Bug#1037542: bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1

2023-06-14 Thread Pierre Gruet 

Hi Salvatore,

Le 15/06/2023 à 07:21, Salvatore Bonaccorso a écrit :

Hi Pierre,

On Wed, Jun 14, 2023 at 12:01:18AM +0200, Pierre Gruet wrote:

[...]



diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 
xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog   2023-02-04 
14:24:45.0 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog   2023-06-13 
23:19:59.0 +0200
@@ -1,3 +1,9 @@
+xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium
+
+  * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm)
+
+ -- Pierre Gruet   Tue, 13 Jun 2023 23:19:59 +0200


Can you as well add the Debian bug closer for #1036706 here?


Thanks for looking at my diff. I admit I had not considered closing the 
bug here since it has already been declared as closed by the upload to 
unstable, I would have issued a BTS command after this proposal hits 
bookworm.

Anyway, thanks for educating me on this.

Enclosed is the new source debdiff, everything else in the original 
message of this bug thread remains unchanged.




Regards,
Salvatore


Best,

--
Pierre
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog	2023-02-04 14:24:45.0 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog	2023-06-13 23:19:59.0 +0200
@@ -1,3 +1,10 @@
+xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium
+
+  * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm,
+Closes: #1036706)
+
+ -- Pierre Gruet   Tue, 13 Jun 2023 23:19:59 +0200
+
 xerial-sqlite-jdbc (3.40.1.0+dfsg-1) unstable; urgency=medium
 
   * New upstream version 3.40.1.0+dfsg
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch	1970-01-01 01:00:00.0 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch	2023-06-13 23:17:23.0 +0200
@@ -0,0 +1,28 @@
+Description: fixing CVE-2023-32697
+Author: Pierre Gruet 
+Origin: upstream, https://github.com/xerial/sqlite-jdbc/commit/edb4b8adc2447bc04e05b9b908195a4bc7926242
+Bug: https://github.com/xerial/sqlite-jdbc/security/advisories/GHSA-6phf-6h5g-97j2
+Bug-Debian: https://bugs.debian.org/1036706
+Forwarded: not-needed
+Applied-Upstream: edb4b8adc2447bc04e05b9b908195a4bc7926242
+Last-Update: 2023-06-13
+
+--- a/src/main/java/org/sqlite/SQLiteConnection.java
 b/src/main/java/org/sqlite/SQLiteConnection.java
+@@ -13,6 +13,7 @@
+ import java.sql.ResultSet;
+ import java.sql.SQLException;
+ import java.util.Properties;
++import java.util.UUID;
+ import java.util.concurrent.Executor;
+ import org.sqlite.SQLiteConfig.TransactionMode;
+ import org.sqlite.core.CoreDatabaseMetaData;
+@@ -303,7 +304,7 @@
+ }
+ 
+ String tempFolder = new File(System.getProperty("java.io.tmpdir")).getAbsolutePath();
+-String dbFileName = String.format("sqlite-jdbc-tmp-%d.db", resourceAddr.hashCode());
++String dbFileName = String.format("sqlite-jdbc-tmp-%s.db", UUID.randomUUID());
+ File dbFile = new File(tempFolder, dbFileName);
+ 
+ if (dbFile.exists()) {
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series	2023-02-02 17:16:53.0 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series	2023-06-13 23:10:58.0 +0200
@@ -7,3 +7,4 @@
 skip_OSInfoTest.patch
 tests_without_archunit-junit5_and_some_assertions.patch
 junit-jupiter-params_artifact.patch
+CVE-2023-32697.patch


