
 	lang=`grep '\*LanguageVersion:' "$ppd" | cut -d ' ' -f 2 | perl -e 'print lc(<>)' | perl -p -e 's/[\r\n]//gs'`
 	ppdfound="0"
@@ -112,12 +112,12 @@ ppd_updater () {
 	tempfiles="$tempfiles $tmpfile2"
 	cat $tmpfile1 | perl -p -e "$gennicknameregexp; s/\n*$/\n/s" | grep -E '^\S+\s+.*'"$nickname"'$' 

Bug#836127: Call for Votes for new CTTE Member

[Didier 'OdyX' Raboud]

Le lundi, 3 avril 2017, 20.15:46 h CEST Philip Hands a écrit :
> ===BEGIN
> 
> The Technical Committee recommends that David Bremner  be
> appointed by the Debian Project Leader to the Technical Committee.
> 
> A: Recommend to Appoint David Bremner 
> B: Further Discussion
> 
> ===END

I vote A > B

-- 
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#860695: win32-loader: FTBFS on i386: segmentation fault

[Didier 'OdyX' Raboud]

Control: tags -1 -moreinfo +pending

Le mercredi, 19 avril 2017, 15.44:00 h CEST Sven Joachim a écrit :
> >> Relevant part (hopefully):
> > Actually:
> >> > # Prepare the README file
> >> > awk
> >> > (…)
> >> > Segmentation fault
> > 
> > `awk` segfaults here. This seems to be an awk bug, or problem. Is the
> > command- line for it too long, or is it something else?
> 
> Possibly it's the same problem as #158481.  A workaround is to use
> original-awk or gawk instead of awk (and build-depend on it, of course).
> 
> I don't feel like debugging this issue, since mawk in Debian is
> unmaintained. :-(

Thanks for the information; I've successfully reproduced the awk segfault in a 
i386 porterbox, and I can confirm the gawk replacement fixes that.

I will upload a simple fix later today.

-- 
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#860520: Voting for TC Chair

[Didier 'OdyX' Raboud]

Package: tech-ctte
Severity: normal

Dear TC members,

With the appointment of David to the TC and according to our current 
procedures¹, I am hereby announcing my immediate vacation of the chair 
position, triggering a new election. For clarity of the process, I am 
interested to continue serving as chair.

The ballot is the following:

===BEGIN===

The chair of the Debian Technical Committee will be:

A: Keith Packard 
B: Didier Raboud 
C: Tollef Fog Heen 
D: Sam Hartman 
E: Phil Hands 
F: Margarita Manterola 
G: David Bremner 
===END===

-- 
Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#860695: win32-loader: FTBFS on i386: segmentation fault

[Didier 'OdyX' Raboud]

Control: clone -1 -2
Control: reassign -2 mawk 1.3.3-17
Control: reopen -2 o...@debian.org
Control: retitle -2 mawk: segfaults on i386 during win32-loader build
Control: severity -2 serious

Le mercredi, 19 avril 2017, 17.31:26 h CEST Didier 'OdyX' Raboud a écrit :
> Le mercredi, 19 avril 2017, 15.44:00 h CEST Sven Joachim a écrit :
> > >> Relevant part (hopefully):
> > > Actually:
> > >> > # Prepare the README file
> > >> > awk
> > >> > (…)
> > >> > Segmentation fault
> > > 
> > > `awk` segfaults here. This seems to be an awk bug, or problem. Is the
> > > command- line for it too long, or is it something else?
> > 
> > Possibly it's the same problem as #158481.  A workaround is to use
> > original-awk or gawk instead of awk (and build-depend on it, of course).
> > 
> > I don't feel like debugging this issue, since mawk in Debian is
> > unmaintained. :-(
> 
> Thanks for the information; I've successfully reproduced the awk segfault in
> a  i386 porterbox, and I can confirm the gawk replacement fixes that.

Hereby cloning, reopening and reassigning to mawk, with a severity: serious. 
Will see if I can reproduce with a simpler test-case.

Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#860695: win32-loader: FTBFS on i386: segmentation fault

[Didier 'OdyX' Raboud]

Control: tags -1 +moreinfo +help

Le mercredi, 19 avril 2017, 09.28:30 h CEST Lucas Nussbaum a écrit :
> During a rebuild of all packages in stretch (in a stretch chroot, not a
> sid chroot), your package failed to build on i386.

win32-loader is a arch:all package, and is "usually" built on amd64 buildds, 
on which it builds fine. This i386-specific FTBFS has been visible through the 
reproducible builds infrastructure for a while:


https://tests.reproducible-builds.org/debian/rb-pkg/testing/i386/win32-loader.html

> Relevant part (hopefully):

Actually:

> > # Prepare the README file
> > awk
> > '{sub(/@PACKAGES_LIST@/,"grub2 2.02~beta3-5  
> > http://ftp.debian.org/debian/pool/main/g/grub2\ncpio  
> > 2.11+dfsg-6   http://ftp.debian.org/debian/pool/main/c/cpi
> > o\ngzip  1.6-5 http://ftp.debian.o
> > rg/debian/pool/main/g/gzip\ngnupg22.1.18-6
> >   http://ftp.debian.org/debian/pool/main/g/gnupg2\ndebian-archive-keyr
> > ing2014.3http://ftp.debian.org/debian/pool/main/d/
> > debian-archive-keyring\nloadlin   1.6f-5  
> >   http://ftp.debian.org/debian/pool/main/l/loadlin\nipxe  
> > 1.0.0+git-20161027.b991c6
> > http://ftp.debian.org/debian/pool/main/i/ipxe\nnsis  
> > 2.51-1http://ftp.debian.org/debian/pool/main/n/nsis\nl
> > ibgcrypt20   1.7.6-1   http://ftp.debian.org/d
> > ebian/pool/main/l/libgcrypt20\nlibgpg-error  1.26-2   
> >  http://ftp.debian.org/debian/pool/main/l/libgpg-error\n;)}1 \
> > {sub(/@NSIS_VERSION@/,"2.51-1+b1")}1 \
> > {sub(/@W32_VERSION@/,"0.8.2")}1' \
> > debian/win32-loader_doc.txt > win32-loader_0.8.2_all.txt
> > Segmentation fault

`awk` segfaults here. This seems to be an awk bug, or problem. Is the command-
line for it too long, or is it something else?

Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#860520: Voting for TC Chair

[Didier 'OdyX' Raboud]

Le mardi, 18 avril 2017, 08.58:03 h CEST Didier 'OdyX' Raboud a écrit :
> ===BEGIN===
> 
> The chair of the Debian Technical Committee will be:
> 
> A: Keith Packard 
> B: Didier Raboud 
> C: Tollef Fog Heen 
> D: Sam Hartman 
> E: Phil Hands 
> F: Margarita Manterola 
> G: David Bremner 
> ===END===

I vote:

B > E > D = C > F = G > A   

-- 
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#862051: Call for vote on allowing nodejs to provide /usr/bin/node

[Didier 'OdyX' Raboud]

Le samedi, 29 juillet 2017, 22.05:34 h CEST Tollef Fog Heen a écrit :
> === Resolution ===
> 
> The Technical Committee recognises that circumstances change in ways
> that make previous resolutions no longer appropriate.  In 2012, it was
> resolved that the nodejs package should not provide /usr/bin/node due to
> the historical conflict with the ax25-node package.  Node.js is still
> quite popular and the ax25-node package is no longer in stable, testing
> or unstable so the requirement for nodejs to not provide /usr/bin/node
> no longer applies.
> 
> The Committee therefore resolves that:
> 
> 1. The CTTE decision from 2012-07-12 in bug #614907 is repealed.
> 
> This means Debian's normal policies and practices take over and the
> nodejs package is free to provide /usr/bin/node.  The migration should
> be managed according to Debian's usual backwards-compatibility
> arrangements.
> 
> === End Resolution ===
> 
> R: Approve resolution and repeal the CTTE decision from 2012-07-12.
> F: Further Discussion

I vote R>F

-- 
OdyX

Bug#839172: TC decision regarding #741573 menu policy not reflected yet

[Didier 'OdyX' Raboud]

Control: reassign -1 debian-policy 4.0.0.4
Control: affects -1 + tech-ctte

Hi Sean,

Le mardi, 1 août 2017, 11.01:10 h CEST Sean Whitton a écrit :
> On Thu, Sep 29, 2016 at 02:55:31PM -0400, Sam Hartman wrote:
> > We also approved the decision that packages should not include both a
> > menu file and a desktop file.
> 
> For reference, Policy currently says that packages should include a
> desktop file, and may also include a menu file for the sake of old
> window managers.
> 
> So the change that was approved is:

For reference, the TC decision was announced on d-d-announce:
https://lists.debian.org/debian-devel-announce/2015/09/msg0.html

And, as far as I could tell, although the specific commit has made its way into 
Policy, point 2 of the TC decision still needs wording:
>2. In addition to those changes, the Technical Committee resolves
>   that packages providing a .desktop file shall not also provide a
>   menu file for the same application.

So yes, point 2 corresponds to your:
> - delete that paragraph
> - add a new paragraph saying "if there is a desktop file, there should
>   be no menu file"

Point 3 & 4 are up to the maintainers of 'menu'; point 5 & 6 just state where 
in policy the fine-tuning of the menu integration should happen.

> This is not strictly equivalent to "packages should not include both a
> menu file and a desktop file", but given that we have deprecated menu
> files, it seems like the right way to reflect the change.

At the risk of sounding procedural, "right way" or not, the TC has used its 
power under §6.1.1 and set policy for that change.

> > The action to draft language for that has stalled in the policy
> > process.
> 
> Is there a policy bug that got stalled?  If not, maybe this bug should
> just be reassigned to policy?

We filed that bug at times when the policy team seemed unable to get to that 
subject on its own; we also set to work on specific wording ever since (without 
success), and finally decided to assign some of us to work on that during 
DebConf17.

That said, now that thanks to new forces, the process seems vivid and strong 
again, it does indeed make sense to reassign that to Policy. I'm hereby doing 
this, marking the TC as "affected". We'd still be happy to help on the 
wording, ideally during DebConf!

Many thanks in advance for your energy to get this to closure!

Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#839172: TC decision regarding #741573 menu policy not reflected yet

[Didier 'OdyX' Raboud]

Le jeudi, 3 août 2017, 08.53:09 h CEST Didier 'OdyX' Raboud a écrit :
> Le mardi, 1 août 2017, 11.01:10 h CEST Sean Whitton a écrit :
> > On Thu, Sep 29, 2016 at 02:55:31PM -0400, Sam Hartman wrote:
> > > We also approved the decision that packages should not include both a
> > > menu file and a desktop file.
> > 
> > For reference, Policy currently says that packages should include a
> > desktop file, and may also include a menu file for the sake of old
> > window managers.
> > > The action to draft language for that has stalled in the policy
> > > process.
> > 
> > Is there a policy bug that got stalled?  If not, maybe this bug should
> > just be reassigned to policy?

I now gathered some old memories and remembered that there was indeed a bug 
about this that got stalled: #707851 (which was the TC bug). See from message 
#475 (September 2015), where I tried to push a wording quite similar to yours 
to Policy:

> +Applications that are registred in the desktop menu shall not also
> +provide a Debian menu file for the same application.

So https://lists.debian.org/debian-policy/2015/09/msg00024.html is the start 
of the thread that stalled.

I read the arguments back then as critics against the TC decision itself, not 
discussions about the wording. My argument back then (and it has not changed) 
is that now that the TC decision is made, it should find it's way into the 
Policy.

So… I'm fine with your wording, but thought it'd be useful to point at the 
previous discussion about this very subject.

Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#871668: Remote editition of local documents should be opt-in rather than opt-out

[Didier 'OdyX' Raboud]

Package: gobby
Version: 0.5.0-8.1
Severity: normal

On initial start (and upgrade), the "allow remote users to edit local
documents" checkbox is ticked. At a conference like DebConf17, it led to have
plenty of people 'pollute' the list of documents, and makes the "centralized
gobby server" use-case more confusing.

I also tend to think it's a bad default, especially as it comes along without
a requirement to enter a password.

Cheers,
OdyX

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'oldstable-proposed-updates'), 
(500, 'buildd-unstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), 
(1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.11.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_CH:fr (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gobby depends on:
ii  dpkg1.18.24
ii  libatk1.0-0 2.24.0-1
ii  libatkmm-1.6-1v52.24.2-2
ii  libc6   2.24-14
ii  libcairo-gobject2   1.14.10-1
ii  libcairo2   1.14.10-1
ii  libcairomm-1.0-1v5  1.12.2-1
ii  libgcc1 1:7.1.0-13
ii  libgdk-pixbuf2.0-0  2.36.5-2
ii  libglib2.0-02.53.4-3
ii  libglibmm-2.4-1v5   2.50.1-1
ii  libgnutls30 3.5.14-2
ii  libgsasl7   1.8.0-8+b2
ii  libgtk-3-0  3.22.17-1
ii  libgtkmm-3.0-1v53.22.1-1
ii  libgtksourceview-3.0-1  3.22.2-1
ii  libinfgtk3-0.6-00.6.7-2
ii  libinfinity-0.6-0   0.6.7-2
ii  libpango-1.0-0  1.40.6-1
ii  libpangocairo-1.0-0 1.40.6-1
ii  libpangomm-1.4-1v5  2.40.1-3
ii  libsigc++-2.0-0v5   2.10.0-1
ii  libstdc++6  7.1.0-13
ii  libxml++2.6-2v5 2.40.1-1
ii  libxml2 2.9.4+dfsg1-3

gobby recommends no packages.

Versions of packages gobby suggests:
ii  avahi-daemon  0.6.32-2

-- no debconf information

Bug#871917: hplip-gui: hp-toolbox will not start

[Didier 'OdyX' Raboud]

Le samedi, 12 août 2017, 18.17:51 h EDT Brad Rogers a écrit :
> Actually, that info is in my original bug report, but wy too far
> down.  I hadn't realised just how much info reportbug had put in place.
> I'll know to check next time.

Nah, I should have checked, don't worry.

Cheers,
OdyX

Bug#871917: hplip-gui: hp-toolbox will not start

[Didier 'OdyX' Raboud]

Control: severity -1 serious

Le samedi, 12 août 2017, 15.13:06 h EDT Brad Rogers a écrit :
> Since upgrading to v3.17.7+repack0-2 hp-toolbox fails to start, wether from
> SysTray, Menu or Shell.
> 
> Attempts to run from shell give the following output;

Thanks for the log.

