Re: proposed stable update for libcompress-raw-zlib-perl

[Adam D. Barratt]

On Thu, 2009-08-27 at 00:25 +0300, Niko Tyni wrote:
> the security team deferred patching CVE-2009-1391 to the stable
> update.  This needs to be fixed both in perl and the separate
> libcompress-raw-zlib-perl. Please let me know if I can upload
> the latter with the attached debdiff.

Please go ahead.

Regards,

Adam


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: proposed stable update for perl

[Adam D. Barratt]

On Thu, 2009-08-27 at 00:12 +0300, Niko Tyni wrote:
>  perl (5.10.0-19lenny2) stable; urgency=low
>  .
>* Fix a typo in the replaces/conflicts/provides: libcpan-plus-perl
>  should have been libcpanplus-perl. (Closes: #516289)
>* Fix a memory leak with the map operator. (Closes: #528332)
>* Configure CPANPLUS to use the site directories by default.
>  (Closes: #533707)
>* Save local versions of CPANPLUS::Config::System into /etc/perl.
>  (See #533707)
>  .
>  perl (5.10.0-19lenny1) stable-security; urgency=high
>  .
>* [SECURITY] CVE-2009-1391: Fix a buffer overflow in Compress::Raw::Zlib.
>  (Closes: #532736)

Please go ahead.

Regards,

Adam


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Security update for ‘burn’ package

[Adam D. Barratt]

On Thu, 2009-08-27 at 14:06 +1000, Ben Finney wrote:
> "Adam D. Barratt"  writes:
> > Please could you prepare and send an updated diff which does not include
> > the removal of old commented out code and the removal of functions from
> > "import" lines where the code is no longer used?
> 
> Done now, and attached to this message.

Please go ahead.

Regards,

Adam


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: [Secure-testing-team] RFS: sponsor for poppler stable point release

[Steffen Joeris]

On Thu, 27 Aug 2009 01:38:18 pm Michael S Gilbert wrote:
> Hi,
>
> A new lenny release is coming soon and there are some open security
> issues in poppler that I have fixed.  Attached is the debdiff of the
> changes.
>
> The package can be found on mentors.debian.net:
> - URL: http://mentors.debian.net/debian/pool/main/p/poppler
> - Source repository: deb-src http://mentors.debian.net/debian unstable
> main contrib non-free
> - dget
> http://mentors.debian.net/debian/pool/main/p/poppler/poppler_0.8.7-2lenny1.
>dsc
>
> I would be glad if someone uploaded this package for me.
Doesn't matter, as long as the version number is higher than the previous 
stable one, but lower than the one in testing.
I personally prefer to have the codename in the version.

Cheers
Steffen


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: [Secure-testing-team] RFS: sponsor for poppler stable point release

[Steffen Joeris]

On Thu, 27 Aug 2009 01:38:18 pm Michael S Gilbert wrote:
> Hi,
>
> A new lenny release is coming soon and there are some open security
> issues in poppler that I have fixed.  Attached is the debdiff of the
> changes.
>
> The package can be found on mentors.debian.net:
> - URL: http://mentors.debian.net/debian/pool/main/p/poppler
> - Source repository: deb-src http://mentors.debian.net/debian unstable
> main contrib non-free
> - dget
> http://mentors.debian.net/debian/pool/main/p/poppler/poppler_0.8.7-2lenny1.
>dsc
>
> I would be glad if someone uploaded this package for me.
Just a note, I haven't looked at the patch.
The distribution field for point release updates should either say "stable" or 
"stable-proposed-updates". Only uploads targeted for security.debian.org 
should have "stable-security" in the distribution field.

Cheers
Steffen


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Security update for ‘burn’ package

[Ben Finney]

"Adam D. Barratt"  writes:

> Ah, yes, I missed that on my first skim through the diff due to the
> horrible indent level. :-/

Take a guess what was one of the first refactoring operations done to
the code base by new upstream :-)

> Looking through the diff again, there are a lot of changes which don't
> appear to be required and make the diff harder to review; one of the
> principles of stable updates is that diffs should be minimal wherever
> possible.

Understood; I was aiming for that, but I appreciate knowing where this
can be improved.

> Please could you prepare and send an updated diff which does not include
> the removal of old commented out code and the removal of functions from
> "import" lines where the code is no longer used?

Done now, and attached to this message.
diff -Nru burn-0.4.3/debian/changelog burn-0.4.3/debian/changelog
--- burn-0.4.3/debian/changelog	2009-08-23 15:12:43.0 +1000
+++ burn-0.4.3/debian/changelog	2009-08-27 13:40:56.0 +1000
@@ -1,3 +1,12 @@
+burn (0.4.3-2.2) stable; urgency=high
+
+  * Non-maintainer upload.
+  * Security fix for “TEMP-0542329 burn: Insecure escaping of file names”.
+  * Backport fix for secure handling of child process command arguments.
+(Closes: Bug#542329)
+
+ -- Ben Finney   Thu, 27 Aug 2009 13:35:51 +1000
+
 burn (0.4.3-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru burn-0.4.3/debian/control burn-0.4.3/debian/control
--- burn-0.4.3/debian/control	2009-08-23 15:12:43.0 +1000
+++ burn-0.4.3/debian/control	2009-08-27 13:40:56.0 +1000
@@ -2,7 +2,7 @@
 Section: otherosfs
 Priority: optional
 Maintainer: Gaetano Paolone (bigpaul) 
-Build-Depends: debhelper (>= 4.0.0)
+Build-Depends: debhelper (>= 4.0.0), quilt (>= 0.40)
 Standards-Version: 3.6.0
 
 Package: burn
diff -Nru burn-0.4.3/debian/patches/01.subprocess.patch burn-0.4.3/debian/patches/01.subprocess.patch
--- burn-0.4.3/debian/patches/01.subprocess.patch	1970-01-01 10:00:00.0 +1000
+++ burn-0.4.3/debian/patches/01.subprocess.patch	2009-08-27 13:40:56.0 +1000
@@ -0,0 +1,433 @@
+Author: Ben Finney 
+Description: Bug#542329: burn: Quotation marks in filenames aren't handled properly.
+Use ‘subprocess’ module, with command argument sanitisation, for
+all invocation and interaction with child processes.
+
+=== modified file 'burn'
+--- old/burn	2005-03-16 19:37:40 +
 new/burn	2009-08-27 03:14:53 +
+@@ -53,6 +53,8 @@
+ import ogg.vorbis
+ import gettext
+ import popen2, pwd
++import subprocess
++import shlex
+ import tty, termios, time, fnmatch
+ 
+ gettext.bindtextdomain('burn', '/usr/share/locale/it/LC_MESSAGES/')
+@@ -147,12 +149,15 @@
+ 
+ def check_media_empty():
+ 	"""check if cdrom is empty using cdrdao"""
+-	# giuppi's function 
+-	device = config.get('CD-writer','device')
+-	driver = config.get('CD-writer','driver')
+-	media_raw_info=popen2.popen2('%s disk-info --device %s --driver %s 2>/dev/null'%(cdrdao,device,driver))
++	command_args = [
++		cdrdao, "disk-info",
++		"--device", config.get('CD-writer', 'device'),
++		"--driver", config.get('CD-writer', 'driver'),
++		]
++	command_process = subprocess.Popen(
++		command_args, close_fds=True,
++		stdout=subprocess.PIPE, stderr=open(os.devnull))
+-	lines=media_raw_info[0].readlines()
+-	for line in lines:
++	for line in command_process.stdout:
+ 		if line.startswith('CD-R empty'):
+ 			if line.split(':')[1].strip()=='yes':
+ return True
+@@ -175,12 +180,15 @@
+ 
+ def get_media_capacity():
+ 	"""get media capacity using cdrdao"""
+-	# giuppi's function 
+-	device = config.get('CD-writer','device')
+-	driver = config.get('CD-writer','driver')
+-	media_raw_info=popen2.popen2('%s disk-info --device %s --driver %s 2>/dev/null'%(cdrdao,device,driver))
+-	lines=media_raw_info[0].readlines()
+-	for line in lines:
++	command_args = [
++		cdrdao, "disk-info",
++		"--device", config.get('CD-writer', 'device'),
++		"--driver", config.get('CD-writer', 'driver'),
++		]
++	command_process = subprocess.Popen(
++		command_args, close_fds=True,
++		stdout=subprocess.PIPE, stderr=open(os.devnull))
++	for line in command_process.stdout:
+ 		if line.startswith('Total Capacity'):
+ 			if line.split(':')[1].strip()=='n/a':
+ return None
+@@ -284,23 +292,20 @@
+ class ISO:
+ 	"ISO class"
+ 	path_o = []
+-	mkisofs_line = ''
++	mkisofs_args = []
+ 	windows = config.get('ISO','windows_read')
+ 	tempdir = config.get('ISO','tempdir')
+ 	image_name = config.get('ISO','image') 
+ 	mount_dir = config.get('ISO','mount_dir')
+ 	dest = normpath(tempdir + image_name)
+-	def mkisofs_line_append(self, addenda):		
+-		"""append string (addenda) to mkisofs_line"""
+-		self.mkisofs_line = self.mkisofs_line + addenda
+-	def mkisofs_line_view(self):
+-		"""view command in mkisofs_line"""
+-		return self.mkisofs_line
+ 	def create(self):
+-		"""exec command in mkisofs_line"""
++		""" Execute data track recording command. """
+ 		print _('Creating temporary image: '), self.dest
+

RFS: sponsor for poppler stable point release

[Michael S Gilbert]

Hi,

A new lenny release is coming soon and there are some open security
issues in poppler that I have fixed.  Attached is the debdiff of the
changes.

