Re: stretch-ignore for invalid maintainer address ?
On 2018-06-10 18:24, Emilio Pozuelo Monfort wrote: > On 10/06/18 11:40, Andreas Beckmann wrote: >> Hi, >> >> can we tag >> "Invalid maintainer address pkg-foo...@lists.alioth.debian.org" >> bugs as stretch-ignore? > > Yes, or they could be tagged "sid buster" as we don't intend to fix those in > stable. Going for the latter ... What should happen to packages that have been removed from unstable? How can the metadata for (old-)stable be fixed in that case? Andreas
Processed: blocking 898934 by 900530
Processing commands for cont...@bugs.debian.org: > block 898934 by 900530 Bug #898934 [release.debian.org] transition: libmygpo-qt 898934 was not blocked by any bugs. 898934 was not blocking any bugs. Added blocking bug(s) of 898934: 900530 > thanks Stopping processing here. Please contact me if you need assistance. -- 898934: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898934 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#867461: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
On 06/08/2018 03:37 PM, Adam D. Barratt wrote: Ping? We're a week away from the final chance to get an update into jessie-as-oldstable before it becomes jessie-lts. Thanks for the ping. I updated the debian-jessie branch of ca-certificates with mozilla bundle 2.22, and it's ready to be uploaded. Thijs, might you have a chance to upload 20141019+deb8u4 to jessie-updates? If not, perhaps we can wrangle someone else to help. commit: ce1498e496b749f71fd96d60942d2c2aa7fdf0ca $ git diff --stat debian/20141019+deb8u3 debian-jessie debian/changelog |74 + debian/control | 1 - mozilla/certdata.txt | 28220 +-- mozilla/nssckbi.h|39 +- 4 files changed, 10787 insertions(+), 17547 deletions(-) Thanks all! -- Kind regards, Michael
Bug#899006: stretch-pu: package intel-microcode/3.20180425.1~deb9u1
On Sat, 09 Jun 2018, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Fri, 2018-05-18 at 10:32 -0300, Henrique de Moraes Holschuh wrote: > > I'd like to update the intel-microcode package in Debian stretch. > > > > This update adds the microcode-side fix for CVE-2017-5715 aka Spectre > > v2. > > > > Please go ahead. Uploaded. Thank you! -- Henrique Holschuh
Bug#901276: jessie-pu: package lame/3.99.5+repack1-7+deb8u2
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, lame 3.99.5+repack1-7+deb8u1 is affected by several vulnerabilities in the code used to read the input file. These issues are not present in any Debian release after Jessie because the package switched to libsndfile to read and write audio files. The upstream code itself was recently fixed in 3.100. Following advices from lame's upstream and from lame's maintainer I proposed the attached patch. In this patch we modify the Jessie package to use libsndfile instead of the internal code. The security team considers these issues not worth a DSA but recommended me to submit this patch as jessie-pu. You can find more detailed information about this patch on the debian-lts ML[0]. Thanks ! Regards, Hugo [0] https://lists.debian.org/debian-lts/2018/05/msg00081.html -- Hugo Lefeuvre (hle)|www.owl.eu.com 4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA diff -Nru lame-3.99.5+repack1/debian/changelog lame-3.99.5+repack1/debian/changelog --- lame-3.99.5+repack1/debian/changelog 2015-06-15 09:05:28.0 -0400 +++ lame-3.99.5+repack1/debian/changelog 2018-05-27 17:30:02.0 -0400 @@ -1,3 +1,16 @@ +lame (3.99.5+repack1-7+deb8u2) oldstable; urgency=high + + [ Fabian Greffrath ] + + * Build the frontend with the sndfile io routines, RAW PCM and WAV can be +read from stdin since at least 3.99.0 (Closes: #867725). +- Add Build-Depends: libsndfile1-dev. + +Addressed CVEs: CVE-2017-9872, CVE-2017-9871, CVE-2017-9870, CVE-2017-9869, +CVE-2017-15046, CVE-2017-15045, CVE-2017-15018. + + -- Hugo Lefeuvre Sun, 27 May 2018 17:30:02 -0400 + lame (3.99.5+repack1-7+deb8u1) jessie; urgency=medium * debian/patches/force_align_arg_pointer.patch: Enable