Re: Security issue in groovy<2.5.0

2017-09-07 Thread Emmanuel Bourg
Le 7/09/2017 à 20:40, Felix Natter a écrit :

> I have backported the single GROOVY-8163 [1] [2] commit (plus a missing
> import), and pushed the result here:
>   https://anonscm.debian.org/cgit/pkg-java/groovy.git
> 
> [1] https://issues.apache.org/jira/browse/GROOVY-8163
> [2] 
> https://github.com/apache/groovy/commit/0305a38a0cc8f4190a1486c460ebc6f712ad1a07
> 
> I have tested this extensively with freeplane.

Thanks !

> Could someone please consider sponsoring this?

I'll upload the package.

> I assumed a QA upload because lintian complains about missing Uploader:
> and because of Paul Wise's advice. Shall I revert to team upload?

Yes please.

Emmanuel Bourg



Re: Security issue in groovy<2.5.0

2017-09-07 Thread Felix Natter
hello Debian-java,

Emmanuel Bourg  writes:
> Le 17/08/2017 à 20:18, Felix Natter a écrit :
>
>> So the question is: Can I package freeplane without the 'securegroovy'
>> library, expecting that groovy 2.5 will be released soon, and will
>> shortly after be packaged for Debian?
>
> Yes ignore securegroovy, we have to directly patch or upgrade our groovy
> package in this case.

I have backported the single GROOVY-8163 [1] [2] commit (plus a missing
import), and pushed the result here:
  https://anonscm.debian.org/cgit/pkg-java/groovy.git

[1] https://issues.apache.org/jira/browse/GROOVY-8163
[2] 
https://github.com/apache/groovy/commit/0305a38a0cc8f4190a1486c460ebc6f712ad1a07

I have tested this extensively with freeplane.

Could someone please consider sponsoring this?

I assumed a QA upload because lintian complains about missing Uploader:
and because of Paul Wise's advice. Shall I revert to team upload?

Thanks and Best Regards,
-- 
Felix Natter
debian/rules!



Re: Security issue in groovy<2.5.0

2017-09-06 Thread Paul Wise
On Thu, Sep 7, 2017 at 12:01 AM, 殷啟聰 | Kai-Chung Yan wrote:

> Changing the maintainer to Debian QA Group does not seem incorrect to me.

Unfortunately orphaning packages tends to attract deletionists, so you
have to be vigilant to ensure the package doesn't get removed from
Debian entirely. If no-one on the Java team cares about it, maybe just
removing it is fine though.

> However, I'm curious about the situation when someone wants to upload a 
> simple change to an orphaned package. Do people refrain from it or they 
> simply do a non-maintainer upload?

They do a QA upload:

https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#nmu-qa-upload

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



Re: Security issue in groovy<2.5.0

2017-09-06 Thread 殷啟聰 | Kai-Chung Yan
Hello Felix,

I agree that the changes are made into a single patch.

Now that no human being is actively maintaining this package, I think it is 
effectively orphaned. pkg-java team is unable to be responsible for the package 
because nobody *is* pkg-java. Changing the maintainer to Debian QA Group does 
not seem incorrect to me.

However, I'm curious about the situation when someone wants to upload a simple 
change to an orphaned package. Do people refrain from it or they simply do a 
non-maintainer upload?

Felix Natter 於 2017/9/5 上午3:35 寫道:
> 殷啟聰 | Kai-Chung Yan  writes:
>
>> Hello Natter,
> hi Kai,
> thanks for the reply.
>
> s/Natter/Felix/g ;-) (my first name is Felix)
>
>> Since it's just one commit, I suggest you put it as a patch in
>> `debian/patches`. When someone is updating the package to 2.5.0, she
>> can just remove it.
> There is already a 2.4.8-2 in the git pipeline (unreleased) by Miguel
> Landaeta (CC):
>   https://anonscm.debian.org/cgit/pkg-java/groovy.git
>
> In the corresponding bug for 2.4.8-2 (#871857) Miguel says:
>
> "I removed myself from uploaders list and prepared a tentative QA upload
> but I didn't upload it to the archive since the resulting package would
> be in violation of Debian Policy (§3.3 and §5.6.3). I'd appreciate if
> somebody else can step in as maintainer."
>
> Policy §5.6.3 says:
> "This is normally an optional field, but if the Maintainer control field
> names a group of people and a shared email address, the Uploaders field
> must be present and must contain at least one human with their personal
> email address."
>
> --> groovy currently only has:
>   Maintainer: Debian Java Maintainers 
> 
>  (no Uploader:)
> which seems to violate §5.6.3. So how can we make a policy-compliant
> team upload without becoming maintainer (I'd like to avoid taking over
> groovy maintainership if possible)?
>
> Shall we set
>   Maintainer: Debian QA Group 
> according to Policy §3.3, even if we usually do team uploads?
>
> Other than that: @Miguel, @Emmanuel, @Kai: do you agree to make a simple
> 2.4.8-2 release with Miguel's changes only adding that patch?
>
> Thanks and Best Regards,




signature.asc
Description: OpenPGP digital signature


Re: Security issue in groovy<2.5.0

2017-09-05 Thread Miguel Landaeta
Hi,

On Monday, September 4, 2017 09:35:46 PM CEST Felix Natter wrote:
>
> [...]
>
> which seems to violate §5.6.3. So how can we make a policy-compliant
> team upload without becoming maintainer (I'd like to avoid taking over
> groovy maintainership if possible)?
> 
> Shall we set
>   Maintainer: Debian QA Group 
> according to Policy §3.3, even if we usually do team uploads?