The package can be found on mentors.debian.net:
- URL: http://mentors.debian.net/debian/pool/main/p/poppler
- Source repository: deb-src http://mentors.debian.net/debian unstable
main contrib non-free
- dget
http://mentors.debian.net/debian/pool/main/p/poppler/poppler_0.8.7-2lenny1.dsc

I would be glad if someone uploaded this package for me.

Kind regards,
Michael Gilbert


poppler.debdiff
Description: Binary data

proposed stable update for libcompress-raw-zlib-perl

[Niko Tyni]

Hi release team,

the security team deferred patching CVE-2009-1391 to the stable
update.  This needs to be fixed both in perl and the separate
libcompress-raw-zlib-perl. Please let me know if I can upload
the latter with the attached debdiff.

Thanks for your work,
-- 
Niko Tyni   nt...@debian.org
diff -u libcompress-raw-zlib-perl-2.012/debian/changelog 
libcompress-raw-zlib-perl-2.012/debian/changelog
--- libcompress-raw-zlib-perl-2.012/debian/changelog
+++ libcompress-raw-zlib-perl-2.012/debian/changelog
@@ -1,3 +1,10 @@
+libcompress-raw-zlib-perl (2.012-1lenny1) stable; urgency=high
+
+  * [SECURITY] CVE-2009-1391: Fix a buffer overflow in inflate().
+(Closes: #532738)
+
+ -- Niko Tyni   Sat, 13 Jun 2009 22:19:41 +0300
+
 libcompress-raw-zlib-perl (2.012-1) unstable; urgency=low
 
   * New upstream release
diff -u libcompress-raw-zlib-perl-2.012/debian/patches/series 
libcompress-raw-zlib-perl-2.012/debian/patches/series
--- libcompress-raw-zlib-perl-2.012/debian/patches/series
+++ libcompress-raw-zlib-perl-2.012/debian/patches/series
@@ -1 +1,2 @@
+CVE-2009-1391
 use-debian-zlib.patch
only in patch2:
unchanged:
--- libcompress-raw-zlib-perl-2.012.orig/debian/patches/CVE-2009-1391
+++ libcompress-raw-zlib-perl-2.012/debian/patches/CVE-2009-1391
@@ -0,0 +1,18 @@
+[SECURITY] CVE-2009-1391: Fix a buffer overflow in inflate().
+
+Closes: #532738
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1391
+
+Fix cherry-picked from upstream version 2.017.
+--- libcompress-raw-zlib-perl-2.012.orig/Zlib.xs
 libcompress-raw-zlib-perl-2.012/Zlib.xs
+@@ -1319,7 +1319,7 @@
+ while (RETVAL == Z_OK) {
+ if (s->stream.avail_out == 0 ) {
+   /* out of space in the output buffer so make it bigger */
+-Sv_Grow(output, SvLEN(output) + bufinc) ;
++Sv_Grow(output, SvLEN(output) + bufinc +1) ;
+ cur_length += increment ;
+ s->stream.next_out = (Bytef*) SvPVbyte_nolen(output) + cur_length 
;
+ increment = bufinc ;

proposed stable update for perl

[Niko Tyni]

Hi release team,

the security team deferred patching CVE-2009-1391 to the stable update.
I'd also like to get a couple of other bugfixes in, debdiff attached.
Please let me know if this is OK by you.

Sorry about the unwrapped debian/control lines; it really is
just s/libcpan-plus-perl/libcpanplus-perl/ 

Changes: 
 perl (5.10.0-19lenny2) stable; urgency=low
 .
   * Fix a typo in the replaces/conflicts/provides: libcpan-plus-perl
 should have been libcpanplus-perl. (Closes: #516289)
   * Fix a memory leak with the map operator. (Closes: #528332)
   * Configure CPANPLUS to use the site directories by default.
 (Closes: #533707)
   * Save local versions of CPANPLUS::Config::System into /etc/perl.
 (See #533707)
 .
 perl (5.10.0-19lenny1) stable-security; urgency=high
 .
   * [SECURITY] CVE-2009-1391: Fix a buffer overflow in Compress::Raw::Zlib.
 (Closes: #532736)

-- 
Niko Tyni   nt...@debian.org
diff -u perl-5.10.0/pp_ctl.c perl-5.10.0/pp_ctl.c
--- perl-5.10.0/pp_ctl.c
+++ perl-5.10.0/pp_ctl.c
@@ -946,7 +946,7 @@
 if (PL_op->op_private & OPpGREP_LEX)
PAD_SVl(PL_op->op_targ) = src;
 else
-   DEFSV = src;
+   DEFSV_set(src);
 
 PUTBACK;
 if (PL_op->op_type == OP_MAPSTART)
@@ -1057,7 +1057,7 @@
if (PL_op->op_private & OPpGREP_LEX)
PAD_SVl(PL_op->op_targ) = src;
else
-   DEFSV = src;
+   DEFSV_set(src);
 
RETURNOP(cLOGOP->op_other);
 }
@@ -4663,7 +4663,7 @@
SAVETMPS;
EXTEND(SP, 2);
 
-   DEFSV = upstream;
+   DEFSV_set(upstream);
PUSHMARK(SP);
PUSHs(sv_2mortal(newSViv(0)));
if (filter_state) {
diff -u perl-5.10.0/pp_hot.c perl-5.10.0/pp_hot.c
--- perl-5.10.0/pp_hot.c
+++ perl-5.10.0/pp_hot.c
@@ -2398,7 +2398,7 @@
if (PL_op->op_private & OPpGREP_LEX)
PAD_SVl(PL_op->op_targ) = src;
else
-   DEFSV = src;
+   DEFSV_set(src);
 
RETURNOP(cLOGOP->op_other);
 }
diff -u perl-5.10.0/patches-applied perl-5.10.0/patches-applied
--- perl-5.10.0/patches-applied
+++ perl-5.10.0/patches-applied
@@ -38,6 +38,8 @@
 debian/patches/37_fix_coredump_indicator
 debian/patches/38_fix_weaken_memleak
 debian/patches/39_fix_archive_tar_symlink_unpack
+debian/patches/40_compress_raw_zlib_cve_2009_1391
+debian/patches/41_map_memleak.diff
 debian/patches/50_debian_use_gdbm
 debian/patches/51_debian_ld_run_path
 debian/patches/52_debian_extutils_hacks
@@ -64,0 +67,2 @@
+debian/patches/74_debian_cpanplus_config_path
+debian/patches/75_debian_cpanplus_definstalldirs
diff -u perl-5.10.0/perl.h perl-5.10.0/perl.h
--- perl-5.10.0/perl.h
+++ perl-5.10.0/perl.h
@@ -1292,8 +1292,12 @@
 #endif
 
 #define ERRSV GvSV(PL_errgv)
-/* FIXME? Change the assignments to PL_defgv to instantiate GvSV?  */
-#define DEFSV GvSVn(PL_defgv)
+#ifdef PERL_CORE
+# define DEFSV (0 + GvSVn(PL_defgv))
+#else
+# define DEFSV GvSVn(PL_defgv)
+#endif
+#define DEFSV_set(sv) (GvSV(PL_defgv) = (sv))
 #define SAVE_DEFSV SAVESPTR(GvSV(PL_defgv))
 