functions with SSE diff -Nru lame-3.99.5+repack1/debian/control lame-3.99.5+repack1/debian/control --- lame-3.99.5+repack1/debian/control 2015-06-15 09:03:04.0 -0400 +++ lame-3.99.5+repack1/debian/control 2018-05-27 17:16:42.0 -0400 @@ -9,6 +9,7 @@ debhelper (>= 9), dh-autoreconf, libncurses5-dev, + libsndfile1-dev, pkg-config, nasm [i386] Standards-Version: 3.9.5 diff -Nru lame-3.99.5+repack1/debian/rules lame-3.99.5+repack1/debian/rules --- lame-3.99.5+repack1/debian/rules 2015-06-15 09:03:04.0 -0400 +++ lame-3.99.5+repack1/debian/rules 2018-05-27 17:16:42.0 -0400 @@ -9,4 +9,4 @@ --enable-dynamic-frontends \ --enable-expopt=full \ --enable-nasm \ - --with-fileio=lame + --with-fileio=sndfile signature.asc Description: PGP signature
jessie-security packages missing from ftp-master
Hi, As we're getting very close to the EOL point release for jessie (at least from the main archive perspective), I've been having a look at making the delta from the security archive as small as possible beforehand. Packages not synced to ftp-master = I've added notes where I'm aware of reasons for the missing sync. I think this set will all need ftp-master investigation / resolution. * enigmail 2:1.9.9-1~deb8u1 (source + all) * freerdp 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1 (source + binaries) * mat 0.5.2-3+deb8u1 (source + all) - This was originally uploaded to ftp-master, rejected, and re- uploaded to security "as-is", so failed the replay check on ftp-master * openjdk-7 7u171-2.6.13-1~deb8u1 (source + binaries) - I think this may have been a case where the binary uploads were processed before the source. I suspect that on re-processing some architectures may have issues with version constraints, but getting as many incorporated as possible would be appreciated. * openoffice.org-dictionaries 1:3.3.0~rc10-4+deb8u1 (source + all) - I think this is due to some of the binaries (e.g. hunspell-fr) being produced by other source packages with higher versions * procps - appears to have had some sort of upload error 20180610173424|process-upload|dak|procps_3.3.9-9+deb8u1_armhf.changes|Error while loading changes: No valid signature found. (GPG exited with status code 512) Packages not available on -security === Is it worth retrying any of these? * git-annex 5.20141125+deb8u1 (arm64 ppc64el) * graphicsmagick 1.3.20-3+deb8u2 (powerpc) * mariadb-10.0 10.0.32-0+deb8u1 (mips mipsel powerpc s390x) * openjdk-7 7u151-2.6.11-2~deb8u1 (arm64 s390x) * icedove (arm64 i386 mips mipsel powerpc ppc64el s390x) * thunderbird (arm64 mips mipsel powerpc ppc64el s390x) I've grouped these two together as it's basically the same package. Note that the thunderbird source package has never built any binaries in jessie for most of the above architectures, but for tracking purposes we've used the architecture list from the icedove source to calculate regressions. Cheers, Adam
Bug#900514: marked as done (nmu: gnucobol_2.2-1)
Your message dated Sun, 10 Jun 2018 20:22:36 +0200 with message-id <87lgbmpklv@turtle.gmx.de> and subject line Re: Bug#900514: nmu: gnucobol_2.2-1 has caused the Debian Bug report #900514, regarding nmu: gnucobol_2.2-1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 900514: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900514 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu Another case of a package which was uploaded before the ncurses transition and got stuck in NEW for too long. nmu gnucobol_2.2-1 . amd64 . unstable . -m "Rebuild against libncurses6." --- End Message --- --- Begin Message --- On 2018-05-31 19:09 +0200, Sven Joachim wrote: > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: binnmu > > Another case of a package which was uploaded before the ncurses > transition and got stuck in NEW for too long. > > nmu gnucobol_2.2-1 . amd64 . unstable . -m "Rebuild against libncurses6." Looks like this has been done in the meantime.--- End Message ---
Re: stretch-ignore for invalid maintainer address ?
