Bug#1059095: general: Unable to boot

[Janusz S . Bień]

On Wed, Dec 20 2023 at  8:47 +01, Janusz Bień wrote:
> Package: general
> Severity: grave
> X-Debbugs-Cc: jsb...@mimuw.edu.pl
>
> Since yesterday I'm unable to boot the system, it hangs after the
> messages shown in an attachment; these messages or very similar ones
> appeared earlier with no harm.
>
> I update the system almost every evening. On 18th December the system
> worked normally, in the evening libfreeimage3 has been updated. Next
> day the boot problem appeared.
>
> The same problem occurs when I try to run Debian Live, I reported it
> as the bug #1059037.
>
> The computer has Windows on another disk (which I use now), so I can
> access the Linux disk and e.g. provide you with some logs. I can also
> run hardware detection from Debian Live.

Today everything works! The installed system, the installer (#1059167)
and Debian Live (1059037). Earlier several attemps failed, it was not
just a single incident.

Should I suspect a hardware malfunction? Can you recommend some testing
program?

Best regards

JSB

-- 
 ,   
Janusz S. Bien
emeryt (emeritus)
https://sites.google.com/view/jsbien

Re: Reaction to potential PGP schism

[Daniel Kahn Gillmor]

hey folks--

[ This message won't make sense unless the reader distinguishes clearly
  between OpenPGP the protocol and GnuPG the implementation! As a
  community we have a history of fuzzily conflating the two terms, which
  is one of the reasons that we're in this mess today.  Please read
  explicitly. ]

[ Background: for those who don't know, i've been a maintainer in debian
  of GnuPG and other OpenPGP-related tooling for several years, and i'm
  also the co-chair of the IETF's OpenPGP working group; i participated
  in many of the discussions that led to the current sorry situation,
  and it is happening despite my best efforts to avoid this problem.
  I'm probably as responsible for this situation as anyone in Debian
  is. My apologies. ]

The best outcome, in my opinion, would be for GnuPG to go ahead and
implement the pending updated OpenPGP specification (the so-called
"crypto-refresh"). I say this despite personally preferring some of the
concrete ways that i think the GnuPG project would have preferred to (as
indicated by the latest "LibrePGP" Internet-Draft, at least) diverge
from the OpenPGP specification.  There are enough other advantages to
the OpenPGP crypto-refresh that it doesn't make sense for GnuPG to
deliberately avoid implementing the community consensus. The GnuPG
project clearly has all the underlying cryptographic and engineering
capability to do this, if it wants to, and the OpenPGP crypto-refresh
process took deliberate measures to avoid collisions with any
prematurely deployed code that implements a draft that hadn't managed to
reach a rough consensus.

Can debian make GnuPG interoperate with the rest of the OpenPGP
ecosystem?  Probably not without GnuPG's cooperation: it would be a
substantial patchset to carry in Debian, and even trickier to do if
GnuPG upstream sees such a patchset as hostile.

Read on below if you want to consider some other options.

Stephan Verbücheln wrote:
> As you probably know, Debian relies heavily on GnuPG for various
> purposes, including:
> - developer communication
> - signing of tarballs and patches
> - automated processes such as update validation by APT

Debian by policy and by mechanism relies heavily on the OpenPGP protocol
for these things.  And i'd also add certificate verification, aka "web
of trust" for Debian developer identities to the list as well.

In particular, we use OpenPGP for cryptographic signing of software
source, packaging information, archive control, and distribution
mechanisms; for developer identities; and for cryptographic verification
of all of these things.  As a project, we don't make much use of the
encryption/decryption parts of OpenPGP, since we develop mainly in the
open.  But not everyone uses GnuPG for these purposes.  There are
multiple interoperable OpenPGP implementations in Debian beyond the
GnuPG family (C), including RNP (C/C++), pgpainless (java), pgpy
(Python), GOpenPGP (Go), hOpenPGP (haskell), and Sequoia (Rust).

But it is also true that the GnuPG implementation specifically is baked
into some of our infrastructure.  I'll get into why that is below (see
"Why is GnuPG on Debian's Critical Path?").

> How can Debian deal with this? Should Debian intervene to prevent the
> worst?

I don't think Debian can make a specific intervention that will avoid
the global problem, but i think there are things we can consider going
forward.

One possible approach is to drop the use of OpenPGP (or "LibrePGP")
entirely, and instead base our internal cryptographic dependencies on
bespoke cryptographic implementations.