That's actually 'serious', and hplip should not IMHO migrate to testing with 
that bug.

Cheers,
OdyX

Bug#871784: Apache: Replace redirects by passthroughs so that https://bugs.debian.org/123456 stays as URL

[Didier 'OdyX' Raboud]

Package: bugs.debian.org
Severity: wishlist

Hi there Don,

following your talk @DebConf17, I just went ahead and wrote a quick patch (two,
actually) to replace browser-side redirects with Apache passthroughs.

I've only done a quick test without cgi-bin in the loop, but it seems to work
directly. It seems like it's merely a s/L,R/PT/ accross the Apache
configuration.

Cheers,
OdyX
>From cf9d1519ac04a272f0e32062077154cc0ec4dab0 Mon Sep 17 00:00:00 2001
From: Didier Raboud 
Date: Thu, 10 Aug 2017 18:27:12 -0400
Subject: [PATCH 1/2] Use PT|passthrough redirects for ^/([0-9]+)$ for
 bugreport.cgi & ^/([^/]+)$ for pkgreport.cgi

---
 examples/apache.conf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/examples/apache.conf b/examples/apache.conf
index 0c1315d..7ed13c6 100644
--- a/examples/apache.conf
+++ b/examples/apache.conf
@@ -43,6 +43,7 @@
 # RewriteMap fix-chars int:noescape
 RewriteCond %{REQUEST_URI} 
^/(Access\.html|Developer\.html|Reporting\.html|server-request\.html|server-control\.html|server-refcard\.html).*
 [NC]
 RewriteRule .* - [L]
-RewriteRule ^/([0-9]+)$ /cgi-bin/bugreport.cgi?bug=$1 [L,R,NE]
-RewriteRule ^/([^/]+)$ /cgi-bin/pkgreport.cgi?pkg=$1 [L,R,NE]
+# PT|passthrough to bugreport.cgi and pkgreport.cgi
+RewriteRule ^/([0-9]+)$ /cgi-bin/bugreport.cgi?bug=$1 [PT,NE]
+RewriteRule ^/([^/]+)$ /cgi-bin/pkgreport.cgi?pkg=$1 [PT,NE]
 
-- 
2.14.0

>From 1b98c0b8958b53d9fd1f32cdd771d6fe400499e8 Mon Sep 17 00:00:00 2001
From: Didier Raboud 
Date: Thu, 10 Aug 2017 18:30:12 -0400
Subject: [PATCH 2/2] Use PT|passthrough redirects also for all other rewrites

---
 examples/apache.conf | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/examples/apache.conf b/examples/apache.conf
index 7ed13c6..6232e03 100644
--- a/examples/apache.conf
+++ b/examples/apache.conf
@@ -32,14 +32,14 @@
 # The following two redirect to up-to-date pages
 RewriteRule ^/[[:space:]]*#?([[:digit:]][[:digit:]][[:digit:]]+)([;&].+)?$ 
/cgi-bin/bugreport.cgi?bug=$1$2 [L,R,NE]
 RewriteRule ^/([^/+]*)([+])([^/]*)$ "/$1%%{%}2B$3" [N]
-RewriteRule ^/[Ff][Rr][Oo][Mm]:([^/]+\@.+)$ 
/cgi-bin/pkgreport.cgi?submitter=$1 [L,R,NE]
+RewriteRule ^/[Ff][Rr][Oo][Mm]:([^/]+\@.+)$ 
/cgi-bin/pkgreport.cgi?submitter=$1 [PT,NE]
 # Commented out, 'cuz aj says it will crash master. (old master)
 # RewriteRule ^/[Ss][Ee][Vv][Ee][Rr][Ii][Tt][Yy]:([^/]+\@.+)$ 
/cgi-bin/pkgreport.cgi?severity=$1 [L,R]
-RewriteRule ^/([^/]+\@.+)$ /cgi-bin/pkgreport.cgi?maint=$1 [L,R,NE]
-RewriteRule ^/mbox:([[:digit:]][[:digit:]][[:digit:]]+)([;&].+)?$ 
/cgi-bin/bugreport.cgi?mbox=yes=$1$2 [L,R,NE]
-RewriteRule ^/src:([^/]+)$ /cgi-bin/pkgreport.cgi?src=$1 [L,R,NE]
-RewriteRule ^/severity:([^/]+)$ /cgi-bin/pkgreport.cgi?severity=$1 [L,R,NE]
-RewriteRule ^/tag:([^/]+)$ /cgi-bin/pkgreport.cgi?tag=$1 [L,R,NE]
+RewriteRule ^/([^/]+\@.+)$ /cgi-bin/pkgreport.cgi?maint=$1 [PT,NE]
+RewriteRule ^/mbox:([[:digit:]][[:digit:]][[:digit:]]+)([;&].+)?$ 
/cgi-bin/bugreport.cgi?mbox=yes=$1$2 [PT,NE]
+RewriteRule ^/src:([^/]+)$ /cgi-bin/pkgreport.cgi?src=$1 [PT,NE]
+RewriteRule ^/severity:([^/]+)$ /cgi-bin/pkgreport.cgi?severity=$1 [PT,NE]
+RewriteRule ^/tag:([^/]+)$ /cgi-bin/pkgreport.cgi?tag=$1 [PT,NE]
 # RewriteMap fix-chars int:noescape
 RewriteCond %{REQUEST_URI} 
^/(Access\.html|Developer\.html|Reporting\.html|server-request\.html|server-control\.html|server-refcard\.html).*
 [NC]
 RewriteRule .* - [L]
-- 
2.14.0

Bug#868283: cups-browsed ignores "DefaultPolicy authenticated" from cupsd.conf

[Didier 'OdyX' Raboud]

Control: severity -1 important

Le vendredi, 14 juillet 2017, 08.54:29 h CEST Christoph Pleger a écrit :
> cups-browsed from Debian stretch ignores the "DefaultPolicy
> authenticated" entry in my cupsd.conf, so that all browsed-imported
> printers in /etc/cups/printers.conf are listed with "OpPolicy default".
> That differs from how it was in older Debian versions and their
> cups-browseds, and it allows users to print with another user id than
> their own without authentication, critical in an environment like ours
> where users have to pay for their print quota.

Although a bug that needs to be investigated, that certainly doesn't qualify 
as "critical" in Debian Bug severities [0]. At most 'important'.

No time _right now_ to investigate this, but tagging at the correct severity 
for now. 

Cheers,
OdyX
[0] https://www.debian.org/Bugs/Developer#severities

signature.asc
Description: This is a digitally signed message part.

Bug#864973: stretch-pu: package win32-loader/0.8.3+deb9u1

[Didier 'OdyX' Raboud]

Le dimanche, 25 juin 2017, 22.53:27 h CEST Cyril Brulebois a écrit :
> Looks good to me, feel free to upload, thanks.
> 
> By the way, we probably shouldn't be using “stable” in URLs, but the
> target distribution (stretch here)?

Uploaded.

I noticed 0.8.4 hasn't migrated to testing, which might cause an issue though: 
do we need to put 0.8.3+deb9u1 in testing, or migrate 0.8.4 (with the ftp-
master dance) ?

Cheers,
OdyX

Bug#867818: No printer listed in some applications when no default printer is set

[Didier 'OdyX' Raboud]

Control: tags -1 +patch +pending

Le lundi, 10 juillet 2017, 09.28:00 h CEST Viktor Jägersküpper a écrit :
> Brian Potkin:
> > On Sun 09 Jul 2017 at 17:41:00 +, Viktor Jägersküpper wrote:
> >> The bug is already fixed upstream.
> > 
> > Reference, please.
> 
> https://github.com/apple/cups/commit/
b2f85109da901eb652babdc4f2a846c1c28228ff

Ah, great, thank you for the reference! Will include in the next upload!

Cheers,
OdyX

Bug#868374: Build failed with sbuild and pdebuilder

[Didier 'OdyX' Raboud]

Control: tags -1 +unreproducible +moreinfo

Le samedi, 15 juillet 2017, 09.06:09 h CEST Jörg Frings-Fürst a écrit :
> for the sane-backends transition I test the build and I got errors with
> 
> all build systems:
> > $ sbuild

Weird, it works on the Debian buildds… Can you make sure you have pyppd 
installed?

Cheers,
OdyX

Bug#862051: Allow nodejs to provide /usr/bin/node (draft resolution)

[Didier 'OdyX' Raboud]

Le mercredi, 19 juillet 2017, 21.35:33 h CEST Tollef Fog Heen a écrit :
> === DRAFT Resolution v2 ===
> 
> The Technical Committee recognises that circumstances change in ways
> that make previous resolutions no longer appropriate.  In 2012, it was
> resolved that the nodejs package should not provide /usr/bin/node due to
> the historical conflict with the ax25-node package.  Node.js is still
> quite popular and the ax25-node package is no longer in stable, testing
> or unstable so the requirement for nodejs to not provide /usr/bin/node
> no longer applies.
> 
> The Committee therefore resolves that:
> 
> 1. The CTTE decision from 2012-07-12 in bug #614907 is repealed.
> 
> This means Debian's normal policies and practices take over and the
> nodejs package is free to provide /usr/bin/node.  The migration should
> be managed according to Debian's usual backwards-compatibility
> arrangements.
> 
> === End DRAFT Resolution v2 ===

Thank you for that draft; we can vote on it as far as I'm concerned.

Cheers,
OdyX

Bug#840643: jessie-pu: package cups/1.7.5-11+deb8u1

[Didier 'OdyX' Raboud]

Le mardi, 27 juin 2017, 20.32:11 h CEST Cyril Brulebois a écrit :
> Assuming that this was successfully tested (including by setting those
> two options to restore support for insecure crypto) on a jessie system,
> and once you've fixed the codename in debian/changelog (you want jessie
> rather than jessie-security), feel free to upload.

Uploaded now after testing. I also fixed a typo in the changelog: AllowSSLv3 
vs AllowSSL3 (superfluous 'v').

Sorry for the delay.

Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#869547: udev-rule-missing-subsystem false-positive when rules file uses a GOTO

[Didier 'OdyX' Raboud]

Package: lintian
Version: 2.5.52
Severity: minor

usb-modeswitch-data ships with 40-usb_modeswitch.rules [0] which has 388
rules that all trigger the udev-rule-missing-subsystem lintian warning.
Point is, that file has all the matching entries within a SUBSYSTEM/GOTO
block (see lines 12 and 1181); that makes the lintian warning a false
positive.

I have added this lintian warning override in the package but figured it
would be nice to let you know.

Cheers,
OdyX

[0] 
http://sources.debian.net/src/usb-modeswitch-data/20170205-1/40-usb_modeswitch.rules/

Bug#868743: gutenprint FTBFS on mips64el: check-TESTS killed with signal TERM after 150 minutes of inactivity

[Didier 'OdyX' Raboud]

Control: severity -1 important
Control: retitle -1 gutenprint sometimes FTBFS on mips64el: check-TESTS killed 
with signal TERM after 150 minutes of inactivity

Le mardi, 18 juillet 2017, 11.05:34 h CEST Adrian Bunk a écrit :
> https://buildd.debian.org/status/fetch.php?pkg=gutenprint=mips64el=
> 5.2.13-1=1500347072=0
> 
> ...
> Making check in cups
> make[4]: Entering directory '/<>/src/cups'
> make  check-TESTS
> make[5]: Entering directory '/<>/src/cups'
> make[6]: Entering directory '/<>/src/cups'
> E: Build killed with signal TERM after 150 minutes of inactivity

It built when it was retried on mipsel-aql-03; hereby downgrading the severity
accordingly.

Cheers,
OdyX

Bug#866778: lsb-release: lsb_release --all displays inconsistent information

[Didier 'OdyX' Raboud]

Control: tags -1 +wontfix 

Le samedi, 1 juillet 2017, 18.38:28 h CEST GT a écrit :
>* What led up to the situation?
> use of the command lsb_release --all
> 
> :~$ lsb_release --all
> 
> No LSB modules are available.
> Distributor ID: Debian
> Description:Debian GNU/Linux oldstable-updates (sid)
> Release:oldstable-updates
> Codename:   sid
> 
> 
>* What outcome did you expect instead?
> 
> An accurate report:
> :~$ cat /usr/lib/os-release
> 
> PRETTY_NAME="Debian GNU/Linux buster/sid"
> NAME="Debian GNU/Linux"
> ID=debian
> HOME_URL="https://www.debian.org/;
> SUPPORT_URL="https://www.debian.org/support;
> BUG_REPORT_URL="https://bugs.debian.org/;
> 
> 
> why lsb-release diplays sid while i am using buster?

lsb-release cannot _know_ that you're u sing buster and not sid, as the
/usr/lib/os-release file (as shipped by base-files) contains this "buster/
sid" string (you also find this in /etc/debian_version, which is what 
lsb_release.py uses). That's specifically made to avoid having to have one 
base-files package per suite, which would make base-files more of a special 
package than it already is.

As, technically, a set of "unstable" packages could also be a valid set of 
"testing" packages (5 days without bugs or uploads later, for instance), 
it's impossible to guess from the files on the system whether it's running 
"testing" or "unstable".

And finally, don't rely on lsb_release's output for anything non-stable; 
it's bound to be unreliable, by construction. One should really rely on 
feature-detection rather than version-matching.

Hereby closing as not-a-bug.

Cheers,
OdyX

Bug#732445: debian-policy should encourage verification of upstream cryptographic signaturse

[Didier 'OdyX' Raboud]

Le lundi, 7 août 2017, 09.40:22 h EDT Russ Allbery a écrit :
> Daniel Kahn Gillmor  writes:
> > debian-policy should encourage verification of upstream cryptographic
> > signatures.

Yes.

> diff --git a/policy.xml b/policy.xml
> index 6086901..c14d9b4 100644
> --- a/policy.xml
> +++ b/policy.xml
> @@ -2556,11 +2556,28 @@ endif
> 
>
>  This is an optional, recommended configuration file for the
> -uscan utility which defines how to
> +uscan utility which defines how to
>  automatically scan ftp or http sites for newly available updates
>  of the package.  This is used Debian QA tools to help with quality

While were at patching this, this sentence should read:
> This is used _by_ Debian QA tools …
or
> This is used _by some_ Debian QA tools…

Other than that, seconded!

