Bug#829371: transition: ntl

[Julien Puydt]

Hi,

On 04/07/2016 14:13, Jonathan Wiltshire wrote:

On 2016-07-03 10:30, Jonathan Wiltshire wrote:

Control: tag -1 confirmed

On 2016-07-02 21:58, Julien Puydt wrote:

I checked that these new ntl packages make it possible to build eclib,
flint, linbox, singular and flint-arb on an amd64 debian box, so I
don't expect any new problem.


Please go ahead.


Seems to have happened, so rebuilds scheduled.



The eclib failure on amd64 is pretty annoying -- I tried on my amd64 
box, and got illegal instruction too.


Then I compiled libntl27 from apt-get source and installed the obtained 
libntl27 package, and ran make check again : gone!


I don't know what is amiss with the package yet -- and even more 
worrying: I don't know how I didn't detect the matter when I checked the 
deps!


I'll try to find more about it as soon as possible,

Snark on #debian-science

Bug#826568: Bug#826161: Bug#826568: jessie-pu: package sendmail/8.14.4-8+deb8u1

[Guillem Jover]

Hi!

On Tue, 2016-07-05 at 14:41:26 +0200, Andreas Beckmann wrote:
> On 2016-07-05 11:51, Adam D. Barratt wrote:
> > On a related note, which has been mentioned before (on dda at least) -
> > please don't name your .changes file _amd64.changes if the package
> > builds amd64 binaries and they're not included in the upload. dak keeps
> 
> That's dpkg-buildpackage -g in stable. It is fixed in sid. (#826161)
> 
> Guillem, could #826161 be fixed in stable, too?

Ah certainly! I didn't mark it as a stable candidate because I was
afraid it could cause unintended problems, but if it is already
causing problems now I don't see why not. I've added a git-notes to
that commit to queue it for the next stable update.

Thanks,
Guillem

Re: Thinking about a "jessie and a half" release

[Steve McIntyre]

On Tue, Jul 05, 2016 at 06:11:24PM +, Holger Levsen wrote:
>On Mon, Jul 04, 2016 at 04:01:10PM -0400, Nicholas D Steeves wrote:
>> I still wonder if a fork of the last linux:src=4.4, updated to bring
>> it to linux-4.4.14 would be a lower support burden?  I'm still finding
>> that there are a fair number of issues reported with 4.5.x and 4.6.x
>> on various mailing lists.  Does anyone know how Skylake support is
>> like for the 4.4.x branch?  What is arm64 support like?  I've
>> corresponded with Ben Hutchings, and he tells me an LTS kernel effort
>> is ok to do, but unofficial.  Personally, I believe following bpo
>> kernel is a bit of a rodeo in comparison to what one expects from
>> Debian Stable, which is why I'm looking into this project. 
>
>Steve, *this* is a major open question as I see it, what's you take on
>it? 
>
>I assume "forking" the kernel for jessie+½ as done for etch-and-half is
>the plan already? (forking as in using a new source package…)

God, no - really *not* that way at all. I'm thinking of using the
kernel in backports at the time we do a build/test/release
cycle. People using this and updating will end up following bpo for a
while until the Stretch release.

>(Probably related to the remark that jessie+½ might become obsolete by
>stretch quite soon after too… related as in: what will be the next
>upstream LTS kernel?)
>
>
>-- 
>cheers,
>   Holger


-- 
Steve McIntyre, Cambridge, UK.st...@einval.com
Who needs computer imagery when you've got Brian Blessed?

Re: Thinking about a "jessie and a half" release

[Steve McIntyre]

On Tue, Jul 05, 2016 at 04:15:36PM -0300, Breno Leitao wrote:
>Steve,
>
>On 07/04/2016 10:01 AM, Steve McIntyre wrote:
>>A lot of arm64 machine users would benefit from this, and maybe owners
>>of very recent amd64 machines too.
>
>ppc64el port would take benefit from it also, since, there were many new
>kernel features that made linux after 3.16.

ACK. Just kernel, or any other bits?

-- 
Steve McIntyre, Cambridge, UK.st...@einval.com
  Getting a SCSI chain working is perfectly simple if you remember that there
  must be exactly three terminations: one on one end of the cable, one on the
  far end, and the goat, terminated over the SCSI chain with a silver-handled
  knife whilst burning *black* candles. --- Anthony DeBoer

Re: Thinking about a "jessie and a half" release

[Steve McIntyre]

On Tue, Jul 05, 2016 at 02:37:06PM +0200, Martin Zobel-Helas wrote:
>Hi Steve, 
>
>On Mon Jul 04, 2016 at 14:01:03 +0100, Steve McIntyre wrote:
>> A lot of arm64 machine users would benefit from this, and maybe owners
>> of very recent amd64 machines too, with better support for things on
>> the Skylake platform. Those are the only two architectures I'm
>> thinking of supporting at this point.
>> 
>> Is anybody else interested in helping? Thoughts/comments?
>
>from a cloud image users perspective this sounds like a great idea.
>There are several things eg. in the kernel with 10GE network drivers,
>where a newer kernel would  definitivly help a lot. Also maybe newer
>cloud-init and friends would help.
>
>Please go for it.
>
>+1 from my side.

ACk, thanks for the feedback.

-- 
Steve McIntyre, Cambridge, UK.st...@einval.com
"This dress doesn't reverse." -- Alden Spiess

Re: Thinking about a "jessie and a half" release

[Steve McIntyre]

On Mon, Jul 04, 2016 at 07:05:42PM +0200, Ben Hutchings wrote:
>On Mon, 2016-07-04 at 14:01 +0100, Steve McIntyre wrote:
>> Hey folks,
>> 
>> There's something I've been pondering for a while, along with some
>> other folks - it might be useful to do a "jessie and a half" release,
>> similarly to what we did in the etch days.
>
>As I recall, that added extra packages to the etch suite, whereas it
>seems like this would take updated packages the jessie-backports suite.

Yup, that's what I'm thinking.

>> That's *basically* just like a normal jessie release, but with a few
>> key updates:
>> 
>>  * backports kernel
>>  * rebuilt d-i to match that kernel
>>  * X drivers
>>  * ... (other things that might be needed for consistency)
>
>For the kernel: firmware-nonfree, kernel-wedge, linux-base, linux-
>latest, linux-signed, sbsigntool.  All of those are already in jessie-
>backports, except the last two which will be needed starting with 4.7.

Right.

>For user-space graphics: libdrm and mesa, presumably.
>
>> all rolled up with a small installer image build (netinst, maybe DVD#1).
>> 
>> A lot of arm64 machine users would benefit from this, and maybe owners
>> of very recent amd64 machines too, with better support for things on
>> the Skylake platform. Those are the only two architectures I'm
>> thinking of supporting at this point.
>> 
>> Is anybody else interested in helping? Thoughts/comments?
>
>When do you anticipate this would be releasable?  Would it really be
>long enough before stretch, to be worthwhile?

I'm thinking late July / early August, which would still give us a
number of months lead on Stretch.

-- 
Steve McIntyre, Cambridge, UK.st...@einval.com
  Armed with "Valor": "Centurion" represents quality of Discipline,
  Honor, Integrity and Loyalty. Now you don't have to be a Caesar to
  concord the digital world while feeling safe and proud.

