NEW changes in oldstable-new

[Debian FTP Masters]

Processing changes file: 
llvm-toolchain-16_16.0.6-15~deb11u2_arm64-buildd.changes
  ACCEPT

NEW changes in oldstable-new

[Debian FTP Masters]

Processing changes file: 
llvm-toolchain-16_16.0.6-15~deb11u2_mips64el-buildd.changes
  ACCEPT

Bug#1050868: bookworm-pu: package debootstrap/1.0.128+nmu2+deb12u1

[Cyril Brulebois]

Hi,

Simon McVittie  (2023-10-15):
> I have attempted to test the proposed version in d-i. I am not an
> expert on d-i, but I hope what I have done here is approximately
> correct:
[…]
> I hope this is helpful information.

That's decent testing, yes, thanks.

The pu/opu review on my side should be happening in a couple of days
anyway.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant


signature.asc
Description: PGP signature

Bug#1050405: marked as done (unblock: sbcl/2:2.3.7-2)

[Debian Bug Tracking System]

Your message dated Sun, 15 Oct 2023 17:27:09 +0200
with message-id 
and subject line Re: Bug#1050405: unblock: sbcl/2:2.3.7-2
has caused the Debian Bug report #1050405,
regarding unblock: sbcl/2:2.3.7-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1050405: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050405
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: s...@packages.debian.org
Control: affects -1 + src:sbcl

Could you hint sbcl into testing, please?

The only remaining issue britney shows is that its autopkgtest fails on
ppc64el.  It's a relatively harmless failure however, to my understanding.
Upstream do not seem interested in fixing it for the time being.

-- 
Sean Whitton


signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---

Hi,

On 24-08-2023 08:31, Sean Whitton wrote:

The only remaining issue britney shows is that its autopkgtest fails on
ppc64el.  It's a relatively harmless failure however, to my understanding.
Upstream do not seem interested in fixing it for the time being.


I'm not really happy doing this, but hint added to solve RC bug 1049441.

Paul


OpenPGP_signature.asc
Description: OpenPGP digital signature
--- End Message ---

Processed: bookworm-pu: package curl/7.88.1-10+deb12u5

[Debian Bug Tracking System]

Processing control commands:

> affects -1 + src:curl
Bug #1053998 [release.debian.org] bookworm-pu: package curl/7.88.1-10+deb12u5
Added indication that 1053998 affects src:curl

-- 
1053998: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053998
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1053998: bookworm-pu: package curl/7.88.1-10+deb12u5

[Samuel Henrique]

Package: release.debian.org
Control: affects -1 + src:curl
X-Debbugs-Cc: c...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: bookworm
X-Debbugs-Cc: samuel...@debian.org
Severity: normal
[ Reason ]
This change provides DEB_VERSION on "--version" output.

It's common for curl users to provide the output of "curl --version"
when reporting issues, and there have been cases where having the
version of the package in that output would have saved time (e.g.: if
we don't know which distro the person is using and/or whether the
package is up-to-date).

Recently, on a Twitter thread, someone was assuming that a server was
not patched for "CVE-2023-38545" because they only saw the upstream
version.

With this change, the "Release-Date" line of the output will change from e.g.:
Release-Date: 2020-12-09
to:
Release-Date: 2020-12-09, security patched: 7.88.1-10+deb12u4

[ Impact ]
// Explained in the "Reason" section.

[ Tests ]
Curl has an extensive test suite and no failures were detected.

[ Risks ]
The only affected code is a single "printf" statement, which is
changed to include the version:
https://github.com/curl/curl/blob/curl-7_88_1/src/tool_help.c#L171-L176

There's a risk that scripts parsing the "Release-Date:" line from
"--version" might fail to parse the date if the regex is badly
written.

I think it's very unlikely that there are scripts parsing that line of
the output. Assuming there is one, and that it's using a bad regex,
the risk is that it will match more than just the release date.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
d/rules is now importing "/usr/share/dpkg/pkg-info.mk" and setting
"CURL_PATCHSTAMP" to the value of "DEB_VERSION".

Effectively, this only changes the output of "curl --version" (on the
"Release-Date" line).

[ Other info ]
I'm opening -pu bugs against bullseye, bookworm, and I'll check with
the LTS team if they accept this change for buster.

--
Samuel Henrique 


curl_7.88.1-10+deb12u5.debdiff
Description: Binary data

Bug#1053997: bullseye-pu: package curl/7.74.0-1.3+deb11u11

[Samuel Henrique]

Package: release.debian.org
Control: affects -1 + src:curl
X-Debbugs-Cc: c...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: bullseye
X-Debbugs-Cc: samuel...@debian.org
Severity: normal

[ Reason ]
This change provides DEB_VERSION on "--version" output.

It's common for curl users to provide the output of "curl --version"
when reporting issues, and there have been cases where having the
version of the package in that output would have saved time (e.g.: if
we don't know which distro the person is using and/or whether the
package is up-to-date).

Recently, on a Twitter thread, someone was assuming that a server was
not patched for "CVE-2023-38545" because they only saw the upstream
version.

With this change, the "Release-Date" line of the output will change from e.g.:
Release-Date: 2020-12-09
to:
Release-Date: 2020-12-09, security patched: 7.88.1-10+deb12u4

[ Impact ]
// Explained in the "Reason" section.

