Processed: tagging 931596

2019-07-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 931596 - moreinfo
Bug #931596 [release.debian.org] buster-pu: package 
libjavascript-beautifier-perl/0.25-1+deb10u1
Removed tag(s) moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
931596: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931596
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#931596: stretch-pu: package libjavascript-beautifier-perl/0.25-1+deb10u1

2019-07-21 Thread Xavier
Control: tags - moreinfo

On 22/07/2019 at 01:31, Jonathan Wiltshire wrote:
> Control: tag -1 moreinfo
> 
> Hi,
> 
> On Mon, Jul 08, 2019 at 07:04:20AM +0200, Xavier Guimard wrote:
>> Package: release.debian.org
>> Severity: normal
>> Tags: buster
>> User: release.debian@packages.debian.org
>> Usertags: pu
> 
> Your metadata above, bug title, and changelog target all disagree about
> whether you're targeting buster or stretch or sid. Which is it?
> 
>> --- a/debian/changelog
>> +++ b/debian/changelog
>> @@ -1,3 +1,9 @@
>> +libjavascript-beautifier-perl (0.25-1+deb10u1) unstable; urgency=medium

Sorry,

title was already fixed, here is the debdiff fix for buster

diff --git a/debian/changelog b/debian/changelog
index d53fc65..531e69b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+libjavascript-beautifier-perl (0.25-1+deb10u1) buster; urgency=medium
+
+  * Add missing "=>" operator (ES6) (Closes: #931379)
+
+ -- Xavier Guimard   Wed, 03 Jul 2019 18:40:37 +0200
+
 libjavascript-beautifier-perl (0.25-1) unstable; urgency=medium
 
   * Import upstream version 0.25.
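
Review bot: The only bullet of the new entry, `* Add missing "=>" operator (ES6)`, does not name the file it touches (lib/JavaScript/Beautifier.pm) or say that the fix ships as debian/patches/missing-operator.patch. Naming both in the bullet makes the entry usable as-is in the point-release summary.
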
diff --git a/debian/patches/missing-operator.patch 
b/debian/patches/missing-operator.patch
new file mode 100644
index 000..54f0167
--- /dev/null
+++ b/debian/patches/missing-operator.patch
@@ -0,0 +1,18 @@
+Description: Add missing ES6 "=>" operator
+Author: Xavier Guimard 
+Bug: https://rt.cpan.org/Ticket/Display.html?id=129976
+Bug-Debian: https://bugs.debian.org/931379
+Forwarded: https://rt.cpan.org/Ticket/Display.html?id=129976
+Last-Update: 2019-07-03
+
+--- a/lib/JavaScript/Beautifier.pm
 b/lib/JavaScript/Beautifier.pm
+@@ -18,7 +18,7 @@
+ my @wordchar   = split('', 
'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_$');
+ my @digits = split('', '0123456789');
+ # 

Processed: retitle 931596 to buster-pu: package libjavascript-beautifier-perl/0.25-1+deb10u1

2019-07-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 931596 buster-pu: package libjavascript-beautifier-perl/0.25-1+deb10u1
Bug #931596 [release.debian.org] buster-pu: package 
libjavascript-beautifier-perl/0.25-1+deb10u1
Ignoring request to change the title of bug#931596 to the same title
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
931596: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931596
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



NEW changes in stable-new

2019-07-21 Thread Debian FTP Masters
Processing changes file: warzone2100_3.2.1-3+deb10u1_mips.changes
  ACCEPT
Processing changes file: warzone2100_3.2.1-3+deb10u1_mips64el.changes
  ACCEPT



NEW changes in stable-new

2019-07-21 Thread Debian FTP Masters
Processing changes file: libblockdev_2.20-7+deb10u1_all.changes
  ACCEPT
Processing changes file: libblockdev_2.20-7+deb10u1_amd64.changes
  ACCEPT
Processing changes file: libblockdev_2.20-7+deb10u1_arm64.changes
  ACCEPT
Processing changes file: libblockdev_2.20-7+deb10u1_armel.changes
  ACCEPT
Processing changes file: libblockdev_2.20-7+deb10u1_armhf.changes
  ACCEPT
Processing changes file: libblockdev_2.20-7+deb10u1_i386.changes
  ACCEPT
Processing changes file: libblockdev_2.20-7+deb10u1_mips.changes
  ACCEPT
Processing changes file: libblockdev_2.20-7+deb10u1_mips64el.changes
  ACCEPT
Processing changes file: libblockdev_2.20-7+deb10u1_mipsel.changes
  ACCEPT
Processing changes file: libblockdev_2.20-7+deb10u1_ppc64el.changes
  ACCEPT
Processing changes file: libblockdev_2.20-7+deb10u1_s390x.changes
  ACCEPT
Processing changes file: warzone2100_3.2.1-3+deb10u1_all.changes
  ACCEPT
Processing changes file: warzone2100_3.2.1-3+deb10u1_amd64.changes
  ACCEPT
Processing changes file: warzone2100_3.2.1-3+deb10u1_arm64.changes
  ACCEPT
Processing changes file: warzone2100_3.2.1-3+deb10u1_armel.changes
  ACCEPT
Processing changes file: warzone2100_3.2.1-3+deb10u1_armhf.changes
  ACCEPT
Processing changes file: warzone2100_3.2.1-3+deb10u1_i386.changes
  ACCEPT
Processing changes file: warzone2100_3.2.1-3+deb10u1_mipsel.changes
  ACCEPT
Processing changes file: warzone2100_3.2.1-3+deb10u1_ppc64el.changes
  ACCEPT
Processing changes file: warzone2100_3.2.1-3+deb10u1_s390x.changes
  ACCEPT



Re: reflecting on the buster release cycle and RFF

2019-07-21 Thread Paul Wise
On Mon, Jul 22, 2019 at 2:44 AM Paul Gevers wrote:

> So, now you've seen how I have perceived the freeze, do you have
> anything to add? We're looking for concrete notes and observations that
> we can use when we think about how to improve the bullseye release.

During the buster freeze period, postgrey was removed from testing and
thus should have missed the buster release. It appears that the
release team made an exception and allowed postgrey back into testing
despite the freeze policy that "packages not in testing can not
migrate to testing". I think it would be useful to document under
which circumstances packages can get exceptions to be allowed back
into testing even though they have been removed during the freeze
period.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



Bug#931386: stretch-pu: package fribidi/0.19.7-1.1

2019-07-21 Thread Cyril Brulebois
Jonathan Wiltshire  (2019-07-21):
> On Wed, Jul 03, 2019 at 07:36:55PM +0200, Samuel Thibault wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: stretch
> > User: release.debian@packages.debian.org
> > Usertags: pu
> > 
> > Hello,
> > 
> > As reported on #917909, the text-based debian installer support for
> > right-to-left languages is completely broken, only due to a path
> > mismatch. This was fixed in Buster in January with the attached change,
> > which I have uploaded to stretch as 0.19.7-1.1, could you accept it?
> 
> Looks OK to me, d-i ack needed.

No objections to the actual diff (as received following your upload), as
opposed to the attached diff (which is a src:xorg-server patch by the
looks of it). ;p

Attaching the actual diff for further reference.


By the way, it might be nice for release team members to have a slightly
more descriptive changelog entry (mentioning the RTL fix directly, as
you did in this pu bug), so that it can be mentioned in the summary of
changes issued at point release time. Example for 9.9:
  https://www.debian.org/News/2019/20190427


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant
Version in base suite: 0.19.7-1

Base version: fribidi_0.19.7-1
Target version: fribidi_0.19.7-1.1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/f/fribidi/fribidi_0.19.7-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/f/fribidi/fribidi_0.19.7-1.1.dsc

 changelog|8 
 libfribidi0-udeb.install |2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff -Nru fribidi-0.19.7/debian/changelog fribidi-0.19.7/debian/changelog
--- fribidi-0.19.7/debian/changelog	2015-08-12 05:32:03.0 +
+++ fribidi-0.19.7/debian/changelog	2019-06-08 20:39:38.0 +
@@ -1,3 +1,11 @@
+fribidi (0.19.7-1.1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * libfribidi0-udeb: Install the shared library files into a multi-arch libdir
+(Closes: #917909).
+
+ -- Samuel Thibault   Sat, 08 Jun 2019 22:39:38 +0200
+
 fribidi (0.19.7-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru fribidi-0.19.7/debian/libfribidi0-udeb.install fribidi-0.19.7/debian/libfribidi0-udeb.install
--- fribidi-0.19.7/debian/libfribidi0-udeb.install	2015-08-12 05:32:03.0 +
+++ fribidi-0.19.7/debian/libfribidi0-udeb.install	2019-06-08 20:39:38.0 +
@@ -1 +1 @@
-usr/lib/*/libfribidi.so.* lib
+usr/lib/*/libfribidi.so.*
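
Review bot: With the `lib` destination dropped on the `+usr/lib/*/libfribidi.so.*` line, the library is installed under usr/lib/<multiarch triplet> in the udeb instead of lib/. The report calls the bug a path mismatch, but nothing in the diff shows which consumer path this was matched against; stating that in the changelog entry would let a reviewer confirm the new location is the one the installer loads from on every architecture.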




NEW changes in stable-new

2019-07-21 Thread Debian FTP Masters
Processing changes file: warzone2100_3.2.1-3+deb10u1_source.changes
  ACCEPT



Bug#932618: transition: librsync

2019-07-21 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Sun, Jul 21, 2019 at 03:04:40PM +0500, Andrey Rahmatullin wrote:
> The librsync library changed the ABI and also some parts of API, the API 
> change
> impacts only rdiff-backup, for which #928885 is filed with no reaction so far.

Please go ahead in unstable.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



Processed: Re: Bug#932618: transition: librsync

2019-07-21 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #932618 [release.debian.org] transition: librsync
Added tag(s) confirmed.

-- 
932618: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932618
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: warzone2100 3.2.1-3+deb10u1 flagged for acceptance

2019-07-21 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #931198 [release.debian.org] buster-pu: package warzone2100/3.2.1-3+deb10u1
Ignoring request to alter tags of bug #931198 to the same tags previously set

-- 
931198: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931198
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: warzone2100 3.2.1-3+deb10u1 flagged for acceptance

2019-07-21 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #931198 [release.debian.org] buster-pu: package warzone2100/3.2.1-3+deb10u1
Added tag(s) pending.

-- 
931198: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931198
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#931198: warzone2100 3.2.1-3+deb10u1 flagged for acceptance

2019-07-21 Thread Jonathan Wiltshire
Control: tags -1 + pending

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==============

Package: warzone2100
Version: 3.2.1-3+deb10u1

Explanation: fix a segmentation fault when hosting a multiplayer game



NEW changes in stable-new

2019-07-21 Thread Debian FTP Masters
Processing changes file: libblockdev_2.20-7+deb10u1_source.changes
  ACCEPT



Bug#932702: nmu: Please binNMU the following packages that have not been built on a buildd

2019-07-21 Thread Laurent Bigonville
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hello,

So apparently I missed the memo and my first round of packages uploaded to 
unstable after the release have not been built on a buildd.

Could it be possible to binNMU them?

libsepol must probably be rebuilt first as other packages are statically
linking against it and are adding a Built-Using field:
nmu libsepol_2.9-2 . amd64 . unstable . -m "Rebuilt on a buildd"

nmu checkpolicy_2.9-2 . amd64 . unstable . -m "Rebuilt on a buildd"
nmu libselinux_2.9-2 . amd64 . unstable . -m "Rebuilt on a buildd"
nmu mcstrans_2.9-2 . amd64 . unstable . -m "Rebuilt on a buildd"
nmu policycoreutils_2.9-2 . amd64 . unstable . -m "Rebuilt on a buildd"
nmu restorecond_2.9-2 . amd64 . unstable . -m "Rebuilt on a buildd"
nmu semodule-utils_2.9-2 . amd64 . unstable . -m "Rebuilt on a buildd"
nmu setools_4.2.2-1 . amd64 . unstable . -m "Rebuilt on a buildd"

nmu deja-dup_40.1-1 . amd64 . unstable . -m "Rebuilt on a buildd"

Kind regards,

Laurent Bigonville

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: refpolicy



Processed: libblockdev 2.20-7+deb10u1 flagged for acceptance

2019-07-21 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #932588 [release.debian.org] buster-pu: package libblockdev/2.20-7+deb10u1
Ignoring request to alter tags of bug #932588 to the same tags previously set

-- 
932588: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932588
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: libblockdev 2.20-7+deb10u1 flagged for acceptance

2019-07-21 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #932588 [release.debian.org] buster-pu: package libblockdev/2.20-7+deb10u1
Added tag(s) pending.

-- 
932588: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932588
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#932588: libblockdev 2.20-7+deb10u1 flagged for acceptance

2019-07-21 Thread Jonathan Wiltshire
Control: tags -1 + pending

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==============

Package: libblockdev
Version: 2.20-7+deb10u1

Explanation: use existing cryptsetup API for changing keyslot passphrase



Bug#931766: buster-pu: package openvswitch/2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12+deb10u1 - new debdiff

2019-07-21 Thread Jonathan Wiltshire
Control: tag -1 moreinfo

On Wed, Jul 10, 2019 at 09:55:20AM +0200, Thomas Goirand wrote:
> > Please allow me to fixup OVS's missing python3-six dependency, and add
> > support for fixing the MTU of OVS devices. The attached patch is quite
> > minimalistic. This also adds a bit of doc on how to set things up in
> > /etc/network/interfaces.

Not (yet) commenting on suitability, but there are some obvious issues with
the diff at a first glance:

> diff -Nru openvswitch-2.10.0+2018.08.28+git.8ca7c82b7d+ds1/debian/changelog 
> openvswitch-2.10.0+2018.08.28+git.8ca7c82b7d+ds1/debian/changelog
> --- openvswitch-2.10.0+2018.08.28+git.8ca7c82b7d+ds1/debian/changelog 
> 2019-04-14 00:25:19.0 +0200
> +++ openvswitch-2.10.0+2018.08.28+git.8ca7c82b7d+ds1/debian/changelog 
> 2019-06-24 08:53:33.0 +0200
> @@ -1,3 +1,11 @@
> +openvswitch (2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12+deb10u1) buster; 
> urgency=medium
> +
> +  * Some fixups in debian/ifupdown.sh to allow setting-up the MTU.
> +  * Document how to do Bond + Bridge + VLAN + MTU.
> +  * Correct dependency on python3-six instead of python-six (Closes: 
> #931104).
> +
> + -- Thomas Goirand   Mon, 24 Jun 2019 08:53:33 +0200
> +
>  openvswitch (2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12) unstable; 
> urgency=medium
>  
>* Add --may-exist in debian/ifupdown.sh as per upstream commit. Without it,
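
Review bot: The first bullet of the new entry, `Some fixups in debian/ifupdown.sh to allow setting-up the MTU`, is too vague for a stable update, since it does not say which behaviour of ifupdown.sh changes. The python3-six bullet closes #931104, while the MTU and documentation bullets carry no bug reference; say whether a bug covers them.
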
> @@ -7,6 +15,18 @@
>  
>  openvswitch (2.10.0+2018.08.28+git.8ca7c82b7d+ds1-11) unstable; 
> urgency=medium
>  
> +  * Removes network.service from openvswitch-switch.service to avoid a
> +dependency loop in systemd, leading to removal of networking.service.
> +Also use "ip link set DEVNAME up" instead of ifconfig, and runtime
> +depend on iproute2.
> +Thanks to Benjamin Drung for the bug report (Closes: #924562) and to
> +Jonathan Dupart for the patch as a merge request in Salsa.
> +
> + -- Thomas Goirand   Sun, 31 Mar 2019 00:50:26 +0100
> +>>> debian/stein
> +
> +openvswitch (2.10.0+2018.08.28+git.8ca7c82b7d+ds1-11) unstable; 
> urgency=medium
> +
>* Removes network.service from openvswitch-switch.service to avoid a
>  dependency loop in systemd, leading to removal of networking.service.
>  Also use "ip link set DEVNAME up" instead of ifconfig, and runtime
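
Review bot: The added `+>>> debian/stein` line is a leftover merge conflict marker, and the lines added above it repeat the existing 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-11 entry (same text about network.service, ifconfig and iproute2, same Closes: #924562), after which a second -11 header is added. Drop the whole added block in this hunk so that the only new changelog content is the -12+deb10u1 entry.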

Seem to be some merge artefacts here, including possibly an entire
duplicate entry?

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



Processed: Re: Bug#931766: buster-pu: package openvswitch/2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12+deb10u1 - new debdiff

2019-07-21 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #931766 [release.debian.org] buster-pu: package 
openvswitch/2.10.0+2018.08.28+git.8ca7c82b7d+ds1-13
Added tag(s) moreinfo.

-- 
931766: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931766
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#931615: buster-pu: package python-autobahn/17.10.1+dfsg1-3+deb10u1

2019-07-21 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Mon, Jul 08, 2019 at 11:47:07AM +0200, Thomas Goirand wrote:
> Please accept the update of python-autobahn fixing a problem in the
> (build-)dependencies. Debdiff attached.

err... oops?

Please go ahead.

Thanks,


-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



Processed: Re: Bug#931596: stretch-pu: package libjavascript-beautifier-perl/0.25-1+deb10u1

2019-07-21 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #931596 [release.debian.org] buster-pu: package 
libjavascript-beautifier-perl/0.25-1+deb10u1
Added tag(s) moreinfo.

-- 
931596: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931596
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#931615: buster-pu: package python-autobahn/17.10.1+dfsg1-3+deb10u1

2019-07-21 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #931615 [release.debian.org] buster-pu: package 
python-autobahn/17.10.1+dfsg1-3+deb10u1
Added tag(s) confirmed.

-- 
931615: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931615
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#931596: stretch-pu: package libjavascript-beautifier-perl/0.25-1+deb10u1

2019-07-21 Thread Jonathan Wiltshire
Control: tag -1 moreinfo

Hi,

On Mon, Jul 08, 2019 at 07:04:20AM +0200, Xavier Guimard wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu

Your metadata above, bug title, and changelog target all disagree about
whether you're targeting buster or stretch or sid. Which is it?

> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,9 @@
> +libjavascript-beautifier-perl (0.25-1+deb10u1) unstable; urgency=medium

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



Bug#931616: buster-pu: package puppet-module-cinder/13.1.0-3+deb10u1

2019-07-21 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Mon, Jul 08, 2019 at 11:54:53AM +0200, Thomas Goirand wrote:
> Please allow me to fix puppet-module-cinder in Buster. The attached debdiff
> shows that, when using the CEPH backend, puppet-cinder attempts to write in
> /etc/init, which fails since we don't have this upstart folder anymore.
> I failed to see this bug until I attempted to add a CEPH backend (instead
> of the "regular" LVM backend) in my cluster.

Please go ahead.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



Processed: Re: Bug#931616: buster-pu: package puppet-module-cinder/13.1.0-3+deb10u1

2019-07-21 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #931616 [release.debian.org] buster-pu: package 
puppet-module-cinder/13.1.0-3+deb10u1
Added tag(s) confirmed.

-- 
931616: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931616
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#931386: stretch-pu: package fribidi/0.19.7-1.1

2019-07-21 Thread Jonathan Wiltshire
On Wed, Jul 03, 2019 at 07:36:55PM +0200, Samuel Thibault wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> Hello,
> 
> As reported on #917909, the text-based debian installer support for
> right-to-left languages is completely broken, only due to a path
> mismatch. This was fixed in Buster in January with the attached change,
> which I have uploaded to stretch as 0.19.7-1.1, could you accept it?

Looks OK to me, d-i ack needed.

thanks,

> 
> Thanks,
> Samuel
> 
> -- System Information:
> Debian Release: 10.0
>   APT prefers testing
>   APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
> 'testing-debug'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), 
> (500, 'proposed-updates'), (500, 'oldoldstable'), (500, 'buildd-unstable'), 
> (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 
> 'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 5.1.0 (SMP w/8 CPU cores)
> Kernel taint flags: TAINT_OOT_MODULE
> Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
> LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)

> commit 8469bfead9515ab3644f1769a1ff51466ba8ffee
> Author: Samuel Thibault 
> Date:   Mon Jul 1 02:31:02 2019 +0200
> 
> Fix crash on XkbSetMap
> 
> Some devices may not have keyboard information.
> 
> Fixes #574
> 
> diff --git a/xkb/xkb.c b/xkb/xkb.c
> index 764079506..9bd45a34a 100644
> --- a/xkb/xkb.c
> +++ b/xkb/xkb.c
> @@ -2383,6 +2383,9 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, 
> xkbSetMapReq * req,
>  XkbSymMapPtr map;
>  int i;
>  
> +if (!dev->key)
> +return 0;
> +
>  xkbi = dev->key->xkbInfo;
>  xkb = xkbi->desc;
>  
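
Review bot: The new guard in _XkbSetMapChecks returns the bare literal `0`, while the matching guard added to _XkbSetMap in the next hunk returns `Success`. Use the named constant in both places so the intent (skip devices without key information and report no error) is explicit.
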
> @@ -2495,6 +2498,9 @@ _XkbSetMap(ClientPtr client, DeviceIntPtr dev, 
> xkbSetMapReq * req, char *values)
>  XkbSrvInfoPtr xkbi;
>  XkbDescPtr xkb;
>  
> +if (!dev->key)
> +return Success;
> +
>  xkbi = dev->key->xkbInfo;
>  xkb = xkbi->desc;
>  
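
Review bot: Returning `Success` from _XkbSetMap when `dev->key` is NULL tells the client the map was applied although nothing was done. A short comment above the `if (!dev->key)` check, saying why devices without keyboard information are skipped silently rather than rejected, would record that this is deliberate.
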
> commit fabc4219622f3c0b41b1cb897c46e092377059e3
> Author: Samuel Thibault 
> Date:   Mon Jul 1 02:33:26 2019 +0200
> 
> Fix crash on XkbSetMap
> 
> Since group_info and width are used for the key actions allocations,
> when modifying them we need to take care of reallocation key actions if
> needed.
> 
> diff --git a/xkb/xkb.c b/xkb/xkb.c
> index 9bd45a34a..3162574a4 100644
> --- a/xkb/xkb.c
> +++ b/xkb/xkb.c
> @@ -2110,6 +2110,9 @@ SetKeySyms(ClientPtr client,
>  }
>  }
>  }
> +if (XkbKeyHasActions(xkb, i + req->firstKeySym))
> +XkbResizeKeyActions(xkb, i + req->firstKeySym,
> +XkbNumGroups(wire->groupInfo) * wire->width);
>  oldMap->kt_index[0] = wire->ktIndex[0];
>  oldMap->kt_index[1] = wire->ktIndex[1];
>  oldMap->kt_index[2] = wire->ktIndex[2];
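
Review bot: The result of the added `XkbResizeKeyActions(...)` call is discarded, so a failed reallocation would go unnoticed before the following `oldMap` fields are updated; check the return value and fail the request on allocation error. `i + req->firstKeySym` is also computed twice in the three added lines and could be held in a local variable.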


-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



Re: testing migration aging and reproducible builds

2019-07-21 Thread Holger Levsen
On Sun, Jul 21, 2019 at 05:35:53PM -0300, Jonathan Wiltshire wrote:
> On Sun, Jul 21, 2019 at 11:55:59AM -0300, Vagrant Cascadian wrote:
> > This makes me think to decrease the delay for reproducible packages
> > rather than increase the delay for unreproducible ones? Though then
> > you'd want it to be a small increment...
> How about if the current bonus of three days is dependent on both
> autopkgtests *and* reproducibility? That keeps the incentive without ending
> up with same-day migrations.

/me likes!


-- 
tschau,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

Dance like no one's watching. Encrypt like everyone is.




Re: testing migration aging and reproducible builds

2019-07-21 Thread Jonathan Wiltshire
On Sun, Jul 21, 2019 at 11:55:59AM -0300, Vagrant Cascadian wrote:
> This makes me think to decrease the delay for reproducible packages
> rather than increase the delay for unreproducible ones? Though then
> you'd want it to be a small increment...

How about if the current bonus of three days is dependent on both
autopkgtests *and* reproducibility? That keeps the incentive without ending
up with same-day migrations.


-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



Bug#931659: transition: rm python2

2019-07-21 Thread Scott Kitterman
On Sunday, July 21, 2019 4:15:43 PM EDT Jonathan Wiltshire wrote:
> On Sun, Jul 21, 2019 at 08:00:20PM +, Scott Kitterman wrote:
> > Thanks.  It looks plausible.  As doko mentioned, it'll need the same for
> > build depends.
> 
> It already has the .build-depends, the answer to that is what I was waiting
> for.

Thanks.  I see that now.  I guess that's what I get for trying to read it on 
my phone.

Scott K



Bug#931659: transition: rm python2

2019-07-21 Thread Jonathan Wiltshire
On Sun, Jul 21, 2019 at 08:00:20PM +, Scott Kitterman wrote:
> Thanks.  It looks plausible.  As doko mentioned, it'll need the same for
> build depends.

It already has the .build-depends, the answer to that is what I was waiting
for.

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



Bug#931659: transition: rm python2

2019-07-21 Thread Scott Kitterman
Thanks.  It looks plausible.  As doko mentioned, it'll need the same for build 
depends.

Scott K



Bug#931659: transition: rm python2

2019-07-21 Thread Jonathan Wiltshire
Control: forwarded -1 
https://release.debian.org/transitions/html/python2-rm.html

On Tue, Jul 09, 2019 at 11:15:31AM +, Scott Kitterman wrote:
> 
> 
> On July 9, 2019 8:19:03 AM UTC, Jonathan Wiltshire  wrote:
> >Control: tag -1 moreinfo
> >
> >Hi,
> >
> >On Mon, Jul 08, 2019 at 06:31:50PM -0400, Scott Kitterman wrote:
> >> title = "python-defaults";
> >> is_affected = .depends ~
> >/python|python-minimal|python-dev|libpython-dev|libpython-stdlib|python-doc|python-dbg|libpython-dbg|python-all|python-all-dev|python-all-dbg|libpython-all-dev|libpython-all-dbg|python2|python2-minimal|python2-dev|libpython2-dev|libpython2-stdlib|python2-doc|python2-dbg|libpython2-dbg|python2.7|libpython2.7-stdlib|python2.7-minimal|libpython2.7-minimal|libpython2.7|python2.7-examples|python2.7-dev|libpython2.7-dev|libpython2.7-testsuite|idle-python2.7|python2.7-doc|python2.7-dbg|libpython2.7-dbg/
> >| .depends ~ "''";
> >
> >I don't quite understand the alternative .depends, "''". Can you
> >clarify
> >please?
> >
> >Thanks,
> 
> That's the binaries produced by python-defaults and python2.7 as 
> affected/bad.  Good is empty since it is about removal.

That wasn't quite what I meant - it was the alternative .depends for
affected which puzzled me. But this seems to be an artefact of reportbug.

I *think* I have the tracker right now, please see
https://release.debian.org/transitions/html/python2-rm.html
It's certainly long, does it look plausible?

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



Bug#932684: buster-pu: package gnupg2/2.2.12-1+deb10u1

2019-07-21 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
Control: affects -1 src:gnupg2

The version of GnuPG in debian buster (2.2.12-1) has a number of
outstanding bugs related to OpenPGP certificate management and network
access.  Many of these concerns are addressed in some of the patches
in upstream's STABLE-BRANCH-2-2 series.

The debdiff (attached) is basically a slew of bugfix, documentation,
stability, and efficiency patches cherry-picked from upstream, plus
some additional changes to reduce the exposure of debian users to
malicious attack on the SKS keyserver network, and some improvements
in the continuous integration test suite.

These additional changes address concerns due to the fact that the SKS
keyserver network is failing due to abuse, and GnuPG had used it as a
default keyserver.  These changes offer ways to work around the
problems our users face when fetching data off the network today.  In
particular:

 * We adopt GnuPG's upstream approach of making keyserver access
   default to self-sigs-only.  This means that the keyserver cannot
   flood the user's keyring by default. (we do *not* adopt upstream's
   choice of import-clean for keyserver default, see
   https://dev.gnupg.org/T4628 for more explanation)
   
 * We constrain the SKS CA to only validate
   hkps.pool.sks-keyservers.net (and we avoid using the system CAs for
   the SKS pool), thereby tightening the confidentiality constraints
   on TLS-wrapped keyserver access.

 * Since the SKS pool's distribution of third-party certifications
   will be ignored by default, we change the default keyserver to
   hkps://keys.openpgp.org, which won't waste the user's bandwidth for
   data that they won't even consider by default.  keys.openpgp.org is
   significantly more performant for read-only clients (most keyserver
   access) than any member of the SKS pool.

 * We also allow GnuPG to merge certificate updates (revocations,
   subkey rotations) which might be published on keys.openpgp.org
   without any user ID (see https://dev.gnupg.org/T4393 for more
   discussion).  This represents a security improvement for users who
   might otherwise use a locally-cached certificate that should have
   been revoked, or who cannot encrypt to a locally-cached certificate
   because they don't know about its new encryption-capable subkey.

 * migrate-pubring-from-classic-gpg fails when the user's keyring
   contains a flooded certificate -- we address this (#931385), and
   add a test for it.

---

A note about "web of trust" and the third-party certifications it
depends on:

Third-party certifications are still importable by default over WKD
and DANE/OPENPGPKEY access.  It is generally recommended to use those
mechanisms where providers offer them, using --locate-key by e-mail
address instead of --search.

A user who wants to import arbitrary third-party certifications via
HKP or HKPS can still do so by identifying their trusted keyserver
source and indicating that third-party certifications are OK.  For
example:

--keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options no-self-sigs-only

---

Finally, we add an additional simple test for ci.debian.org, and we
adjust the gpgv-win32 ci test so that it will only run on i386 testers
(#905563).  continuous integration for the win! :)

The changelog entry provides this summary:

gnupg2 (2.2.12-1+deb10u1) buster; urgency=medium

  * drop unneeded patch for printing revocation certificates
  * backport bugfix and stability patches from upstream 2.2.13
  * backport bugfix and stability patches from upstream 2.2.14
  * backport documentation, stability, ssh, and WKD patches from upstream 2.2.15
  * backport documentation and bugfix patches from upstream 2.2.16
  * import bugfixes and cleanup around secret key handling from 2.2.14
  * backport bugfixes, documentation, WKD, and keyserver fixes from 2.2.17
  * import efficiency and security fixes from upstream STABLE-BRANCH-2-2
  * avoid using SKS pool CA unless the keyserver is hkps.pool.sks-keyservers.net
  * drop import-clean from default keyserver options, to avoid data loss
  * use keys.openpgp.org as the default keyserver
  * enable merging certificate updates even if update has no user ID
  * update Vcs-Git: to point to debian/buster branch
  * Adopt migrate-pubring-from-classic-gpg robustness fixes (Closes: #931385)
  * add new CI test: debian/tests/simple-tests
  * debian/tests/gpgv-win32: make arch-specific (Closes: #905563)

 -- Daniel Kahn Gillmor   Sun, 21 Jul 2019 15:39:05 -0400


I recognize that this is a lot of changes, but upstream's 2.2 branch
is intended to be stable.  (most of the GnuPG development work is
happening on the 2.3 branch, and most of the work on 2.2 is just
backports of bugfixes) These changes are also visible on the
debian/buster branch on https://salsa.debian.org/debian/gnupg2.

So another option, if the release-team prefers, would be to mo

Processed: Re: Bug#931659: transition: rm python2

2019-07-21 Thread Debian Bug Tracking System
Processing control commands:

> forwarded -1 https://release.debian.org/transitions/html/python2-rm.html
Bug #931659 [release.debian.org] transition: rm python2
Set Bug forwarded-to-address to 
'https://release.debian.org/transitions/html/python2-rm.html'.

-- 
931659: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931659
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: buster-pu: package gnupg2/2.2.12-1+deb10u1

2019-07-21 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 src:gnupg2
Bug #932684 [release.debian.org] buster-pu: package gnupg2/2.2.12-1+deb10u1
Added indication that 932684 affects src:gnupg2

-- 
932684: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932684
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#932665: stretch-pu: package systemd/232-25+deb9u12

2019-07-21 Thread Michael Biebl
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to make a stable upload for stretch.

It fixes an issue in networkd, which is not enabled by default, but
apparently sees increased usage, so it seems worthwhile fixing it, as it
can result in loss of IPv4 connectivity on DHCPv4 lease expirations.


Full debdiff is attached.

Regards,
Michael

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 5971d52..a985539 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+systemd (232-25+deb9u12) stretch; urgency=medium
+
+  * networkd: Do not stop ndisc client in case of conf error.
+When an NDisc error happens, e.g. in case of a prefix change, do not shut
+down the dhcp client. Instead log about it and continue.
+Otherwise networkd might fail to renew the DHCPv4 address and lose IPv4
+connectivity. (Closes: #930353)
+
+ -- Michael Biebl   Sun, 21 Jul 2019 20:43:29 +0200
+
 systemd (232-25+deb9u11) stretch-security; urgency=high
 
   * pam-systemd: use secure_getenv() rather than getenv()
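Review bot: The new changelog bullet is titled "Do not stop ndisc client" while its body says "do not shut down the dhcp client", so it is unclear from the entry alone which client is kept running. The patch description further down says link_enter_failed leads to link_stop_clients, "that is dhcp, ndisc etc."; wording the entry once in those terms (the link is no longer put into the failed state, so none of its clients are stopped) would tell the stable release managers exactly what behaviour changes.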
diff --git 
a/debian/patches/networkd-ndisc-Do-not-stop-ndisc-client-incase-of-conf-er.patch
 
b/debian/patches/networkd-ndisc-Do-not-stop-ndisc-client-incase-of-conf-er.patch
new file mode 100644
index 000..015fb35
--- /dev/null
+++ 
b/debian/patches/networkd-ndisc-Do-not-stop-ndisc-client-incase-of-conf-er.patch
@@ -0,0 +1,32 @@
+From: Susant Sahani 
+Date: Tue, 26 Sep 2017 17:17:32 +0530
+Subject: networkd: ndisc Do not stop ndisc client incase of conf error.
+
+Now in ndisc_netlink_handler if route or address fails we stop the clients.
+link_enter_failed->link_stop_clients that is dhcp, ndisc etc.
+
+The clients should be keep on running .
+
+Fixes #5625
+
+(cherry picked from commit 7f676aa324cb5498a5f9c3d51ecfe53242e0)
+---
+ src/network/networkd-ndisc.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/network/networkd-ndisc.c b/src/network/networkd-ndisc.c
+index d3fa56b..1513d66 100644
+--- a/src/network/networkd-ndisc.c
 b/src/network/networkd-ndisc.c
+@@ -37,10 +37,8 @@ static int ndisc_netlink_handler(sd_netlink *rtnl, 
sd_netlink_message *m, void *
+ link->ndisc_messages--;
+ 
+ r = sd_netlink_message_get_errno(m);
+-if (r < 0 && r != -EEXIST) {
++if (r < 0 && r != -EEXIST)
+ log_link_error_errno(link, r, "Could not set NDisc route or 
address: %m");
+-link_enter_failed(link);
+-}
+ 
+ if (link->ndisc_messages == 0) {
+ link->ndisc_configured = true;
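Review bot: In ndisc_netlink_handler, with the braces and link_enter_failed(link) removed, a failed route or address request is only logged and execution falls through to the link->ndisc_messages == 0 check, so the link can reach ndisc_configured = true even though the NDisc route or address was never set. That appears to be the intended trade-off for keeping DHCPv4 alive, but the patch header does not say so; please state it there, and confirm that the single log_link_error_errno line is enough for an operator to notice a link that is marked configured without working IPv6 routes. The header would also benefit from a Bug-Debian field pointing at #930353, which the changelog closes.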
diff --git a/debian/patches/series b/debian/patches/series
index ddd4a0b..411780d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -100,6 +100,7 @@ 
mount-util-accept-that-name_to_handle_at-might-fail-with-.patch
 automount-ack-automount-requests-even-when-already-mounte.patch
 backport-read_line-from-systemd-master.patch
 core-when-deserializing-state-always-use-read_line-LONG_L.patch
+networkd-ndisc-Do-not-stop-ndisc-client-incase-of-conf-er.patch
 debian/Use-Debian-specific-config-files.patch
 debian/don-t-try-to-start-autovt-units-when-not-running-wit.patch
 debian/Make-logind-hostnamed-localed-timedated-D-Bus-activa.patch


Re: testing migration aging and reproducible builds

2019-07-21 Thread Vagrant Cascadian
On 2019-07-21, Chris Lamb wrote:
> So, the devil is very much in the details here, alas. Whilst I am a
> definite +1 on this idea the day-to-day experience may not be ideal
> so your thoughts are very welcome.
>
> Just to take one recent example: I noticed yesterday a regression
> whereby one of our tools (strip-nondeterminism) is causing a fair
> number of Java packages to be unreproducible — it would seem a little
> antisocial to block them from migrating to testing when it was "our"
> fault. It is not really within the power or remit of the maintainers
> in-question to fix this particular issue, and we should not implicitly
> encourage maintainers to manually (!) fix it in each of the affected
> packages just to get it to migrate...

Indeed.


> Note that delaying migration here has quite a different consent
> and social dynamic to autopkgtest failures as the maintainers have,
> by uploading a package that contains autopkgtests, implicitly opted
> into the commitment to ensure they continue to pass.
>
> Anyway, your thoughts on this important angle?

This makes me think to decrease the delay for reproducible packages
rather than increase the delay for unreproducible ones? Though then
you'd want it to be a small increment...

It's more of an incentive that way than a punishment, and humans tend to
be more motivated by incentives rather than punishment...

Still would hate for maintainers to be overly zealous in one-off fixes.


>> For this to be possible, we would need to have an automated way to get 
>> data about the source packages
>
> Regarding the technical side of the implementation, we currently
> generate this (~3MB bzipped) JSON file:
>
>   https://tests.reproducible-builds.org/debian/reproducible.json.bz2
>
> ... that (unless I am mistaken) is the data being used by qa.debian.org.

I think it's:

  https://tests.reproducible-builds.org/reproducible-tracker.json

Which only shows results for "bullseye" (formerly only "buster").

We wanted to filter out the unstable and experimental suites from the
tracker which may have larger numbers of variations (e.g. build path),
some of which may just be distracting to developers at this point
until we have a more complete fix for those issues.

I'm not sure relying on our test infrastructure at the moment is the
right approach long-term, maybe fine in the short-term.

We really need to start doing verification of buildd builds rather than
simply rebuilding packages twice with variations. Was hoping to put
together a BoF this week with DSA about that; maybe release team would
also be interested?


live well,
  vagrant




Re: Bits from the Release Team: ride like the wind, Bullseye!

2019-07-21 Thread Ivo De Decker

Hi Ben,

Sorry for not getting back to you about this earlier.

On 7/7/19 3:43 PM, Ben Hutchings wrote:
> On Sun, 2019-07-07 at 02:47 +0100, Jonathan Wiltshire wrote:
> [...]
>> No binary maintainer uploads for bullseye
>> =========================================
>>
>> The release of buster also means the bullseye release cycle is about to begin.
>> From now on, we will no longer allow binaries uploaded by maintainers to
>> migrate to testing. This means that you will need to do source-only uploads if
>> you want them to reach bullseye.
>
> I support this move in principle, but:
>
>>    Q: I already did a binary upload, do I need to do a new (source-only) upload?
>>    A: Yes (preferably with other changes, not just a version bump).
>>
>>    Q: I needed to do a binary upload because my upload went to the NEW queue,
>>       do I need to do a new (source-only) upload for it to reach bullseye?
>>    A: Yes. We also suggest going through NEW in experimental instead of unstable
>>       where possible, to avoid disruption in unstable.
>
> [...]
>
> This is not going to fly for src:linux.  We can't stage ABI bumps in
> experimental as we typically have a different upstream versions in
> unstable and experimental.  We even need to do ABI bumps in stable from
> time to time.


We are aware that src:linux is a special case here. I added an exception 
for the arch:all binaries from src:linux. When the next ABI bump in 
unstable happens, feel free to let me know, so that I can check if it 
works as expected.


Thanks,

Ivo



Re: testing migration aging and reproducible builds

2019-07-21 Thread Chris Lamb
Dear Ivo et al.,

Thanks for reaching out.

So, the devil is very much in the details here, alas. Whilst I am a
definite +1 on this idea the day-to-day experience may not be ideal
so your thoughts are very welcome.

Just to take one recent example: I noticed yesterday a regression
whereby one of our tools (strip-nondeterminism) is causing a fair
number of Java packages to be unreproducible — it would seem a little
antisocial to block them from migrating to testing when it was "our"
fault. It is not really within the power or remit of the maintainers
in-question to fix this particular issue, and we should not implicitly
encourage maintainers to manually (!) fix it in each of the affected
packages just to get it to migrate...

Similar mishaps or problems with the testing framework itself are
usually more typical than the above but would have the same effect of
directing a lot of distracting and demotivating blowback in our
direction.

Note that delaying migration here has quite a different consent
and social dynamic to autopkgtest failures as the maintainers have,
by uploading a package that contains autopkgtests, implicitly opted
into the commitment to ensure they continue to pass.

Anyway, your thoughts on this important angle?

> For this to be possible, we would need to have an automated way to get 
> data about the source packages

Regarding the technical side of the implementation, we currently
generate this (~3MB bzipped) JSON file:

  https://tests.reproducible-builds.org/debian/reproducible.json.bz2

... that (unless I am mistaken) is the data being used by qa.debian.org.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org 🍥 chris-lamb.co.uk
   `-



testing migration aging and reproducible builds

2019-07-21 Thread Ivo De Decker

Hi reproducible builds team,

The release team is planning to revisit the testing migration aging 
policy in the near future. The details haven't been worked out yet, but 
we are considering using reproducibility of packages as one of the new 
factors that could influence the aging.


For this to be possible, we would need to have an automated way to get 
data about the source packages for which the binaries from the buildds 
can be reproduced. Would this be something that could be arranged?


Thanks,

Ivo





Bug#931126: unblock: enigmail/2:2.0.11+ds1-2

2019-07-21 Thread Daniel Kahn Gillmor
On Sat 2019-07-20 21:41:12 -0300, Jonathan Wiltshire wrote:
> Hi,
>
> On Mon, Jul 01, 2019 at 01:21:22PM -0400, Daniel Kahn Gillmor wrote:
>> On Sun 2019-06-30 20:01:21 +0200, Paul Gevers wrote:
>> > The time for unblocks for buster has come and gone. The deadline was
>> > last Tuesday, we are now in deep freeze and we were not able to process
>> > your unblock request and give it an exception. I assume this should be
>> > fixed via the security archive, please confirm that (and I'll fix this
>> > bug's metadata). Otherwise I propose you prepare a stable release update
>> > targeting buster, such that this can be fixed in the first point release.
>> 
>> I'm fine with this going through either security or the first buster
>> point release.  So yes, Paul, if you can update this issue to be treated
>> as a security issue, that would be great.
>
> Would you prefer to do this as a security upload (in which case this
> unblock bug should be closed) or as a no-dsa (we will repurpose it for a
> p-u)?

At this point, given the upstream changes and the issues with the SKS
keyserver network, i think we should aim to import 2.0.12 into buster,
not 2.0.11.

I would love it if someone else wants to step up and help with this.
I'm currently working on an update to GnuPG for buster, and have not had
time yet to do the 2.0.12 upload for Buster (either as a security or
point release).

 --dkg




Bug#932618: transition: librsync

2019-07-21 Thread Andrey Rahmatullin
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

The librsync library changed the ABI and also some parts of API, the API change
impacts only rdiff-backup, for which #928885 is filed with no reaction so far.

I've tested all revdeps, they rebuild cleanly apart from rdiff-backup.

https://release.debian.org/transitions/html/auto-librsync.html looks correct.



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'unstable'), (500, 'testing'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.0.0-trunk-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8), LANGUAGE= 
(charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#932616: nmu: tcptraceroute_1.5beta7+debian-4.1

2019-07-21 Thread Sven Joachim
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Bug #932240 in debhelper 12.2 has caused missing dependencies in
packages with setuid/setgid binaries.  At least the tcptraceroute
package is affected by this bug, see #932603.  But there could well be
others. :-(

nmu tcptraceroute_1.5beta7+debian-4.1 . ANY . unstable . -m "Rebuild with fixed debhelper."



Bug#145257: [britney] build-depends not taken into consideration for arch:all packages

2019-07-21 Thread Graham Inggs
Some recent bugs that seem to have been caused by this:

#898245 src:flask-limiter-> python-aniso8601
#932507 src:python-crontab-> python-croniter
#932509 src:pyrsample-> python-xarray



Bug#932606: buster-pu: package node-mixin-deep/1.1.3-3+deb10u1

2019-07-21 Thread Xavier Guimard
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi all,

node-mixin-deep is vulnerable to prototype pollution (#932500,
CVE-2019-10746). Here is a proposed update.

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 17cb287..74f9154 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-mixin-deep (1.1.3-3+deb10u1) buster; urgency=medium
+
+  * Fix prototype pollution (Closes: #932500, CVE-2019-10746)
+
+ -- Xavier Guimard   Sat, 20 Jul 2019 17:41:17 +0200
+
 node-mixin-deep (1.1.3-3) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2019-10746.diff 
b/debian/patches/CVE-2019-10746.diff
new file mode 100644
index 000..cc4b58a
--- /dev/null
+++ b/debian/patches/CVE-2019-10746.diff
@@ -0,0 +1,41 @@
+Description: Fix for CVE-2019-10746 (prototype pollution)
+Author: Jon Schlinkert (https://github.com/jonschlinkert)
+Origin: upstream, https://github.com/jonschlinkert/mixin-deep/commit/90ee1fab
+Bug: https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
+Bug-Debian: https://bugs.debian.org/932500
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2019-07-20
+
+--- a/index.js
 b/index.js
+@@ -23,10 +23,9 @@
+  */
+ 
+ function copy(val, key) {
+-  if (key === '__proto__') {
++  if (!isValidKey(key)) {
+ return;
+   }
+-
+   var obj = this[key];
+   if (isObject(val) && isObject(obj)) {
+ mixinDeep(obj, val);
+@@ -47,6 +46,17 @@
+ }
+ 
+ /**
++ * Returns true if `key` is a valid key to use when extending objects.
++ *
++ * @param  {String} `key`
++ * @return {Boolean}
++ */
++
++function isValidKey(key) {
++  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
++};
++
++/**
+  * Expose `mixinDeep`
+  */
+ 
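Review bot: isValidKey() in the second index.js hunk rejects 'constructor' and 'prototype' in addition to '__proto__', and copy() simply returns for them, so an own property with one of those names is now dropped from the merge result without any error or warning. That is the right default for closing the pollution path, but it is a behaviour change for a stable update and should be mentioned in the changelog entry, which currently says only "Fix prototype pollution". The Debian patch also carries only the index.js change: please add a regression test that merges an object carrying each of the three rejected keys and asserts that Object.prototype is unchanged afterwards, so the fix is exercised at build time. Minor style point: the trailing ";" after the closing brace of the isValidKey function declaration is an empty statement and can be dropped.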
diff --git a/debian/patches/series b/debian/patches/series
index 9b10403..da1c174 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 CVE-2018-3719.diff
+CVE-2019-10746.diff