 #define ERRHV GvHV(PL_errgv)   /* XXX unused, here for compatibility */
diff -u perl-5.10.0/debian/control perl-5.10.0/debian/control
--- perl-5.10.0/debian/control
+++ perl-5.10.0/debian/control
@@ -69,9 +69,9 @@
 Priority: standard
 Architecture: all
 Depends: perl (>= ${Upstream-Version}-1)
-Conflicts: libpod-parser-perl (<< 1.32-1), libansicolor-perl (<< 1.10-1), 
libfile-temp-perl (<< 0.18), libnet-perl (<= 1:1.19-3), 
libattribute-handlers-perl (<< 0.78.02-1), libcgi-pm-perl (<< 3.15-1), 
libi18n-langtags-perl (<< 0.35-1), liblocale-maketext-perl (<< 1.08-1), 
libmath-bigint-perl (<< 1.77-1), libnet-ping-perl (<< 2.31-1), 
libtest-harness-perl (<< 2.56-1), libtest-simple-perl (<< 0.62-1), 
liblocale-codes-perl (<< 2.06.1-1), libmodule-corelist-perl (<< 2.13-1), 
libio-zlib-perl (<< 1.07-1), libarchive-tar-perl (<= 1.38-2), 
libextutils-cbuilder-perl (<< 0.21-1), libmodule-build-perl (<< 0.2808.1-1), 
libmodule-load-perl (<< 0.12-1), liblocale-maketext-simple-perl (<< 0.18-1), 
libparams-check-perl (<< 0.26-1), libmodule-pluggable-perl (<< 3.6-1), 
libmodule-load-conditional-perl (<< 0.22-1), libcpan-plus-perl (<< 0.83.09-1), 
libversion-perl (<< 1:0.7400-2), libpod-simple-perl (<< 3.05-2), 
libextutils-parsexs-perl (<= 2.18), podlators-perl (<< 2.2.0)
-Replaces: libpod-parser-perl, libansicolor-perl, libfile-temp-perl, 
libnet-perl, libattribute-handlers-perl, libcgi-pm-perl, libi18n-langtags-perl, 
liblocale-maketext-perl, libmath-bigint-perl, libnet-ping-perl, 
libtest-harness-perl, libtest-simple-perl, liblocale-codes-perl, 
libmodule-corelist-perl, libio-zlib-perl, libarchive-tar-perl, 
libextutils-cbuilder-perl, libmodule-build-perl, libmodule-load-perl, 
liblocale-maketext-simple-perl, libparams-check-perl, libmodule-pluggable-perl, 
libmodule-load-conditional-perl, libcpan-plus-perl, libversion-perl, 
libpod-simple-perl, libextutils-parsexs-perl, podlators-perl
-Provides: libpod-parser-perl, libansicolor-perl, libfil

Re: [SRM] spamassassin 3.2.5-2+lenny1

[Adam D. Barratt]

On Wed, 2009-08-26 at 16:10 -0400, Noah Meyerhans wrote:
> On Wed, Aug 26, 2009 at 08:40:17PM +0100, Adam D. Barratt wrote:
> > > > fwiw, the open-whois change is one I'd definitely be happy to accept.
> > > 
> > > I'm preparing that upload now.  Is it OK to use the same version number
> > > as the one that was rejected?
> > 
> > You can, although if you are then you'll need to leave it until after
> > it's moved from the "pending" section of
> > http://release.debian.org/proposed-updates/stable.html to the lower
> > "processed" section to make sure that the previous package has been
> > rejected by dak.
> 
> Attached is a proposed debdiff.  I included the pod2man fixes because
> they're easy, don't affect functionality, and the manpages are ugly
> without them.

Please go ahead.

Regards,

Adam


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: [SRM] spamassassin 3.2.5-2+lenny1

[Noah Meyerhans]

On Wed, Aug 26, 2009 at 08:40:17PM +0100, Adam D. Barratt wrote:
> > > fwiw, the open-whois change is one I'd definitely be happy to accept.
> > 
> > I'm preparing that upload now.  Is it OK to use the same version number
> > as the one that was rejected?
> 
> You can, although if you are then you'll need to leave it until after
> it's moved from the "pending" section of
> http://release.debian.org/proposed-updates/stable.html to the lower
> "processed" section to make sure that the previous package has been
> rejected by dak.

Attached is a proposed debdiff.  I included the pod2man fixes because
they're easy, don't affect functionality, and the manpages are ugly
without them.

Thanks.
noah

diff -u spamassassin-3.2.5/debian/changelog spamassassin-3.2.5/debian/changelog
--- spamassassin-3.2.5/debian/changelog
+++ spamassassin-3.2.5/debian/changelog
@@ -1,3 +1,13 @@
+spamassassin (3.2.5-2+lenny1) stable; urgency=low
+
+  * Remove open-whois.org as it is cybersquatted (Closes: #537477)
+  * Fix numerous perl pod errors that caused warnings to be embedded
+in several manpages.
+  * Fix man page formatting so as not to break whatis.
+  * Update debian/control to list the right Maintainer value.
+
+ -- Noah Meyerhans   Wed, 26 Aug 2009 15:45:35 -0400
+
 spamassassin (3.2.5-2) unstable; urgency=low
 
   [ Duncan Findlay ]
diff -u spamassassin-3.2.5/debian/control spamassassin-3.2.5/debian/control
--- spamassassin-3.2.5/debian/control
+++ spamassassin-3.2.5/debian/control
@@ -1,8 +1,8 @@
 Source: spamassassin
 Section: mail
 Priority: optional
-Maintainer: Duncan Findlay 
-Uploaders: Jesus Climent , Noah Meyerhans 

+Maintainer: Noah Meyerhans 
+Uploaders: Jesus Climent 
 Build-Depends: debhelper (>= 4.1.16), perl (>= 5.6.0-16), libssl-dev,
  dpatch, libhtml-parser-perl (>= 3.24), libdigest-sha1-perl,
  libnet-dns-perl (>= 0.34)
diff -u spamassassin-3.2.5/debian/patches/00list 
spamassassin-3.2.5/debian/patches/00list
--- spamassassin-3.2.5/debian/patches/00list
+++ spamassassin-3.2.5/debian/patches/00list
@@ -4 +4,5 @@
-40_remote_dsbl.dpatch
+40_remote_dsbl
+41_remove_openwhois
+60_fix-pod
+70_fix-whatis
+80_fix_man_warnings
only in patch2:
unchanged:
--- spamassassin-3.2.5.orig/debian/patches/70_fix-whatis.dpatch
+++ spamassassin-3.2.5/debian/patches/70_fix-whatis.dpatch
@@ -0,0 +1,95 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 70_fix-whatis.dpatch by  
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix lintian's complaints about bad whatis lines
+
+...@dpatch@
+diff -urNad spamassassin-3.2.5~/lib/Mail/SpamAssassin/Plugin/Check.pm 
spamassassin-3.2.5/lib/Mail/SpamAssassin/Plugin/Check.pm
+--- spamassassin-3.2.5~/lib/Mail/SpamAssassin/Plugin/Check.pm  2009-08-09 
16:35:07.0 -0400
 spamassassin-3.2.5/lib/Mail/SpamAssassin/Plugin/Check.pm   2009-08-09 
16:37:04.0 -0400
+@@ -1,6 +1,6 @@
+ =head1 NAME
+ 
+-Mail::SpamAssassin::Plugin::Check
++Mail::SpamAssassin::Plugin::Check - spamassassin message checking plugin
+ 
+ =head1 SYNOPSIS
+ 
+diff -urNad 
spamassassin-3.2.5~/lib/Mail/SpamAssassin/Plugin/OneLineBodyRuleType.pm 
spamassassin-3.2.5/lib/Mail/SpamAssassin/Plugin/OneLineBodyRuleType.pm
+--- spamassassin-3.2.5~/lib/Mail/SpamAssassin/Plugin/OneLineBodyRuleType.pm
2009-08-09 16:35:07.0 -0400
 spamassassin-3.2.5/lib/Mail/SpamAssassin/Plugin/OneLineBodyRuleType.pm 
2009-08-09 16:37:04.0 -0400
+@@ -1,6 +1,6 @@
+ =head1 NAME
+ 
+-Mail::SpamAssassin::Plugin::OneLineBodyRuleType
++Mail::SpamAssassin::Plugin::OneLineBodyRuleType - spamassassin body test 
plugin
+ 
+ =cut
+ 
+diff -urNad spamassassin-3.2.5~/lib/Mail/SpamAssassin/Plugin/VBounce.pm 
spamassassin-3.2.5/lib/Mail/SpamAssassin/Plugin/VBounce.pm
+--- spamassassin-3.2.5~/lib/Mail/SpamAssassin/Plugin/VBounce.pm
2009-08-09 16:35:07.0 -0400
 spamassassin-3.2.5/lib/Mail/SpamAssassin/Plugin/VBounce.pm 2009-08-09 
16:37:04.0 -0400
+@@ -17,7 +17,7 @@
+ 
+ =head1 NAME
+ 
+-Mail::SpamAssassin::Plugin::VBounce
++Mail::SpamAssassin::Plugin::VBounce - spamassassin bounce classification 
plugin
+ 
+ =head1 SYNOPSIS
+ 
+diff -urNad spamassassin-3.2.5~/lib/Mail/SpamAssassin/Util/DependencyInfo.pm 
spamassassin-3.2.5/lib/Mail/SpamAssassin/Util/DependencyInfo.pm
+--- spamassassin-3.2.5~/lib/Mail/SpamAssassin/Util/DependencyInfo.pm   
2009-08-09 16:37:04.0 -0400
 spamassassin-3.2.5/lib/Mail/SpamAssassin/Util/DependencyInfo.pm
2009-08-09 16:37:22.0 -0400
+@@ -17,6 +17,16 @@
+ # limitations under the License.
+ # 
+ 
++=head1 NAME
++
++Mail::SpamAssassin::Util::DependencyInfo - spamassassin debugging helpers
++
++=head1 SYNOPSIS
++
++ loadplugin Mail::SpamAssassin::Util::DependencyInfo
++
++=cut
++
+ package Mail::SpamAssassin::Util::DependencyInfo;
+ 
+ use strict;
+@@ -208,6 +218,8 @@
+ 
+ ###
+ 
++=head1 METHODS
++
+ =over 4
+ 
+ =item $f->debug_diagnostics ()
+diff -

Re: Security update for ‘burn’ package

[Adam D. Barratt]

On Wed, 2009-08-26 at 10:21 +1000, Ben Finney wrote:
> "Adam D. Barratt"  writes:
> 
> > On Sun, 2009-08-23 at 15:57 +1000, Ben Finney wrote:
> > In either case, the answer is yes - uploads to any Debian archive must
> > be signed by a key in the Debian keyring.
> 
> Okay. So I should seek a sponsor in the ‘debian-mentors’ forum for the
> update into ‘stable’? Or should that be done here on the
> ‘debian-release’ forum?