[ Tests ]
Curl has an extensive test suite and no failures were detected.

[ Risks ]
The only affected code is a single "printf" statement, which is
changed to include the version:
https://github.com/curl/curl/blob/curl-7_74_0/src/tool_help.c#L949-L954

There's a risk that scripts parsing the "Release-Date:" line from
"--version" might fail to parse the date if the regex is badly
written.

I think it's very unlikely that there are scripts parsing that line of
the output. Assuming there is one, and that it's using a bad regex,
the risk is that it will match more than just the release date.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
d/rules is now importing "/usr/share/dpkg/pkg-info.mk" and setting
"CURL_PATCHSTAMP" to the value of "DEB_VERSION".

Effectively, this only changes the output of "curl --version" (on the
"Release-Date" line).

[ Other info ]
I'm opening -pu bugs against bullseye, bookworm, and I'll check with
the LTS team if they accept this change for buster.

--
Samuel Henrique 


curl_7.74.0-1.3+deb11u11.debdiff
Description: Binary data

Processed: bullseye-pu: package curl/7.74.0-1.3+deb11u11

[Debian Bug Tracking System]

Processing control commands:

> affects -1 + src:curl
Bug #1053997 [release.debian.org] bullseye-pu: package curl/7.74.0-1.3+deb11u11
Added indication that 1053997 affects src:curl

-- 
1053997: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053997
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

NEW changes in oldstable-new

[Debian FTP Masters]

Processing changes file: 
llvm-toolchain-16_16.0.6-15~deb11u2_armel-buildd.changes
  ACCEPT

NEW changes in oldstable-new

[Debian FTP Masters]

Processing changes file: tomcat9_9.0.43-2~deb11u8_source.changes
  ACCEPT
Processing changes file: tomcat9_9.0.43-2~deb11u8_all-buildd.changes
  ACCEPT

NEW changes in oldstable-new

[Debian FTP Masters]

Processing changes file: 
llvm-toolchain-16_16.0.6-15~deb11u2_armhf-buildd.changes
  ACCEPT

Bug#1050868: bookworm-pu: package debootstrap/1.0.128+nmu2+deb12u1

[Simon McVittie]

On Sun, 15 Oct 2023 at 11:56:21 +0100, Simon McVittie wrote:
>   - copy the proposed debootstrap-udeb_1.0.128+nmu2+deb12u1_all.udeb into
> debian-installer_bookworm/build/pkg-lists/base

Sorry, that should of course have said: into
debian-installer_bookworm/build/localudebs/.

smcv

Bug#1050868: bookworm-pu: package debootstrap/1.0.128+nmu2+deb12u1

[Simon McVittie]

On Wed, 30 Aug 2023 at 23:40:12 +0100, Simon McVittie wrote:
> On Wed, 30 Aug 2023 at 16:27:12 +0100, Simon McVittie wrote:
> > Part of the transition to merged-/usr, and more specifically, allowing
> > us to stop shipping files in trixie whose physical path on disk does
> > not match their path in the dpkg database due to directory aliasing.
> > 
> > This change needs to be in bookworm (and bullseye, and maybe buster)
> > before that process can continue, because official buildds run debootstrap
> > from stable (or older).
> > 
> > I also took the opportunity to backport changes that make the autopkgtests
> > pass.
> 
> Sorry, I should have mentioned that this is a (significant) d-i component
> and so will presumably need a d-i ack.

I have attempted to test the proposed version in d-i. I am not an expert
on d-i, but I hope what I have done here is approximately correct:

* on a bookworm VM (the build VM):
  - git clone -b bookworm 
https://salsa.debian.org/installer-team/debian-installer.git 
debian-installer_bookworm
  - cd debian-installer_bookworm
  - sudo apt --no-install-recommends build-dep .
  - edit build/pkg-lists/base and add debootstrap-udeb to the list of
packages to be bundled into the installer rather than downloaded from
a mirror
- this seemed easier than finding out how to add a second apt source
  for installer components
  - copy the proposed debootstrap-udeb_1.0.128+nmu2+deb12u1_all.udeb into
debian-installer_bookworm/build/pkg-lists/base
  - make -C build reallyclean
  - fakeroot make -C build build_netboot-gtk

* on the host system:
  - copy debian-installer_bookworm/build/dest/netboot/gtk/mini.iso from the
build VM
  - boot a second VM from it (the installation VM)

* in the installation VM:
  - proceed through the installation as usual
  - during the step "Installing the base system", send Ctrl+Alt+F2 and
run "debootstrap --version"
- the answer should be the proposed version
  - also run "less /usr/share/debootstrap/functions"
- it should contain a comment
  "Previous implementation of merged /usr: not used within debootstrap,"
  and so on, indicating that this is a version that includes Helmut's
  changes for "implement merged-/usr by post-merging" from 1.0.130 and
  my follow-up from 1.0.131
  - go back to the GUI and continue installation
- any package set will do, I installed GNOME
  - installation was successful
  - the installed system boots successfully
  - the installed system is merged-/usr

I hope this is helpful information.

smcv

NEW changes in oldstable-new

[Debian FTP Masters]

Processing changes file: 
llvm-toolchain-16_16.0.6-15~deb11u2_s390x-buildd.changes
  ACCEPT