Re: Thinking about a "jessie and a half" release

[Breno Leitao]

Steve,

On 07/04/2016 10:01 AM, Steve McIntyre wrote:

A lot of arm64 machine users would benefit from this, and maybe owners
of very recent amd64 machines too.


ppc64el port would take benefit from it also, since, there were many new
kernel features that made linux after 3.16.

Re: Thinking about a "jessie and a half" release

[Cyril Brulebois]

Holger Levsen  (2016-07-05):
> On Mon, Jul 04, 2016 at 04:01:10PM -0400, Nicholas D Steeves wrote:
> > I still wonder if a fork of the last linux:src=4.4, updated to bring
> > it to linux-4.4.14 would be a lower support burden?  I'm still finding
> > that there are a fair number of issues reported with 4.5.x and 4.6.x
> > on various mailing lists.  Does anyone know how Skylake support is
> > like for the 4.4.x branch?  What is arm64 support like?  I've
> > corresponded with Ben Hutchings, and he tells me an LTS kernel effort
> > is ok to do, but unofficial.  Personally, I believe following bpo
> > kernel is a bit of a rodeo in comparison to what one expects from
> > Debian Stable, which is why I'm looking into this project. 
> 
> Steve, *this* is a major open question as I see it, what's you take on
> it? 
> 
> I assume "forking" the kernel for jessie+½ as done for etch-and-half is
> the plan already? (forking as in using a new source package…)

AFAICT the plan is to use whatever is in backports and confirmed to just
work at the time, release, and be happy.


KiBi.


signature.asc
Description: Digital signature

Re: Thinking about a "jessie and a half" release

[Holger Levsen]

On Mon, Jul 04, 2016 at 04:01:10PM -0400, Nicholas D Steeves wrote:
> I still wonder if a fork of the last linux:src=4.4, updated to bring
> it to linux-4.4.14 would be a lower support burden?  I'm still finding
> that there are a fair number of issues reported with 4.5.x and 4.6.x
> on various mailing lists.  Does anyone know how Skylake support is
> like for the 4.4.x branch?  What is arm64 support like?  I've
> corresponded with Ben Hutchings, and he tells me an LTS kernel effort
> is ok to do, but unofficial.  Personally, I believe following bpo
> kernel is a bit of a rodeo in comparison to what one expects from
> Debian Stable, which is why I'm looking into this project. 

Steve, *this* is a major open question as I see it, what's you take on
it? 

I assume "forking" the kernel for jessie+½ as done for etch-and-half is
the plan already? (forking as in using a new source package…)

(Probably related to the remark that jessie+½ might become obsolete by
stretch quite soon after too… related as in: what will be the next
upstream LTS kernel?)


-- 
cheers,
Holger


signature.asc
Description: Digital signature

Re: [debian-mysql] About packages that depend on mysql-* / mariadb / virtual-mysql-*

[Robie Basak]

On Tue, Jul 05, 2016 at 11:41:15AM +0200, Jonathan Wiltshire wrote:
> > I suggest we extend the mysql-defaults source package to provide a
> > real default-mysqlclient-dev metapackage, which other packages can
> > build depend on, using versions if needed (just as default-jdk does).
> 
> Yes.
> 
> > Current mariadb-10.0 source package does not ship any
> > libmariadbclient18 nor libmariadbclient-dev packages at all, as
> > previously it was seen as against the policy (but mariadb-5.5 in
> > Debian did). I suggest we start producing them now again to make a
> > libmysqlclient.so(.18) available from mariadb-10.0.
> > 
> > Having two libmysqlclient.so.18 files from two different packages is a
> > controversial topic. They are not identical so it is ugly to use the
> > same name. This is however a necessity dictated by the need to provide
> > a drop-in-replacement that can be used directly without going into
> > every single clienting program and editing the C headers and soname
> > calls.
> 
> We discussed this in the release team and concluded that having two
> libmysqlclient.so.18 files in two packages is likely to run into problems
> later if/when they diverge, so there is no point delaying that pain.
> Especially as they are not identical even now.

Sorry, I'm not clear on the sense of your statement. By this, are you
agreeing to do it now, or saying that we shouldn't do it?

> I wonder if pkgconfig can be any help here? That involves a one-time change
> to client packages if they don't already use pkgconfig but doesn't have to
> be repeated if the default switches.

I experimented down another route. In my proposal, I keep the
libmysqlclient for MySQL only, and use libmariadbclient for the MariaDB
upstream. So:

PROPOSAL B

pkg:libmysqlclient18 ships libmysqlclient.so.18
pkg:libmysqlclient-dev ships libmysqlclient.so

(no change so far).

Then:

pkg:libmariadbclient18 is created to ship libmariadbclient.so.18
pkg:libmariadbclient-dev is created to ship libmariadbclient.so

These are new additions to src:mariadb-10.0. We have to patch a little
to switch from MariaDB from building libmysqlclient to use
libmariadbclient instead.

pkg:libmariadbclient-dev must conflict with pkg:libmysqlclient-dev
because they ship the same header files, but this affects builds only,
and not (normal) runtime.

Then:

pkg:libmariadbclient-dev-compat is created to ship a symlink:
libmysqlclient.so -> libmariadbclient.so. This must conflict with
pkg:libmysqlclient-dev, but again we're affecting builds only, and not
normal runtime.

pkg:default-libmysqlclient-dev is created to depend on
pkg:libmariadbclient-dev-compat.

What this gets us:

 1) Maintainers can build against whichever one they prefer, and/or the
 release team is in a position to be able to mandate a default as
 required.

 2) Users can build against either, and continue to use either. There is
 no system wide choice being forced here.

 3) No confusion between MySQL and MariaDB. "libmysqlclient.so.18" is
 always MySQL and "libmariadbclient.so.18" is always MariaDB.

 4) Maintainers need only change their build dependencies. Upstreams
 that try to link using "-lmysqlclient" will continue to work.

END OF PROPOSAL


I tested this and it appears to work.
https://git.launchpad.net/~racb/ubuntu/+source/mariadb-10.0/log/ is my
MariaDB test modification (PoC with amd64 hardcoded). I created a
fake "equivs" libmysqlclient-dev that depends only on
libmariadbclient-dev-compat, and dropped the necessary conflicts, for
testing purposes. cacti-spine (a simple consumer of libmysqlclient) then
successfully linked against libmariadbclient.so.18 and depended on
pkg:libmariadbclient18 with no further modification.

If we want to test more packages, it's sufficient to just rebuild them
with my test build dependencies available.

Some commentary on my justifications above:

1) I believe this is the core of what the release team requested in
terms of MySQL and MariaDB. I appreciate of course that whatever hackery
we do to make this happen is something the release team should weigh in
on also.

3) I really don't want to go down the route of "libmysqlclient.so.18"
actually being MariaDB. It may be ABI-compatible now, but what about the
future? MySQL 5.7 already bumps to libmysqlclient.so.20, for example. If
and until MariaDB ships an ABI-compatible libmysqlclient.so.20, are we
going to ship both, one from each upstream? What if MariaDB's one turns
out not to be ABI compatible? I think down this path lies madness.
sonames give us a method to avoid this conflict by using different
names. We should use this if we can.

Feedback on this approach appreciated.

Robie

Bug#829735: jessie-pu: package libdatetime-timezone-perl/1:1.75-2+2016f

[gregor herrmann]

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

I've prepared an update for libdatetime-timezone-perl in
jessie+jessie-updates which incorporates today's tzdata 2016f release
as a patch changing only the timezone data files.

One of the changes (Egypt) will be effective in 2 days unfortunately.