On 10/06/18 11:40, Andreas Beckmann wrote: > Hi, > > can we tag > "Invalid maintainer address pkg-foo...@lists.alioth.debian.org" > bugs as stretch-ignore? Yes, or they could be tagged "sid buster" as we don't intend to fix those in stable. Emilio
Bug#901248: Britney crashes in _compute_groups when attempting migration
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: britney Hi! This is a slightly different form of the issue we recently discussed on IRC, but it likely has the same cause: arch:all package being available in different versions in arm64 vs amd64 for some reason. Britney crashes with the following error: ``` I: [2018-06-06T19:54:54+] - most: (92) .. kicad-templates kimagemapeditor -python-msrestazure kicad-footprints kicad-packages3d kopano-webapp libgitlab-api-v4-perl cross-toolchain-base-ports emacs-jabber pxz fonts-sawarabi-gothic ruby-sidekiq-limit-fetch golang-github-go-ini-ini apache-directory-server python-certbot-dns-digitalocean stenographer t4kcommon libsdl1.2 emacs-ctable refpolicy I: [2018-06-06T19:54:54+] - trying: r-cran-bayesplot I: [2018-06-06T19:54:54+] - skipped: r-cran-bayesplot (41, 0, 10) I: [2018-06-06T19:54:54+] - got: 17398+0: a-14680:a-2718 I: [2018-06-06T19:54:54+] - * amd64: r-cran-bayesplot I: [2018-06-06T19:54:54+] - trying: neutron I: [2018-06-06T19:54:54+] - skipped: neutron (41, 1, 9) I: [2018-06-06T19:54:54+] - got: 17398+0: a-14680:a-2718 I: [2018-06-06T19:54:54+] - * amd64: neutron-plugin-openvswitch-agent I: [2018-06-06T19:54:54+] - trying: selinux-dbus selinux-python Traceback (most recent call last): File "/srv/laniakea/dist/britney2/britney.py", line 2857, in Britney().main() File "/srv/laniakea/dist/britney2/britney.py", line 2846, in main self.upgrade_testing() File "/srv/laniakea/dist/britney2/britney.py", line 2493, in upgrade_testing self.do_all() File "/srv/laniakea/dist/britney2/britney.py", line 2359, in do_all (nuninst_end, extra) = self.iter_packages(upgrade_me, selected, nuninst=nuninst_end, lundo=lundo) File "/srv/laniakea/dist/britney2/britney.py", line 2250, in iter_packages accepted, nuninst_after, comp_undo, failed_arch = self.try_migration(comp, nuninst_last_accepted, lundo) File "/srv/laniakea/dist/britney2/britney.py", line 2149, in try_migration allow_smooth_updates=False) File "/srv/laniakea/dist/britney2/britney.py", line 1855, in _compute_groups if binaries_t[parch][0][binary].source != source_name: KeyError: 'policycoreutils-gui' ``` Given this configuration file (slightly reduced and simplified here): ``` NONINST_STATUS = output/target/non-installable-status EXCUSES_OUTPUT = output/target/excuses.html EXCUSES_YAML_OUTPUT = output/target/excuses.yaml UPGRADE_OUTPUT = output/target/output.txt HEIDI_OUTPUT= output/target/HeidiResult STATIC_INPUT_DIR = input/ HINTSDIR = input/hints STATE_DIR= state/ HINTS_LANIAKEA = ALL SMOOTH_UPDATES = libs oldlibs IGNORE_CRUFT = 1 UNSTABLE = /path/to/landing TESTING = /path/to/purple COMPONENTS = main ARCHITECTURES = amd64 arm64 NOBREAKALL_ARCHES = amd64 MINDAYS_LOW = 0 MINDAYS_EMERGENCY = 0 MINDAYS_CRITICAL = 0 MINDAYS_HIGH = 0 MINDAYS_MEDIUM = 0 DEFAULT_URGENCY = medium OUTOFSYNC_ARCHES = amd64 arm64 BREAK_ARCHES = NEW_ARCHES= ``` And using these Packages/Sources as input: https://people.debian.org/~mak/share/pureos-mindist-britney-crash.zip (file is a bit bigger than what could be uploaded here). Britney2 is at commit `d11152b36601bf81c2ab0f24a476654bb1e59eff` when showing this crash. A difference to the previous crash (at the same position) that did show up first is that this time, arm64 is not in BREAK_ARCHES. If there is any further information you need or anything I can help with, please let me know! Thank you!
