Bug#854658: unblock pre-approval request for gitlab

[Pirate Praveen]

On ഞായര്‍ 12 ഫെബ്രുവരി 2017 12:24 രാവിലെ, Niels Thykier wrote:
> The two patches in the bug looks ok; assuming only a changelog entry on
> top of that, then it is a approved.
>
> For future requests: Could you please provide a source debdiff? It makes
> it easier for us for us to figure out what will be approved (which will
> hopefully also give you faster response times from us).
Attaching the debdiff (I'll upload it once current version in unstable
migrates to testing).

I just wanted to check if such changes will be accepted before starting
the work on it.
diff -Nru gitlab-8.13.11+dfsg/debian/adduser.sh 
gitlab-8.13.11+dfsg/debian/adduser.sh
--- gitlab-8.13.11+dfsg/debian/adduser.sh   2017-02-07 11:24:36.0 
+0530
+++ gitlab-8.13.11+dfsg/debian/adduser.sh   2017-02-16 17:35:29.0 
+0530
@@ -8,9 +8,9 @@
 
 # Create gitlab user with home in /var/lib
 echo "Creating/updating ${gitlab_user} user account..."
-adduser --system --home /var/lib/${gitlab_user} --gecos "${gitlab_user} user" 
--shell /bin/sh \
+adduser --system --home ${gitlab_data_dir} --gecos "${gitlab_user} user" 
--shell /bin/sh \
--quiet --disabled-password --group ${gitlab_user} || {
 echo "Proceeding with existing ${gitlab_user} user..."
   }
-echo "Making ${gitlab_user} owner of /var/lib/${gitlab_user}..."
-chown -R ${gitlab_user} /var/lib/${gitlab_user}
+echo "Making ${gitlab_user} owner of ${gitlab_data_dir}..."
+chown -R ${gitlab_user} ${gitlab_data_dir}
diff -Nru gitlab-8.13.11+dfsg/debian/changelog 
gitlab-8.13.11+dfsg/debian/changelog
--- gitlab-8.13.11+dfsg/debian/changelog2017-02-07 11:24:36.0 
+0530
+++ gitlab-8.13.11+dfsg/debian/changelog2017-02-16 17:35:29.0 
+0530
@@ -1,3 +1,14 @@
+gitlab (8.13.11+dfsg-3) unstable; urgency=medium
+
+  * Allow choosing gitlab user (Closes: #854617)
+  * Optionally remove all data on purge (Closes: #821087, #839929)
+
+  [ Johannes Schauer ]
+  * Amend the README.Debian with instructions of how to upgrade from
+non-Debian installations (Closes: #823743)
+
+ -- Pirate Praveen   Thu, 16 Feb 2017 17:35:29 +0530
+
 gitlab (8.13.11+dfsg-2) unstable; urgency=medium
 
   * Use upstream patch for git 2.11 support (Closes: #853251)
diff -Nru gitlab-8.13.11+dfsg/debian/conf/gitlab-debian.conf.example 
gitlab-8.13.11+dfsg/debian/conf/gitlab-debian.conf.example
--- gitlab-8.13.11+dfsg/debian/conf/gitlab-debian.conf.example  2017-02-07 
11:24:36.0 +0530
+++ gitlab-8.13.11+dfsg/debian/conf/gitlab-debian.conf.example  2017-02-16 
17:35:29.0 +0530
@@ -1,6 +1,5 @@
 RAILS_ENV=production
 DB=postgres
-gitlab_user=gitlab
 gitlab_app_root=/usr/share/gitlab
 gitlab_data_dir=/var/lib/gitlab
 gitlab_cache_path=/var/cache/gitlab
@@ -20,6 +19,9 @@
 gitlab_shell_log=/var/log/gitlab-shell
 gitlab_log_dir=/var/log/gitlab
 gitlab_pid_path=/run/gitlab
+gitlab_tmpfiles_example=/usr/share/doc/gitlab/tmpfiles.d/gitlab.conf.example
+gitlab_tmpfiles_private=/var/lib/gitlab/tmpfiles.d-gitlab.conf
+gitlab_tmpfiles=/usr/lib/tmpfiles.d/gitlab.conf
 nginx_user=www-data
 nginx_conf_example=/usr/share/doc/gitlab/nginx.conf.example
 nginx_ssl_conf_example_gz=/usr/share/doc/gitlab/nginx.ssl.conf.example.gz
diff -Nru gitlab-8.13.11+dfsg/debian/conf/gitlab.yml.example 
gitlab-8.13.11+dfsg/debian/conf/gitlab.yml.example
--- gitlab-8.13.11+dfsg/debian/conf/gitlab.yml.example  2017-02-07 
11:24:36.0 +0530
+++ gitlab-8.13.11+dfsg/debian/conf/gitlab.yml.example  2017-02-16 
17:35:29.0 +0530
@@ -46,7 +46,7 @@
 # relative_url_root: /gitlab
 
 # Uncomment and customize if you can't use the default user to run GitLab 
(default: 'git')
-user: gitlab
+user: GITLAB_USER
 user_home: /var/lib/gitlab
 
 ## Date & Time settings
diff -Nru gitlab-8.13.11+dfsg/debian/conf/tmpfiles.d/gitlab.conf 
gitlab-8.13.11+dfsg/debian/conf/tmpfiles.d/gitlab.conf
--- gitlab-8.13.11+dfsg/debian/conf/tmpfiles.d/gitlab.conf  2017-02-07 
11:24:36.0 +0530
+++ gitlab-8.13.11+dfsg/debian/conf/tmpfiles.d/gitlab.conf  1970-01-01 
05:30:00.0 +0530
@@ -1,2 +0,0 @@
-d /run/gitlab 2750 gitlab www-data -
-L /run/gitlab/cache - - - - /var/cache/gitlab
diff -Nru gitlab-8.13.11+dfsg/debian/conf/tmpfiles.d/gitlab.conf.example 
gitlab-8.13.11+dfsg/debian/conf/tmpfiles.d/gitlab.conf.example
--- gitlab-8.13.11+dfsg/debian/conf/tmpfiles.d/gitlab.conf.example  
1970-01-01 05:30:00.0 +0530
+++ gitlab-8.13.11+dfsg/debian/conf/tmpfiles.d/gitlab.conf.example  
2017-02-16 17:35:29.0 +0530
@@ -0,0 +1,2 @@
+d /run/gitlab 2750 GITLAB_USER www-data -
+L /run/gitlab/cache - - - - /var/cache/gitlab
diff -Nru gitlab-8.13.11+dfsg/debian/config gitlab-8.13.11+dfsg/debian/config
--- gitlab-8.13.11+dfsg/debian/config   2017-02-07 11:24:36.0 +0530
+++ gitlab-8.13.11+dfsg/debian/config   2017-02-16 17:35:29.0 +0530
@@ -24,3 +24,7 @@
 db_go
   fi
 fi
+
+# Do you want to change gitlab user?
+db_input high gitlab/user || true
+db_g

Bug#855356: marked as done (unblock: mupdf/1.9a+ds1-3)

[Debian Bug Tracking System]

Your message dated Fri, 17 Feb 2017 06:45:00 +
with message-id 
and subject line Re: Bug#855356: unblock: mupdf/1.9a+ds1-3
has caused the Debian Bug report #855356,
regarding unblock: mupdf/1.9a+ds1-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
855356: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855356
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package mupdf

Security fixes

   * CVE-2017-5896: use-after-free in fz_subsample_pixmap()  (Closes: #854734)
   * CVE-2017-5991: NULL pointer dereference in pdf_run_xobject()

unblock mupdf/1.9a+ds1-3

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru mupdf-1.9a+ds1/debian/changelog mupdf-1.9a+ds1/debian/changelog
--- mupdf-1.9a+ds1/debian/changelog 2016-11-15 00:07:55.0 +0800
+++ mupdf-1.9a+ds1/debian/changelog 2017-02-16 23:43:55.0 +0800
@@ -1,3 +1,10 @@
+mupdf (1.9a+ds1-3) unstable; urgency=high
+
+  * CVE-2017-5896: use-after-free in fz_subsample_pixmap()  (Closes: #854734)
+  * CVE-2017-5991: NULL pointer dereference in pdf_run_xobject()
+
+ -- Kan-Ru Chen (陳侃如)   Thu, 16 Feb 2017 23:43:55 +0800
+
 mupdf (1.9a+ds1-2) unstable; urgency=medium
 