Cheers,
OdyX

Bug#871262: override: Downgrading priorities of sensible-utils, lsb-base, multiarch-support

[Didier 'OdyX' Raboud]

Le lundi, 7 août 2017, 14.53:25 h EDT Andreas Henriksson a écrit :
> lsb-base -> optional (previously required)
>  - sysvinit-core pulls in lsb-base (via a dependency chain)
>  - under systemd packages should either:
>- have a masking native unit
>- directly depend on lsb-base if needed (lintian check exists already)

Fwiw, just uploaded src:lsb with that change.

-- 
OdyX


signature.asc
Description: This is a digitally signed message part.

Bug#862732: cups-filters: unreadable file /usr/lib/cups/backend/serial

[Didier 'OdyX' Raboud]

Control: tags -1 +moreinfo

Le mardi, 16 mai 2017, 12.13:23 h CEST Alexander Kurtz a écrit :
> Your package ships a file in /usr which is unreadable for regular
> users.

That's the justification from the source:

# Make the serial backend run as root, since /dev/ttyS* are
# root:dialout and thus not accessible as user lp
chmod 700 debian/cups-filters/usr/lib/cups/backend/serial

… but I think it would work with a chmod 744.
Alexander: do you have a serial printer; and could you test?
Till: as you're the initial committer of that code; any opinion ?

Cheers,
OdyX

Bug#862732: cups-filters: unreadable file /usr/lib/cups/backend/serial

[Didier 'OdyX' Raboud]

Control: tags -1 +pending -moreinfo

Le mardi, 16 mai 2017, 15.04:26 h CEST Till Kamppeter a écrit :
> The "serial" backend is a CUPS backend which has to run as root to 
> correctly work. CUPS decides which backends run as roo by the file 
> permissions of the backends. One of the backends which comes with CUPS 
> and has to run as root is the "usb" backend:
> 
> -r-xr--r-- 2 root root 34808 Mar 23 14:55 /usr/lib/cups/backend/usb
> 
> This backend is still world-readable and only omits the execution bit 
> for anyone else than root itself (644 permissions). This should also 
> work with the "serial" backend in cups-filters.

Ack, thanks for the explanation. I've fixed this in the upcoming 1.14.0 
experimental upload.

Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#865485: Voting for TC Chair

[Didier 'OdyX' Raboud]

Le mercredi, 21 juin 2017, 22.21:57 h CEST Didier 'OdyX' Raboud a écrit :
> ===BEGIN===
> 
> The chair of the Debian Technical Committee will be:
> 
> A: Keith Packard 
> B: Didier Raboud 
> C: Tollef Fog Heen 
> D: Sam Hartman 
> E: Phil Hands 
> F: Margarita Manterola 
> G: David Bremner 
> H: Niko Tyni 
> ===END===

I vote

B > E > D = C > F = G = H > A

-- 
OdyX


signature.asc
Description: This is a digitally signed message part.

Bug#865485: Voting for TC Chair

[Didier 'OdyX' Raboud]

Package: tech-ctte
Severity: normal

Dear TC members,

With the appointment of Niko to the TC and according to our current 
procedures¹, I am hereby announcing my immediate vacation of the chair 
position, triggering a new election. For clarity of the process, I am 
interested to continue serving as chair.

The ballot is the following:

===BEGIN===

The chair of the Debian Technical Committee will be:

A: Keith Packard 
B: Didier Raboud 
C: Tollef Fog Heen 
D: Sam Hartman 
E: Phil Hands 
F: Margarita Manterola 
G: David Bremner 
H: Niko Tyni 
===END===

-- 
Cheers,
OdyX


signature.asc
Description: This is a digitally signed message part.

Bug#862051: Refer #862051 to ctte (WAS: nodejs-legacy: possibly drop this package, now that ax25-node has been removed?)

[Didier 'OdyX' Raboud]

Le vendredi, 19 mai 2017, 11.05:28 h CEST Margarita Manterola a écrit :
> This, compounded with the fact that the old node will be gone in stretch,
> means that it makes sense for nodejs to become node.
> 
> Does anyone think differently?

I concur with your analysis; thank you for getting through the archives!

OdyX

Bug#836127: Call for Votes for new TC member

[Didier 'OdyX' Raboud]

Le mardi, 13 juin 2017, 20.08:38 h CEST Didier 'OdyX' Raboud a écrit :
> ===BEGIN
> The Technical Committee recommends that Niko Tyni <nt...@debian.org> be
> appointed by the Debian Project Leader to the Technical Committee.
> 
> N: Recommend to Appoint Niko Tyni <nt...@debian.org>
> F: Further Discussion
> ===END

I vote:

N > F

Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#864973: stretch-pu: package win32-loader/0.8.3+deb9u1

[Didier 'OdyX' Raboud]

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

As discussed on debian-boot starting from
https://lists.debian.org/4374235.3xk2uo9...@odyx.org , win32-loader
(in stretch) still doesn't use the deb.debian.org agreed-upon mirror.
Also, as it's standalone version embeds multiple other packages (as
listed on
https://deb.debian.org/debian/tools/win32-loader/stable/win32-loader.txt
), the 0.8.3 version as released with Stretch still contains jessie's
debian-archive-keyring.

Specifically, we held this upload back then because we were waiting on
gnupg's 2.1.18-8 (which pu request is tracked in #863734)

It would be good to have an updated win32-loader in Stretch; the
possible debdiff would be attached.

Cheers,
OdyX
diff -Nru win32-loader-0.8.3/branch.nsi win32-loader-0.8.3+deb9u1/branch.nsi
--- win32-loader-0.8.3/branch.nsi   2017-01-01 11:40:06.0 +0100
+++ win32-loader-0.8.3+deb9u1/branch.nsi2017-06-18 10:21:47.0 
+0200
@@ -63,7 +63,7 @@
   StrCpy $base_path_images  "netboot/debian-installer/hurd-$arch"
 ${EndIf}
   ${Else}
-StrCpy $base_url "http://httpredir.debian.org/debian/dists/stable/;
+StrCpy $base_url "http://deb.debian.org/debian/dists/stable/;
 ${If} $kernel == "linux"
   ; Only Debian GNU/Linux will have a stable branch for the stretch cycle
   StrCpy $base_path_hashes"main/installer-$arch/current/images/"
diff -Nru win32-loader-0.8.3/debian/changelog 
win32-loader-0.8.3+deb9u1/debian/changelog
--- win32-loader-0.8.3/debian/changelog 2017-04-19 18:03:11.0 +0200
+++ win32-loader-0.8.3+deb9u1/debian/changelog  2017-06-18 10:25:41.0 
+0200
@@ -1,3 +1,10 @@
+win32-loader (0.8.3+deb9u1) stretch; urgency=medium
+
+  * Drop bz2 compression for source
+  * Replace all mirror urls with deb.debian.org
+
+ -- Didier Raboud   Sun, 18 Jun 2017 10:25:41 +0200
+
 win32-loader (0.8.3) unstable; urgency=low
 
   * The « Pippita » release
diff -Nru win32-loader-0.8.3/debian/rules win32-loader-0.8.3+deb9u1/debian/rules
--- win32-loader-0.8.3/debian/rules 2017-04-19 18:03:11.0 +0200
+++ win32-loader-0.8.3+deb9u1/debian/rules  2017-06-18 10:21:47.0 
+0200
@@ -13,7 +13,7 @@
 PACKAGES_LIST := $(shell set -e; \
for p in ${B_D_PACKAGES}; \
do \
-   dpkg-query --showformat='$${source:Package;-25} 
$${source:Version;-25} 
http://ftp.debian.org/debian/pool/main/$${source:Package;1}/$${source:Package}\\n'
 --show $$p; \
+   dpkg-query --showformat='$${source:Package;-25} 
$${source:Version;-25} 
http://deb.debian.org/debian/pool/main/$${source:Package;1}/$${source:Package}\\n'
 --show $$p; \
done)
 
 BUILT_USING_LIST := $(shell set -e; \
diff -Nru win32-loader-0.8.3/debian/source/options 
win32-loader-0.8.3+deb9u1/debian/source/options
--- win32-loader-0.8.3/debian/source/options2014-08-28 20:34:04.0 
+0200
+++ win32-loader-0.8.3+deb9u1/debian/source/options 1970-01-01 
01:00:00.0 +0100
@@ -1,2 +0,0 @@
-# Compress source using bz2
-compression = bzip2
diff -Nru win32-loader-0.8.3/Makefile win32-loader-0.8.3+deb9u1/Makefile
--- win32-loader-0.8.3/Makefile 2017-03-20 20:56:38.0 +0100
+++ win32-loader-0.8.3+deb9u1/Makefile  2017-06-18 10:21:47.0 +0200
@@ -181,7 +181,7 @@
   $(NULL)
genisoimage -r -J -o $@ netboot/daily
 
-BASE_URL=http://ftp.nl.debian.org/debian/dists/stable/main
+BASE_URL=http://deb.debian.org/debian/dists/stable/main
 netboot/download-stable-stamp:
mkdir -p netboot/stable/install.{386,amd}/gtk
wget 
$(BASE_URL)/installer-i386/current/images/netboot/debian-installer/i386/linux \

Bug#836127: Call for Votes for new TC member

[Didier 'OdyX' Raboud]

I call for votes on the following ballot to fill a vacant seat in the TC. The 
voting period starts immediately and lasts for up to one week, or until the 
outcome is no longer in doubt (§6.3.1).

===BEGIN
The Technical Committee recommends that Niko Tyni  be
appointed by the Debian Project Leader to the Technical Committee.

N: Recommend to Appoint Niko Tyni 
F: Further Discussion
===END

signature.asc
Description: This is a digitally signed message part.

Bug#861843: unblock: (pre-approval) hplip/3.16.11+repack0-3

[Didier 'OdyX' Raboud]

Control: tags -1 -moreinfo

Le dimanche, 7 mai 2017, 16.25:00 h CEST Niels Thykier a écrit :
> Didier 'OdyX' Raboud:
> > I plan to upload hplip with a simple fix for #861731 (UnicodeDecodeError
> > on some filenames) that has apparently been committed upstream.
> 
> Ack, please go ahead and remove the moreinfo tag once the upload has
> been ACCEPTed and the package built on all relevant release architectures.

These have happened.

Cheers,
OdyX

Bug#861729: unblock: win32-loader/0.8.3

[Didier 'OdyX' Raboud]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock-udeb package win32-loader 0.8.3 as it fixes an FTBFS
on i386 in stretch (and is always blocked because of the manual migration to
be done by ftpmasters):

> * Fix FTBFS on i386: use gawk to prepare README file (Closes: #860695)

(This is a bug in mawk, reported as #860751)

debdiff is attached.

ftpmaster: please copy debian/tools/win32-loader/unstable into …/testing 

unblock-udeb win32-loader/0.8.3

Cheers, OdyX
diff -Nru win32-loader-0.8.2/debian/changelog 
win32-loader-0.8.3/debian/changelog
--- win32-loader-0.8.2/debian/changelog 2017-03-20 21:23:59.0 +0100
+++ win32-loader-0.8.3/debian/changelog 2017-04-19 18:03:11.0 +0200
@@ -1,3 +1,11 @@
+win32-loader (0.8.3) unstable; urgency=low
+
+  * The « Pippita » release
+
+  * Fix FTBFS on i386: use gawk to prepare README file (Closes: #860695)
+
+ -- Didier Raboud   Wed, 19 Apr 2017 18:03:11 +0200
+
 win32-loader (0.8.2) unstable; urgency=medium
 
   * The « Iao » release
diff -Nru win32-loader-0.8.2/debian/control win32-loader-0.8.3/debian/control
--- win32-loader-0.8.2/debian/control   2017-03-20 21:12:00.0 +0100
+++ win32-loader-0.8.3/debian/control   2017-04-19 18:03:11.0 +0200
@@ -10,6 +10,7 @@
  mingw-w64,
  libgcrypt-mingw-w64-dev, libgpg-error-mingw-w64-dev,
  librsvg2-bin, icoutils,
+ gawk,
  gettext,
  grub-pc-bin (>= 1.99~rc1-3),
  imagemagick,
diff -Nru win32-loader-0.8.2/debian/rules win32-loader-0.8.3/debian/rules
--- win32-loader-0.8.2/debian/rules 2017-03-20 21:10:08.0 +0100
+++ win32-loader-0.8.3/debian/rules 2017-04-19 18:03:11.0 +0200
@@ -39,9 +39,9 @@
dh_auto_build

# Prepare the README file
-   awk '{sub(/@PACKAGES_LIST@/,"$(PACKAGES_LIST)")}1 \
- {sub(/@NSIS_VERSION@/,"$(NSIS_VERSION)")}1 \
- {sub(/@W32_VERSION@/,"$(W32_VERSION)")}1' \
+   gawk '{sub(/@PACKAGES_LIST@/,"$(PACKAGES_LIST)")}1 \
+ {sub(/@NSIS_VERSION@/,"$(NSIS_VERSION)")}1 \
+ {sub(/@W32_VERSION@/,"$(W32_VERSION)")}1' \
debian/win32-loader_doc.txt > $(W32_BYHAND_NAME).txt
cat debian/copyright >> $(W32_BYHAND_NAME).txt
 endif

Bug#861843: unblock: (pre-approval) hplip/3.16.11+repack0-3

[Didier 'OdyX' Raboud]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

I plan to upload hplip with a simple fix for #861731 (UnicodeDecodeError on
some filenames) that has apparently been committed upstream.