Manually stripped down debdiff attached.


Cheers,
gregor

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQJ8BAEBCgBmBQJXe+HaXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXREMUUxMzE2RTkzQTc2MEE4MTA0RDg1RkFC
QjNBNjgwMTg2NDlBQTA2AAoJELs6aAGGSaoGEAcP/0Pumcgoa4jUiaOnCzXxzh8V
2PVYg3agWltvP1JEQxPliBLn1LO/6f6QlVQXMikfHQd/Zl6OuHONECj3SxjMNHww
0W1y3xTQcuZ44GxHEwWdm3KXX7vThwwiyzFRvPAAnZ1BDPybOj/AQ8TfhowyTKuY
crR9Ua9yZiCPlbKayB1+iWPNxipnCZATmylQ91aI3F95mZJRTGrtBpIU6NXPqE1O
FZ1Nlbire496WRyAR5qz/P7UDtvFt90WeFjvUtgCJCwlIQbavfXrLPjpCidoEQ55
iJMusDIv6Zf73tdjyrGruvJKzULek8bkpSnA8grVfncPAAR8Jwxb1n7OaUe5He5Q
ArbzFyj8FYVtHGEcqUUgk79S/Iuakm2O5uoP8sab9HuuO+NiAYpsc2ud2vnto2mP
nvKuQJBD/KrTAFGYHhdcXmzqUZNGfc/OQUOB/MIlahV0quTMBUqZiRqmbxjL+o6P
gVtzTel7Pu4aVVpta55phHXUaHR4DdpsIfXj0HADm9dMF+ImcBvNlnkf3xG3zhUi
IsRNEtYoSFjrgA6isgLdd6i22QlTfOR6F2YQ+mwNfB//yTkmlB1hLlNslFEGDowa
o9iKQKMl76ix3j7ppLnTrlDIYbUVPKMycaVb4xMSD3JpYsvr/LN849SmWBuxyxex
wnRzl9hLgcPfU4+s8LYb
=cuZU
-END PGP SIGNATURE-
diff -Nru libdatetime-timezone-perl-1.75/debian/changelog libdatetime-timezone-perl-1.75/debian/changelog
--- libdatetime-timezone-perl-1.75/debian/changelog	2016-06-26 17:53:17.0 +0200
+++ libdatetime-timezone-perl-1.75/debian/changelog	2016-07-05 18:31:17.0 +0200
@@ -1,3 +1,13 @@
+libdatetime-timezone-perl (1:1.75-2+2016f) UNRELEASED; urgency=medium
+
+  * Update to Olson database version 2016f.
+Add patch debian/patches olson-2016f, which updates the timezone *.pm
+files, using upstream's tools/parse_olson script.
+This update contains contemporary changes for Africa/Cairo and
+Asia/Novosibirsk.
+
+ -- gregor herrmann   Tue, 05 Jul 2016 18:29:45 +0200
+
 libdatetime-timezone-perl (1:1.75-2+2016e) jessie; urgency=medium
 
   * Update to Olson database version 2016e.
diff -Nru libdatetime-timezone-perl-1.75/debian/patches/olson-2016f libdatetime-timezone-perl-1.75/debian/patches/olson-2016f
--- libdatetime-timezone-perl-1.75/debian/patches/olson-2016f	1970-01-01 01:00:00.0 +0100
+++ libdatetime-timezone-perl-1.75/debian/patches/olson-2016f	2016-07-05 18:31:17.0 +0200
@@ -0,0 +1,16705 @@
+Description: update to olson db 2016f
+Origin: vendor
+Author: gregor herrmann 
+Last-Update: 2016-07-05
+
+--- a/lib/DateTime/TimeZone/Africa/Abidjan.pm
 b/lib/DateTime/TimeZone/Africa/Abidjan.pm
+@@ -3,7 +3,7 @@
+ # DateTime::TimeZone module distribution in the tools/ directory
+ 
+ #
+-# Generated from debian/tzdata/africa.  Olson data version 2016e
++# Generated from debian/tzdata/africa.  Olson data version 2016f
+ #
+ # Do not edit this file directly.
+ #
+@@ -39,7 +39,7 @@
+ ],
+ ];
+ 
+-sub olson_version { '2016e' }
++sub olson_version { '2016f' }
+ 
+ sub has_dst_changes { 0 }
+ 
+--- a/lib/DateTime/TimeZone/Africa/Cairo.pm
 b/lib/DateTime/TimeZone/Africa/Cairo.pm
+@@ -3,7 +3,7 @@
+ # DateTime::TimeZone module distribution in the tools/ directory
+ 
+ #
+-# Generated from debian/tzdata/africa.  Olson data version 2016e
++# Generated from debian/tzdata/africa.  Olson data version 2016f
+ #
+ # Do not edit this file directly.
+ #
+@@ -1164,1093 +1164,26 @@
+ ],
+ [
+ 63547362000, #utc_start 2014-09-25 21:00:00 (Thu)
+-63603612000, #  utc_end 2016-07-07 22:00:00 (Thu)
++DateTime::TimeZone::INFINITY, #  utc_end
+ 63547369200, #  local_start 2014-09-25 23:00:00 (Thu)
+-63603619200, #local_end 2016-07-08 00:00:00 (Fri)
++DateTime::TimeZone::INFINITY, #local_end
+ 7200,
+ 0,
+ 'EET',
+ ],
+-[
+-63603612000, #utc_start 2016-07-07 22:00:00 (Thu)
+-63613285200, #  utc_end 2016-10-27 21:00:00 (Thu)
+-63603622800, #  local_start 2016-07-08 01:00:00 (Fri)
+-63613296000, #local_end 2016-10-28 00:00:00 (Fri)
+-10800,
+-1,
+-'EEST',
+-],
+-[
+-63613285200, #utc_start 2016-10-27 21:00:00 (Thu)
+-63629013600, #  utc_end 2017-04-27 22:00:00 (Thu)
+-63613292400, #  local_start 2016-10-27 23:00:00 (Thu)
+-63629020800, #local_end 2017-04-28 00:00:00 (Fri)
+-7200,
+-0,
+-'EET',
+-],
+-[
+-63629013600, #utc_start 2017-04-27 22:00:00 (Thu)
+-63631429200, #  utc_end 2017-05-25 21:00:00 (Thu)
+-63629024400, #  local_start 2017-04-28 01:00:00 (Fri)
+-6363144, #local_end 2017-05-26 00:00:00 (Fri)
+-10800,
+-1,
+-'EEST',
+-],
+-[
+-63631429200, #utc_start 2017-05-25 21:00:00 (Thu)
+-63634456800, #  utc_end 2017-06-29 22:00:00 (Thu)
+-63631436400, #  local_start 2017-05-25 23:00:00 (Thu)
+-63634464000, #local_end 2017-06-30 00:00:00 (Fri)
+-7200,
+-0,
+-'EET',
+-],
+-[
+-

Re: Thinking about a "jessie and a half" release

[Ben Hutchings]

On Tue, 2016-07-05 at 08:25 +0100, Rebecca N. Palmer wrote:
> Would it be possible/reasonable (at least for stretch) to have the 
> installer detect this and ask "your hardware appears to be too new for 
> this release, would you like to enable -backports?"

It might be, but it's going to be hard to tell what's 'too new'.  We
could check whether there are drivers that match the device IDs for the
detected PCI and USB devices.  However, we know that device IDs are
sometimes added to a driver before the driver has stable support for
those devices.  That question might also be giving false hope, in that
the devices not supported in stable might still be unsupported in
stable-backports.