   * Acknowledge NMU.
diff -Nru mupdf-1.9a+ds1/debian/patches/0008-CVE-2016-8674.patch 
mupdf-1.9a+ds1/debian/patches/0008-CVE-2016-8674.patch
--- mupdf-1.9a+ds1/debian/patches/0008-CVE-2016-8674.patch  2016-11-14 
23:56:43.0 +0800
+++ mupdf-1.9a+ds1/debian/patches/0008-CVE-2016-8674.patch  2017-02-16 
23:43:55.0 +0800
@@ -1,10 +1,6 @@
-From: Kan-Ru Chen 
-Date: Mon, 14 Nov 2016 23:55:28 +0800
-Subject: CVE-2016-8674
-
 From: Robin Watts 
 Date: Thu, 22 Sep 2016 13:44:45 +0100
-Subject: [PATCH] Bug 697015: Avoid object references vanishing during repair.
+Subject: Bug 697015: Avoid object references vanishing during repair.
 
 A PDF repair can be triggered 'just in time', when we encounter
 a problem in the file. The idea is that this can happen without
diff -Nru mupdf-1.9a+ds1/debian/patches/0009-CVE-2017-5896.patch 
mupdf-1.9a+ds1/debian/patches/0009-CVE-2017-5896.patch
--- mupdf-1.9a+ds1/debian/patches/0009-CVE-2017-5896.patch  1970-01-01 
08:00:00.0 +0800
+++ mupdf-1.9a+ds1/debian/patches/0009-CVE-2017-5896.patch  2017-02-16 
23:43:55.0 +0800
@@ -0,0 +1,47 @@
+From: Robin Watts 
+Date: Thu, 9 Feb 2017 07:12:16 -0800
+Subject: bug 697515: Fix out of bounds read in fz_subsample_pixmap
+
+Pointer arithmetic for final special case was going wrong.
+---
+ source/fitz/pixmap.c | 6 --
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c
+index 6897fe3..66eb2b2 100644
+--- a/source/fitz/pixmap.c
 b/source/fitz/pixmap.c
+@@ -1420,6 +1420,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int 
h, int f, int factor,
+   
"@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,back5,divXY\n"
+   "ldrr4, [r13,#4*22] @ r4 = divXY\n"
+   "ldrr5, [r13,#4*11] @ for (nn = n; nn > 0; n--) {   \n"
++  "ldrr8, [r13,#4*17] @ r8 = back4\n"
+   "18:@   \n"
+   "movr14,#0  @ r14= v = 0\n"
+   "subr5, r5, r1, LSL #8  @ for (xx = x; xx > 0; x--) {   \n"
+@@ -1436,7 +1437,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int 
h, int f, int factor,
+   "mulr14,r4, r14 @ r14= v *= divX\n"
+   "movr14,r14,LSR #16 @ r14= v >>= 16 \n"
+   "strb   r14,[r9], #1@ *d++ = r14\n"
+-  "subr0, r0, r8  @ s -= back2\n"
++  "subr0, r0, r8  @ s -= back4\n"
+   "subs   r5, r5, #1  @ n--   \n"
+   "bgt18b @ } \n"
+   "21:@   \n"
+@@ -1562,6 +1563,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, 
int factor)
+   x

Re: Help requested: Packages which FTBFS randomly

[Niels Thykier]

Ian Jackson:
> Santiago Vila writes ("Help requested: Packages which FTBFS randomly"):
>> The following packages FTBFS for me randomly. First column is the bug
>> number, second column is the estimated probability of failure in my
>> build environment, which is described here:
> 
> [...]
> 
> To the release team: please would you provide a clear answer to
> Santiago's question.  In particular, please provide an answer (or a
> rule which can be used to answer) to each of the 28 bugs mentioned in
> Santiago's mail.  If you think it will take you a while to answer the
> question, please say when you think you will have an answer.
> 
> Santiago: please keep up the good work.
> 
> Thanks,
> Ian.
> 

Hi,

Santiago already brought it up in #844264.  I believe my answer in
comment 70 is still relevant (other than I incorrectly used "after the
freeze" when I meant "after the release").

Thanks,
~Niels

Bug#855356: unblock: mupdf/1.9a+ds1-3

[陳侃如]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package mupdf

Security fixes

   * CVE-2017-5896: use-after-free in fz_subsample_pixmap()  (Closes: #854734)
   * CVE-2017-5991: NULL pointer dereference in pdf_run_xobject()

unblock mupdf/1.9a+ds1-3

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru mupdf-1.9a+ds1/debian/changelog mupdf-1.9a+ds1/debian/changelog
--- mupdf-1.9a+ds1/debian/changelog 2016-11-15 00:07:55.0 +0800
+++ mupdf-1.9a+ds1/debian/changelog 2017-02-16 23:43:55.0 +0800
@@ -1,3 +1,10 @@
+mupdf (1.9a+ds1-3) unstable; urgency=high
+
+  * CVE-2017-5896: use-after-free in fz_subsample_pixmap()  (Closes: #854734)
+  * CVE-2017-5991: NULL pointer dereference in pdf_run_xobject()
+
+ -- Kan-Ru Chen (陳侃如)   Thu, 16 Feb 2017 23:43:55 +0800
+
 mupdf (1.9a+ds1-2) unstable; urgency=medium
 
   * Acknowledge NMU.
diff -Nru mupdf-1.9a+ds1/debian/patches/0008-CVE-2016-8674.patch 
mupdf-1.9a+ds1/debian/patches/0008-CVE-2016-8674.patch
--- mupdf-1.9a+ds1/debian/patches/0008-CVE-2016-8674.patch  2016-11-14 
23:56:43.0 +0800
+++ mupdf-1.9a+ds1/debian/patches/0008-CVE-2016-8674.patch  2017-02-16 
23:43:55.0 +0800
@@ -1,10 +1,6 @@
-From: Kan-Ru Chen 
-Date: Mon, 14 Nov 2016 23:55:28 +0800
-Subject: CVE-2016-8674
-
 From: Robin Watts 
 Date: Thu, 22 Sep 2016 13:44:45 +0100
-Subject: [PATCH] Bug 697015: Avoid object references vanishing during repair.
+Subject: Bug 697015: Avoid object references vanishing during repair.
 