This is the changelog entry:
>   [ Gaurav Sood ]
>   * Fix handling of unicode filenames in sixext.py
> (Closes: #861731, LP: #1480152)

Please see the attached debdiff
diff -Nru hplip-3.16.11+repack0/debian/changelog 
hplip-3.16.11+repack0/debian/changelog
--- hplip-3.16.11+repack0/debian/changelog  2017-01-30 21:36:12.0 
+0100
+++ hplip-3.16.11+repack0/debian/changelog  2017-05-04 18:35:44.0 
+0200
@@ -1,3 +1,11 @@
+hplip (3.16.11+repack0-3) unstable; urgency=low
+
+  [ Gaurav Sood ]
+  * Fix handling of unicode filenames in sixext.py
+(Closes: #861731, LP: #1480152)
+
+ -- Didier Raboud   Thu, 04 May 2017 18:35:44 +0200
+
 hplip (3.16.11+repack0-2) unstable; urgency=medium
 
   [ Brian Potkin ]
diff -Nru hplip-3.16.11+repack0/debian/gbp.conf 
hplip-3.16.11+repack0/debian/gbp.conf
--- hplip-3.16.11+repack0/debian/gbp.conf   2017-01-30 19:42:12.0 
+0100
+++ hplip-3.16.11+repack0/debian/gbp.conf   2017-05-04 18:34:48.0 
+0200
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/stretch
 upstream-branch = upstream/latest
 pristine-tar = True
 
diff -Nru hplip-3.16.11+repack0/debian/.git-dpm 
hplip-3.16.11+repack0/debian/.git-dpm
--- hplip-3.16.11+repack0/debian/.git-dpm   2017-01-30 19:42:12.0 
+0100
+++ hplip-3.16.11+repack0/debian/.git-dpm   2017-05-04 18:34:48.0 
+0200
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-23ef661a83d0a96ba61be2eef3ac502a2c000724
-23ef661a83d0a96ba61be2eef3ac502a2c000724
+602e2d8fb42cf4b62bf245702f314fecf6a2227c
+602e2d8fb42cf4b62bf245702f314fecf6a2227c
 eafc834119e19d43010499f9205cd5f4485973f4
 eafc834119e19d43010499f9205cd5f4485973f4
 hplip_3.16.11+repack0.orig.tar.xz
diff -Nru 
hplip-3.16.11+repack0/debian/patches/0024-Fix-handling-of-unicode-filenames-in-sixext.py.patch
 
hplip-3.16.11+repack0/debian/patches/0024-Fix-handling-of-unicode-filenames-in-sixext.py.patch
--- 
hplip-3.16.11+repack0/debian/patches/0024-Fix-handling-of-unicode-filenames-in-sixext.py.patch
  1970-01-01 01:00:00.0 +0100
+++ 
hplip-3.16.11+repack0/debian/patches/0024-Fix-handling-of-unicode-filenames-in-sixext.py.patch
  2017-05-04 18:34:48.0 +0200
@@ -0,0 +1,29 @@
+From 602e2d8fb42cf4b62bf245702f314fecf6a2227c Mon Sep 17 00:00:00 2001
+From: Gaurav Sood 
+Date: Thu, 4 May 2017 18:32:08 +0200
+Subject: Fix handling of unicode filenames in sixext.py
+
+LP: #1480152
+Closes: #861731
+---
+ base/sixext.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/base/sixext.py b/base/sixext.py
+index 0bf4fc4f4..311bf72c6 100644
+--- a/base/sixext.py
 b/base/sixext.py
+@@ -110,11 +110,11 @@ if PY3:
+ 
+ 
+ def to_string_utf8(s):
+-return s.decode("utf-8")
++return s.decode("utf-8", 'ignore')
+ 
+ 
+ def to_string_latin(s):
+-return s.decode("latin-1")
++return s.decode("latin-1", 'ignore')
+ 
+ 
+ def to_unicode(s, enc=None):
diff -Nru hplip-3.16.11+repack0/debian/patches/series 
hplip-3.16.11+repack0/debian/patches/series
--- hplip-3.16.11+repack0/debian/patches/series 2017-01-30 19:42:12.0 
+0100
+++ hplip-3.16.11+repack0/debian/patches/series 2017-05-04 18:34:48.0 
+0200
@@ -21,3 +21,4 @@
 0021-Fix-erroneous-tabs-in-hpps-python-code.patch
 0022-Add-include-cups-ppd.h-in-various-places-as-CUPS-2.2.patch
 0023-Fix-list-wrapping-in-scan.py-to-fix-generated-manpag.patch
+0024-Fix-handling-of-unicode-filenames-in-sixext.py.patch

Bug#878641: ITP: argagg -- Argument Aggregator - Simple C++11 command line argument parser

[Didier 'OdyX' Raboud]

Package: wnpp
Severity: wishlist
Owner: Didier 'OdyX' Raboud <o...@debian.org>

Package name: argagg
Version : 0.4.6
Upstream Author : Viet The Nguyen <vietjtngu...@gmail.com>
URL : https://github.com/vietjtnguyen/argagg
License : MIT
Programming Lang: C++
Description : Argument Aggregator - Simple C++11 command line argument 
parser
 This is yet another C++ command line argument/option parser. It was
 written as a simple and idiomatic alternative to other frameworks like
 getopt, Boost program options, TCLAP, and others. The goal is to achieve
 the majority of argument parsing needs in a simple manner with an easy
 to use API. It operates as a single pass over all arguments, recognizing
 flags prefixed by - (short) or -- (long) and aggregating them into easy
 to access structures with lots of convenience functions. It defers
 processing types until you access them, so the result structures end up
 just being pointers into the original command line argument C-strings.
 .
 argagg supports POSIX recommended argument syntax conventions.

Justification   : argagg is a build dependency of "Planet Blupi"
 (http://blupi.org) which I intend to package for Debian.
Package names   : argagg-dev & argagg-dev-doc

Bug#878673: ITP: sdl-kitchensink -- FFmpeg and SDL2 based library for audio and video playback

[Didier 'OdyX' Raboud]

Package: wnpp
Severity: wishlist
Owner: Didier 'OdyX' Raboud <o...@debian.org>

Package name: sdl-kitchensink
Version : 0.0.7
Upstream Author : Tuomas Virtanen <katajak...@gmail.com>
URL : https://github.com/katajakasa/SDL_kitchensink
License : MIT
Programming Lang: C
Description : FFmpeg and SDL2 based library for audio and video playback
 * Decoding video & audio via FFmpeg
 * Dumping video data on SDL_textures
 * Dumping audio data in the usual mono/stereo interleaved formats
 * Automatic audio and video conversion to SDL2 friendly formats
 * Synchronizing video & audio to clock
 * Seeking forwards and backwards
 * Bitmap & libass subtitle support. 

Justification   : sdl-kitchensink is a build dependency of "Planet Blupi"
 (http://blupi.org) which I intend to package for Debian.
Package names   : libsdl-kitchensink0 libsdl-kitchensink-dev

Bug#878148: cups: Default ServerName wrong/not in sync with manual

[Didier 'OdyX' Raboud]

Le jeudi, 12 octobre 2017, 16.34:48 h CEST Dominik George a écrit :
> I said that I cannot access CUPS from the local network, not from loopback.

The title of this bug is "Default ServerName wrong/not in sync with manual". 
I'm not sure I understand whether you think the documentation should be 
changed, or whether the _code_ should be changed. Could you please clarify?

From the documentation, you need to have both a network-accessible IP in a 
`Listen` stanza, as well as the hostnames you want the scheduler to be 
accesssible to be listed in either `ServerName` and/or `ServerAlias`.

What I can say is that from the source (scheduler/conf.c, around lines 956 in 
stable) https://sources.debian.net/src/cups/2.2.1-8/scheduler/conf.c/#L956

>   else
>   {
> if (gethostname(temp, sizeof(temp)))
> {  
>   cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to get hostname: %s",
>   strerror(errno));
>   strlcpy(temp, "localhost", sizeof(temp));
> }
> cupsdSetString(, temp);

… ServerName is set from gethostname(2), which, by their manpages, return the 
same value as hostname(1), aka uname(2)'s nodename, which you can retrieve 
from $ uname -n.

ServerName is set around these lines and there are various heuristics which 
add ServerAliases to that configuration. All these are logged at the 'debug' 
level. I've added a patch to log the ServerName cups takes:

--- a/scheduler/conf.c
+++ b/scheduler/conf.c
@@ -891,6 +891,7 @@ cupsdReadConfiguration(void)
 }
 
 cupsdSetString(, temp);
+cupsdLogMessage(CUPSD_LOG_DEBUG, "Set ServerName %s", temp);

With this in place, and debugging enabled via `cupsctl --debug-logging` (see 
[0] for a very good documentation), a restart of the server gives me:

D [12/Oct/2017:17:21:25 +0200] Set ServerName gyllingar
D [12/Oct/2017:17:21:25 +0200] Added auto ServerAlias gyllingar

And:
$ hostname -f
gyllingar

What is it that you get? And do you still think there's discrepancy between 
code and documentation? If so, which one do you think is wrong?

Thanks in advance,

Cheers,
OdyX

[0] https://wiki.debian.org/
DissectingandDebuggingtheCUPSPrintingSystem#The_CUPS_Error_Log

Bug#878326: cups FTCBFS: runs host architecture utilities during build again

[Didier 'OdyX' Raboud]

Control: tags -1 +pending

Le jeudi, 12 octobre 2017, 22.56:25 h CEST Helmut Grohne a écrit :
> Thank you for applying my patch from #837936 to make cups cross build.
> Unfortunately, that no longer works. When cross building cups, mantohtml
> fails to run again (and #837936 was meant to fix that).
> 
> It turns out that man/Makefile is now duplicated to man/Makefile.l10n
> and it compiles its own mantohtml there with the builtin rule. Thus it
> ends up using the wrong compiler and wrong flags. After copying the
> relevant rule to man/Makefile.l10n, cups cross builds again. Please
> consider applying the attached patch.

Thanks for your scrutiny and your patch. Is there a "Cross-Builds Status" page 
I could monitor myself to proactively detect these ?

Cheers,
OdyX

Bug#754462: Bug#862051: nodejs (6.11.2~dfsg-1) experimental; urgency=medium

[Didier 'OdyX' Raboud]

Le mardi, 29 août 2017, 17.46:22 h CEST Thorsten Glaser a écrit :
> Leave /usr/bin/nodejs there for at least one more release.

I'll just note for the purpose of the TC discussion that as of nodejs 
6.11.2~dfsg-3 (the version currently in unstable) , the /usr/bin/nodejs → node 
symlink still exists, so at this point, I don't consider there is material for 
a TC decision either way, but it's an important conversation to be had.

Jérémy: could you maybe clarify your plan and your rationale? This would help 
putting everyone on common grounds.

Cheers,
OdyX

Bug#754462: Bug#862051: nodejs (6.11.2~dfsg-1) experimental; urgency=medium

[Didier 'OdyX' Raboud]

Le mardi, 29 août 2017, 12.32:19 h CEST Sam Hartman a écrit :
> > "Thorsten" == Thorsten Glaser  writes:
> Thorsten> Hi,
> 
> >> * Restore /usr/bin/node following CTTE #862051 Let's try to drop
> >> /usr/bin/nodejs before buster.  Replaces and Conflicts
> >> nodejs-legacy.  Closes: #754462.
> 
> Thorsten> please do NOT completely replace an ABI between releases.
> Thorsten> Leave /usr/bin/nodejs there for at least one more release.
> 
> 
> I agree.
> Even if you get everything in Debian fixed, you won't know about user
> scripts that have been designed around what Debian does.

Right.

Searching for "/usr/bin/nodejs" on github [0] shows around 27'500 occurences.

> Giving people a release to deal with transitions is a great thing to do
> when there's no good reason not to.
> Maintaining a symlink for a release seems a low cost.

True. On the other hand, the fact that Debian "created" /usr/bin/nodejs also 
means it's on Debian's hands to eventually remove it.

For good reasons, Debian forcibly introduced a special-case when Node.js first 
appeared in a stable release through only shipping it under /usr/bin/nodejs. 
That forced hundreds of projects to cope with that, probably often through 
supporting both /usr/bin/node and /usr/bin/nodejs I suspect.

I'm quite convinced that large parts of the Node.js ecosystem will cope well 
without any /usr/bin/nodejs available in stretch.

So I'm not convinced it's really worth the trouble to keep it around for 
another stable release; I'd probably be fine with a swap of the setup we had 
(with the convenience symlink in a different and not-installed-by-default 
package).

> For that matter I really can't see a good reason to ever drop the
> symlink.

I want Debian to be able to move on and ahead; cleaning up past special-cases 
from our stable releases is good. We only support stable-to-stable upgrades 
for good reasons and removing such convenience symlinks falls in the same 
category as cleanup of maintainer scripts' code for oldstable-to-stable paths. 
I would strongly support removal of the symlink in bullseye.

Cheers,
OdyX

[0] https://github.com/search?utf8=%E2%9C%93=%22%2Fusr%2Fbin%2Fnodejs
%22=Code

Bug#873706: mdraid2 (pulling mdadm in) should not be required by udisks2 core

[Didier 'OdyX' Raboud]

Package: udisks2
Version: 2.6.5-2
Severity: important

udisks2 is a dependency of multiple Desktop Environments (through
plasma-workspace, kde-plasma-workshop, gvfs-daemons) and pulls mdadm through
libblockdev-mdraid2 dependencies. mdadm is the full-fledged daemon that handles
MD RAID arrays, and I don't think it is useful or necessary in all Desktop
Environments.

Please make sure the mdraid2 libblockdev plugin is not _required_ by udisks2
core.

Cheers,
OdyX

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'oldstable-proposed-updates'), 
(500, 'unstable'), (500, 'testing'), (500, 'stable'), (100, 'experimental'), 
(1, 'experimental-debug'), (1, 'buildd-unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.12.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_CH:fr (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages udisks2 depends on:
ii  dbus   1.11.16+really1.10.22-1
ii  init-system-helpers1.49
ii  libacl12.2.52-3+b1
ii  libatasmart4   0.19-4+b1
ii  libc6  2.24-17
ii  libglib2.0-0   2.53.6-1
ii  libgudev-1.0-0 230-3
ii  libpam-systemd 234-2.3
ii  libpolkit-agent-1-00.105-18
ii  libpolkit-gobject-1-0  0.105-18
ii  libsystemd0234-2.3
pn  libudisks2-0   
ii  parted 3.2-17
ii  udev   234-2.3

Versions of packages udisks2 recommends:
ii  dosfstools   4.1-1
ii  eject2.1.5+deb1+cvs20081104-13.2
ii  exfat-utils  1.2.7-1
ii  gdisk1.0.1-1
ii  ntfs-3g  1:2016.2.22AR.2-2
ii  policykit-1  0.105-18

Versions of packages udisks2 suggests:
pn  btrfs-progs | btrfs-tools  
ii  cryptsetup-bin 2:1.7.3-4
pn  mdadm  
ii  reiserfsprogs  1:3.6.25-7
ii  xfsprogs   4.9.0+nmu1

-- no debconf information

Bug#429938: /usr/bin/pinentry-qt: pinentry-qt: does not show up in window list

[Didier 'OdyX' Raboud]

Le mardi, 26 septembre 2017, 14.54:11 h CEST Daniel Kahn Gillmor a écrit :
> With no followup for more than 6 months, i'm closing this bug report.
> 
> Feel free to reopen if anyone is still having this problem!