> On 04/07/16 23:38, Ben Hutchings wrote:
> > As I understand it, xserver-xorg-video-modesetting should be used
> > instead of xserver-xorg-video-intel, for chips supported by the i915
> > kernel driver.  So the latter should be changed to limit the device IDs
> > it claims, then both of them should be backported.
> 
> This appears to be causing at least one actual problem: 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828087
[...]

Once this is fixed in unstable and then testing, I wonder how to fix
this for jessie-backports.  The modesetting driver is now part of
xserver-xorg-core and that has had a driver ABI bump which would
require backporting other driver packages.

Ben.

-- 

Ben Hutchings
Life is what happens to you while you're busy making other plans.
   - John
Lennon


signature.asc
Description: This is a digitally signed message part

Bug#829130: jessie-pu: package wget/1.16-1+deb8u1

[Noël Köthe]

Hello Salvatore and Stable Release Managers,

Am Dienstag, den 05.07.2016, 15:44 +0200 schrieb Salvatore Bonaccorso:

> > Package: release.debian.org
> > Severity: normal
> > Tags: jessie
> > User: release.debian@packages.debian.org
> > Usertags: pu

> > wget in stable is affected by CVE-2016-4971, an issue where wget 
...
> JFTR, if actually Noël Köthe  would like to do the
> upload himself, I can happily hand over.

I wasn't aware of this release bugreport (sorry). Thanks for CC:.
DSA informed me that there will be no DSA for this CVE and liked to see
this fixed by a jessie point release.
https://security-tracker.debian.org/tracker/CVE-2016-4971 (at the end
"no DSA").

Attached the minor changed debdiff based on the backported patch from
Salvatore.

I tested the resulting wget 1.16-1+deb8u1 package on a amd64 jessie
machine.

If the Stable Release Manager accept the changes I will upload the
package.

Regards

Noeldiff -Nru wget-1.16/debian/changelog wget-1.16/debian/changelog
--- wget-1.16/debian/changelog	2014-10-27 11:41:18.0 +0100
+++ wget-1.16/debian/changelog	2016-07-05 16:21:21.0 +0200
@@ -1,3 +1,15 @@
+wget (1.16-1+deb8u1) jessie; urgency=medium
+
+  * added patch for CVE-2016-4971. closes: #827003, #829130
+By default, on server redirects to a FTP resource, use the original
+URL to get the local file name. Close CVE-2016-4971.  This
+introduces a backward-incompatibility for HTTP->FTP redirects and
+any script that relies on the old  behaviour must use
+--trust-server-names.
+  * debian/rules fixed clean target
+
+ -- Noël Köthe   Mon, 04 Jul 2016 18:37:47 +0200
+
 wget (1.16-1) unstable; urgency=medium
 
   * new upstream release from 2014-10-27
diff -Nru wget-1.16/debian/patches/series wget-1.16/debian/patches/series
--- wget-1.16/debian/patches/series	2014-10-16 11:32:22.0 +0200
+++ wget-1.16/debian/patches/series	2016-06-30 17:21:45.0 +0200
@@ -1,4 +1,5 @@
 wget-doc-remove-usr-local-in-sample.wgetrc
 wget-doc-remove-usr-local-in-wget.texi
 wget-passive_ftp-default
+wget-CVE-2016-4971.patch 
 
diff -Nru wget-1.16/debian/patches/wget-CVE-2016-4971.patch wget-1.16/debian/patches/wget-CVE-2016-4971.patch
--- wget-1.16/debian/patches/wget-CVE-2016-4971.patch	1970-01-01 01:00:00.0 +0100
+++ wget-1.16/debian/patches/wget-CVE-2016-4971.patch	2016-07-05 16:09:10.0 +0200
@@ -0,0 +1,270 @@
+Description: ftp: understand --trust-server-names on a HTTP->FTP redirect
+ If not --trust-server-names is used, FTP will also get the destination
+ file name from the original url specified by the user instead of the
+ redirected url.  Closes CVE-2016-4971.
+Origin: backport, http://git.savannah.gnu.org/cgit/wget.git/commit/?id=e996e322ffd42aaa051602da182d03178d0f13e1
+Bug-Debian: https://bugs.debian.org/827003
+Forwarded: not-needed
+Author: Giuseppe Scrivano 
+Reviewed-by: Salvatore Bonaccorso 
+Last-Update: 2016-06-30
+Applied-Upstream: 1.18
+---
+
+--- a/src/ftp.c
 b/src/ftp.c
+@@ -235,14 +235,15 @@ print_length (wgint size, wgint start, b
+   logputs (LOG_VERBOSE, !authoritative ? _(" (unauthoritative)\n") : "\n");
+ }
+ 
+-static uerr_t ftp_get_listing (struct url *, ccon *, struct fileinfo **);
++static uerr_t ftp_get_listing (struct url *, struct url *, ccon *, struct fileinfo **);
+ 
+ /* Retrieves a file with denoted parameters through opening an FTP
+connection to the server.  It always closes the data connection,
+and closes the control connection in case of error.  If warc_tmp
+is non-NULL, the downloaded data will be written there as well.  */
+ static uerr_t
+-getftp (struct url *u, wgint passed_expected_bytes, wgint *qtyread,
++getftp (struct url *u, struct url *original_url,
++wgint passed_expected_bytes, wgint *qtyread,
+ wgint restval, ccon *con, int count, wgint *last_expected_bytes,
+ FILE *warc_tmp)
+ {
+@@ -992,7 +993,7 @@ Error in server response, closing contro
+ {
+   bool exists = false;
+   struct fileinfo *f;
+-  uerr_t _res = ftp_get_listing (u, con, &f);
++  uerr_t _res = ftp_get_listing (u, original_url, con, &f);
+   /* Set the DO_RETR command flag again, because it gets unset when
+  calling ftp_get_listing() and would otherwise cause an assertion
+  failure earlier on when this function gets repeatedly called
+@@ -1536,7 +1537,8 @@ Error in server response, closing contro
+This loop either gets commands from con, or (if ON_YOUR_OWN is
+set), makes them up to retrieve the file given by the URL.  */
+ static uerr_t
+-ftp_loop_internal (struct url *u, struct fileinfo *f, ccon *con, char **local_file)
++ftp_loop_internal (struct url *u, struct url *original_url, struct fileinfo *f,
++   ccon *con, char **local_file)
+ {
+   int count, orig_lp;
+   wgint restval, len = 0, qtyread = 0;
+@@ -1560,7 +1562,7 @@ ftp_loop_internal (struct url *u, struct
+   else
+ {
+   /

Bug#828630: jessie-pu: package libbusiness-creditcard-perl/0.33-1+deb8u1

[gregor herrmann]

On Sun, 26 Jun 2016 18:18:55 +0200, gregor herrmann wrote:

> > > In practice there are several options to do this update in stable:
> > > - What I've prepared (attached as a debdiff) for now is to backport
> > >   the functional and some documentation changes from 0.34 and 0.35 to
> > >   0.33 in 3 logically separate quilt patches, in order to make
> > >   reviewing easy. In practice this leaves out only some minor changes
> > >   in metadata and unrelated documentation changes from 0.35.
> > > - Ivan (upstream and Debian contributor) originally asked to take
> > >   the 0.35 release and upload it to stable (presumably as
> > >   0.35-0+deb8u1). This had the advantage of shipping a fully tested
> > >   release but is probably not the release team's typically preferred
> > >   way. -- Complete diff:
> > >   
> > > https://metacpan.org/diff/file?target=IVAN%2FBusiness-CreditCard-0.35%2F&source=IVAN%2FBusiness-CreditCard-0.33%2F
> > 
> > I'd be okay with either of those options, having looked at the upstream
> > diff.
> 
> Thanks, then I think we can proceed with the second option, i.e.
> updating to the "full" 0.35 release.
> 
> I'm attaching a new debdiff for the proposed upload.