 A PDF repair can be triggered 'just in time', when we encounter
 a problem in the file. The idea is that this can happen without
diff -Nru mupdf-1.9a+ds1/debian/patches/0009-CVE-2017-5896.patch 
mupdf-1.9a+ds1/debian/patches/0009-CVE-2017-5896.patch
--- mupdf-1.9a+ds1/debian/patches/0009-CVE-2017-5896.patch  1970-01-01 
08:00:00.0 +0800
+++ mupdf-1.9a+ds1/debian/patches/0009-CVE-2017-5896.patch  2017-02-16 
23:43:55.0 +0800
@@ -0,0 +1,47 @@
+From: Robin Watts 
+Date: Thu, 9 Feb 2017 07:12:16 -0800
+Subject: bug 697515: Fix out of bounds read in fz_subsample_pixmap
+
+Pointer arithmetic for final special case was going wrong.
+---
+ source/fitz/pixmap.c | 6 --
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c
+index 6897fe3..66eb2b2 100644
+--- a/source/fitz/pixmap.c
 b/source/fitz/pixmap.c
+@@ -1420,6 +1420,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int 
h, int f, int factor,
+   
"@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,back5,divXY\n"
+   "ldrr4, [r13,#4*22] @ r4 = divXY\n"
+   "ldrr5, [r13,#4*11] @ for (nn = n; nn > 0; n--) {   \n"
++  "ldrr8, [r13,#4*17] @ r8 = back4\n"
+   "18:@   \n"
+   "movr14,#0  @ r14= v = 0\n"
+   "subr5, r5, r1, LSL #8  @ for (xx = x; xx > 0; x--) {   \n"
+@@ -1436,7 +1437,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int 
h, int f, int factor,
+   "mulr14,r4, r14 @ r14= v *= divX\n"
+   "movr14,r14,LSR #16 @ r14= v >>= 16 \n"
+   "strb   r14,[r9], #1@ *d++ = r14\n"
+-  "subr0, r0, r8  @ s -= back2\n"
++  "subr0, r0, r8  @ s -= back4\n"
+   "subs   r5, r5, #1  @ n--   \n"
+   "bgt18b @ } \n"
+   "21:@   \n"
+@@ -1562,6 +1563,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, 
int factor)
+   x += f;
+   if (x > 0)
+   {
++  int back4 = x * n - 1;
+   div = x * y;
+   for (nn = n; nn > 0; nn--)
+   {
+@@ -1576,7 +1578,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, 
int factor)
+   s -= back5;
+   }
+   *d++ = v / div;
+-  s -= back2;
++  s -= back4;
+   }
+   }
+   }
diff -Nru mupdf-1.9a+ds1/debian/patches/0010-CVE-2017-5991.patch 
mupdf-1.9a+ds1/debian/patches/0010-CVE-2017-5991.patch
--- mupdf-1.9a+ds1/debian/patches/0010-CVE-2017-5991.patch  1970-01-01 
08:00:00.0

Bug#855352: unblock: chromium-browser/56.0.2924.76-1

[Michael Gilbert]

package: release.debian.org
user: release.debian@packages.debian.org
usertags: unblock

Please consider unblocking chromium.  This is a large upstream release
like usual with a bunch of security fixes.  As is done for jessie, the
plan is to push ongoing upstream security updates to
stretch(-security).

Best wishes,
Mike

Bug#855345: jessie-pu: package systemd/215-17+deb8u7

[Michael Biebl]

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to make a stable upload for systemd, fixing two bugs.

The changelog is

systemd (215-17+deb8u7) stable; urgency=medium

  * bus: Fix bus_print_property() to use "int" for booleans.
This fixes the problem that on big endian architectures, like mips or
powerpc, boolean properties that were retrieved via via sd-bus were always
set to 0 (no). (Closes: #774430)
  * systemctl: Add is-enabled support for SysV init scripts.
The update-rc.d utility does not provide is-enabled, so implement it
ourselves in systemctl using the same logic as systemd-sysv-install from
Stretch. (Closes: #809405)

 -- Michael Biebl   Fri, 17 Feb 2017 00:26:38 +0100

The complete debdiff is attached.

Regards,
Michael


-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index ffceb7d..3c17485 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+systemd (215-17+deb8u7) stable; urgency=medium
+
+  * bus: Fix bus_print_property() to use "int" for booleans.
+This fixes the problem that on big endian architectures, like mips or
+powerpc, boolean properties that were retrieved via via sd-bus were always
+set to 0 (no). (Closes: #774430)
+  * systemctl: Add is-enabled support for SysV init scripts.
+The update-rc.d utility does not provide is-enabled, so implement it
+ourselves in systemctl using the same logic as systemd-sysv-install from
+Stretch. (Closes: #809405)
+
+ -- Michael Biebl   Fri, 17 Feb 2017 00:26:38 +0100
+
 systemd (215-17+deb8u6) stable; urgency=medium
 
   [ Michael Biebl ]
diff --git 
a/debian/patches/bus-fix-bus_print_property-to-use-int-for-booleans.patch 
b/debian/patches/bus-fix-bus_print_property-to-use-int-for-booleans.patch
new file mode 100644
index 000..262252e
--- /dev/null
+++ b/debian/patches/bus-fix-bus_print_property-to-use-int-for-booleans.patch
@@ -0,0 +1,27 @@
+From: David Herrmann 
+Date: Thu, 18 Sep 2014 13:28:28 +0200
+Subject: bus: fix bus_print_property() to use "int" for booleans
+
+We always use "int" if we retrieve boolean values from sd-bus, as "bool"
+is only a single byte, but full int on va-args.
+
+Thanks to Werner Fink for the report!
+
+(cherry picked from commit c2fa048c4a70c8386c6d8fe939e5ea9edecf1e98)
+---
+ src/libsystemd/sd-bus/bus-util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libsystemd/sd-bus/bus-util.c 
b/src/libsystemd/sd-bus/bus-util.c
+index 6441c5b..d0b7c3d 100644
+--- a/src/libsystemd/sd-bus/bus-util.c
 b/src/libsystemd/sd-bus/bus-util.c
+@@ -631,7 +631,7 @@ int bus_print_property(const char *name, sd_bus_message 
*property, bool all) {
+ }
+ 
+ case SD_BUS_TYPE_BOOLEAN: {
+-bool b;
++int b;
+ 
+ r = sd_bus_message_read_basic(property, type, &b);
+ if (r < 0)
diff --git a/debian/patches/series b/debian/patches/series
index a883d86..3dc8933 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -170,6 +170,7 @@ polkit-don-t-start-polkit-agent-when-running-as-root.patch
 core-rework-logic-to-determine-when-we-decide-to-add-auto.patch
 systemctl-fix-argument-handling-when-invoked-as-shutdown.patch
 systemctl-when-reading-legacy-t-argument-for-shutdown-don.patch
+bus-fix-bus_print_property-to-use-int-for-booleans.patch
 
 ## Debian specific patches:
 Add-back-support-for-Debian-specific-config-files.patch
@@ -228,3 +229,4 @@ Skip-filesystem-check-if-already-done-by-the-initram.patch
 cryptsetup-Implement-offset-and-skip-options.patch
 Revert-core-one-step-back-again-for-nspawn-we-actual.patch
 udev-increase-udev-event-timeout-to-180s.patch
+systemctl-Add-is-enabled-support-for-SysV-init-scripts.patch
diff --git 
a/debian/patches/systemctl-Add-is-enabled-support-for-SysV-init-scripts.patch 
b/debian/patches/systemctl-Add-is-enabled-support-for-SysV-init-scripts.patch
new file mode 100644
index 000..7b73592
--- /dev/null
+++ 
b/debian/patches/systemctl-Add-is-enabled-support-for-SysV-init-scripts.patch
@@ -0,0 +1,84 @@
+From: Michael Biebl 
+Date: Wed, 15 Feb 2017 10:03:37 +0100
+Subject: systemctl: Add is-enabled support for SysV init scripts
+
+The update-rc.d utility does not provide is-enabled, so implement it
+ourselves in systemctl using the same logic as systemd-sysv-install from
+Stretch.
+See commit b5aa768d8108b294c1187a0728f5b13c033b3d47
+
+Closes: #809405
+---
+ src/systemctl/systemctl.c | 38 --
+ 1 file changed, 24 insertion

Bug#855133: unblock (pre-approval): flatpak/0.8.3-1

[Simon McVittie]

On Thu, 16 Feb 2017 at 22:19:12 +0100, Emilio Pozuelo Monfort wrote:
> On 14/02/17 15:42, Simon McVittie wrote:
> > I would like release team pre-approval for uploading flatpak/0.8.3-1
> > with the attached debdiff.
> 
> Go ahead.

Uploaded and accepted into unstable.