For any stable upload which requires sponsorship, you should look for
that wherever you would for any other upload, be that debian-mentors or
elsewhere.

> > One quick query about the debdiff; apologies if I'm missing something,
> > but this hunk looks like a functionality change, rather than a strict
> > replacement:
> >
> > +-  if path_excluded:
> > +-  iso.mkisofs_line_append(path_excluded + ' ')
> > ++  for path_excluded in paths_excluded:
> > ++  iso.mkisofs_args.extend(["-x", path_excluded])
> 
> Thanks for asking. This change is necessary to go from invoking a shell
> with a single command-line string, to invoking a list of command-line
> arguments to be executed directly.
[...]
> This is a backport of the same approach from the version in ‘unstable’.

Ah, yes, I missed that on my first skim through the diff due to the
horrible indent level. :-/

Looking through the diff again, there are a lot of changes which don't
appear to be required and make the diff harder to review; one of the
principles of stable updates is that diffs should be minimal wherever
possible.

Please could you prepare and send an updated diff which does not include
the removal of old commented out code and the removal of functions from
"import" lines where the code is no longer used?  In general, code
tidy-up is obviously a good thing, but it's not really appropriate for a
stable update.  The change to burn-configure should definitely not be
included, as it only contains tidy-ups.

Apologies for not having spotted / mentioned that earlier.

Regards,

Adam


--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: [SRM] spamassassin 3.2.5-2+lenny1

[Adam D. Barratt]

On Wed, 2009-08-26 at 15:13 -0400, Noah Meyerhans wrote:
> On Wed, Aug 26, 2009 at 08:11:08PM +0100, Adam D. Barratt wrote:
> > > Feel free to reject these packages, though; they're definitely not what
> > > I *intended* to upload.
> > 
> > Okay; I've done so, so they'll disappear from p-u-new at the next
> > dinstall.
> > 
> > fwiw, the open-whois change is one I'd definitely be happy to accept.
> 
> I'm preparing that upload now.  Is it OK to use the same version number
> as the one that was rejected?

You can, although if you are then you'll need to leave it until after
it's moved from the "pending" section of
http://release.debian.org/proposed-updates/stable.html to the lower
"processed" section to make sure that the previous package has been
rejected by dak.

Adam


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: [SRM] spamassassin 3.2.5-2+lenny1

[Noah Meyerhans]

On Wed, Aug 26, 2009 at 08:11:08PM +0100, Adam D. Barratt wrote:
> > Feel free to reject these packages, though; they're definitely not what
> > I *intended* to upload.
> 
> Okay; I've done so, so they'll disappear from p-u-new at the next
> dinstall.
> 
> fwiw, the open-whois change is one I'd definitely be happy to accept.

I'm preparing that upload now.  Is it OK to use the same version number
as the one that was rejected?

noah



signature.asc
Description: Digital signature

Re: [SRM] spamassassin 3.2.5-2+lenny1

[Adam D. Barratt]

On Wed, 2009-08-26 at 14:32 -0400, Noah Meyerhans wrote:
> On Wed, Aug 26, 2009 at 07:22:47PM +0100, Adam D. Barratt wrote:
> > There are also a few other changes which weren't mentioned in the
> > changelog or your mail, at least the first of which looks unintentional.
> > The others are relatively minor, but I wasn't sure if they were intended
> > to form part of the update, as they weren't mentioned.
> 
> I curse "svn merge"

:-)

> Feel free to reject these packages, though; they're definitely not what
> I *intended* to upload.

Okay; I've done so, so they'll disappear from p-u-new at the next
dinstall.

fwiw, the open-whois change is one I'd definitely be happy to accept.

Cheers,

Adam


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Stable update for python-support

[Adam D. Barratt]

On Wed, 2009-08-26 at 20:24 +0200, Josselin Mouette wrote:
> Le mercredi 26 août 2009 à 19:18 +0100, Adam D. Barratt a écrit :
> > Ah, I see by "prepared" you meant "uploaded". :-)
> > 
> > In future, it would be good if you could post a debdiff to -release and
> > wait for confirmation before uploading Just In Case[tm].
> 
> Is it really a problem for you? I mean, if you choose to reject it, I
> have no problem uploading it again.
> 
> If it causes trouble to do this without the confirmation mail, I’ll
> stop, of course, but it looked harmless.

It's not a huge problem for small updates, and I'm certainly not going
to not accept it because you didn't ask first.  As a general rule
though, not having to reject stuff makes me a happier RA. :-)

Letting us know that you've uploaded and what/why (as you did) is
definitely better than simply uploading and waiting for someone to
notice though.

Adam


--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

FSF Guidelines for Free System Distributions (was: Release goal for Squeeze)

[Ben Finney]

(The ‘debian-release’ forum is for coordination of the release of
Debian. This discussion about release goals should better take place on
the ‘debian-devel’ forum.)

Praveen P  writes:

> I would like to see squeeze released 100% free at par with "Guidelines
> for Free System Distributions" by FSF.

I assume you're referring to the guidelines documented here
http://www.gnu.org/philosophy/free-system-distribution-guidelines.html>.

In your assessment, what specific, measurable goals would the Debian
project need to set in addition to those already announced for Squeeze
http://lists.debian.org/debian-announce/2009/msg00010.html>?

> I am using gnewsense also. It is very difficult to get quality free
> softwares to replace the proprietary ones now.

Note that, unlike the FSF, the Debian project does not distinguish
between programs and non-programs for free software; per our Social
Contract, all software works in Debian need to meet the Debian Free
Software Guidelines regardless of how their bits might be interpreted.

This is in contrast to the FSF “Guidelines for Free System
Distributions” which makes special mention for different freedoms for
each of programs, documentation, and “non-functional data”, without
guidelines for works that may defy pre-hoc classification or straddle
those boundaries.

Do you see these differing standards of freedom being in conflict? How
would you suggest they be resolved?

> The condition will go worse with the advancement of time. So this is
> my request and suggestion for debian developers.

You're welcome to suggest specific, measurable release goals. As it
stands, your suggestion doesn't give much to aim for more than what
the Debian project is already committed to for Squeeze.

-- 
 \ “Nature hath given men one tongue but two ears, that we may |
  `\  hear from others twice as much as we speak.” —Epictetus, |
_o__)  _Fragments_ |
Ben Finney


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Stable update for python-support

[Adam D. Barratt]

On Wed, 2009-08-26 at 19:03 +0100, Adam D. Barratt wrote:
> On Wed, 2009-08-26 at 15:48 +0200, Josselin Mouette wrote:
> > I have prepared a python-support update targeted at the next lenny point
> > release.
> > 
> >* update-python-modules (create_dotpath):
> >  + Completely ignore lines starting with "import", as they would be
> >executed by python upon startup.
> > 
> > It is just a backport of this change which was made for 0.8.6, which
> > fixes a very annoying bug triggered by some packages using some
> > completely brain-dead functionality of .pth files.
> 
> Please go ahead.

Ah, I see by "prepared" you meant "uploaded". :-)

In future, it would be good if you could post a debdiff to -release and
wait for confirmation before uploading Just In Case[tm].

Thanks,

Adam


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: [SRM] spamassassin 3.2.5-2+lenny1

[Noah Meyerhans]

On Wed, Aug 26, 2009 at 07:22:47PM +0100, Adam D. Barratt wrote:
> In future, it would be good if you could post debdiffs to -release and
> wait for confirmation /before/ uploading. :-)

OK

> >* Remove open-whois.org as it is cybersquatted (Closes: #537477)
> >* Backport IPv6 support for the Received header parser (Closes: #510711)
> >* Correct the Maintainer field.
> >* Fix numerous pod2man errors that caused warning messages to be
> >  embedded within several man pages.
> 
> There are also a few other changes which weren't mentioned in the
> changelog or your mail, at least the first of which looks unintentional.
> The others are relatively minor, but I wasn't sure if they were intended
> to form part of the update, as they weren't mentioned.

I curse "svn merge"

> - The documentation fix for spamhaus and SURBL not being free for all
> has been reverted, as has the corresponding changelog entry from 3.2.5-2
> (and the changelog trailer for that version changed).
> 
> - The perl-modules dependency has grown a "| libio-zlib-perl (>= 1.04)"
> alternative.
> 
> - GPG.KEY is no longer not compressed
> 
> - sa-update is no longer run with an explicit umask by the cron job

These all came from unstable.  The libio-zlib-perl makes life easier for
backporting this package to etch, and is the only one that I actually
*meant* to include.  The rest I blame on svn.

