Re: jessie-updates gone
Hi Ben,

On Wed, Apr 03, 2019 at 12:23:46AM +0100, Ben Hutchings wrote:
> Debian LTS is a team within Debian. It's separate from the main
> security team and the stable release managers, but it is no less part
> of Debian.

Sure, I do understand that. My employer is one of the LTS sponsors.

However what I am saying is, there are clearly quite a few users of Debian who were surprised and confused about jessie-updates going away. I think that means those users also did not know that they transitioned from relying on the security team and release managers to the LTS team. Clearly the LTS team cannot provide the same level of support, so wouldn't you agree that it is important that users realise when they go from one state to another?

> The transition to extended support by the LTS team has always been
> announced, in any case:

Absolutely, but these users did not read those announcements, or else I think they wouldn't have been so confused by jessie-updates going away.

The majority of end user posts about this that I have seen have not been saying, "this is annoying, just make it stop", they have been more like, "what is going on? Is my sources.list incorrect?" i.e. I'm not convinced these posts are coming from people who read any of the various announcement emails.

I've supported a couple of my own users with questions about the apt update errors and none of them knew what LTS was or that they had already been using it for nearly a year. From their point of view while "apt update" continued to work without complaint, they were enjoying full Debian support. I have a feeling this wrong impression may be quite common.

So, various people are asking for an empty jessie-updates to be put back because of all the confused users and the need to make changes to sources.list. I am asking:

a) doesn't that suggest that many or all of these users missed that they transitioned to LTS back in June 2018, and only noticed that something was amiss now that jessie-updates has gone?

b) if in future Debian does leave an empty stretch-updates then doesn't that mean that these users will continue being blissfully unaware for an even longer period of time?

c) if getting warnings from "apt update" does seem to be an effective final way to reach such users, would it be a good idea to find a way to have apt tell them about their transition into LTS?

Personally I'm not bothered either way about whether "-updates" remains something that can be in sources.list without causing update errors, but I am more concerned that a lot of users may have ended up transitioning to LTS without realising that, and wonder if there is any good way to help reduce that.

Cheers,
Andy
Re: jessie-updates gone
On Tue, 2019-04-02 at 19:30 +, Andy Smith wrote:
> Hi Matus,
>
> On Tue, Apr 02, 2019 at 08:17:54PM +0200, Matus UHLAR - fantomas wrote:
> > > On Tue, Apr 02, 2019 at 03:09:03PM +0200, Matus UHLAR - fantomas wrote:
> > > > On 02.04.19 10:59, Andy Smith wrote:
> > > So are you really saying that your proposed solution is just to tell
> > > people who aren't currently reading announcements and are not running
> > > check-support-status to try harder?
> >
> > I'm trying to say that people using LTS should not notice out of nothing that
> > the -updates archive is now gone. That should happen after LTS is over.
>
> Sure but you are aware that every Debian user becomes an LTS user
> when -updates stops being a source of point releases and
> further updates end up in /updates, right?
>
> I am not talking about telling *LTS* users anything. I am asking how
> is an uninformed user of Debian supposed to know that they are no
> longer supported by Debian, but only by LTS? That they have in fact
> *become* an LTS user?
[...]

Debian LTS is a team within Debian. It's separate from the main security team and the stable release managers, but it is no less part of Debian.

The transition to extended support by the LTS team has always been announced, in any case:

https://lists.debian.org/debian-announce/2014/msg4.html
https://lists.debian.org/debian-announce/2016/msg5.html
https://lists.debian.org/debian-announce/2018/msg2.html

Ben.

--
Ben Hutchings
Q. Which is the greater problem in the world today, ignorance or apathy?
A. I don't know and I couldn't care less.
Re: jessie-updates gone
Hi Matus,

On Tue, Apr 02, 2019 at 08:17:54PM +0200, Matus UHLAR - fantomas wrote:
> >On Tue, Apr 02, 2019 at 03:09:03PM +0200, Matus UHLAR - fantomas wrote:
> >>On 02.04.19 10:59, Andy Smith wrote:
> >So are you really saying that your proposed solution is just to tell
> >people who aren't currently reading announcements and are not running
> >check-support-status to try harder?
>
> I'm trying to say that people using LTS should not notice out of nothing that
> the -updates archive is now gone. That should happen after LTS is over.

Sure but you are aware that every Debian user becomes an LTS user when -updates stops being a source of point releases and further updates end up in /updates, right?

I am not talking about telling *LTS* users anything. I am asking how is an uninformed user of Debian supposed to know that they are no longer supported by Debian, but only by LTS? That they have in fact *become* an LTS user?

In this instance they got the hint because jessie-updates went away. The proposal is to not make jessie-updates go away but instead just empty it. Then these users will not get informed.

While there is no proposal on how to get the word to these users, I would argue it is best to continue removing -updates when it is done with. I would rather there was a better way to communicate with users though, that does not require them to subscribe to mailing lists or run optional commands.

As to the separate issue of whether to keep an empty -updates to silence complaints from "apt update", I don't really care either way. I use config management so removing it everywhere is pretty trivial. :)

Cheers,
Andy
Re: jessie-updates gone
On Tue, Apr 02, 2019 at 03:09:03PM +0200, Matus UHLAR - fantomas wrote:
>On 02.04.19 10:59, Andy Smith wrote:
>>The alternative is that those users continue using Debian without
>>realising that their packages stopped being supported by the
>>maintainers and security team and are now supported by LTS alone.
>
>this should happen when LTS is over, not before.
>also, there's check-support-status for unsupported packages.

On 02.04.19 14:43, Andy Smith wrote:
>Sorry I am not sure I follow. Miroslav said, "led thousands of users to
>ask themselves what was wrong with their apt update". I cannot personally
>say that I saw thousands, but I did see tens (some of which are my users
>that I support), which suggests there are quite a lot more of these users
>that we don't see.
>
>You understand that these users do not currently read the announcements
>about support life times and do not currently run check-support-status,
>right? Otherwise they would not have been confused about what happened
>with jessie-updates.
>
>So are you really saying that your proposed solution is just to tell
>people who aren't currently reading announcements and are not running
>check-support-status to try harder?

I'm trying to say that people using LTS should not notice out of nothing that the -updates archive is now gone. That should happen after LTS is over.

dropping the -backports is fine, maybe even just after LTS starts.

note that the -updates usually contains packages that continue to be supported. This does not apply for -backports.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail to this address.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".
Re: jessie-updates gone
On 01/04/2019 15:51, Pierre Fourès wrote:
> Thanks Holger,
>
> If I understood correctly, this means that tzdata will get updated through
> "deb http://security.debian.org/ jessie/updates main" even if it's not
> a "security" update per se?

Yes. tzdata and other such updates go into jessie-security because there's no other place for them with the closing of jessie{,-updates}. It's been that way for a long time. The last tzdata and libdatetime-timezone-perl were uploaded to jessie-security earlier today.

> So, to Jessie users, everything works as expected (we still get non-security
> updates) even if it doesn't go through the way it used to?
>
> On Mon, 1 Apr 2019 at 15:40, Holger Levsen wrote:
>>
>> On Mon, Apr 01, 2019 at 02:29:23PM +0200, Pierre Fourès wrote:
>>> Now that Jessie is in LTS and that jessie-updates/ is gone, does this
>>> also mean there won't be any other updates to tzdata, clamav, or
>>> similar (time-dependent) packages?
>>
>> no.
>>
>>> Or if still updated, where do we get them from? I guess it's not
>>> from security updates?
>>
>> from LTS.
>>
>> to clarify:
>>
>> this is LTS:
>>
>> deb http://security.debian.org/ jessie/updates main
>>
>> this is gone:
>>
>> deb http://deb.debian.org/debian/ jessie-updates main
>>
>>
>> --
>> tschau,
>> Holger
>>
>> ---
>> holger@(debian|reproducible-builds|layer-acht).org
>> PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
>>
>> In Europe there are people prosecuted by courts because they saved other people
>> from drowning in the Mediterranean Sea. That is almost as absurd as if there
>> were people being prosecuted because they save humans from drowning in the sea.
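The exchange above boils down to one check an administrator can script: the jessie/updates suite on security.debian.org is where LTS uploads go, while jessie-updates (and, per the thread, jessie-backports) are gone from the mirrors and only produce "apt update" errors. The following audit script is an added example for this page, not a Debian tool and not code posted by anyone in the thread; it is plain POSIX sh, the sample sources.list is constructed, and the list of gone suites is taken from what the thread says about jessie.

```shell
#!/bin/sh
# Added example (not a Debian tool and not code from the thread): audit an apt
# sources.list for jessie suites the thread says are gone from the mirrors and
# confirm the LTS security suite ("deb http://security.debian.org/ jessie/updates main",
# as Holger identifies it) is still configured. The sample file below is constructed.

GONE_SUITES="jessie-updates jessie-backports"

# Constructed sample of a jessie host that never heard about the LTS transition.
SAMPLE_SOURCES="${TMPDIR:-/tmp}/sample-sources.list.$$"
cat > "$SAMPLE_SOURCES" <<'EOF'
# constructed example, not a real host
deb http://deb.debian.org/debian/ jessie main contrib
deb-src http://deb.debian.org/debian/ jessie main
deb [arch=amd64] http://deb.debian.org/debian/ jessie-updates main
deb http://deb.debian.org/debian/ jessie-backports main
deb http://security.debian.org/ jessie/updates main
EOF

# Print the suite field of a one-line entry: "deb [options] URI suite components".
suite_of() {
    printf '%s\n' "$1" | sed 's/\[[^]]*\][[:space:]]*//' | awk '{ print $3 }'
}

# Classify one line as "gone", "lts", "ok" or "skip" (comment, blank, anything else).
classify_line() {
    case "$1" in
        deb\ *|deb-src\ *) ;;
        *) echo skip; return 0 ;;
    esac
    suite=$(suite_of "$1")
    for g in $GONE_SUITES; do
        if [ "$suite" = "$g" ]; then
            echo gone
            return 0
        fi
    done
    case "$1" in
        *security.debian.org*)
            if [ "$suite" = "jessie/updates" ]; then
                echo lts
                return 0
            fi
            ;;
    esac
    echo ok
}

# Number of entries that now only produce "apt update" errors.
count_gone() {
    n=0
    while IFS= read -r line; do
        if [ "$(classify_line "$line")" = gone ]; then
            n=$((n + 1))
        fi
    done < "$1"
    echo "$n"
}

# Exit 0 when the LTS security suite is present, 1 when the host has no such source.
has_lts_security() {
    while IFS= read -r line; do
        if [ "$(classify_line "$line")" = lts ]; then
            return 0
        fi
    done < "$1"
    return 1
}

# Emit a corrected copy: gone suites are commented out with a note so the operator
# can see what changed and why; every other line passes through unchanged.
rewrite_sources() {
    while IFS= read -r line; do
        if [ "$(classify_line "$line")" = gone ]; then
            printf '# %s is no longer on the mirrors (jessie is in LTS); disabled by audit\n#%s\n' \
                "$(suite_of "$line")" "$line"
        else
            printf '%s\n' "$line"
        fi
    done < "$1"
}

# Stand-alone run: report, then print the rewritten file.
printf 'entries for gone suites: %s\n' "$(count_gone "$SAMPLE_SOURCES")"
if has_lts_security "$SAMPLE_SOURCES"; then
    echo 'LTS security suite: present'
else
    echo 'LTS security suite: MISSING'
fi
rewrite_sources "$SAMPLE_SOURCES"
```

Run against a real /etc/apt/sources.list the report tells you in one glance whether the host is in the state Andy describes (still pointing at gone suites, perhaps with no security source at all), and the rewritten copy can be diffed before it is installed by hand or by the configuration management the thread mentions. The list of gone suites is deliberately a single variable so the same script carries over to the stretch-updates case raised later in the thread.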
Re: jessie-updates gone
On Tue, 2 Apr 2019 at 15:09, Matus UHLAR - fantomas wrote:
>
> >> On 4/1/19 8:14 PM, Andy Smith wrote:
> >> >I do understand that re-adding an empty jessie-updates directory
> >> >will silence a lot of warnings from apt update, and thus would avoid
> >> >the questions from end users that I have seen in a lot of places,
> >> >but… I can't help thinking that although it is bad that these users
> >> >were confused, at least they now understand that the level of
> >> >support has changed.
>
> >On Tue, Apr 02, 2019 at 11:53:50AM +0200, Miroslav Skoric wrote:
> >> -1
> >>
> >> Programmers' decision that led thousands of users to ask themselves what was
> >> wrong with their apt update was a very bad marketing for Debian.
>
> On 02.04.19 10:59, Andy Smith wrote:
> >The alternative is that those users continue using Debian without
> >realising that their packages stopped being supported by the
> >maintainers and security team and are now supported by LTS alone.
>
> this should happen when LTS is over, not before.
> also, there's check-support-status for unsupported packages.
>

I personally understand both points of view. If nothing had occurred, I would have left things running thinking I'm all covered. It's nice I learnt so much about this. My major eye-opener was the situation about the backports being deprecated.

But at the same time, I have many servers (including many virtual instances) where apt-get went broken. I also have automated install scripts (not yet moved to stretch) which need to be modified and re-tested. This is not a major thing to fix, but this will take some time nonetheless. And I'm very glad this happened while I was not in an emergency, required to reinstall something as fast as possible.

I think it could be nice to be able to avoid unnecessary fiddling on the servers. Especially when these kinds of changes might impact a lot of people.

This is maybe more work involved, or this might not be doable for reasons I'm not aware of, I don't know, but why not even keep [distrib]-updates up-and-running (as its intended use)? While in LTS, the security updates would still go to the security repository, and non-security updates would go to the stable-updates/ repository. This would incur no conceptual mess about what's happening or not. For standard usage, on supported architectures, all would go smoothly, as one could expect. For my share, I would have been warned about the backports being deprecated and moved to the archives and would have been happy for the rest staying up and running (as I already knew Jessie was in LTS, with all the consequences it implies).

On a more preventive level, we could keep [distrib-updates] running, and then shut down the security repository to explicitly show the security team has ended its work, and then create a new repository dedicated to the LTS support. The ones wanting to jump in the LTS phase would do it consciously and explicitly. However the transition wouldn't be smooth as it would incur a lot of error messages. This is in some way how it works for ELTS on Wheezy.

It also could be achieved more smoothly like with adding some flags on the repository and that apt-get (and friends) bring a warning to the console while proceeding with the update. This warning could then be silenced through setting a flag on the concerned instances (like I did for the backports with 'Acquire::Check-Valid-Until "0";'). This would require more work involved and would need more time to propagate. But I believe this could be a nice working mechanism for the future of Debian.

This warning mechanism could even be extended to help prevent situations like the following one. Since the deprecation of the backports, I had half a year to take notice of the consequences, and then, act. I just wasn't aware of it (my fault, nonetheless it's not easy to follow everything, meaning read every announcement and not skip over one of them). Had my instances thrown at me some warning like: "jessie-backports will be deprecated on July 25 2018" some months before it occurred, and then something like "jessie-backports has been deprecated since July 25 2018", it would have been of great value for me. And this could be applied the same way for security transitioning to LTS.

What would be even greater with this warning mechanism would be to have more overlap while the repositories are shut down or moved to the archives. I imagine something telling me "jessie-backports has been deprecated since July 25 2018, jessie-backports is now available on http://archive.debian.org/, jessie-backports will be removed from the main mirrors on March 20 2019" some months before it actually occurs. I thus would have had the time and set my own schedule to decide when to fiddle with /etc/apt/sources.list without causing any error on my instances. Of course, this could also be translated to something like that for the stable-updates or the security updates.

I guess this is a very long term project as it is
Re: jessie-updates gone
Hi Matus,

On Tue, Apr 02, 2019 at 03:09:03PM +0200, Matus UHLAR - fantomas wrote:
> On 02.04.19 10:59, Andy Smith wrote:
> >The alternative is that those users continue using Debian without
> >realising that their packages stopped being supported by the
> >maintainers and security team and are now supported by LTS alone.
>
> this should happen when LTS is over, not before.
> also, there's check-support-status for unsupported packages.

Sorry I am not sure I follow. Miroslav said, "led thousands of users to ask themselves what was wrong with their apt update". I cannot personally say that I saw thousands, but I did see tens (some of which are my users that I support), which suggests there are quite a lot more of these users that we don't see.

You understand that these users do not currently read the announcements about support life times and do not currently run check-support-status, right? Otherwise they would not have been confused about what happened with jessie-updates.

So are you really saying that your proposed solution is just to tell people who aren't currently reading announcements and are not running check-support-status to try harder? I can't help thinking that this will not be effective in reaching any of those users.

So the situation remains that either these uninformed users will be complained at about -updates by "apt update", or else they will continue to use without knowing that it is no longer supported by package maintainers and security team. Which outcome is worse, for those users?

When you say, "this should happen when LTS is over, not before" are you saying that you don't feel it is important that people know when support passes from maintainers+security to LTS alone, only when even LTS has ended? If so then I'm afraid I don't agree. Speaking as one of the LTS sponsors I think it is important that users know what Debian LTS is, how it is funded and what its limitations are. Otherwise people will, by human nature, just assume it is still supported the same.

Cheers,
Andy
Re: jessie-updates gone
>On 4/1/19 8:14 PM, Andy Smith wrote:
>>I do understand that re-adding an empty jessie-updates directory
>>will silence a lot of warnings from apt update, and thus would avoid
>>the questions from end users that I have seen in a lot of places,
>>but… I can't help thinking that although it is bad that these users
>>were confused, at least they now understand that the level of
>>support has changed.

On Tue, Apr 02, 2019 at 11:53:50AM +0200, Miroslav Skoric wrote:
>-1
>
>Programmers' decision that led thousands of users to ask themselves what was
>wrong with their apt update was a very bad marketing for Debian.

On 02.04.19 10:59, Andy Smith wrote:
>The alternative is that those users continue using Debian without
>realising that their packages stopped being supported by the
>maintainers and security team and are now supported by LTS alone.

this should happen when LTS is over, not before.
also, there's check-support-status for unsupported packages.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail to this address.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
Re: more missing DLAs on the website
On 02.04.19 at 14:16, Sylvain Beucler wrote:
> Hi,
>
> On Tue, Apr 02, 2019 at 12:55:31PM +0200, Markus Koschany wrote:
>> On 02.04.19 at 12:39, Sylvain Beucler wrote:
>>> Ideally we could then cron this out as Markus suggested.
>>
>> So far I had no problems with the parse script. I just download the html
>> file from the DLA announcement manually and then I use the script. The
>> idea to use a block would certainly simplify the parsing though.
>
> The script can be used directly on the DLA text/mail, btw (it's not
> based on the list archive, no need to download).

I use Thunderbird for emails and I found it simpler to manage it that way but maybe the workflow has its merits for other MUAs.

> Also I remember fixing one of your DLAs before a webwml admin made an
> angry commit, the script is sometimes silently bogus.

Sorry for the inconvenience.

> On Tue, Apr 02, 2019 at 11:57:43AM +, Holger Levsen wrote:
>> On Tue, Apr 02, 2019 at 12:55:31PM +0200, Markus Koschany wrote:
>>> First of all, thank you for your improvements on the parse script. I
>>> share your concerns about the usefulness of translating the security
>>> advisories.
>>
>> just because you/we understand English doesn't mean the whole world does.
>
> I'm sure everybody understands the importance of translation, I did
> quite a lot of i18n myself. Just wondering its usefulness for DLAs.
>
> But I figured that translating the DLAs is a matter of priority for
> the translators, not us, so let's do the i18n on our side, and let the
> translators prioritize :)
[...]

I have worked on i18n too in the past. Nobody questions the importance of translations in general but the target group for DLAs are system administrators who will most likely be comfortable with reading an advisory in English. As long as we have so many untranslated strings in desktop applications, games or documentation, something the casual user would use, it feels like the time could be spent elsewhere.

Markus
Re: more missing DLAs on the website
Hi,

On Tue, Apr 02, 2019 at 12:55:31PM +0200, Markus Koschany wrote:
> On 02.04.19 at 12:39, Sylvain Beucler wrote:
> > Ideally we could then cron this out as Markus suggested.
>
> So far I had no problems with the parse script. I just download the html
> file from the DLA announcement manually and then I use the script. The
> idea to use a block would certainly simplify the parsing though.

The script can be used directly on the DLA text/mail, btw (it's not based on the list archive, no need to download).

Also I remember fixing one of your DLAs before a webwml admin made an angry commit, the script is sometimes silently bogus.

On Tue, Apr 02, 2019 at 11:57:43AM +, Holger Levsen wrote:
> On Tue, Apr 02, 2019 at 12:55:31PM +0200, Markus Koschany wrote:
> > First of all, thank you for your improvements on the parse script. I
> > share your concerns about the usefulness of translating the security
> > advisories.
>
> just because you/we understand English doesn't mean the whole world does.

I'm sure everybody understands the importance of translation, I did quite a lot of i18n myself. Just wondering its usefulness for DLAs.

But I figured that translating the DLAs is a matter of priority for the translators, not us, so let's do the i18n on our side, and let the translators prioritize :)

> > I agree without the translations we could also consider to
> > link to the mail archive.
>
> and then the mail archive software changes one day, and the links break.
>
> i agree there is a little overhead currently, but a.) there are benefits
> in doing so and b.) we can make the overhead go away.

I'll recap the rationale points in the Development wiki page in a few days unless somebody beats me to it.

Cheers!
Sylvain
Re: more missing DLAs on the website
On Tue, Apr 02, 2019 at 12:55:31PM +0200, Markus Koschany wrote:
> First of all, thank you for your improvements on the parse script. I
> share your concerns about the usefulness of translating the security
> advisories.

just because you/we understand English doesn't mean the whole world does.

> I agree without the translations we could also consider to
> link to the mail archive.

and then the mail archive software changes one day, and the links break.

i agree there is a little overhead currently, but a.) there are benefits in doing so and b.) we can make the overhead go away.

--
tschau,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Accepted libssh2 1.4.3-4.1+deb8u3 (source amd64) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 02 Apr 2019 10:31:13 +0200
Source: libssh2
Binary: libssh2-1 libssh2-1-dev libssh2-1-dbg
Architecture: source amd64
Version: 1.4.3-4.1+deb8u3
Distribution: jessie-security
Urgency: medium
Maintainer: Mikhail Gusarov
Changed-By: Mike Gabriel
Description:
 libssh2-1  - SSH2 client-side library
 libssh2-1-dbg - SSH2 client-side library (debug package)
 libssh2-1-dev - SSH2 client-side library (development headers)
Changes:
 libssh2 (1.4.3-4.1+deb8u3) jessie-security; urgency=medium
 .
   * CVE-2019-3859: Regression fix. Fix user authentication. See
     https://github.com/libssh2/libssh2/pull/327 for details. Thanks to
     Salvatore Bonaccorso for noticing this.
Checksums-Sha1:
 8c905f36b2bd7518e72d90c0cc6bc12abd853c9e 1928 libssh2_1.4.3-4.1+deb8u3.dsc
 c136bf05bc08d6c01b1c56ee73c9e42149da981f 15632 libssh2_1.4.3-4.1+deb8u3.debian.tar.xz
 8dbe49148822d8e8b99c2ae0fe0562da7716 127372 libssh2-1_1.4.3-4.1+deb8u3_amd64.deb
 2d92706845a5a892e0eb3f9d90585ed343a0e9e9 291956 libssh2-1-dev_1.4.3-4.1+deb8u3_amd64.deb
 34d664881f32d92c0d7ad5abff1bd96b4e4d530a 232636 libssh2-1-dbg_1.4.3-4.1+deb8u3_amd64.deb
Checksums-Sha256:
 31de099ac637f875c752833d449f2df7f555025e5535dea8bf622a15c22831ef 1928 libssh2_1.4.3-4.1+deb8u3.dsc
 b25cc7bc596134042c4df08e2b9cc188d83ffb112e501f45571eca698766c730 15632 libssh2_1.4.3-4.1+deb8u3.debian.tar.xz
 a7f43dba97eaac53bad54b2888b07f6821354178cd2cdaa95994b259c7d34fd8 127372 libssh2-1_1.4.3-4.1+deb8u3_amd64.deb
 69caa6232588e63ce52d9f161d6e9184650d73f4843d45dbd5d250d91ad9f9e3 291956 libssh2-1-dev_1.4.3-4.1+deb8u3_amd64.deb
 5881ad485e316b5666c793e1bf0f328df19adb40e9615c36b594ebc8dd464809 232636 libssh2-1-dbg_1.4.3-4.1+deb8u3_amd64.deb
Files:
 df0d3591c97d0dd55cfed9aff421e05b 1928 libs optional libssh2_1.4.3-4.1+deb8u3.dsc
 090b3a18530828f533782f7c102359b0 15632 libs optional libssh2_1.4.3-4.1+deb8u3.debian.tar.xz
 71a7a46e548b8850014096cfa486ef68 127372 libs optional libssh2-1_1.4.3-4.1+deb8u3_amd64.deb
 ce050cd7389268fbaf781138f50993a4 291956 libdevel optional libssh2-1-dev_1.4.3-4.1+deb8u3_amd64.deb
 5287612f1038a5b7c0188f253a4dc0c9 232636 debug extra libssh2-1-dbg_1.4.3-4.1+deb8u3_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQJJBAEBCAAzFiEEm/uu6GwKpf+/IgeCmvRrMCV3GzEFAlyjIQ4VHHN1bndlYXZl
ckBkZWJpYW4ub3JnAAoJEJr0azAldxsxQIUP/2X2dhhGWp6sAzCX9u9owweGe0rt
lM2H7d2TGYPwpYTsr49d/F7eBZ+HvJKOGpXj6FNp1a4DCAm8YLPJC0B4DW/ZPXnF
Ujc2xMyIbwtpUuA0NnUNXrWZg8Xq/pw0xLQIgxHImTXNF3AsB8LrmpNv6DqgyaWv
aDPlWhkwtXImpm65YusyXOvd059+yPdzOEGSIDs3b8UPvbEF2rvMU3FABvNTKxxp
SoBtWCEI601XI3CKdo9U/WXJedK4yBumofuav4gUtEY4vAbKU8V2Xz/dHWHj+vPF
OXRL/kFTAf2oLfYRgN8zpf7NXNWC0B8H7MMuvwiY/kNOD1xArf6cu2dZ4He2OBUs
/AfCCHLIslps5CwPn+MctUODiYkWA1mAlsqNexZyUK7WluNiE1a2I3KXs4srYJG2
j8EetqV5CipWkhEQp3UBV+4nA3m0pz6pvnbDA8yTvqd2oxFT56PTUAjnxbKrrENN
nwAv1Kd+i2Ly2P+VUIfHr4LeYKTKPWZ0cUoonnefcpa5otyd/wlXdjWXPJlN60Sx
6BJSlQ/mN7vub8AzXc/7rlmhIDphn+OGMTZP41JRskCIDT6fVub5X1li6jl/HmNe
DUMNKV/T4Jf9yCBZ1OO+uMM5V71usQwCBcFBaAQVTWSksFdW7ry+B1qDxIS1JsO8
I6P+H1Al5y8ZCw8s
=Emt8
-----END PGP SIGNATURE-----
[SECURITY] [DLA 1730-2] libssh2 regression update
Package        : libssh2
Version        : 1.4.3-4.1+deb8u3
CVE ID         : CVE-2019-3859

This regression update follows up on an upstream regression update [1] regarding CVE-2019-3859. With the previous libssh2 package revision, it was observed that user authentication with private/public key pairs would fail under certain circumstances.

For Debian 8 "Jessie", this problem has been fixed in version 1.4.3-4.1+deb8u3.

We recommend that you upgrade your libssh2 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

[1] https://github.com/libssh2/libssh2/pull/327

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: jessie-updates gone
Hi Miroslav,

On Tue, Apr 02, 2019 at 11:53:50AM +0200, Miroslav Skoric wrote:
> On 4/1/19 8:14 PM, Andy Smith wrote:
>
> >I do understand that re-adding an empty jessie-updates directory
> >will silence a lot of warnings from apt update, and thus would avoid
> >the questions from end users that I have seen in a lot of places,
> >but… I can't help thinking that although it is bad that these users
> >were confused, at least they now understand that the level of
> >support has changed.
>
> -1
>
> Programmers' decision that led thousands of users to ask themselves what was
> wrong with their apt update was a very bad marketing for Debian.

The alternative is that those users continue using Debian without realising that their packages stopped being supported by the maintainers and security team and are now supported by LTS alone.

Is that a better outcome?

Cheers,
Andy
Re: more missing DLAs on the website
On 02.04.19 at 12:39, Sylvain Beucler wrote:
> Hi,
>
> On 02/04/2019 12:09, Holger Levsen wrote:
>> On Tue, Apr 02, 2019 at 11:52:58AM +0200, Sylvain Beucler wrote:
>>> OK so I guess we need DLA translations ;)
>>> I wondered whether actual users asked for them, but let's assume so.
>> you might not be aware, but:
>>
>> ~/Projects/debian-www/webwml$ for i in english french russian danish japanese ; do echo -n "$i: " ; find |grep -i dla|grep -c $i ; done
>> english: 3574
>> french: 703
>> russian: 424
>> danish: 73
>> japanese: 108
>
> That's precisely what I'm worried about: we're taking resources from
> translators (and for quite boring texts), so I hope users do care about it.
> I don't see security advisory translations in other distros, so we
> better be confident this is worth the effort - including our effort to
> double-publish DLAs at the website :)

First of all, thank you for your improvements on the parse script. I share your concerns about the usefulness of translating the security advisories. I agree without the translations we could also consider to link to the mail archive.

>>>> https://salsa.debian.org/webmaster-team/webwml/merge_requests/47
>>> Cool, though we still have the parse-dla limitations, i.e. the results
>>> need to be manually checked every time.
>> yup. and besides #859123 there is also #922246: "www/lts: if DLA-1234-1 and
>> DLA-1234-2 exist, only that last one shows up in indexes"
>>
>>> It seems implicit given my involvement in the discussions and fixes for
>>> the past weeks, but I'm willing to help improve this too :)
>> yay. please just go ahead. ;)
>
> One issue is that I proposed to simplify the handling of parse-dla to
> make it more robust (grab DLA description as a block instead of
> the fragile regexp-based HTMLization)
> - but no involved parties answer.
> I'll let some time pass, then I guess I'll make the change and see who
> complains :P
>
> Ideally we could then cron this out as Markus suggested.

So far I had no problems with the parse script. I just download the html file from the DLA announcement manually and then I use the script. The idea to use a block would certainly simplify the parsing though.

Regards,

Markus
Re: more missing DLAs on the website
Hi,

On 02/04/2019 12:09, Holger Levsen wrote:
> On Tue, Apr 02, 2019 at 11:52:58AM +0200, Sylvain Beucler wrote:
>> OK so I guess we need DLA translations ;)
>> I wondered whether actual users asked for them, but let's assume so.
> you might not be aware, but:
>
> ~/Projects/debian-www/webwml$ for i in english french russian danish japanese ; do echo -n "$i: " ; find |grep -i dla|grep -c $i ; done
> english: 3574
> french: 703
> russian: 424
> danish: 73
> japanese: 108

That's precisely what I'm worried about: we're taking resources from translators (and for quite boring texts), so I hope users do care about it. I don't see security advisory translations in other distros, so we better be confident this is worth the effort - including our effort to double-publish DLAs at the website :)

>>> https://salsa.debian.org/webmaster-team/webwml/merge_requests/47
>> Cool, though we still have the parse-dla limitations, i.e. the results
>> need to be manually checked every time.
> yup. and besides #859123 there is also #922246: "www/lts: if DLA-1234-1 and
> DLA-1234-2 exist, only that last one shows up in indexes"
>
>> It seems implicit given my involvement in the discussions and fixes for
>> the past weeks, but I'm willing to help improve this too :)
> yay. please just go ahead. ;)

One issue is that I proposed to simplify the handling of parse-dla to make it more robust (grab DLA description as a block instead of the fragile regexp-based HTMLization) - but no involved parties answer. I'll let some time pass, then I guess I'll make the change and see who complains :P

Ideally we could then cron this out as Markus suggested.

- Sylvain
Re: jessie-updates gone
On 4/1/19 8:14 PM, Andy Smith wrote:
> I do understand that re-adding an empty jessie-updates directory
> will silence a lot of warnings from apt update, and thus would avoid
> the questions from end users that I have seen in a lot of places,
> but… I can't help thinking that although it is bad that these users
> were confused, at least they now understand that the level of
> support has changed.

-1

Programmers' decision that led thousands of users to ask themselves what was wrong with their apt update was a very bad marketing for Debian.
Re: more missing DLAs on the website
On Tue, Apr 02, 2019 at 11:52:58AM +0200, Sylvain Beucler wrote:
> OK so I guess we need DLA translations ;)
> I wondered whether actual users asked for them, but let's assume so.

you might not be aware, but:

~/Projects/debian-www/webwml$ for i in english french russian danish japanese ; do echo -n "$i: " ; find |grep -i dla|grep -c $i ; done
english: 3574
french: 703
russian: 424
danish: 73
japanese: 108

> > https://salsa.debian.org/webmaster-team/webwml/merge_requests/47
> Cool, though we still have the parse-dla limitations, i.e. the results
> need to be manually checked every time.

yup. and besides #859123 there is also #922246: "www/lts: if DLA-1234-1 and
DLA-1234-2 exist, only that last one shows up in indexes"

> It seems implicit given my involvement in the discussions and fixes for
> the past weeks, but I'm willing to help improve this too :)

yay. please just go ahead. ;)

--
tschau,
	Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: more missing DLAs on the website
Hi,

On 02/04/2019 10:59, Holger Levsen wrote:
> On Mon, Apr 01, 2019 at 08:51:00PM +0200, Sylvain Beucler wrote:
>> I wondered whether we needed translations at:
> because:
> [...]
> - translations

OK so I guess we need DLA translations ;)
I wondered whether actual users asked for them, but let's assume so.

> - https://www.debian.org/lts/security/2019/dla-1735 is a much better URL
> than https://lists.debian.org/debian-lts-announce/2019/03/msg02342.html for
> DLA-1735
> - much better means easier to refer/find after the fact

OK though I personally would either check the index page (www or lists) to look up by name, or https://security-tracker.debian.org/tracker/DLA--1 to look up by ID.

>> I would be willing to help here, however don't want to step on anybody's
>> toes...
> \o/
>
> Thanks for this offer! I don't think anybody would complain if you do this
> work... quite the contrary :)
>
>> Has anybody considered writing a script (assuming such a thing doesn't
>> already exist) that will somehow fetch the DLA from the mailing list
>> archive (given the URL), extract the contents from the ...
>> tags and then calls parse-dla.pl on the result?
> Such a script exists, see the top of
> https://salsa.debian.org/webmaster-team/webwml/merge_requests/47

Cool, though we still have the parse-dla limitations, i.e. the results need to be manually checked every time.

It seems implicit given my involvement in the discussions and fixes for the past weeks, but I'm willing to help improve this too :)

Cheers!
Sylvain
Re: more missing DLAs on the website
On Mon, Apr 01, 2019 at 08:51:00PM +0200, Sylvain Beucler wrote:
> Is there a rationale on why we are updating the website, by the way?
> And with a full copy of the advisory?
> (instead of e.g. pointing to the list archives).
> I wondered whether we needed translations at:

because:

- https://www.debian.org/lts/security/2019/dla-1735 is a much better URL
  than https://lists.debian.org/debian-lts-announce/2019/03/msg02342.html for
  DLA-1735
- much better means easier to refer/find after the fact
- translations

--
tschau,
	Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: Possible regression/problem with libssh2 update
Hi Salvatore,

On Tue 02 Apr 2019 08:48:18 CEST, Salvatore Bonaccorso wrote:

> Hi Mike
>
> While working on an update for libssh2 first for buster and stretch for
> the recent CVEs I noticed that the libssh2 update might have a problem
> with one patch, when I compared with the jessie LTS update.
>
> Upstream did wrongly apply some checks, which resulted in
> https://github.com/libssh2/libssh2/pull/327 .
>
> Commit: https://github.com/libssh2/libssh2/commit/165f05ef01a95538b426cc8c90da8accfaa20d01
>
> I have included this commit in
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924965#23
>
> And actually a user followed up today in the bug #924965.
>
> Can you double check if 1.4.3-4.1+deb8u2 for this issue?
>
> Regards,
> Salvatore

You are right. The patch from PR #327 applies on top of the current jessie version of libssh2. A regression upload is needed for libssh2 in jessie LTS.

I have built a follow-up revision of the jessie package and will test later today with the PHP example given in #924965 msg-23. (Now, I need to run to an appointment).

http://packages.sunweavers.net/debian/pool/main/libs/libssh2/

Greets,
Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde

mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: more missing DLAs on the website
Hi Chris,

On Tue, Apr 02, 2019 at 03:59:09AM -0400, Chris Lamb wrote:
> Really sorry about this. I've made a corresponding MR, now pending
> merge. I think I managed to skip this as it was a change of process,
> but I've made it more obvious in my "checklist" now.

great, thank you!

--
tschau,
	Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: more missing DLAs on the website
On Tue, Apr 02, 2019 at 05:26:14PM +1100, Brian May wrote:
> I would be willing to help here, however don't want to step on anybody's
> toes...

\o/

Thanks for this offer! I don't think anybody would complain if you do this work... quite the contrary :)

> Has anybody considered writing a script (assuming such a thing doesn't
> already exist) that will somehow fetch the DLA from the mailing list
> archive (given the URL), extract the contents from the ...
> tags and then calls parse-dla.pl on the result?

Such a script exists, see the top of https://salsa.debian.org/webmaster-team/webwml/merge_requests/47

--
tschau,
	Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: jessie-updates gone
On 2019-04-01 20:14, Andy Smith wrote:
> I don't know what the answer is other than having apt itself show a
> warning about the levels of support changing, but until we work out a
> better solution, isn't having the -updates suite go away at least a
> final chance to get the user's attention?

I don't see how this significantly differs from having to have an LTS-specific directory. Based on the argument above, invalidating all regular Jessie directories and using an LTS-specific directory serves that purpose far better. I think any such change is actively negative to anyone maintaining a system or a set of systems, though.

> How about a package update at the cut-over point with a NEWS
> changelog saying something like, "this distribution is now only
> supported by LTS; you should upgrade to continue to enjoy the usual
> level of support. For more information about the LTS project please
> see: https://…; ?

This might help, except for the "see: https://; part.

When proposing changes in distribution handling, imagine a stressed admin on a text-only console in a cramped server room somewhere, who is investigating problems. Try to consider what kind of information and changes are actually useful, and which will complicate matters to the point that it makes the admin's job difficult or impossible.

--
Cheers,
Jan
Re: more missing DLAs on the website
Hi Holger,

> the number of missing DLAs on https://www.debian.org/lts/security/ has
> recently gone up again. Missing are:
[..]
> Chris Lamb [DLA 1719-1] libjpeg-turbo security update

Really sorry about this. I've made a corresponding MR, now pending merge. I think I managed to skip this as it was a change of process, but I've made it more obvious in my "checklist" now.

Best wishes,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org
       `-        chris-lamb.co.uk
Possible regression/problem with libssh2 update
Hi Mike

While working on an update for libssh2 first for buster and stretch for the recent CVEs I noticed that the libssh2 update might have a problem with one patch, when I compared with the jessie LTS update.

Upstream did wrongly apply some checks, which resulted in https://github.com/libssh2/libssh2/pull/327 .

Commit: https://github.com/libssh2/libssh2/commit/165f05ef01a95538b426cc8c90da8accfaa20d01

I have included this commit in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924965#23

And actually a user followed up today in the bug #924965.

Can you double check if 1.4.3-4.1+deb8u2 for this issue?

Regards,
Salvatore
Re: more missing DLAs on the website
Holger Levsen writes:

> If somebody picks up the rest, I'd also be really thankful. And probably
> not just me! ;)

I would be willing to help here, however don't want to step on anybody's toes...

Has anybody considered writing a script (assuming such a thing doesn't already exist) that will somehow fetch the DLA from the mailing list archive (given the URL), extract the contents from the ... tags and then calls parse-dla.pl on the result?

(even better if it could look up the URL automatically, but that might be slightly harder...)

--
Brian May
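The extract-then-parse step Brian May sketches above, done the block-based way Sylvain Beucler proposes earlier in the thread (take the advisory as one block rather than HTMLizing it with per-line regexps), as an added example that is not part of the thread and not the webwml repository's own parse-dla.pl. It assumes the archive page wraps the mail body in a single <pre> block and that the DLA header carries Package/Version/CVE ID/Debian Bug fields (both assumptions here); the sample page is constructed, and the network fetch is left out so the code runs offline.

```python
import html
import re

# Constructed sample of a list-archive page for a DLA mail. The archive
# markup (body inside one <pre> block) and the DLA header layout are
# assumptions of this example, not taken from the thread.
SAMPLE_ARCHIVE_HTML = """<html><body>
<h1>[SECURITY] [DLA 9999-1] examplepkg security update</h1>
<pre>Debian LTS Advisory DLA-9999-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Jane Doe
April 02, 2019                                https://wiki.debian.org/LTS

Package        : examplepkg
Version        : 1.0-1+deb8u1
CVE ID         : CVE-2019-0001 CVE-2019-0002
Debian Bug     : 900000

Multiple issues were fixed &amp; tested in examplepkg.
</pre>
<p>Archive footer (constructed)</p>
</body></html>"""

# Take the whole <pre> block in one match instead of HTMLizing line by line.
PRE_RE = re.compile(r"<pre[^>]*>(.*?)</pre>", re.DOTALL | re.IGNORECASE)
FIELD_RE = re.compile(r"^(Package|Version|CVE ID|Debian Bug)\s*:\s*(.*)$",
                      re.MULTILINE)
ID_RE = re.compile(r"\bDLA-(\d+)-(\d+)\b")


def extract_advisory_text(page_html):
    """Return the advisory body as plain text. Refuse pages that do not
    contain exactly one <pre> block, so a wrong URL or a changed archive
    layout fails loudly instead of producing a silently wrong web page."""
    blocks = PRE_RE.findall(page_html)
    if len(blocks) != 1:
        raise ValueError(f"expected one <pre> block, found {len(blocks)}")
    return html.unescape(blocks[0]).strip()


def parse_dla(text):
    """Pick the identifier and the header fields out of the advisory text.
    The revision is kept separately so an index can list DLA-1234-1 and
    DLA-1234-2 as two entries rather than keeping only the last one."""
    m = ID_RE.search(text)
    if m is None:
        raise ValueError("no DLA-NNNN-R identifier found in advisory")
    fields = {k: v.strip() for k, v in FIELD_RE.findall(text)}
    fields["dla"] = int(m.group(1))
    fields["revision"] = int(m.group(2))
    fields["cves"] = fields.pop("CVE ID", "").split()
    return fields
```

The output of parse_dla() is what a script would hand to the website generator; the single-block check is the point where the "results need to be manually checked every time" problem becomes an error the cron job can report instead.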