*gentle ping*

(As in: "I'd rather be on the cautious side and have an explicit ACK
on the last debdiff before uploading.")


Cheers,
gregor

-- 
 .''`.  Homepage https://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer -  https://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   


signature.asc
Description: Digital Signature

Re: Unsattisfied dependency python-cffi-backend-api-min (<= 9729)

[Johannes Schauer]

Hi all,

Quoting Ralf Treinen (2016-07-05 15:51:58)
> One change I also spotted only very recently is that the --latest option now
> takes an integer argument. If you used -latest before you should replace it
> by "--latest 1" now.

from IRC, the error supposedly was:

STDERR:
Fatal error in module deb/debcudf.ml:
 Unable to get real version for libusb-1.0-0-dev:kfreebsd-i386 (20826)
 All Known versions for this package are (libusb-1.0-0-dev,2:1.0.19)

Aurélien told me that they will try to get some data for us to reproduce and
analyze the issue.

> Cheers from debconf in Cape Town -Ralf.

cheers to cape town!

josch


signature.asc
Description: signature

Re: Unsattisfied dependency python-cffi-backend-api-min (<= 9729)

[Ralf Treinen]

Hi Aurelien,

On Tue, Jul 05, 2016 at 03:12:06PM +0200, Aurelien Jarno wrote:

> > Thanks a lot, I have installed it on wuiet. It seems to work fine at a
> > first glance.
> 
> Unfortunately I had to revert it to the jessie version has it doesn't
> correctly compute the dependencies. It looks like something has changed
> in the command line interface, and I have no time to investigate now.

One change I also spotted only very recently is that the --latest option
now takes an integer argument. If you used -latest before you should
replace it by "--latest 1" now.

Cheers from debconf in Cape Town -Ralf.

Bug#829130: jessie-pu: package wget/1.16-1+deb8u1

[Salvatore Bonaccorso]

Hi,

On Thu, Jun 30, 2016 at 09:42:44PM +0200, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> Hi stable release managers,
> 
> wget in stable is affected by CVE-2016-4971, an issue where wget does
> not correctly handle filenames when beeing redirected from a HTTP to a
> FTP URL. We think that this does not necessarly need a DSA, but still
> would be good to be fixed in stable. I thus have prepared a debdiff,
> attached. Bug in BTS is #827003.
> 
> The debdiff contains an increasing debian/wget.debhelper.log.
> 
> If you allow me to, I can prepare a new debdiff, to clean this up as
> well, by using dh_prep instead of dh_clean -k for the build target.
> Would that be fine?
> 
> But attached the debdiff without that packaging change.

JFTR, if actually Noël Köthe  would like to do the
upload himself, I can happily hand over.

Regards,
Salvatore

Re: Unsattisfied dependency python-cffi-backend-api-min (<= 9729)

[Aurelien Jarno]

On 2016-07-05 14:36, Aurelien Jarno wrote:
> On 2016-07-02 22:03, Anton Gladky wrote:
> > Dear all,
> > 
> > I have just uploaded dose3_5.0-1~bpo8+1 into jessie-backports.
> > 
> 
> Thanks a lot, I have installed it on wuiet. It seems to work fine at a
> first glance.

Unfortunately I had to revert it to the jessie version has it doesn't
correctly compute the dependencies. It looks like something has changed
in the command line interface, and I have no time to investigate now.

Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net


signature.asc
Description: PGP signature

Processed: tagging 829606

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> # forgot to remove moreinfo on own reply
> tags 829606 - moreinfo
Bug #829606 [release.debian.org] jessie-pu: package duck/0.7+deb8u1
Removed tag(s) moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
829606: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829606
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Re: Thinking about a "jessie and a half" release

[Samuel Henrique]

2016-07-05 7:43 GMT-03:00 Jose R R :

> > Why would you call it "Jessie + 1/2"? Wouldn't it be a better idea
> Well IBM set a precedent for that: OS/2.
> Accordingly, Jessie BP could be called Jessie/2 ;-)


​Well, that would be a half Jessie, not Jessie and a half, right?​ We could
use 3Jessie/2 or Jessie3/2, or maybe not.

Mark Brown

> We're getting to the point where there's a fairly pressing need for
> arm64 - the more useful hardware is starting to get a wider distribution
> and we don't really have anything for people who want to run Debian
> that gets them a supported system with an upgrade path.
>

​We have Debian Stretch, which is what i recommend to anybody who wants do
install Debian as a desktop.

I understand the difference of running Debian Testing and Debian Stable
with some backported packages, but is it really worth it?
Shouldn't we discuss more the usability of Testing as a solid release, or
maybe start doing a stable release and another release kinda like Testing
but with more stability guarantees?

I'm not really sure, but i think opensuse has a model like that.

I use debian for a considerable amount of time now, but just started
interacting with the community recently, having installed debian to a lot
of new users on installfests over the years, one of the most common
problems i found out for novice Debian users is that they don't really know
how Debian releases works and thinks using stable in their laptop bought
last year is a good idea, then i always end up having a conversation where
they're needing help with problems related to using stable, i have to
explain things like: why their performance is crap, why they can't see
youtube html5 videos on iceweasel version lastversion-4, why they can't
install softwares like steam (wheezy was a hard one on this)* and how the
testing stability is the same, or better, than of the other distros they
used to use.
They always end up using Debian Testing, knowing that the main risk comes
when the unfreeze happens and that while the freeze is rolling they will
have a more stable debian (compared to when unfreezed).

*these are just some of the various conversations i've had.

​Unfortunately i' not attending DebConf, but it is a great opportunity to
discuss​ things like this there, maybe even form a team and work on
policies changes for this "new testing" release, if i'm not dreaming too
big.


Samuel Henrique O. P. [samueloph]

Bug#826568: jessie-pu: package sendmail/8.14.4-8+deb8u1

[Andreas Beckmann]

On 2016-07-05 11:51, Adam D. Barratt wrote:
> On a related note, which has been mentioned before (on dda at least) -
> please don't name your .changes file _amd64.changes if the package
> builds amd64 binaries and they're not included in the upload. dak keeps

That's dpkg-buildpackage -g in stable. It is fixed in sid. (#826161)

Guillem, could #826161 be fixed in stable, too?


Andreas

Re: Thinking about a "jessie and a half" release

[Martin Zobel-Helas]

Hi Steve, 

On Mon Jul 04, 2016 at 14:01:03 +0100, Steve McIntyre wrote:
> A lot of arm64 machine users would benefit from this, and maybe owners
> of very recent amd64 machines too, with better support for things on
> the Skylake platform. Those are the only two architectures I'm
> thinking of supporting at this point.
> 
> Is anybody else interested in helping? Thoughts/comments?

from a cloud image users perspective this sounds like a great idea.
There are several things eg. in the kernel with 10GE network drivers,
where a newer kernel would  definitivly help a lot. Also maybe newer
cloud-init and friends would help.

