Bug#482522: krb5-user - klist should mark expired tickets

2008-06-04 Thread Sam Hartman
 Russ == Russ Allbery [EMAIL PROTECTED] writes:


Russ It doesn't always do so, but I've seen the behavior that
Russ you've seen before and I'm not sure what the difference is.
Russ When I authenticate with the default Debian krb5.conf
Russ against the stanford.edu realm, I don't get renewable
Russ tickets (even though renewable tickets are supported), but I
Russ do see this with our test realm, which is running the same
Russ versions of all of the software.  kdc.conf looks the same,
Russ as do the relevant principal settings.  Hm.

It sets the renewable_ok flag, requesting that if the requested
lifetime cannot be satisfied without renewable tickets, then renewable
tickets are OK.



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#480434: setting package to krb5 krb5-admin-server krb5-user libkrb5-dbg krb5-pkinit libkrb5-dev krb5-kdc-ldap krb5-kdc krb5-rsh-server krb5-ftpd krb5-clients krb5-doc krb5-telnetd libkadm55 libkrb

2008-06-15 Thread Sam Hartman
# Automatically generated email from bts, devscripts version 2.10.28
#
# krb5 (1.6.dfsg.4~beta1-2) unstable; urgency=low
#
#  * Patch from Bryan Kadzban to look inside spnego union_creds when
#    looking for a specific mechanism cred.  This allows spnego creds to be
#    used when copying out to a ccache after delegation, Closes: #480434
#  * krb5_verify_init_creds uses the default realm if it gets a referral
#    realm as input for server, Closes: #435427
#  * Add -DFORTIFY_SOURCE=2 and -fstack-protector on ia32 and x86_64 at the
#    request of Moritz Muehlenhoff; he was unsure that adding these flags on
#    other platforms would be a good idea.  I'd be happy to expand the list at
#    the request of port maintainers, Closes: #484371

package krb5 krb5-admin-server krb5-user libkrb5-dbg krb5-pkinit libkrb5-dev 
krb5-kdc-ldap krb5-kdc krb5-rsh-server krb5-ftpd krb5-clients krb5-doc 
krb5-telnetd libkadm55 libkrb53
tags 480434 + pending
tags 435427 + pending
tags 484371 + pending







Bug#482528: heimdal-clients,krb5-user - please make kadmin co-installable

2008-07-07 Thread Sam Hartman
 Russ == Russ Allbery [EMAIL PROTECTED] writes:

Russ Bastian Blank [EMAIL PROTECTED] writes:
 The policy mandates that one (or, if no consensus is reached,
 both) programs needs to be renamed in such a case (see
 §10.1). But in this case the functionality and the
 commandline interface should be similar enough, both
 administers kerberos, to use alternatives.

Russ Okay.  I've been wanting to do that for a while for all of
Russ the command-line clients between Heimdal and MIT, so that's
Russ more incentive.

As krb5 maintainer, I concur with Russ that the interfaces are not
similar enough for alternatives to be appropriate and that renaming
kadmin would have the significant disadvantage of breaking lots of
stuff.

I'm not saying what we should do here other than that alternatives
definitely seems wrong here.






Bug#482528: heimdal-clients,krb5-user

2008-07-08 Thread Sam Hartman
Yeah, I'm reasonably sure that alternatives are wrong for kadmin.
Editor is intended to be used by a user.  Kadmin is often used by
users but is also quite often used by scripts.

Editors also can all work with text files.  It's basically not true
that you can use a heimdal kadmin against an MIT realm.  I can think
of basically no situation where they are interchangeable.  However I
can think of many tasks where I'd be equally happy to use ed as Emacs.







Bug#480523: This is ldap specific

2008-05-28 Thread Sam Hartman


I cannot reproduce this without ldap.
I should go set up an ldap test realm.






Bug#483382: ITP: barnowl -- curses based jabber, zephyr and IRC client

2008-05-28 Thread Sam Hartman

package: wnpp
severity: wishlist

Barnowl can be obtained from http://barnowl.mit.edu/.  It is a fork of
owl, which is already in Debian.  Barnowl adds Jabber and IRC support
and fixes many bugs providing a new extensibility architecture.

I've discussed my plans to package barnowl with the Owl maintainer
(Mark Eichin).  He supports barnowl being packaged for Debian.  At
some future point it may be desirable to remove owl.  Today though we
both believe that would be a big transition for the owl community.

The main body of barnowl is distributed under the following license:

From owl.c:

/*  Copyright (c) 2004 James Kretchmar. All rights reserved.
 *
 *  Redistribution and use in source and binary forms, with or without
 *  modification, are permitted provided that the following conditions are
 *  met:
 *  
 *  * Redistributions of source code must retain the above copyright
 *  notice, this list of conditions and the following disclaimer.
 *  
 *  * Redistributions in binary form must reproduce the above copyright
 *  notice, this list of conditions and the following disclaimer in
 *  the documentation and/or other materials provided with the
 *  distribution.
 *  
 *  * Redistributions in any form must be accompanied by information on
 *  how to obtain complete source code for the Owl software and any
 *  accompanying software that uses the Owl software. The source code
 *  must either be included in the distribution or be available for no
 *  more than the cost of distribution plus a nominal fee, and must be
 *  freely redistributable under reasonable conditions. For an
 *  executable file, complete source code means the source code for
 *  all modules it contains. It does not include source code for
 *  modules or files that typically accompany the major components of
 *  the operating system on which the executable file runs.
 *  
 * 
 *  THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 *  IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 *  WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
 *  NON-INFRINGEMENT, ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
 *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 *  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 *  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
 *  BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
 *  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 *  OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 *  IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */


In addition, barnowl includes a modified copy of XML::Stream ,
Net::Jabber and Net::XMPP.  They are distributed under the LGPL.





Bug#487113: Barnowl crashes on call to Process

2008-06-19 Thread Sam Hartman
package: barnowl
severity: serious
Version: 1.0.1-3
justification: should not enter testing while this unstable.

Several people have been reporting reasonably frequent crashes related
to errors not being handled in calls to Net::XMPP::Connection::process.
The error takes out the entire owl session and creates a significant
stability issue.  As maintainer, I think this should block progression
into testing at least until it is understood.







Bug#480523: the fix

2008-06-19 Thread Sam Hartman
From upstream.

I'll apply and upload.

ticket: 5545

If no salt is included with the key data, set the salt length field to 0.
Bug report and patch from Nalin Dahyabhai.







Bug#487296: kadmind runs ignoring RUN_KADMIND=false

2008-06-21 Thread Sam Hartman
Version: 1.6.dfsg.1-6

Thanks for your report.
This issue will be fixed in the upcoming lenny release and has already been 
fixed in testing and unstable.






Bug#487563: [l10n] swedish (sv) strings for krb5

2008-06-22 Thread Sam Hartman
Hi.  I've added your translations; they are certainly new and
appreciated.  However they are slightly out of date.  I've attached
sv.po after running debconf-updatepo against the latest release in
unstable.  If you get a chance to supply additional updates, please do
so on a new bug.



sv.po
Description: Binary data


Bug#480417: Duplicity exposes credentials in the nvironment without need

2008-05-09 Thread Sam Hartman
package: duplicity
severity: important
tags: security
Version: 0.4.10-1

The boto class in backends.py requires that AWS_ACCESS_KEY_ID and
AWS_SECRET_ACCESS_KEY be set.  However python-boto is perfectly happy
to read these values out of ~/.boto.

The process environment is public; setting passwords in the
environment is problematic because everyone on a multi-user system can
read them.  Therefore duplicity really should take advantage of
python-boto's facility for reading passwords out of config files.

All that needs to happen is that the check for these environment
variables needs to be removed.







Bug#480417: Duplicity exposes credentials in the nvironment without need

2008-05-10 Thread Sam Hartman
 Alexander == Alexander Zangerl [EMAIL PROTECTED] writes:

Alexander severity 480417 normal tags 480417 = pending thanks

Alexander On Fri, 09 May 2008 17:25:24 -0400, Sam Hartman writes:
 The process environment is public;

Alexander that's not correct. (are you maybe mixing this up with
Alexander the cmdline which is indeed public?)

No, I think this changed while I wasn't looking.  I certainly know the
environment is public on Solaris and *BSD and thought it used to be
public on old versions of Linux.
However you are correct that on my current system it appears private.







Bug#363237: libpam-modules: pam_access (and pam_{group, filter, time}?) aborts for atd

2006-04-20 Thread Sam Hartman
It seems like either a blank tty name should be allowed or things like
atd should not include common-account.






Bug#291498: ssh-krb5: package description has a spurious 'p' character

2005-01-21 Thread Sam Hartman
tags 291498 pending
thanks

Thanks much.
Fixed in my svn and in the next upload.







Bug#364308: krb5-admin-server: kadmind stalls on system boot due to readin from /dev/random

2006-04-26 Thread Sam Hartman
 Russ == Russ Allbery [EMAIL PROTECTED] writes:

Russ Ah, okay, thank you for the information.  I didn't realize
Russ that that flag did the equivalent of setting the file
Russ descriptor non-blocking; I thought it only affected the open
Russ itself.  That's a good thing to learn.

Russ That being said, I don't think this is really the best fix.
Russ I'm not at all confident in the security implications of
Russ allowing kadmind to proceed with insufficient entropy.
Russ Instead, it seems to me that the correct fix would be for
Russ kadmind to background itself before going looking for
Russ entropy rather than afterwards.  That kadmind waits for good
Russ entropy before answering requests isn't actually a bug; the
Russ real bug is that it blocks the system boot process while
Russ doing so.

I agree with Russ's analysis; having kadmind answer requests without
entropy would be bad.

--Sam






Bug#350041: krb5: [INTL:da] Danish debconf translation

2006-01-27 Thread Sam Hartman
You sent me a templates.pot not a de.po.





Bug#344447: Bug #344447: security/pam_client.h: Redefinition of internal libc/libstdc++ types breaks unrelated software

2006-01-30 Thread Sam Hartman
[EMAIL PROTECTED] has been doing most of the pam maintenance lately.
I'd rather you run your fix by him.






Bug#350243: openafs-client: possible to kill afsd during init

2006-01-30 Thread Sam Hartman
Does turning on fakeroot and fakestat help with this?






Bug#364308: krb5-admin-server: kadmind stalls on system boot due to readin from /dev/random

2006-07-10 Thread Sam Hartman
 Russ == Russ Allbery [EMAIL PROTECTED] writes:

Russ Sam, do you know what parts of kadmind use the random number
Russ generator?  Is it sufficient for security to seed the random
Russ number generator before the first client connection is
Russ handled, or does it have to be done before kadm5_init, RPC
Russ service creation, fiddling with the kdb keytab, and so
Russ forth?  I'm looking at the implications of the following
Russ patch, which builds and passes the test suite.


I think that you really just want to seed the rng before generating
the first long-term key, so before the first client connection should
be fine.

--Sam






Bug#385259: quoted_chars support seems broken

2006-08-29 Thread Sam Hartman
package: rdiff-backup


I tried backing up my home directory onto a vfat filesystem.
rdiff-backup seems like it has quoted character support that should
have dealt with this.  However there was a file in my home directory
with multiple * characters in the name.  Only one of these was quoted.
So rdiff-backup executed a rename system call with a destination file
name including *, which failed on the vfat filesystem.

--Sam






Bug#385039: doesn't restart on upgrade (uses --exec with --stop)

2006-09-02 Thread Sam Hartman
 Russ == Russ Allbery [EMAIL PROTECTED] writes:

Russ Ryan Murray [EMAIL PROTECTED] writes:
Russ I'm working on this for unstable right now by converting the
Russ init scripts to use LSB.

Russ Once I finish that, I'll look at producing a new version for
Russ stable.


So, I'd like to understand the bug a bit better before we go and
produce an update for stable.

I just confirmed that when I install the 1.4.4~beta1-1 krb5kdc,
whatever existing kdc is stopped and the new kdc binary ends up
running.

I also confirmed that if I:

* cp /usr/sbin/krb5kdc /usr/sbin/krb5kdc.new
* mv /usr/sbin/krb5kdc.new /usr/sbin/krb5kdc # change the inode
* /etc/init.d/krb5kdc restart

I end up with a new KDC.

I'm all for LSB-style initscripts, so I don't mind the change to
unstable.  But I want to actually understand what issue we're fixing
before issuing an update for stable.






Bug#385039: doesn't restart on upgrade (uses --exec with --stop)

2006-09-05 Thread Sam Hartman
If this patch works at all, it should be fine.


I'd recommend a minor fix to the security patch if you are doing a stable
update:


r18438 | tlyu | 2006-08-15 15:27:08 -0400 (Tue, 15 Aug 2006) | 6 lines

ticket: 4137

* src/clients/ksu/main.c (sweep_up): Don't check return value of
krb5_seteuid(0), as it is not harmful for it to fail, and it will
fail after setuid(target_user).  Correct error message.








Bug#380288: libkrb53: Saner error messages

2006-07-29 Thread Sam Hartman
Hi.

Kerberos 1.5 does include support for doing this although it is not
available all the places you would like it to be.

So I'll close this when Debian upgrades to 1.5.





Bug#380421: gnopernicus: fails to start--libgnome-mag2 dependency error?

2006-07-29 Thread Sam Hartman
Package: gnopernicus
Version: 1.0.5-1
Severity: serious

luminous:/usr/lib# srcore
srcore: error while loading shared libraries: libgnome-mag.so.2: cannot open shared object file: No such file or directory

I think that libgnome-mag2 is too loose of a dependency.
Also, I cannot find which version of libgnome-mag2 I should be using.
The version in unstable does not help.


-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (600, 'testing'), (90, 'unstable'), (1, 'experimental')
Architecture: i386 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages gnopernicus depends on:
ii  at-spi                1.7.7-3         Assistive Technology Service Provi
ii  gconf2                2.14.0-1        GNOME configuration database syste
ii  libart-2.0-2          2.3.17-1        Library of functions for 2D graphi
ii  libatk1.0-0           1.12.1-1        The ATK accessibility toolkit
ii  libatspi1.0-0         1.7.7-3         C binding libraries of at-spi for
ii  libbonobo2-0          2.14.0-1        Bonobo CORBA interfaces library
ii  libbonoboui2-0        2.14.0-3        The Bonobo UI library
ii  libbrlapi1            3.7.2-3         braille display access via BRLTTY
ii  libc6                 2.3.6-15        GNU C Library: Shared libraries
ii  libcairo2             1.2.0-3         The Cairo 2D vector graphics libra
ii  libfontconfig1        2.3.2-7         generic font configuration library
ii  libgail-gnome-module  1.1.3-2         GNOME Accessibility Implementation
ii  libgconf2-4           2.14.0-1        GNOME configuration database syste
ii  libglade2-0           1:2.5.1-2       library to load .glade files at ru
ii  libglib2.0-0          2.10.3-3        The GLib library of C routines
ii  libgnome-keyring0     0.4.9-1         GNOME keyring services library
ii  libgnome-mag2         1:0.12.6-1      screen magnification library for t
ii  libgnome-speech3      1:0.3.10-1      GNOME text-to-speech library
ii  libgnome2-0           2.14.1-2        The GNOME 2 library - runtime file
ii  libgnomecanvas2-0     2.14.0-2        A powerful object-oriented display
ii  libgnomeui-0          2.14.1-2        The GNOME 2 libraries (User Interf
ii  libgnomevfs2-0        2.14.2-1        GNOME virtual file-system (runtime
ii  libgtk2.0-0           2.8.18-1        The GTK+ graphical user interface
ii  libice6               1:1.0.0-3       X11 Inter-Client Exchange library
ii  liborbit2             1:2.14.0-2      libraries for ORBit2 - a CORBA ORB
ii  libpango1.0-0         1.12.3-1+b1     Layout and rendering of internatio
ii  libpopt0              1.10-2          lib for parsing cmdline parameters
ii  libsm6                1:1.0.0-4       X11 Session Management library
ii  libx11-6              2:1.0.0-7       X11 client-side library
ii  libxcursor1           1.1.5.2-5       X cursor management library
ii  libxext6              1:1.0.0-4       X11 miscellaneous extension librar
ii  libxfixes3            1:3.0.1.2-4     X11 miscellaneous 'fixes' extensio
ii  libxi6                1:1.0.0-5       X11 Input extension library
ii  libxinerama1          1:1.0.1-4       X11 Xinerama extension library
ii  libxml2               2.6.26.dfsg-2   GNOME XML library
ii  libxrandr2            2:1.1.0.2-4     X11 RandR extension library
ii  libxrender1           1:0.9.0.2-4     X Rendering Extension client libra
ii  scrollkeeper          0.3.14-11       A free electronic cataloging syste
ii  zlib1g                1:1.2.3-13      compression library - runtime

Versions of packages gnopernicus recommends:
pn  gnome-mag none (no description available)

-- no debconf information





Bug#395015: openafs-krb5: kinit + aklog succeeds but the /afs access does not work (works with afslog from heimdal-clients)

2006-10-25 Thread Sam Hartman
severity 395015 normal
thanks

Other people are not seeing this; I seriously doubt it is grave.


Make sure your openafs kernel module and openafs-client package are
both upgraded to 1.4.2-2

Try that.





Bug#477296: setting package to krb5-user libkrb5-dbg krb5-kdc krb5-rsh-server krb5-ftpd krb5-doc libkadm5srv6 krb5 krb5-admin-server libk5crypto3 krb5-kdc-ldap libkrb5-dev krb5-pkinit libkadm5clnt6 kr

2009-04-22 Thread Sam Hartman
# Automatically generated email from bts, devscripts version 2.10.35lenny1
# via tagpending 
#
# krb5 (1.7dfsg~alpha1-2) experimental; urgency=low
#
#  * Merge in krb5-1-7 branch through 22265; this includes most changes from
#    1.7~beta1
#- kadmin and related commands moved to /usr/bin, Closes: #477296
#  -- Sam Hartman hartm...@debian.org  Wed, 22 Apr 2009 09:53:15 -0400
#

package krb5-user libkrb5-dbg krb5-kdc krb5-rsh-server krb5-ftpd krb5-doc 
libkadm5srv6 krb5 krb5-admin-server libk5crypto3 krb5-kdc-ldap libkrb5-dev 
krb5-pkinit libkadm5clnt6 krb5-clients libkdb5-4 krb5-telnetd libkrb5support0 
libkrb5-3 libgssapi-krb5-2 libgssrpc4
tags 477296 + pending




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#191616: setting package to krb5-user libkrb5-dbg krb5-kdc krb5-rsh-server krb5-ftpd krb5-doc libkadm5srv6 krb5 krb5-admin-server libk5crypto3 krb5-kdc-ldap libkrb5-dev krb5-pkinit libkadm5clnt6 kr

2009-04-24 Thread Sam Hartman
# Automatically generated email from bts, devscripts version 2.10.35lenny1
# via tagpending 
#
# krb5 (1.7~beta1+dfsg-1) experimental; urgency=low
#
#  * New upstream release
#- kadmin and related commands moved to /usr/bin, Closes: #477296
#- Kadmin headers are Public: Closes: #191616
#- KDC supports loopback address, Closes: #478425
#

package krb5-user libkrb5-dbg krb5-kdc krb5-rsh-server krb5-ftpd krb5-doc 
libkadm5srv6 krb5 krb5-admin-server libk5crypto3 krb5-kdc-ldap libkrb5-dev 
krb5-pkinit libkadm5clnt6 krb5-clients libkdb5-4 krb5-telnetd libkrb5support0 
libkrb5-3 libgssapi-krb5-2 libgssrpc4
tags 191616 + pending
tags 478425 + pending







Bug#604925: /usr/lib/libgssapi_krb5.so.2: cannot login to ssh after upgrade from lenny to squeeze

2010-12-07 Thread Sam Hartman
Can you try turning off delegated credentials?  GSSAPIDelegateCreds no
in your client config?  This is a shot in the dark, but I don't think
I've ever seen a problem with the authenticator path once the ticket is
decrypted.  There is a first for everything, but the delegation path is
more fragile.

--Sam






Bug#604925: /usr/lib/libgssapi_krb5.so.2: cannot login to ssh after upgrade from lenny to squeeze

2010-12-07 Thread Sam Hartman
There's a #kerberos?
Who knew!


So, I'd like to confirm.
You have a Mac OS Open Directory KDC and a lenny client.
When you authenticate to a squeeze server you get authdata verification
failure?
Have you failed to try authentication from squeeze to squeeze or does
that also fail?






Bug#604925: /usr/lib/libgssapi_krb5.so.2: cannot login to ssh after upgrade from lenny to squeeze

2010-12-07 Thread Sam Hartman
Hi.  At today's release meeting, MIT indicated that they are going to
set up an OS X test environment to reproduce this problem.  They will
also look into whether we can ignore the PAC and remove it from the
authdata if it fails to verify rather than failing the authentication.
There was agreement that if we do that we need to insert a trace point
in the PAC code so we can know that the PAC is not verified.






Bug#604925: /usr/lib/libgssapi_krb5.so.2: cannot login to ssh after upgrade from lenny to squeeze

2010-12-09 Thread Sam Hartman
This patch looks reasonable.  I have not confirmed that it successfully
makes the PAC disappear, but if you've examined the logic there I'm
happy to assume it does.






Bug#608736: upgrading krb5-kdc breaks kprop entry in inetd.conf

2011-01-04 Thread Sam Hartman
Hi.
I believe this has been fixed and is no longer a bug in squeeze.

I'd appreciate any comments you have about whether this is still an
issue in squeeze.

I'm skeptical that this issue is something that should be fixed in lenny
this close to the squeeze release.  I do agree it's a bug and a
significant issue.






Bug#611614: libapache2-mod-shib2: /etc/init.d/shibd removes pidfile before (unsuccesful) attept to stop daemon

2011-02-02 Thread Sam Hartman
 Russ == Russ Allbery r...@debian.org writes:

Russ Ferenc Wagner wf...@niif.hu writes:
 It looks like our squeeze branch misses the merge of
 bug/unlink-pidfile.  Nor was upstream/2.3.1+dfsg merged into that
 bugfix branch...  As things stand, our master branch has the fix
 (e3f9f278) but our debian branch does not, so when I branched
 squeeze off it the fix got lost.  I'm a little uncertain how to
 untangle this...

Russ I think my bright idea of the separate debian branch turns out
Russ to be way more confusing than it's worth, so I propose
Russ dropping that distinction going forward and merging the debian
Russ branch into master, then making Debian-specific changes only
Russ in master.  Having separate branches for bug fixes and
Russ features that we want to push upstream makes sense, but the
Russ distinction between debian and master was never clear and
Russ makes it too likely that we'll run into problems like this.

This will save me the trouble of understanding how it worked:-)

Russ is aware of my experiments in doing something similar. I've looked
at git-dpm and topgit.  Topgit seems too immature.  Git-dpm seems like a
potentially valuable tool but it requires a lot of knowledge.
So, there's not really anything I can recommend to replace the
debian/master distinction.






Bug#611906: libgssapi-krb5-2: GSS-API provides invalid key (?) to nsupdate

2011-02-03 Thread Sam Hartman
Can you give me tcpdump capture of the entire DNS packets for both a
working and non-working case?






Bug#587313: What are the plans for newer buildbot?

2011-02-28 Thread Sam Hartman

Hi.  I'm just wondering what plans are for buildbot 0.8 packaging?  It
would be really nice to get better git support. I can point to specific 
upstream patches to be backported, or if there's going to be movement on this 
bug now that squeeze has released, perhaps that's unnecessary.

P.S. Thanks for all the great work on the existing packages.
They make my life much easier.






Bug#604925: closed by Sam Hartman hartm...@debian.org (Bug#604925: fixed in krb5 1.9+dfsg~beta2-1)

2010-12-14 Thread Sam Hartman
OK, thanks for the confirmation.
I'll now work on squeeze.






Bug#607228: no way to run setup command inside a chroot

2010-12-15 Thread Sam Hartman
package: sbuild
version: 0.60.7-1
severity: normal

When --setup-hook was implemented in terms of --chroot-setup-commands,
the user it is run as changed.  Previously it was run as root; now it is
run as the build user.

That's problematic because there no longer seems to be a way to run
commands as root in the chroot.

My use case is as follows.  I'm building a related set of packages that
inter-depend on each other under the control of a buildbot.  The build
slave (which runs sbuild) doesn't have the permissions necessary to
install into any apt archive.  So, I want to modify the chroot to have
an additional apt source.  The location of that source will depend on
which build slave it is, and so I'm running a setup hook to do this.

I'd be happy with any of the following options:

* external commands run as root
* a way to do a build in a session style schroot (schroot -r -c
  session:foo instead of schroot -c foo)
* A way to make packages of my choice available for satisfying build
  depends






Bug#616429: libkrb53: Unable to authenticate with Win2K8R2 RODC - TGS principle name incorrect

2011-03-04 Thread Sam Hartman
severity 616429 serious
thanks

I'll definitely apply this to stable.
I do not plan to update oldstable for this although would not object if
someone wanted to do the work to make that possible.
(I suspect there's not actually a process for doing so though)


--Sam




Bug#616728: krb5: fails to verify PAC with non-rc4 checksum

2011-03-06 Thread Sam Hartman
Package: krb5
Version: 1.8.3+dfsg-4
Severity: serious
Justification: justification of maintainer



-- System Information:
Debian Release: squeeze/sid
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'testing'), (101, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
This bug tracks launchpad 723840 so I can request a stable update.
The Debian squeeze krb5 cannot verify a PAC checksum if AES256 tickets are used.
This means in some fairly common situations, a Debian server cannot be used 
with a Windows KDC.

In related news, the pac checksum is incorrectly checked in some
cross-realm cases where it cannot be verified.






Bug#617625: apt-get man page should not recommend dselect

2011-03-09 Thread Sam Hartman
Package: apt
Version: 0.8.8
Severity: normal


Hi.
The apt-get man page points out that users should use a frontend and lists 
several, starting with dselect.
A friend was asking me to help clean up the mess that resulted because he 
followed that recommendation.
It's way too easy to convince dselect to do damage to a system and leave it in 
an inconsistent state.
Dselect is also a horrible introduction to Debian.

My preference is that dselect disappear from the archive and thus the apt-get 
man page.
Realistically I'd be happy if we stopped recommending it, either by removing it 
entirely or explicitly mentioning that it is crufty.

Thanks for your consideration,

--Sam



-- Package-specific info:

-- /etc/apt/preferences --

package: *
pin: release a=unstable
pin-priority: 101

package: *
pin: release a=testing
pin-priority: 500


-- (/etc/apt/sources.list present, but not submitted) --


-- System Information:
Debian Release: squeeze/sid
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'testing'), (101, 'unstable'), (1, 
'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages apt depends on:
ii  debian-archive-keyring  2010.08.28   GnuPG archive keys of the Debian a
ii  gnupg   1.4.10-4 GNU privacy guard - a free PGP rep
ii  libc6   2.11.2-7 Embedded GNU C Library: Shared lib
ii  libgcc1 1:4.5.1-10   GCC support library
ii  libstdc++6  4.4.5-8  The GNU Standard C++ Library v3
ii  zlib1g  1:1.2.3.4.dfsg-3 compression library - runtime

apt recommends no packages.

Versions of packages apt suggests:
pn  apt-doc none   (no description available)
ii  aptitude0.6.3-3.2terminal-based package manager (te
ii  bzip2   1.0.5-6  high-quality block-sorting file co
ii  dpkg-dev1.15.8.5 Debian package development tools
ii  lzma4.43-14  Compression method of 7z format in
ii  python-apt  0.7.100  Python interface to libapt-pkg
ii  synaptic0.70~pre1+b1 Graphical package manager

-- no debconf information






Bug#605586: Thanks, you made my day

2011-01-10 Thread Sam Hartman
Hi.  One of the things I like about Debian is that you can report bugs
and over time they actually get fixed. I like the power as a user of
being able to say hey this isn't working for me, and to actually
believe that eventually there's a good chance you'll make a difference.
(Obviously it's great to be on the other side of that when I'm acting as
a developer.)
Anyway, thanks!






Bug#566988: libk5crypto3 not downward compatible

2010-01-26 Thread Sam Hartman
package: libk5crypto3
severity: serious
version: 1.8+dfsg~alpha1-1
justification: huge mess for lenny-squeeze

Adrian Zaugg noticed that if you install libk5crypto3 from unstable with
libkrb53 from lenny, nothing works.  In particular, the internal symbol
krb5_hmac disappeared.

The obvious and probably wrong answer to this is to conflicts: libkrb53.
I'm concerned though if we are not very careful about installation order
that could leave huge chunks of the system unusable during an upgrade.

Bringing back krb5_hmac might well be easy.

However there's somewhat more of a mess with libkrb4.so.2 and presumably
libdes425.  That probably affects many fewer people.  However it's still
a policy violation for things to break in that way.

I'm going to need to spend some quality time thinking through this
issue.  It will be at least a week before I have that chance.

--Sam






Bug#566977: Samba, MIT krb5 and allow_weak_crypto

2010-01-30 Thread Sam Hartman


Hi.  I don't have enough time to dig into the Samba code, but I'm
happy to help interface with the MIT Kerberos team on this issue.

A couple of points.  First, 1.8 is in alpha test. Etienne's assumption
that upstream is aware of the consequences of their changes is false.
Upstream (including myself) was and remains puzzled that this change
breaks Samba.  We were aware it would create problems for OpenAFS but
have worked with that community to provide a way to fix the problem.

Second, I still don't understand what's breaking.  Samba should not be
relying only on DES: doing so will break against a Windows 2008 R2
domain; Microsoft led the way in turning off DES.  If Samba *needs* to
be using DES and not DES+RC4 please let the Kerberos folks know, as it
would really surprise us and we'd like to understand why.

Second, setting allow_weak_crypto for samba seems like very much the
wrong fix unless we can figure out a good reason why Samba should be
using DES.

It's my understanding that setting default enctypes that include both
DES and RC4 should not actually produce an error: DES should be filtered
out.  If Samba is telling the Kerberos library that it would like to use
either DES or RC4, and the Kerberos library is returning a bug, then
that's a bug; please report it against libkrb5-3 and we'll expedite a
fix.

The only thing that should fail is either if you only enable DES
enctypes or the only enctype a server and client share is DES.
Since Windows *always* supports RC4, that should not be an issue for
Samba.

Finally, as an aside, not including aes256 decreases Samba's security
against Vista, 2008 and 2008 R2 and may create interoperability problems
with some configurations of 2008 and 2008 R2.

--Sam






Bug#557929: possible breaking ssh is RC

2010-01-31 Thread Sam Hartman
 Andreas == Andreas Barth a...@not.so.argh.org writes:

Andreas About the bug itself: How about e.g. adding a transition
Andreas package libkrb53 to unstable which depends on libk5crypto
Andreas and also libk5crypto breaks the lenny libkrb53. That
Andreas together would make sure that the breakage doesn't happen?
Andreas That transition package can then be dropped after one
Andreas release cycle. (Please just say if that's a silly idea.)

Andreas The same is true for all other split off packages of
Andreas course.



So, the reason we're splitting out libkrb53 is that upstream dropped
some APIs and ABIs in krb5 1.7.  In particular, the libkrb4.so.2 ABI and
the libdes425.so.something ABI are dropped.  Those ABIs were all part of
libkrb53 from about 2000 when I first packaged krb5 until
squeeze/karmic.

For krb5 1.7 it would have been relatively easy to make a transition
package using code from krb5 1.6 that provided the removed ABIs.
However upstream has this annoying tendency to improve their code and
has significantly reorganized a bunch of internal APIs for better
modularity and performance.  As a result, the implementations of
libkrb4.so.2 and libdes425 in krb5 1.6 depend on chunks of code simply
not present in krb5 1.8.  I have not investigated making a transition
package but I suspect that making a package that preserved the ABI would
be more effort than I can dedicate.

There are only two packages in lenny that use these ABIs: zephyr and
kstart (besides krb5 packages themselves).  However there are also
probably lots of user applications linked against these libraries.

So, here are some options:

1) generate stub functions that return errors and produce a transition
package.  Doing that for libkrb4.so.2 is probably easy because of work
done for the Mac.  Doing that for libdes425 is probably more time than I
have, although especially with help is doable.

2) Produce a transition package that actually drops the libraries.  That
would mean some programs in lenny would segfault if you installed that
package.  We could add conflicts.  However we'd create segfaults for
non-packaged applications linked against libkrb4.so.2 or libdes425.

3) Create a prerm script in the new libraries that prevents their
removal if libkrb53 is installed.  We'd need to make sure that the
downgrade procedure described in the news file (or some variation) could
still be executed.  That's a solution to this bug but not to #566988.

I'd still really appreciate input on how this situation comes up for
real users.  The cases where libk5crypto3 gets installed without a bunch
of dependencies to keep it in place still seem very rare to me.

--Sam






Bug#557929: libkrb5-3: weak enctypes should act as filter and not break samba

2010-02-01 Thread Sam Hartman
reassign 557929 libkrb5-3
found 557929 libkrb5-3/1.8+dfsg~alpha1-1
severity 557929 serious
retitle 557929 set_default_enctype_var should filter weak enctypes not reject 
on weak enctype
tags 557929 upstream, confirmed
thanks

Steve pointed out that libkrb5-3 does not act as I describe.  In
particular if a configuration file or application request includes any
weak enctypes then the entire request is rejected.  This means an
application cannot say something like "I work with DES and RC4" because
even though RC4 is not weak, the request will be rejected for including
DES.

It seems very probable this is not what we want.


RC because this seems likely to break a large number of configurations
and applications like Samba for no good reason.






Bug#566977: ends up being a krb5 problem

2010-02-01 Thread Sam Hartman
reassign 566977 libkrb5-3
found 566977 libkrb5-3/1.8+dfsg~alpha1-1
severity 566977 serious
retitle 566977 set_default_enctype_var should filter weak enctypes not reject 
on weak enctype
tags 566977 upstream, confirmed
thanks

Steve pointed out that libkrb5-3 does not act as I describe.  In
particular if a configuration file or application request includes any
weak enctypes then the entire request is rejected.  This means an
application cannot say something like "I work with DES and RC4" because
even though RC4 is not weak, the request will be rejected for including
DES.

It seems very probable this is not what we want.


RC because this seems likely to break a large number of configurations
and applications like Samba for no good reason.
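
The difference between rejecting and filtering, as an added example that is not part of the original message and is not libkrb5 code: a small C model of the two policies for an enctype request, plus the client/server overlap check. The function names and result codes are hypothetical, and treating only single DES as weak follows the thread.

```c
#include <stddef.h>
#include <stdio.h>

/* Enctype numbers as assigned in RFC 3961, RFC 3962 and RFC 4757. */
enum {
    ET_DES_CBC_CRC  = 1,
    ET_DES_CBC_MD5  = 3,
    ET_AES256_CTS   = 18,
    ET_ARCFOUR_HMAC = 23
};

/* Hypothetical result codes for this model (not libkrb5 error codes). */
enum { M_OK = 0, M_WEAK_REJECTED = -1, M_NO_SUPPORTED_ENCTYPE = -2 };

/* Assumption taken from the thread: single DES is weak, RC4 is not. */
static int is_weak(int et)
{
    return et == ET_DES_CBC_CRC || et == ET_DES_CBC_MD5;
}

/* Reported behaviour: one weak entry makes the whole request fail.
 * out must have room for n entries. */
int set_enctypes_reject(const int *req, size_t n, int allow_weak,
                        int *out, size_t *out_n)
{
    size_t i;

    *out_n = 0;
    if (n == 0)
        return M_NO_SUPPORTED_ENCTYPE;
    if (!allow_weak)
        for (i = 0; i < n; i++)
            if (is_weak(req[i]))
                return M_WEAK_REJECTED;
    for (i = 0; i < n; i++)
        out[(*out_n)++] = req[i];
    return M_OK;
}

/* Requested behaviour: weak entries are dropped, order is preserved,
 * and the request fails only when nothing usable is left. */
int set_enctypes_filter(const int *req, size_t n, int allow_weak,
                        int *out, size_t *out_n)
{
    size_t i;

    *out_n = 0;
    for (i = 0; i < n; i++)
        if (allow_weak || !is_weak(req[i]))
            out[(*out_n)++] = req[i];
    return *out_n ? M_OK : M_NO_SUPPORTED_ENCTYPE;
}

/* First enctype in the client's preference order that the server also
 * offers, or M_NO_SUPPORTED_ENCTYPE when the two lists do not overlap. */
int negotiate(const int *client, size_t cn, const int *server, size_t sn)
{
    size_t i, j;

    for (i = 0; i < cn; i++)
        for (j = 0; j < sn; j++)
            if (client[i] == server[j])
                return client[i];
    return M_NO_SUPPORTED_ENCTYPE;
}

int main(void)
{
    /* Constructed inputs: an application asking for DES and RC4, and a
     * server that offers AES256 and RC4 but no DES. */
    const int app[] = { ET_DES_CBC_CRC, ET_ARCFOUR_HMAC };
    const int server[] = { ET_AES256_CTS, ET_ARCFOUR_HMAC };
    int out[2];
    size_t n;
    int rc;

    rc = set_enctypes_reject(app, 2, 0, out, &n);
    printf("reject policy: rc=%d, %lu enctypes kept\n", rc, (unsigned long)n);

    rc = set_enctypes_filter(app, 2, 0, out, &n);
    printf("filter policy: rc=%d, %lu enctypes kept\n", rc, (unsigned long)n);
    printf("negotiated enctype: %d\n", negotiate(out, n, server, 2));
    return 0;
}
```
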







Bug#557929: Info received (libkrb5-3: weak enctypes should act as filter and not break samba)

2010-02-01 Thread Sam Hartman
reassign 557929 libk5crypto3
retitle 557929 libk5crypto3 - Replaces libkrb53 but nothing depends on
it
tags 557929 -upstream
thanks

Aaargh.
sent to wrong bug.






Bug#558719: krb5: FTBFS due to dh_makeshlibs/dpkg-gensymbols

2009-11-29 Thread Sam Hartman
So, something has changed in dpkg-gensymbols.  encrypted_challenge.so
is a plugin, not a library.  Previously, it was not listed nor
expected in the symbols file.
I think that's the correct behavior.
I do not think it would be desirable to move this plugin into another package.

I realize it's not your job, but any ideas on how to convince dpkg-gensymbols 
to behave as it used to?






Bug#558719: krb5: FTBFS due to dh_makeshlibs/dpkg-gensymbols

2009-11-29 Thread Sam Hartman
Actually, I suspect that the shared library build command is coming
from src/config/lib.in and is being substituted into the Makefile.  I don't see 
anything specific to shared library builds.

I'm honestly not sure that what upstream is doing is *wrong*.  It's
*strange* and I can probably change it for 1.8, but I'm having a hard
time explaining why it is a bug.

I'm about to upload something with -Xusr/lib/krb5/plugins after
testing it.  I did update my tool chain and confirm that I can
reproduce the FTBFS.






Bug#523971: I have the same problem

2009-12-04 Thread Sam Hartman
 Zahari == Zahari Zahariev zahari.zahar...@gmail.com writes:

Zahari Hello, I am trying to set up Kerberos server on Debian in
Zahari VirtualBox. When I am trying to run krb5_newrealm and it
Zahari hangs!

Getting sufficient random data for virtualization software is tricky.
I'd recommend googling for random entropy virtualbox or random entropy
virtual machines.






Bug#538697: Permission to upload heimdal-multidev

2009-07-26 Thread Sam Hartman
package: heimdal
severity: wishlist 
tags: patch

Brian, per our discussions I'd like permission to NMU the following patch:

diff --git a/debian/changelog b/debian/changelog
index 0b27460..e7c2247 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+heimdal (1.2.e1.dfsg.1-1.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Implement heimdal-multidev package to provide set of headers and
+libraries that can be installed along-side MIT Kerberos Development
+files  
+
+ -- Sam Hartman hartm...@debian.org  Sat, 25 Jul 2009 13:35:51 -0400
+
 heimdal (1.2.e1.dfsg.1-1) unstable; urgency=low
 
   * New upstream version.
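Review bot: the new changelog entry names only the heimdal-multidev package, but the debian/control part of this patch also turns heimdal-dev into a package that depends on heimdal-multidev and conflicts with libkrb5-dev; that is the change existing heimdal-dev users will notice, and it deserves its own bullet. The last continuation line ("+files  ") also ends in trailing whitespace and has no closing period.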
diff --git a/debian/control b/debian/control
index 3f8f834..b9af0fb 100644
--- a/debian/control
+++ b/debian/control
@@ -39,7 +39,7 @@ Description: Heimdal Kerberos - key distribution center (KDC)
  such a way that the server computers do not need to know the
  passwords.
 
-Package: heimdal-dev
+Package: heimdal-multidev
 Section: devel
 Priority: extra
 Architecture: any
@@ -47,6 +47,22 @@ Conflicts: heimdal-clients ( 0.4e-7), kerberos4kth-dev
 Depends: ${misc:Depends}, libasn1-8-heimdal (= ${binary:Version}), libkrb5-25-heimdal (= ${binary:Version}), libhdb9-heimdal (= ${binary:Version}), libkadm5srv8-heimdal (= ${binary:Version}), libkadm5clnt7-heimdal (= ${binary:Version}), libgssapi2-heimdal (= ${binary:Version}), libkafs0-heimdal (= ${binary:Version}), comerr-dev
 Replaces: heimdal-clients ( 0.4e-7)
 Suggests: heimdal-docs
+Description: Heimdal Kerberos - Multi-implementation Development
+ Heimdal is a free implementation of Kerberos 5 that aims to be
+ compatible with MIT Kerberos.
+ .
+ This package provides versions of the Heimdal development files that
+ can be installed along-side MIT Kerberos development files.
+ Normally, heimdal-dev should be used. However if a package needs to
+ build  against both Heimdal Kerberos and MIT Kerberos, then the
+ multidev package should be used. 
+
+Package: heimdal-dev
+Depends: heimdal-multidev (= ${binary:Version})
+Section: devel
+Conflicts: libkrb5-dev
+Priority: extra
+Architecture: any
 Description: Heimdal Kerberos - development files
  Heimdal is a free implementation of Kerberos 5 that aims to be
  compatible with MIT Kerberos.
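Review bot: in the new heimdal-dev stanza, Depends lists only heimdal-multidev (= ${binary:Version}) and drops ${misc:Depends}, which the heimdal-multidev stanza above keeps; add it back so debhelper-generated dependencies still reach heimdal-dev. The stanza also puts Depends ahead of Section and Priority, unlike the stanza it was split from, and the new long description has a doubled space in "build  against" and trailing whitespace after "should be used.".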
diff --git a/debian/heimdal-dev.dirs b/debian/heimdal-dev.dirs
new file mode 100644
index 000..e43b95c
--- /dev/null
+++ b/debian/heimdal-dev.dirs
@@ -0,0 +1 @@
+usr/include
diff --git a/debian/heimdal-dev.install b/debian/heimdal-dev.install
index 9e39a8b..3d9a05e 100644
--- a/debian/heimdal-dev.install
+++ b/debian/heimdal-dev.install
@@ -1,7 +1,3 @@
 usr/bin/krb5-config
-usr/lib/*.a
-usr/lib/*.la
-usr/lib/*.so
-usr/include
 usr/share/man/man1/krb5-config.1
 usr/share/man/man3
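Review bot: usr/bin/krb5-config stays in heimdal-dev, and heimdal-dev now conflicts with libkrb5-dev, so a package that installs heimdal-multidev next to the MIT development files has no Heimdal krb5-config to ask for compiler and linker flags. Either ship a separately named copy in heimdal-multidev or document the -I and -L paths such a build is expected to pass. usr/share/man/man3 likewise stays behind while usr/include leaves this package.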
diff --git a/debian/heimdal-dev.links b/debian/heimdal-dev.links
new file mode 100644
index 000..cfecffe
--- /dev/null
+++ b/debian/heimdal-dev.links
@@ -0,0 +1,98 @@
+usr/lib/heimdal/libasn1.a usr/lib/libasn1.a
+usr/lib/heimdal/libasn1.la usr/lib/libasn1.la
+usr/lib/heimdal/libasn1.so usr/lib/libasn1.so
+usr/lib/heimdal/libgssapi.a usr/lib/libgssapi.a
+usr/lib/heimdal/libgssapi.la usr/lib/libgssapi.la
+usr/lib/heimdal/libgssapi.so usr/lib/libgssapi.so
+usr/lib/heimdal/libhdb.a usr/lib/libhdb.a
+usr/lib/heimdal/libhdb.la usr/lib/libhdb.la
+usr/lib/heimdal/libhdb.so usr/lib/libhdb.so
+usr/lib/heimdal/libheimntlm.a usr/lib/libheimntlm.a
+usr/lib/heimdal/libheimntlm.la usr/lib/libheimntlm.la
+usr/lib/heimdal/libheimntlm.so usr/lib/libheimntlm.so
+usr/lib/heimdal/libhx509.a usr/lib/libhx509.a
+usr/lib/heimdal/libhx509.la usr/lib/libhx509.la
+usr/lib/heimdal/libhx509.so usr/lib/libhx509.so
+usr/lib/heimdal/libkadm5clnt.a usr/lib/libkadm5clnt.a
+usr/lib/heimdal/libkadm5clnt.la usr/lib/libkadm5clnt.la
+usr/lib/heimdal/libkadm5clnt.so usr/lib/libkadm5clnt.so
+usr/lib/heimdal/libkadm5srv.a usr/lib/libkadm5srv.a
+usr/lib/heimdal/libkadm5srv.la usr/lib/libkadm5srv.la
+usr/lib/heimdal/libkadm5srv.so usr/lib/libkadm5srv.so
+usr/lib/heimdal/libkafs.a usr/lib/libkafs.a
+usr/lib/heimdal/libkafs.la usr/lib/libkafs.la
+usr/lib/heimdal/libkafs.so usr/lib/libkafs.so
+usr/lib/heimdal/libkdc.a usr/lib/libkdc.a
+usr/lib/heimdal/libkdc.la usr/lib/libkdc.la
+usr/lib/heimdal/libkdc.so usr/lib/libkdc.so
+usr/lib/heimdal/libkrb5.a usr/lib/libkrb5.a
+usr/lib/heimdal/libkrb5.la usr/lib/libkrb5.la
+usr/lib/heimdal/libkrb5.so usr/lib/libkrb5.so
+usr/lib/heimdal/libotp.a usr/lib/libotp.a
+usr/lib/heimdal/libotp.la usr/lib/libotp.la
+usr/lib/heimdal/libotp.so usr/lib/libotp.so
+usr/lib/heimdal/libroken.a usr/lib/libroken.a
+usr/lib/heimdal/libroken.la usr/lib/libroken.la
+usr/lib/heimdal/libroken.so usr/lib/libroken.so
+usr/lib/heimdal/libsl.a usr/lib/libsl.a
+usr/lib/heimdal/libsl.la usr/lib/libsl.la
+usr/lib/heimdal/libsl.so usr/lib/libsl.so
+usr/lib/heimdal/libwind.a usr/lib/libwind.a
+usr/lib/heimdal/libwind.la usr/lib/libwind.la
+usr/lib/heimdal/libwind.so usr/lib/libwind.so
+usr/lib/heimdal/windc.a usr/lib/windc.a
+usr/lib
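Review bot: these 98 links are written out by hand, three per library (.a, .la, .so), so a library added or dropped upstream leaves a missing or dangling link that nothing in the build will flag; generating the list from the contents of usr/lib/heimdal in debian/rules would keep it in step. The windc.a entry also breaks the lib*.a / lib*.la / lib*.so pattern of the lines above it; confirm it is meant to be linked into usr/lib.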

Bug#538697: Permission to upload heimdal-multidev

2009-07-28 Thread Sam Hartman
Sorry, I broke the last patch fixing a cosmetic issue reported by Russ.
I will retest and fix.






Bug#539163: Only enabling profiles with no auth leaves system wide open

2009-07-29 Thread Sam Hartman
severity: serious
tags: security
package: libpam-runtime
Version: 1.0.1-6

Even with the changes committed for 1.0.1-10, enabling only profiles
like consolekit that provide no authentication option leave the system
accepting any password.

I realize this is messy in the code, but I think we need to actually
check that the auth stack contains an entry and require more profiles
if that is not true.
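
One way to express the check described above, as an added example that is not part of the original message and is not pam-auth-update code: a C function that counts the auth entries in a PAM configuration that can actually test a credential. The function name and both sample files are constructed for illustration; pam_permit.so and pam_deny.so are excluded because neither looks at what the user supplied.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: an auth stack with no authenticating profile. */
static const char SAMPLE_SESSION_ONLY[] =
    "# constructed sample, not generated output\n"
    "auth\t[default=1]\tpam_permit.so\n"
    "auth\trequisite\tpam_deny.so\n"
    "auth\trequired\tpam_permit.so\n"
    "session\toptional\tpam_ck_connector.so\n";

/* Constructed sample: the same stack with pam_unix in front. */
static const char SAMPLE_WITH_UNIX[] =
    "auth\t[success=1 default=ignore]\tpam_unix.so nullok_secure\n"
    "auth\trequisite\tpam_deny.so\n"
    "auth\trequired\tpam_permit.so\n";

static const char *skip_ws(const char *p)
{
    while (*p == ' ' || *p == '\t')
        p++;
    return p;
}

/* Length of the token at p (ends at whitespace, end of line or NUL). */
static size_t tok_len(const char *p)
{
    size_t n = 0;

    while (p[n] && p[n] != ' ' && p[n] != '\t' && p[n] != '\n' && p[n] != '\r')
        n++;
    return n;
}

static int tok_is(const char *p, size_t n, const char *word)
{
    return strlen(word) == n && strncmp(p, word, n) == 0;
}

/* Count "auth" lines whose module is neither pam_permit.so nor
 * pam_deny.so.  Lines use the /etc/pam.d layout (type, control, module).
 * include/substack lines are not followed and are not counted. */
int count_authenticating_modules(const char *conf)
{
    int count = 0;
    const char *line = conf;

    while (*line) {
        const char *eol = strchr(line, '\n');
        const char *next = eol ? eol + 1 : line + strlen(line);
        const char *p = skip_ws(line);
        const char *mod;
        size_t n, i;
        int is_module = 1;

        if (*p == '-')                      /* "-auth" form */
            p++;
        n = tok_len(p);
        if (tok_is(p, n, "auth")) {
            p = skip_ws(p + n);
            if (*p == '[') {                /* [value=action ...] control */
                while (*p && *p != ']' && *p != '\n')
                    p++;
                if (*p == ']')
                    p++;
            } else {
                n = tok_len(p);
                if (tok_is(p, n, "include") || tok_is(p, n, "substack"))
                    is_module = 0;          /* names a file, not a module */
                p += n;
            }
            p = skip_ws(p);
            n = tok_len(p);
            mod = p;
            for (i = 0; i < n; i++)         /* strip any directory part */
                if (p[i] == '/')
                    mod = p + i + 1;
            n -= (size_t)(mod - p);
            if (is_module && n > 0 &&
                !tok_is(mod, n, "pam_permit.so") &&
                !tok_is(mod, n, "pam_deny.so"))
                count++;
        }
        line = next;
    }
    return count;
}

int main(void)
{
    printf("session-only sample: %d authenticating module(s)\n",
           count_authenticating_modules(SAMPLE_SESSION_ONLY));
    printf("pam_unix sample:     %d authenticating module(s)\n",
           count_authenticating_modules(SAMPLE_WITH_UNIX));
    return 0;
}
```

A result of zero means the stack has no entry that authenticates, which is the condition the message asks the tool to refuse.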






Bug#539163: Only enabling profiles with no auth leaves system wide open

2009-07-29 Thread Sam Hartman
Honestly I'd rather think about fixing it than argue about bug
severities.  I would probably have treated all of these as
grave/critical, but I don't care much.
As far as I can tell, the bug severity doesn't matter much:

1) They are all in testing  already
2) We agree they want to be fixed
3) We plan to fix all the above before the freeze in December
4) The release team would find it easier to get this fixed than remove pam.

So, while I personally think they are all RC, I'm also happy if you
want to downgrade.
If we end up uploading before this is fixed, well, incremental improvement is 
good.






Bug#539500: translation updated

2009-08-05 Thread Sam Hartman
 Luca == Luca Monducci luca...@tiscali.it writes:

Luca Hello, I received a late feedback from one of proofreader.
Luca Could you please add the attached translation instead of
Luca previous one?

Sure thing, done.






Bug#569758: krb524d file descriptor leak when using LDAP back-end

2010-02-14 Thread Sam Hartman
This is a known problem.
Unfortunately, it looks like neither upstream nor I will have time to
investigate it.  As krb524d has been removed from current krb5 releases,
it is unlikely to be resolved.

There seems to be a related, much slower leak having to do with
krb5-kdc and ldap.  That does seem more likely to attract attention.

--Sam






Bug#564566: libkadm5clnt7: SONAME conflict with Heimdal

2010-01-10 Thread Sam Hartman
I'll add a conflicts for now.  Are you running into a case where you'd
actually like to have both libraries installed at the same time?






Bug#564566: libkadm5clnt7: SONAME conflict with Heimdal

2010-01-10 Thread Sam Hartman
 Russ == Russ Allbery r...@debian.org writes:

Russ Sam Hartman hartm...@debian.org writes:
 I'll add a conflicts for now.  Are you running into a case where
 you'd actually like to have both libraries installed at the same
 time?

Russ I will definitely need to be able to install both libraries at
Russ the same time.  I believe this also will break the -multidev
Russ setup that we're trying to get working, no?

no.
krb5-multidev currently doesn't include libkadm5clnt7.

Although it does mean you cannot use it for building
libpam-krb5-migrate.






Bug#564666: krb5-multidev and heimdal-dev: error when trying to install together

2010-01-11 Thread Sam Hartman
Hi.  I'm going to add a conflicts for now, although it sounds like this
needs an upstream fix.






Bug#564753: libkrb5-3: Update breaks aklog in openafs-krb5

2010-01-11 Thread Sam Hartman
Can I get you to try adding allow_weak_crypto = true to the libdefaults
sections of /etc/krb5.conf?  If that fixes your problem, then this is
not a bug.






Bug#564753: libkrb5-3: Update breaks aklog in openafs-krb5

2010-01-12 Thread Sam Hartman
 Russ == Russ Allbery r...@debian.org writes:

Russ Vasilis Vasaitis v.vasai...@sms.ed.ac.uk writes:
 However, IMHO this is an unsatisfactory solution. Packages should
 ideally work correctly with their default settings, and therefore
 having each person that needs openafs-krb5 edit krb5.conf is not
 ideal. So I was wondering if the maintainers involved have a way
 in mind to avoid this? A conf.d style solution perhaps? Patching
 openafs-krb5 so that it specifies the setting programmatically in
 its code? Something else?

Russ Unfortunately, MIT Kerberos doesn't support conf.d-style
Russ krb5.conf files, and I don't believe there's any way to set
Russ this parameter programmatically rather than in the krb5.conf
Russ file.

There's also the issue that it is a fairly security sensitive setting.
I think that weakening the security defaults like this is something the
user should at least know about.

However it's possible we could do something in krb5-config.  For
example, ask about allow_weak_crypto at priority low normally, but if we
find /usr/bin/aklog ask at priority high.
Would that make things better?

--sam






Bug#564753: libkrb5-3: Update breaks aklog in openafs-krb5

2010-01-12 Thread Sam Hartman
For AS requests it definitely is a security issue.

For TGS it is less of an issue and may not be an issue at all.  The case
I'm still pondering is the cross-realm case.

Perhaps we should backport the API from Heimdal.






Bug#564753: libkrb5-3: Update breaks aklog in openafs-krb5

2010-01-12 Thread Sam Hartman
Sadly, given the MIT implementation porting that API for 1.8 would be
kind of tricky.  The bit about whether something is weak is not stored
per-context.
I guess we should discuss on krbdev.






Bug#565129: bug on file conflict

2010-01-13 Thread Sam Hartman
 Ralf == Ralf Treinen trei...@free.fr writes:

Ralf Hi, sorry for the double submission (I should just have
Ralf reopened the old bug report Bug#564666). I thought that I had
Ralf seen that bug before but couldn't find it since it was
Ralf assigned to a different package, and somehow my usertag got
Ralf lost.

No, actually, this is a related, but not identical problem.  Since
you've already merged, that's fine.  However, as a future FYI, the
first problem was with missing conflict relationships in library
packages.  The second is with me sticking files in the wrong newly
created packages.  My bad for not fully testing this.
A lot has been going on.






Bug#564753: disastrous for stable

2010-01-15 Thread Sam Hartman
 Thomas == Thomas Bushnell BSG t...@becket.net writes:

Thomas This bug was propagated to the *stable* release because of
Thomas the recent (minor) security issue.


Thomas, I'm having a hard time substantiating this claim.
According to my rmadison:
krb5 | 1.6.dfsg.4~beta1-5lenny2 | proposed-updates | source

I believe that's also the same version in stable-security.

Looking at what commits were merged to the lenny-security branch in my
git, I do not believe any of the changes related to this bug are in
stable.  In fact, the code necessary to disable weak crypto support in
the manner done recently in unstable was *introduced* in krb5 1.7;
stable has 1.6.4 roughly.

Now, it's possible I did something really stupid on the packaging front.
If I did somehow manage to upload krb5 1.8 to stable and call it 1.6
that would be disastrous as you claim.  However can I get you to
approach this with the assumption that something non-obvious is going on
here and check your details and let me know what you're seeing?

--Sam






Bug#565429: libkdb5-4: missing Replaces: libkadm5srv6?

2010-01-15 Thread Sam Hartman
No, I'm not entirely sure what's going on there, but conflicts or breaks
is the right relationship.

I'd expect that libkadm5srv6 would go away and be replaced by
libkadm5srv7.
Try explicitly installing that.






Bug#564753: disastrous for stable

2010-01-15 Thread Sam Hartman
Here are my thoughts.

1) There are things we could choose to do in krb5-config to make things
better for Debian.
I made one proposal.  It's not clear that's necessary though.

2) Either upstream or in a Debian-specific API to be removed in the
future--I.E. something not in a public header--we could provide some
exception path for AFS.

3) Complaining about the KDC log error upstream definitely seems
reasonable.

I'm about to head out for the weekend.  There's no reason that I need to
be the one discussing these issues, but I'm happy to take responsibility
for #3 above.

--Sam






Bug#564753: disastrous for stable

2010-01-19 Thread Sam Hartman
This issue was a major focus of discussion at today's release meeting
for MIT Kerberos upstream.


The consortium plans to:

1) Introduce a new API to enable weak crypto for a given context.
This API will not be the same as the Heimdal API for implementation
complexity reasons.

2) Look into logging and returning a better error for the case when the
client's enctypes do not overlap with the service's enctypes.

--Sam






Bug#566223: krb5-user: kinit segfaults while using specific enctypes

2010-01-22 Thread Sam Hartman
severity 566223 normal
thanks

The problem is your config file is wrong.
Remove the enctype lines you added and add
allow_weak_crypto = true
as described in /usr/share/doc/libkrb5-3/NEWS.debian.gz


There is a bug that if one of the enctype lists is empty, kinit
segfaults.  We'll get that fixed, but what will happen instead is you
will get a no supported enctype error.






Bug#566346: ITP: krb5-appl - Kerberos applications and clients

2010-01-22 Thread Sam Hartman
package: wnpp
severity: wishlist
owner: hartm...@debian.org

name: krb5-appl
URL: http://web.mit.edu/kerberos/dist/krb5-appl
License: MIT Kerberos license 
(roughly MIT license plus a requirement that if you modify the
software you must mark it as modified)
description: Contains fairly ancient versions of telnetd, ftpd, rsh and
rlogin that support Kerberos authentication

Up until the upcoming Kerberos 1.8 release, these applications were part
of the main krb5 tree.  They are kind of old and crufty, but attempts to
kill them off have met with users (and Debian users) who say they are
still valuable in certain environments.  Reasons cited include that the
code base is simpler than things like ssh, it works and is in use, etc.
My belief is that the security of the rsh and rlogin programs is quite
good, although the telnet and telnetd are well below current security
standards.

However upstream krb5 doesn't want to maintain the applications as part
of the main source tree.  So, they are being split out.  Since Debian
users still want them, I'm going to package them.  They've been in
Debian for years already, so I think this should not be a problem.

To look at the WIP packages see
git://git.debian.org/git/pkg-k5-afs/debian-krb5-appl.git




Bug#540955: libpam-runtime: clever upgrade-logic seems to not work

2009-08-11 Thread Sam Hartman
I guess the question is whether there are any significant changes in
common-password that need to be merged in or whether it is OK for new
systems to get the new file and old systems not to.






Bug#541188: no login possible after some time (using ldap, krb5, ssh, login)

2009-08-12 Thread Sam Hartman
Are you using LDAP for nss in /etc/nsswitch.conf?
This sounds more like an NSS or Kerberos issue than a PAM issue.






Bug#538697: Permission to upload heimdal-multidev

2009-08-21 Thread Sam Hartman
Hi.  I wanted to give an update here.  It turns out that you don't
want to install the .la files in heimdal-multidev because libtool
really doesn't deal at all well with the .la and .so.x.y living in
different directories.

So, I'm leaving the .la files in heimdal-dev and the .so and .a files
in heimdal-multidev.

What that means is that you cannot use libtool libraries if you are
linking against the multidev packages.  I think that's reasonable; you
probably didn't want libtool .la files anyway on Debian.






Bug#543015: barnowl: FTBFS: tests failed

2009-08-22 Thread Sam Hartman
Thanks.  Sloppiness on my part in dealing with build-depends; will
update and re-upload.






Bug#538697: symlinks to shared libraries

2009-08-22 Thread Sam Hartman
Another area the patch needs to cover is repointing the .so symlinks
to /usr/lib instead of /usr/lib/heimdal.






Bug#528828: krb5: FTBFS on hurd-i386: Unguarded use of system limit macros #2

2009-05-18 Thread Sam Hartman
 Marc == Marc Dequènes (Duck) d...@duckcorp.org writes:

Marc Coin, In fact, the patch is mostly identical to the previous
Marc one, just added 3 very small chunks to solve the same thing
Marc as the previous patch. It is a fix because PATH_MAX,
Marc MAXHOSTNAMELEN, and MAXPATHLEN should not be used
Marc unconditionally, as it is a POSIX incompatibility.
That I understand.
I started through your patch and was confused about the pthread changes in 
k5-platform.h.


Please ignore debian/patches and assume that this project is a fairly
standard git repository with that community's standards for patch
submission.






Bug#529068: libkrb53: gssapi browser auth slow and freezy

2009-05-19 Thread Sam Hartman
 Aleksandar == Aleksandar Kostadinov ava...@friendofpooh.com writes:

Aleksandar It is in the form kdc = host:port just like the
Aleksandar standard entries in the file. This is the same as on
Aleksandar the fedora system which is actually a virtualbox VM
Aleksandar (with vbox nat networking) on the debian machine so


I'm looking into DNS issues; the VM under vboxnat doesn't entirely
exclude that.

Put something like
kdc = host.:port

in krb5.conf.

Based on some other things, I suspect that's not the issue, but it is
important to rule out.

I don't have a lot of ideas here about what is going on.  I can think
of things that might be slow or blocking on the server side, but not
on the client side.
Do you happen to know approximately how many http connections are required in a 
given page load?
I'd expect that the only place any Kerberos could slow things down is during 
the initial sending of an HTTP request.






Bug#528828: [PATCH] Don't rely on MAXPATHLEN and MAXHOSTNAMELEN to be defined, this is a POSIX incompatibility and cause build failures on systems that don't need them (like the Hurd).

2009-05-20 Thread Sam Hartman
Thanks for the updated patch.  I noticed you dropped the pthread hunk;
I'm assuming that is either not needed or you'll open a separate bug
on that issue.






Bug#529068: libkrb53: gssapi browser auth slow and freezy

2009-05-20 Thread Sam Hartman
Can I get you to make sure you have krb5-user installed,

kinit -c KEYRING:blah principal_name_goes_here
and start firefox with the KRB5CCNAME environment variable set to KEYRING:blah

(to confirm you're using the keyring cache, probably doing a kdestroy
on your normal tickets would be good)

What I'm trying to do here is to see if the performance is dependent
on what type of credential cache is used.  I'm suspecting that there
is a locking problem in either MIT or Heimdal.  Either MIT holds a
lock too long, doesn't have fine grain locking somewhere, or Heimdal
has a race condition and is not holding a lock that it needs.  The
keyring cache has a different locking path than the file based cache.
So, it may perform differently.  If it is faster, then that tells us
something.  If it is not, then we don't learn much.

I don't have a test environment in which to reproduce this, although I
am talking to upstream about the issue.  I have not actually opened an
upstream bug at this point; I've brought the issue up on the krbcore
list.

--Sam






Bug#529068: libkrb53: gssapi browser auth slow and freezy

2009-05-25 Thread Sam Hartman
I've forwarded your latest message to upstream.

One advantage of the keyring cache is that it completely isolates the
file system for ticket caching.






Bug#515118: CVE-2009-0363: multiple buffer overflows that can be remotely triggered

2009-02-13 Thread Sam Hartman
package: owl
Version: 2.1.11-2
severity: grave
Tags: security
Justification: cve-2009-0363

zwrite.c and zcrypt.c contain multiple buffer overflows in calls to sprintf
that appear to be remotely exploitable.
Please see the patch to barnowl 1.0.1-4 for a minimal set of changes that we
think addresses this vulnerability.
However there have been other related changes to barnowl and owl may well have
more vulnerabilities in this area.






Bug#495056: closed by Sam Hartman hartm...@debian.org (Bug#495056: fixed in barnowl 1.0.5-1)

2009-02-13 Thread Sam Hartman
 Niko == Niko Tyni nt...@debian.org writes:

Niko On Fri, Feb 13, 2009 at 05:45:07PM +, Debian Bug
Niko Tracking System wrote:
  This is an automatic notification regarding your Bug report
 which was filed against the barnowl package:
 
 #495056: barnowl: embedding perl needs PERL_SYS_INIT3()
 
 It has been closed by Sam Hartman hartm...@debian.org.

 Changes: barnowl (1.0.5-1) unstable; urgency=high .  * New
 upstream release * Fix use of sprintf in zwrite.c and zcrypt.c
 that is likely to be exploitable * Enable fortify_source and
 stack protector to reduce impact of similar problems in the
 future.  * Together, fixes: CVE-2009-0363t3; Closes: #495056

Niko Hi Sam,

Niko did you get the bug number wrong?  -- Niko Tyni

No, I mispasted some additional text from later in the changelog.
This bug was already closed in 1.0.3-1.






Bug#510419: Example usage of debconf for krb5-config

2009-01-02 Thread Sam Hartman
Does the code fail if you dpkg-reconfigure and tell krb5-config that
you are using DNS?  My view is that the authoritative state for
whether you are using DNS (or more precisely whether you want your
kdcs in krb5.conf) lives in debconf and if you change that state, you
should run dpkg-reconfigure.

--Sam







Bug#510419: krb5-config - uses debconf as registry

2009-01-02 Thread Sam Hartman
severity 510419 normal
thanks

Please write up an explanation of what you think is wrong and why with
explicit citations to policy.


Once you provide enough detail, I'll consider whether this is RC or
not.  I understand you've already convinced Russ, but it is entirely
non-obvious to me.







Bug#531635: missing prototypes

2009-06-04 Thread Sam Hartman
As best I can tell these symbols were only ever available with the
KRB5_PRIVATE preprocessor define set in the compilation environment.

Symbols made available by the KRB5_PRIVATE symbol are not part of the
public ABI/API of the krb5 libraries.  They may be renamed, removed,
arguments changed without updating the soname or elf version.  In
general new symbols are added to k5-int.h rather than put in krb5.h
with KRB5_PRIVATE.  From time to time more symbols are migrated from
krb5.h to k5-int.h.

Arguably when these symbols were migrated they should have been
renamed.

To address this bug, I could do a number of things including adding a
#error to the krb5.h that gets installed if krb5_private is defined.
I could also rename the symbols in question or see if upstream would
do that.

However I suspect a far more important thing to address is whether we
can get to a point where you don't need private symbols.
krb5_kt_free_entry is probably fairly easy.  There is a comment in the
krb5 1.6 krb5.h saying to use krb5_kt_free_entry_contents instead.

The other symbols may be more problematic.  We can discuss via e-mail
or IRC.






Bug#532536: libgssapi-krb5: krb5_gss_acquire_cred resolves forward/reverse DNS but doesn't properly handles multiple search domains

2009-06-09 Thread Sam Hartman
This is strange.  So, the reverse resolution behavior is intentional
(and highly broken--it's a long story) but can be disabled by setting
rdns=true in the libdefaults section of krb5.conf.

Gss calls gss_import_name (lib/gssapi/krb5/import_name.c) and that
calls krb5_sname_to_principal (src/lib/krb5/os/sn2princ.c) which is
almost certainly your problem.

However I think that just calls getaddrinfo and getnameinfo so I
suspect something strange is going on here.






Bug#537915: Please support weak encryption types

2009-07-21 Thread Sam Hartman
package: krb5-config
Version: 1.23
severity: wishlist

MIT Kerberos 1.7 and some recent version of Heimdal support a consistent config 
file option to disable weak encryption types like des and rc4-56.
Please implement this option for Debian.






Bug#538052: tzc: uninstallable in unstable

2009-07-22 Thread Sam Hartman
package: tzc
severity: grave
version: 2.6.15-5

Hi. tzc depends on libzephyr3 which is no longer present in unstable.
This is blocking the zephyr transition, which is blocking the removal
of libkrb53 from testing.

I plan to schedule an NMU for 4 days from now using the delayed queue.
I'll attach an NMU diff here; you can either upload before my NMU hits
incoming, cancel my NMU, or do nothing and the NMU should go through.

--Sam






Bug#538053: owl: fails to install in unstable

2009-07-22 Thread Sam Hartman
Package: owl
Version: 2.2.2-1
Severity: grave
Justification: renders package unusable


Hi.  Owl depends on libzephyr3 which is no longer in unstable.  This
is blocking the zephyr transition which is blocking the removal of
libkrb53 from testing.  I'll schedule an NMU through the delayed queue
mechanism for four days; feel free to cancel if you like.






Bug#538052: tzc: uninstallable in unstable

2009-07-23 Thread Sam Hartman
I will send a diff when I schedule the NMU.






Bug#538052: tzc: diff for NMU version 2.6.15-5.1

2009-07-23 Thread Sam Hartman
tags 538052 + patch
thanks

Dear maintainer,

I've prepared an NMU for tzc (versioned as 2.6.15-5.1) and
uploaded it to DELAYED/4. Please feel free to tell me if I should
delay it longer.

Regards.
diff -u tzc-2.6.15/debian/changelog tzc-2.6.15/debian/changelog
--- tzc-2.6.15/debian/changelog
+++ tzc-2.6.15/debian/changelog
@@ -1,3 +1,11 @@
+tzc (2.6.15-5.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Build depend on zephyr 3.0, indicating a transition from krb4 to krb5
+zephyr, Closes: #538052 
+
+ -- Sam Hartman hartm...@debian.org  Thu, 23 Jul 2009 07:42:27 -0400
+
 tzc (2.6.15-5) unstable; urgency=low
 
   * Fix FTBFS with gcc 3.4.  (Closes: #264445)
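Review bot: the description line of the new entry says "Build depend on zephyr 3.0", which names neither the binary package nor the bound that debian/control gets in this same patch (libzephyr-dev at 3.0~beta). Suggest wording it as a build-dependency on libzephyr-dev with the exact version relation, so the changelog and control agree. The "Closes: #538052 " line also ends in a trailing space that is worth dropping.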
diff -u tzc-2.6.15/debian/control tzc-2.6.15/debian/control
--- tzc-2.6.15/debian/control
+++ tzc-2.6.15/debian/control
@@ -2,7 +2,7 @@
 Section: net
 Priority: optional
 Maintainer: Theodore Y. Ts'o ty...@mit.edu
-Build-Depends: debhelper ( 3.0.0), libzephyr-dev, comerr-dev
+Build-Depends: debhelper ( 3.0.0), libzephyr-dev (= 3.0~beta), comerr-dev
 Standards-Version: 3.6.2.1
 
 Package: tzc
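Review bot: in the added Build-Depends line the libzephyr-dev relation reads `(= 3.0~beta)` as shown, which is an exact-version match and would stop the package building as soon as libzephyr-dev moves to any other version. The changelog describes a minimum ("Build depend on zephyr 3.0"), so this should be `>= 3.0~beta`. The unchanged `debhelper ( 3.0.0)` shows no operator at all in this rendering, so check both relations against the debian/control that was actually uploaded.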


Bug#538053: owl: diff for NMU version 2.2.2-1.1

2009-07-23 Thread Sam Hartman
tags 538053 + patch
thanks


Dear maintainer,

I've prepared an NMU for owl (versioned as 2.2.2-1.1) and
uploaded it to DELAYED/4. Please feel free to tell me if I should
delay it longer.

Regards.
diff -u owl-2.2.2/debian/control owl-2.2.2/debian/control
--- owl-2.2.2/debian/control
+++ owl-2.2.2/debian/control
@@ -2,7 +2,7 @@
 Section: net
 Priority: optional
 Maintainer: Mark W. Eichin eic...@thok.org
-Build-Depends: debhelper ( 7), libzephyr-dev (= 2.1.20010518.SNAPSHOT-7), libncurses5-dev, libkrb5-dev, libperl-dev, libssl-dev, libglib2.0-dev
+Build-Depends: debhelper ( 7), libzephyr-dev (= 3.0~beta), libncurses5-dev, libkrb5-dev, libperl-dev, libssl-dev, libglib2.0-dev
 Standards-Version: 3.8.0
 
 Package: owl
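Review bot: the replacement libzephyr-dev bound on the `+Build-Depends` line appears as `(= 3.0~beta)`, the same exact-match form the removed line shows for `2.1.20010518.SNAPSHOT-7`. If that is literally what is in debian/control, the NMU builds against only one specific libzephyr-dev version; a transition marker needs a floor (`>=`). Worth confirming which operator is in the uploaded file.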
diff -u owl-2.2.2/debian/changelog owl-2.2.2/debian/changelog
--- owl-2.2.2/debian/changelog
+++ owl-2.2.2/debian/changelog
@@ -1,3 +1,11 @@
+owl (2.2.2-1.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Build depend on libzephyr-dev = 3.0; this indicates a transition from
+krb4-based zephyr to krb5-based zephyr, Closes: #538053
+
+ -- Sam Hartman hartm...@debian.org  Thu, 23 Jul 2009 07:37:06 -0400
+
 owl (2.2.2-1) unstable; urgency=low
 
   * New upstream release.  The upstream author has become active again and
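Review bot: the changelog bullet states the build-dependency as "libzephyr-dev = 3.0", while the control hunk in this patch sets the version to 3.0~beta. In Debian version ordering a `~` suffix sorts before the bare version, so 3.0~beta is earlier than 3.0 and the two statements describe different bounds. Suggest making the changelog quote the relation exactly as it stands in debian/control.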


Bug#538142: /usr/bin/nmudiff: nmudiff: does not respect DEB_EMAIL

2009-07-23 Thread Sam Hartman
Package: devscripts
Version: 2.10.52
Severity: normal
File: /usr/bin/nmudiff


I filed two nmudiffs; despite DEB_EMAIL being set, it was not used for my from 
address.
I had mutt installed.


-- Package-specific info:

--- /etc/devscripts.conf ---

--- ~/.devscripts ---
Not present

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (40, 'unstable'), (1, 
'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages devscripts depends on:
ii  dpkg-dev  1.14.25Debian package development tools
ii  libc6 2.9-4  GNU C Library: Shared libraries
ii  perl  5.10.0-19  Larry Wall's Practical Extraction 

Versions of packages devscripts recommends:
ii  at3.1.10.2   Delayed job execution and batch pr
ii  bsd-mailx [ma 8.1.2-0.20081101cvs-2  A simple mail user agent
ii  bzr   1.14-2 easy to use distributed version co
ii  curl  7.18.2-8.1 Get a file from an HTTP, HTTPS or 
ii  cvs   1:1.12.13-12   Concurrent Versions System
ii  dctrl-tools   2.13.1 Command-line tools to process Debi
ii  debian-keyrin 2009.01.18 GnuPG (and obsolete PGP) keys of D
ii  debian-mainta 1.53   GPG keys of Debian maintainers
ii  dput  0.9.3  Debian package upload tool
ii  dupload   2.6.6  utility to upload Debian packages
ii  edbrowse [www 3.4.1-1A /bin/ed-alike webbrowser written
ii  epiphany-geck 2.22.3-9   Intuitive GNOME web browser - Geck
ii  equivs2.0.7-0.1  Circumvent Debian package dependen
ii  fakeroot  1.12.2 Gives a fake root environment
ii  git-core  1:1.6.2-1  fast, scalable, distributed revisi
ii  gnupg 1.4.9-4GNU privacy guard - a free PGP rep
ii  iceweasel [ww 3.0.9-1lightweight web browser based on M
ii  libauthen-sas 2.12-1 Authen::SASL - SASL Authentication
ii  libcrypt-ssle 0.57-1+b1  Support for https protocol in LWP
ii  libparse-debc 2.005-2Easy OO parsing of Debian control-
ii  libsoap-lite- 0.710.08-2 Client and server side SOAP implem
ii  libterm-size- 0.2-4+b1   Perl extension for retrieving term
ii  libtimedate-p 1.1600-9   Time and date functions for Perl
ii  liburi-perl   1.37+dfsg-1Manipulates and accesses URI strin
ii  libwww-perl   5.825-1WWW client/server library for Perl
ii  libyaml-syck- 1.05-1 Fast, lightweight YAML loader and 
ii  lintian   2.2.8  Debian package checker
ii  lsb-release   3.2-20 Linux Standard Base version report
ii  lynx-cur [www 2.8.7dev13-1   Text-mode WWW Browser with NLS sup
ii  mailx 1:20081101-2   Transitional package for mailx ren
ii  man-db2.5.4-1on-line manual pager
ii  mercurial 1.1.2-2scalable distributed version contr
ii  openssh-clien 1:5.1p1-5  secure shell client, an rlogin/rsh
ii  patch 2.5.9-5Apply a diff file to an original
ii  patchutils0.3.1-1Utilities to work with patches
ii  strace4.5.17+cvs080723-2 A system call tracer
ii  subversion1.5.6dfsg-1Advanced version control system
ii  svk   2.0.2-3A Distributed Version Control Syst
ii  unzip 5.52-12De-archiver for .zip files
ii  w3-el-e21 [ww 4.0pre.2001.10.27.nodocs-5 Web browser for GNU Emacs 21
ii  w3m [www-brow 0.5.2-2+b1 WWW browsable pager with excellent
ii  wdiff 0.5-18 Compares two files word by word
ii  wget  1.11.4-2   retrieves files from the web

Versions of packages devscripts suggests:
ii  build-essential   11.4   Informational list of build-essent
pn  cvs-buildpackage  none (no description available)
pn  devscripts-el none (no description available)
pn  gnuplot   none (no description available)
pn  libfile-desktopentry-perl none (no description available)
pn  libnet-smtp-ssl-perl  none (no description available)
ii  mutt  1.5.20-2   text-based mailreader supporting M
pn  svn-buildpackage  none (no description available)

-- no debconf information




Bug#538142: /usr/bin/nmudiff: nmudiff: does not respect DEB_EMAIL

2009-07-23 Thread Sam Hartman
I'm terribly sorry.
hartm...@live:sid(140) env |grep -i email
debemail=hartm...@debian.org

However I was using mutt not sendmail.
Is DEBEMAIL expected to be ignored in the mutt case?
If so, why?






Bug#538142: /usr/bin/nmudiff: nmudiff: does not respect DEB_EMAIL

2009-07-23 Thread Sam Hartman
Ah.  I specifically installed mutt only because nmudiff seemed to
imply I'd be happier with it than without.
I don't use mutt.
This may be a doc issue.






Bug#581815: kinit: KDC has no support for encryption type while getting initial credentials

2010-05-16 Thread Sam Hartman
source: krb5
source-version: 1.8.1+dfsg-2

Quoting /usr/share/doc/libkrb5-3/NEWS.debian.gz:

krb5 (1.8+dfsg~alpha1-1) unstable; urgency=low

  This version of MIT Kerberos disables DES and 56-bit RC4 by default.
  These encryption types are generally regarded as weak; defeating them
  is well within the expected resources of some attackers.  However,
  some applications, such as OpenAFS or Kerberized NFS, still rely on
  DES.  To re-enable DES support add allow_weak_crypto=true to the
  libdefaults section of /etc/krb5.conf





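A check for the setting the NEWS entry above describes, as an added example that is not part of the original message or of the krb5 packaging: it reads the libdefaults section of a krb5.conf and reports when allow_weak_crypto is enabled or when an enctype list names single-DES or 56-bit RC4. The two sample files, the EXAMPLE.ORG realm and the function names are constructed for illustration; nested `{ }` blocks are skipped as a simplification.

```python
import re

# Single-DES and export-grade (56-bit) RC4 enctype names used by MIT krb5.
WEAK_ENCTYPES = {
    "des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
    "des-hmac-sha1", "arcfour-hmac-exp", "rc4-hmac-exp",
    "arcfour-hmac-md5-exp",
}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes",
                "permitted_enctypes")
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

# Constructed sample: a host where DES was re-enabled for a legacy service.
WEAK_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    allow_weak_crypto = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc arcfour-hmac-exp

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org.:88
    }
"""

# Constructed sample: the same host with the weak setting commented out.
HARDENED_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    ; allow_weak_crypto = true
    permitted_enctypes = DEFAULT -des
"""


def parse_libdefaults(text):
    """Return {key: [values]} for top-level relations in [libdefaults]."""
    settings, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header and depth == 0:
            section = header.group(1).strip()
            continue
        if line.endswith("{"):                 # start of a nested block
            depth += 1
            continue
        if line.startswith("}"):               # end of a nested block
            depth = max(depth - 1, 0)
            continue
        if section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings.setdefault(key, []).append(value)
    return settings


def audit(text):
    """Return human-readable findings about weak-crypto settings."""
    cfg = parse_libdefaults(text)
    enabled = any(v.lower() in TRUE_VALUES
                  for v in cfg.get("allow_weak_crypto", []))
    findings = []
    if enabled:
        findings.append("allow_weak_crypto is on: DES and 56-bit RC4 are permitted")
    for key in ENCTYPE_KEYS:
        for value in cfg.get(key, []):
            tokens = re.split(r"[,\s]+", value.strip())
            # "-name" removes an enctype from the list, so it is not a finding.
            weak = sorted(t.lstrip("+").lower() for t in tokens
                          if not t.startswith("-")
                          and t.lstrip("+").lower() in WEAK_ENCTYPES)
            if weak:
                state = "usable" if enabled else "listed, weak crypto off"
                findings.append(f"{key} names {', '.join(weak)} ({state})")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```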

Bug#582122: krb5-kdc fails on startup because it may need slapd running

2010-05-18 Thread Sam Hartman
 Andreas == Andreas B Mundt andi.mu...@web.de writes:


Andreas If, for some reason, it is not desired to change the boot
Andreas ordering for kdc in general, there should be a correct
Andreas ordering as soon as you install krb5-kdc-ldap.

This is messy.  The problem is that you might well want to use Kerberos
for LDAP authentication--for example for one LDAP replica to talk to
another.  Your LDAP server may not be on the same machine as your
Kerberos server.

I'd be interested in patches to do any of the following in decreasing
order of preference:

1)  Periodically reconnect to LDAP if LDAP is unavailable--upstream
patch

2) If krb5-kdc-ldap is installed ask a medium priority debconf question
with default yes about whether kdc should come before ldap (and act
appropriately)

3) Ask a medium priority debconf question with default yes about whether
krb5kdc should come before ldap (ignoring the krb5-kdc-ldap package
entirely)

Any change to the boot order should work both with classic ordering and
dependency-based ordering.  I'm happy to review patches or discuss
design directions; I do not have time to implement one of the proposed
patches above.






Bug#582122: krb5-kdc fails on startup because it may need slapd running

2010-05-19 Thread Sam Hartman
OK.
This sounds good.
Will get to it in my next upload if Russ doesn't get there first.






Bug#577389: inetd.conf is broken again :-(

2010-05-20 Thread Sam Hartman
Hi.  I had totally missed this bug being opened.  I definitely think we
can address it in the next update.  I'm really sorry about this.






Bug#577490: TGT renewal causes krb5kdc to crash on armel

2010-04-12 Thread Sam Hartman
It would be very interesting to see whether this happens with the kdc in
testing (1.8~alpha1-7).  There is a particular change introduced in
1.8+dfsg-1.1 that might be the problem (although I doubt it).