OpenPGP_signature
Description: OpenPGP digital signature

Bug#1037542: bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1

2023-06-14 Thread Salvatore Bonaccorso 
Hi Pierre,

On Wed, Jun 14, 2023 at 12:01:18AM +0200, Pierre Gruet wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: xerial-sqlite-j...@packages.debian.org
> Control: affects -1 + src:xerial-sqlite-jdbc
> 
> Dear Release team,
> 
> I would like to upload xerial-sqlite-jdbc to stable-proposed-updates.
> 
> [ Reason ]
> Grave bug #1036706 has been filled a few days before the release of Bookworm.
> This is a security bug associated to CVE-2023-32697. Although it has been
> marked no-dsa by the security team, we exchanged a few emails and our
> conclusion was the fix of this bug, which amounts to cherry-pick one commit of
> upstream, should land in Bookworm during a point release.
> 
> [ Impact ]
> CVE-2023-32697 would remain. The Debian-packaged reverse dependencies of the
> package are mainly used in a single-user environment, but possibly it is also
> used in a network environment by some users for their own programs, and this 
> is
> where there might be some hazard.
> 
> [ Tests ]
> The package was built in a Bookworm chroot and its autopkgtest is passing.
> 
> [ Risks ]
> Code is very simple, only 2 lines are changed. Upstream has published it
> three weeks ago and it has issued new upstream versions since then.
> 
> [ Checklist ]
>   [X] *all* changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in (old)stable
>   [X] the issue is verified as fixed in unstable
> 
> [ Changes ]
> Cherry-picking commit edb4b8adc2447bc04e05b9b908195a4bc7926242 from upstream,
> which uses a random UUID instead of the hash of some fixed address in order to
> define the DB file name.
> 
> 
> 
> Thanks for your help,
> 
> Best,
> 
> -- 
> Pierre

> diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 
> xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog
> --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-02-04 
> 14:24:45.0 +0100
> +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-06-13 
> 23:19:59.0 +0200
> @@ -1,3 +1,9 @@
> +xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium
> +
> +  * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm)
> +
> + -- Pierre Gruet   Tue, 13 Jun 2023 23:19:59 +0200

Can you as well add the Debian bug closer for #1036706 here?

Regards,
Salvatore

Bug#1037444: bookworm-pu: package kanboard/1.2.26+ds-4

2023-06-14 Thread Salvatore Bonaccorso 
Hi Joseph,

[disclaimer, not a release team member but I believe can give input on
the debdiff below]

On Mon, Jun 12, 2023 at 08:19:55PM -0400, Joseph Nahmias wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: kanbo...@packages.debian.org, j...@nahmias.net
> Control: affects -1 + src:kanboard
> 
> [ Reason ]
> Security updates for kanboard since v1.2.26.
> 
> [ Tests ]
> upstream's unit test suite are run at build time and via autopkgtest.
> there are also some other (superficial) autopkgtests.
> 
> [ Risks ]
> All listed CVEs have targeted fixes picked from upstream github.
> 
> [ Checklist ]
>   [X] *all* changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in (old)stable
>   [X] the issue is verified as fixed in unstable
> 
> [ Other info ]
> 
> My first stable update, so please advise if I missed anything.
> --Joe

> diff -Nru kanboard-1.2.26+ds/debian/changelog 
> kanboard-1.2.26+ds/debian/changelog
> --- kanboard-1.2.26+ds/debian/changelog   2023-05-16 22:49:38.0 
> -0400
> +++ kanboard-1.2.26+ds/debian/changelog   2023-06-07 20:45:40.0 
> -0400
> @@ -1,3 +1,24 @@
> +kanboard (1.2.26+ds-4) unstable; urgency=medium
> +
> +  * backport security fixes from kanboard v1.2.30
> + > CVE-2023-33956: Parameter based Indirect Object Referencing leading
> +   to private file exposure
> + > CVE-2023-33968: Missing access control allows user to move and
> +   duplicate tasks to any project in the software
> + > CVE-2023-33969: Stored XSS in the Task External Link Functionality
> + > CVE-2023-33970: Missing access control in internal task links feature
> +(Closes: #1037167)
> +
> + -- Joseph Nahmias   Wed, 07 Jun 2023 20:45:40 -0400
> +
> +kanboard (1.2.26+ds-3) unstable; urgency=medium
> +
> +  * backport fix for CVE-2023-32685 from kanboard v1.2.29
> +
> https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv
> +Based on upstream commits 26b6eeb & c9c1872. (Closes: #1036874)
> +
> + -- Joseph Nahmias   Sun, 28 May 2023 21:42:46 -0400

This seems to be the current debdiff between bookworm and the unstable
version. But now that bookworm is releases, a package does nto migrate
anymore from there to stable. What is needed above is to apply the
needed patches on top of the 1.2.26+ds-2 versiion in testing and
version it such that it is 1.2.26+ds-2+deb12u1.

The developers-reference has some additional hints:
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions

Hope this helps,
Regards,
Salvatore

Bug#1037945: bookworm-pu: package aide/aide_0.18.3-1+deb12u1

2023-06-14 Thread Marc Haber 
On Wed, Jun 14, 2023 at 06:20:44PM +0100, Adam D. Barratt wrote:
> On Wed, 2023-06-14 at 17:27 +0200, Marc Haber wrote:
> > this pre-upload request for the aide package is filed to ask for
> > guidance whether this package is suitable for bookworm-updates.
> 
> Do you actually mean bookworm-updates here (i.e. pushed to users in
> advance of 12.1), or simply (bookworm-)proposed-updates, therefore
> reaching users with the release of 12.1?