Please go for it.

+1 from my side.

Cheers,
Martin
-- 
 Martin Zobel-Helas Debian System Administrator
 Debian & GNU/Linux Developer   Debian Listmaster
 http://about.me/zobel   Debian Webmaster
 GPG Fingerprint:  6B18 5642 8E41 EC89 3D5D  BDBB 53B1 AC6D B11B 627B 

Re: Unsattisfied dependency python-cffi-backend-api-min (<= 9729)

[Aurelien Jarno]

On 2016-07-02 22:03, Anton Gladky wrote:
> Dear all,
> 
> I have just uploaded dose3_5.0-1~bpo8+1 into jessie-backports.
> 

Thanks a lot, I have installed it on wuiet. It seems to work fine at a
first glance.

Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net


signature.asc
Description: PGP signature

Bug#829145: transition: glibc 2.23

[Emilio Pozuelo Monfort]

On 04/07/16 00:48, Aurelien Jarno wrote:
> On 2016-07-01 09:42, Emilio Pozuelo Monfort wrote:
>> Control: tags -1 confirmed
>>
>> On 01/07/16 01:41, Aurelien Jarno wrote:
>>> Package: release.debian.org
>>> Severity: normal
>>> User: release.debian@packages.debian.org
>>> Usertags: transition
>>>
>>> Dear release team,
>>>
>>> We would like to get a transition slot for glibc 2.23. It is currently
>>> available in experimental and has been built successfully on all
>>> official architectures except hurd-i386. We have fixed the hurd-i386
>>> failure in out git, and we are working on build failures for alpha, hppa
>>> and sparc64. There are due to testsuite issue, mostly in the math parts
>>> and do not look very critical.
>>>
>>> It should be noted that this upload will make a few packages to FTBFS,
>>> mostly due to more precise checking in the floating-point classification
>>> macros (isnan, isinf, ...). In most of the cases the changes just make
>>> existing bugs visible. The list of affected packages is available [1]
>>> (thanks to Martin Michlmayr), and the bugs have been opened for more
>>> than 3 months.
>>>
>>> As the glibc is using symbol versioning, there is no soname change. That
>>> said a few packages are using libc internal symbols and have to be
>>> rebuilt for this transition:
>>>  - apitrace
>>>  - bro
>>>  - dante
>>>  - libnih
>>>  - libnss-db
>>>  - unscd
>>>  
>>> Here is the corresponding ben file:
>>>  
>>> title = "glibc";
>>> is_affected = .depends ~ /libc[0-9.]* \(<>> is_good = .depends ~ /libc[0-9.]* \(<< 2.24\)/;
>>> is_bad = .depends ~ /libc[0-9.]* \(<< 2.23\)/;
>>>
>>> In addition to that, a few new symbols have been added that might
>>> prevent a few other packages to transition to testing if they pick up
>>> the new symbols, namely the fts64_* and the lgamma* ones. It should not
>>> concerns many packages.
>>
>> Go ahead.
> 
> It has just been accepted by dak.

binnmus scheduled.

Cheers,
Emilio

Bug#829371: transition: ntl

[Julien Puydt]

Hi,

On 04/07/2016 14:13, Jonathan Wiltshire wrote:

On 2016-07-03 10:30, Jonathan Wiltshire wrote:

Control: tag -1 confirmed

On 2016-07-02 21:58, Julien Puydt wrote:

I checked that these new ntl packages make it possible to build eclib,
flint, linbox, singular and flint-arb on an amd64 debian box, so I
don't expect any new problem.


Please go ahead.


Seems to have happened, so rebuilds scheduled.


I still follow things on the auto-ntl tracker, so I don't see if 
anything happens with flint-arb : is it ok ?


Snark on #debian-science

Re: [debian-mysql] About packages that depend on mysql-* / mariadb / virtual-mysql-*

[peter green]

2016-07-02 17:53 GMT+03:00 Otto Kekäläinen:
>  This is modeled after how default-jdk or default-mta works.

Actually default-jdk is a real metapackage, while default-mta is a
pure virtual package. I am not sure which way to pick here now.

https://packages.debian.org/jessie/default-mta
https://packages.debian.org/jessie/default-jdk
   

It depends on what behaviour you want on dist-upgrade.

A real package will stick arround, so if you switch the default then a 
dist-upgrade will pull in the new default. On the other hand a virtual 
package is never installed as such, so existing systems will keep their 
existing implementation.

Re: Thinking about a "jessie and a half" release

[Jose R R]

On Tue, Jul 5, 2016 at 2:01 AM, Christian Seiler  wrote:
>
> On 07/04/2016 03:01 PM, Steve McIntyre wrote:
> > There's something I've been pondering for a while, along with some
> > other folks - it might be useful to do a "jessie and a half" release,
> > similarly to what we did in the etch days. That's *basically* just
> > like a normal jessie release, but with a few key updates:
> >
> >  * backports kernel
> >  * rebuilt d-i to match that kernel
> >  * X drivers
> >  * ... (other things that might be needed for consistency)
> >
> > all rolled up with a small installer image build (netinst, maybe DVD#1).
>
> Why would you call it "Jessie + 1/2"? Wouldn't it be a better idea
Well IBM set a precedent for that: OS/2.
Accordingly, Jessie BP could be called Jessie/2 ;-)

> to regularly have a "backports installer" netinst image? So when
> 8.6 (or 8.7 if it takes longer) comes around, there'll be an image,
> part of the point release, that will contain the backports kernel
> that's current at that time, plus the installer will enable backports
> automatically, plus it will install a preferences.d file that will
> enable pulling kernel + X11 drivers from backports. (But not other
> things.)
>
> This could then be a regular part of the released installer images,
> and any new major release (e.g. Stretch 9.0) would enable the
> preferences.d file + backports automatically, but would still use
> the regular kernel at that point (because there'd be no backports
> then).
>
> That way, you'd have a little more work in the installer in creating
> an image that uses a backports kernel, but there'd be no need in
> having to support a new release in addition to Jessie, because the
> installed system would be equivalent to Jessie + upgrade kernel to
> backports + remove old kernel package. Which is already something
> that people do _now_.
>
> Regards,
> Christian
>


Good luck!

-- 
Jose R R
http://metztli.it
-
Try at no charge http://b2evolution.net for http://OpenShift.com PaaS
-
from our GitHub http://Nepohualtzintzin.com repository. Cloud the easy way!
-

Re: About packages that depend on mysql-* / mariadb / virtual-mysql-*

[Otto Kekäläinen]

2016-07-05 12:41 GMT+03:00 Jonathan Wiltshire :
> I don't think I understand why you would have both virtual-mysql-* and
> default-mysql-* packages for dependencies (leaving aside build-deps). If a
> package requires one of the variants, it will need an explicit dependency.
> If it doesn't care, it should use the default.
>
> Therefore are the virtual-* packages required?
>
> As virtual packages provided by >1 package breaks build-dependency
> handling, if there is any danger that these might be used in build-depends
> they should be meta-packages, not virtual.

Maintainers need to have 2 options:

1. depend on a specific one
OR
2. depend on the default one but be work with any of them

default-mysql-* only points to a single option. If the admin of system
has already installed MariaDB, Oracle, Percona, mysql-wsrep or
whatever is available from 3rd party repositories, they should be able
to continue using that option and not forced into installing what
default-mysql-* points to.