Thanks,
S

Bug#855341: unblock: mini-httpd/1.23-1.2

[Sebastian Andrzej Siewior]

Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package mini-httpd. It has been pointed that this package
lost its https support since Jessie. It has nothing to do with with
openssl 1.1 :)
I uploaded the suggested fix to deferred/5 and I am waiting for approval
before it hits unstable. 

unblock mini-httpd/1.23-1.2

Sebastian
diff -Nru mini-httpd-1.23/debian/changelog mini-httpd-1.23/debian/changelog
--- mini-httpd-1.23/debian/changelog	2016-06-17 12:06:53.0 +0200
+++ mini-httpd-1.23/debian/changelog	2017-02-16 23:14:13.0 +0100
@@ -1,3 +1,10 @@
+mini-httpd (1.23-1.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Bring back lost HTTPS support (Closes: #818474).
+
+ -- Sebastian Andrzej Siewior   Thu, 16 Feb 2017 23:14:13 +0100
+
 mini-httpd (1.23-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru mini-httpd-1.23/debian/patches/fix-makefile mini-httpd-1.23/debian/patches/fix-makefile
--- mini-httpd-1.23/debian/patches/fix-makefile	2015-09-15 22:05:37.0 +0200
+++ mini-httpd-1.23/debian/patches/fix-makefile	2017-02-16 23:12:53.0 +0100
@@ -2,11 +2,13 @@
 Autor: Jose dos Santos Junior 
 Last-Update: 2015-09-05
 ===
-Index: mini-httpd-1.21/Makefile
-===
 mini-httpd-1.21.orig/Makefile
-+++ mini-httpd-1.21/Makefile
-@@ -19,13 +19,12 @@ CRYPT_LIB =-lcrypt
+---
+ Makefile |   15 ++-
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+--- a/Makefile
 b/Makefile
+@@ -19,22 +19,21 @@ CRYPT_LIB =-lcrypt
  #SSL_INC =	-I$(SSL_TREE)/include
  #SSL_LIBS =	-L$(SSL_TREE)/lib -lssl -lcrypto
  
@@ -20,12 +22,14 @@
 -CFLAGS =	-O $(CDEFS) -ansi -pedantic -U__STRICT_ANSI__ -Wall -Wpointer-arith -Wshadow -Wcast-qual -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wredundant-decls -Wno-long-long
 -LDFLAGS =	-s
 +CFLAGS+=-O $(CDEFS) -ansi -pedantic -U__STRICT_ANSI__ -Wall -Wpointer-arith -Wshadow -Wcast-qual -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wredundant-decls -Wno-long-long
-+LDFLAGS+= -s `dpkg-buildflags --get CPPFLAGS` `dpkg-buildflags --get CFLAGS` `dpkg-buildflags --get LDFLAGS`
++LDFLAGS+= -s `dpkg-buildflags --get CPPFLAGS` `dpkg-buildflags --get CFLAGS` `dpkg-buildflags --get LDFLAGS` -DUSE_SSL
  LDLIBS =	$(CRYPT_LIB) $(SSL_LIBS) $(SYSV_LIBS)
  
  all:		mini_httpd htpasswd
-@@ -34,7 +33,7 @@ mini_httpd:	mini_httpd.o match.o tdate_p
- 	$(CC) $(LDFLAGS) mini_httpd.o match.o tdate_parse.o $(LDLIBS) -o mini_httpd
+ 
+ mini_httpd:	mini_httpd.o match.o tdate_parse.o
+-	$(CC) $(LDFLAGS) mini_httpd.o match.o tdate_parse.o $(LDLIBS) -o mini_httpd
++	$(CC) $(LDFLAGS) mini_httpd.o match.o tdate_parse.o $(LDLIBS) -o mini_httpd -lssl -lcrypto
  
  mini_httpd.o:	mini_httpd.c version.h port.h match.h tdate_parse.h mime_encodings.h mime_types.h
 -	$(CC) $(CFLAGS) -c mini_httpd.c

Bug#854247: marked as done (unblock: inkscape 0.92.1)

[Debian Bug Tracking System]

Your message dated Thu, 16 Feb 2017 22:08:00 +
with message-id <571ca766-0582-712a-be39-99888b058...@thykier.net>
and subject line Re: Bug#854236: unblock: inkscape 0.92.1
has caused the Debian Bug report #854236,
regarding unblock: inkscape 0.92.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
854236: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854236
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock

Hi!

This is a preapproval request.

Currently stretch has inkscape version 0.92.0 + a bunch of patches
backported from their stable branch.  I'd like to eventually ship
0.92.1, which is due in about 2 weeks if they keep the current schedule.
For avoidance of doubt, their stable branch only carries bugfixes and
i18n updates.

Yesterday they made a 0.92.1~pre1 release, which I tried to package, the
changes which will occur after this will only be l10n updates and very
important bug fixes.
You can see the full debdiff at (uncompressed ~30MB, ~500k lines)
https://volatile.mapreri.org/2017-02-05/e67ccfb026998f4d1a35b353992e669f/full_debdiff.diff.gz
whereas attached there is a filtered debdiff made by
$ filterdiff -x '*/po/*' -x '*/share/tutorials/*' -x '*/share/examples/*' -x 
'*/doc/*' -x '*/packaging/*'
We are not shipping anything from ./doc, and we have no use in what's
inside ./packaging (mostly Windows stuff); also the tutorials and the
examples take the biggest part of the diff because upstream re-scaled
all the .svg's: https://bugs.launchpad.net/inkscape/+bug/1651815
http://bazaar.launchpad.net/~inkscape.dev/inkscape/0.92.x/revision/15302


In particular there is one bugfix which I'm interested, which is causing
malformed rendering of text boxes.  This random blog post can give you
an idea of the problem (upstream is not good at bug triaging, so there
is no real trackable bug…):
http://peppercarrot.com/en/article396/new-inkscape-0-92-breaks-your-previous-works-done-with-inkscape
It has been mostly fixed by
http://bazaar.launchpad.net/~inkscape.dev/inkscape/0.92.x/revision/15338
http://bazaar.launchpad.net/~inkscape.dev/inkscape/0.92.x/revision/15350
http://bazaar.launchpad.net/~inkscape.dev/inkscape/0.92.x/revision/15351
We expect some more tidying for next point release 0.92.2 but it's very
good already.


You can see all the upstream changes here:
http://bazaar.launchpad.net/~inkscape.dev/inkscape/0.92.x/changes



Thank you for considering.


-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
more about me:  https://mapreri.org : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
(filtered) diffstat for inkscape-0.92.0 inkscape-0.92.1~pre1

 /tmp/uf7QOdKsTV/inkscape-0.92.1~pre1/share/examples/car.svgz|binary
 /tmp/uf7QOdKsTV/inkscape-0.92.1~pre1/share/examples/gallardo.svgz   |binary
 /tmp/uf7QOdKsTV/inkscape-0.92.1~pre1/share/examples/gradient-mesh-experimental.svgz |binary
 /tmp/uf7QOdKsTV/inkscape-0.92.1~pre1/share/examples/l-systems.svgz  |binary
 /tmp/uf7QOdKsTV/inkscape-0.92.1~pre1/share/examples/stars.svgz  |binary
 /tmp/uf7QOdKsTV/inkscape-0.92.1~pre1/share/tutorials/pixelart-dialog.de.png |binary
 /tmp/uf7QOdKsTV/inkscape-0.92.1~pre1/share/tutorials/pixelart-dialog.el.png |binary
 /tmp/uf7QOdKsTV/inkscape-0.92.1~pre1/share/tutorials/pixelart-dialog.en.png |binary
 /tmp/uf7QOdKsTV/inkscape-0.92.1~pre1/share/tutorials/pixelart-dialog.fr.png |binary
 /tmp/uf7QOdKsTV/inkscape-0.92.1~pre1/share/tutorials/pixelart-dialog.nl.png |binary
 /tmp/uf7QOdKsTV/inkscape-0.92.1~pre1/share/tutorials/pixelart-dialog.png|binary
 /tmp/uf7QOdKsTV/inkscape-0.92.1~pre1/share/tutorials/pixelart-dialog.pt.png |binary
 /tmp/uf7QOdKsTV/inkscape-0.92.1~pre1/share/tutorials/pixelart-dialog.ru.png |binary
 /tmp/uf7QOdKsTV/inkscape-0.92.1~pre1/share/tutorials/pixelart-dialog.sk.png |binary
 /tmp/uf7QOdKsTV/inkscape-0.92.1~pre1/share/tutorials/pixelart-dialog.zh_TW.png  |binary
 inkscape-0.92.1~pre1/.snapcraft.yaml|2 
 inkscape-0.92.1~pre1/CMakeLists.txt |2 
 inkscape-0.92.1~pre1/CMakeScripts/inkscape-version.cmake|4 
 inksca

Bug#855333: unblock: systemd/231-18

[Michael Biebl]

Am 16.02.2017 um 22:12 schrieb Martin Pitt:
> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Hello release team,
> 
> The current systemd in unstable (232-18) fixes an RC bug on architectures that
> don't support seccomp (https://bugs.debian.org/852811), some more seccomp bugs
> that also affect x86, and a couple of non-RC bugs; plus some autopkgtest
> improvements which increase coverage and tighten upstream CI. -18 has been in
> unstable for 3 days now without regression reports, built everywhere, and I am
> very confident that it doesn't break things compared to -15.