Sorry for my inaction there; it seems to work now for me, or I have a 
workaround in place.

Thank you for the cleanup!

-- 
OdyX

Bug#873090: RM: lsb-compat -- NBS; Deprecation for Buster

[Didier 'OdyX' Raboud]

Package: ftp.debian.org
Severity: normal

Hi there,

since it's 9.20170807 upload, src:lsb doesn't build the lsb-compat
package anymore. The fact that lsb-compat is still around in unstable
seems to confuse dak, and lsb-compat doesn't seem to be catched by the
autodecruft.

Please remove the lsb-compat binary package from unstable.

Cheers,

OdyX

Bug#870463: lp no longer honours default printers

[Didier 'OdyX' Raboud]

Hi there martin, and thanks for your bugreport,

Le mercredi, 2 août 2017, 10.22:13 h CEST martin f krafft a écrit :
> Possibly related to #867818, /usr/bin/lp no longer honours a default
> printer configured:
> 
>   albatross:~/FOR_FILING% head -1 ~/.cups/lpoptions
>   Default mfc9465cdn
>   albatross:~/FOR_FILING% lp -P 30 2017-08-02-Scans.pdf
>   lp: Error - no default destination available.

I can't reproduce this; it works fine here for me. Let's see from some things 
fixed upstream:
* https://github.com/apple/cups/issues/5072 - Do you happen to use a 
ServerAlias ?
* https://github.com/apple/cups/commit/
c536b6c583abd9ea1b750f15e887b313ed7ad951 maybe ?

Can you rebuild cups with these patches or would you like me to build a 
patched version for you? (I'd probably upload an upstream snapshot to 
experimental then)

Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#676472: cups: please suggest a compatible inet server (for lpd support)

[Didier 'OdyX' Raboud]

Control: tags -1 +wontfix
Control: severity -1 wishlist

Hi there Vincent,

Le jeudi, 7 juin 2012, 17.47:59 h CEST Vincent McIntyre a écrit :
> Somehow my system got installed with update-inetd but not inetutils-inetd.
> 
> I wanted to turn on lpd support so installed cups-bsd.
> update-inetd ran without apparrent errors when I did
>   # dpkg-reconfigure cups-bsd
> to enable the lpd server, but there was no inetd.conf file to append to
> and none was created. No error was indicated.
> 
> Once I installed inetutils-inetd and reconfigured cups-bsd again,
> things worked as expected.
> 
> Possibly this is actually a bug in update-inetd but I'll leave that to
> your discretion.

As of 2017, I tend to think that lpd support should disappear for Buster. Iff 
we'd want to keep it, having cups-bsd get a 
Suggests: inetutils-inetd | inet-superserver, update-inetd
_could_ make sense.

I'm not going to investigate more than that; so if someone wants that in 
2017's CUPS, please answer to this bug by saying so and confirming the above 
strategy makes sense.

Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#865649: cups HTTPS issues -- Lack of SHA-2 certificate, weak TLSv1.0 crypto

[Didier 'OdyX' Raboud]

Le samedi, 26 août 2017, 15.47:20 h CEST Didier Raboud a écrit :
> > * Generate SHA-2 signed certificates by default. This will lessenthe
> > additional browser warnings.
> 
> The CUPS server certificates are setup to be ssl-cert's (see symlinking code
> in cups-daemon.postinst, so that's a good suggestion for that to be fixed
> centrally in ssl-cert.

Oh. As I was explaining bug #865598, I actually noticed that that symlinking 
code was just useless now (it symlinks to `…/server.crt` where CUPS uses
`…/$(gethostname()).crt`).

So the certificate creation indeed happens in CUPS (cups/tls-gnutls.c, line 
184):
>  gnutls_x509_crt_sign(crt, crt, key);

But I stand to my initial position: I'm not going to maintain a non-upstream 
patch queue of crypto code.

Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#863270: cups: https uses SHA-1 signature algorithm

[Didier 'OdyX' Raboud]

Control: tags -1 +confirmed +upstream
Control: forcemerge 865649 -1

Hi Henrich, and thank you for your bugreport,

Le mercredi, 24 mai 2017, 18.26:11 h CEST Heinrich Schuchardt a écrit :
> the cups webserver on port 631 supports the https protocol.
> 
> When browsing cups using the https protocol a certificate/key pair is
> created in /etc/cups/ssl.
> 
> $ openssl x509 -in /etc/cups/ssl/hostname.crt -text
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 1495639838 (0x5925a71E)
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C = US, CN = hostname, O = hostname, OU = Unknown, ST =
>(…)
> 
> Using SHA-1 as signature algorithm is unsafe.
> This algorithm will not be accepted in future browser versions.

That's very much a problem yes, but upstream is aware of the problem. See 
https://github.com/apple/cups/issues/4876 for a somewhat recent discussion 
about this.

> I have no clue why the country is set to US. That is not where my system is.
> Please, remove this bogus when fixing the SHA-1 issue.

http://sources.debian.net/src/cups/2.2.4-3/cups/tls-gnutls.c/#L151 is where 
this happens; the country code is guessed from the end of your locale setting.

But all that is vain; we're talking about a self-signed certificate, which is 
not trusted (nor trustable nowadays) in modern browsers.

Finally, from a Debian maintenance point of view, I'm not going to diverge 
from upstream code on crypto.

Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#865598: cups: CUPS server ignores SSL key and certificate setting

[Didier 'OdyX' Raboud]

Control: tags -1 +upstream
Control: tags -1 +wontfix

Le vendredi, 23 juin 2017, 05.13:19 h CEST Drexl Johannes a écrit :
> I've just upgraded to Stretch and noticed CUPS won't use my certificate/key
> files any longer. It seems the options ServerCertificate and ServerKey have
> moved somewhere else (or dropped without upgrade notice), and this isn't
> really documented. CUPS now refuses to use those options alltogether,
> insisting on FQDN.key and FQDN.crt for no apparent reason whatsoever,
> generating the files as soon as one visits the web interface. The possible
> solution to this was to manually symlink the intended certificate/key to
> the hardcoded file names. While this works without (apparent) problems, I
> don't think this should be necessary nor forced upon the user.

ServerCertificate & ServerKey configuration directives' support has been 
dropped 
in CUPS 2.2~b1, so is replaced by ServerKeyChain (in /etc/cups/cups-files.conf) 
which indicates a keychain path (`ssl`, so `/etc/cups/ssl/` by default). The 
auto-generation is controlled by the option CreateSelfSignedCerts, that 
defaults to 'yes'.

Actually, looking at the code, it seems that : cupsSetServerCredentials(…)
is called with ServerName as second argument, without a possibility of that 
getting changed. ServerName is set as the result of gethostname().

All-in-all: 
* the cups.postinst certificate symlinking is not achieving what it wants: the 
symlinks are not used, and CUPS will generate new self-signed certificates on-
demand anyway. We should either stop the symlinking (and defer to CUPS' code) 
or fix it (put ssl-cert's back).
* I certainly agree that this migration away from ServerCertificate and 
ServerKey was suboptimally documented by upstream (and hence by Debian), but 
that's too late. :-/
* The forced certificate name is unfortunate, but of upstream' realm, and I 
don't really fancy forcefully changing that back to 'server.crt', as using the 
hostname is somewhat better, isn't it?

Looking forward to your feedback!

Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#870463: lp no longer honours default printers

[Didier 'OdyX' Raboud]

Control: tags -1 +upstream
Control: severity -1 wishlist
Control: forwarded -1 https://github.com/apple/cups/issues/5096
Control: retitle -1  lp error message when the configured default printer isn't 
available could be clearer

Le samedi, 26 août 2017, 17.20:08 h CEST martin f krafft a écrit :
> also sprach Didier 'OdyX' Raboud <o...@debian.org> [2017-08-26 15:20 +0200]:
> > >   albatross:~/FOR_FILING% head -1 ~/.cups/lpoptions
> > >   Default mfc9465cdn
> > >   albatross:~/FOR_FILING% lp -P 30 2017-08-02-Scans.pdf
> > >   lp: Error - no default destination available.
> 
> I am sorry, I totally forgot about this bug report.

Don't worry. I was just doing some routine bug triaging.

> The problem was that the cups-browsed upgrade ended up with new device
> names, so obviously the previous one "mfc9465cdn" no longer works. The error
> message could be improved, i.e. "Invalid default destination specified in
> config file: mfc9465cdn", but other than that, this isn't really a bug.
> 
> What do you want me to do? Take this upstream? Downgrade? Close?

Just did all of that. :-) See the control tags above.

Cheers,
   OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#784512: Is anybody working on PySide2?

[Didier 'OdyX' Raboud]

Le dimanche, 27 août 2017 16.53:30 h CEST, vous avez écrit :
> Hi,
> 
> python-ghost depends on pyside, which will be removed with Qt4.
> Upstream already ported to pyside2, but I can't find pyside2 in
> Debian, not even an ITP or RFP. But somewhere I read, that
> pyside2 will be part of Qt. Is somebody working on this? It
> would be bad to remove pyside from Debian before pyside2 is in
> place, right?

For what is worth: I'm not working on pyside, nor pyside2. I removed myself 
from both shiboken and pyside's uploader fields (but should really have mailed 
debian-python about that earlier).

Cheers,
OdyX

Bug#868316: cups-bsd: lpr does not print with "DefaultPolicy authenticated" in cupsd.conf

[Didier 'OdyX' Raboud]

Control: tags -1 +upstream

Le lundi, 28 août 2017, 14.47:40 h CEST Christoph Pleger a écrit :
> I believe that I found a complete solution:
> 
> What introduced the bug, is that httpAddrPort() from http-addr.c now 
> returns 0 in the case when connection type is AF_UNIX. That differs from 
> the cups version in jessie, where httpAddrPort returned 631 in that 
> case.

Right. This was changed for CUPS 2.2~ b1.

> As in my opinion, it makes sense to return 0 as port number in an 
> AF_UNIX connection, I did not change http-addr.c, but request.c so that 
> the port comparison is only relevant if the connection type is not 
> AF_UNIX.

Thank you for the patch. It seems, from what I understand, that this change 
could have unintended consequences outside of the scope of fixing your very 
bug; it also really looks like something I'd like upstream to vouch for.

Would you be interested to push a pull-request to upstream? It doesn't make a 
lot of sense for me to play proxy…
https://github.com/apple/cups

I'll happily backport whatever patch upstream has accepted!

Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#868316: cups-bsd: lpr does not print with "DefaultPolicy authenticated" in cupsd.conf

[Didier 'OdyX' Raboud]

Le lundi, 28 août 2017, 16.39:57 h CEST Christoph Pleger a écrit :
> Done, though I do not understand what you see as a possible problem 
> there. I guess that comparison of port numbers in an AF_UNIX connection 
> never makes sense ...

Thank you; I've marked this bug as 'forwarded', accordingly.

You might want to edit your pull-request to either target the branch-2.1 from 
upstream, or rebase yours on top of upstream's master; as-it-is it's quite 
confusing :-/

https://github.com/apple/cups/pull/5098

Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#868316: cups-bsd: lpr does not print with "DefaultPolicy authenticated" in cupsd.conf

[Didier 'OdyX' Raboud]

Le mardi, 29 août 2017, 09.00:57 h CEST Christoph Pleger a écrit :
> The request has already been acted on and the issue is closed. They did 
> not exactly apply my patch, but their solution does quite the same.

Yep. I've seen; I am uploading the upstream snapshot to experimental and will 
backport that patch to unstable immediately after. Thank you very much for 
your time and energy!

Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#862051: nodejs (6.11.2~dfsg-1) experimental; urgency=medium

[Didier 'OdyX' Raboud]

Le jeudi, 31 août 2017, 12.25:50 h CEST Ian Jackson a écrit :
> Philip Hands writes ("Bug#862051: nodejs (6.11.2~dfsg-1) experimental; 
urgency=medium"):
> > I guess that one could do something like moving the symlink into another
> > -legacy style package, and recomend that from the main package for one
> > release to keep upgrades happy. Then drop the recomendation, and wait
> > for popcon to show that people are not installing the package any more.
> > Then remove the package in testing early in a cycle and see if anyone
> > reports bugs about it.
> 
> Even that would be quite unfriendly, because third party scripts might
> easily be deployed onto new Debian installs as well as existing ones.
> 
> Also, it is imposing an administrative burden on all Debian users (the
> metadata for the -legacy package, spurious search hits, etc.).  That
> burden might be small but would be completely unjustified.

This exact argument stands against not allowing NodeJS to use /usr/bin/node in 
the first place, really. We accepted to enforce that change for the /usr/bin/ 
namespace "first-come-first-served" reason. We imposed a quite heavy 
administrative burden of either targetting /u/b/nodejs additionally or (finding 
out and) installing nodejs-legacy for anyone wanting to use NodeJS on Debian.

Now, there are two categories of scripts affected by this discussion:
* All scripts which support /u/b/nodejs *in addition* to /u/b/node. These do 
so _because_ of a Debian-specific change, and removing the /u/b/nodejs symlink 
is not going to break those.
* All scripts which support /u/b/nodejs *exclusively*. These do so _because_ 
of a Debian-specific change, and don't support *any* non-Debian-derivative 
target (checked Fedora's nodejs RPMs: no /u/b/nodejs). Maintainers of those 
scripts have at one point decided to support only Debian{, and derivatives}.

There are _plenty_ of changes that one needs to care about in a stable 
upgrade: things like mandatory postfixing of Apache configuration files, 
removal 
of specific Python3 versions, removal of upstart, etc. Having to change a 
shebang isn't a big deal given the amount of things one has to check accross a 
stable release upgrade.

All that to say that despite the very small cost of keeping the symlink 
around, I do see value in closing the Debian-specific /u/b/nodejs chapter *at 
some point*. We should not clutter our future releases indefinitely with 
convenience symlinks for historical reasons, especially not when these were 
created _by_ Debian and have only been _in_ Debian.

Le jeudi, 31 août 2017, 13.52:00 h CEST Jérémy Lal a écrit :
> How about printing a "nice" warning explaining it would be a good idea to
> move to /usr/bin/node ? Then in next next release drop the nodejs symlink.