I would be fine with either, proposed-updates of course being less
invasive. Probably a misunderstanding because of me being too stupidto
find the docs. I'll read up on what you linked to me.

> I'd be interested in seeing a binary debdiff (for an arbitrary
> architecture) with "--controlfiles=ALL" to see the changes made to the
> maintainer scripts, but overall I think this looks OK.

aide-dynamic:
1 [23/4887]mh@salida:~/packages/aide $ debdiff --controlfiles=ALL
20230614/aide-dynamic_0.18.3-1_all.deb
build-area/aide-dynamic_0.18.3-1+deb12u1_all.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Recommends: aide-common (= [-0.18.3-1)-] {+0.18.3-1+deb12u1)+}
Version: [-0.18.3-1-] {+0.18.3-1+deb12u1+}
1 [24/4888]mh@salida:~/packages/aide $ 

aide:
[19/4883]mh@salida:~/packages/aide $ debdiff --controlfiles=ALL
20230614/aide_0.18.3-1_amd64.deb
build-area/aide_0.18.3-1+deb12u1_amd64.deb 
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Installed-Size: [-289-] {+293+}
Recommends: aide-common (= [-0.18.3-1)-] {+0.18.3-1+deb12u1)+}
Version: [-0.18.3-1-] {+0.18.3-1+deb12u1+}
1 [20/4884]mh@salida:~/packages/aide $

aide-common is attached.

> 
> One small comment:
> 
> +if dpkg --compare-versions "$2" le 0.18.3-1; then
> +# we're updating from 0.18-3 or earlier, chown aideinit logs
> 
> That should presumably be "from 0.18.3".

Yes. fixed in git and master. Thanks for spotting this.

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .deb but not in first
-
-rw-r--r--  root/root   /usr/lib/sysusers.d/aide-common.conf

No differences were encountered between the config files

Control files: lines which differ (wdiff format)

Depends: aide (>= 0.17), liblockfile1, ucf (>= 2.0020), debconf (>= 0.5) | 
[-debconf-2.0-] {+debconf-2.0, systemd | systemd-standalone-sysusers | 
systemd-sysusers+}
Installed-Size: [-449-] {+451+}
Version: [-0.18.3-1-] {+0.18.3-1+deb12u1+}

Postinst files: lines which differ (wdiff format)
-
[-if dpkg --compare-versions "$2" lt 0.17.5-1; then-]
[-# we're updating from a version earlier than 0.17.5, chown logs-]
[-# and databases-]
[-chown --quiet _aide:adm /var/log/aide /var/log/aide/aide.log 
/var/log/aide/aide.log.* || true-]
[-chmod --quiet 2755 /var/log/aide || true-]
[-chown --quiet _aide:root /var/lib/aide/aide.db /var/lib/aide/aide.db.new 
|| true-]
[-fi-]
[-if dpkg --compare-versions "$2" lt 0.18-3; then-]
[-# we're updating from a version earlier than 0.18-3, chown aideinit logs-]
[-chown --quiet _aide:adm /var/log/aide/aideinit.log 
/var/log/aide/aideinit.errors|| true-]
[-fi-]
# Automatically added by {+dh_installsysusers/13.11.4+}
{+if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = 
"abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then+}
{+   systemd-sysusers ${DPKG_ROOT:+--root="$DPKG_ROOT"} aide-common.conf+}
{+fi+}
{+# End automatically added section+}
{+# Automatically added by+} dh_installtmpfiles/13.11.4
{+# this needs to be after debhelper, otherwise the account doesn't+}
{+# yet exist.+}
{+if dpkg --compare-versions "$2" lt 0.17.5-1; then+}
{+# we're updating from a version earlier than 0.17.5, chown logs+}
{+# and databases+}
{+chown --quiet _aide:adm /var/log/aide /var/log/aide/aide.log 
/var/log/aide/aide.log.* || true+}
{+chmod --quiet 2755 /var/log/aide || true+}
{+chown --quiet _aide:root /var/lib/aide/aide.db /var/lib/aide/aide.db.new 
|| true+}
{+fi+}
{+if dpkg --compare-versions "$2" le 0.18.3-1; then+}
{+# we're updating from 0.18-3 or earlier, chow

Bug#1037931: transition: platformdirs

2023-06-14 Thread Stefano Rivera 
Hi Simon (2023.06.14_13:49:15_+)
> python3-platformdirs 3.x makes python3-virtualenv and python3-poetry
> uninstallable; reporting this as a transition to get it on the release
> team's radar.