Afaics, Niels had already unblocked it.




-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?



signature.asc
Description: OpenPGP digital signature

Re: Help requested: Packages which FTBFS randomly

[Ian Jackson]

Santiago Vila writes ("Help requested: Packages which FTBFS randomly"):
> The following packages FTBFS for me randomly. First column is the bug
> number, second column is the estimated probability of failure in my
> build environment, which is described here:

IMO all of these bugs should be RC.  A randomly-reproducible build
failure with more than negligible probabilty is likely to show up for
some of Debian's users and downstreams and cause them mysterious
trouble.  It also causes trouble for stalwarts like Santiago, doing
much needed and largely-unloved QA work.

If there is to be a failure probability threshold I would set it at
10^-4 or so.  After all, computer time is cheap.

To the release team: please would you provide a clear answer to
Santiago's question.  In particular, please provide an answer (or a
rule which can be used to answer) to each of the 28 bugs mentioned in
Santiago's mail.  If you think it will take you a while to answer the
question, please say when you think you will have an answer.

Santiago: please keep up the good work.

Thanks,
Ian.

Bug#855333: marked as done (unblock: systemd/231-18)

[Debian Bug Tracking System]

Your message dated Thu, 16 Feb 2017 22:39:33 +0100
with message-id <3e16bc27-67ac-88b9-3be2-117012ae6...@debian.org>
and subject line Re: Bug#855333: unblock: systemd/231-18
has caused the Debian Bug report #855333,
regarding unblock: systemd/231-18
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
855333: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855333
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock

Hello release team,

The current systemd in unstable (232-18) fixes an RC bug on architectures that
don't support seccomp (https://bugs.debian.org/852811), some more seccomp bugs
that also affect x86, and a couple of non-RC bugs; plus some autopkgtest
improvements which increase coverage and tighten upstream CI. -18 has been in
unstable for 3 days now without regression reports, built everywhere, and I am
very confident that it doesn't break things compared to -15.

debdiff between -15 (in testing) and current -18 attached. I also put the
changelog and some annotations to it below.

| systemd (232-18) unstable; urgency=medium
| 
|   * udev autopkgtest: Adjust to script-based test /sys creation.
| PR #5250 changes from the static sys.tar.xz to creating the test /sys
| directory with a script. Get along with both cases until 233 gets
| released and packaged.

Improved disto/upstream CI, no runtime effect.

|   * systemd-resolved.service.d/resolvconf.conf: Don't fail if resolvconf is
| not installed. ReadWritePaths= fails by default if the referenced
| directory does not exist. This happens if resolvconf is not installed, so
| use '-' to ignore the absence. (Closes: #854814)

Fallout from the change in -17. Now it's really a no-op in Debian (as the
stricter privilege restrictions of resolved are not yet, and will not be in
stretch).

|   * Fix two more seccomp issues.
|   * Permit seeing process list of units whose unit files are missing.
|   * Fix systemctl --user enable/disable without $XDG_RUNTIME_DIR being set.
| (Closes: #855050)

Non-RC bug fixes. The patches are relatively small and straightforward, and
people asked for them.
 
|  -- Martin Pitt   Mon, 13 Feb 2017 17:36:12 +0100
| 
| systemd (232-17) unstable; urgency=medium
| 
|   * Add libcap2-bin build dependency for tests. This will make
| test_exec_capabilityboundingset() actually run. (Closes: #854394)
|   * Add iproute2 build dependency for tests. This will make
| test_exec_privatenetwork() actually run; it skips if "ip" is not present.
| (Closes: #854396)
|   * autopkgtest: Run all upstream unit tests as root.
| Ship all upstream unit tests in libsystemd-dev, and run them all as root
| in autopkgtest. (Closes: #854392) This also fixes the FTBFS on non-seccomp
| architectures.

Improved disto/upstream CI, no runtime effect.

|   * systemd-resolved.service.d/resolvconf.conf: Allow writing to
| /run/resolvconf. Upstream PR #5283 will introduce permission restrictions
| for systemd-resolved.service, including the lockdown to writing
| /run/systemd/. This will then cause the resolvconf call in our drop-in to
| fail as that needs to write to /run/resolvconf/. Add this to
| ReadWritePaths=. (This is a no-op with the current unrestricted unit).

As said above, no-op in stretch (except that this first declaration had a bug,
fixed now).

|  -- Martin Pitt   Fri, 10 Feb 2017 11:52:46 +0100
| 
| systemd (232-16) unstable; urgency=medium
| 
|   [ Martin Pitt ]
|   * Add autopkgtest for test-seccomp

Improved disto/upstream CI, no runtime effect.

|   * udev: Fix by-id symlinks for devices whose IDs contain whitespace
| (Closes: #851164, LP: #1647485)

In terms of intrusiveness this is the change with the biggest regression
potential. However, it's rather academic to expect that something relies on the
broken symlinks. This change has been tested widely already though, as it
already landed in an Ubuntu stable update for all releases, and unbreaks stable
device symlinks for NVMe devices.

|   * Add lintian overrides for binary-or-shlib-defines-rpath on shipped test
| programs. This is apparently a new lintian warning on which uploads get
| rejected.  These are only test programs, not in $PATH, and they need to
| link against systemd's internal library.

No runtime effect, just lintian cleanup.

| 
|   [ Michael Biebl ]
|   * Fix seccomp filtering. (Closes: #852811)

That's the RC bug which really needs to go in.

|   * Do not crash on daemon-reexec when /run i

Bug#855258: unblock: spice/0.12.8-2.1

[Markus Koschany]

On 16.02.2017 22:23, Emilio Pozuelo Monfort wrote:
> Control: tags -1 moreinfo
> 
> On 16/02/17 06:06, Salvatore Bonaccorso wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: unblock
>>
>> Hi
>>
>> Please unblock package spice
[...]
> That failed to build on mips(64)el:
> 
> https://buildd.debian.org/status/package.php?p=spice

Hi,

I think this is unrelated to our security fix. The package already
failed on mips64el last month (2017/01/06) with the same build failure.
[1] According to Debian bug #734218 support for mips{64]el was only
enabled recently and it appears that upstream isn't even supporting this
architecture. But on 17. January it build fine again probably after some
manual intervention by the buildd admins. I think we should get in
contact with the mips64el porters or remove spice from these
architectures again.

Regards,

Markus

[1]
https://buildd.debian.org/status/fetch.php?pkg=spice&arch=mips64el&ver=0.12.8-2&stamp=1483718594&raw=0




signature.asc
Description: OpenPGP digital signature

Bug#854236: unblock: inkscape 0.92.1

[Mattia Rizzolo]

On Thu, Feb 09, 2017 at 07:05:00PM +, Niels Thykier wrote:
> Please go ahead then :)

This is now uploaded, and built on all relevant (and non) architectures.