Re: stretch-ignore for invalid maintainer address ?
On 6/10/18 11:40 AM, Andreas Beckmann wrote: > can we tag > "Invalid maintainer address pkg-foo...@lists.alioth.debian.org" > bugs as stretch-ignore? As we need a way to reach people, I suppose that'd only make sense if the metadata has been fixed in unstable, no? Kind regards Philipp kern
stretch-ignore for invalid maintainer address ?
Hi, can we tag "Invalid maintainer address pkg-foo...@lists.alioth.debian.org" bugs as stretch-ignore? Andreas
Bug#885584: jessie-pu: package ncurses/5.9+20140913-1+deb8u3
On 2018-06-08 21:26 +0100, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Thu, 2017-12-28 at 11:43 +0100, Sven Joachim wrote: >> > The same problem with the same fix as in #885582 for stretch. > > Please go ahead. Apologies for the very long delay. Uploaded, thanks. Cheers, Sven
Bug#893507: jessie-pu: package reportbug/6.6.3+deb8u1
Hi Adam, On Fri, Jun 08, 2018 at 08:53:32PM +0100, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Mon, 2018-03-19 at 14:39 +0100, Salvatore Bonaccorso wrote: > > This is the corresponding request to #891918 but for jessie-pu. > > > > I like to propose the following little change for the upcoming point > > release to include for reportbug. The secure testing security team > > does not exists for a long time by now, and when alioth will be > > decomissioned the secure-testing-team list will disapear. Cf. > > #32. > > > > It would thus be good if reportbug stops Cc'ing the secure-testing > > team. > > > > Please go ahead; sorry for the delay. No problem at all :). Thanks a lot I just have uploaded reportbug/6.6.3+deb8u1. Regards, Salvatore
Bug#901155: transition: octave-4.4
On Sat, Jun 09, 2018 at 07:52:12PM +0200, Emilio Pozuelo Monfort wrote: > On 09/06/18 16:22, Sébastien Villemot wrote: > > Package: release.debian.org > > Severity: normal > > User: release.debian@packages.debian.org > > Usertags: transition > > Control: forwarded -1 > > https://release.debian.org/transitions/html/auto-octave.html > > > > Dear Release Team, > > > > Please schedule a transition for octave 4.4. The new package is already in > > experimental. > > > > Few reverse dependencies will need sourceful NMUs. In any case, we stand > > ready > > to NMU. > > Go ahead. Thanks. Octave 4.4.0-3 is now uploaded and built on all release architectures. -- ⢀⣴⠾⠻⢶⣦⠀ Sébastien Villemot ⣾⠁⢠⠒⠀⣿⡁ Debian Developer ⢿⡄⠘⠷⠚⠋⠀ http://sebastien.villemot.name ⠈⠳⣄ http://www.debian.org signature.asc Description: PGP signature