Uploaded both of those to unstick it.

They were both staged in experimental, but I'd forgotten that they were
needed :)

Stefano

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272

Processed: Re: Bug#1037932: transition: python-resolvelib

2023-06-14 Thread Debian Bug Tracking System 
Processing control commands:

> reassign -1 src:ansible-core 2.14.3-1
Bug #1037932 [release.debian.org] transition: python-resolvelib
Bug reassigned from package 'release.debian.org' to 'src:ansible-core'.
Ignoring request to alter found versions of bug #1037932 to the same values 
previously set
Ignoring request to alter fixed versions of bug #1037932 to the same values 
previously set
Bug #1037932 [src:ansible-core] transition: python-resolvelib
Marked as found in versions ansible-core/2.14.3-1.
> severity -1 serious
Bug #1037932 [src:ansible-core] transition: python-resolvelib
Severity set to 'serious' from 'normal'
> tags -1 sid trixie
Bug #1037932 [src:ansible-core] transition: python-resolvelib
Added tag(s) sid and trixie.
> retitle -1 ansible-core: requires update for python3-resolvelib 1.x
Bug #1037932 [src:ansible-core] transition: python-resolvelib
Changed Bug title to 'ansible-core: requires update for python3-resolvelib 1.x' 
from 'transition: python-resolvelib'.

-- 
1037932: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037932
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1037932: transition: python-resolvelib

2023-06-14 Thread Sebastian Ramacher 
Control: reassign -1 src:ansible-core 2.14.3-1 
Control: severity -1 serious
Control: tags -1 sid trixie
Control: retitle -1 ansible-core: requires update for python3-resolvelib 1.x

On 2023-06-14 14:51:03 +0100, Simon McVittie wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
> X-Debbugs-Cc: python-resolve...@packages.debian.org, 
> ansible-c...@packages.debian.org
> Control: affects -1 + src:ansible-core src:python-resolvelib
> 
> python3-resolvelib 1.x makes ansible-core uninstallable; reporting this
> as a transition to get it on the release team's radar.

It's only one package. So let's turn this into an RC bug against
ansible-core.

Cheers
-- 
Sebastian Ramacher

Bug#1037945: bookworm-pu: package aide/aide_0.18.3-1+deb12u1

2023-06-14 Thread Adam D. Barratt 
Control: tags -1 + confirmed

On Wed, 2023-06-14 at 17:27 +0200, Marc Haber wrote:
> this pre-upload request for the aide package is filed to ask for
> guidance whether this package is suitable for bookworm-updates.

Do you actually mean bookworm-updates here (i.e. pushed to users in
advance of 12.1), or simply (bookworm-)proposed-updates, therefore
reaching users with the release of 12.1?

>  I have
> never done this before and am open for suggestions to improve and for
> documentation pointers. I haven't found the bookwork point release
> policy yet, for example.
> 

There's been no substantial changes to the policy for a while. The
"workflow" section of 
https://lists.debian.org/debian-devel-announce/2019/08/msg0.html
(as linked from https://release.debian.org/ ) is still basically
appropriate, and the basis of 
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions

(The "must be severity:important" bit isn't strictly enforced, more a
guide as to the expected impact of the issue being resolved.)

Maybe we should re-post it.

I'd be interested in seeing a binary debdiff (for an arbitrary
architecture) with "--controlfiles=ALL" to see the changes made to the
maintainer scripts, but overall I think this looks OK.

One small comment:

+if dpkg --compare-versions "$2" le 0.18.3-1; then
+# we're updating from 0.18-3 or earlier, chown aideinit logs

That should presumably be "from 0.18.3".

Regards,

Adam

Processed: Re: Bug#1037945: bookworm-pu: package aide/aide_0.18.3-1+deb12u1

2023-06-14 Thread Debian Bug Tracking System 
Processing control commands:

> tags -1 + confirmed
Bug #1037945 [release.debian.org] bookworm-pu: package 
aide/aide_0.18.3-1+deb12u1
Added tag(s) confirmed.