This seems like a very good plan to me: let /u/b/nodejs spit out a deprecation 
warning to stderr / syslog but pass all arguments to /u/b/node in Buster; 
remove it entirely in Bullseye & get proper release note entries for both 
Buster and Bullseye.

Cheers.
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#754462: Bug#862051: nodejs (6.11.2~dfsg-1) experimental; urgency=medium

[Didier 'OdyX' Raboud]

Le jeudi, 31 août 2017, 13.58:23 h CEST Thorsten Glaser a écrit :
> Do not drop it before *after* the next release, so people have,
> at the very least, one full release of time to switch their
> scripts in a way that works with both the old and new names
> *first*, gradually.

They have Stretch for that; it has both /usr/bin/nodejs and /usr/bin/node (in 
nodejs-legacy).

Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#879103: ITP: doctest -- Light and feature-rich C++ testing framework

[Didier 'OdyX' Raboud]

Package: wnpp
Severity: wishlist
Owner: Didier 'OdyX' Raboud <o...@debian.org>

Package name: doctest
Version : 1.2.5
Upstream Author : Viktor Kirilov <vik.kiri...@gmail.com> 
URL : https://github.com/onqtam/doctest
License : MIT
Programming Lang: C++
Description : Light and feature-rich C++ testing framework
 doctest is a light and feature-rich C++98 / C++11 single-header testing
 framework for unit tests and TDD.
 .
 It is inspired by the unittest {} functionality of the D programming
 language and Python's docstrings - tests can be considered a form of
 documentation and should be able to reside near the production code
 which they test. This isn't possible (or at least practical) with any
 other testing framework for C++.

Justification: doctest is a B-D of argagg (ITP #878641)
Package name: doctest-dev, as the package installs /usr/lib/doctest/doctest.h

I welcome suggestions on the source or binary names, as well as packaging :)

Bug#878867: cups-filters: unreadable file /usr/lib/cups/backend/cups-brf

[Didier 'OdyX' Raboud]

Le mardi, 17 octobre 2017, 23.08:52 h CEST Samuel Thibault a écrit :
> Yes, this is on purpose, just like in the cups-pdf package: it has to be
> run as root.

Right, but couldn't CUPS (be changed to) use a different heuristic than the 
filter's access rights to determine if it has to be run as root?

Cheers,
OdyX

Bug#879526: dgit broken by recent dpkg (Can't locate object method "new" via package "Dpkg::Compression::Process" …)

[Didier 'OdyX' Raboud]

Package: dgit
Version: 3.12
Severity: important

I finally wanted to try dgit today, but…

$ dgit clone argagg
canonical suite name for unstable is sid
starting new git history
downloading 
http://ftp.debian.org/debian//pool/main/a/argagg/argagg_0.4.6-2.dsc...
downloading 
http://ftp.debian.org/debian//pool/main/a/argagg/argagg_0.4.6-1.dsc...
last upload to archive: NO git hash
  % Total% Received % Xferd  Average Speed   TimeTime Time  Current
 Dload  Upload   Total   SpentLeft  Speed
100  109k  100  109k0 0   109k  0  0:00:01 --:--:--  0:00:01  381k
  % Total% Received % Xferd  Average Speed   TimeTime Time  Current
 Dload  Upload   Total   SpentLeft  Speed
100 25308  100 253080 0  25308  0  0:00:01 --:--:--  0:00:01  118k
Can't locate object method "new" via package "Dpkg::Compression::Process" 
(perhaps you forgot to load "Dpkg::Compression::Process"?) at /usr/bin/dgit 
line 2185.

Cheers,
OdyX

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'oldstable-proposed-updates'), 
(500, 'unstable'), (500, 'testing'), (500, 'stable'), (100, 'experimental'), 
(1, 'experimental-debug'), (1, 'buildd-unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_CH:fr (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dgit depends on:
ii  apt   1.5
ii  ca-certificates   20170717
ii  coreutils 8.28-1
ii  curl  7.55.1-1
ii  devscripts2.17.10
ii  dpkg-dev  1.19.0.3
ii  dput-ng [dput]1.15
ii  git [git-core]1:2.15.0~rc1-1
ii  git-buildpackage  0.9.0
ii  git-core  1:2.15.0~rc0-1
ii  libdpkg-perl  1.19.0.3
ii  libjson-perl  2.94-1
ii  liblist-moreutils-perl0.416-1+b3
ii  libperl5.24 [libdigest-sha-perl]  5.24.1-7
ii  libperl5.26 [libdigest-sha-perl]  5.26.0-8
ii  libtext-glob-perl 0.10-1
ii  libtext-iconv-perl1.7-5+b6
ii  libwww-perl   6.27-1
ii  perl  5.26.0-8

Versions of packages dgit recommends:
ii  openssh-client [ssh-client]  1:7.6p1-2

Versions of packages dgit suggests:
pn  sbuild  

-- no debconf information

Bug#879535: doctest.h convenience copy: please use the Debian-provided doctest.h

[Didier 'OdyX' Raboud]

Source: manaplus
Version: 1.7.9.2-1
Severity: normal
Tags: patch

src:doctest just got accepted in Debian unstable and provides
/usr/include/doctest/doctest.h in doctest-dev. In order to reduce the use of
convenience copies, please patch manaplus to use this file instead of the
src/unittests/doctest.h copy. A possible patch is attached.

(I also note that the doctest.h's authorship and license are not represented in
d/copyright)

Cheers,
OdyX
diff -Nru manaplus-1.7.9.2/debian/changelog manaplus-1.7.9.2/debian/changelog
--- manaplus-1.7.9.2/debian/changelog   2017-09-12 15:42:48.0 +0200
+++ manaplus-1.7.9.2/debian/changelog   2017-10-22 18:17:45.0 +0200
@@ -1,3 +1,10 @@
+manaplus (1.7.9.2-1.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Add doctest-dev Build-Depends and patch to use its doctest.h (Closes: #-1)
+
+ -- Didier Raboud   Sun, 22 Oct 2017 18:17:45 +0200
+
 manaplus (1.7.9.2-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru manaplus-1.7.9.2/debian/control manaplus-1.7.9.2/debian/control
--- manaplus-1.7.9.2/debian/control 2017-09-12 15:42:48.0 +0200
+++ manaplus-1.7.9.2/debian/control 2017-10-22 18:17:45.0 +0200
@@ -5,6 +5,7 @@
 Maintainer: Patrick Matthäi 
 Standards-Version: 4.1.0
 Build-Depends: debhelper (>= 10),
+ doctest-dev,
  libcurl4-gnutls-dev,
  libgl1-mesa-dev,
  libsdl1.2-dev,
diff -Nru manaplus-1.7.9.2/debian/patches/series 
manaplus-1.7.9.2/debian/patches/series
--- manaplus-1.7.9.2/debian/patches/series  1970-01-01 01:00:00.0 
+0100
+++ manaplus-1.7.9.2/debian/patches/series  2017-10-22 18:09:53.0 
+0200
@@ -0,0 +1 @@
+use_system_doctest.h
diff -Nru manaplus-1.7.9.2/debian/patches/use_system_doctest.h 
manaplus-1.7.9.2/debian/patches/use_system_doctest.h
--- manaplus-1.7.9.2/debian/patches/use_system_doctest.h1970-01-01 
01:00:00.0 +0100
+++ manaplus-1.7.9.2/debian/patches/use_system_doctest.h2017-10-22 
18:17:45.0 +0200
@@ -0,0 +1,28 @@
+Description: Use Debian-provided /usr/include/doctest/doctest.h instead of the 
convenience copy
+Author: Didier Raboud 
+Last-Update: 2017-10-22
+
+--- a/src/Makefile.am
 b/src/Makefile.am
+@@ -2067,10 +2067,6 @@
+ manaplustests_SOURCES += \
+ unittests/catch.hpp
+ endif
+-if ENABLE_UNITTESTS_DOCTEST
+-manaplustests_SOURCES += \
+-unittests/doctest.h
+-endif
+ 
+ if MINGW
+ manaplustests_SOURCES += manaplus.rc
+--- a/src/maingui.cpp
 b/src/maingui.cpp
+@@ -60,7 +60,7 @@
+ #endif  // UNITTESTS_CATCH
+ #ifdef UNITTESTS_DOCTEST
+ #define DOCTEST_CONFIG_IMPLEMENT
+-#include "unittests/doctest.h"
++#include "doctest/doctest.h"
+ #endif  // UNITTESTS_DOCTEST
+ #else  // UNITTESTS
+ #include "utils/xml.h"

Bug#881619: /etc/cups/cups-files.conf: cannot job-edit as root: root missing from SystemGroup

[Didier 'OdyX' Raboud]

Control: tags -1 +wontfix

Le lundi, 13 novembre 2017, 15.34:25 h CET Alban Browaeys a écrit :
> per the man page root should be in cups-files.conf SystemGroup.
> JobPrivateAccess requires @SYSTEM or @OWNER but root in not in any of
> those. Thus root cannot job-edit (cancel jobs)
> This forbid cups-pk-helper from cancelling jobs as it run as root.
> 
> A workaround is adding "root" to "SystemGroup" (which includes
> only lpadmin on debian).

This was discussed last year:
https://lists.debian.org/debian-printing/2016/11/msg00045.html

> In other words, letting cups-pk-helper run as 'root' (but accept commands
> from any allowed users) leads to a user-to-lpadmin privilege escalation. At
> least, it defers access control away from CUPS to cups-pk-helper.

See also
https://bugs.debian.org/698504

https://bugs.launchpad.net/ubuntu/+source/gnome-control-center/+bug/934291

The point is that we don't want to let anyone with access to cups-pk-helper 
delete jobs through it as that defeats the security mechanism put in place by 
CUPS.

The solution is to get cups-pk-helper run as root but use the requesting user 
when using the CUPS API (so that it respects the "system group" restrictions 
of CUPS). In other words, I think this is a bug in how cups-pk-helper runs in 
Debian.

Cheers,
OdyX


signature.asc
Description: This is a digitally signed message part.

Bug#880658: dgit server rejects unattributed commits

[Didier 'OdyX' Raboud]

Package: dgit
Version: 3.13
Severity: normal

I want to use dgit to upload src:cups, but it fails when pusing to the server:

dgit-repos-server: reject: corrupted object 
5b59c734bfc13c2e40061b90d002bfe4794a646c (missing metadata)

Indeed, 5b59c734bfc13c2e40061b90d002bfe4794a646c has a broken author:
> commit 5b59c734bfc13c2e40061b90d002bfe4794a646c
> Author: martin-eric.rac...@iki.fi <>
> Date:   Sat Jan 28 17:01:18 2012 +0200
> 
> [ Martin-Éric Racine ]
> Removed myself from Uploaders.
> (…)

That's unfortunate, but it's history, and I wouldn't like to need to rewrite
all of CUPS's history.

What could be done on that front?

Cheers,
OdyX

-- System Information:
Debian Release: buster/sid
  APT prefers buildd-unstable
  APT policy: (990, 'buildd-unstable'), (500, 'unstable-debug'), (500, 
'oldstable-proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 
'stable'), (100, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_CH:fr (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dgit depends on:
ii  apt   1.6~alpha3
ii  ca-certificates   20170717
ii  coreutils 8.28-1
ii  curl  7.56.1-1
ii  devscripts2.17.11
ii  dpkg-dev  1.19.0.4
ii  dput-ng [dput]1.15
ii  git [git-core]1:2.15.0-1
ii  git-buildpackage  0.9.1
ii  git-core  1:2.15.0~rc0-1
ii  libdpkg-perl  1.19.0.4
ii  libjson-perl  2.94-1
ii  liblist-moreutils-perl0.416-1+b3
ii  libperl5.24 [libdigest-sha-perl]  5.24.1-7
ii  libperl5.26 [libdigest-sha-perl]  5.26.1-2
ii  libtext-glob-perl 0.10-1
ii  libtext-iconv-perl1.7-5+b6
ii  libwww-perl   6.27-1
ii  perl  5.26.1-2

Versions of packages dgit recommends:
ii  openssh-client [ssh-client]  1:7.6p1-2

Versions of packages dgit suggests:
pn  sbuild  

-- no debconf information

Bug#880658: dgit server rejects unattributed commits

[Didier 'OdyX' Raboud]

Le vendredi, 3 novembre 2017, 15.39:20 h CET Ian Jackson a écrit :
> Mattia Rizzolo writes ("Bug#880658: dgit server rejects unattributed 
commits"):
> > Can you try creating a new repository and push it anew?
> > At least for other cases (I'm not sure if this is one of them) github
> > started to reject malformed objects after several were already there
> > (happened with a several pbuilder tags, and ISTR it also happened with
> > some Xorg thing)

Just did that, with that commit as HEAD:
https://github.com/OdyX/test-broken-commits

The push went through without problem.

> Erk.
> 
> Well, if that's the case then I guess I will have to have a
> grandfathering ability where I can make an exception for specific
> commits.  How many are there like this, in this instance ?

Oh, plenty. That commit is the most recent of very ancient history converted 
away from svn.

I don't get why it makes sense to block on git commits which are valid in 
git's eyes… dgit doesn't seem like the right place to be strict about these, 
frankly.

Cheers,
OdyX

Bug#880658: dgit server rejects unattributed commits

[Didier 'OdyX' Raboud]

Le vendredi, 3 novembre 2017, 12.44:57 h CET Ian Jackson a écrit :
> Didier 'OdyX' Raboud writes ("Bug#880658: dgit server rejects unattributed 
commits"):
> > dgit-repos-server: reject: corrupted object
> > 5b59c734bfc13c2e40061b90d002bfe4794a646c (missing metadata)
> > (…)
> Who else accepts/rejects this commit ?

At least GitHub has it:
https://github.com/OdyX/cups/commit/5b59c734bfc13c2e40061b90d002bfe4794a646c

I just got myself an account on Gitlab.com to test that:
https://gitlab.com/OdyX/cups/commit/5b59c734bfc13c2e40061b90d002bfe4794a646c

> The "corrupted object" check is there to stop the dgit repos server
> containing commits that will be rejected by popular git hosting
> sites.
> 
> But maybe if this commit is accepted by gitlab and github I can make
> the check more subtle.

Good, thanks in advance!

Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#880721: FTBFS: fatal error: doctest/doctest.h: No such file or directory

[Didier 'OdyX' Raboud]

Control: reassign -1 src:doctest 1.2.5+repack0-2
Control: retitle -1 doctest-dev built without doctest.h
Control: affects -1 argagg

Le samedi, 4 novembre 2017, 14.27:07 h CET Andreas Moog a écrit :
> Source: argagg
> Severity: serious
> Justification: fails to build from source (but built successfully in the
> past)
> 
> argagg seems to FTBFS in a clean sid environment:

Oh. That's pretty bad. The doctest I uploaded just recently doesn't ship it's 
doctest.h anymore.

Reassigning; fix in progress.

Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#877024: Modemmanager probing of unknown Devices

[Didier 'OdyX' Raboud]

Le lundi, 30 octobre 2017, 14.06:01 h CET Ian Jackson a écrit :
> I can see why the TC might want to avoid making a final ruling without
> proper input from the maintainers.

> But, should I upload to experimental, and later, to sid, as I have
> proposed ?  It's not quite clear whose permission I need.  To some
> people I have already overstepped the mark[1].
> [1] Apparently referring the matter to the TC a mere 5 years after
> the maintainers rejected changing the behaviour is too hasty.  I
> accept of course that the way I recently brought my renewed awareness
> of this problem to the attention of the maintainers wasn't ideal.

My personal take is that waiting only two days between saying "I'm likely to 
escalate to the TC" and doing so [2,3] is quite pushy "against" the 
maintainers who haven't had a reasonable chance to react, especially after two 
years inactivity on a 5 year-old bug.

[2] https://bugs.debian.org/683839#77
[3] https://bugs.debian.org/877024#5

> The dev ref says "Have you geared the NMU towards helping the
> maintainer?" and it all seems rather awkward to me to claim I am
> "helping the maintainer" when AFAICT the maintainers are quite
> unenthusiastic about these proposals.

Claiming that they are unenthusiastic is far-reaching IMHO. We just don't know 
what they think of the change, really. I wouldn't necessarily interpret the 
removal from the maintainers' field as a statement of opinion on these 
proposed changes, but much more about who the process went, and was handled by 
the TC too.

Le lundi, 30 octobre 2017, 13.45:00 h CET Sam Hartman a écrit :
> Wou/ld it be reasonable for him to make an NMU to experimental, and then
> if there is no objection after testing to unstable?
> 
> In parallel, it seems desirable to see if any of the maintainers are
> active.

The latter looks like a prerequisite to me, frankly. It seems to me from 
reading the bug log again that a solution is being worked out by upstream; and 
that this solution seems fine to the people who have intervened in this very 
bug. So it looks like the solution is ahead, "just" not yet in a Debian 
package. That bug exists in Debian for 5+ years, so I really don't see the 
urgency for an NMU, and would much rather let the current maintainers include 
the upstream version which includes the fix (and configure it appropriately) 
when they see fit.

Cheers,
OdyX

Bug#883573: Reevaluate libpam-systemd systemd-sysv dependency ordering (746578)

[Didier 'OdyX' Raboud]

Hi Julian,

Le mardi, 5 décembre 2017, 12.26:43 h CET Julian Andres Klode a écrit :
> In 746578, the CTTE decided that the dependency be swapped
> to systemd-shim | systemd-sysv in order to prevent systems
> from being upgraded installing systemd.
> 
> (…)
> 
> I thus opened bug 883569 against systemd, but mbiebl would like to
> get permission from the you first.

Thank you for filiing this bug. This is just a short answer to acknowledge it 
as well as provide visibility upon the timeframe for its resolution. As you 
might be aware from discussions on the debian-ctte@l.d.o list, we are 
currently discussing seat-filling, both concretely and meta, so our energy is 
spread accross these topics already. Also, December is notorious for being a 
dense period in the year for many, TC members included.

My hope is that the TC will be able to spend enough energy to get this ball 
rolling, with a resolution somewhere in January.

With my best regards,
OdyX

Bug#879495: gbp dch fails with UnboundLocalError

[Didier 'OdyX' Raboud]

Package: git-buildpackage
Version: 0.9.0
Severity: normal
File: gbp-dch

On multiple of my repositories, `gbp dch` fails with the following error:

(That's on https://anonscm.debian.org/cgit/pkg-games/planetblupi.git )

$ gbp dch --release --verbose
gbp:debug: ['git', 'rev-parse', '--show-cdup']
gbp:debug: ['git', 'rev-parse', '--is-bare-repository']
gbp:debug: ['git', 'rev-parse', '--git-dir']
gbp:debug: ['git', 'symbolic-ref', 'HEAD']
gbp:debug: ['git', 'show-ref', 'refs/heads/debian/master']
gbp:debug: ['git', 'tag', '-l', 'debian/1.11.0-1']
gbp:debug: ['git', 'rev-parse', '--quiet', '--verify', 'debian/1.11.0-1^0']
gbp:debug: ['git', 'log', '--pretty=format:%H', 
'a1f72589d8e0285b65438bb924197a3dd5a93bb2..HEAD', '--no-merges', '--']
gbp:debug: ['git', 'merge-base', 'HEAD', 'upstream/latest']
gbp:debug: ['git', 'describe', '--match', 'upstream/*', '--abbrev=0', 
'e0ace8819512553d3680e912e419a5df1b8295ab']
gbp:debug: Found upstream version None.
gbp:debug: /usr/bin/dpkg ['--compare-versions'] [None, 'lt', '1.11.0-1']
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/gbp/command_wrappers.py", line 232, in 
call
ret = self.__call(args)
  File "/usr/lib/python3/dist-packages/gbp/command_wrappers.py", line 125, in 
__call
stderr=stderr_arg)
  File "/usr/lib/python3.6/subprocess.py", line 709, in __init__
restore_signals, start_new_session)
  File "/usr/lib/python3.6/subprocess.py", line 1275, in _execute_child
restore_signals, start_new_session, preexec_fn)
TypeError: expected str, bytes or os.PathLike object, not NoneType

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/gbp", line 151, in 
sys.exit(supercommand())
  File "/usr/bin/gbp", line 147, in supercommand
return module.main(args)
  File "/usr/lib/python3/dist-packages/gbp/scripts/dch.py", line 506, in main
options.upstream_branch, cp)
  File "/usr/lib/python3/dist-packages/gbp/scripts/dch.py", line 52, in 
guess_version_from_upstream
if compare_versions(version, cp.version) > 0:
  File "/usr/lib/python3/dist-packages/gbp/deb/__init__.py", line 111, in 
compare_versions
return DpkgCompareVersions()(version1, version2)
  File "/usr/lib/python3/dist-packages/gbp/deb/__init__.py", line 66, in 
__call__
res = self.call([version1, 'lt', version2])
  File "/usr/lib/python3/dist-packages/gbp/command_wrappers.py", line 237, in 
call
if ret and not quiet:
UnboundLocalError: local variable 'ret' referenced before assignment



-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'oldstable-proposed-updates'), 
(500, 'unstable'), (500, 'testing'), (500, 'stable'), (100, 'experimental'), 
(1, 'experimental-debug'), (1, 'buildd-unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_CH:fr (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages git-buildpackage depends on:
ii  devscripts 2.17.10
ii  git1:2.15.0~rc1-1
ii  man-db 2.7.6.1-2
ii  python33.6.3-1
ii  python3-dateutil   2.6.1-1
ii  python3-pkg-resources  36.2.7-2
ii  python3-six1.11.0-1

Versions of packages git-buildpackage recommends:
ii  cowbuilder0.85
ii  pbuilder  0.228.9
ii  pristine-tar  1.42
ii  python3-requests  2.18.1-1

Versions of packages git-buildpackage suggests:
ii  python3-notify2  0.3-3
ii  sudo 1.8.21p2-2
ii  unzip6.0-21

-- no debconf information

Bug#879495: gbp dch fails with UnboundLocalError

[Didier 'OdyX' Raboud]

Le dimanche, 22 octobre 2017, 12.04:37 h CEST Didier 'OdyX' Raboud a écrit :
> Le dimanche, 22 octobre 2017, 11.52:25 h CEST Didier 'OdyX' Raboud a écrit :
> > $ gbp dch --release --verbose
> > gbp:debug: ['git', 'rev-parse', '--show-cdup']
> > gbp:debug: ['git', 'rev-parse', '--is-bare-repository']
> > gbp:debug: ['git', 'rev-parse', '--git-dir']
> > gbp:debug: ['git', 'symbolic-ref', 'HEAD']
> > gbp:debug: ['git', 'show-ref', 'refs/heads/debian/master']
> > gbp:debug: ['git', 'tag', '-l', 'debian/1.11.0-1']
> > gbp:debug: ['git', 'rev-parse', '--quiet', '--verify',
> > 'debian/1.11.0-1^0']
> > gbp:debug: ['git', 'log', '--pretty=format:%H',
> > 'a1f72589d8e0285b65438bb924197a3dd5a93bb2..HEAD', '--no-merges', '--']
> > gbp:debug: ['git', 'merge-base', 'HEAD', 'upstream/latest']
> > gbp:debug: ['git', 'describe', '--match', 'upstream/*', '--abbrev=0',
> > 'e0ace8819512553d3680e912e419a5df1b8295ab'] gbp:debug: Found upstream
> > version None.
> > gbp:debug: /usr/bin/dpkg ['--compare-versions'] [None, 'lt', '1.11.0-1']
> > 
> > Traceback (most recent call last):
> >   File "/usr/lib/python3/dist-packages/gbp/command_wrappers.py", line 232,
> > 
> > in call ret = self.__call(args)
> > 
> >   File "/usr/lib/python3/dist-packages/gbp/command_wrappers.py", line 125,
> > 
> > in __call stderr=stderr_arg)
> > 
> >   File "/usr/lib/python3.6/subprocess.py", line 709, in __init__
> >   
> > restore_signals, start_new_session)
> >   
> >   File "/usr/lib/python3.6/subprocess.py", line 1275, in _execute_child
> >   
> > restore_signals, start_new_session, preexec_fn)
> > 
> > TypeError: expected str, bytes or os.PathLike object, not NoneType
> > 
> > During handling of the above exception, another exception occurred:
> > 
> > Traceback (most recent call last):
> >   File "/usr/bin/gbp", line 151, in 
> >   
> > sys.exit(supercommand())
> >   
> >   File "/usr/bin/gbp", line 147, in supercommand
> >   
> > return module.main(args)
> >   
> >   File "/usr/lib/python3/dist-packages/gbp/scripts/dch.py", line 506, in
> > 
> > main options.upstream_branch, cp)
> > 
> >   File "/usr/lib/python3/dist-packages/gbp/scripts/dch.py", line 52, in
> > 
> > guess_version_from_upstream if compare_versions(version, cp.version) > 0:
> >   File "/usr/lib/python3/dist-packages/gbp/deb/__init__.py", line 111, in
> > 
> > compare_versions return DpkgCompareVersions()(version1, version2)
> > 
> >   File "/usr/lib/python3/dist-packages/gbp/deb/__init__.py", line 66, in
> > 
> > __call__ res = self.call([version1, 'lt', version2])
> > 
> >   File "/usr/lib/python3/dist-packages/gbp/command_wrappers.py", line 237,
> > 
> > in call if ret and not quiet:
> > UnboundLocalError: local variable 'ret' referenced before assignment
> 
> This fails because I did `git tag upstream/1.11.0 v1.11.0` but that creates
> a tag pointing to a tag. Doing `git tag -m v1.11.0 upstream/1.11.0` fixes
> the above.

$ git tag upstream/1.11.0 `git rev-parse v1.11.0` 

sorry…

OdyX

Bug#879495: gbp dch fails with UnboundLocalError

[Didier 'OdyX' Raboud]

Le dimanche, 22 octobre 2017, 11.52:25 h CEST Didier 'OdyX' Raboud a écrit :
> $ gbp dch --release --verbose
> gbp:debug: ['git', 'rev-parse', '--show-cdup']
> gbp:debug: ['git', 'rev-parse', '--is-bare-repository']
> gbp:debug: ['git', 'rev-parse', '--git-dir']
> gbp:debug: ['git', 'symbolic-ref', 'HEAD']
> gbp:debug: ['git', 'show-ref', 'refs/heads/debian/master']
> gbp:debug: ['git', 'tag', '-l', 'debian/1.11.0-1']
> gbp:debug: ['git', 'rev-parse', '--quiet', '--verify', 'debian/1.11.0-1^0']
> gbp:debug: ['git', 'log', '--pretty=format:%H',
> 'a1f72589d8e0285b65438bb924197a3dd5a93bb2..HEAD', '--no-merges', '--']
> gbp:debug: ['git', 'merge-base', 'HEAD', 'upstream/latest']
> gbp:debug: ['git', 'describe', '--match', 'upstream/*', '--abbrev=0',
> 'e0ace8819512553d3680e912e419a5df1b8295ab'] gbp:debug: Found upstream
> version None.
> gbp:debug: /usr/bin/dpkg ['--compare-versions'] [None, 'lt', '1.11.0-1']
> Traceback (most recent call last):
>   File "/usr/lib/python3/dist-packages/gbp/command_wrappers.py", line 232,
> in call ret = self.__call(args)
>   File "/usr/lib/python3/dist-packages/gbp/command_wrappers.py", line 125,
> in __call stderr=stderr_arg)
>   File "/usr/lib/python3.6/subprocess.py", line 709, in __init__
> restore_signals, start_new_session)
>   File "/usr/lib/python3.6/subprocess.py", line 1275, in _execute_child
> restore_signals, start_new_session, preexec_fn)
> TypeError: expected str, bytes or os.PathLike object, not NoneType
> 
> During handling of the above exception, another exception occurred:
> 
> Traceback (most recent call last):
>   File "/usr/bin/gbp", line 151, in 
> sys.exit(supercommand())
>   File "/usr/bin/gbp", line 147, in supercommand
> return module.main(args)
>   File "/usr/lib/python3/dist-packages/gbp/scripts/dch.py", line 506, in
> main options.upstream_branch, cp)
>   File "/usr/lib/python3/dist-packages/gbp/scripts/dch.py", line 52, in
> guess_version_from_upstream if compare_versions(version, cp.version) > 0:
>   File "/usr/lib/python3/dist-packages/gbp/deb/__init__.py", line 111, in
> compare_versions return DpkgCompareVersions()(version1, version2)
>   File "/usr/lib/python3/dist-packages/gbp/deb/__init__.py", line 66, in
> __call__ res = self.call([version1, 'lt', version2])
>   File "/usr/lib/python3/dist-packages/gbp/command_wrappers.py", line 237,
> in call if ret and not quiet:
> UnboundLocalError: local variable 'ret' referenced before assignment

This fails because I did `git tag upstream/1.11.0 v1.11.0` but that creates a 
tag pointing to a tag. Doing `git tag -m v1.11.0 upstream/1.11.0` fixes the 
above.