The Debian Java team should be kept as maintainer since groovy is not
being orphaned. It's only the uploaders list that is not correct anymore.

> Other than that: @Miguel, @Emmanuel, @Kai: do you agree to make a simple
> 2.4.8-2 release with Miguel's changes only adding that patch?

I'm just curious here, but what's the upstream rationale to don't
release a hot fix for groovy if we are talking about a security issue?

I agree with including the patch, especially if it's already merged at
upstream and scheduled to be included in 2.5.0.

Cheers,
Miguel.

-- 
Miguel Landaeta, nomadium at debian.org
secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key.
"Faith means not wanting to know what is true." -- Nietzsche


signature.asc
Description: Digital signature


Re: Security issue in groovy<2.5.0

2017-09-04 Thread Felix Natter
殷啟聰 | Kai-Chung Yan  writes:

> Hello Natter,

hi Kai,
thanks for the reply.

s/Natter/Felix/g ;-) (my first name is Felix)

> Since it's just one commit, I suggest you put it as a patch in
> `debian/patches`. When someone is updating the package to 2.5.0, she
> can just remove it.

There is already a 2.4.8-2 in the git pipeline (unreleased) by Miguel
Landaeta (CC):
  https://anonscm.debian.org/cgit/pkg-java/groovy.git

In the corresponding bug for 2.4.8-2 (#871857) Miguel says:

"I removed myself from uploaders list and prepared a tentative QA upload
but I didn't upload it to the archive since the resulting package would
be in violation of Debian Policy (§3.3 and §5.6.3). I'd appreciate if
somebody else can step in as maintainer."

Policy §5.6.3 says:
"This is normally an optional field, but if the Maintainer control field
names a group of people and a shared email address, the Uploaders field
must be present and must contain at least one human with their personal
email address."

--> groovy currently only has:
  Maintainer: Debian Java Maintainers 

 (no Uploader:)
which seems to violate §5.6.3. So how can we make a policy-compliant
team upload without becoming maintainer (I'd like to avoid taking over
groovy maintainership if possible)?

Shall we set
  Maintainer: Debian QA Group 
according to Policy §3.3, even if we usually do team uploads?

Other than that: @Miguel, @Emmanuel, @Kai: do you agree to make a simple
2.4.8-2 release with Miguel's changes only adding that patch?

Thanks and Best Regards,
-- 
Felix Natter
debian/rules!



Re: Security issue in groovy<2.5.0

2017-09-03 Thread 殷啟聰 | Kai-Chung Yan
Hello Natter,

Since it's just one commit, I suggest you put it as a patch in 
`debian/patches`. When someone is updating the package to 2.5.0, she can just 
remove it.


Felix Natter 於 2017/9/2 下午10:35 寫道:
> hello Emmanuel, 
>
> Felix Natter  writes:
>>> Le 26/08/2017 à 18:14, Felix Natter a écrit :
>>>
 The problem is that it may take weeks/months for groovy 2.5 to be
 released, and weeks/months until it's packaged for Debian.
>>> How big is the fix for Groovy? Do you know which commits should be
>>> backported?
>> It's a single (but nontrivial) commit:
>> https://github.com/apache/groovy/commit/0305a38a0cc8f4190a1486c460ebc6f712ad1a07
>>
>> The groovy people decided not to backport to groovy 2.4.x, so I am not
>> sure whether we shall do it?
> Is there any update on this? What shall I do?
> I don't mean to be impatient, I was just not sure whether you've seen
> this.
>
> Thanks and Best Regards,




signature.asc
Description: OpenPGP digital signature


Re: Security issue in groovy<2.5.0

2017-09-02 Thread Felix Natter
hello Emmanuel, 

Felix Natter  writes:
>> Le 26/08/2017 à 18:14, Felix Natter a écrit :
>>
>>> The problem is that it may take weeks/months for groovy 2.5 to be
>>> released, and weeks/months until it's packaged for Debian.
>>
>> How big is the fix for Groovy? Do you know which commits should be
>> backported?
>
> It's a single (but nontrivial) commit:
> https://github.com/apache/groovy/commit/0305a38a0cc8f4190a1486c460ebc6f712ad1a07
>
> The groovy people decided not to backport to groovy 2.4.x, so I am not
> sure whether we shall do it?

Is there any update on this? What shall I do?
I don't mean to be impatient, I was just not sure whether you've seen
this.

Thanks and Best Regards,
-- 
Felix Natter
debian/rules!