> > The IPv6 header support is the only change to actual functionality.  It
> > fixes the problem where the config parser was unable to handle IPv6
> > addresses in config directives like "trusted_networks".  Given that one
> > of lenny's release goals was pervasive IPv6 support, I felt that this
> > was worth fixing.  Aside from myself, at least one other person is
> > currently using packages including this patch on a busy mail site, and
> > they work as expected.  It is worth noting, though, that this change
> > introduced a new dependency on libnetaddr-ip-perl.
> 
> Personally, the patch is a little larger than I'd currently be happy
> accepting for a stable update (at least for a non-security / RC fix). I
> realise the changes are all in unstable, although only for a couple of
> weeks.

Yeah, I wasn't sure whether it'd be accepted or not.  The change doesn't
have any functional effect at all if you haven't configured any IPv6
addresses in trusted_networks, etc, so I believe them to be safe.

Feel free to reject these packages, though; they're definitely not what
I *intended* to upload.

> I'd definitely suggest a lenny-backports upload including the changes
> though.

That's pretty much a given.  SpamAssassin in bpo stays pretty well in
sync with what's in testing.

noah



signature.asc
Description: Digital signature

Re: [SRM] wordpress update for lenny

[Adam D. Barratt]

On Tue, 2009-08-25 at 12:58 +0200, Giuseppe Iuculano wrote:
> I'd like to fix an annoying bug (#519798) in the wordpress password reset
> procedure in lenny.
> debdiff attached.

Please go ahead.

Regards,

Adam


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Stable upload for avelsieve

[Adam D. Barratt]

On Tue, 2009-08-25 at 11:37 +0200, Jan wrote:
> I would like to see an upload of avelsieve accepted to stable-p-u. A few
> weeks before the stable release I fixed an important bug for dovecot
> users using the sieve capabilities via avelsieve. Unfortunately I lost
> track of that with an upload of a new upstream version which didn't make
> it into lenny.
> 
> There are two different patches, one for a small bug which makes
> deleting the last sieve rule impossible, and another one for proper use
> with dovecot-imap. A user just asked to include these patches in lenny
> by filing a grave bug. I don't consider this issue as grave but it at
> least shows the impact of the missing patches for dovecot users.

Please go ahead.

On a side note, if you as the maintainer don't consider the bug to be
grave, it shouldn't be marked as such...

Regards,

Adam


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Stable update for python-support

[Josselin Mouette]

Le mercredi 26 août 2009 à 19:18 +0100, Adam D. Barratt a écrit :
> Ah, I see by "prepared" you meant "uploaded". :-)
> 
> In future, it would be good if you could post a debdiff to -release and
> wait for confirmation before uploading Just In Case[tm].

Is it really a problem for you? I mean, if you choose to reject it, I
have no problem uploading it again.

If it causes trouble to do this without the confirmation mail, I’ll
stop, of course, but it looked harmless.

Cheers,
-- 
 .''`.  Josselin Mouette
: :' :
`. `'   “I recommend you to learn English in hope that you in
  `- future understand things”  -- Jörg Schilling


signature.asc
Description: Ceci est une partie de message numériquement signée

Re: [SRM] spamassassin 3.2.5-2+lenny1

[Adam D. Barratt]

On Wed, 2009-08-26 at 09:24 -0400, Noah Meyerhans wrote:
> Hello.  I just uploaded a new set of spamassassin packages for
> consideration for the upcoming stable point release.  The changelog
> entry is:

In future, it would be good if you could post debdiffs to -release and
wait for confirmation /before/ uploading. :-)

>* Remove open-whois.org as it is cybersquatted (Closes: #537477)
>* Backport IPv6 support for the Received header parser (Closes: #510711)
>* Correct the Maintainer field.
>* Fix numerous pod2man errors that caused warning messages to be
>  embedded within several man pages.

There are also a few other changes which weren't mentioned in the
changelog or your mail, at least the first of which looks unintentional.
The others are relatively minor, but I wasn't sure if they were intended
to form part of the update, as they weren't mentioned.

- The documentation fix for spamhaus and SURBL not being free for all
has been reverted, as has the corresponding changelog entry from 3.2.5-2
(and the changelog trailer for that version changed).

- The perl-modules dependency has grown a "| libio-zlib-perl (>= 1.04)"
alternative.

- GPG.KEY is no longer not compressed

- sa-update is no longer run with an explicit umask by the cron job

> The IPv6 header support is the only change to actual functionality.  It
> fixes the problem where the config parser was unable to handle IPv6
> addresses in config directives like "trusted_networks".  Given that one
> of lenny's release goals was pervasive IPv6 support, I felt that this
> was worth fixing.  Aside from myself, at least one other person is
> currently using packages including this patch on a busy mail site, and
> they work as expected.  It is worth noting, though, that this change
> introduced a new dependency on libnetaddr-ip-perl.

Personally, the patch is a little larger than I'd currently be happy
accepting for a stable update (at least for a non-security / RC fix). I
realise the changes are all in unstable, although only for a couple of
weeks.

I'd definitely suggest a lenny-backports upload including the changes
though.

Regards,

Adam


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Stable update for python-support

[Adam D. Barratt]

On Wed, 2009-08-26 at 15:48 +0200, Josselin Mouette wrote:
> I have prepared a python-support update targeted at the next lenny point
> release.
> 
>* update-python-modules (create_dotpath):
>  + Completely ignore lines starting with "import", as they would be
>executed by python upon startup.
> 
> It is just a backport of this change which was made for 0.8.6, which
> fixes a very annoying bug triggered by some packages using some
> completely brain-dead functionality of .pth files.

Please go ahead.

Regards,

Adam


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Pidgin SSL issue - proposed-updates

[Adam D. Barratt]

On Wed, 2009-08-26 at 10:34 -0400, Ari Pollak wrote:
> Philipp Kern wrote:
> > On Mon, Aug 24, 2009 at 09:26:46AM -0400, Ari Pollak wrote:
> >> Bug #542891 covers a security bug that will probably be getting a CVE
> >> number and affects all supported versions of Debian, but the security
> >> team indicated that it isn't important enough to warrant a DSA. So I was
> >> planning on uploading an update to lenny and etch with the fix.
> > 
> > That's ok.  It would be cool however if you could post debdiffs for
> > both before you upload them to proposed-updates.
> 
> Here's the diff for lenny. Apparently etch isn't affected by this bug
> since it never claimed to require SSL/TLS, so I won't be updating that.

Please go ahead.

Regards,

Adam


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Release goal for Squeeze

[Petter Reinholdtsen]

[Praveen P]
> I would like to see squeeze released 100% free at par with
> "Guidelines for Free System Distributions" by FSF. I am using
> gnewsense also. It is very difficult to get quality free softwares
> to replace the proprietary ones now. The condition will go worse
> with the advancement of time.  So this is my request and suggestion
> for debian developers.

What exactly would have to change to make this happen?  Your request
is rather vague to me, and I wonder how much work is involved and the
consequences of the change you propose.

Happy hacking,
-- 
Petter Reinholdtsen


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: will 2.6 be default?

[Luk Claes]

Josselin Mouette wrote:
> Le mercredi 26 août 2009 à 10:14 +0200, Tshepang Lekhonkhobe a écrit : 
>> I saw recently that RT did not list 2.6 as default Python as a release
>> goal. I also saw a thread talking about the problems related to 2.6.
>> Does this mean Squeeze won't use it by default or are u guys working
>> on it?
> 
> In the current state of affairs and given the plans of the Python
> maintainers, there will be likely no python2.6 (even as non-default) in
> squeeze.

What specific technical issue(s) are in your opinion so unlikely to get
solved soon?

Is there any unreasonable plan of the Python maintainers in your opinion?

Cheers

Luk


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Bits from the release team: Release goals, schedule, state of the union

[Moritz Muehlenhoff]

On Wed, Aug 26, 2009 at 08:23:09AM +0200, Marc 'HE' Brockschmidt wrote:
> Steffen Joeris  writes:
> > On Wed, 26 Aug 2009 06:51:48 am Marc 'HE' Brockschmidt wrote:
> >> Release Goals
> >> =
> [...]
> >>  - kFreeBSD:
> >> Debian 6.0 Squeeze should be the first Debian release shipping with
> >> a non-Linux kernel.
> > Out of curiosity, how is security support working for this and who is 
> > providing it?
> 
> We [1] were hoping that kfreebsd-{i386,amd64} would be handled like i386
> and amd64 and be supported by the security team.
> 
> As we know that the security team's manpower is limited, we acknowledge
> this by asking you for any concers in supporting a architecture. For the
> Squeeze cycle, this hasn't been done yet [2], as we haven't decided yet
> which of the old architectures can't be supported from a release team
> point of view.
> 
> Including kFreeBSD architectures in the release has been in discussion
> for some time now, and we didn't see any official security team position
> on this yet, thus assumed there were no (big) concers. Should you have
> see some, please inform us soon.