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
more about me:  https://mapreri.org : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-


signature.asc
Description: PGP signature

Bug#855217: unblock: openmpi/2.0.2

[Emilio Pozuelo Monfort]

On 15/02/17 16:25, Alastair McKinstry wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package openmpi to fix RC bug #848574
> 
> Openmpi 2.0.2 was released just as Stretch was being frozen. The package in 
> testing,
> 2.0.2~git.20161225 was packaged to get relevant (2.0.2) changes into Stretch, 
> but unfortuanatelt contained
> a significant bug on mips64el release architecture that was not caught before 
> transition.
> 
> debdiff too large to be useful.

Yes, that's the issue:

 4391 files changed, 1353847 insertions(+), 423120 deletions(-)

How can there be so many changes in this point update? Some of that comes from
autogenerated Makefile.in files. configure alone is:

openmpi-2.0.2/configure|315387 ++

So perhaps you can get a filtered diff, saying what you have excluded (and why),
and explain what changes there are in this release and why we should accept it,
rather than a targeted fix for #848574?

Cheers,
Emilio

Bug#855333: unblock: systemd/231-18

[Martin Pitt]

Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock

Hello release team,

The current systemd in unstable (232-18) fixes an RC bug on architectures that
don't support seccomp (https://bugs.debian.org/852811), some more seccomp bugs
that also affect x86, and a couple of non-RC bugs; plus some autopkgtest
improvements which increase coverage and tighten upstream CI. -18 has been in
unstable for 3 days now without regression reports, built everywhere, and I am
very confident that it doesn't break things compared to -15.

debdiff between -15 (in testing) and current -18 attached. I also put the
changelog and some annotations to it below.

| systemd (232-18) unstable; urgency=medium
| 
|   * udev autopkgtest: Adjust to script-based test /sys creation.
| PR #5250 changes from the static sys.tar.xz to creating the test /sys
| directory with a script. Get along with both cases until 233 gets
| released and packaged.

Improved disto/upstream CI, no runtime effect.

|   * systemd-resolved.service.d/resolvconf.conf: Don't fail if resolvconf is
| not installed. ReadWritePaths= fails by default if the referenced
| directory does not exist. This happens if resolvconf is not installed, so
| use '-' to ignore the absence. (Closes: #854814)

Fallout from the change in -17. Now it's really a no-op in Debian (as the
stricter privilege restrictions of resolved are not yet, and will not be in
stretch).

|   * Fix two more seccomp issues.
|   * Permit seeing process list of units whose unit files are missing.
|   * Fix systemctl --user enable/disable without $XDG_RUNTIME_DIR being set.
| (Closes: #855050)

Non-RC bug fixes. The patches are relatively small and straightforward, and
people asked for them.
 
|  -- Martin Pitt   Mon, 13 Feb 2017 17:36:12 +0100
| 
| systemd (232-17) unstable; urgency=medium
| 
|   * Add libcap2-bin build dependency for tests. This will make
| test_exec_capabilityboundingset() actually run. (Closes: #854394)
|   * Add iproute2 build dependency for tests. This will make
| test_exec_privatenetwork() actually run; it skips if "ip" is not present.
| (Closes: #854396)
|   * autopkgtest: Run all upstream unit tests as root.
| Ship all upstream unit tests in libsystemd-dev, and run them all as root
| in autopkgtest. (Closes: #854392) This also fixes the FTBFS on non-seccomp
| architectures.

Improved disto/upstream CI, no runtime effect.

|   * systemd-resolved.service.d/resolvconf.conf: Allow writing to
| /run/resolvconf. Upstream PR #5283 will introduce permission restrictions
| for systemd-resolved.service, including the lockdown to writing
| /run/systemd/. This will then cause the resolvconf call in our drop-in to
| fail as that needs to write to /run/resolvconf/. Add this to
| ReadWritePaths=. (This is a no-op with the current unrestricted unit).

As said above, no-op in stretch (except that this first declaration had a bug,
fixed now).

|  -- Martin Pitt   Fri, 10 Feb 2017 11:52:46 +0100
| 
| systemd (232-16) unstable; urgency=medium
| 
|   [ Martin Pitt ]
|   * Add autopkgtest for test-seccomp

Improved disto/upstream CI, no runtime effect.

|   * udev: Fix by-id symlinks for devices whose IDs contain whitespace
| (Closes: #851164, LP: #1647485)

In terms of intrusiveness this is the change with the biggest regression
potential. However, it's rather academic to expect that something relies on the
broken symlinks. This change has been tested widely already though, as it
already landed in an Ubuntu stable update for all releases, and unbreaks stable
device symlinks for NVMe devices.

|   * Add lintian overrides for binary-or-shlib-defines-rpath on shipped test
| programs. This is apparently a new lintian warning on which uploads get
| rejected.  These are only test programs, not in $PATH, and they need to
| link against systemd's internal library.

No runtime effect, just lintian cleanup.

| 
|   [ Michael Biebl ]
|   * Fix seccomp filtering. (Closes: #852811)

That's the RC bug which really needs to go in.

|   * Do not crash on daemon-reexec when /run is full (Closes: #850074)

The patches are a bit large-ish, but this avoids completely ruining your
system when /run is out of space.

Please let me know if you have any question.

Thanks for considering!

Martin
diff --git a/debian/changelog b/debian/changelog
index a5acc0c..2e4d6da 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,57 @@
+systemd (232-18) unstable; urgency=medium
+
+  * udev autopkgtest: Adjust to script-based test /sys creation.
+PR #5250 changes from the static sys.tar.xz to creating the test /sys
+directory with a script. Get along with both cases until 233 gets
+released and packaged.
+  * systemd-resolved.service.d/resolvconf.conf: Don't fail if resolvconf is
+not installed. ReadWritePaths= fails by default if the referenced
+directory does not exist. This happens if resol

Bug#855258: unblock: spice/0.12.8-2.1

[Emilio Pozuelo Monfort]

Control: tags -1 moreinfo

On 16/02/17 06:06, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Hi
> 
> Please unblock package spice
> 
> It fixes two CVEs, CVE-2016-9577 CVE-2016-9578, reported by Moritz as
> #854336. Markus Kschany fixed it as:
> 
> +spice (0.12.8-2.1) unstable; urgency=medium
> +
> +  * Non-maintainer upload.
> +  * Add CVE-2016-9577-and-CVE-2016-9578.patch:
> +- CVE-2016-9577: A buffer overflow vulnerability in
> +  main_channel_alloc_msg_rcv_buf was found that occurs when reading large
> +  messages due to missing buffer size check.
> +- CVE-2016-9578: A vulnerability was discovered in the server's
> +  protocol handling. An attacker able to connect to the spice server 
> could
> +  send crafted messages which would cause the process to crash.
> +  (Closes: #854336)
> +
> + -- Markus Koschany   Mon, 13 Feb 2017 21:42:01 +0100
> 
> Attached the resulting debdiff from the version in testing.
> 
> unblock spice/0.12.8-2.1

That failed to build on mips(64)el:

https://buildd.debian.org/status/package.php?p=spice

Cheers,
Emilio

Processed: Re: Bug#855258: unblock: spice/0.12.8-2.1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 moreinfo
Bug #855258 [release.debian.org] unblock: spice/0.12.8-2.1
Added tag(s) moreinfo.