Using "Depends: mysql-default-server | virtual-mysql-server" allows
this flexibility. Also, mysql-virtual-* has been in production since
2013 and is implemented everywhere, we should not break it now.

>> > 3. libmysqlclient.so.18
...
> I wonder if pkgconfig can be any help here? That involves a one-time change
> to client packages if they don't already use pkgconfig but doesn't have to
> be repeated if the default switches.

I don't know, I am not faimiliar with it. I'll research.

Bug#826568: jessie-pu: package sendmail/8.14.4-8+deb8u1

[Adam D. Barratt]

On Sun, 2016-07-03 at 17:50 +0200, Adam D. Barratt wrote:
> Uploaded and flagged for acceptance.

On a related note, which has been mentioned before (on dda at least) -
please don't name your .changes file _amd64.changes if the package
builds amd64 binaries and they're not included in the upload. dak keeps
the changes files in dists/proposed-updates until they're manually
cleared out as part of a point release, so the buildd upload on amd64
was rejected due to there already being an _amd64.changes there.

I've asked ftp-master to rename and accept the buildd upload, but it
makes me a little unhappy every time I have to do so.

Regards,

Adam

Re: About packages that depend on mysql-* / mariadb / virtual-mysql-*

[Jonathan Wiltshire]

On Sun, Jul 03, 2016 at 12:46:29PM +0100, Otto Kekäläinen wrote:
> On the pkg-mysql-maint team we have discussed providing a new scheme
> to complement the existing virtual-mysql-* scheme. We plan to
> introduce new purely virtual packages, that are provided only by
> MariaDB:
> - default-mysql-client
> - default-mysql-client-core
> - default-mysql-server
> - default-mysql-server-core
> - default-libmysqlclient
> 
> (the last item on the list is my own addition, see point 3 below)
> 
> Once these are available we would announce them on debian-devel@ and
> ask all packagers to update existing "Depends: mysql-*" to "Depends:
> default-mysql-*"
> 
> If release team whished to switch defaults, then it is just a matter
> on deciding which package shall provide these default-mysql-* virtual
> packages. This is how e.g. default-mta works and is provided by
> Postfix.

I don't think I understand why you would have both virtual-mysql-* and
default-mysql-* packages for dependencies (leaving aside build-deps). If a
package requires one of the variants, it will need an explicit dependency.
If it doesn't care, it should use the default.

Therefore are the virtual-* packages required?

As virtual packages provided by >1 package breaks build-dependency
handling, if there is any danger that these might be used in build-depends
they should be meta-packages, not virtual.

> > 3. libmysqlclient.so.18
> 
> Here theres's no concensus yet within the pkg-mysql-maint team on this one.
> 
> I suggest we extend the mysql-defaults source package to provide a
> real default-mysqlclient-dev metapackage, which other packages can
> build depend on, using versions if needed (just as default-jdk does).

Yes.

> Current mariadb-10.0 source package does not ship any
> libmariadbclient18 nor libmariadbclient-dev packages at all, as
> previously it was seen as against the policy (but mariadb-5.5 in
> Debian did). I suggest we start producing them now again to make a
> libmysqlclient.so(.18) available from mariadb-10.0.
> 
> Having two libmysqlclient.so.18 files from two different packages is a
> controversial topic. They are not identical so it is ugly to use the
> same name. This is however a necessity dictated by the need to provide
> a drop-in-replacement that can be used directly without going into
> every single clienting program and editing the C headers and soname
> calls.

We discussed this in the release team and concluded that having two
libmysqlclient.so.18 files in two packages is likely to run into problems
later if/when they diverge, so there is no point delaying that pain.
Especially as they are not identical even now.

I wonder if pkgconfig can be any help here? That involves a one-time change
to client packages if they don't already use pkgconfig but doesn't have to
be repeated if the default switches.



-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Re: Thinking about a "jessie and a half" release

[Mark Brown]

On Tue, Jul 05, 2016 at 10:52:37AM +0200, Ben Hutchings wrote:
> On Tue, 2016-07-05 at 10:07 +0200, Mark Brown wrote:

> > We're getting to the point where there's a fairly pressing need for
> > arm64 - the more useful hardware is starting to get a wider distribution
> > and we don't really have anything for people who want to run Debian
> > that gets them a supported system with an upgrade path.

> I'm not questioning whether it would be good to have this now.  But we
> don't have it now and won't have it for some time.

So long as it's substantially before the next release it shuld still be
useful.


signature.asc
Description: PGP signature

Re: Thinking about a "jessie and a half" release

[Christian Seiler]

On 07/04/2016 03:01 PM, Steve McIntyre wrote:
> There's something I've been pondering for a while, along with some
> other folks - it might be useful to do a "jessie and a half" release,
> similarly to what we did in the etch days. That's *basically* just
> like a normal jessie release, but with a few key updates:
> 
>  * backports kernel
>  * rebuilt d-i to match that kernel
>  * X drivers
>  * ... (other things that might be needed for consistency)
> 
> all rolled up with a small installer image build (netinst, maybe DVD#1).

Why would you call it "Jessie + 1/2"? Wouldn't it be a better idea
to regularly have a "backports installer" netinst image? So when
8.6 (or 8.7 if it takes longer) comes around, there'll be an image,
part of the point release, that will contain the backports kernel
that's current at that time, plus the installer will enable backports
automatically, plus it will install a preferences.d file that will
enable pulling kernel + X11 drivers from backports. (But not other
things.)

This could then be a regular part of the released installer images,
and any new major release (e.g. Stretch 9.0) would enable the
preferences.d file + backports automatically, but would still use
the regular kernel at that point (because there'd be no backports
then).

That way, you'd have a little more work in the installer in creating
an image that uses a backports kernel, but there'd be no need in
having to support a new release in addition to Jessie, because the
installed system would be equivalent to Jessie + upgrade kernel to
backports + remove old kernel package. Which is already something
that people do _now_.

Regards,
Christian



signature.asc
Description: OpenPGP digital signature

Re: Thinking about a "jessie and a half" release

[Ben Hutchings]

On Tue, 2016-07-05 at 10:07 +0200, Mark Brown wrote:
> On Mon, Jul 04, 2016 at 07:05:42PM +0200, Ben Hutchings wrote:
> > On Mon, 2016-07-04 at 14:01 +0100, Steve McIntyre wrote:
> 
> > > A lot of arm64 machine users would benefit from this, and maybe owners
> > > of very recent amd64 machines too, with better support for things on
> > > the Skylake platform. Those are the only two architectures I'm
> > > thinking of supporting at this point.
> 
> > > Is anybody else interested in helping? Thoughts/comments?
> 
> > When do you anticipate this would be releasable?  Would it really be
> > long enough before stretch, to be worthwhile?
> 
> We're getting to the point where there's a fairly pressing need for
> arm64 - the more useful hardware is starting to get a wider distribution
> and we don't really have anything for people who want to run Debian
> that gets them a supported system with an upgrade path.

I'm not questioning whether it would be good to have this now.  But we
don't have it now and won't have it for some time.

Ben.

-- 

Ben Hutchings
Life is what happens to you while you're busy making other plans.
   - John
Lennon


signature.asc
Description: This is a digitally signed message part

Bug#827160: jessie-pu: package dosfstools/3.0.27-1+deb8u1

[Petter Reinholdtsen]

[Andreas Bombe]
> If you strongly expect it to be accepted as it is, then push it.
>
> Or wait with tagging until it is accepted. Moving tags and releases
> that aren't releases after all is something I'd like to avoid.