The scope of security support for FreeBSD is different than for Linux:
FreeBSD doesn't treat local denial of service issues as security issues,
but rather as regular bugs (which is fine for > 90% of all systems).
I don't think we can do anything about this, so this needs to be documented
in release notes.

Other than that I don't see a problem. Security issues in the FreeBSD
kernel are infrequent. Testing can be a problem, so we need someone from
the kfreebsd porters to build and test the update for us. Since Aurelien
has been doing that for the existing - unsupported - packages in Lenny
already (in the form of stable-proposed-updates), everything should be
fine if he continues to do so.

Also we should aim at only supporting one kernel for FreeBSD in the Squeeze
release. (I don't know the current state, but IIRC there were multiple
kfreebsd kernel packages in the past).

Cheers,
Moritz


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: will 2.6 be default?

[Nicolas Chauvat]

On Wed, Aug 26, 2009 at 09:20:51PM +1000, Ben Finney wrote:
> I'm confident that, if the right coordination of effort and publicity of
> the necessary to-do tasks were applied, there would be ample willingness
> From Debian members who want Python 2.6 in Debian Squeeze.

It would indeed be nice if someone could list the hurdles that stand
between us and Python 2.6 in Squeeze, or point us to the web page that
lists them.

Python2.6 is in experimental:
http://packages.debian.org/source/experimental/python2.6
Python2.6 is in Ubuntu jaunty:
https://lists.ubuntu.com/archives/ubuntu-devel/2009-May/028266.html

Has anything changed since:
http://lists.debian.org/debian-python/2009/03/msg00091.html
and:
http://lists.debian.org/debian-python/2009/08/msg3.html
?

I read the list and can search the archives, but have not found a list
of tasks that need doing to get 2.6 in squeeze.

-- 
Nicolas Chauvat

logilab.fr - services en informatique scientifique et gestion de connaissances  


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Pidgin SSL issue - proposed-updates

[Ari Pollak]

-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160

Philipp Kern wrote:
> On Mon, Aug 24, 2009 at 09:26:46AM -0400, Ari Pollak wrote:
>> Bug #542891 covers a security bug that will probably be getting a CVE
>> number and affects all supported versions of Debian, but the security
>> team indicated that it isn't important enough to warrant a DSA. So I was
>> planning on uploading an update to lenny and etch with the fix.
> 
> That's ok.  It would be cool however if you could post debdiffs for
> both before you upload them to proposed-updates.

Here's the diff for lenny. Apparently etch isn't affected by this bug
since it never claimed to require SSL/TLS, so I won't be updating that.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREDAAYFAkqVR6AACgkQwO+u47cOQDsQ7QCgiy/BtpNOr4bXuWycFlLqcgR1
3KUAnAlNnRmEyisdwECAfyL3X3ozaKNX
=gyK9
-END PGP SIGNATURE-
diff -Nru pidgin-2.4.3/debian/changelog pidgin-2.4.3/debian/changelog
--- pidgin-2.4.3/debian/changelog   2009-08-26 14:31:07.0 +
+++ pidgin-2.4.3/debian/changelog   2009-08-26 14:31:08.0 +
@@ -1,3 +1,11 @@
+pidgin (2.4.3-4lenny4) stable; urgency=medium
+
+  * debian/patches/35_xmpp-require-ssl.patch:
+- Fix XMPP not properly enforcing "Require SSL/TLS" on some older 
+  servers (Closes: #542891)
+
+ -- Ari Pollak   Tue, 25 Aug 2009 09:53:14 -0400
+
 pidgin (2.4.3-4lenny3) stable-security; urgency=low
 
   * debian/patches/33_ssl-nss-self-signed-crash.patch:
diff -Nru pidgin-2.4.3/debian/patches/35_xmpp-require-ssl.patch 
pidgin-2.4.3/debian/patches/35_xmpp-require-ssl.patch
--- pidgin-2.4.3/debian/patches/35_xmpp-require-ssl.patch   1970-01-01 
00:00:00.0 +
+++ pidgin-2.4.3/debian/patches/35_xmpp-require-ssl.patch   2009-08-26 
14:31:08.0 +
@@ -0,0 +1,28 @@
+#
+#
+# patch "libpurple/protocols/jabber/auth.c"
+#  from [c6da33813f947a747b08aec752db34db121516fd]
+#to [4846e5134fd09bde6ad21cd0b75b64693e90e5ea]
+#
+
+--- libpurple/protocols/jabber/auth.c  c6da33813f947a747b08aec752db34db121516fd
 libpurple/protocols/jabber/auth.c  4846e5134fd09bde6ad21cd0b75b64693e90e5ea
+@@ -689,6 +689,18 @@ void jabber_auth_start_old(JabberStream 
+   JabberIq *iq;
+   xmlnode *query, *username;
+ 
++  /* We can end up here without encryption if the server doesn't support
++   *  and we're not using old-style SSL.  If the user
++   * is requiring SSL/TLS, we need to enforce it.
++   */
++  if (js->gsc == NULL &&
++  
purple_account_get_bool(purple_connection_get_account(js->gc), "require_tls", 
FALSE)) {
++  purple_connection_error_reason (js->gc,
++  PURPLE_CONNECTION_ERROR_ENCRYPTION_ERROR,
++  _("You require encryption, but it is not available on 
this server."));
++  return;
++  }
++
+ #ifdef HAVE_CYRUS_SASL
+   /* If we have Cyrus SASL, then passwords will have been set
+* to OPTIONAL for this protocol. So, we need to do our own


pidgin_2.4.3-4lenny4.debdiff.sig
Description: Binary data

Stable update for python-support

[Josselin Mouette]

Hi,

I have prepared a python-support update targeted at the next lenny point
release.

   * update-python-modules (create_dotpath):
 + Completely ignore lines starting with "import", as they would be
   executed by python upon startup.

It is just a backport of this change which was made for 0.8.6, which
fixes a very annoying bug triggered by some packages using some
completely brain-dead functionality of .pth files.

--- deb-maint/python-support/trunk/update-python-modules2009/05/05 
17:04:53 12975
+++ deb-maint/python-support/trunk/update-python-modules2009/05/05 
17:05:11 12976
@@ -186,6 +186,9 @@
 if f.endswith(".pth") and os.path.isfile(f):
   for l in file(f):
 l=l.rstrip('\n')
+if l.startswith('import'):
+  # Do not ship lines starting with "import", they are executed! 
(complete WTF)
+  continue
 pathlist.append(l)
 l2=os.path.join(path,l)
 pathlist.append(l2)

-- 
 .''`.  Josselin Mouette
: :' :
`. `'   “I recommend you to learn English in hope that you in
  `- future understand things”  -- Jörg Schilling


signature.asc
Description: Ceci est une partie de message numériquement signée

[SRM] spamassassin 3.2.5-2+lenny1

[Noah Meyerhans]

Hello.  I just uploaded a new set of spamassassin packages for
consideration for the upcoming stable point release.  The changelog
entry is:

   * Remove open-whois.org as it is cybersquatted (Closes: #537477)
   * Backport IPv6 support for the Received header parser (Closes: #510711)
   * Correct the Maintainer field.
   * Fix numerous pod2man errors that caused warning messages to be
 embedded within several man pages.

The IPv6 header support is the only change to actual functionality.  It
fixes the problem where the config parser was unable to handle IPv6
addresses in config directives like "trusted_networks".  Given that one
of lenny's release goals was pervasive IPv6 support, I felt that this
was worth fixing.  Aside from myself, at least one other person is
currently using packages including this patch on a busy mail site, and
they work as expected.  It is worth noting, though, that this change
introduced a new dependency on libnetaddr-ip-perl.

noah



signature.asc
Description: Digital signature

Re: Bits from the release team: Release goals, schedule, state of the union

[Raphael Hertzog]

On Wed, 26 Aug 2009, Goswin von Brederlow wrote:
> Is that actualy a release goal for squeeze?

Yes, that's the release goal because it requires work on many packages.

There's no point in having a release goal stating "wait until ftpmasters
apply buxy's patch to allow 3.0 source packages".

> Since blindly changing dpkg-source to use 3.0 format breaks packages
> maybe a better change would be to make a missing debian/source/format
> first a warning and then an error. But maybe that is just me.

Many transition scenario are possible, I chosed one that makes most sense
to me. It's not going to be disruptive if we take the time to prepare for
the switch. This is what this release goal is about.

Cheers,
-- 
Raphaël Hertzog


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: will 2.6 be default?

[Ben Finney]

Josselin Mouette  writes:

> Le mercredi 26 août 2009 à 10:14 +0200, Tshepang Lekhonkhobe a écrit : 
> > I saw recently that RT did not list 2.6 as default Python as a
> > release goal. I also saw a thread talking about the problems related
> > to 2.6. Does this mean Squeeze won't use it by default or are u guys
> > working on it?
>
> In the current state of affairs and given the plans of the Python
> maintainers

By this, do you mean “the plans of the maintainers of the Debian
maintainers of Python”, or “the plans of the upstream maintainers of
Python”?

