Re: Bug#989243: RFS: opendmarc/1.4.0~beta1+dfsg-4 -- Milter implementation of DMARC

2021-06-02 Thread David Bürgin

Adam, thank you for uploading.

The release team have asked for a change
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989324

Can I upload a new package with version 1.4.0~beta1+dfsg-4 to mentors,
or do I have to use version 1.4.0~beta1+dfsg-5 with new changelog entry?



Re: Bug#989243: RFS: opendmarc/1.4.0~beta1+dfsg-4 -- Milter implementation of DMARC

2021-06-02 Thread Adam Borowski
On Wed, Jun 02, 2021 at 11:45:23AM +0200, David Bürgin wrote:
> The release team have asked for a change
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989324
> 
> Can I upload a new package with version 1.4.0~beta1+dfsg-4 to mentors,
> or do I have to use version 1.4.0~beta1+dfsg-5 with new changelog entry?

1.4.0~beta1+dfsg-4 is already in unstable, there's no way to reuse that
version number ever.  You need to upload -5.


Meow!
-- 
⢀⣴⠾⠻⢶⣦⠀ The oldest dated printed book includes the following license grant:
⣾⠁⢠⠒⠀⣿⡁   Reverently made for universal free distribution by Wang Jie
⢿⡄⠘⠷⠚⠋⠀   on behalf of his two parents on the 15th of the 4th moon of
⠈⠳⣄   the 9th year of Xiantong [11 May 868].



Bug#989386: RFS: gifsicle/1.92-3 [ITA] -- Tool for manipulating GIF images

2021-06-02 Thread Gürkan Myczko

Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "gifsicle":

 * Package name: gifsicle
   Version : 1.92-3
   Upstream Author : Eddie Kohler 
 * URL : http://www.lcdf.org/gifsicle/
 * License : GPL-2 or CLICK or special, GPL-2 or special
 * Vcs : https://salsa.debian.org/debian/gifsicle
   Section : graphics

It builds those binary packages:

  gifsicle - Tool for manipulating GIF images

To access further information about this package, please visit the 
following URL:


  https://mentors.debian.net/package/gifsicle/

Alternatively, one can download the package with dget using this 
command:


  dget -x https://mentors.debian.net/debian/pool/main/g/gifsicle/gifsicle_1.92-3.dsc


Changes since the last upload:

 gifsicle (1.92-3) experimental; urgency=medium
 .
   * New Maintainer. Thanks Herbert Parentes Fortes Neto for the nice work.
     (Closes: #986934)
   * d/upstream/metadata: added.
   * Bump standards version to 4.5.1.
   * Bump debhelper version to 13.
   * d/control: added Rules-Requires-Root.

Regards,
--
  Gürkan Myczko



Re: Bug#989243: RFS: opendmarc/1.4.0~beta1+dfsg-4 -- Milter implementation of DMARC

2021-06-02 Thread David Bürgin

Adam Borowski:

> On Wed, Jun 02, 2021 at 11:45:23AM +0200, David Bürgin wrote:
>
>> The release team have asked for a change
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989324
>>
>> Can I upload a new package with version 1.4.0~beta1+dfsg-4 to mentors,
>> or do I have to use version 1.4.0~beta1+dfsg-5 with new changelog entry?
>
> 1.4.0~beta1+dfsg-4 is already in unstable, there's no way to reuse that
> version number ever.  You need to upload -5.


All right, thank you. Would you recommend that I file a new RFS bug for
1.4.0~beta1+dfsg-5 (now on mentors)?

Sorry for any breach of protocol, I’m doing this for the first time. I
hope this version will be acceptable to the release team (CC, final
debdiff attached).


--
David
diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/changelog opendmarc-1.4.0~beta1+dfsg/debian/changelog
--- opendmarc-1.4.0~beta1+dfsg/debian/changelog	2020-09-19 08:40:47.0 +0200
+++ opendmarc-1.4.0~beta1+dfsg/debian/changelog	2021-06-02 14:17:33.0 +0200
@@ -1,3 +1,18 @@
+opendmarc (1.4.0~beta1+dfsg-5) unstable; urgency=high
+
+  * Amend cve-2020-12272.patch to keep libopendmarc2 public ABI unchanged
+
+ -- David Bürgin   Wed, 02 Jun 2021 14:17:33 +0200
+
+opendmarc (1.4.0~beta1+dfsg-4) unstable; urgency=high
+
+  * Backport patches from upstream version 1.4.1.1 (Closes: #977766, #977767):
+- CVE-2019-16378: Fix handling of multi-valued From headers
+- CVE-2019-20790: Validate incoming SPF headers
+- CVE-2020-12272: Check DKIM and SPF domain syntax
+
+ -- David Bürgin   Sat, 29 May 2021 16:22:50 +0200
+
 opendmarc (1.4.0~beta1+dfsg-3) unstable; urgency=high
 
   * Cherry-pick patch for CVE-2020-12460 from upstream:
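Review bot: the -5 entry, "Amend cve-2020-12272.patch to keep libopendmarc2 public ABI unchanged", records what changed but not why or for whom; the covering mail says the release team asked for it in https://bugs.debian.org/989324, so name that bug in the entry (as a plain reference rather than a Closes:, since it is the release team's bug to close) so the ABI motivation stays traceable from the changelog alone. A short hint of what the earlier patch had altered in the public ABI would help the unblock review as well.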
diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/patches/cve-2019-16378.patch opendmarc-1.4.0~beta1+dfsg/debian/patches/cve-2019-16378.patch
--- opendmarc-1.4.0~beta1+dfsg/debian/patches/cve-2019-16378.patch	1970-01-01 01:00:00.0 +0100
+++ opendmarc-1.4.0~beta1+dfsg/debian/patches/cve-2019-16378.patch	2021-06-02 12:14:59.0 +0200
@@ -0,0 +1,321 @@
+Description: CVE-2019-16378: Handle multi-valued From header, add RejectMultiValueFrom parameter
+Author: Murray S. Kucherawy 
+Origin: backport, https://github.com/trusteddomainproject/OpenDMARC/releases/tag/rel-opendmarc-1-4-1-1
+
+--- a/opendmarc/parse.c
 b/opendmarc/parse.c
+@@ -12,10 +12,18 @@
+ #include 
+ #include 
+ #include 
++#include 
+ 
+ /* opendmarc includes */
+ #include "util.h"
+ 
++#ifndef FALSE
++# define FALSE	0
++#endif /* ! FALSE */
++#ifndef TRUE
++# define TRUE	1
++#endif /* ! TRUE */
++
+ /* types */
+ typedef unsigned long cmap_elem_type;
+ 
+@@ -24,6 +32,7 @@
+ #define MAILPARSE_ERR_PUNBALANCED	1	/* unbalanced parentheses */
+ #define MAILPARSE_ERR_QUNBALANCED	2	/* unbalanced quotes */
+ #define MAILPARSE_ERR_SUNBALANCED	3	/* unbalanced sq. brackets */
++#define MAILPARSE_ERR_MULTIVALUE	4	/* multiple possible values */
+ 
+ /* a bitmap for the "specials" character class */
+ #define	CMAP_NBITS	 	(sizeof(cmap_elem_type) * CHAR_BIT)
+@@ -466,6 +475,160 @@
+ 	}
+ }
+ 
++/*
++**  DMARCF_MAIL_PARSE_MULTI -- extract the local-part and hostname from a mail
++** header field that might contain multiple
++** values, e.g. "To:", "Cc:"
++**
++**  Parameters:
++**  	line -- input line
++**  	users_out -- array of pointers to "local-part" (returned)
++**  	domains_out -- array of pointers to hostname (returned)
++**
++**  Return value:
++**  	0 on success, or an DKIM_MAILPARSE_ERR_* on failure.
++**
++**  Notes:
++**  	Input string is modified.
++*/
++
++int
++dmarcf_mail_parse_multi(unsigned char *line, unsigned char ***users_out,
++unsigned char ***domains_out)
++{
++	_Bool escaped = FALSE;
++	_Bool quoted = FALSE;
++	_Bool done = FALSE;
++	int a = 0;
++	int n = 0;
++	int status;
++	int parens = 0;
++	char *p;
++	char *addr;
++	unsigned char **uout = NULL;
++	unsigned char **dout = NULL;
++	unsigned char *u;
++	unsigned char *d;
++
++	/* walk the input string looking for unenclosed commas */
++	addr = line;
++	for (p = line; !done; p++)
++	{
++		if (escaped)
++		{
++			escaped = FALSE;
++			continue;
++		}
++
++		switch (*p)
++		{
++		  case '\\':
++			escaped = TRUE;
++			continue;
++
++		  case '"':
++			quoted = !quoted;
++			continue;
++
++		  case '(':
++			parens++;
++			continue;
++
++		  case ')':
++			parens--;
++			continue;
++
++		  case ',':
++			/* skip it if it's quoted or in a comment */
++			if (parens != 0 || quoted)
++continue;
++			/* FALLTHROUGH */
++
++		  case '\0':
++			if (*p == '\0')
++done = TRUE;
++			else
++*p = '\0';
++
++			status = dmarcf_mail_parse(addr, &u, &d);
++			if (status != 0)
++			{
++if (uout != NULL)
++{
++	free(uout);
++	free(dout);
++}
++
++return status;
++			}
++
++			if (n == 0)
++			{
++size_t newsize = 2 * sizeof(unsigned char *);
++
++uout = (unsigned char **) malloc(newsize);
++if (uout == NULL)
++	return -1;
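Review bot: in dmarcf_mail_parse_multi the ')' case does `parens--` with no lower bound, so a single unmatched ')' in the header value drives parens negative and the ',' case (`if (parens != 0 || quoted) continue;`) then treats every following comma as enclosed, handing the rest of the line to dmarcf_mail_parse as one address; whether that call then rejects it as MAILPARSE_ERR_PUNBALANCED depends on code outside this hunk, so confirm the behaviour before shipping this as a security update, and since it is a verbatim upstream backport the clamp (`if (parens > 0) parens--;`, or returning MAILPARSE_ERR_PUNBALANCED there) belongs upstream. The `char *p` and `addr` assignments from `unsigned char *line` will also warn under -Wpointer-sign. On the packaging side, the DEP-3 header has Description, Author and Origin but no `Bug-Debian:` for whichever of #977766/#977767 the changelog closes for this CVE, and no `Last-Update:`; please add both. (The `#include` lines show no header names in this archive rendering; check the file itself.)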

Bug#981794: RFS: gftools/0.5.2+dfsg-1 [ITP] -- Google Fonts Tools

2021-06-02 Thread Tobias Frost
Control: tags -1 moreinfo

Hi Romain Porte,

The package fails to build; there is no package named python3-opentype-sanitizer
in Debian.

$ pbuilder build gftools_0.5.2+dfsg-1.dsc
(...)

The following packages have unmet dependencies:
 pbuilder-satisfydepends-dummy : Depends: python3-opentype-sanitizer which is a
virtual package and is not provided by any available package

Unable to resolve dependencies!  Giving up...


Cheers,
tobi



Bug#989386: RFS: gifsicle/1.92-3 [ITA] -- Tool for manipulating GIF images

2021-06-02 Thread Tobias Frost
Package: sponsorship-requests
Followup-For: Bug #989386

Uploaded. Thanks for the package!

-- 
tobi



Re: Bug#981794: RFS: gftools/0.5.2+dfsg-1 [ITP] -- Google Fonts Tools

2021-06-02 Thread Steffen Möller



On 02.06.2021 at 17:02, Tobias Frost wrote:

> Control: tags -1 moreinfo
>
> Hi Romain Porte,
>
> The package fails to build; there is no package named python3-opentype-sanitizer
> in Debian.
>
> $ pbuilder build gftools_0.5.2+dfsg-1.dsc
> (...)
>
> The following packages have unmet dependencies:
>   pbuilder-satisfydepends-dummy : Depends: python3-opentype-sanitizer which is a
> virtual package and is not provided by any available package
>
> Unable to resolve dependencies!  Giving up...


https://github.com/googlefonts/ots-python

and there is

python3-ots - Python library for OpenType Sanitizer

Steffen





Bug#989365: RFS: recastnavigation

2021-06-02 Thread Tobias Frost
On Tue, 1 Jun 2021 22:02:57 +0200 bret curtis  wrote:
> Package: sponsorship-requests
> Severity: wishlist
> 
> Hello Debian,
> 
> I've prepared the packaging of recastnavigation. It is lintian clean
> and tested with pbuilder. Further information about this package can
> be accessed from the URL :
> https://salsa.debian.org/games-team/recastnavigation
> 
> it's been put into use here, as it is a build dependency for the upcoming
> OpenMW release.
> https://launchpad.net/~openmw/+archive/ubuntu/openmw/+packages
> 
> Please consider it for review and possible upload for 'experimental', at
> least until Bullseye has been released. :)

New packages (ITPs) can go to unstable; they don't interfere with the freeze.

Would you mind uploading a package to mentors for easier consumption?
(Sponsors like me are lazy and have some automation in place for mentors, but
not for git, as working from git often makes them guess what exactly
wants to be sponsored.)

-- 
Cheers,
tobi



Bug#988484: ITP: openh264 -- H.264 encoding and decoding

2021-06-02 Thread Tobias Frost
On Fri, 14 May 2021 00:04:52 +0200 Bastian Germann  wrote:
> Control: retitle -1 ITP: openh264 -- H.264 encoding and decoding
> 
> On Sat, 8 May 2021 18:28:35 +0200 Bastian Germann 
wrote:
> > This is fine. The package must not reside in main. If you plan to 
> > release the package (the downloader) under a DFSG-compatible license, 
> > please submit it to contrib rather than non-free.
> 
> I am currently packaging openh264.
> 
(I was checking the RFS, that's why I came across this ITP)

I'm confused; is there now a legal patent problem with the library that could
affect/hurt Debian?
Has this been discussed on e.g. debian-legal or with the ftp masters beforehand?
Is this RFS package now a downloader or the library itself?

--
tobi



Bug#987996: RFS: hipercontracer/1.6.0~rc1-1 [ITP]

2021-06-02 Thread Tobias Frost
Control: tags -1 moreinfo

Hi Thomas,

Mentors says:

"Package closes bugs in a wrong way
Errors:

Bug #987996 is a RFS bug

hipercontracer:
#987996 (Normal, RFS): RFS: hipercontracer/1.6.0~rc1-1 [ITP]"

--> you need to close the ITP bug in the changelog.
Possibly after filing one; I couldn't find it at least…

- On a new package, the _only_ changelog entry is the one that closes the ITP.
  (In your case, delete the new upstream version line and *all* older entries.)

- There are lots of versioned Build-Depends which are already fulfilled in
  oldstable. Drop those.
  - There is no cmake3 package in Debian, drop that alternative to cmake.
  - It should be sufficient for the boost B-D to just specify the version
    agnostic one. Or do I miss the point of what you want to achieve here?
    (Besides, oldstable already has 1.62, so no need to say >1.58.)

- Pedantic lintian has this, easy to fix:
P: hipercontracer source: uses-debhelper-compat-file

- The examples should be installed using dh_installexamples (not using
  *.install).

- Please add comments to lintian overrides. Did you override because you
  checked them or just overrode them?

- I think the user/group handling in postinst is wrong in several ways.
  - hardcoded id of 888.
  - names should be "invalid names" so that it cannot cause collisions.
  - setting the home directory to /tmp/ is certainly a bad idea and I
    guess insecure. Especially when setting /bin/bash as shell…
  - IOW, read the Debian Policy on this topic.

Package needs work; therefore tagging moreinfo. Please remove for the next
iteration. I did not do a copyright review.
  
--  
cheers
tobi
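A postinst fragment contrasting the account handling the review above objects to with the way Debian Policy (dynamically allocated system ids) expects it done. This is an added example, not code from the hipercontracer package or from either correspondent; the user name `hipercontracer`, the home `/var/lib/hipercontracer` and the `run` wrapper are assumptions.

```shell
#!/bin/sh
# Added example, not the hipercontracer package's own postinst. The service
# account is created the way Debian Policy ch. 9.2.2 expects (dynamic system
# uid/gid), next to the pattern the review criticises. Names/paths assumed.
set -e

# Wrapper around privileged commands so a harness can redefine run() to print
# the command instead of executing it.
run() { "$@"; }

# The pattern criticised in the review, kept only for contrast: a fixed uid,
# /tmp as home directory and an interactive shell for a daemon account.
create_user_weak() {
    run useradd -u 888 -d /tmp -s /bin/bash hipercontracer
}

# Corrected version: adduser --system picks a free uid/gid from the system
# range, the home is a directory the package owns under /var/lib, the account
# gets no login shell, and the getent guard makes re-running postinst harmless.
create_user_hardened() {
    user="$1"
    home="/var/lib/$user"
    if ! getent passwd "$user" >/dev/null 2>&1; then
        run adduser --system --quiet --group \
            --home "$home" --no-create-home \
            --shell /usr/sbin/nologin \
            --gecos "HiPerConTracer service account" \
            "$user"
    fi
}

# Maintainer-script entry point: dpkg runs "postinst configure [old-version]";
# executed with no argument (as a plain file) this does nothing.
case "${1:-}" in
    configure)
        # An underscore-prefixed name (cf. _apt) is one way to follow the
        # "invalid name" advice; the plain name is assumed here.
        create_user_hardened hipercontracer
        ;;
esac
```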



Bug#987794: RFS: budgie-screensaver/4.0-1 [ITP] -- Screensaver and screen lock for the Budgie Desktop

2021-06-02 Thread Tobias Frost
Control: tags -1 moreinfo

Hi David,

- d/copyright:
  - it's incomplete; at least the entry for git.mk is missing.
  - There are files in src/ that are NOT GPL (e.g. setuid.h)
  - (NOTE: I stopped here doing the copyright review. Please make sure to review
    it again in depth and fix any issues _before_ the next sponsorship iteration.)

  - (optional, but very appreciated): you can tidy up the file a bit by not
    repeating the License Texts…
    I mean, for example, it's ok to say "License: GPL-2" in the files section and
    then have a stand-alone "License: GPL-2" section with the text. This would
    improve readability/reviewability a lot…
    A small IRL example:
    https://tracker.debian.org/media/packages/d/darkradiant/copyright-2.11.0-1
    (look for the GPL-2+ and GPL-3+ sections)

- d/docs: the NEWS file should probably be installed as upstream changelog, not
  as doc.

- d/rules (optional): I'd prefer to use d/clean instead of overriding dh_clean.

- d/control: why control.in? A diff with control shows no dynamic parts in that
  file beside the "do not change me" header.

  (Something to ask upstream): Upstream says "this is GPL-2-only" but this
  is contradicted by the headers in e.g. src/, which say "GPL-2+". Possibly
  upstream might want to rectify that. (Not needed for this upload)


Package needs updating; please remove the moreinfo tag when ready.

--

Cheers,
tobi



Bug#987244: RFS: nbsdgames/4.0-1 [ITP] -- text based mini games for your terminal

2021-06-02 Thread Tobias Frost
Control: tags -1 moreinfo

The current package on mentors from May 11th still has the collisions mentioned
earlier in #12*. Until that is resolved, the sponsoring cannot proceed.

Tagging moreinfo to reduce the noise in sponsorship-requests…

* sos -> pkg sosreport has /usr/bin/sos
  sudoku -> pkg sudoku has /usr/games/sudoku

Cheers, 
--
tobi



Bug#987181: RFS: cpufetch/0.97-1 -- Simple yet fancy CPU architecture fetching tool

2021-06-02 Thread Tobias Frost
Control: tags -1 moreinfo

Hi Clay,

here's a review:
- The patch: in the dep3 header, the field Bug-Debian is wrong, the ITP is not
  related to the patch
- The patch looks strange to me: Why do you patch the Makefile? What do you
  want to achieve? Parts of the patching seem ok (like avoiding stomping over
  CFLAGS), but other parts seem excessive, removing sane parts, to me…
  - Upstream seems to support arm, you patch that out?
  - There is no LDCFLAGS -> did you mean LDFLAGS?

- (not a blocker) Please send the manpage upstream for inclusion.


Waiting for your reply…

Cheers,
tobi



Bug#988484: Bug#974678: ITP: openh264 -- H.264 encoding and decoding

2021-06-02 Thread Bastian Germann

On 02.06.21 at 17:33, Tobias Frost wrote:

> On Fri, 14 May 2021 00:04:52 +0200 Bastian Germann wrote:
>
>> This is fine. The package must not reside in main. If you plan to
>> release the package (the downloader) under a DFSG-compatible license,
>> please submit it to contrib rather than non-free.
>
>> I am currently packaging openh264.
>
> (I was checking the RFS, that's why I came across this ITP)
>
> I'm confused; is there now a legal patent problem with the library that could
> affect/hurt Debian?


There are H.264 patents that are applicable. I do not know how the existing H.264 implementations in 
Debian handle this, e.g. x264 or ffmpeg. According to the legal FAQ, these seem to be ignored.


For the OpenH264 binaries, Cisco actually pays a license fee so that it can be used by the general 
public at no cost. The exact license terms are included in the package:

https://salsa.debian.org/bage/openh264/-/blob/debian/2.1.1-1/debian/libopenh264-6.copyright

The key point for having the library package in contrib and downloading the library is: "The 
Cisco-provided binary is separately downloaded to an end user's device, and not integrated into or 
combined with third party software prior to being downloaded to the end user's device;"



> Has this been discussed on e.g. debian-legal or with the ftp masters beforehand?


Not for OpenH264 specifically, but I am including debian-legal now. For the H.264 patents, there is 
an old thread at https://lists.debian.org/debian-legal/2006/04/msg00286.html



> Is this RFS package now a downloader or the library itself?


It's both. The -dev package is created from the source files and resides in main. The library 
package contains the downloader as a postinst script, which checks the known SHA256 hashes.
There are some example userspace tools available in the package which could potentially be packaged 
in an additional package. I left this for a later version.


There is also a chance that reproducible builds might be implemented:
https://github.com/cisco/openh264/issues/893
When that works, the package could build the lib, verify the resulting hashes, and throw away the 
built binary. That way we could be sure not to have any additions to the downloaded library that are 
not available as source.


I think, as Cisco provides the patent license, having the downloader in contrib (for some 
architectures) is better than having the built library in main (for all compiling architectures). We 
could also provide both. Any thoughts?




Bug#988484: Bug#974678: ITP: openh264 -- H.264 encoding and decoding

2021-06-02 Thread Walter Landry
Bastian Germann writes:
> Am 02.06.21 um 17:33 schrieb Tobias Frost:
>> Is this RFS package now a downloader or the library itself?
>
> It's both. The -dev package is created from the source files and
> resides in main. The library package contains the downloader as a
> postinst script, which checks the known SHA256 hashes.
> There are some example userspace tools available in the package which
> could potentially be packaged in an additional package. I left this
> for a later version.
>
> There is also a chance that reproducible build might be implemented:
> https://github.com/cisco/openh264/issues/893
> When that works, the package could build the lib, verify the resulting
> hashes, and throw away the built binary. That way we could be sure not
> to have any additions to the downloaded library that are not available
> as source.
>
> I think, as Cisco provides the patent license, having the downloader
> in contrib (for some architectures) is better than having the built
> library in main (for all compiling architectures). We could also
> provide both. Any thoughts?

As I understand Debian Policy, downloading anything during postinst is
discouraged, if not banned.  So it would be best to avoid it.

In terms of the patent license, I do not think that x264 has any special
dispensation.  So just directly building and packaging openh264 should
not open Debian to any significant additional liability.  But as always,
the FTP masters will be the final arbiter of that.

Cheers,
Walter



Bug#981794: RFS: gftools/0.5.2+dfsg-1 [ITP] -- Google Fonts Tools

2021-06-02 Thread Romain Porte
Hi tobi,

On Wed, 02 Jun 2021 17:02:06 +0200 Tobias Frost  wrote:

> Control: tags -1 moreinfo
>
> The package fails to build; there is no package named python3-opentype-sanitizer
> in Debian.

I have fixed this issue by renaming the dependency to the correct name
(python3-ots instead of python3-opentype-sanitizer). New package version
has just been signed and uploaded to mentors [1]. The commit that
provides the fix was also pushed to the Salsa repository [2].

[1] https://mentors.debian.net/package/gftools/ see upload #6

[2]
https://salsa.debian.org/fonts-team/gftools/-/commit/7fa7395834e36281796744540b1d461ef526bc70

Can you check again for other issues?

Thanks in advance,

Romain.



Bug#988484: ITP: openh264 -- H.264 encoding and decoding

2021-06-02 Thread Paul Wise
On Wed, Jun 2, 2021 at 3:36 PM Tobias Frost wrote:

> Has this been discussed on e.g debian-legal or with the ftp masters 
> beforehand?

FTR, Debian's patent policy is to only discuss them with lawyers,
never in public:

https://www.debian.org/legal/patent
https://www.debian.org/reports/patent-faq

-- 
bye,
pabs

https://wiki.debian.org/PaulWise