Re: [pcp] pcp is marked for autoremoval from testing

2019-05-29 Thread Nathan Scott
Hi folks,

The issues below no longer affect pcp-4.3.2, which has been in
unstable for some time.
According to https://tracker.debian.org/pkg/pcp this version is blocked ...

"Not touching package due to block request by freeze (please contact
debian-release if update is needed)"

Please consider unblocking pcp-4.3.2 to resolve this.

thanks!

--
Nathan

On Thu, May 30, 2019 at 2:49 PM Debian testing autoremoval watch
 wrote:
>
> pcp 4.3.1-1 is marked for autoremoval from testing on 2019-06-19
>
> It (build-)depends on packages with these RC bugs:
> 928367: papi: libpapi5: SOVERSION is too wide for the runtime check in 
> PAPI_library_init()
> 928959: papi: DFSG-unfree file in source
>



Processed: RFS: elpy/1.28.0-2

2019-05-29 Thread Debian Bug Tracking System
Processing control commands:

> block 928913 by -1
Bug #928913 [release.debian.org] unblock: elpy/1.28.0-2
928913 was not blocked by any bugs.
928913 was blocking: 927084 927085 928633
Added blocking bug(s) of 928913: 929740

-- 
928913: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928913
929740: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929740
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#929321: unblock: sqlalchemy/1.2.18+ds1-2 (CVE-2019-7164 CVE-2019-7548)

2019-05-29 Thread Mike Bayer


On Wed, May 29, 2019, at 5:28 PM, Thomas Goirand wrote:
> 
> Dear Debian release team,
> 
> Please note that, even though I was the person who updated SQLAlchemy to
> apply the upstream CVE fix, I am not the official maintainer of the
> package, and that this is probably up to Piotr to do the work. I'm
> happily replying though. :)
> 
> I'm CC-ing Piotr and Mike Bayer (upstream for SQLAlchemy).
> 
> On 5/28/19 8:59 PM, Paul Gevers wrote:
> > Control: tags -1 moreinfo confirmed
> > 
> > Hi Zigo,
> > 
> > On Tue, 21 May 2019 17:50:28 +0200 Thomas Goirand  wrote:
> >> Note that it may (or not) break some reverse dependencies, though according
> >> to upstream, OpenStack (the biggest SQLAlchemy consumer in Debian) behaves
> >> correctly with it. If this happens, then these reverse dependencies will
> >> have to be fixed.
> > 
> > Do you already have indications that this may be the case?
> 
> For all things OpenStack, I'm pretty sure that everything is ok, because
> the upstream author of SQLAlchemy has been hired by Red Hat to make sure
> OpenStack uses SQLAlchemy the proper way.
> 
> For other dependencies, it's harder to know.
> 
> > Have you
> > already warned the reverse dependencies to check? I would appreciate it
> > if you do such that we can also have those fixed reverse dependencies in
> > buster.
> > 
> > Paul
> 
> Here's the list of reverse dependencies for python3-sqlalchemy:
> 
> * buildbot
> * changeme
> * db2twitter
> * dms-core [amd64 arm64 armel armhf i386 mips mips64el mipsel ppc64el s390x]
> * mailman3
> * openlp
> * python3-agatesql
> * python3-geoalchemy2
> * python3-osmalchemy
> * python3-pybel
> * python3-sadisplay
> * python3-sqlsoup
> * retweet
> * sqlacodegen
> * yokadi
> 
> Here are those for python-sqlalchemy:
> 
> * archipel-core
> * bauble
> * blogofile-converters
> * childsplay
> * epigrass [amd64 arm64 armel armhf i386 kfreebsd-amd64 mips mips64el
> mipsel ppc64el s390x]
> * gnukhata-core
> * gourmet
> * griffith
> * kamcli
> * pegasus-wms
> * pycsw-wsgi
> * python-elixir
> * python-pywps
> * python-sprox
> * python-sqlkit
> * python-sqlsoup
> * python-zope.sqlalchemy
> * pytrainer
> * vistrails
> * yhsm-yubikey-ksm
> 
> I removed all-things-openstack and libraries that are very unlikely to
> have issues, such as sqlalchemy-utils and others.
> 
> I don't know any of the above packages. It would be hard to tell who's
> affected by a related problem, though the misuse of SQLAlchemy
> (because that's really what we're talking about here... a misuse that
> should have been considered a bug to begin with, even without the
> applied patch to SQLAlchemy) is quite rare.
> 
> I very much think it's safer to just allow SQLAlchemy to migrate right
> now, to fix the potential SQL insertion vulnerability, rather than
> waiting for any (potential, but likely rare) issue in the above reverse
> dependencies.
> 
> I do think a gentle ping to the maintainers of the above packages would
> be nice, but probably mass-filing of bugs isn't needed. How can I
> easily gather the list of maintainers? Is there a script somewhere to do
> this, or should I write it myself (which shouldn't be hard with some
> apt-cache show in a loop...)?
> 
> Piotr, Mike, is what I wrote above accurate?

I can confirm OpenStack is likely OK, most packages are likely OK, and if a 
package is not OK, it's a trivial fix for them.


> 
> Cheers,
> 
> Thomas Goirand (zigo)
> 


Bug#929731: unblock: flash-kernel/3.99

2019-05-29 Thread Cyril Brulebois
Hi,

Niels Thykier  (2019-05-29):
> Vagrant Cascadian:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > X-Debbugs-Cc: vagr...@debian.org, debian-b...@lists.debian.org
> > 
> > Please unblock package flash-kernel
> > 
> > This upload adds support for two additional boards, one additional name
> > for another board, and updates the Uploaders list. The changes should be
> > very low risk to existing platforms, and really appreciated by people
> > with the added boards.
> > 
> > 
> > [...]
> > 
> > unblock flash-kernel/3.99

No objections, thanks.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Bug#929519: unblock: matrix-synapse/0.99.5.1-2

2019-05-29 Thread Andrej Shadura
Hi,

On Wed, 29 May 2019 at 23:43, Paul Gevers  wrote:
> You're not going to like it.
>
> On Sat, 25 May 2019 12:46:12 +0100 Andrej Shadura 
> wrote:
> > I’m attaching a git diff between patches-applied trees of 0.99.2-5
> > currently in buster and 0.99.5.1-1 currently in experimental (the
> > version in testing ships with a few security fixes backported from
> > 0.99.3). The proposed 0.99.5.1-2 would be a no-change upload with just
> > a changelog bump.
>
>  381 files changed, 20100 insertions(+), 16629 deletions(-)
>
> This isn't reviewable and is very much not in line with our freeze policy.

Heh. I was hoping for an exception :)

> Shall I proceed and remove the package from buster?

Not yet. I will discuss this with the Synapse upstream to see what is
more suitable. An alternative would be a NEWS/README entry telling
users to upgrade to a version from backports if they want to be able
to use v4 or v5 rooms.

-- 
Cheers,
  Andrej



Bug#929519: unblock: matrix-synapse/0.99.5.1-2

2019-05-29 Thread Paul Gevers
Control: tags -1 moreinfo

Hi Andrej,

You're not going to like it.

On Sat, 25 May 2019 12:46:12 +0100 Andrej Shadura 
wrote:
> I’m attaching a git diff between patches-applied trees of 0.99.2-5
> currently in buster and 0.99.5.1-1 currently in experimental (the
> version in testing ships with a few security fixes backported from
> 0.99.3). The proposed 0.99.5.1-2 would be a no-change upload with just
> a changelog bump.

 381 files changed, 20100 insertions(+), 16629 deletions(-)

This isn't reviewable and is very much not in line with our freeze policy.

Shall I proceed and remove the package from buster?

Paul



Bug#929736: marked as done (unblock: firejail/0.9.58.2-2)

2019-05-29 Thread Debian Bug Tracking System
Your message dated Wed, 29 May 2019 21:40:00 +
with message-id 
and subject line Re: Bug#929736: unblock: firejail/0.9.58.2-2
has caused the Debian Bug report #929736,
regarding unblock: firejail/0.9.58.2-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
929736: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929736
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package firejail

The version in unstable fixes two security issues:

#929732 (debian/patches/seccomp-join.patch):
This issue allowed someone to run a program inside a jail that is protected
by seccomp filters without any seccomp filtering.
The location of the filters inside the jail was writable, so it could
be overwritten/deleted, so programs that were afterwards joined into the jail
had no filter applied.

#929733 (debian/patches/truncation.patch):
A race was possible that allowed someone inside the jail to truncate
the firejail binary outside the jail under certain conditions.
(The jailed program needs to be run as root, and it needs to be terminated
from the outside as root.)

Thanks in advance.

Kind regards,
   Reiner

unblock firejail/0.9.58.2-2
diff -Nru firejail-0.9.58.2/debian/changelog firejail-0.9.58.2/debian/changelog
--- firejail-0.9.58.2/debian/changelog  2019-02-08 20:06:02.0 +0100
+++ firejail-0.9.58.2/debian/changelog  2019-05-29 21:06:42.0 +0200
@@ -1,3 +1,16 @@
+firejail (0.9.58.2-2) unstable; urgency=high
+
+  * Cherry-pick security fix for seccomp bypass issue. (Closes: #929732)
+Seccomp filters were writable inside the jail, so they could be
+overwritten/truncated. Another jail that was then joined with the first
+one, had no seccomp filters applied.
+  * Cherry-pick security fix for binary truncation issue. (Closes: #929733)
+When the jailed program was running as root, and firejail was killed
+from the outside (as root), the jailed program had the possibility to
+truncate the firejail binary outside the jail.
+
+ -- Reiner Herrmann   Wed, 29 May 2019 21:06:42 +0200
+
 firejail (0.9.58.2-1) unstable; urgency=medium
 
   * New upstream release.
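Review bot: the two new entries in the 0.9.58.2-2 stanza identify the security fixes only by Debian bug number (Closes: #929732 and #929733). If CVE ids have been assigned to either issue, name them in the same entries so the upload can be matched against security tracking without opening the bug reports.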
diff -Nru firejail-0.9.58.2/debian/patches/seccomp-join.patch 
firejail-0.9.58.2/debian/patches/seccomp-join.patch
--- firejail-0.9.58.2/debian/patches/seccomp-join.patch 1970-01-01 
01:00:00.0 +0100
+++ firejail-0.9.58.2/debian/patches/seccomp-join.patch 2019-05-29 
18:57:28.0 +0200
@@ -0,0 +1,91 @@
+From: smitsohu 
+Subject: [PATCH] mount runtime seccomp files read-only (#2602)
+Bug: https://github.com/netblue30/firejail/issues/2718
+Bug-Debian: https://bugs.debian.org/929732
+Origin: upstream, https://github.com/netblue30/firejail/commit/eecf35c
+
+avoid creating locations in the file system that are both writable and
+executable (in this case for processes with euid of the user).
+
+for the same reason also remove user owned libfiles
+when it is not needed any more
+
+--- a/src/firejail/firejail.h
 b/src/firejail/firejail.h
+@@ -57,13 +57,14 @@
+ #define RUN_LIB_FILE  "/run/firejail/mnt/libfiles"
+ #define RUN_DNS_ETC   "/run/firejail/mnt/dns-etc"
+ 
+-#define RUN_SECCOMP_LIST  "/run/firejail/mnt/seccomp.list"// list 
of seccomp files installed
+-#define RUN_SECCOMP_PROTOCOL  "/run/firejail/mnt/seccomp.protocol"// 
protocol filter
+-#define RUN_SECCOMP_CFG   "/run/firejail/mnt/seccomp" 
// configured filter
+-#define RUN_SECCOMP_32"/run/firejail/mnt/seccomp.32"  // 
32bit arch filter installed on 64bit architectures
+-#define RUN_SECCOMP_MDWX  "/run/firejail/mnt/seccomp.mdwx"
// filter for memory-deny-write-execute
+-#define RUN_SECCOMP_BLOCK_SECONDARY   
"/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking 
filter
+-#define RUN_SECCOMP_POSTEXEC  "/run/firejail/mnt/seccomp.postexec"
// filter for post-exec library
++#define RUN_SECCOMP_DIR   "/run/firejail/mnt/seccomp"
++#define RUN_SECCOMP_LIST  "/run/firejail/mnt/seccomp/seccomp.list"
// list of seccomp files installed
++#define RUN_SECCOMP_PROTOCOL  "/run/firejail/mnt/seccomp/seccomp.protocol"
// protocol filter
++#define RUN_SECCOMP_CFG   "/run/firejail/mnt/seccomp/seccomp" 
// configured filter
++#define RUN_SECCOMP_32"/run/firejail/mnt/seccomp/seccomp.32"  
// 32bit arch filter installed on 64bit architectures
++#define RUN_SECCOMP_MDWX  
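
Review bot: in the firejail.h hunk, the path "/run/firejail/mnt/seccomp" changes meaning: it was the RUN_SECCOMP_CFG filter file and becomes the RUN_SECCOMP_DIR directory, with every filter moved one level below it. A sandbox started by the old binary still has a regular file at that path, so please confirm what a join performed after the upgrade does when it looks for "/run/firejail/mnt/seccomp/seccomp.list" there; it should fail closed rather than continue without filters. The patch description also mentions removing user-owned libfiles, which the changelog entry does not record.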

Processed: Re: unblock: matrix-synapse/0.99.5.1-2

2019-05-29 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 moreinfo
Bug #929519 [release.debian.org] unblock: matrix-synapse/0.99.5.1-2
Added tag(s) moreinfo.

-- 
929519: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929519
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#929486: unblock: debootstick/2.3

2019-05-29 Thread Paul Gevers
Control: tags -1 confirmed moreinfo

On Fri, 24 May 2019 14:20:54 + Etienne Dublé
 wrote:
> Package 2.3 of debootstick was just uploaded to experimental by my sponsor 
> (Vincent Danjean).
> If you accept this unblock request, he will upload it to unstable.

You're probably aware, but keep in mind that the version needs to be
bumped. Please go ahead and remove the moreinfo tag from this bug when
there is something to unblock.

Paul





Processed: Re: unblock: debootstick/2.3

2019-05-29 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed moreinfo
Bug #929486 [release.debian.org] unblock: debootstick/2.3
Added tag(s) confirmed and moreinfo.

-- 
929486: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929486
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#929321: unblock: sqlalchemy/1.2.18+ds1-2 (CVE-2019-7164 CVE-2019-7548)

2019-05-29 Thread Thomas Goirand


Dear Debian release team,

Please note that, even though I was the person who updated SQLAlchemy to
apply the upstream CVE fix, I am not the official maintainer of the
package, and that this is probably up to Piotr to do the work. I'm
happily replying though. :)

I'm CC-ing Piotr and Mike Bayer (upstream for SQLAlchemy).

On 5/28/19 8:59 PM, Paul Gevers wrote:
> Control: tags -1 moreinfo confirmed
> 
> Hi Zigo,
> 
> On Tue, 21 May 2019 17:50:28 +0200 Thomas Goirand  wrote:
>> Note that it may (or not) break some reverse dependencies, though according
>> to upstream, OpenStack (the biggest SQLAlchemy consumer in Debian) behaves
>> correctly with it. If this happens, then these reverse dependencies will
>> have to be fixed.
> 
> Do you already have indications that this may be the case?

For all things OpenStack, I'm pretty sure that everything is ok, because
the upstream author of SQLAlchemy has been hired by Red Hat to make sure
OpenStack uses SQLAlchemy the proper way.

For other dependencies, it's harder to know.

> Have you
> already warned the reverse dependencies to check? I would appreciate it
> if you do such that we can also have those fixed reverse dependencies in
> buster.
> 
> Paul

Here's the list of reverse dependencies for python3-sqlalchemy:

* buildbot
* changeme
* db2twitter
* dms-core [amd64 arm64 armel armhf i386 mips mips64el mipsel ppc64el s390x]
* mailman3
* openlp
* python3-agatesql
* python3-geoalchemy2
* python3-osmalchemy
* python3-pybel
* python3-sadisplay
* python3-sqlsoup
* retweet
* sqlacodegen
* yokadi

Here are those for python-sqlalchemy:

* archipel-core
* bauble
* blogofile-converters
* childsplay
* epigrass [amd64 arm64 armel armhf i386 kfreebsd-amd64 mips mips64el
mipsel ppc64el s390x]
* gnukhata-core
* gourmet
* griffith
* kamcli
* pegasus-wms
* pycsw-wsgi
* python-elixir
* python-pywps
* python-sprox
* python-sqlkit
* python-sqlsoup
* python-zope.sqlalchemy
* pytrainer
* vistrails
* yhsm-yubikey-ksm

I removed all-things-openstack and libraries that are very unlikely to
have issues, such as sqlalchemy-utils and others.

I don't know any of the above packages. It would be hard to tell who's
affected by a related problem, though the misuse of SQLAlchemy
(because that's really what we're talking about here... a misuse that
should have been considered a bug to begin with, even without the
applied patch to SQLAlchemy) is quite rare.

I very much think it's safer to just allow SQLAlchemy to migrate right
now, to fix the potential SQL insertion vulnerability, rather than
waiting for any (potential, but likely rare) issue in the above reverse
dependencies.

I do think a gentle ping to the maintainers of the above packages would
be nice, but probably mass-filing of bugs isn't needed. How can I
easily gather the list of maintainers? Is there a script somewhere to do
this, or should I write it myself (which shouldn't be hard with some
apt-cache show in a loop...)?

Piotr, Mike, is what I wrote above accurate?

Cheers,

Thomas Goirand (zigo)



Bug#929478: marked as done (unblock: live-tasks/0.7)

2019-05-29 Thread Debian Bug Tracking System
Your message dated Wed, 29 May 2019 23:26:16 +0200
with message-id 
and subject line Re: unblock: live-tasks/0.7
has caused the Debian Bug report #929478,
regarding unblock: live-tasks/0.7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
929478: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929478
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package live-tasks

This upload addresses the following metapackage issues:

  * Add ibus-m17n to live-task-localisation
(Closes: #866391)

  * Replace inetutils-ping with iputils-ping
(Closes: #924211)

  * Make live-task-standard depend on libnss-systemd
(Closes: #924214)

  * Use new new logind virtual packages
(Closes: #925331)

thanks,

-Jonathan
--- End Message ---
--- Begin Message ---
Hi,

On Fri, 24 May 2019 12:04:43 +0200 "jonathan" 
wrote:
> Please unblock package live-tasks

Didn't check, but it migrated already.

Paul



--- End Message ---


Bug#929591: unblock: golang-github-seccomp-libseccomp-golang/0.9.0-2

2019-05-29 Thread Paul Gevers
Control: tags -1 moreinfo

On 28-05-2019 21:35, Shengjing Zhu wrote:
>> I'll binNMU that first, let's see if it doesn't pick up anything else.
>> Otherwise, you know the drill by now.
> 
> It (snapd) would,
> 
> snapd Build-Depends golang-golang-x-sys.
> 
> Let's binNMU after the mess is cleaned up.

Ok, please remove the moreinfo tag when that is done.

Paul





Processed: Re: unblock: golang-github-seccomp-libseccomp-golang/0.9.0-2

2019-05-29 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 moreinfo
Bug #929591 [release.debian.org] unblock: 
golang-github-seccomp-libseccomp-golang/0.9.0-2
Added tag(s) moreinfo.

-- 
929591: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929591
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#929736: unblock: firejail/0.9.58.2-2

2019-05-29 Thread Reiner Herrmann
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package firejail

The version in unstable fixes two security issues:

#929732 (debian/patches/seccomp-join.patch):
This issue allowed someone to run a program inside a jail that is protected
by seccomp filters without any seccomp filtering.
The location of the filters inside the jail was writable, so it could
be overwritten/deleted, so programs that were afterwards joined into the jail
had no filter applied.

#929733 (debian/patches/truncation.patch):
A race was possible that allowed someone inside the jail to truncate
the firejail binary outside the jail under certain conditions.
(The jailed program needs to be run as root, and it needs to be terminated
from the outside as root.)

Thanks in advance.

Kind regards,
   Reiner

unblock firejail/0.9.58.2-2
diff -Nru firejail-0.9.58.2/debian/changelog firejail-0.9.58.2/debian/changelog
--- firejail-0.9.58.2/debian/changelog  2019-02-08 20:06:02.0 +0100
+++ firejail-0.9.58.2/debian/changelog  2019-05-29 21:06:42.0 +0200
@@ -1,3 +1,16 @@
+firejail (0.9.58.2-2) unstable; urgency=high
+
+  * Cherry-pick security fix for seccomp bypass issue. (Closes: #929732)
+Seccomp filters were writable inside the jail, so they could be
+overwritten/truncated. Another jail that was then joined with the first
+one, had no seccomp filters applied.
+  * Cherry-pick security fix for binary truncation issue. (Closes: #929733)
+When the jailed program was running as root, and firejail was killed
+from the outside (as root), the jailed program had the possibility to
+truncate the firejail binary outside the jail.
+
+ -- Reiner Herrmann   Wed, 29 May 2019 21:06:42 +0200
+
 firejail (0.9.58.2-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru firejail-0.9.58.2/debian/patches/seccomp-join.patch 
firejail-0.9.58.2/debian/patches/seccomp-join.patch
--- firejail-0.9.58.2/debian/patches/seccomp-join.patch 1970-01-01 
01:00:00.0 +0100
+++ firejail-0.9.58.2/debian/patches/seccomp-join.patch 2019-05-29 
18:57:28.0 +0200
@@ -0,0 +1,91 @@
+From: smitsohu 
+Subject: [PATCH] mount runtime seccomp files read-only (#2602)
+Bug: https://github.com/netblue30/firejail/issues/2718
+Bug-Debian: https://bugs.debian.org/929732
+Origin: upstream, https://github.com/netblue30/firejail/commit/eecf35c
+
+avoid creating locations in the file system that are both writable and
+executable (in this case for processes with euid of the user).
+
+for the same reason also remove user owned libfiles
+when it is not needed any more
+
+--- a/src/firejail/firejail.h
 b/src/firejail/firejail.h
+@@ -57,13 +57,14 @@
+ #define RUN_LIB_FILE  "/run/firejail/mnt/libfiles"
+ #define RUN_DNS_ETC   "/run/firejail/mnt/dns-etc"
+ 
+-#define RUN_SECCOMP_LIST  "/run/firejail/mnt/seccomp.list"// list 
of seccomp files installed
+-#define RUN_SECCOMP_PROTOCOL  "/run/firejail/mnt/seccomp.protocol"// 
protocol filter
+-#define RUN_SECCOMP_CFG   "/run/firejail/mnt/seccomp" 
// configured filter
+-#define RUN_SECCOMP_32"/run/firejail/mnt/seccomp.32"  // 
32bit arch filter installed on 64bit architectures
+-#define RUN_SECCOMP_MDWX  "/run/firejail/mnt/seccomp.mdwx"
// filter for memory-deny-write-execute
+-#define RUN_SECCOMP_BLOCK_SECONDARY   
"/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking 
filter
+-#define RUN_SECCOMP_POSTEXEC  "/run/firejail/mnt/seccomp.postexec"
// filter for post-exec library
++#define RUN_SECCOMP_DIR   "/run/firejail/mnt/seccomp"
++#define RUN_SECCOMP_LIST  "/run/firejail/mnt/seccomp/seccomp.list"
// list of seccomp files installed
++#define RUN_SECCOMP_PROTOCOL  "/run/firejail/mnt/seccomp/seccomp.protocol"
// protocol filter
++#define RUN_SECCOMP_CFG   "/run/firejail/mnt/seccomp/seccomp" 
// configured filter
++#define RUN_SECCOMP_32"/run/firejail/mnt/seccomp/seccomp.32"  
// 32bit arch filter installed on 64bit architectures
++#define RUN_SECCOMP_MDWX  "/run/firejail/mnt/seccomp/seccomp.mdwx"
// filter for memory-deny-write-execute
++#define RUN_SECCOMP_BLOCK_SECONDARY   
"/run/firejail/mnt/seccomp/seccomp.block_secondary" // secondary arch 
blocking filter
++#define RUN_SECCOMP_POSTEXEC  "/run/firejail/mnt/seccomp/seccomp.postexec"
// filter for post-exec library
+ #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") 
// default filter built during make
+ #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // 
default filter built during make
+ #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32")   
// 32bit arch filter built during make
+@@ -94,7 +95,6 @@
+ #define RUN_ASOUNDRC_FILE "/run/firejail/mnt/.asoundrc"
+ #define 

Bug#929734: unblock: nova/18.1.0-6

2019-05-29 Thread Thomas Goirand
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear release team,
Please unblock package nova 18.1.0-6.

During normal operation, it may happen that nova-conductor doesn't
work as expected when requesting a (live) migration of a virtual
machine from one compute node to another. Indeed, some information
may be missing in the json object generated by nova-conductor,
leading to an HTTP 500 error.

This patch fixes the mess if a VM gets into this broken state.

I'm sorry if this isn't a full explanation of how things work, but
it'd be hard to get into the full details of how Nova works. Though
please trust me, this is an important patch that really needs to
be in Buster, and I have tested this patch with success in production.

Cheers,

Thomas Goirand (zigo)

unblock nova/18.1.0-6
diff -Nru nova-18.1.0/debian/changelog nova-18.1.0/debian/changelog
--- nova-18.1.0/debian/changelog2019-03-07 17:24:19.0 +0100
+++ nova-18.1.0/debian/changelog2019-05-29 14:56:05.0 +0200
@@ -1,3 +1,11 @@
+nova (2:18.1.0-6) unstable; urgency=medium
+
+  * Add upstream patch to fix broken request_spec, which in certain cases lead
+to breaking instance migration:
+- Workaround_missing_RequestSpec.instance_group.uuid.patch
+
+ -- Thomas Goirand   Wed, 29 May 2019 14:56:05 +0200
+
 nova (2:18.1.0-5) unstable; urgency=medium
 
   * Revert using uwsgi for nova-api: this breaks the metadata server.
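Review bot: the new 2:18.1.0-6 entry names the patch file but not the bug it fixes, while the patch header further down carries "Closes-Bug: #1830747". Cite that upstream bug in the changelog entry so the reason for the freeze exception is traceable from the changelog alone; "in certain cases lead to" should also read "leads to".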
diff -Nru nova-18.1.0/debian/patches/revert-restore-async-keyword.patch 
nova-18.1.0/debian/patches/revert-restore-async-keyword.patch
--- nova-18.1.0/debian/patches/revert-restore-async-keyword.patch   
2019-03-07 17:24:19.0 +0100
+++ nova-18.1.0/debian/patches/revert-restore-async-keyword.patch   
2019-05-29 14:56:05.0 +0200
@@ -6,11 +6,11 @@
 Forwarded: not-needed
 Last-Update: 2018-09-25
 
-diff --git a/nova/db/sqlalchemy/api.py b/nova/db/sqlalchemy/api.py
-index a67747e408..59f0a8c292 100644
 a/nova/db/sqlalchemy/api.py
-+++ b/nova/db/sqlalchemy/api.py
-@@ -202,7 +202,7 @@ def select_db_reader_mode(f):
+Index: nova/nova/db/sqlalchemy/api.py
+===
+--- nova.orig/nova/db/sqlalchemy/api.py
 nova/nova/db/sqlalchemy/api.py
+@@ -204,7 +204,7 @@ def select_db_reader_mode(f):
  use_slave = keyed_args.get('use_slave', False)
  
  if use_slave:
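Review bot: this refresh of revert-restore-async-keyword.patch is not mentioned in the changelog and is unrelated to the RequestSpec fix. It swaps the git "diff --git"/"index" header for a quilt "Index:" header and moves the hunk from line 202 to line 204; either drop it from the upload to keep the unblock diff minimal, or add a changelog line saying the patch was refreshed and why.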
diff -Nru nova-18.1.0/debian/patches/series nova-18.1.0/debian/patches/series
--- nova-18.1.0/debian/patches/series   2019-03-07 17:24:19.0 +0100
+++ nova-18.1.0/debian/patches/series   2019-05-29 14:56:05.0 +0200
@@ -3,3 +3,4 @@
 remove-crashing-blockdiag-doc-line.patch
 revert-restore-async-keyword.patch
 fix-python3-compatibility-ceph.patch
+Workaround_missing_RequestSpec.instance_group.uuid.patch
diff -Nru 
nova-18.1.0/debian/patches/Workaround_missing_RequestSpec.instance_group.uuid.patch
 
nova-18.1.0/debian/patches/Workaround_missing_RequestSpec.instance_group.uuid.patch
--- 
nova-18.1.0/debian/patches/Workaround_missing_RequestSpec.instance_group.uuid.patch
 1970-01-01 01:00:00.0 +0100
+++ 
nova-18.1.0/debian/patches/Workaround_missing_RequestSpec.instance_group.uuid.patch
 2019-05-29 14:56:05.0 +0200
@@ -0,0 +1,45 @@
+Author: Matt Riedemann 
+Date: Tue, 28 May 2019 11:24:11 -0400
+Subject: [PATCH] Workaround missing RequestSpec.instance_group.uuid
+ It's clear that we could have a RequestSpec.instance_group
+ without a uuid field if the InstanceGroup is set from the
+ _populate_group_info method which should only be used for
+ legacy translation of request specs using legacy filter
+ properties dicts.
+ .
+ To workaround the issue, we look for the group scheduler hint
+ to get the group uuid before loading it from the DB.
+ .
+ The related functional regression recreate test is updated
+ to show this solves the issue.
+Change-Id: I20981c987549eec40ad9762e74b0db16e54f4e63
+Closes-Bug: #1830747
+Origin: upstream, https://review.opendev.org/#/c/661786
+Last-Update: 2019-05-29
+
+Index: nova/nova/objects/request_spec.py
+===
+--- nova.orig/nova/objects/request_spec.py
 nova/nova/objects/request_spec.py
+@@ -225,6 +225,8 @@ class RequestSpec(base.NovaObject):
+ policies = list(filter_properties.get('group_policies'))
+ hosts = list(filter_properties.get('group_hosts'))
+ members = list(filter_properties.get('group_members'))
++# TODO(mriedem): We could try to get the group uuid from the
++# group hint in the filter_properties.
+ self.instance_group = objects.InstanceGroup(policy=policies[0],
+ hosts=hosts,
+ members=members)
+@@ -502,6 +504,12 @@ class RequestSpec(base.NovaObject):
+ spec._context = context
+ 
+ 
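
Review bot: the "Origin:" field of the new patch points at a code review page (https://review.opendev.org/#/c/661786) and the "Date:" is 28 May 2019, one day before the upload, so it is not clear that this is a merged upstream commit. Please state whether the change has merged and which revision of it was taken, and point Origin at the final commit once it exists. Of the two hunks in request_spec.py, the first one shown only adds a TODO comment next to the InstanceGroup construction, so the functional part of the workaround is the second hunk.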



Bug#928185: unblock: openjdk-11/11.0.3+7-4

2019-05-29 Thread Paul Gevers
Control: tags -1 928185 moreinfo
Control: reopen -1

Hi,

On 28-05-2019 23:50, Emmanuel Bourg wrote:
> Tony Mancill has prepared the tpu upload yesterday and Matthias was ok
> with 11.0.3+7 in testing [1].

Can I see a debdiff please?

> Unless Buster is expected at the end of July I'd advise against having
> 11.0.4+2 in testing. This version is an early access release, the final
> 11.0.4 release is expected on July 16th [2]. Debian is currently being
> criticized [3] for allowing EA versions of OpenJDK in Debian stable, I
> think it's important to ship Buster with a GA release.

Then please refrain from uploading the wrong version to unstable, we
have experimental for that. TPU doesn't get much testing, and for sure
isn't covered well by our QA yet. So having such a high profile package
with so many changes going through tpu is awkward.

Paul
/me still not amused





Processed (with 1 error): Re: Bug#928185: unblock: openjdk-11/11.0.3+7-4

2019-05-29 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 928185 moreinfo
Unknown tag/s: 928185.
Recognized are: patch wontfix moreinfo unreproducible help security upstream 
pending confirmed ipv6 lfs d-i l10n newcomer a11y ftbfs fixed-upstream fixed 
fixed-in-experimental sid experimental potato woody sarge sarge-ignore etch 
etch-ignore lenny lenny-ignore squeeze squeeze-ignore wheezy wheezy-ignore 
jessie jessie-ignore stretch stretch-ignore buster buster-ignore bullseye 
bullseye-ignore bookworm bookworm-ignore.

Bug #928185 {Done: Paul Gevers } [release.debian.org] 
unblock: openjdk-11/11.0.3+7-4
Added tag(s) moreinfo.
> reopen -1
Bug #928185 {Done: Paul Gevers } [release.debian.org] 
unblock: openjdk-11/11.0.3+7-4
Bug reopened
Ignoring request to alter fixed versions of bug #928185 to the same values 
previously set

-- 
928185: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928185
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#929635: marked as done (unblock: munin/2.0.49-1)

2019-05-29 Thread Debian Bug Tracking System
Your message dated Wed, 29 May 2019 17:46:00 +
with message-id <05ce3b6f-7cf4-08a2-8341-7d4c6bac5...@thykier.net>
and subject line Re: Bug#929635: unblock: munin/2.0.49-1
has caused the Debian Bug report #929635,
regarding unblock: munin/2.0.49-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
929635: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929635
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package munin, it fixes three important bugs (and a bunch
of normal bugs). munin is a leaf package and 2.0.49 is just another bugfix
release and has been in sid for 11 days without any new issues reported.

munin (2.0.49-1) unstable; urgency=medium

  [ Lars Kruse ]
  * New upstream version 2.0.49, fixing the upstream issue #1187
(https://github.com/munin-monitoring/munin/issues/1187) which breaks the
visualization of comparison pages and the "problems" overview for munin's
default settings ("html_strategy" and "graph_strategy" being "cron").
  * New upstream version 2.0.48, fixing various issues, including bugs in:
- Accept DNS names in "allow" (Closes: #483617)
- Natural sort output on cpuspeed plugin (Closes: #924366)
- postgres_connections_ "Query failed!" (Closes: #924424)
- diskstat_ plugin fails with 4.19 kernels (Closes: #926146)
- open_files max is 18 quintillion, obscuring graph (Closes: #928211)
- upstream issues:
  * https://github.com/munin-monitoring/munin/issues/579:
A connection issue with a node leads to the premature removal of all
its graphs from the master visualization, if any plugin (from any
node) returned an invalid output.
  * https://github.com/munin-monitoring/munin/issues/951:
munin-async failed to handle plugins with names containing special
characters. Such valid plugins worked only locally, but not via
munin-async.
  * https://github.com/munin-monitoring/munin/issues/460:
In an fcgid-based setup (recommended when using nginx) every but the
first request for a "comparison" page returned invalid graphs due to
a mistaken permanent internal state change. This long-standing issue
plagued munin since wheezy.
  * Re-export upstream signing key without extra signatures.
  * Ensure that /var/cache/munin/www exists.
Thanks to Marvin Gülker (Closes: #927692)
  * Keep permission of /run/munin in sync for systemd and sysvinit

 -- Holger Levsen   Thu, 16 May 2019 01:21:08 +0200

$ debdiff munin_2.0.47-1.dsc  munin_2.0.49-1.dsc | diffstat
 ChangeLog   |   56 
 RELEASE |2 
 debian/changelog|   57 ++--
 debian/examples/systemd-fastcgi/munin-graph.service |   11 ++
 debian/examples/systemd-fastcgi/munin-graph.socket  |8 +
 debian/examples/systemd-fastcgi/munin-html.service  |   11 ++
 debian/examples/systemd-fastcgi/munin-html.socket   |8 +
 debian/munin-common.tmpfile |2 
 debian/munin-node.tmpfile   |2 
 debian/munin.examples   |1 
 debian/munin.init   |   10 +-
 debian/tests/munin-node/02.plugins.t|4 
 debian/upstream/signing-key.asc |   39 
 master/lib/Munin/Master/Config.pm   |   21 +++-
 master/lib/Munin/Master/HTMLOld.pm  |   92 ++--
 master/lib/Munin/Master/Node.pm |   32 --
 master/lib/Munin/Master/Update.pm   |3 
 master/lib/Munin/Master/UpdateWorker.pm |   26 -
 node/_bin/munin-asyncd.in   |5 -
 node/lib/Munin/Node/Config.pm   |1 
 node/lib/Munin/Node/SpoolWriter.pm  |9 +
 node/t/munin_node_spoolreader.t |   40 
 node/t/munin_node_spoolwriter.t |4 
 plugins/node.d.linux/acpi.in|2 
 plugins/node.d.linux/cpuspeed.in|2 
 plugins/node.d.linux/diskstat_.in   |4 
 plugins/node.d.linux/open_files.in  |6 -
 plugins/node.d/nutups_.in   |   16 ++-
 plugins/node.d/postgres_connections_.in |2 
 plugins/node.d/snmp__if_.in

Bug#929630: marked as done (unblock: wireshark/2.6.8-1.1)

2019-05-29 Thread Debian Bug Tracking System
Your message dated Wed, 29 May 2019 17:22:00 +
with message-id 
and subject line Re: Bug#929630: unblock: wireshark/2.6.8-1.1
has caused the Debian Bug report #929630,
regarding unblock: wireshark/2.6.8-1.1
to be marked as done.


-- 
929630: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929630
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package wireshark. The NMU fixes CVE-2019-12295, reported
as Debian bug #929446.

unblock wireshark/2.6.8-1.1

Regards,
Tobias
diff --git a/debian/changelog b/debian/changelog
index 4699904b15..dbdda67912 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+wireshark (2.6.8-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2019-12295
+In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14,
+the dissection engine could crash. This was addressed in
+epan/packet.c by restricting the number of layers and
+consequently limiting recursion. (Closes: #929446)
+
+ -- Dr. Tobias Quathamer   Mon, 27 May 2019 16:08:44 +0200
+
 wireshark (2.6.8-1) unstable; urgency=medium
 
   * New upstream version 2.6.8
diff --git a/debian/patches/CVE-2019-12295.patch b/debian/patches/CVE-2019-12295.patch
new file mode 100644
index 00..494c09ee44
--- /dev/null
+++ b/debian/patches/CVE-2019-12295.patch
@@ -0,0 +1,42 @@
+Description: CVE-2019-12295
+ In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14,
+ the dissection engine could crash. This was addressed in
+ epan/packet.c by restricting the number of layers and
+ consequently limiting recursion.
+Origin: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=7b6e197da4c497e229ed3ebf6952bae5c426a820
+Bug-Debian: https://bugs.debian.org/929446
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/epan/packet.c
 b/epan/packet.c
+@@ -725,6 +725,13 @@
+ call_dissector_work_error(dissector_handle_t handle, tvbuff_t *tvb,
+ 			  packet_info *pinfo_arg, proto_tree *tree, void *);
+ 
++/*
++ * XXX packet_info.curr_layer_num is a guint8 and *_MAX_RECURSION_DEPTH is
++ * 100 elsewhere in the code. We should arguably use the same value here,
++ * but using that makes suite_wslua.case_wslua.test_wslua_dissector_fpm fail.
++ */
++#define PINFO_LAYER_MAX_RECURSION_DEPTH 500
++
+ static int
+ call_dissector_work(dissector_handle_t handle, tvbuff_t *tvb, packet_info *pinfo_arg,
+ 		proto_tree *tree, gboolean add_proto_name, void *data)
+@@ -747,6 +754,7 @@
+ 	saved_proto = pinfo->current_proto;
+ 	saved_can_desegment = pinfo->can_desegment;
+ 	saved_layers_len = wmem_list_count(pinfo->layers);
++	DISSECTOR_ASSERT(saved_layers_len < PINFO_LAYER_MAX_RECURSION_DEPTH);
+ 
+ 	/*
+ 	 * can_desegment is set to 2 by anyone which offers the
+@@ -2675,6 +2683,8 @@
+ 	saved_layers_len = wmem_list_count(pinfo->layers);
+ 	*heur_dtbl_entry = NULL;
+ 
++	DISSECTOR_ASSERT(saved_layers_len < PINFO_LAYER_MAX_RECURSION_DEPTH);
++
+ 	for (entry = sub_dissectors->dissectors; entry != NULL;
+ 	entry = g_slist_next(entry)) {
+ 		/* XXX - why set this now and above? */
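
Review bot: The comment added above `PINFO_LAYER_MAX_RECURSION_DEPTH` says `packet_info.curr_layer_num` is a guint8, yet the limit is set to 500, which a guint8 cannot hold. Both new `DISSECTOR_ASSERT` calls test `saved_layers_len` from `wmem_list_count(pinfo->layers)`, so the list length is bounded, but if `curr_layer_num` tracks the same count it would wrap at 256 before the assertion is reached. Since the comment already admits 100 is the value used elsewhere, the DEP-3 header should say that 500 is taken unchanged from the commit named in Origin, so that nobody lowers or raises it locally without rerunning the wslua test it mentions.
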
diff --git a/debian/patches/series b/debian/patches/series
index c3ea6754c4..1e3c412166 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@
 09_idl2wrs.patch
 16_licence_about_location.patch
 17_libdir_location.patch
+CVE-2019-12295.patch


--- End Message ---
--- Begin Message ---
Dr. Tobias Quathamer:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package wireshark. The NMU fixes CVE-2019-12295, reported
> as Debian bug #929446.
> 
> unblock wireshark/2.6.8-1.1
> 
> Regards,
> Tobias
> 

Unblocked, thanks.
~Niels
--- End Message ---


Processed: Re: Bug#929731: unblock: flash-kernel/3.99

2019-05-29 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed d-i
Bug #929731 [release.debian.org] unblock: flash-kernel/3.99
Added tag(s) d-i and confirmed.

-- 
929731: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929731
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#929731: unblock: flash-kernel/3.99

2019-05-29 Thread Niels Thykier
Control: tags -1 confirmed d-i

Vagrant Cascadian:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: vagr...@debian.org, debian-b...@lists.debian.org
> 
> Please unblock package flash-kernel
> 
> This upload adds support for two additional boards, one additional name
> for another board, and updates the Uploaders list. The changes should be
> very low risk to existing platforms, and really appreciated by people
> with the added boards.
> 
> 
> [...]
> 
> unblock flash-kernel/3.99
> 
> 
> Thanks for considering!
> 
> live well,
>   vagrant
> 

Hi,

Thanks, this is marked OK from a release team PoV.  Adding KiBi for a
d-i ack before the final unblock.

Thanks,
~Niels



Bug#929705: marked as done (unblock: nautilus/3.30.5-2)

2019-05-29 Thread Debian Bug Tracking System
Your message dated Wed, 29 May 2019 17:13:00 +
with message-id <1b23756f-5ad5-4f5a-bb24-1bbff75f9...@thykier.net>
and subject line Re: Bug#929705: unblock: nautilus/3.30.5-2
has caused the Debian Bug report #929705,
regarding unblock: nautilus/3.30.5-2
to be marked as done.


-- 
929705: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929705
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package nautilus.

Nautilus contains an embedded copy of the thumbnailing code from
`gnome-desktop3'. This has received several updates upstream, which it'd
be great to get into buster. Here's my changelog entry, to avoid
repeating myself too much:

  * Update gnome-desktop code. Nautilus contains a copy of this code,
which originated in gnome-desktop3.
  + Fixes a potential crash during thumbnailing
  + Fixes thumbnailer on 32-bit systems where /lib64 is not available.
  + Also improves handling of usrmerged and non-usrmerged systems.
  + Mounts the fontconfig cache dir, to improve performance if fontconfig
is used
- Add a corresponding BD on libfontconfig1-dev, to fetch the needed
  variable from its pcfile.
  + Fixes seccomp filter bypass. CVE-2019-11461
  + Closes: #928054

I don't actually know how the CVE could be triggered from Nautilus, but
it got 'medium' severity and a request from the security team to be
fixed. That's the main reason for this upload, but there are also other
important fixes in this code too. I'd be grateful if you could consider
it for buster.

unblock nautilus/3.30.5-2

Cheers,

-- 
Iain Lane  [ i...@orangesquash.org.uk ]
Debian Developer   [ la...@debian.org ]
Ubuntu Developer   [ la...@ubuntu.com ]
diff -Nru nautilus-3.30.5/debian/changelog nautilus-3.30.5/debian/changelog
--- nautilus-3.30.5/debian/changelog2018-12-22 13:53:04.0 +
+++ nautilus-3.30.5/debian/changelog2019-05-29 12:47:33.0 +0100
@@ -1,3 +1,20 @@
+nautilus (3.30.5-2) unstable; urgency=medium
+
+  * debian/control{,.in}, gbp.conf: Update debian branch to debian/buster
+  * Update gnome-desktop code. Nautilus contains a copy of this code,
+which originated in gnome-desktop3.
+  + Fixes a potential crash during thumbnailing
+  + Fixes thumbnailer on 32-bit systems where /lib64 is not available.
+  + Also improves handling of usrmerged and non-usrmerged systems.
+  + Mounts the fontconfig cache dir, to improve performance if fontconfig
+is used
+- Add a corresponding BD on libfontconfig1-dev, to fetch the needed
+  variable from its pcfile.
+  + Fixes seccomp filter bypass. CVE-2019-11461
+  + Closes: #928054
+
+ -- Iain Lane   Wed, 29 May 2019 12:47:33 +0100
+
 nautilus (3.30.5-1) unstable; urgency=medium
 
   * New upstream release
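
Review bot: The `+ Closes: #928054` line is a separate sub-bullet at the end of the list, so the entry does not say which of the listed fixes closes the bug. Attach it to the item it belongs to, for example `+ Fixes seccomp filter bypass. CVE-2019-11461 (Closes: #928054)` if that is the one, so the bug log and the CVE reference line up. The entry also does not name the patch files that carry the gnome-desktop update, which would make the debdiff easier to match against the changelog.
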
diff -Nru nautilus-3.30.5/debian/control nautilus-3.30.5/debian/control
--- nautilus-3.30.5/debian/control  2018-12-22 13:53:04.0 +
+++ nautilus-3.30.5/debian/control  2019-05-29 12:47:33.0 +0100
@@ -15,6 +15,7 @@
gobject-introspection (>= 0.9.12-4~),
gtk-doc-tools (>= 1.10),
libatk1.0-dev (>= 1.32.0),
+   libfontconfig1-dev,
libgail-3-dev,
libgexiv2-dev (>= 0.10.0),
libgirepository1.0-dev (>= 0.10.7-1~),
@@ -41,7 +42,7 @@
 Rules-Requires-Root: no
 Homepage: https://wiki.gnome.org/action/show/Apps/Nautilus
 Vcs-Browser: https://salsa.debian.org/gnome-team/nautilus
-Vcs-Git: https://salsa.debian.org/gnome-team/nautilus.git
+Vcs-Git: https://salsa.debian.org/gnome-team/nautilus.git -b debian/buster
 Standards-Version: 4.2.1
 
 Package: nautilus
diff -Nru nautilus-3.30.5/debian/control.in nautilus-3.30.5/debian/control.in
--- nautilus-3.30.5/debian/control.in   2018-12-22 13:53:04.0 +
+++ nautilus-3.30.5/debian/control.in   2019-05-29 12:47:33.0 +0100
@@ -11,6 +11,7 @@
gobject-introspection (>= 0.9.12-4~),
gtk-doc-tools (>= 1.10),
libatk1.0-dev (>= 1.32.0),
+   libfontconfig1-dev,
libgail-3-dev,
libgexiv2-dev (>= 0.10.0),
libgirepository1.0-dev (>= 0.10.7-1~),
@@ -37,7 +38,7 @@
 Rules-Requires-Root: no
 Homepage: 

Bug#929731: unblock: flash-kernel/3.99

2019-05-29 Thread Vagrant Cascadian
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: vagr...@debian.org, debian-b...@lists.debian.org

Please unblock package flash-kernel

This upload adds support for two additional boards, one additional name
for another board, and updates the Uploaders list. The changes should be
very low risk to existing platforms, and really appreciated by people
with the added boards.


diff -Nru flash-kernel-3.98/db/all.db flash-kernel-3.99/db/all.db
--- flash-kernel-3.98/db/all.db 2019-04-04 14:37:13.0 -0700
+++ flash-kernel-3.99/db/all.db 2019-05-23 09:54:49.0 -0700
@@ -481,6 +481,13 @@
 U-Boot-Script-Name: bootscr.sunxi
 Required-Packages: u-boot-tools
 
+Machine: FriendlyARM NanoPi NEO 2
+Kernel-Flavors: arm64
+Boot-Script-Path: /boot/boot.scr
+DTB-Id: allwinner/sun50i-h5-nanopi-neo2.dtb
+U-Boot-Script-Name: bootscr.uboot-generic
+Required-Packages: u-boot-tools
+
 Machine: Gemei G9 Tablet
 Kernel-Flavors: armmp
 Boot-Script-Path: /boot/boot.scr
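
Review bot: The new `Machine: FriendlyARM NanoPi NEO 2` stanza points at an Allwinner device tree (`allwinner/sun50i-h5-nanopi-neo2.dtb`) but sets `U-Boot-Script-Name: bootscr.uboot-generic`, while the stanza directly above it in the context uses `bootscr.sunxi`. If the generic script is the intended one for arm64 Allwinner boards, a one-line comment above the stanza saying so would stop a later contributor from changing it to match its neighbours.
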
@@ -945,12 +952,20 @@
 Required-Packages: u-boot-tools
 
 Machine: Marvell 8040 MACCHIATOBin
+Machine: Marvell 8040 MACCHIATOBin Double-shot
 Machine: Marvell 8040 MACHIATOBin
 Kernel-Flavors: arm64
 DTB-Id: marvell/armada-8040-mcbin.dtb
 Boot-Script-Path: /boot/boot.scr
 U-Boot-Script-Name: bootscr.uboot-generic
 Required-Packages: u-boot-tools
+
+Machine: Marvell 8040 MACCHIATOBin Single-shot
+Kernel-Flavors: arm64
+DTB-Id: marvell/armada-8040-mcbin-singleshot.dtb
+Boot-Script-Path: /boot/boot.scr
+U-Boot-Script-Name: bootscr.uboot-generic
+Required-Packages: u-boot-tools
 
 # Marvell dev board has different names depending on how it's booted,
 # via DTB or older ATAGS
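
Review bot: The added `Machine: Marvell 8040 MACCHIATOBin Double-shot` line lands between the existing `MACCHIATOBin` and `MACHIATOBin` names, and nothing in the stanza explains why three spellings map to `marvell/armada-8040-mcbin.dtb`. A short comment in the style of the `# Marvell dev board has different names ...` one in the trailing context, saying where each name comes from, would document that. Please also confirm whether the new Single-shot stanza needs a `MACHIATOBin` spelling variant, since only the correctly spelled name is listed there.
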
diff -Nru flash-kernel-3.98/debian/changelog flash-kernel-3.99/debian/changelog
--- flash-kernel-3.98/debian/changelog  2019-04-04 14:38:42.0 -0700
+++ flash-kernel-3.99/debian/changelog  2019-05-24 18:36:25.0 -0700
@@ -1,3 +1,18 @@
+flash-kernel (3.99) unstable; urgency=medium
+
+  [ Domenico Andreoli ]
+  * Add support for NanoPi NEO2 (Closes: #928861).
+
+  [ Cyril Brulebois ]
+  * Remove Christian Perrier from Uploaders, with many thanks for all
+his contributions over the years! (Closes: #927488)
+
+  [ Heinrich Schuchardt ]
+  * Add Marvell 8040 MACCHIATOBin Double-shot and Single-shot.
+(Closes: #928951)
+
+ -- Vagrant Cascadian   Fri, 24 May 2019 18:36:25 -0700
+
 flash-kernel (3.98) unstable; urgency=medium
 
   [ Vagrant Cascadian ]
diff -Nru flash-kernel-3.98/debian/control flash-kernel-3.99/debian/control
--- flash-kernel-3.98/debian/control2019-02-27 22:52:45.0 -0800
+++ flash-kernel-3.99/debian/control2019-05-12 14:42:39.0 -0700
@@ -2,8 +2,7 @@
 Section: utils
 Priority: optional
 Maintainer: Debian Install System Team 
-Uploaders: Christian Perrier ,
-   Vagrant Cascadian ,
+Uploaders: Vagrant Cascadian ,
Karsten Merker 
 Build-Depends: debhelper (>= 9), devio, linux-base (>= 3.2), dash
 Standards-Version: 3.9.6

unblock flash-kernel/3.99


Thanks for considering!

live well,
  vagrant




Bug#929724: unblock: shim-signed/1.32

2019-05-29 Thread Steve McIntyre
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package shim-signed

I've tweaked the shim-signed packaging to make what I believe are all
the changes wanted before we get our latest signed binaries back from
the Microsoft CA. Summary:

  * Add Breaks/Replaces to shim-signed-common for
update-secureboot-policy etc. Closes: #929673
  * update-secureboot-policy: fix error if /var/lib/dkms does not
exist. Closes: #923718
  * Separate the helper scripts into a new shim-signed-common package,
apart from the actual signed shim binaries so that we can
sensibly support co-installability using Multi-Arch.
Closes: #928486
  * Add/update translations:
+ Italian (Closes: #915993, thanks to Beatrice Torracca)
+ Swedish (Closes: #921410, thanks to Matrin Bagge)
+ Russian (Closes: #99, thanks to Lev Lamberov)
+ Dutch (Closes: #917580, #926664, thanks to Frans Spiesschaert)
  * Remove doc link used to quieten old lintian versions

The main fixes are for #928486 (which is blocking some users building
multi-arch live media), but I've also rolled in a trivial fix for
#923718 (cosmetic) and a bunch of translation updates (filtered out
here). #929673 showed I made a daft mistake with the 1.31 upload. :-(

I expect to make one more shim-signed upload before buster, just
adding the new signed binaries. I'm doing all the other changes here
and now to make that final change as small and as easy to review as
possible.

This package still has the same outstanding RC bug as version 1.30
(#928107), which is impossible to fix right now. When they arrive, the
new signed binaries will allow us to fix this with the 1.33 upload.

debdiff attached.

unblock shim-signed/1.32

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru shim-signed-1.30/debian/changelog shim-signed-1.32/debian/changelog
--- shim-signed-1.30/debian/changelog   2019-04-23 00:01:10.0 +0100
+++ shim-signed-1.32/debian/changelog   2019-05-28 14:23:54.0 +0100
@@ -1,3 +1,27 @@
+shim-signed (1.32) unstable; urgency=medium
+
+  * Add Breaks/Replaces to shim-signed-common for
+update-secureboot-policy etc. Closes: #929673
+
+ -- Steve McIntyre <93...@debian.org>  Tue, 28 May 2019 14:23:54 +0100
+
+shim-signed (1.31) unstable; urgency=medium
+
+  * update-secureboot-policy: fix error if /var/lib/dkms does not
+exist. Closes: #923718
+  * Separate the helper scripts into a new shim-signed-common package,
+apart from the actual signed shim binaries so that we can
+sensibly support co-installability using Multi-Arch.
+Closes: #928486
+  * Add/update translations:
++ Italian (Closes: #915993, thanks to Beatrice Torracca)
++ Swedish (Closes: #921410, thanks to Matrin Bagge)
++ Russian (Closes: #99, thanks to Lev Lamberov)
++ Dutch (Closes: #917580, #926664, thanks to Frans Spiesschaert)
+  * Remove doc link used to quieten old lintian versions
+
+ -- Steve McIntyre <93...@debian.org>  Mon, 27 May 2019 23:02:10 +0100
+
 shim-signed (1.30) unstable; urgency=medium
 
   * Force the built-using version to be 15+1533136590.3beb971-6. That
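
Review bot: In the 1.31 entry, `+ Russian (Closes: #99, thanks to Lev Lamberov)` carries a two-digit bug number while every other `Closes:` in this hunk is six digits, so as written the upload would act on bug #99. Please check that number against the translation bug before uploading.
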
diff -Nru shim-signed-1.30/debian/control shim-signed-1.32/debian/control
--- shim-signed-1.30/debian/control 2019-04-22 23:59:15.0 +0100
+++ shim-signed-1.32/debian/control 2019-05-28 14:23:54.0 +0100
@@ -18,6 +18,7 @@
 
 Package: shim-signed
 Architecture: amd64 i386 arm64
+Multi-Arch: same
 Depends: ${misc:Depends},
  grub-efi-amd64-bin [amd64],
  shim-helpers-amd64-signed (>= 1+15+1533136590.3beb971+5) [amd64],
@@ -25,8 +26,7 @@
  shim-helpers-i386-signed (>= 1+15+1533136590.3beb971+5) [i386],
  grub-efi-arm64-bin [arm64],
  shim-helpers-arm64-signed (>= 1+15+1533136590.3beb971+5) [arm64],
- grub2-common (>= 2.02+dfsg1-16),
- mokutil
+ grub2-common (>= 2.02+dfsg1-16)
 Recommends: secureboot-db
 Built-Using: shim (= 15+1533136590.3beb971-6)
 Description: Secure Boot chain-loading bootloader (Microsoft-signed binary)
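
Review bot: `mokutil` is dropped from the `shim-signed` Depends here and moves to `shim-signed-common`, but none of the Depends lines visible in these hunks makes `shim-signed` depend on `shim-signed-common`. If that dependency is not added on a line outside the hunks, upgrading shim-signed alone leaves a system without the helper scripts and without mokutil; please confirm it is there or add it.
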
@@ -38,3 +38,19 @@
  .
  This package contains the version of the bootloader binary signed by the
  Microsoft UEFI CA.
+
+Package: shim-signed-common
+Multi-Arch: foreign
+Architecture: all
+Depends: ${misc:Depends}, mokutil
+Replaces: shim-signed (<< 1.32+15+1533136590.3beb971-5)
+Breaks: shim-signed (<< 1.32+15+1533136590.3beb971-5)
+Description: Secure Boot chain-loading bootloader (common helper scripts)
+ This package provides a minimalist boot loader which allows verifying
+ signatures of other UEFI binaries against either the Secure Boot DB/DBX or
+ against a built-in signature database.  Its 
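
Review bot: The `Replaces:` and `Breaks:` bound `shim-signed (<< 1.32+15+1533136590.3beb971-5)` ends in `-5`, while `Built-Using` earlier in this file pins `shim (= 15+1533136590.3beb971-6)`, and the changelog in this debdiff says the helper scripts were split out in 1.31. The bound works only because it sorts below the real 1.32 version; a bound that names the version where the files moved and omits the shim revision would be easier to reason about and would not need touching when the signed binaries are refreshed.
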

Bug#929722: unblock: python-debian/0.1.35

2019-05-29 Thread Stuart Prescott
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear Release Team,

There are two important bugs in python-debian that I would like to fix in
buster. I don't think the changes are sufficiently large or problematic to
prevent that, but I seek your pre-approval for them prior to uploading
(diff against 0.1.34 attached).

* debian_support.PackageFile is completely broken with non-ASCII Packages
  and Sources files when used with Python 3. (#928655)
* when processing debian/copyright files, NotMachineReadableError is not
  raised when the file is not copyright-format/1.0. (not filed in the bts,
  MR submitted directly, would be severity:important since it makes the
  debian.copyright  module almost unusable for consumers like
  sources.debian.net)

There are additionally two other minor bugs that are already fixed in git.
Fixing them seems reasonable to me but your input is sought.

* Stop using the deprecated autopkgtest needs-recommends restriction.
* Prevent accidental overwriting of abc.Mapping and typing.Mapping with
  Python 3.

regards
Stuart


unblock python-debian/0.1.35

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (550, 'testing'), (500, 'testing-proposed-updates'), (500, 
'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 5d1db94..60d9f95 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+python-debian (0.1.35) unstable; urgency=medium
+
+  [ Stuart Prescott ]
+  * Fix decode error when using debian_support.PackageFile by allowing the
+caller to specify an encoding, defaulting to UTF-8 (Closes: #928655).
+  * Remove needs-recommends from autopkgtest definitions.
+
+  [ Jan Teske ]
+  * Fix overwriting of names in importing abc.Mapping and typing.Mapping.
+
+  [ Jelmer Vernooij ]
+  * Correctly raise NotMachineReadableError when no format is set.
+
+ -- Stuart Prescott   Thu, 30 May 2019 00:23:06 +1000
+
 python-debian (0.1.34) unstable; urgency=medium
 
   [ Jelmer Vernooij ]
diff --git a/debian/tests/control b/debian/tests/control
index ecb50a4..386071d 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1,17 +1,19 @@
 Tests: python3-debian
-Restrictions: allow-stderr needs-recommends
+Restrictions: allow-stderr
 Depends:
  binutils (>= 2.23),
  python3-all,
+ python3-apt,
  python3-debian,
  debian-keyring,
  debian-archive-keyring
 
 Tests: python-debian
-Restrictions: allow-stderr needs-recommends
+Restrictions: allow-stderr
 Depends:
  binutils (>= 2.23),
  python2.7,
+ python-apt,
  python-debian,
  python-unittest2,
  debian-keyring,
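
Review bot: With `needs-recommends` removed from both `Restrictions:` lines, the only replacements added to the test `Depends:` are `python3-apt` and `python-apt`. If the binary packages recommend anything else that the test suite imports, it has to be listed here as well, otherwise those tests will now fail or be skipped under autopkgtest.
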
diff --git a/lib/debian/copyright.py b/lib/debian/copyright.py
index cfe587b..d360784 100644
--- a/lib/debian/copyright.py
+++ b/lib/debian/copyright.py
@@ -639,7 +639,7 @@ class Header(deb822.RestrictedWrapper):
 super(Header, self).__init__(data)
 
 fmt = self.format   # type: ignore
-if fmt != _CURRENT_FORMAT:
+if fmt != _CURRENT_FORMAT and fmt is not None:
 # Add a terminal slash onto the end if missing
 if not fmt.endswith('/'):
 fmt += "/"
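
Review bot: The new condition `fmt != _CURRENT_FORMAT and fmt is not None` only keeps a missing format out of the normalisation branch, where `fmt.endswith('/')` would fail on `None`; the `NotMachineReadableError` that the changelog promises is raised somewhere outside this hunk. Putting the `None` test first (`fmt is not None and fmt != _CURRENT_FORMAT`) reads more clearly, and a test that feeds a header with no Format field and expects `NotMachineReadableError` would pin the behaviour; no such test is visible in the part of the diff shown.
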
diff --git a/lib/debian/deb822.py b/lib/debian/deb822.py
index 3dbd41c..0686cdb 100644
--- a/lib/debian/deb822.py
+++ b/lib/debian/deb822.py
@@ -222,16 +222,11 @@ from __future__ import absolute_import, print_function
 import collections
 try:
 # Python 3
-from collections.abc import (
-Mapping,
-MutableMapping,
-)
+import collections.abc as collections_abc
 except ImportError:
 # Python 2.7 cruft
-from collections import (
-Mapping,
-MutableMapping,
-)
+# pylint: disable=reimported
+import collections as collections_abc# type: ignore
 
 import datetime
 import email.utils
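
Review bot: The switch to `import collections.abc as collections_abc` (and `import collections as collections_abc` in the Python 2.7 branch) carries no comment saying why the names are no longer imported directly. The changelog gives the reason, a clash between `abc.Mapping` and `typing.Mapping`; repeating that in a one-line comment next to the `try:` would stop someone from tidying it back to `from collections.abc import Mapping, MutableMapping`.
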
@@ -321,7 +316,7 @@ class RestrictedFieldError(Error):
 """Raised when modifying the raw value of a field is not allowed."""
 
 
-class TagSectionWrapper(Mapping):
+class TagSectionWrapper(collections_abc.Mapping):
 """Wrap a TagSection object, using its find_raw method to get field values
 
 This allows us to pick which whitespace to strip off the beginning and end
@@ -423,7 +418,7 @@ class OrderedSet(object):
 # ###
 
 
-class Deb822Dict(MutableMapping):
+class Deb822Dict(collections_abc.MutableMapping):
 """A dictionary-like object suitable for storing RFC822-like data.
 
 Deb822Dict behaves like a normal dict, except:
diff --git a/lib/debian/debian_support.py b/lib/debian/debian_support.py
index 851eb90..cf4a26e 100644
--- a/lib/debian/debian_support.py
+++ b/lib/debian/debian_support.py
@@ -379,7 +379,7 @@ class 

Bug#929705: unblock: nautilus/3.30.5-2

2019-05-29 Thread Iain Lane
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package nautilus.

Nautilus contains an embedded copy of the thumbnailing code from
`gnome-desktop3'. This has received several updates upstream, which it'd
be great to get into buster. Here's my changelog entry, to avoid
repeating myself too much:

  * Update gnome-desktop code. Nautilus contains a copy of this code,
which originated in gnome-desktop3.
  + Fixes a potential crash during thumbnailing
  + Fixes thumbnailer on 32-bit systems where /lib64 is not available.
  + Also improves handling of usrmerged and non-usrmerged systems.
  + Mounts the fontconfig cache dir, to improve performance if fontconfig
is used
- Add a corresponding BD on libfontconfig1-dev, to fetch the needed
  variable from its pcfile.
  + Fixes seccomp filter bypass. CVE-2019-11461
  + Closes: #928054

I don't actually know how the CVE could be triggered from Nautilus, but
it got 'medium' severity and a request from the security team to be
fixed. That's the main reason for this upload, but there are also other
important fixes in this code too. I'd be grateful if you could consider
it for buster.

unblock nautilus/3.30.5-2

Cheers,

-- 
Iain Lane  [ i...@orangesquash.org.uk ]
Debian Developer   [ la...@debian.org ]
Ubuntu Developer   [ la...@ubuntu.com ]
diff -Nru nautilus-3.30.5/debian/changelog nautilus-3.30.5/debian/changelog
--- nautilus-3.30.5/debian/changelog2018-12-22 13:53:04.0 +
+++ nautilus-3.30.5/debian/changelog2019-05-29 12:47:33.0 +0100
@@ -1,3 +1,20 @@
+nautilus (3.30.5-2) unstable; urgency=medium
+
+  * debian/control{,.in}, gbp.conf: Update debian branch to debian/buster
+  * Update gnome-desktop code. Nautilus contains a copy of this code,
+which originated in gnome-desktop3.
+  + Fixes a potential crash during thumbnailing
+  + Fixes thumbnailer on 32-bit systems where /lib64 is not available.
+  + Also improves handling of usrmerged and non-usrmerged systems.
+  + Mounts the fontconfig cache dir, to improve performance if fontconfig
+is used
+- Add a corresponding BD on libfontconfig1-dev, to fetch the needed
+  variable from its pcfile.
+  + Fixes seccomp filter bypass. CVE-2019-11461
+  + Closes: #928054
+
+ -- Iain Lane   Wed, 29 May 2019 12:47:33 +0100
+
 nautilus (3.30.5-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru nautilus-3.30.5/debian/control nautilus-3.30.5/debian/control
--- nautilus-3.30.5/debian/control  2018-12-22 13:53:04.0 +
+++ nautilus-3.30.5/debian/control  2019-05-29 12:47:33.0 +0100
@@ -15,6 +15,7 @@
gobject-introspection (>= 0.9.12-4~),
gtk-doc-tools (>= 1.10),
libatk1.0-dev (>= 1.32.0),
+   libfontconfig1-dev,
libgail-3-dev,
libgexiv2-dev (>= 0.10.0),
libgirepository1.0-dev (>= 0.10.7-1~),
@@ -41,7 +42,7 @@
 Rules-Requires-Root: no
 Homepage: https://wiki.gnome.org/action/show/Apps/Nautilus
 Vcs-Browser: https://salsa.debian.org/gnome-team/nautilus
-Vcs-Git: https://salsa.debian.org/gnome-team/nautilus.git
+Vcs-Git: https://salsa.debian.org/gnome-team/nautilus.git -b debian/buster
 Standards-Version: 4.2.1
 
 Package: nautilus
diff -Nru nautilus-3.30.5/debian/control.in nautilus-3.30.5/debian/control.in
--- nautilus-3.30.5/debian/control.in   2018-12-22 13:53:04.0 +
+++ nautilus-3.30.5/debian/control.in   2019-05-29 12:47:33.0 +0100
@@ -11,6 +11,7 @@
gobject-introspection (>= 0.9.12-4~),
gtk-doc-tools (>= 1.10),
libatk1.0-dev (>= 1.32.0),
+   libfontconfig1-dev,
libgail-3-dev,
libgexiv2-dev (>= 0.10.0),
libgirepository1.0-dev (>= 0.10.7-1~),
@@ -37,7 +38,7 @@
 Rules-Requires-Root: no
 Homepage: https://wiki.gnome.org/action/show/Apps/Nautilus
 Vcs-Browser: https://salsa.debian.org/gnome-team/nautilus
-Vcs-Git: https://salsa.debian.org/gnome-team/nautilus.git
+Vcs-Git: https://salsa.debian.org/gnome-team/nautilus.git -b debian/buster
 Standards-Version: 4.2.1
 
 Package: nautilus
diff -Nru nautilus-3.30.5/debian/gbp.conf nautilus-3.30.5/debian/gbp.conf
--- nautilus-3.30.5/debian/gbp.conf 2018-12-22 13:53:04.0 +
+++ nautilus-3.30.5/debian/gbp.conf 2019-05-29 12:47:33.0 +0100
@@ -1,6 +1,6 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = debian/master
+debian-branch = debian/buster
 upstream-branch = upstream/latest
 upstream-vcs-tag = %(version)s
 
diff -Nru 
nautilus-3.30.5/debian/patches/Define-symbol-needed-for-gnome-desktop.patch 
nautilus-3.30.5/debian/patches/Define-symbol-needed-for-gnome-desktop.patch
--- 

Re: That merged-usr is mandatory is RC

2019-05-29 Thread Sam Hartman
> "Ivo" == Ivo De Decker  writes:

Ivo> Hi, Given that there is still discussion about the impact of
Ivo> merged /usr at this very late point of the freeze, I think
Ivo> having merged /usr by default for new installations should be
Ivo> reconsidered.

What discussion are you seeing other than this discussion here?
Things seem to have been fairly quiet on the merged /usr front since the
 TC decision.

What am I missing?



Re: That merged-usr is mandatory is RC

2019-05-29 Thread Ivo De Decker
Hi,

Given that there is still discussion about the impact of merged /usr at this
very late point of the freeze, I think having merged /usr by default for new
installations should be reconsidered.

On Sun, May 19, 2019 at 07:22:08AM -0400, Sam Hartman wrote:
> I've been debating doing this, but continue to believe that it's
> important after several days of pondering.  So, per constitution 5.1
> (2), I'd like to explicitly lend support to the idea that it would be
> really good if we provide our users a way to install buster without
> merged /usr.  I think that if we do not do so now, we need to be open to
> the possibility that if users are stymied in doing their work, we will
> need to do so in a buster point release even if we would not normally
> add something some might consider a feature in a point release.
> 
> I'm not speaking to whether I think it should be RC or even whether an
> expert only option is good enough.
> I am simply saying that with my DPL hat on, I think this issue is
> important enough it deserves real consideration.
> 
> 
> I think that the TC's ruling and ongoing experience suggests we have
> carefully considered how we want to approach merged /usr for our own
> internal work developing Debian and come to a position that at least for
> the moment seems to be working.
> 
> What I'm most concerned about is people who use Debian to develop
> software they plan to use on Debian but who are not part of Debian.
> Examples of this include people within organizations who build programs
> to distribute within their organization.  People who build upstream
> programs using configure from source.  That sort of thing.
> 
> These people may not use packages.  These people may not use chroots.

People who develop software often do this on different machines than the one
the software runs on. When the production server gets upgraded, and a new
development machine is installed, one will have merged /usr and the other
doesn't. This probably isn't very good. Having an option to change this during
the install probably won't help these users.

In general, I think that if merged /usr is the default for new installations
for a Debian release, it should be the default on upgrades to that release as
well. This is not the case for buster. Obviously changing the default on
upgrades needs careful planning and should be started at the beginning of a
release cycle.

> They are our users; they are our priority.  Even if we believe using
> chroots or containers would be better for them, I don't think we should
> force people into changing their build processes.
> 
> 
> I don't think we have a good idea how big the impact will be for these
> users, and so, I think we should be conservative.
> 
> If we don't choose to be conservative, I think we should be extra
> willing to revisit our decision if we find we are wrong.

Please note that there were a number of bugs triggered by merged /usr that
were discovered during the freeze. Most of them were actual bugs in the
packages, but they were (only) triggered with merged /usr. The fact that they
were only discovered late in the release cycle isn't a good sign.

> Again, all I'm saying is that I think this issue is important enough to
> consider seriously.  I am not in a position to balance this issue
> against other things before us.
> I'm speaking as the DPL because I'm trying to consider something that is
> a project level concern.  However, this statement has no actual force as
> clearly spelled out in the constitution.
> I'm speaking in the hopes of getting people to take a moment, think
> about this issue and come to their own conclusions.

Having an option to allow experienced users to change the default doesn't
really solve this. So the way forward is to change the default back to not
having merged /usr on new installs.

Thanks,

Ivo