Cheers,
OdyX

Bug#897221: Session logout doesn't TERMinate all processes

[Didier 'OdyX' Raboud]

!Holà Maxy!

Le jeudi, 3 mai 2018, 17.53:12 h CEST Maximiliano Curia a écrit :
> El 2018-04-30 a las 12:21 +0200, Didier 'OdyX' Raboud escribió:
> > I routinely run two sessions in parallel (pro & private); and I noticed
> > that sddm (which I assume is handling the logind session) doesn't
> > coherently TERMinate (or KILL after some delay) processes from a
> > logged-out session.
> > 
> > Some of these consume ressources (akonadiserver is the usual culprit), but
> > more importantly; keeping these alive will  break subsequent sessions for
> > the same user (plasma, akonadi, etc).
> 
> I guess akonadiserver is started as a detached process, so ksmserver doesn't
> know about it.
> 
> Anyway the problem are the processes that are in the systemd concept of
> session but not in the kde concept of session, those are the ones that
> systemd is waiting for, and ksmserver has long forgotten about them.
> 
> Please check loginctl session-status  (The id can be obtained with
> loginctl list-sessions)

I noticed it also appears when disconnecting, and reconnecting back. Akonadi 
is then broken, etc etc.

Hereattached is a log of the processes from a stopped session. It really feels 
like plasma doesn't stop its child processes from the systray either.

> Mmh, this is a complex problem. Debian systemd reverts the default logind
> configuration KillUserProcesses, that effectively terminates the session
> when the user logs out, and most desktop environments assume this is set to
> it's default value, so they don't have to deal with the processes started
> by systemd --user, which, by the way, the desktop environment had nothing
> to do with.
> 
> Also, kde does nothing to remember which processes were started as autostart
> desktop files.
> 
> Gnome "fixes" this by terminating the logind session, as if
> KillUserProcesses was set, at the cost of breaking tmux and screen (which is
> the reason why Debian reverts the KillUserProcesses setting on the first
> place).
> 
> So, either we need to fix tmux and screen to they can be detached from the
> logind session, or fix the kde concept of session so it matches better what
> logind expects.

The first alternative looks like the correct thing to do to me. So a route to 
fix this is for systemd to revert the KillUserProcesses back to upstream's 
default, right? This was apparently last reinforced in systemd 234-3 and was 
discussed in #825394.

But it doesn't seem like this would gather consensus currently. How hard is it 
to get KDE to grow better login session processes handling?

Cheers,
OdyX3 - didier (1000)
   Since: Wed 2018-06-06 18:38:57 CEST; 45min ago
  Leader: 1849
Seat: seat0; vc7
 Display: :0
 Service: sddm; type x11; class user
 Desktop: KDE
   State: closing
Unit: session-3.scope
  ├─ 2690 /usr/lib/postgresql/9.6/bin/postgres -D 
/home/didier/.local/share/akonadi/db_data -k/tmp/akonadi-didier.bR0FSO -h
  ├─ 2695 postgres: checkpointer process   
  ├─ 2696 postgres: writer process   
  ├─ 2697 postgres: wal writer process   
  ├─ 2698 postgres: autovacuum launcher process   
  ├─ 2699 postgres: stats collector process   
  ├─ 2955 /usr/lib/at-spi2-core/at-spi-bus-launcher 
--launch-immediately
  ├─ 2976 /usr/bin/dbus-daemon 
--config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork 
--print-address 3
  ├─ 2986 /usr/bin/perl /usr/bin/parcimonie-applet
  ├─ 3083 /usr/bin/python3 /usr/bin/hp-systray -x
  ├─ 3086 /usr/bin/python3 /usr/bin/hp-systray -x
  ├─ 3920 
/usr/lib/x86_64-linux-gnu/libexec/kf5/kio_http_cache_cleaner
  ├─20252 postgres: didier akonadi [local] idle
  ├─20277 postgres: didier akonadi [local] idle
  ├─20278 postgres: didier akonadi [local] idle
  ├─20507 postgres: didier akonadi [local] idle
  ├─20509 postgres: didier akonadi [local] idle
  ├─20792 /usr/lib/at-spi2-core/at-spi2-registryd 
--use-gnome-session
  ├─21250 postgres: didier akonadi [local] idle
  ├─21252 postgres: didier akonadi [local] idle
  ├─21318 postgres: didier akonadi [local] idle
  └─21377 postgres: didier akonadi [local] idle

jun 06 18:38:57 gyllingar sddm-helper[1871]: Adding cookie to 
"/home/didier/.Xauthority"
jun 06 18:39:04 gyllingar /hp-systray[2797]: hp-systray[2797]: error: option -s 
not recognized
jun 06 18:39:54 gyllingar sudo[3695]:   didier : TTY=pts/0 ; PWD=/home/didier ; 
USER=root ; COMMAND=/usr/bin/aptitude
jun 06 18:39:54 gyllingar sudo[3695]: pam_unix(sudo:sessi

Bug#902226: debian-installer-netboot-images: FTBFS in stretch, even when allowing network access

[Didier 'OdyX' Raboud]

Hi theres,

Le lundi, 25 juin 2018, 01.33:38 h CEST Cyril Brulebois a écrit :
> Cyril Brulebois  (2018-06-24):
> > At first glance, it seems to me this bug could be addressed in two
> > different ways, which don't seem to be too convoluted. The first way
> > would be to try the s-p-u download and fall back to s download, for each
> > and every download. But this could (probably only theoretically) lead to
> > inconsistent downloads, mixing bits and pieces from s-p-u and from s.
> > Plus plenty of errors when the default location isn't the right one.

Exactly. If a pure s-p-u build fails, it's because the s-p-u debian-installer 
isn't built on all architectures, so the d-i-n-i s-p-u build should really 
fail. (acronyms ftw)

> > I suppose a better way would be to figure out with an early test if the
> > target version is available in s-p-u or in s, and then pick the right
> > suite for all downloads. Patches for this second approach are welcome.

That seems more fool-proof and consistent: download from a single suite: 
either from s-p-u or from stretch only, and for all archs.

> I've pushed a prospective branch (pu/fix-ftbfs-in-stretch) with two commits:
> https://salsa.debian.org/installer-team/debian-installer-netboot-images/com
> mit/86f910f8e1e60e308747a7f53045862705b0a132
> https://salsa.debian.org/installer-team/debian-installer-netboot-images/com
> mit/eb2e5b3fb437b288c4c83427fb1c0d213f7b5a5e

Looks good to me, given that strategy.

> Only checked with the first few architectures (still on limited bandwidth),
> but that seems to do the trick. Slightly not happy about having that check
> and fallback done for each and every architecture (instead of once and for
> all), which could again lead to bits and pieces from both sources mixed
> together); but I guess that's a reasonable compromise (no big changes needed
> in the code).

I've tried for some time to (ab)use make targets to modify DISTRIBUTION 
depending on partial calls to get_images, but failed.

Given my failed attempts, I suspect your patches are the lesser evilfor 
solving this. But I'm not convinced that solving this is better than ensuring 
we only ever build "pure-stretch" or "pure-stretch-proposed-updates" d-i-n-
i's.

> I'll let others comment on this bug report plus proposed solution; Didier
> maybe?

Thanks for the explicit ping; I'm not on top of Debian things these days.

Cheers,
OdyX

Bug#897221: Session logout doesn't TERMinate all processes

[Didier 'OdyX' Raboud]

Package: sddm
Version: 0.17.0-1
Severity: important
Tags: upstream

I routinely run two sessions in parallel (pro & private); and I noticed that
sddm (which I assume is handling the logind session) doesn't coherently
TERMinate (or KILL after some delay) processes from a logged-out session.

Some of these consume ressources (akonadiserver is the usual culprit), but more
importantly; keeping these alive will  break subsequent sessions for the same
user (plasma, akonadi, etc).

Running:
# loginctl terminate-user 
circumvents the issue, but that should really be done by the login manager.

Please tell me if there's something I can do to help here.

Cheers,
OdyX

-- System Information:
Debian Release: buster/sid
  APT prefers buildd-unstable
  APT policy: (990, 'buildd-unstable'), (500, 'unstable-debug'), (500, 
'oldstable-proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 
'stable'), (100, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_CH:fr (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages sddm depends on:
ii  adduser 3.117
ii  debconf [debconf-2.0]   1.5.66
ii  libc6   2.27-3
ii  libgcc1 1:8-20180425-1
ii  libpam0g1.1.8-3.7
ii  libqt5core5a5.10.1+dfsg-5
ii  libqt5dbus5 5.10.1+dfsg-5
ii  libqt5gui5  5.10.1+dfsg-5
ii  libqt5network5  5.10.1+dfsg-5
ii  libqt5qml5  5.10.1-4
ii  libqt5quick55.10.1-4
ii  libstdc++6  8-20180425-1
ii  libsystemd0 238-4
ii  libxcb-xkb1 1.13-1
ii  libxcb1 1.13-1
ii  qml-module-qtquick2 5.10.1-4
ii  x11-common  1:7.7+19
ii  xserver-xorg [xserver]  1:7.7+19
ii  xvfb [xserver]  2:1.19.6-1

Versions of packages sddm recommends:
ii  libpam-systemd  238-4
ii  sddm-theme-breeze [sddm-theme]  4:5.12.4-1

Versions of packages sddm suggests:
ii  libpam-kwallet5   5.12.1-1
pn  qtvirtualkeyboard-plugin  

-- debconf information:
  sddm/daemon_name: /usr/bin/sddm
* shared/default-x-display-manager: sddm

Bug#879214: ITP: planetblupi -- Planet Blupi - A delirious spell-binding game

[Didier 'OdyX' Raboud]

Package: wnpp
Severity: wishlist
Owner: Didier 'OdyX' Raboud <o...@debian.org>

Package name: planetblupi
Version : 1.11.0
Upstream Author : Mathieu Schroeter, Daniel Roux, EPSITEC SA & Denis Dumoulin
URL : http://blupi.org/
License : GPL-3+
Programming Lang: C++
Description : Planet Blupi - A delirious spell-binding game
 Planet Blupi is a strategy and adventure game. It subtly blends action with
 thought-provoking challenges. Behind the quiet and gentle facade, you'll enjoy
 a fascinating diversion full of surprises.

This is another of the finally-freed games from Epsitec. The other one is
Colobot (src:colobot), already in Debian.

Its build-dependencies have reached NEW already. I will put it under the
Debian Games Team umbrella.

Bug#880014: Call for (self-)nominations for a Technical Committee seat

[Didier 'OdyX' Raboud]

Dear Debian Contributors,

Our Constitution imposes an expiry on Technical Committee terms, and it's that 
time of the year again: Keith Packard 's term will expire on December 
31st 2017. The Technical Committee would like to thank Keith for serving since 
November 2013, in addition to all the other work he does for Debian.

To fill this seat, we are soliciting nominations, including self-nominations. 
To nominate yourself or someone else, please send an e-mail to
debian-ctte-priv...@debian.org with the subject "TC Nomination of loginname", 
where loginname is the nominee's Debian account login¹. Please let us know in 
the body of the e-mail why the nominee would be a good fit for the TC, 
specifically instances where the nominee was able to help resolve 
disagreements, both technical and non-technical. We would like to start our 
selection process on or about the first of December.

Being a member of the TC does require a time commitment. Members should be 
able to follow e-mail discussions on an ongoing basis and respond within a 
couple of days so that discussions progress. Members should ideally be able to 
spend 10 hours a month for relatively busy months, but typical time 
requirements will be less.

We are in the process of documenting how the TC implements the nomination 
process as outlined in §6.2, including clarifying what is made public (such as 
nominations) and when. Any nominee is of course free to drop off the process 
at any point in time.

Regards,
OdyX, for the TC

¹ See http://db.debian.org/ if you need to look the login up

signature.asc
Description: This is a digitally signed message part.

Bug#880014: 2018 - New TC member

[Didier 'OdyX' Raboud]

Package: tech-ctte
User: tech-c...@packages.debian.org

According to our Constitution's §6.2, Keith's term will expire at the end of
this year, freeing one seat on the TC from January 1st 2018 on.

This bug will track that process.

Bug#888743: pidofproc returns PIDs in foreign chroots and containers

[Didier 'OdyX' Raboud]

Hi there Harald,

Le lundi, 29 janvier 2018, 14.19:53 h CET Harald Dunkel a écrit :
> Apparently pidofproc returns the PIDs of programs running
> in a chroot or in a container, if there is no local PID file.
> This is a *huge* problem for me, because either the init
> scripts on the host fail to restart services, or they affect
> services running in a container/chroot.
> (…)
> lsb-base version 9.20170808 has the same problem. I would highly
> appreciate a fix for stretch and sid.

For all practical concerns, you should consider the LSB package orphaned (and 
I should probably just go ahead and orphan it).

For the bug at hand, I would recommend checking what Ubuntu has in their 
pidofproc command in lsb-base, but I've long resisted re-using theirs as the 
list of conditionals is really scary. Any update of src:lsb goes on _all 
possible Debian machines_, so that didn't leave me with a lot of willingness 
to change anything there.

I'm not opposed to a change there, and I don't challenge the validity of that 
bug, I'm merely saying that I won't be the one pushing it. Patches and NMUs 
welcome, but please upload to experimental first! :-)

Cheers,
OdyX


signature.asc
Description: This is a digitally signed message part.

Bug#889493: tech-ctte: Please review if systemd is reliable enough to be the default

[Didier 'OdyX' Raboud]

Le samedi, 3 février 2018, 22.22:19 h CET Philip Hands a écrit :
> On Sat, 03 Feb 2018, "Kingsley G. Morse Jr."  wrote:
> > Package: tech-ctte
> 
> I don't formally have the right to simply close this bug (as I am now
> doing), so if anyone else on the TC thinks there is any merit whatsoever
> in this bug report, please feel free to reopen it.

I concur with the closing of this bug, thank you for promptly doing so.

Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#880014: Call for Votes for new TC member

[Didier 'OdyX' Raboud]

The current number of nominees is: 1
The current number of accepted nominations is: 0.

(The request for accept/decline has just been sent now.)

Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.