-- 
855258: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855258
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#855133: unblock (pre-approval): flatpak/0.8.3-1

[Emilio Pozuelo Monfort]

Control: tags -1 confirmed

On 14/02/17 15:42, Simon McVittie wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> I would like release team pre-approval for uploading flatpak/0.8.3-1
> with the attached debdiff.
> 
> The main reason is a bug that affects the configuration in which
> we use it, making it impossible for "portal" services outside
> the sandbox to identify which sandbox a requesting app is in
> (). The upstream fix for this is
> deleting one line, which I definitely want to get into stretch,
> either in 0.8.3 or as a patch.
> 
> However, since upstream stable branch 0.8.x receives cherry-picked
> bugfixes from master and basically only exists for Debian's benefit,
> I'd like to track it for as long as we can. Having flatpak pull in
> proprietary OpenGL drivers automatically accounts for a lot of the diff,
> and is arguably more feature than bugfix, but seems like something
> usability of stable could really benefit from.
> 
> https://bugs.debian.org/846338 (copying the profile.d snippet into
> Xsession.d) seems like a low-risk/high-utility change, but I can
> drop it if you don't like it.
> 
> If there's anything here that's particularly objectionable for stable,
> please let me know and I'll ask upstream to be more strict about 0.8.x.
> 
> Debdiff filtered to exclude */po/* (l10n) from the diff but not the
> diffstat.

Go ahead.

Cheers,
Emilio

Processed: Re: Bug#855133: unblock (pre-approval): flatpak/0.8.3-1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 confirmed
Bug #855133 [release.debian.org] unblock (pre-approval): flatpak/0.8.3-1
Added tag(s) confirmed.

-- 
855133: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855133
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#855217: unblock: openmpi/2.0.2

[Graham Inggs]

FWIW, builds of at least dune-common [1], elpa [2] and trilinos [3]
have become successful again since the upload of openmpi/2.0.2.


[1] https://buildd.debian.org/status/logs.php?pkg=dune-common&arch=mips64el
[2] https://buildd.debian.org/status/logs.php?pkg=elpa&arch=mips64el
[3] https://buildd.debian.org/status/logs.php?pkg=trilinos&arch=mips64el

Processed: openmpi / petsc / deal.ii

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> block 855328 by 854905
Bug #855328 [release.debian.org] nmu: deal.ii_8.4.2-2
855328 was not blocked by any bugs.
855328 was not blocking any bugs.
Added blocking bug(s) of 855328: 855204 and 854905
> block 849764 by 855328
Bug #849764 [libdeal.ii-dev] libdeal.ii-dev: fatal error: mpi.h: No such file 
or directory
849764 was not blocked by any bugs.
849764 was not blocking any bugs.
Added blocking bug(s) of 849764: 855328
> severity 849764 important
Bug #849764 [libdeal.ii-dev] libdeal.ii-dev: fatal error: mpi.h: No such file 
or directory
Severity set to 'important' from 'normal'
> user release.debian@packages.debian.org
Setting user to release.debian@packages.debian.org (was gin...@debian.org).
> usertag 854905 binnmu
Usertags were: nmu.
Usertags are now: binnmu nmu.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
849764: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849764
854905: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854905
855328: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855328
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#855328: nmu: deal.ii_8.4.2-2

[Graham Inggs]

Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: binnmu

Hi release team

Deal.ii needs to be rebuild against openmpi to pick up headers in the
new multiarch locations (#849764).  It will also need to be rebuilt
after petsc is rebuilt (#854905).

I suggest only scheduling this rebuild after opempi has been unblocked
(#855217) and petsc has been rebuilt.

nmu deal.ii_8.4.2-2 . ANY . unstable . -m "Rebuild with openmpi 2.0.2
/ petsc 3.7.5"

Regards
Graham

Bug#855312: marked as done (unblock: dbus/1.10.16-1)

[Debian Bug Tracking System]

Your message dated Thu, 16 Feb 2017 20:00:00 +
with message-id <32d46313-84bb-9b68-82b3-25fcd83b1...@thykier.net>
and subject line Re: Bug#855312: unblock: dbus/1.10.16-1
has caused the Debian Bug report #855312,
regarding unblock: dbus/1.10.16-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
855312: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855312
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package dbus. This new upstream release fixes a couple
of symlink attacks in rare code paths, which could be argued to be
security vulnerabilities by someone sufficiently pedantic (I'm going
to raise this with the security team, but I suspect they will not
consider it worth doing a stable update).

I would like to track the dbus-1.10 branch in stretch-as-stable,
as I have for dbus-1.8 in jessie. I am an upstream dbus maintainer,
and I plan to continue to produce minimal upstream stable releases.

I plan to release dbus 1.12.0 at some point in the near future (during
or soon after the stretch freeze), at which point 1.10.x will go from
"bug fixes only" to "security fixes only".

unblock dbus/1.10.16-1

Thanks,
S

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), 
(500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diffstat for dbus-1.10.14 dbus-1.10.16

 Makefile.in  |2 +-
 NEWS |   34 ++
 bus/activation.c |   20 +---
 configure|   26 +-
 configure.ac |4 ++--
 dbus/dbus-keyring.c  |2 +-
 dbus/dbus-sysdeps-unix.c |   31 ++-
 dbus/dbus-sysdeps-win.c  |   31 ++-
 dbus/dbus-sysdeps.h  |3 +++
 debian/changelog |9 +
 doc/Makefile.in  |2 +-
 11 files changed, 129 insertions(+), 35 deletions(-)

diff -Nru dbus-1.10.14/bus/activation.c dbus-1.10.16/bus/activation.c
--- dbus-1.10.14/bus/activation.c	2016-11-28 15:50:28.0 +
+++ dbus-1.10.16/bus/activation.c	2017-02-16 13:46:23.0 +
@@ -2436,21 +2436,8 @@
 static dbus_bool_t
 init_service_reload_test (DBusString *dir)
 {
-  DBusStat stat_buf;
-
-  if (!_dbus_stat (dir, &stat_buf, NULL))
-{
-  if (!_dbus_create_directory (dir, NULL))
-return FALSE;
-}
-  else
-{
-  if (!test_remove_directory (dir))
-return FALSE;
-
-  if (!_dbus_create_directory (dir, NULL))
-return FALSE;
-}
+  if (!_dbus_create_directory (dir, NULL))
+return FALSE;
 
   /* Create one initial file */
   if (!test_create_service_file (dir, SERVICE_FILE_1, SERVICE_NAME_1, "exec-1"))
@@ -2638,6 +2625,9 @@
   /* Do nothing? */
 }
 
+  if (!cleanup_service_reload_test (&directory))
+goto out;
+
   /* Do OOM tests */
   if (!init_service_reload_test (&directory))
 _dbus_assert_not_reached ("could not initiate service reload test");
diff -Nru dbus-1.10.14/configure dbus-1.10.16/configure
--- dbus-1.10.14/configure	2016-11-28 18:48:55.0 +
+++ dbus-1.10.16/configure	2017-02-16 13:47:19.0 +
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for dbus 1.10.14.
+# Generated by GNU Autoconf 2.69 for dbus 1.10.16.
 #
 # Report bugs to .
 #
@@ -591,8 +591,8 @@
 # Identity of this package.
 PACKAGE_NAME='dbus'
 PACKAGE_TARNAME='dbus'
-PACKAGE_VERSION='1.10.14'
-PACKAGE_STRING='dbus 1.10.14'
+PACKAGE_VERSION='1.10.16'
+PACKAGE_STRING='dbus 1.10.16'
 PACKAGE_BUGREPORT='https://bugs.freedesktop.org/enter_bug.cgi?product=dbus'
 PACKAGE_URL=''
 
@@ -1553,7 +1553,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures dbus 1.10.14 to adapt to many kinds of systems.
+\`configure' configures dbus 1.10.16 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1628,7 +1628,7 @@
 
 i

Bug#855312: unblock: dbus/1.10.16-1

[Cyril Brulebois]

Niels Thykier  (2017-02-16):
> Simon McVittie:
> > I would like to track the dbus-1.10 branch in stretch-as-stable, as
> > I have for dbus-1.8 in jessie. I am an upstream dbus maintainer, and
> > I plan to continue to produce minimal upstream stable releases.
> > 
> > I plan to release dbus 1.12.0 at some point in the near future
> > (during or soon after the stretch freeze), at which point 1.10.x
> > will go from "bug fixes only" to "security fixes only".
… 
> Looks good to me, but needs an ACK from KiBi due to its udebs.