I think that would be a mistake.

I do not want Debian's long-term health to depend on any particular
implementation.  If the implementation fails then we would have to (as a
project) decide on our own upgrade path.  For a failure due to
cryptanalytic advances, that can be particularly harrowing: I don't
think we as a project have the necessary expertise to do that well.  For
failures due to buggy implementations, we can always patch, but i wonder
about the amount of cryptanalytic review a bespoke implementation will
have as opposed to publicly audited generic tooling.

If we have to decide as a project on LibrePGP vs. OpenPGP, i'd prefer
the wider community project with a stable reference, functioning (albeit
sometimes rough) consensus, a range of diverse implementations, and
substantial public interoperability testing.  That means OpenPGP.

To be clear, the IETF OpenPGP working group actively solicited input
from the GnuPG team, and tried to work with the project as one
significant implementation among many.  But ultimately, the GnuPG
project decided to break away from the community process, and created
this "LibrePGP" split, which threatens interoperability for the *PGP
ecosystem as a whole.  Maybe the end result of this will be to put a
nail in *PGP's coffin, and we'll all just go back to bespoke
cryptographic implementations that have no stable reference other than
the source code, and little inte

Bug#1059195: ITP: golang-github-envoyproxy-go-control-plane -- Go implementation of data-plane-api

[Maytham Alsudany]

Package: wnpp
Severity: wishlist
Owner: Maytham Alsudany 
X-Debbugs-CC: debian-devel@lists.debian.org, debian...@lists.debian.org
Control: block 1057834 by -1
Control: block -1 by 1057894

* Package name: golang-github-envoyproxy-go-control-plane
  Version : 0.11.1
  Upstream Author : Envoyproxy Authors
* URL : https://github.com/envoyproxy/go-control-plane
* License : Apache-2.0
  Programming Lang: Go
  Description : Go implementation of data-plane-api

 This repository contains a Go-based implementation of an API server that
 implements the discovery service APIs defined in data-plane-api.
 .
 Due to the variety of platforms out there, there is no single control plane
 implementation that can satisfy everyone's needs. Hence this code base does
 not attempt to be a full scale control plane for a fleet of Envoy proxies.
 Instead, it provides infrastructure that is shared by multiple different
 control plane implementations. The components provided by this library are:
 .
   * API Server: A generic gRPC based API server that implements xDS APIs as
 defined in the data-plane-api. The API server is responsible for pushing
 configuration updates to Envoys. Consumers should be able to import this
 go library and use the API server as is, in production deployments.
 .
   * Configuration Cache: The library will cache Envoy configurations in memory
 in an attempt to provide fast response to consumer Envoys. It is the
 responsibility of the consumer of this library to populate the cache as
 well as invalidate it when necessary. The cache will be keyed based on a
 pre-defined hash function whose keys are based on the Node information.
 .
 At this moment, this repository will not tackle translating platform specific
 representation of resources (e.g., services, instances of services, etc.) into
 Envoy-style configuration. Based on usage and feedback, we might decide to
 revisit this aspect at a later point in time.

This package is a new dependency of the latest version of golang-google-grpc-
dev.

- Will be packaged within Debian Go Packaging Team.
- Will need a sponsor to upload.

Kind regards,
Maytham


signature.asc
Description: This is a digitally signed message part

Bug#1059143: ITP: rust-rockusb -- Rockchip USB protocol host implementation

[Arnaud Ferraris]

Package: wnpp
Severity: wishlist
Owner: Arnaud Ferraris 
X-Debbugs-Cc: debian-devel@lists.debian.org, aferra...@debian.org, 
pkg-rust-maintain...@alioth-lists.debian.net

* Package name: rust-rockusb
  Version : 0.1.3
  Upstream Contact: Sjoerd Simons 
* URL : https://github.com/collabora/rockchiprs
* License : MIT, Apache 2.0
  Programming Lang: Rust
  Description : Rockchip USB protocol host implementation

The "rockusb" Rust crate provides an independent re-implementation of the
Rockchip USB
protocol used to communicate with various Rockchip processors. It allows one to
read information about the processor or the flash memory, read and write files
to and from flash, reset the device and various other commands.

This package provides both the Rust source code for the crate/library and the
binary "rockusb" package, which can be used as an alternative to
"rkdeveloptool".

It will be maintained within the Debian Rust team.