-- 
1037945: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037945
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1037945: bookworm-pu: package aide/aide_0.18.3-1+deb12u1

2023-06-14 Thread Marc Haber 
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@packages.debian.org
Control: affects -1 + src:aide

Dear stable release team,

this pre-upload request for the aide package is filed to ask for
guidance whether this package is suitable for bookworm-updates. I have
never done this before and am open for suggestions to improve and for
documentation pointers. I haven't found the bookwork point release
policy yet, for example.

A fixed package has been uploaded to unstable minutes ago, and I do not
plan to actually upload the deb12u1 version of the package until the
fixes have reached testing.

[ Reason ]
This update fixes #1037171, a serious bug that prevents new
installations and upgrades of aide due to a misunderstanding in the dh
code regarding dh_installsysusers. Embarrassing.

And it also fixes #1037436, a "just" important bug that will fix correct
processing of extended attributes on symlinks that are monitored by
aide. This is a fix suggested by upstream (who is also a DD) and I will
create a similiar package for bullseye.

[ Impact ]
Regarding #1037171, Aide will not be useable until the _aide account is
manually created and some file permissions fixed. While package
installation will succeed, neither aideinit nor the daily aide cronjob
are invokeable and will error out.

Regarding #1037436, Aide will wrongly process extended attributes for
the file a symlink points to, which is not the intended behavior. The
fixed aide will process the extended attributes of a symlink.

[ Tests ]
Both bugs are sadly not covered by automated tests, but I am kind of
surprised that piuparts didn't catch #1037171. Regarding #1037171, I
tested:

- installation of aide in a bookworm VM with no aide installed before
- updating 0.18.3-1 to 0.18.3-2 in a bookworm VM
- updating 0.17.3-4+deb11u1 (oldstable) to 0.18.3-2 in a bookworm VM

Regarding #1037436, I created a symlink with extended attributes
pointing to a file with different extended attributes and verified that
actually the extended attributes of the symlink show up in the database.

[ Risks ]
Risks are that I goofed up in the fixes.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
commit 456704ab523c6b7ca088a15ffde543fbac3fa391
Author: Marc Haber 
Date:   Wed Jun 14 16:51:03 2023 +0200

remove trailing whitespace in debian/rules

Git-Dch: ignore

commit 2c221fd08e6c4d570c4a2c86c87d0a94201fbe9d
Author: Marc Haber 
Date:   Wed Jun 14 15:28:15 2023 +0200

chown aide logs even when updating from 0.18.3-1

0.18.3-1 doesn't create the account, so we need to see for correct
file ownership when updating to a version that actually creates the
account.

commit 11547993349b3dffad11f2d6998875d58f6b0395
Author: Marc Haber 
Date:   Wed Jun 14 04:15:51 2023 +0200

Fix handling of extended attributes on symlinks

Closes: #1037436

This fixes wrong behavior regarding extended attributes on symlinks.
Prior versions of aide would wrongly process the extended attributes
of the file a symlink points to. This fix makes aide correctly process
the extended attributes of the link itself, which is the intended
behavior.

The fix for extended attributes on symlinks might lead to reported
changed entries during the next AIDE run. You can use the
`report_ignore_changed_attrs` option (see aide.conf(5)) to ignore
changes of the xattrs attribute; but be aware that this will not
only exclude the expected changes (of the symlink files) but also
the unexpected changes (of other files).

commit 0d0251e639334e0ef139c1f6f9d34b6032378d3d
Author: Marc Haber 
Date:   Tue Jun 13 16:53:49 2023 +0200

Move chown calls after #DEBHELPER#

This is part of the fix for #1037171, the account is only created in the
code inserted by debhelper at the #DEBHELPER# token. We thus cannot use
the account after that tag.

commit 218fff3fc157b89e53ece470267cb238fac5daac
Author: Marc Haber 
Date:   Sun Jun 11 22:54:19 2023 +0200

call dh_installsysusers manually in debian/rules

Thanks: Tomasz Ciolek
Closes: #1037171

dh_installsysusers is not called in the normal dh calling sequence in dh
compat level 13. This resulted in the account not being created in new
installs and probably also during upgrades from bullseye. Thix fixes the
issue by calling dh_installsysusers explicitly in
override_dh_auto_install.


[ Other info ]
source debdiff attached.

Please indicate whether this package might be a valid candidate to be in
the next bookworm point relase once 0.18.3-2 has reached testing.