> there will be likely no python2.6 (even as non-default) in squeeze.

Can this situation be improved by input from enthustic volunteers, even
those without specific skills in the Debian package of Python?

I'm confident that, if the right coordination of effort and publicity of
the necessary to-do tasks were applied, there would be ample willingness
From Debian members who want Python 2.6 in Debian Squeeze.

-- 
 \  “A new swimming pool is rapidly taking shape since the |
  `\contractors have thrown in the bulk of their workers.” |
_o__)   newspaper article, east Africa |
Ben Finney


pgpshMPn25uue.pgp
Description: PGP signature

Re: Bits from the release team: Release goals, schedule, state of the union

[Goswin von Brederlow]

Raphael Hertzog  writes:

> On Wed, 26 Aug 2009, Matthijs Kooijman wrote:
>> Or is the second step in this release goal of actually using the new source
>> format for all (or at least a lot?) packages?
>
> Yes. I'd like to achieve this by changing dpkg-source to build 3.0 (quilt)
> or 3.0 (native) source packages by default (generating a source package
> using the old format would then require putting "1.0" in
> debian/source/format).
>
> Cheers,
> -- 
> Raphaël Hertzog

Is that actualy a release goal for squeeze?

If so then I would prefer if that where stated specifically and
seperately to the goal of allowing 3.0 source packages at all.

Allowing 3.0 format is long overdue imho and from what has been told
just needs patches to be applied to DAK to b completed.

Changing packages I believe will happen naturally after that and I
would rather see a gradual adoption of the new format than brute
forcing maintainer to change their packages before squeeze. The new
format has enough advantages to stand on its own. Change dh_make and
other package creating helpers so new packages default to 3.0 (quilt).

Since blindly changing dpkg-source to use 3.0 format breaks packages
maybe a better change would be to make a missing debian/source/format
first a warning and then an error. But maybe that is just me.

MfG
Goswin


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: KDE plans for the squeeze cycle

[Ana Guerrero]

Hi Marc et all,

I will answer including also Qt 4 plans, that as you know is a quite
important part of KDE 4 :)

> * Which major upstream releases of KDE are expected in the next two
>   years? Which of those are material for Debian stable, which might be a bit
>   flaky?

About KDE
--

We currently have KDE 4.3.0 in unstable.
KDE 4.4 is expected about January 2010.
KDE 4.5 is expected about July 2010.

It is not a good idea to do more speculation about dates after this point
because in KDE they are also testing new release management methods. 

About flaky releases, usually 0 point releases have some bugs and any further 
point releases are highly preferred to ship in a Debian stable release.
In case of freezing with a .0 (or .1) release, we would like to be given the 
possibility of upload the next point releases given that point releases have so 
far contained fewer regressions than actual bug fixes.
Having a .2 or .3 point release would be the ideal.

We would like to mention that neither of us expected to release with KDE 4.3.X 
and we didn't give (nor will give now being late to the party) to it as much 
care as it probably needed to.

About Qt
-
We currently have Qt 4.5.2 in the archive and the development and expectations 
are on Qt 4.6. This release is expected about the end of this year or worse 
case, 
very early 2010.
Qt 4.6 will deliver an important set of new features (animation API, state 
machine 
framework), and important updates (graphics view, webkit, qtscript) [0]. 
Leaving 
4.6 outside of the next stable, would put Squeeze in an unsupported status of 
new 
Qt software for its entire life span.
It is also worth mentioning Qt 4.5.x doesn't support GCC 4.4 (and won't), Qt 
4.6 
will do. 
As with KDE the best is always shipping with a point release and Qt 4.6.1 is 
our 
minimal target.


> * How much time do you usually need from a new upstream release of KDE
>   to a stable Debian package in unstable?

KDE releases the tarballs to packagers one week before release, so packagers
have time to prepare the packaging. We usually get something ready (with the
4.x releases) for release day, sometimes with some bugs, sometimes not. These
bugs are usually weeded out during a week or two after this.

For point releases, which is only bug fix releases, we usually get the
packaging fully right at first upload, which happens around release day.


> * How many "big" transitions will the upcoming changes cause? When should 
> those
>   happen? Can we do something to make them easier?

We already have done most of the complicated stuff when moving from kde 3 to 
kde 4.
We have some stuff we would like to do but nothing too big or "must do" before 
next
release.


If we could plan the Debian release cycle completely after what would be good
for KDE, squeeze will freeze shortly after KDE 4.5.0 is uploaded to Debian
(July 2010) and the 4.5.x point releases would be allowed in.

KDE would have the possibility to take advantage of the new things in Qt4.6, 
and 
we would reach Qt4.6.2 or something like that on the Qt side.



-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: will 2.6 be default?

[Josselin Mouette]

Le mercredi 26 août 2009 à 10:14 +0200, Tshepang Lekhonkhobe a écrit : 
> I saw recently that RT did not list 2.6 as default Python as a release
> goal. I also saw a thread talking about the problems related to 2.6.
> Does this mean Squeeze won't use it by default or are u guys working
> on it?

In the current state of affairs and given the plans of the Python
maintainers, there will be likely no python2.6 (even as non-default) in
squeeze.

Cheers,
-- 
 .''`.  Josselin Mouette
: :' :
`. `'   “I recommend you to learn English in hope that you in
  `- future understand things”  -- Jörg Schilling


signature.asc
Description: Ceci est une partie de message numériquement signée

Re: Bits from the release team: Release goals, schedule, state of the union

[Raphael Hertzog]

On Wed, 26 Aug 2009, Matthijs Kooijman wrote:
> Or is the second step in this release goal of actually using the new source
> format for all (or at least a lot?) packages?

Yes. I'd like to achieve this by changing dpkg-source to build 3.0 (quilt)
or 3.0 (native) source packages by default (generating a source package
using the old format would then require putting "1.0" in
debian/source/format).

Cheers,
-- 
Raphaël Hertzog


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Bits from the release team: Release goals, schedule, state of the union

[Matthijs Kooijman]

On Wed, Aug 26, 2009 at 10:21:00AM +0200, Marc 'HE' Brockschmidt wrote:
> You missed something:
> http://lists.debian.org/debian-devel-announce/2008/04/msg4.html

On Wed, Aug 26, 2009 at 10:18:05AM +0200, Raphael Hertzog wrote:
> You missed several announces on debian-devel-announce (you are supposed to
> be subscribed and reading) and a status update on -devel recently.

Ah, thanks. From reading there, and the other pointers you've given, I
understand that this release goal is mostly focused on applications that work
with source packages (dpkg, apt, svn-buildpackage, etc.), not on changing
"regular" packages to (be able to) use the new source formats.

I had expected changes to be required in all packages, which is why I didn't
remember that particular announcement (I had read it and concluded it did not
affect my package).

I think the source of my confusion was (and is) caused by use of the phrase
"all packages" in the release goal "Have all packages in the archive buildable
using the new source package formats.". Perhaps phrasing it as "Having the
archive and all package-support tools support the new source package formats"
would be better?

Or is the second step in this release goal of actually using the new source
format for all (or at least a lot?) packages?

Thanks for your time!

Matthijs


signature.asc
Description: Digital signature

Re: Bits from the release team: Release goals, schedule, state of the union

[Marc 'HE' Brockschmidt]

Matthijs Kooijman  writes:
>>  - New source package format:
>> Make it possible to build all packages using dpkg source format
>> 3.0 (quilt).
> This seems like something that requires packagers to take some action, or at
> least check their packages for this possibility? However, I've never heard
> about this new "source format" until now. Did I miss something,

You missed something:
http://lists.debian.org/debian-devel-announce/2008/04/msg4.html

> A quick read of the dpkg-source manpage about the source format 3 didn't
> really help my understanding of what would be required to attain this goal.
> Could you elaborate a bit? Perhaps in the next update?

The documentation for all goals is reachable from the release goal list
I referenced in the bits mail [1], in this case you can find more
information on http://wiki.debian.org/ReleaseGoals/NewDebFormats
There are links to a description of the new format as well as pointers
to bugs filed for known problems.

Marc

Footnotes: 
[1]  http://release.debian.org/squeeze/goals.txt
-- 
BOFH #154:
You can tune a file system, but you can't tune a fish (from most
tunefs man pages)


pgpNnPT0o1LCd.pgp
Description: PGP signature

Re: Bits from the release team: Release goals, schedule, state of the union

[Raphael Hertzog]

Hi,

On Wed, 26 Aug 2009, Matthijs Kooijman wrote:
> >  - New source package format:
> > Make it possible to build all packages using dpkg source format
> > 3.0 (quilt).
> This seems like something that requires packagers to take some action, or at
> least check their packages for this possibility? However, I've never heard
> about this new "source format" until now. Did I miss something, or will there
> be separate announcements about this still?

You missed several announces on debian-devel-announce (you are supposed to
be subscribed and reading) and a status update on -devel recently.