Right.  I believe the changes are sound and suspect the release team
agree with me that fixing also minor security issues in Stable is
important. Because of this, I've pushed the changes, but not added the
tag.  I suspect it would help if you the package maintainer believe
these changes should go into stable too.

Btw, do you know why there is no BTS report about these two CVEs?

--
Happy hacking
Petter Reinholdtsen

Re: Thinking about a "jessie and a half" release

[Steve McIntyre]

On Mon, Jul 04, 2016 at 04:01:10PM -0400, Nicholas D Steeves wrote:
>>>
>>> Is anybody else interested in helping? Thoughts/comments?
>
>Yes, it's a project I'm already working on ;-)  Is this project a
>candidate for a new Debian Team?

I guess so, yes. :-)

>>  2. Does it have to be called "jessie and a half"? (How much is the
>> concept understood across users? Wouldn't it be a better idea to
>> squeeze the "backports" concept into the name somehow?)
>
>Maybe something like jessie-fresh-unofficial?

I'm definitely *not* thinking of saying this is "unofficial" - I'm
wanting this to be blessed as an additional installation option here.

>On 4 July 2016 at 13:13, Hideki Yamane  wrote:
>>
>>  Just a comment. I don't have any objection for this proposal.
>>
>>  However, not only half but also updates with some point is better
>>  to deliver value for users, I hope it'll be in Stretch cycle.
>>
>>  Recently I've read "lean software development" and it's quite
>>  impressive for me. "deliver value to users" is one of the most
>>  important thing in Debian (it means "do continuous improvement
>>  for stable"), IMO.
>
>Agreed!  Also, OpenSUSE has been doing this with their post-42.x
>release model.  Mind you, to the best of my knowledge Debian has
>always cherry picked fixes and essential hardware enablement fixes for
>the stable packages (eg: intel-microcode).  This newly proposed Debian
>project seems to be a more aggressive approach...but does it also have
>a client machine focus to the exclusion of servers, or should it serve
>both?

I'm more concerned about easy installation on new "client" x86
machines at this point, and for arm64 machines in general as they've
seen massive changes since we released jessie. I don't think x86
server machines are such an issue, but I'm open-minded if somebody
wants to argue otherwise.

-- 
Steve McIntyre, Cambridge, UK.st...@einval.com
"C++ ate my sanity" -- Jon Rabone

Re: Thinking about a "jessie and a half" release

[Mark Brown]

On Mon, Jul 04, 2016 at 07:05:42PM +0200, Ben Hutchings wrote:
> On Mon, 2016-07-04 at 14:01 +0100, Steve McIntyre wrote:

> > A lot of arm64 machine users would benefit from this, and maybe owners
> > of very recent amd64 machines too, with better support for things on
> > the Skylake platform. Those are the only two architectures I'm
> > thinking of supporting at this point.

> > Is anybody else interested in helping? Thoughts/comments?

> When do you anticipate this would be releasable?  Would it really be
> long enough before stretch, to be worthwhile?

We're getting to the point where there's a fairly pressing need for
arm64 - the more useful hardware is starting to get a wider distribution
and we don't really have anything for people who want to run Debian
that gets them a supported system with an upgrade path.


signature.asc
Description: PGP signature

Re: Thinking about a "jessie and a half" release

[Steve McIntyre]

On Mon, Jul 04, 2016 at 03:12:34PM +0200, Cyril Brulebois wrote:
>Hi,
>
>Steve McIntyre  (2016-07-04):
>> There's something I've been pondering for a while, along with some
>> other folks - it might be useful to do a "jessie and a half" release,
>> similarly to what we did in the etch days. That's *basically* just
>> like a normal jessie release, but with a few key updates:
>> 
>>  * backports kernel
>
>That's a given.
>
>>  * rebuilt d-i to match that kernel
>
>You know there are patches around for that.

ACK. :-)

>>  * X drivers
>
>I don't see backports for them.

I installed a backport Intel xserver driver over the weekend at the
installfest, and it helped the user in question.

>>  * ... (other things that might be needed for consistency)
>> 
>> all rolled up with a small installer image build (netinst, maybe
>> DVD#1).
>
>That'd probably make it easy to decide how to resolve open questions
>with my "d-i vs. backported kernel" patches.

Cool.

>> Is anybody else interested in helping? Thoughts/comments?
>
>Questions:
> 1. Is it going to pick pieces from backports only? (See X question
>above.)

That's my current plan, unless people have good arguments otherwise.

> 2. Does it have to be called "jessie and a half"? (How much is the
>concept understood across users? Wouldn't it be a better idea to
>squeeze the "backports" concept into the name somehow?)

I'm not attached to any particular name. Something like "Jessie
Backport August 2016" would work for me too - suggest a better name?

> 3. What about security support once the system is installed? (Which
>can be answered along with 1., I suppose.)

Most of the core packages I'd expect to use in backports are seeing
regular updates AFAICS. That's probably enough?

-- 
Steve McIntyre, Cambridge, UK.st...@einval.com
You lock the door
And throw away the key
There's someone in my head but it's not me 

Re: Thinking about a "jessie and a half" release

[Russell Stuart]

On Tue, 2016-07-05 at 08:25 +0100, Rebecca N. Palmer wrote:
> Have you reported this bug (with the full warnings)?  If not, please
> do so.

I haven't.  If I got a response at all to "My monitor doesn't work" it
looks to me it would be: compile latest source with instrumentation
turned on and send log.  I've tried compiling the Intel drivers before
- I could not get patches to apply.

Fortunately, others get the same backtrace:

  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1523088

It probably isn't related to my monitor not displaying, but I won't be
able to tell until 4.8, when the patch addressing that report is
scheduled to make it to a released kernel.  Like I said, progress is
slw.

My point is really the 4.4 kernel is nothing special for amd64.
 Laptop's with Intel chipsets that started shipping over 6 months ago
don't work 100% with it.  Actually from memory the Intel GPU driver
opps's on occasion in 4.4.

signature.asc
Description: This is a digitally signed message part

Re: Thinking about a "jessie and a half" release

[Rebecca N. Palmer]

Would it be possible/reasonable (at least for stretch) to have the 
installer detect this and ask "your hardware appears to be too new for 
this release, would you like to enable -backports?"


On 04/07/16 23:38, Ben Hutchings wrote:

As I understand it, xserver-xorg-video-modesetting should be used
instead of xserver-xorg-video-intel, for chips supported by the i915
kernel driver.  So the latter should be changed to limit the device IDs
it claims, then both of them should be backported.


This appears to be causing at least one actual problem: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828087


(The other backports-kernel bugs known to me are 
https://lists.debian.org/debian-backports/2016/06/threads.html#00133 
(appears to be fixed in 4.6) and 
https://lists.debian.org/debian-backports/2016/06/threads.html#00139 (no 
details yet)).


Russell Stuart wrote:

Currently 4.6.0 doesn't work with skylake for me when I plug in a
3440x1440 monitor on a Dell XPS 9550, both with and without xserver-
xorg-video-intel installed.  It never has worked reliably on any kernel
version.  Currently, the monitor works maybe 20% of the time - so if
you persist for 5 boots you've got a reasonable chance of getting
lucky. The only noticeable change from 4.5 to 4.6 is in the kernel
backtraces produced - they have got fewer, and they are only warnings
now.


Have you reported this bug (with the full warnings)?  If not, please do so.