Re: Security issue in groovy<2.5.0

2017-08-28 Thread Felix Natter
Thorsten Glaser  writes:

> On Sat, 26 Aug 2017, Felix Natter wrote:

hi Thorsten,

>> OTOH, this is for Debian unstable/testing...
>
> Debian unstable is where you upload things to that you expect
> to be part of the next Debian stable, and thus in an appropriate
> shape; it might make sense for experimental though?

This post is about considering to patch groovy-2.4 to fix a sandbox
escape in that version, which the groovy people did not want to patch in
2.4.x, but it will be part of 2.5.x.

I meant that we might consider using the patch on Debian
testing/unstable, because unlike upstream groovy 2.4.x it won't be used
in a stable environment soon (i.e. until 2.5.0 is released). Of course,
this might neglect Ubuntu releases.

Best Regards,
-- 
Felix Natter
debian/rules!



Re: Security issue in groovy<2.5.0

2017-08-26 Thread Thorsten Glaser
On Sat, 26 Aug 2017, Felix Natter wrote:

> OTOH, this is for Debian unstable/testing...

Debian unstable is where you upload things to that you expect
to be part of the next Debian stable, and thus in an appropriate
shape; it might make sense for experimental though?

bye,
//mirabilos
-- 
15:41⎜ Somebody write a testsuite for helloworld :-)



Re: Security issue in groovy<2.5.0

2017-08-26 Thread Felix Natter
Felix Natter  writes:

> Emmanuel Bourg  writes:
>
> hi Emmanuel,
>
>> Le 26/08/2017 à 18:14, Felix Natter a écrit :
>>
>>> The problem is that it may take weeks/months for groovy 2.5 to be
>>> released, and weeks/months until it's packaged for Debian.
>>
>> How big is the fix for Groovy? Do you know which commits should be
>> backported?
>
> It's a single (but nontrivial) commit:
> https://github.com/apache/groovy/commit/0305a38a0cc8f4190a1486c460ebc6f712ad1a07
>
> The groovy people decided not to backport to groovy 2.4.x, so I am not
> sure whether we shall do it?

OTOH, this is for Debian unstable/testing...

Cheers and Best Regards,
-- 
Felix Natter



Re: Security issue in groovy<2.5.0

2017-08-26 Thread Felix Natter
Emmanuel Bourg  writes:

hi Emmanuel,

> Le 26/08/2017 à 18:14, Felix Natter a écrit :
>
>> The problem is that it may take weeks/months for groovy 2.5 to be
>> released, and weeks/months until it's packaged for Debian.
>
> How big is the fix for Groovy? Do you know which commits should be
> backported?

It's a single (but nontrivial) commit:
https://github.com/apache/groovy/commit/0305a38a0cc8f4190a1486c460ebc6f712ad1a07

The groovy people decided not to backport to groovy 2.4.x, so I am not
sure whether we shall do it?

Thanks and Best Regards,
-- 
Felix Natter



Re: Security issue in groovy<2.5.0

2017-08-26 Thread Emmanuel Bourg
Le 26/08/2017 à 18:14, Felix Natter a écrit :

> The problem is that it may take weeks/months for groovy 2.5 to be
> released, and weeks/months until it's packaged for Debian.

How big is the fix for Groovy? Do you know which commits should be
backported?

Emmanuel Bourg



Re: Security issue in groovy<2.5.0

2017-08-26 Thread Felix Natter
Emmanuel Bourg  writes:

> Le 17/08/2017 à 20:18, Felix Natter a écrit :

hi Emmanuel,

>> So the question is: Can I package freeplane without the 'securegroovy'
>> library, expecting that groovy 2.5 will be released soon, and will
>> shortly after be packaged for Debian?
>
> Yes ignore securegroovy, we have to directly patch or upgrade our groovy
> package in this case.

The problem is that it may take weeks/months for groovy 2.5 to be
released, and weeks/months until it's packaged for Debian.

I would like to package freeplane 1.6.5 this/next week, and I guess
freeplane users expect that this version is safe. So shall I package
securegroovy, and throw it away soon?

Cheers and Best Regards,
-- 
Felix Natter



Re: Security issue in groovy<2.5.0

2017-08-26 Thread Emmanuel Bourg
Le 17/08/2017 à 20:18, Felix Natter a écrit :

> So the question is: Can I package freeplane without the 'securegroovy'
> library, expecting that groovy 2.5 will be released soon, and will
> shortly after be packaged for Debian?

Yes ignore securegroovy, we have to directly patch or upgrade our groovy
package in this case.

Emmanuel Bourg



Security issue in groovy<2.5.0

2017-08-17 Thread Felix Natter
hello debian-java,

freeplane 1.5/1.6 added a library [1] which uses byte-buddy to fix a
security problem in groovy < 2.5.0 [2]. The fix will be included in
groovy 2.5, which should be released soon (currently at 2.5.0-beta-2).

So the question is: Can I package freeplane without the 'securegroovy'
library, expecting that groovy 2.5 will be released soon, and will
shortly after be packaged for Debian?

[1] https://github.com/dpolivaev/securegroovy/

[2] https://issues.apache.org/jira/browse/GROOVY-8163
(freeplane maps include groovy scripts which can escape the sandbox)

Thanks and Best Regards,
-- 
Felix Natter