Based on the changelog entry, no objections.


KiBi.


signature.asc
Description: Digital signature

Processed: libboinc-app-dev: depends on old versions of libstdc++

[Debian Bug Tracking System]

Processing control commands:

> block 851871 by -1
Bug #851871 [release.debian.org] RM: gcc-5/5.4.1-4
851871 was blocked by: 852008 852009
851871 was not blocking any bugs.
Added blocking bug(s) of 851871: 855316

-- 
851871: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851871
855316: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855316
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#855312: unblock: dbus/1.10.16-1

[Simon McVittie]

On Thu, 16 Feb 2017 at 16:54:00 +, Niels Thykier wrote:
> Looks good to me, but needs an ACK from KiBi due to its udebs.

I'm curious whether debian-installer actually uses them yet...
(We added these udebs early in the jessie-as-testing cycle for
AT-SPI's benefit.)

S

Processed: Re: Bug#855312: unblock: dbus/1.10.16-1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 confirmed
Bug #855312 [release.debian.org] unblock: dbus/1.10.16-1
Added tag(s) confirmed.

-- 
855312: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855312
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#855312: unblock: dbus/1.10.16-1

[Niels Thykier]

Control: tags -1 confirmed

Simon McVittie:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package dbus. This new upstream release fixes a couple
> of symlink attacks in rare code paths, which could be argued to be
> security vulnerabilities by someone sufficiently pedantic (I'm going
> to raise this with the security team, but I suspect they will not
> consider it worth doing a stable update).
> 
> I would like to track the dbus-1.10 branch in stretch-as-stable,
> as I have for dbus-1.8 in jessie. I am an upstream dbus maintainer,
> and I plan to continue to produce minimal upstream stable releases.
> 
> I plan to release dbus 1.12.0 at some point in the near future (during
> or soon after the stretch freeze), at which point 1.10.x will go from
> "bug fixes only" to "security fixes only".
> 
> unblock dbus/1.10.16-1
> 
> Thanks,
> S
> 
> [...]

Looks good to me, but needs an ACK from KiBi due to its udebs.

Thanks,
~Niels

Bug#855312: unblock: dbus/1.10.16-1

[Simon McVittie]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package dbus. This new upstream release fixes a couple
of symlink attacks in rare code paths, which could be argued to be
security vulnerabilities by someone sufficiently pedantic (I'm going
to raise this with the security team, but I suspect they will not
consider it worth doing a stable update).

I would like to track the dbus-1.10 branch in stretch-as-stable,
as I have for dbus-1.8 in jessie. I am an upstream dbus maintainer,
and I plan to continue to produce minimal upstream stable releases.

I plan to release dbus 1.12.0 at some point in the near future (during
or soon after the stretch freeze), at which point 1.10.x will go from
"bug fixes only" to "security fixes only".

unblock dbus/1.10.16-1

Thanks,
S

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), 
(500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diffstat for dbus-1.10.14 dbus-1.10.16

 Makefile.in  |2 +-
 NEWS |   34 ++
 bus/activation.c |   20 +---
 configure|   26 +-
 configure.ac |4 ++--
 dbus/dbus-keyring.c  |2 +-
 dbus/dbus-sysdeps-unix.c |   31 ++-
 dbus/dbus-sysdeps-win.c  |   31 ++-
 dbus/dbus-sysdeps.h  |3 +++
 debian/changelog |9 +
 doc/Makefile.in  |2 +-
 11 files changed, 129 insertions(+), 35 deletions(-)

diff -Nru dbus-1.10.14/bus/activation.c dbus-1.10.16/bus/activation.c
--- dbus-1.10.14/bus/activation.c	2016-11-28 15:50:28.0 +
+++ dbus-1.10.16/bus/activation.c	2017-02-16 13:46:23.0 +
@@ -2436,21 +2436,8 @@
 static dbus_bool_t
 init_service_reload_test (DBusString *dir)
 {
-  DBusStat stat_buf;
-
-  if (!_dbus_stat (dir, &stat_buf, NULL))
-{
-  if (!_dbus_create_directory (dir, NULL))
-return FALSE;
-}
-  else
-{
-  if (!test_remove_directory (dir))
-return FALSE;
-
-  if (!_dbus_create_directory (dir, NULL))
-return FALSE;
-}
+  if (!_dbus_create_directory (dir, NULL))
+return FALSE;
 
   /* Create one initial file */
   if (!test_create_service_file (dir, SERVICE_FILE_1, SERVICE_NAME_1, "exec-1"))
@@ -2638,6 +2625,9 @@
   /* Do nothing? */
 }
 
+  if (!cleanup_service_reload_test (&directory))
+goto out;
+
   /* Do OOM tests */
   if (!init_service_reload_test (&directory))
 _dbus_assert_not_reached ("could not initiate service reload test");
diff -Nru dbus-1.10.14/configure dbus-1.10.16/configure
--- dbus-1.10.14/configure	2016-11-28 18:48:55.0 +
+++ dbus-1.10.16/configure	2017-02-16 13:47:19.0 +
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for dbus 1.10.14.
+# Generated by GNU Autoconf 2.69 for dbus 1.10.16.
 #
 # Report bugs to .
 #
@@ -591,8 +591,8 @@
 # Identity of this package.
 PACKAGE_NAME='dbus'
 PACKAGE_TARNAME='dbus'
-PACKAGE_VERSION='1.10.14'
-PACKAGE_STRING='dbus 1.10.14'
+PACKAGE_VERSION='1.10.16'
+PACKAGE_STRING='dbus 1.10.16'
 PACKAGE_BUGREPORT='https://bugs.freedesktop.org/enter_bug.cgi?product=dbus'
 PACKAGE_URL=''
 
@@ -1553,7 +1553,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures dbus 1.10.14 to adapt to many kinds of systems.
+\`configure' configures dbus 1.10.16 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1628,7 +1628,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
- short | recursive ) echo "Configuration of dbus 1.10.14:";;
+ short | recursive ) echo "Configuration of dbus 1.10.16:";;
esac
   cat <<\_ACEOF
 
@@ -1841,7 +1841,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-dbus configure 1.10.14
+dbus configure 1.10.16
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2617,7 +2617,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by dbus $as_me 1.10.14, which was
+It was created by dbus $as_me 1.10.16, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3560,7 +3560,7 @@
 
 # Define the identity of the

Re: Bug#740998: Bug#854801: No network after netinst Stretch RC2

[Bernhard Schmidt]

On 14.02.2017 00:43, Pierre Ynard wrote:

Hi,

>> in finish-install /e/n/i will never be properly populated for a wireless
>> installation without network-manager, although I think ifupdown would be
>> capable to do this (not tested, but have a look at
>> https://anonscm.debian.org/cgit/d-i/netcfg.git/tree/write_interface.c).
>> I guess the justification is that people using wireless usually would
>> want a GUI to roam between networks, and a interface stanza would
>> prevent even a (later installed) network-manager from touching the
>> interface.
> 
> That makes sense. Maybe it could still output commented-out
> configuration into /e/n/i, to make it easier in case people do end up
> editing the file to set up their network, for whatever reason.

We already have several bugs for this behaviour:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694068
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727740
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777439

and likely more.

Users installing with a wireless connection do not have network after
first boot, unless a -desktop task pulls in network-manager _and_
network-manager is not blocked by rdnssd.

I can fix the latter by removing the conflicts and changing the hook
again to be a no-op if network-manager is installed. But I think a
proper solution would be to warn the user at the end of the installation
that he will not have network access after boot and offer to write a
complete /e/n/i or forcibly install network-manager .

Bernhard

Bug#855109: unblock: pyrit/0.4.0-7.1

[Gianfranco Costamagna]

Hi,

>This failed to build on i386.


I saw it already, and I'm having difficulties in understanding why
(builds fine on pbuilder sid i386, debomatic sbuild i386, bad on barriere
i386 dchroot).

Asked for help on -mentors mail list

thanks

G.