Greetings
Marc
diff -Nru aide-0.18.3/debian/aide-common.postinst 
aide-0.18.3/debian/aide-common.postinst
--- aide-0.18.3/debian/aide-common.postinst 2

Processed: bookworm-pu: package aide/aide_0.18.3-1+deb12u1

2023-06-14 Thread Debian Bug Tracking System 
Processing control commands:

> affects -1 + src:aide
Bug #1037945 [release.debian.org] bookworm-pu: package 
aide/aide_0.18.3-1+deb12u1
Added indication that 1037945 affects src:aide

-- 
1037945: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037945
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: transition: python-resolvelib

2023-06-14 Thread Debian Bug Tracking System 
Processing control commands:

> affects -1 + src:ansible-core src:python-resolvelib
Bug #1037932 [release.debian.org] transition: python-resolvelib
Added indication that 1037932 affects src:ansible-core and src:python-resolvelib

-- 
1037932: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037932
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1037932: transition: python-resolvelib

2023-06-14 Thread Simon McVittie 
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: python-resolve...@packages.debian.org, 
ansible-c...@packages.debian.org
Control: affects -1 + src:ansible-core src:python-resolvelib

python3-resolvelib 1.x makes ansible-core uninstallable; reporting this
as a transition to get it on the release team's radar.

(I am not involved in this transition and was not responsible for planning
or starting it.)

Transition tracker:
https://release.debian.org/transitions/html/auto-upperlimit-python3-resolvelib.html

smcv

Processed: transition: platformdirs

2023-06-14 Thread Debian Bug Tracking System 
Processing control commands:

> affects -1 + src:platformdirs src:python-virtualenv src:poetry
Bug #1037931 [release.debian.org] transition: platformdirs
Added indication that 1037931 affects src:platformdirs, src:python-virtualenv, 
and src:poetry

-- 
1037931: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037931
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1037931: transition: platformdirs

2023-06-14 Thread Simon McVittie 
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: platformd...@packages.debian.org, 
python-virtual...@packages.debian.org, poe...@packages.debian.org
Control: affects -1 + src:platformdirs src:python-virtualenv src:poetry

python3-platformdirs 3.x makes python3-virtualenv and python3-poetry
uninstallable; reporting this as a transition to get it on the release
team's radar.

(I am not involved in this transition and was not responsible for planning
or starting it.)

Transition tracker:
https://release.debian.org/transitions/html/auto-upperlimit-python3-platformdirs.html

smcv

Re: ReleaseCheckList wiki page for web team

2023-06-14 Thread Cyril Brulebois 
Holger Wansing  (2023-06-14):
> I have added an entry to update packages.debian.org for the search
> interface (update mapping of codenames to stable|testing|unstable;
> much hardcoding of codenames there:-( )

Yes, this is… painful.

> Feel free to remove or change that, if you think it should be listed
> at a different place or similar (it's also listed on release-managers
> list btw)

That was a nice first draft, and something I was meaning to add today
(after fixing the biggest bugs in there), thanks for doing so.

I've switched that to:

See 
https://salsa.debian.org/webmaster-team/packages/-/compare/6bdfeb02f5...bde18c3458
for an example + plus deploy on picconi).

I'm not sure whether to push the local branch I worked on (and merged
into debian-master), which is an explicit `bookworm-is-released`, so
that it can easily be found when it's time to `trixie-is-released`.

In any case, that series of commits is a split of the big commit you
linked to into smaller chunks so that it can be done and reviewed
incrementally, hence the range of commits above. I suppose the
presence/absence of a specifically-named branch is a matter of taste, as
long as there's a reference to the actual commits in the wiki page… ;)


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant


signature.asc
Description: PGP signature

Re: ReleaseCheckList wiki page for web team

2023-06-14 Thread Holger Wansing 
[ Also sent to the other lists; I broke the loop, sorry]


Hi,

Am 11. Juni 2023 14:34:03 MESZ schrieb Laura Arjona Reina :
>Hello all
>I have tried to gather all the changes needed in the website for a release in 
>this wiki page:
>
>https://wiki.debian.org/Teams/Webmaster/ReleaseCheckList

I have added an entry to update packages.debian.org for the search interface 
(update mapping of codenames to stable|testing|unstable; much hardcoding of 
codenames there:-( )

Feel free to remove or change that, if you think it should be listed at a 
different place or similar
(it's also listed on release-managers list btw)


Holger


-- 
Sent from /e/ OS on Fairphone3
-- 
Sent from /e/ OS on Fairphone3