Start with http://wiki.debian.org/Projects/DebSrc3.0 to get more
information.

> A quick read of the dpkg-source manpage about the source format 3 didn't
> really help my understanding of what would be required to attain this goal.
> Could you elaborate a bit? Perhaps in the next update?

Basically fix all those bugs:
http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=hert...@debian.org;tag=3.0-quilt-by-default

(And continue to maintain other packages sanely to not expand that list)

Cheers,
-- 
Raphaël Hertzog


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

will 2.6 be default?

[Tshepang Lekhonkhobe]

Hi,

I saw recently that RT did not list 2.6 as default Python as a release
goal. I also saw a thread talking about the problems related to 2.6.
Does this mean Squeeze won't use it by default or are u guys working
on it?

It always seems a great challenge everytime there's a switch of
defaults. Is there anything to learn from other distros or are they
taking shortcuts, or is there something else holding back Debian's
progress.

-- 
my place on the web:
floss-and-misc.blogspot.com


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Bits from the release team: Release goals, schedule, state of the union

[Matthijs Kooijman]

Heya,

>  - New source package format:
> Make it possible to build all packages using dpkg source format
> 3.0 (quilt).
This seems like something that requires packagers to take some action, or at
least check their packages for this possibility? However, I've never heard
about this new "source format" until now. Did I miss something, or will there
be separate announcements about this still?

A quick read of the dpkg-source manpage about the source format 3 didn't
really help my understanding of what would be required to attain this goal.
Could you elaborate a bit? Perhaps in the next update?

Gr.

Matthijs


signature.asc
Description: Digital signature

Re: [SRM] stable udev update

[Philipp Kern]

Hallo Marco,

am Tue, Aug 25, 2009 at 10:11:47PM +0200 hast du folgendes geschrieben:
> On Aug 25, Julien Cristau  wrote:
> > Looks like the uploaded package wasn't built in a lenny environment.
> Indeed, sorry for the mistake. I am uploading a properly built
> 0.125-7+lenny3.
> (What about .symbols files for libraries >= standard as a release goal?)

that would have hid this problem in question if there were other subtle
changes from the build environment of Lenny to the old you used?

(Not that I would be against it in principle or something.)

Kind regards,
Philipp Kern
-- 
 .''`.  Philipp KernDebian Developer
: :' :  http://philkern.de Stable Release Manager
`. `'   xmpp:p...@0x539.de Wanna-Build Admin
  `-finger pkern/k...@db.debian.org


signature.asc
Description: Digital signature

Re: Unjamming the botan transition

[Philipp Kern]

Hallo Zack,

am Tue, Aug 25, 2009 at 08:43:25AM -0700 hast du folgendes geschrieben:
> I'm trying to figure out why the renamed botan library packages and
> their dependencies (monotone and keysafe) have not made it into
> testing, despite everything being a "Valid candidate".  The most
> recent update_output.txt (Generated on: 2009.08.25 10:44:55 +)
> just says

FWIW, the output Andi quoted was dak ls on ftp-master.  If you are
certain that there was a dinstall since Britney's update_output and
your time (there are various sources on the net to get the dinstall
times, which are 4 times a day) you can use rmadison which does
a dak ls on the database mirror which is updated at the end of dinstall.

> Trying hint from luk: botan1.8/1.8.5-5 -botan-devel/1.8.1-1
> monotone/0.44-2 keysafe/0.4-1.1
> leading: botan1.8,-botan-devel,monotone,keysafe
> failed: botan1.8

I suspect that it needed aging.  When I last tried my hints they were
constantly broken by new uploads to the point I stopped tracking it.

> but yesterday's (Generated on: 2009.08.24 22:34:02 +) has
> marginally more information:
> 
> Trying hint from luk: botan1.8/1.8.5-5 -botan-devel/1.8.1-1
> monotone/0.44-2 keysafe/0.4-1.1
> leading: botan1.8,-botan-devel,monotone,keysafe
> start: 139+2497: 
> i-27:a-9:a-23:a-11:h-20:i-12:m-8:m-8:p-4:s-9:s-8:k-1270:k-1227
> orig: 139+2497: i-27:a-9:a-23:a-11:h-20:i-12:m-8:m-8:p-4:s-9:s-8:k-1270:k-1227
> recur: [] botan1.8,-botan-devel,monotone,keysafe 696/0
> ...
>  finish: [botan1.8,-botan-devel,monotone,keysafe]
> endloop: 139+2497:
> i-27:a-9:a-23:a-11:h-20:i-12:m-8:m-8:p-4:s-9:s-8:k-1270:k-1227
> now: 139+2499:
> i-27:a-9:a-23:a-11:h-20:i-12:m-8:m-8:p-4:s-9:s-8:k-1271:k-1228
> * kfreebsd-amd64: keysafe
> * kfreebsd-i386: keysafe
> Apparently successful
> 
> Despite this being *labeled* a success, packages did not move, and I
> think the problem is keysafe becoming uninstallable on
> kfreebsd-{amd64,i386}.  If so, perhaps binNMUs of that package on
> those architectures would help?

We are currently not considering uninstallability on kfreebsd-* a problem.
This might change in the near future but will be announced in this case.

> The only other thing that might be going on is, is it source or binary
> packages that are mentioned in hint files?  I see things like this in
> the older update_output.txt ...

It's trying source packages (and binNMUs of them as srcpkg/arch) but
uninstallability is reported for binary packages as source packages do
not have dependencies and you normally want to know where it's coming
from.

> p.s. For reference, these are the relevant lines in the current set of
> hint files:
> 
> adeodato:block keysafe
> adeodato:block monotone
> luk:hint botan1.8/1.8.5-5 -botan-devel/1.8.1-1 monotone/0.44-2 keysafe/0.4-1.1
> neilm:unblock monotone/0.44-2
> neilm:remove botan-devel/1.8.1-1
> neilm:hint monotone/0.44-2
> 
> of which I *think* only luk's is actually doing anything at this point.

True.  And I assume that adeodato's hints are currently ignored anyway.

Kind regards,
Philipp Kern
-- 
 .''`.  Philipp KernDebian Developer
: :' :  http://philkern.de Stable Release Manager
`. `'   xmpp:p...@0x539.de Wanna-Build Admin
  `-finger pkern/k...@db.debian.org


signature.asc
Description: Digital signature

Re: Bits from the release team: Release goals, schedule, state of the union

[Steffen Joeris]

Hi Marc

On Wed, 26 Aug 2009 04:23:09 pm Marc 'HE' Brockschmidt wrote:
> Steffen Joeris  writes:
> > On Wed, 26 Aug 2009 06:51:48 am Marc 'HE' Brockschmidt wrote:
> >> Release Goals
> >> =
>
> [...]
>
> >>  - kFreeBSD:
> >> Debian 6.0 Squeeze should be the first Debian release shipping with
> >> a non-Linux kernel.
> >
> > Out of curiosity, how is security support working for this and who is
> > providing it?
>
> We [1] were hoping that kfreebsd-{i386,amd64} would be handled like i386
> and amd64 and be supported by the security team.
>
> As we know that the security team's manpower is limited, we acknowledge
> this by asking you for any concers in supporting a architecture. For the
> Squeeze cycle, this hasn't been done yet [2], as we haven't decided yet
> which of the old architectures can't be supported from a release team
> point of view.
>
> Including kFreeBSD architectures in the release has been in discussion
> for some time now, and we didn't see any official security team position
> on this yet, thus assumed there were no (big) concers. Should you have
> see some, please inform us soon.
For kernel-security support, we have Dann Frazier in the security team, who is 
also working in the kernel team (and of course other kernel team members might 
help on security behind the curtain).
Now I am not sure how to do it for another kernel, because the rest of the 
team is usually busy with the rest of the archive. Maybe it would be a good 
idea to see, if someone from the kfreeBSD kernel team would be willing to 
help? Also, I guess Dann or someone else from the sec team should probably 
comment on this as well.

Cheers
Steffen


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Bits from the release team: Release goals, schedule, state of the union

[Steffen Joeris]

On Wed, 26 Aug 2009 04:58:24 pm Andreas Barth wrote:
> * Steffen Joeris (steffen.joe...@skolelinux.de) [090826 08:53]:
> > For kernel-security support, we have Dann Frazier in the security team,
> > who is also working in the kernel team (and of course other kernel team
> > members might help on security behind the curtain).
>
> So your basic concern is: Who will support the kbsd-specific packages
> (kernel plus kernel-near userland)? (The other packages shouldn't be
> an issue, or?)
Yeah basically, I mean they should be supported from within the security team, 
but I was wondering, whether we have a particular individual appointed for it 
(like for the linux kernel) or how the details should look like.

I just reread my first response to Marc and saw that it could have been read as 
very sarcastic and rude, my apologies that wasn't the intention I wrote that 
sentence in a hurry.

Cheers
Steffen

P.S. The comments/ideas/questions in this thread are my own, not the view of 
the security team.

P.P.S. We could probably drop -devel from this thread.


signature.asc
Description: This is a digitally signed message part.