Bug#1037056: bookworm-pu: package libreswan/4.10-2+deb12u1

2023-06-02 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libres...@packages.debian.org, d...@fifthhorseman.net
Control: affects -1 + src:libreswan

[ Reason ]

Uploading libreswan 4.19-1+deb12u1 should address #1035542 (aka
CVE-2023-30570), which addresses a potential DoS against libreswan
instances that use a certain IKEv1 configuration.

Discussion with Salvatore Bonaccorso over in #1035542 concluded that
using point releases for this should be sufficient.

[ Impact ]

Users on bookworm with a specific libreswan configuration (IKEv1 in
aggressive mode) risk a DDoS on their libreswan IKE daemon if a
malicious attacker on the network emits a certain stream of packets.

[ Tests ]

Sadly, most libreswan test suites involve running virtual machines,
interacting with the linux kernel over open network policies, and this
isn't possible on debian testing architecture.

[ Risks ]

The risks of including these patches are minimal.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

The changes deal solely with how the pluto IKE daemon handles error
cases on incoming IKEv1 packets in aggressive mode.

[ Other info ]

All of the above information has been aggregated and adapted from
https://libreswan.org/security/CVE-2023-30570/ Upstream released
version 4.11, which is just 4.10 with comparable patches applied.
4.11 is in unstable now.

I've already uploaded an update to 4.3 for the next bullseye point
release as well.
diff -Nru libreswan-4.10/debian/changelog libreswan-4.10/debian/changelog
--- libreswan-4.10/debian/changelog 2023-03-10 16:34:25.0 -0500
+++ libreswan-4.10/debian/changelog 2023-06-02 18:15:28.0 -0400
@@ -1,3 +1,9 @@
+libreswan (4.10-2+deb12u1) bookworm; urgency=medium
+
+  * Fix CVE-2023-30570 (Closes: #1035542)
+
+ -- Daniel Kahn Gillmor   Fri, 02 Jun 2023 18:15:28 
-0400
+
 libreswan (4.10-2) unstable; urgency=medium
 
   * Reach NSPR mipsel workaround for #854472
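
Review bot: the new changelog stanza lists only the CVE fix, but this debdiff also changes Vcs-Git in debian/control and debian-branch in debian/gbp.conf to the debian/bookworm branch; since the checklist states that all changes are documented in d/changelog, add a bullet such as "* point Vcs-Git and gbp.conf at the debian/bookworm branch" so the stanza matches the diff.
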
diff -Nru libreswan-4.10/debian/control libreswan-4.10/debian/control
--- libreswan-4.10/debian/control   2023-03-03 09:54:30.0 -0500
+++ libreswan-4.10/debian/control   2023-06-02 18:15:28.0 -0400
@@ -6,7 +6,7 @@
  Paul Wouters ,
  Ondřej Surý ,
 Vcs-Browser: https://salsa.debian.org/debian/libreswan
-Vcs-Git: https://salsa.debian.org/debian/libreswan.git
+Vcs-Git: https://salsa.debian.org/debian/libreswan.git -b debian/bookworm
 Standards-Version: 4.6.2
 Rules-Requires-Root: no
 Build-Depends:
diff -Nru libreswan-4.10/debian/gbp.conf libreswan-4.10/debian/gbp.conf
--- libreswan-4.10/debian/gbp.conf  2023-03-03 09:54:30.0 -0500
+++ libreswan-4.10/debian/gbp.conf  2023-06-02 18:15:28.0 -0400
@@ -1,4 +1,4 @@
 [DEFAULT]
 pristine-tar = True
 upstream-tag = v%(version)s
-debian-branch = debian/unstable
+debian-branch = debian/bookworm
diff -Nru libreswan-4.10/debian/patches/0005-Fix-CVE-2023-30570.patch 
libreswan-4.10/debian/patches/0005-Fix-CVE-2023-30570.patch
--- libreswan-4.10/debian/patches/0005-Fix-CVE-2023-30570.patch 1969-12-31 
19:00:00.0 -0500
+++ libreswan-4.10/debian/patches/0005-Fix-CVE-2023-30570.patch 2023-06-02 
18:14:32.0 -0400
@@ -0,0 +1,138 @@
+From: Daniel Kahn Gillmor 
+Date: Fri, 2 Jun 2023 18:14:24 -0400
+Subject: Fix CVE-2023-30570
+
+---
+ programs/pluto/ikev1.c  | 61 ++---
+ programs/pluto/ikev1_aggr.c |  5 ++--
+ 2 files changed, 61 insertions(+), 5 deletions(-)
+
+diff --git a/programs/pluto/ikev1.c b/programs/pluto/ikev1.c
+index e061532..401618b 100644
+--- a/programs/pluto/ikev1.c
 b/programs/pluto/ikev1.c
+@@ -1101,10 +1101,20 @@ void process_v1_packet(struct msg_digest *md)
+   struct state *st = NULL;
+   enum state_kind from_state = STATE_UNDEFINED;   /* state we started in 
*/
+ 
++  /*
++   * For the initial responses, don't leak the responder's SPI.
++   * Hence the use of send_v1_notification_from_md().
++   *
++   * AGGR mode is a mess in that the R0->R1 transition happens
++   * well before the transition succeeds.
++   */
+ #define SEND_NOTIFICATION(t)  \
+   {   \
+   pstats(ikev1_sent_notifies_e, t);   \
+-  if (st != NULL) \
++  if (st != NULL &&   \
++  st->st_state->kind != STATE_AGGR_R0 &&  \
++  st->st_state->kind != STATE_AGGR_R1 &&  \
++  st->st_state->kind != STATE_MAIN_R0)\
+   send
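
Review bot: the DEP-3 header of 0005-Fix-CVE-2023-30570.patch carries only From, Date and Subject lines; add an Origin: line naming the upstream advisory patch this was ported from and a Bug-Debian: https://bugs.debian.org/1035542 line, so the provenance of the backport is recorded in the patch file itself and not only in the bug report.
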

Bug#1037054: bullseye-pu: package libreswan/4.3-1+deb11u4

2023-06-02 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libres...@packages.debian.org, d...@fifthhorseman.net
Control: affects -1 + src:libreswan

[ Reason ]

Uploading libreswan 4.3-1+deb11u4 should address #1035542 (aka
CVE-2023-30570), which addresses a potential DoS against libreswan
instances that use a certain IKEv1 configuration.

Discussion with Salvatore Bonaccorso over in #1035542 concluded that
using point releases for this should be sufficient.

[ Impact ]

Users on bullseye with a specific libreswan configuration (IKEv1 in
aggressive mode) risk a DDoS on their libreswan IKE daemon if a
malicious attacker on the network emits a certain stream of packets.

[ Tests ]

Sadly, most libreswan test suites involve running virtual machines,
interacting with the linux kernel over open network policies, and this
isn't possible on debian testing architecture.

[ Risks ]

The risks of including these patches are minimal.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

The changes deal solely with how the pluto IKE daemon handles error
cases on incoming IKEv1 packets in aggressive mode.

[ Other info ]

All of the above information has been aggregated and adapted from
https://libreswan.org/security/CVE-2023-30570/ Upstream released
version 4.11, which is just 4.10 with comparable patches applied.
4.11 is in unstable now.

I'll be uploading an update to 4.10 for a bookworm point release
shortly as well.
diff -Nru libreswan-4.3/debian/changelog libreswan-4.3/debian/changelog
--- libreswan-4.3/debian/changelog  2023-03-03 08:34:50.0 -0500
+++ libreswan-4.3/debian/changelog  2023-06-01 16:14:59.0 -0400
@@ -1,3 +1,9 @@
+libreswan (4.3-1+deb11u4) bullseye; urgency=medium
+
+  * Resolve CVE-2023-30570 (Closes: #1035542)
+
+ -- Daniel Kahn Gillmor   Thu, 01 Jun 2023 16:14:59 
-0400
+
 libreswan (4.3-1+deb11u3) bullseye-security; urgency=high
 
   * use upstream patch for 4.2 and 4.3
diff -Nru libreswan-4.3/debian/patches/0005-Resolve-CVE-2023-30570.patch 
libreswan-4.3/debian/patches/0005-Resolve-CVE-2023-30570.patch
--- libreswan-4.3/debian/patches/0005-Resolve-CVE-2023-30570.patch  
1969-12-31 19:00:00.0 -0500
+++ libreswan-4.3/debian/patches/0005-Resolve-CVE-2023-30570.patch  
2023-06-01 16:14:59.0 -0400
@@ -0,0 +1,140 @@
+From: Daniel Kahn Gillmor 
+Date: Thu, 1 Jun 2023 16:12:50 -0400
+Subject: Resolve CVE-2023-30570
+
+see https://libreswan.org/security/CVE-2023-30570/CVE-2023-30570.txt
+
+This patch was ported from
+https://libreswan.org/security/CVE-2023-30570/CVE-2023-30570-libreswan-4.x.patch
+---
+ programs/pluto/ikev1.c  | 60 ++---
+ programs/pluto/ikev1_aggr.c |  5 ++--
+ 2 files changed, 60 insertions(+), 5 deletions(-)
+
+diff --git a/programs/pluto/ikev1.c b/programs/pluto/ikev1.c
+index 2a06c2c..bb6c7be 100644
+--- a/programs/pluto/ikev1.c
 b/programs/pluto/ikev1.c
+@@ -1249,10 +1249,20 @@ void process_v1_packet(struct msg_digest *md)
+   struct state *st = NULL;
+   enum state_kind from_state = STATE_UNDEFINED;   /* state we started in 
*/
+ 
++  /*
++   * For the initial responses, don't leak the responder's SPI.
++   * Hence the use of send_v1_notification_from_md().
++   *
++   * AGGR mode is a mess in that the R0->R1 transition happens
++   * well before the transition succeeds.
++   */
+ #define SEND_NOTIFICATION(t)  \
+   {   \
+   pstats(ikev1_sent_notifies_e, t);   \
+-  if (st != NULL) \
++  if (st != NULL &&   \
++  st->st_state->kind != STATE_AGGR_R0 &&  \
++  st->st_state->kind != STATE_AGGR_R1 &&  \
++  st->st_state->kind != STATE_MAIN_R0)\
+   send_notification_from_state(st, from_state, t); \
+   else\
+   send_notification_from_md(md, t);   \
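
Review bot: the new comment refers to send_v1_notification_from_md(), but the macro body calls send_notification_from_md(md, t); use the actual function name in the comment so the rationale (reply from the message digest rather than from a state that is still in AGGR_R0, AGGR_R1 or MAIN_R0, to avoid leaking the responder's SPI) stays tied to the code it explains.
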
+@@ -1322,17 +1332,26 @@ void process_v1_packet(struct msg_digest *md)
+   from_state = (md->hdr.isa_xchg == ISAKMP_XCHG_IDPROT ?
+ STATE_MAIN_R0 : STATE_AGGR_R0);
+   } else {
+-  /* not an initial message */
++  /*
++   * Possibly not an initial message.  Possibly
++   * from initiator.  Possibly from responder.
++

Bug#1036721: unblock: rnp/0.16.3-1

2023-05-24 Thread Daniel Kahn Gillmor
r bundle
+  else
+gem_install "bundler:${FALLBACK_BUNDLER_VERSION}" bundle
+  fi
 }
 
 install_asciidoctor() {
@@ -747,7 +768,7 @@
   ;;
 *)
   # TODO: handle ubuntu?
-  >&2 echo Error: Need to install ruby ${MINIMUM_RUBY_VERSION}+
+  >&2 echo "Error: Need to install ruby ${MINIMUM_RUBY_VERSION}+"
   exit 1
   esac
 }
@@ -931,7 +952,7 @@
   local rnpsrc="$PWD"
   pushd "$(mktemp -d)" || return 1
 
-  # shellcheck disable=SC2046
+  # shellcheck disable=SC2046,SC2086
   gcc "${rnpsrc}/src/examples/generate.c" -ogenerate $(pkg-config --cflags 
--libs $pkgflags librnp) $gccflags
   ./generate
   readelf -d generate
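
Review bot: widening the directive to SC2046,SC2086 silences the unquoted-expansion warning for $pkgflags and $gccflags rather than addressing it; if the word splitting is intended because each variable holds several flags, say so in the comment, or keep the flags in bash arrays and expand them as "${pkgflags[@]}" and "${gccflags[@]}" so the SC2086 suppression becomes unnecessary.
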
diff -Nru rnp-0.16.2/debian/changelog rnp-0.16.3/debian/changelog
--- rnp-0.16.2/debian/changelog 2022-10-03 21:30:25.0 -0400
+++ rnp-0.16.3/debian/changelog 2023-05-24 09:06:07.0 -0400
@@ -1,3 +1,14 @@
+rnp (0.16.3-1) unstable; urgency=medium
+
+  * New upstream release, Closes: #1034558
+- Fixes CVE-2023-29479
+- Fixes CVE-2023-29480
+  * standards-version: bump to 4.6.2 (no changes needed)
+  * drop unnecessary lintian overrides
+  * d/copyright: include 2023
+
+ -- Daniel Kahn Gillmor   Wed, 24 May 2023 09:06:07 
-0400
+
 rnp (0.16.2-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru rnp-0.16.2/debian/control rnp-0.16.3/debian/control
--- rnp-0.16.2/debian/control   2022-09-09 19:03:00.0 -0400
+++ rnp-0.16.3/debian/control   2023-05-24 09:06:07.0 -0400
@@ -15,7 +15,7 @@
  python3 ,
  python3-distutils ,
  zlib1g-dev,
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Vcs-Git: https://salsa.debian.org/debian/rnp.git
 Vcs-Browser: https://salsa.debian.org/debian/rnp
 Homepage: https://www.rnpgp.com/software/rnp/
diff -Nru rnp-0.16.2/debian/copyright rnp-0.16.3/debian/copyright
--- rnp-0.16.2/debian/copyright 2022-09-09 15:36:52.0 -0400
+++ rnp-0.16.3/debian/copyright 2023-05-24 09:06:07.00000 -0400
@@ -5,7 +5,7 @@
 
 Files: *
 Copyright:
- 2017-2022, Ribose Inc.
+ 2017-2023, Ribose Inc.
  2009-2010, The NetBSD Foundation, Inc.
 License: BSD-2-clause
 
@@ -30,7 +30,7 @@
 
 Files: debian/*
 Copyright:
- 2021-2022 Daniel Kahn Gillmor 
+ 2021-2023 Daniel Kahn Gillmor 
 License: BSD-2-clause
 
 License: BSD-2-clause
diff -Nru rnp-0.16.2/debian/source/lintian-overrides 
rnp-0.16.3/debian/source/lintian-overrides
--- rnp-0.16.2/debian/source/lintian-overrides  2022-09-09 19:03:00.0 
-0400
+++ rnp-0.16.3/debian/source/lintian-overrides  2023-05-24 09:06:07.0 
-0400
@@ -1,5 +1,2 @@
-# These two files are OpenPGP packets that libmagic is confused about.
-rnp source: source-contains-prebuilt-windows-binary 
[src/tests/data/test_key_validity/case8/subkey-no-sig.pgp]
-rnp source: source-contains-prebuilt-windows-binary 
[src/tests/data/test_key_validity/case8/subkey.pgp]
 # these are test elements that are expected to be long:
 rnp source: very-long-line-length-in-source-file * > 512 [src/tests/data/*]
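
Review bot: removing the two source-contains-prebuilt-windows-binary overrides is only correct if lintian no longer misclassifies subkey-no-sig.pgp and subkey.pgp in 0.16.3; nothing in this debdiff touches those test files, so run lintian on the built source package before upload and keep the override if the tag reappears.
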
diff -Nru rnp-0.16.2/docs/installation.adoc rnp-0.16.3/docs/installation.adoc
--- rnp-0.16.2/docs/installation.adoc   2022-09-22 05:27:54.0 -0400
+++ rnp-0.16.3/docs/installation.adoc   2023-04-12 20:27:38.0 -0400
@@ -55,7 +55,7 @@
 [source,console]
 
 # Clone the repository by version tag (or omit it to get the latest sources)
-git clone https://github.com/rnpgp/rnp.git -b v0.16.2
+git clone https://github.com/rnpgp/rnp.git -b v0.16.3
 
 # Install required packages
 sudo apt install g++-8 cmake libbz2-dev zlib1g-dev libjson-c-dev \
@@ -91,7 +91,7 @@
 [source,console]
 
 # Clone the repository by version tag (or omit it to get the latest sources)
-git clone https://github.com/rnpgp/rnp.git -b v0.16.2
+git clone https://github.com/rnpgp/rnp.git -b v0.16.3
 
 # Enable access to `testing` packages by editing /etc/apt/sources.list
 # deb http://deb.debian.org/debian testing main
diff -Nru rnp-0.16.2/.github/workflows/macos.yml 
rnp-0.16.3/.github/workflows/macos.yml
--- rnp-0.16.2/.github/workflows/macos.yml  2022-09-22 05:27:54.0 
-0400
+++ rnp-0.16.3/.github/workflows/macos.yml  2023-04-12 20:27:38.0 
-0400
@@ -42,7 +42,7 @@
 strategy:
   fail-fast: false
   matrix:
-os: [macos-10.15, macos-11.0]
+os: [macos-11, macos-12]
 env:
   - CC: gcc
 CXX: g++
diff -Nru rnp-0.16.2/src/librepgp/stream-parse.cpp 
rnp-0.16.3/src/librepgp/stream-parse.cpp
--- rnp-0.16.2/src/librepgp/stream-parse.cpp2022-09-22 05:27:54.0 
-0400
+++ rnp-0.16.3/src/librepgp/stream-parse.cpp2023-04-12 20:27:38.0 
-0400
@@ -1919,9 +1919,10 @@
 int ptype;
 /* Reading pk/sk encrypted session key(s) */
 try {
-bool stop = false;
+size_t errors = 0;
+bool   stop = false;
 while (!stop) {
-if (param->pubencs.size() + param->symencs.size() > 
MAX_RECIPIENTS) {
+if (param->pu

Bug#1028472: bullseye-pu: package publicsuffix/20221208.1942-0+deb11u1

2023-02-22 Thread Daniel Kahn Gillmor
On Sun 2023-02-19 19:45:58 +, Adam D. Barratt wrote:
> On Wed, 2023-01-11 at 11:07 -0500, Daniel Kahn Gillmor wrote:
>> Please consider an update to publicsuffix in debian bullseye.
>> 
>> This package reflects the state of the network, and keeping it
>> current
>> is useful for all the packages that depend on it.
>> 
>> The debdiff from the previous version in bullseye is attached.
>> 
>> This proposed release is also available at the
>> "publicsuffix_debian/20221208.1942-0+deb11u1" tag on the
>
> It looks like there was a 20230209 update in the meantime - is it worth
> rebasing this update on that?

Yes, that's probably a good idea.  i've opened
https://bugs.debian.org/1031788 instead with the updated publicsuffix
data.

--dkg


signature.asc
Description: PGP signature


Bug#1031788: bullseye-pu: package publicsuffix/20230209.2326-0+deb11u1

2023-02-22 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: d...@fifthhorseman.net
Control: affects -1 src:publicsuffix

Please consider an update to publicsuffix in debian bullseye.

This package reflects the state of the network, and keeping it current
is useful for all the packages that depend on it.

The debdiff from the previous version in bullseye is attached.

This proposed release is also available at the
"publicsuffix_debian/20230209.2326-0+deb11u1" tag on the "debian/bullseye"
branch at the git repo for publicsuffix packaging:

https://salsa.debian.org/debian/publicsuffix

Please follow up on this ticket to confirm whether I should upload this
revision to bullseye.


publicsuffix_20220811.1734-0+deb11u1_20230209.2326-0+deb11u1.debdiff.gz
Description: application/gzip


Bug#1028472: bullseye-pu: package publicsuffix/20221208.1942-0+deb11u1

2023-01-11 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: d...@fifthhorseman.net
Control: affects -1 src:publicsuffix

Please consider an update to publicsuffix in debian bullseye.

This package reflects the state of the network, and keeping it current
is useful for all the packages that depend on it.

The debdiff from the previous version in bullseye is attached.

This proposed release is also available at the
"publicsuffix_debian/20221208.1942-0+deb11u1" tag on the "debian/bullseye"
branch at the git repo for publicsuffix packaging:

https://salsa.debian.org/debian/publicsuffix

Please follow up on this ticket to confirm whether I should upload this
revision to bullseye.


publicsuffix_20220811.1734-0+deb11u1_20221208.1942-0+deb11u1.debdiff.gz
Description: application/gzip


Bug#1018048: buster-pu: package publicsuffix/20220811.1734-0+deb10u1

2022-08-24 Thread Daniel Kahn Gillmor
On Wed 2022-08-24 20:02:41 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Wed, 2022-08-24 at 13:45 -0400, Daniel Kahn Gillmor wrote:
>> Please consider an update to publicsuffix in debian buster.
>> 
>> This package reflects the state of the network, and keeping it
>> current is useful for all the packages that depend on it.
>
> Please go ahead, bearing in mind that the window for the final buster
> point release closes over the weekend.

Uploaded just now.  Thanks!

   --dkg


signature.asc
Description: PGP signature


Bug#1018045: bullseye-pu: package publicsuffix/20220811.1734-0+deb11u1

2022-08-24 Thread Daniel Kahn Gillmor
On Wed 2022-08-24 20:04:00 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Wed, 2022-08-24 at 11:44 -0400, Daniel Kahn Gillmor wrote:
>> Please consider an update to publicsuffix in debian bullseye.
>> 
>> This package reflects the state of the network, and keeping it
>> current is useful for all the packages that depend on it.
>
> Please go ahead.

Uploaded.  Thanks!

--dkg


signature.asc
Description: PGP signature


Bug#1018048: buster-pu: package publicsuffix/20220811.1734-0+deb10u1

2022-08-24 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: d...@fifthhorseman.net
Control: affects -1 src:publicsuffix

Please consider an update to publicsuffix in debian buster.

This package reflects the state of the network, and keeping it current
is useful for all the packages that depend on it.

The debdiff from the previous version in buster is attached.

This proposed release is also available at the
"publicsuffix_debian/20220811.1734-0+deb10u1" tag on the "debian/buster"
branch at the git repo for publicsuffix packaging:

https://salsa.debian.org/debian/publicsuffix

Please follow up on this ticket to confirm whether I should upload this
revision to buster.


publicsuffix_20211109.1735-0+deb10u1_20220811.1734-0+deb10u1.debdiff.gz
Description: application/gzip


Bug#999430: buster-pu: package publicsuffix/20211109.1735-0+deb10u1

2022-08-24 Thread Daniel Kahn Gillmor
On Fri 2022-08-05 20:36:24 +0100, Adam D. Barratt wrote:
> On Mon, 2021-11-29 at 20:45 +, Adam D. Barratt wrote:
>> Control: tags -1 + confirmed
>> 
>> On Wed, 2021-11-10 at 16:31 -0500, Daniel Kahn Gillmor wrote:
>> > Please consider an update to publicsuffix in debian buster.
>> > 
>> > This package reflects the state of the network, and keeping it
>> > current is useful for all the packages that depend on it.
>> > 
>> 
>> Please go ahead.
>
> Ping? We're in the process of organising the final point release for
> buster, as support for it transitions over to the LTS team, so if you
> would still like to fix it via pu then the upload needs to happen soon.

Sorry, I'm a bit confused by this.  afaict, #999430 refers to a version
of publicsuffix that is already shipping in buster,
20211109.1735-0+deb10u1:

0 dkg@alice:~$ rmadison publicsuffix -s buster
publicsuffix | 20211109.1735-0+deb10u1 | oldstable  | source, all
0 dkg@alice:~$ 

So i think this can be closed.  On the basis that
https://www.debian.org/News/2022/ doesn't show any recent final point
release for buster, i'll go ahead and open a new request for the latest
publicsuffix as an update, though.

Thanks for handling the debian point releases!  I know they're
complicated to coordinate.

fwiw, i'm handling the generation of publicsuffix point releases in an
automated way these days, so that they should only ever include updates
of this central file.  If there's any way to get a blanket OK for upload
of this type of narrowly-targeted update, it would help me in
maintenance to not have to wait for a response and followup after the
debdiff, at which point the update might no longer be the latest
version.  I understand the cost of making exceptions, though, so if that
doesn't work for you, i will continue as i have been.

All the best,

--dkg


signature.asc
Description: PGP signature


Bug#1018045: bullseye-pu: package publicsuffix/20220811.1734-0+deb11u1

2022-08-24 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: d...@fifthhorseman.net
Control: affects -1 src:publicsuffix

Please consider an update to publicsuffix in debian bullseye.

This package reflects the state of the network, and keeping it current
is useful for all the packages that depend on it.

The debdiff from the previous version in bullseye is attached.

This proposed release is also available at the
"publicsuffix_debian/20220811.1734-0+deb11u1" tag on the "debian/bullseye"
branch at the git repo for publicsuffix packaging:

https://salsa.debian.org/debian/publicsuffix

Please follow up on this ticket to confirm whether I should upload this
revision to bullseye.


publicsuffix_20211207.1025-0+deb11u1_20220811.1734-0+deb11u1.debdiff.gz
Description: application/gzip


Bug#1011505: transition: gpgme1.0

2022-05-23 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: d...@fifthhorseman.net, delta...@debian.org

The only packages that need to be rebuilt against this soname bump are
part of KDE, specifically these binary packages:

 accountwizard
 kdepim-addons
 kget
 kleopatra
 kmail
 libkf5libkleo5
 libkf5mailcommon5abi2
 libkf5messagecomposer5abi1
 libkf5messagecore5abi1
 libkf5messageviewer5abi1
 libkf5mimetreeparser5abi1

These come from the following sources:

 kdepim-addons
 kf5-messagelib
 kget
 kleopatra
 kmail
 kmail-account-wizard
 libkf5libkleo
 libkf5mailcommon

Patrick Franz (in Cc) from the KDE team tested them and reported that
they build cleanly with an NMU (see attached message).

Release team, please ACK so i can proceed with the upload to unstable.

Regards,

--dkg


Ben file:

title = "gpgme1.0";
is_affected = .depends ~ "libqgpgme7" | .depends ~ "libqgpgme15";
is_good = .depends ~ "libqgpgme15";
is_bad = .depends ~ "libqgpgme7";
From: Patrick Franz 
To: debian-qt-...@lists.debian.org, Daniel Kahn Gillmor 
Subject: Re: rebuilding against libqgpgme-dev (soname bump from libqgpgme7 to libqgpgme15)
Date: Sun, 22 May 2022 18:32:21 +0200
Message-ID: <1831765.tdWV9SEqCh@delta-one>
In-Reply-To: <87zgjbficl@fifthhorseman.net>
References: <87zgjbficl@fifthhorseman.net>

Hi Daniel,

On Saturday, 21 May 2022, 09:35:54 CEST, Daniel Kahn Gillmor wrote:
> I think the following 8 source packages will need a rebuild:
>
> kdepim-addons
> kf5-messagelib
> kget
> kleopatra
> kmail
> kmail-account-wizard
> libkf5libkleo
> libkf5mailcommon
>
> Let me know what you think is a good plan here,

I rebuilt those packages against gpgme 1.17 in experimental and all of
them built successfully without the need of adjusting anything.

So I'd suggest you simply request a transition and state that all these
packages build against gpgme 1.17 and only need NMUs.


-- 
Kind regards

Patrick Franz
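
The Ben file at the end of the request is what the release team's transition tracker evaluates against every binary package's control stanza. The following Python evaluator is an added example, not the tracker's own code and not part of the bug report: it parses Packages-style stanzas, parses the three predicates of the gpgme1.0 Ben file quoted above, and labels each package as unaffected, good (already built against libqgpgme15) or bad (still depending on libqgpgme7). The stanzas are constructed for the example, and it assumes that `.field ~ "regex"` is an unanchored regular-expression match on the named field, with `|` as disjunction and `&` as conjunction.

```python
"""Classify binary packages for a library transition the way a Ben file does.

Added example, not part of the bug report or of the Ben tool itself. Assumed
semantics: `.field ~ "regex"` is an unanchored regex match on that control
field, `|` joins alternatives, `&` joins conjuncts.
"""
import re

# The Ben file from the transition request, copied from the report.
BEN_FILE = '''
title = "gpgme1.0";
is_affected = .depends ~ "libqgpgme7" | .depends ~ "libqgpgme15";
is_good = .depends ~ "libqgpgme15";
is_bad = .depends ~ "libqgpgme7";
'''

# Constructed Packages stanzas; the dependency lists are invented for the
# example and are not the real metadata of these binary packages.
SAMPLE_PACKAGES = """\
Package: kleopatra
Depends: libc6, libqgpgme15 (>= 1.17.0), libkf5libkleo5

Package: kmail
Depends: libc6,
 libqgpgme7 (>= 1.16.0),
 libkf5mailcommon5abi2

Package: gnupg
Depends: libc6, gpgconf
"""

ATOM = re.compile(r'\.(\w+)\s*~\s*"([^"]*)"')
RULE = re.compile(r'(\w+)\s*=\s*(.*?);', re.S)


def parse_packages(text):
    """Parse RFC822-style stanzas into dicts with lower-cased field names."""
    stanzas, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
        elif line[0] in " \t" and last is not None:
            cur[last] += " " + line.strip()      # folded continuation line
        else:
            key, _, value = line.partition(":")
            last = key.strip().lower()
            cur[last] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


def parse_ben(text):
    """Turn each predicate into disjunctive normal form: a list of
    alternatives, each a list of (field, compiled regex) conjuncts."""
    rules = {}
    for name, expr in RULE.findall(text):
        if name == "title":
            rules[name] = expr.strip().strip('"')
            continue
        rules[name] = [
            [(field, re.compile(rx)) for field, rx in ATOM.findall(alt)]
            for alt in expr.split("|")
        ]
    return rules


def matches(dnf, stanza):
    return any(
        all(rx.search(stanza.get(field, "")) for field, rx in conj)
        for conj in dnf
    )


def classify(rules, stanza):
    """'unaffected', 'bad' (still on the old soname), 'good' (rebuilt),
    or 'unknown' (affected but matching neither side)."""
    if not matches(rules["is_affected"], stanza):
        return "unaffected"
    if matches(rules["is_bad"], stanza):
        return "bad"
    if matches(rules["is_good"], stanza):
        return "good"
    return "unknown"


def transition_status(ben_text=BEN_FILE, packages_text=SAMPLE_PACKAGES):
    """Map each package name to its transition status."""
    rules = parse_ben(ben_text)
    return {s["package"]: classify(rules, s) for s in parse_packages(packages_text)}


if __name__ == "__main__":
    for pkg, status in transition_status().items():
        print(f"{pkg:12} {status}")
```

A package whose Depends matches neither regex after the is_affected test (for instance one that was rebuilt against a third, unexpected soname) is reported as "unknown" rather than silently counted as good, which is the case a tracker should surface.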




Bug#1004452: bullseye-pu: package gnupg2/2.2.27-2+deb11u1

2022-03-18 Thread Daniel Kahn Gillmor
On Fri 2022-03-18 09:13:08 +, Adam D. Barratt wrote:
> Unfortunately it looks like the upload failed:
>
> gnupg2_2.2.27-2+deb11u1.dsc: Refers to non-existing file
> 'gnupg2_2.2.27.orig.tar.bz2.asc'

Sigh.  thanks for the note.  I've just tried again, this time including
the orig.tar.bz2.asc in the upload.

--dkg


signature.asc
Description: PGP signature


Bug#1004452: bullseye-pu: package gnupg2/2.2.27-2+deb11u1

2022-03-17 Thread Daniel Kahn Gillmor
On Thu 2022-03-17 17:49:04 +, Adam D. Barratt wrote:
> On Sat, 2022-02-19 at 22:24 -0500, Daniel Kahn Gillmor wrote:
>> On Sat 2022-02-19 17:09:21 +, Adam D. Barratt wrote:
>> > Control: tags -1 + confirmed d-i
>> > 
> [...]
>> > That looks fine to me, but will need a d-i ack as the package
>> > builds a
>> > udeb; tagging and CCing accordingly.
>> 
>> Understood -- i'll wait for a d-i ack before uploading.
>
> As we're getting very close to the window for 11.3 closing, please feel
> free to upload.

I've just uploaded gnupg2/2.2.27-2+deb11u1 to bullseye now.  Please let
me know if there are any problems.

thanks for your ongoing work maintaining debian stable!

 --dkg


signature.asc
Description: PGP signature


Bug#1004452: bullseye-pu: package gnupg2/2.2.27-2+deb11u1

2022-02-19 Thread Daniel Kahn Gillmor
On Sat 2022-02-19 17:09:21 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed d-i
>
> On Thu, 2022-01-27 at 17:02 -0500, Daniel Kahn Gillmor wrote:
>> Please consider an update to GnuPG in debian bullseye, from version
>> 2.2.27-2 to 2.2.27-2+deb11u1.
>> 
>
> The version mentioned above is correct, but the proposed changelog is
> not:
>
> +gnupg2 (2.2.27-2+deb11+1) bullseye; urgency=medium
>
> (it should be "deb11u1", not "deb11+1").

thanks for catching that, i've corrected it and pushed the corrected
version to the debian/bullseye branch in salsa.

> That looks fine to me, but will need a d-i ack as the package builds a
> udeb; tagging and CCing accordingly.

Understood -- i'll wait for a d-i ack before uploading.

   --dkg


signature.asc
Description: PGP signature


Bug#1004452: gnuplot 5.4.1+dfsg1-1+deb11u1 flagged for acceptance

2022-02-03 Thread Daniel Kahn Gillmor
Hi Adam--

No problem, i've made way worse copy/paste mistakes myself 

On Thu 2022-02-03 06:41:21 +, Adam D. Barratt wrote:
> Control: tags -1 - pending

For clarity, I'm assuming this means that the GnuPG upload for bullseye
(#1004452) is *not* yet approved, and i will wait for additional
feedback from you or other release managers before continuing.

Thanks for the quick followup!

--dkg


signature.asc
Description: PGP signature


Bug#1004452: gnuplot 5.4.1+dfsg1-1+deb11u1 flagged for acceptance

2022-02-02 Thread Daniel Kahn Gillmor
Hi Adam--

Thanks for reviewing, but this is confusing to me.  I thought 1004452
was for GnuPG gnupg2/2.2.27-2+deb11u1, not gnuplot
5.4.1+dfsg1-1+deb11u1.  Which one did you mean to accept with this
message?

  --dkg

On Wed 2022-02-02 20:30:58 +, Adam D Barratt wrote:
> package release.debian.org
> tags 1004452 = bullseye pending
> thanks
>
> Hi,
>
> The upload referenced by this bug report has been flagged for acceptance into 
> the proposed-updates queue for Debian bullseye.
>
> Thanks for your contribution!
>
> Upload details
> ==
>
> Package: gnuplot
> Version: 5.4.1+dfsg1-1+deb11u1
>
> Explanation: fix division by zero [CVE-2021-44917]


signature.asc
Description: PGP signature


Bug#1004452: bullseye-pu: package gnupg2/2.2.27-2+deb11u1

2022-01-27 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: d...@fifthhorseman.net
X-Debbugs-Cc: pkg-gnupg-ma...@lists.alioth.debian.org
Control: affects -1 src:gnupg2

Please consider an update to GnuPG in debian bullseye, from version
2.2.27-2 to 2.2.27-2+deb11u1.

The fixes, by Christoph Biedel and Raphaël Hertzog, are narrowly
targeted and fix real, significant issues that a subset of users have.
They have been in debian unstable and testing for a while now without
issue:

--
  [ Raphaël Hertzog ]
  * Avoid network interaction in generator. Closes: #993578

  [ Christoph Biedl ]
  * Backport "Scd: Fix CCID driver for SCM SPR332/SPR532". Closes: #982546
--

The debdiff from the version in bullseye (2.2.27-2) is attached.

This proposed release is also available on the "debian/bullseye" branch at
the git repo for GnuPG packaging:

 https://salsa.debian.org/debian/gnupg2

Please follow up on this ticket to confirm whether I should upload this
revision to bullseye's proposed updates.

Regards,

--dkg

diff -Nru gnupg2-2.2.27/debian/changelog gnupg2-2.2.27/debian/changelog
--- gnupg2-2.2.27/debian/changelog	2021-04-22 14:40:36.0 -0400
+++ gnupg2-2.2.27/debian/changelog	2022-01-27 14:46:11.0 -0500
@@ -1,3 +1,16 @@
+gnupg2 (2.2.27-2+deb11+1) bullseye; urgency=medium
+
+  [ Raphaël Hertzog ]
+  * Avoid network interaction in generator. Closes: #993578
+
+  [ Christoph Biedl ]
+  * Backport "Scd: Fix CCID driver for SCM SPR332/SPR532". Closes: #982546
+
+  [ Daniel Kahn Gillmor ]
+  * update git to point to debian/bullseye branch
+
+ -- Daniel Kahn Gillmor   Thu, 27 Jan 2022 14:46:11 -0500
+
 gnupg2 (2.2.27-2) unstable; urgency=medium
 
   * Add a NEWS entry about the end of support for ~/.gnupg/options.
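
Review bot: the stanza header reads gnupg2 (2.2.27-2+deb11+1), while the request body and the bug title both give 2.2.27-2+deb11u1; stable updates use the +deb11u1 form, so correct the version string before upload (the rest of the stanza matches the changelog excerpt quoted in the request).
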
diff -Nru gnupg2-2.2.27/debian/control gnupg2-2.2.27/debian/control
--- gnupg2-2.2.27/debian/control	2021-04-22 14:40:36.0 -0400
+++ gnupg2-2.2.27/debian/control	2022-01-27 14:45:43.0 -0500
@@ -43,7 +43,7 @@
  libnpth-mingw-w64-dev (>= 1.2),
  libz-mingw-w64-dev,
  mingw-w64,
-Vcs-Git: https://salsa.debian.org/debian/gnupg2.git -b debian/main
+Vcs-Git: https://salsa.debian.org/debian/gnupg2.git -b debian/bullseye
 Vcs-Browser: https://salsa.debian.org/debian/gnupg2
 Homepage: https://www.gnupg.org/
 Rules-Requires-Root: no
diff -Nru gnupg2-2.2.27/debian/gbp.conf gnupg2-2.2.27/debian/gbp.conf
--- gnupg2-2.2.27/debian/gbp.conf	2021-02-08 14:38:26.0 -0500
+++ gnupg2-2.2.27/debian/gbp.conf	2022-01-27 14:45:33.0 -0500
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/main
+debian-branch = debian/bullseye
 pristine-tar = True
 upstream-vcs-tag = gnupg-%(version)s
 
diff -Nru gnupg2-2.2.27/debian/patches/cherry-picked/1617856888.gnupg-2.3.0-4-gab66c4357.scd-fix-ccid-driver-for-scm-spr332-spr532.patch gnupg2-2.2.27/debian/patches/cherry-picked/1617856888.gnupg-2.3.0-4-gab66c4357.scd-fix-ccid-driver-for-scm-spr332-spr532.patch
--- gnupg2-2.2.27/debian/patches/cherry-picked/1617856888.gnupg-2.3.0-4-gab66c4357.scd-fix-ccid-driver-for-scm-spr332-spr532.patch	1969-12-31 19:00:00.0 -0500
+++ gnupg2-2.2.27/debian/patches/cherry-picked/1617856888.gnupg-2.3.0-4-gab66c4357.scd-fix-ccid-driver-for-scm-spr332-spr532.patch	2022-01-27 14:44:28.0 -0500
@@ -0,0 +1,48 @@
+Subject: Scd: Fix CCID driver for SCM SPR332/SPR532
+Origin: gnupg-2.3.0-4-gab66c4357
+Upstream-Author: NIIBE Yutaka 
+Date: Thu Apr 8 13:41:28 2021 +0900
+Bug-Debian: https://bugs.debian.org/982546
+
+* scd/ccid-driver.c (ccid_vendor_specific_pinpad_setup): New.
+(ccid_vendor_specific_setup): Only send CLEAR_HALT.
+(ccid_transceive_secure): Each time, use send_escape_cmd.
+
+--
+
+GnuPG-bug-id: 5297
+Signed-off-by: NIIBE Yutaka 
+
+--- a/scd/ccid-driver.c
 b/scd/ccid-driver.c
+@@ -1304,10 +1304,20 @@
+ {
+   if (handle->id_vendor == VENDOR_SCM && handle->id_product == SCM_SPR532)
+ {
++  libusb_clear_halt (handle->idev, handle->ep_intr);
++}
++  return 0;
++}
++
++
++static int
++ccid_vendor_specific_pinpad_setup (ccid_driver_t handle)
++{
++  if (handle->id_vendor == VENDOR_SCM && handle->id_product == SCM_SPR532)
++{
+   DEBUGOUT ("sending escape sequence to switch to a case 1 APDU\n");
+   send_escape_cmd (handle, (const unsigned char*)"\x80\x02\x00", 3,
+NULL, 0, NULL);
+-  libusb_clear_halt (handle->idev, handle->ep_intr);
+ }
+   return 0;
+ }
+@@ -3583,6 +3593,8 @@
+   if (pininfo->fixedlen < 0 || pininfo->fixedlen >= 16)
+ return CCID_DRIVER_ERR_NOT_SUPPORTED;
+ 
++  ccid_vendor_specific_pinpad_setup (handle);
++
+   msg = send_buffer;
+   msg[0] = cherry_mode? 0x89 : PC_to_RDR_Secure;
+   msg[5] = 0; /* slot */
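Review bot: at `ccid_vendor_specific_pinpad_setup (handle);` the return value is discarded, and the function always returns 0 even though `send_escape_cmd` is invoked with NULL result buffers, so a failed vendor escape is never surfaced before the `PC_to_RDR_Secure` exchange; that matches the upstream cherry-pick, but a sentence in the patch header saying so would stop a later reader from treating it as an omission. Separately, the inner file header shows here as ` b/scd/ccid-driver.c` rather than `+++ b/scd/ccid-driver.c`; confirm the file in the upload carries the full `+++` line so quilt can apply it.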
diff -Nru gnupg2-2.2.27/debian/patches/series gnupg2-2.2.27/debian/patches/series
--- gnupg2-2.2.27/deb

Bug#1001279: bullseye-pu: package publicsuffix/20211207.1025-0+deb11u1

2021-12-08 Thread Daniel Kahn Gillmor
On Tue 2021-12-07 19:03:57 +0200, Daniel Kahn Gillmor wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: d...@fifthhorseman.net
> Control: affects -1 src:publicsuffix
>
> Please consider an update to publicsuffix in debian bullseye.
>
> This package reflects the state of the network, and keeping it current
> is useful for all the packages that depend on it.
>
> The debdiff from the previous version in bullseye is attached.
>
> This proposed release is also available at the
> "publicsuffix_debian/20211207.1025-0+deb11u1" tag on the "debian/bullseye" branch
> at the git repo for publicsuffix packaging:
>
> https://salsa.debian.org/debian/publicsuffix
>
> Please followup on this ticket to confirm whether I should upload this
> revision to bullseye.

Apologies, i just read a late-received message about #999427 and
misinterpreted it as about this report.  I went ahead and uploaded
20211207.1025-0+deb11u1 as a result.  (this is one additional month of
updated data beyond the authorized/accepted 20211109.1735-0+deb11u1)

Feel free to reject it if you think that's appropriate, my feelings
won't be hurt ☺.  sorry about the confusion!

  --dkg


signature.asc
Description: PGP signature


Bug#1001280: buster-pu: package publicsuffix/20211207.1025-0+deb10u1

2021-12-07 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: d...@fifthhorseman.net
Control: affects -1 src:publicsuffix

Please consider an update to publicsuffix in debian buster.

This package reflects the state of the network, and keeping it current
is useful for all the packages that depend on it.

The debdiff from the previous version in buster is attached.

This proposed release is also available at the
"publicsuffix_debian/20211207.1025-0+deb10u1" tag on the "debian/buster" branch
at the git repo for publicsuffix packaging:

https://salsa.debian.org/debian/publicsuffix

Please followup on this ticket to confirm whether I should upload this
revision to buster.


publicsuffix_20211109.1735-0+deb10u1_20211207.1025-0+deb10u1.debdiff.gz
Description: application/gzip


Bug#1001279: bullseye-pu: package publicsuffix/20211207.1025-0+deb11u1

2021-12-07 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: d...@fifthhorseman.net
Control: affects -1 src:publicsuffix

Please consider an update to publicsuffix in debian bullseye.

This package reflects the state of the network, and keeping it current
is useful for all the packages that depend on it.

The debdiff from the previous version in bullseye is attached.

This proposed release is also available at the
"publicsuffix_debian/20211207.1025-0+deb11u1" tag on the "debian/bullseye" branch
at the git repo for publicsuffix packaging:

https://salsa.debian.org/debian/publicsuffix

Please followup on this ticket to confirm whether I should upload this
revision to bullseye.


publicsuffix_20211109.1735-0+deb11u1_20211207.1025-0+deb11u1.debdiff.gz
Description: application/gzip


Bug#999427: bullseye-pu: package publicsuffix/20211109.1735-0+deb11u1

2021-12-01 Thread Daniel Kahn Gillmor
On Wed 2021-12-01 09:43:18 +, Adam D. Barratt wrote:
> It looks like you've hit a (fairly) common issue with trying to upload
> the same upstream version to multiple suites in a short time.

thanks for keeping an eye on this, and giving a quick diagnosis, Adam.

> I assume both of your uploads included the .orig.tar.gz and were made
> close together.

This is exactly right.

> At this point your options are either to re-upload the .orig.tar.gz
> directly, or dcut and re-upload the complete bullseye upload.

i've taken the former approach, uploading directly with sftp.  hopefully
that'll work :)

> In general, either don't include the orig in the later upload, or space
> them apart so that you receive the queued confirmation for the first
> before uploading the second. (If the orig is already in the archive, as
> I assume is the case here, then you don't actually need to include it
> in either upload.)

Thanks, this is useful guidance for a workaround.

I can't help but wonder whether there isn't some way to avoid the need
for a workaround in the backend anyway, though.  for example, if the
orig.tar.gz is missing, look in neighboring suites for one with the
matching digest.  Where would i look for a bug report on the
infrastructure that would cover this?

   --dkg



Bug#999427: bullseye-pu: package publicsuffix/20211109.1735-0+deb11u1

2021-12-01 Thread Daniel Kahn Gillmor
On Mon 2021-11-29 20:46:25 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Wed, 2021-11-10 at 16:09 -0500, Daniel Kahn Gillmor wrote:
>> Please consider an update to publicsuffix in debian bullseye.
>> 
>> This package reflects the state of the network, and keeping it
>> current
>> is useful for all the packages that depend on it.
>> 
>
> Please go ahead.

thanks, uploaded just now.

--dkg
  



Bug#999430: buster-pu: package publicsuffix/20211109.1735-0+deb10u1

2021-11-10 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: d...@fifthhorseman.net
Control: affects -1 src:publicsuffix

Please consider an update to publicsuffix in debian buster.

This package reflects the state of the network, and keeping it current
is useful for all the packages that depend on it.

The debdiff from the previous version in buster is attached.

This proposed release is also available at the
"publicsuffix_debian/20211109.1735-0+deb10u1" tag on the "debian/buster" branch
at the git repo for publicsuffix packaging:

https://salsa.debian.org/debian/publicsuffix

Please followup on this ticket to confirm whether I should upload this
revision to buster.


publicsuffix_20190925.1705-0+deb10u1_20211109.1735-0+deb10u1.debdiff.gz
Description: application/gzip


Bug#999427: bullseye-pu: package publicsuffix/20211109.1735-0+deb11u1

2021-11-10 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: d...@fifthhorseman.net
Control: affects -1 src:publicsuffix

Please consider an update to publicsuffix in debian bullseye.

This package reflects the state of the network, and keeping it current
is useful for all the packages that depend on it.

The debdiff from the previous version in bullseye is attached.

This proposed release is also available at the
"publicsuffix_debian/20211109.1735-0+deb11u1" tag on the "debian/bullseye" branch
at the git repo for publicsuffix packaging:

https://salsa.debian.org/debian/publicsuffix

Please followup on this ticket to confirm whether I should upload this
revision to bullseye.


publicsuffix_20210108.1309-1_20211109.1735-0+deb11u1.debdiff.gz
Description: application/gzip


Bug#956701: RM: enigmail/2:2.0.8-5~deb9u1

2020-05-14 Thread Daniel Kahn Gillmor
Control: affects 956701 + src:enigmail

On Tue 2020-04-14 15:57:10 +0300, Adrian Bunk wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian@packages.debian.org
> Usertags: rm
>
> enigmail is no longer installable with the thunderbird version
> now in stretch (#949736).
>
> Updating enigmail in stretch might be non-trivial due to the
> versioned dependency on gnupg.
>
> It is expected that shortly after the final non-LTS release of stretch
> there will be an LTS update of thunderbird in stretch with a version
> that can no longer be supported by enigmail:
> https://www.enigmail.net/index.php/en/home/news/70-2019-10-08-future-openpgp-support-in-thunderbird
>
> I do not see a better solution than removing the enigmail package
> that is already not installable in stretch.
>
> Daniel Kahn Gillmor Cc'ed, an ACK/NAK would be appreciated.

I'm fine with removing enigmail from stretch; i don't have the capacity
to support it that far back.  I would strongly recommend anyone using a
desktop environment to move to debian stable.

  --dkg



Bug#945066: buster-pu: package enigmail/2:2.1.3+ds1-4~deb10u1

2019-11-19 Thread Daniel Kahn Gillmor
sts/enigmailMsgComposeOverlay-test.js |   31 -
 ui/tests/main.js   |   18 +-
 ui/tests/testHelper.js |   13 +
 util/build.mk  |   49 -
 util/checkFiles.py |2 +
 util/gen-filterable-key|   55 -
 util/genxpi|  248 +-
 util/header.py |  542 
 util/ply/__init__.py   |4 -
 util/ply/lex.py| 1058 ---
 util/ply/yacc.py   | 3276 
 util/prepPackage   |   25 +
 util/prepPostbox   |   59 +
 util/run-jsunit|   11 +-
 util/test.jpg  |  Bin 518 -> 0 bytes
 util/typelib.py|  302 --
 util/xpidl.py  | 1421 -
 util/xpidllex.py   |9 -
 util/xpidlyacc.py  |   85 -
 util/xpt.py| 1382 -
 util/xptgen|   64 -
 485 files changed, 39321 insertions(+), 36946 deletions(-)

The diff from what's in unstable is much simpler:

diff --git enigmail-2.1.3+ds1-4/debian/changelog 
enigmail-2.1.3+ds1-4~deb10u1/debian/changelog
index fb04d6912..59c7c1ad4 100644
--- enigmail-2.1.3+ds1-4/debian/changelog
+++ enigmail-2.1.3+ds1-4~deb10u1/debian/changelog
@@ -1,3 +1,10 @@
+enigmail (2:2.1.3+ds1-4~deb10u1) buster; urgency=medium
+
+  * Upload to debian stable to keep it installable now that Thunderbird 68
+is in stable (Closes: #945014)
+
+ -- Daniel Kahn Gillmor   Tue, 19 Nov 2019 15:43:20 
+0800
+
 enigmail (2:2.1.3+ds1-4) unstable; urgency=medium
 
   * convert to python3
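Review bot: the trailer reads `Tue, 19 Nov 2019 15:43:20 +0800` while every other entry on this page is stamped `-0400`; harmless if accurate, but the line is also wrapped onto a second line in the posted diff, so confirm the committed debian/changelog keeps the whole trailer on one line, as a broken trailer makes the entry unparseable for dpkg-parsechangelog.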
@@ -65,6 +72,22 @@ enigmail (2:2.0.11+ds1-1) unstable; urgency=medium
 
  -- Daniel Kahn Gillmor   Thu, 23 May 2019 17:06:35 
-0400
 
+enigmail (2:2.0.12+ds1-1~deb10u1) buster; urgency=medium
+
+  * upload upstream version to Debian stable
+   - addresses CVE-2019-12269 (Closes: #929363)
+   - uses "advanced" version of WKD
+   - switches to using keys.openpgp.org as the default keyserver
+   - avoid decrypting/verifying quoted inline-PGP
+   - un-mangling MS Exchange: ensure that message structure is
+ as expected to avoid data loss
+   - only include Subject: line in legacy-display part for
+ protected headers
+  * move Vcs-Git fields to DEP-14 branch debian/buster
+  * refresh patches
+
+ -- Daniel Kahn Gillmor   Wed, 21 Aug 2019 12:57:35 
-0400
+
 enigmail (2:2.0.10+ds1-1) unstable; urgency=medium
 
   * new upstream release
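Review bot: the inserted `enigmail (2:2.0.12+ds1-1~deb10u1)` entry is dated `Wed, 21 Aug 2019` but sits below the `2:2.0.11+ds1-1` entry whose trailer is `Thu, 23 May 2019`, so the changelog is no longer in reverse date order at that point; only the top entry is parsed by the tools, but consider moving it above the 2.0.11 entries or adding a line noting it was a buster-only upload, so a reader of the history does not look for a missing step.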
diff --git enigmail-2.1.3+ds1-4/debian/control 
enigmail-2.1.3+ds1-4~deb10u1/debian/control
index 3ebe3bc29..ae0a43015 100644
--- enigmail-2.1.3+ds1-4/debian/control
+++ enigmail-2.1.3+ds1-4~deb10u1/debian/control
@@ -14,7 +14,7 @@ Build-Depends:
  zip,
 Standards-Version: 4.4.1
 Homepage: https://www.enigmail.net/
-Vcs-Git: https://salsa.debian.org/debian/enigmail.git -b debian/master
+Vcs-Git: https://salsa.debian.org/debian/enigmail.git -b debian/buster
 Vcs-Browser: https://salsa.debian.org/debian/enigmail
 Rules-Requires-Root: no
 
diff --git enigmail-2.1.3+ds1-4/debian/gbp.conf 
enigmail-2.1.3+ds1-4~deb10u1/debian/gbp.conf
index ec1a2b13e..ad90c8b99 100644
--- enigmail-2.1.3+ds1-4/debian/gbp.conf
+++ enigmail-2.1.3+ds1-4~deb10u1/debian/gbp.conf
@@ -1,7 +1,7 @@
 [DEFAULT]
 upstream-vcs-tag = enigmail-%(version)s
 pristine-tar = True
-debian-branch = debian/master
+debian-branch = debian/buster
 
 [import-orig]
 filter = [


Please let me know if i should upload.

   --dkg


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'stable'), (500, 
'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#941673: jessie-pu: package publicsuffix/20190925.1705-0+deb8u1

2019-10-03 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Control: affects -1 src:publicsuffix

Please consider an update to publicsuffix in debian jessie.

This package reflects the state of the network, and keeping it current
is useful for all the packages that depend on it.

The debdiff from the previous version in jessie is attached.

This proposed release is also available at the
"publicsuffix_debian/20190925.1705-0+deb8u1" tag on the "debian/jessie" branch
at the git repo for publicsuffix packaging:

https://salsa.debian.org/debian/publicsuffix

Please followup on this ticket to confirm whether I should upload this
revision to jessie.



../publicsuffix_20171028.2055-0+deb8u1_20190925.1705-0+deb8u1.debdiff.gz
Description: Binary data


Bug#941617: stretch-pu: package publicsuffix/20190925.1705-0+deb9u1

2019-10-02 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
Control: affects -1 src:publicsuffix

Please consider an update to publicsuffix in debian stretch.

This package reflects the state of the network, and keeping it current
is useful for all the packages that depend on it.

The debdiff from the previous version in stretch is attached.

This proposed release is also available at the
"publicsuffix_debian/20190925.1705-0+deb9u1" tag on the "debian/stretch" branch
at the git repo for publicsuffix packaging:

https://salsa.debian.org/debian/publicsuffix

Please followup on this ticket to confirm whether I should upload this
revision to stretch.



../publicsuffix_20190415.1030-0+deb9u1_20190925.1705-0+deb9u1.debdiff.gz
Description: Binary data


Bug#941615: buster-pu: package publicsuffix/20190925.1705-0+deb10u1

2019-10-02 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
Control: affects -1 src:publicsuffix

Please consider an update to publicsuffix in debian buster.

This package reflects the state of the network, and keeping it current
is useful for all the packages that depend on it.

The debdiff from the previous version in buster is attached.

This proposed release is also available at the
"publicsuffix_debian/20190925.1705-0+deb10u1" tag on the "debian/buster" branch
at the git repo for publicsuffix packaging:

https://salsa.debian.org/debian/publicsuffix

Please followup on this ticket to confirm whether I should upload this
revision to buster.



../publicsuffix_20190904.1802-0+deb10u1_20190925.1705-0+deb10u1.debdiff.gz
Description: Binary data


Bug#940059: buster-pu: package publicsuffix/20190904.1802-0+deb10u1

2019-09-11 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
Control: affects -1 src:publicsuffix

Please consider an update to publicsuffix in debian buster.

This package reflects the state of the network, and keeping it current
is useful for all the packages that depend on it.

The debdiff from the previous version in buster is attached.

This proposed release is also available at the
"publicsuffix_debian/20190904.1802-0+deb10u1" tag on the "debian/buster" branch
at the git repo for publicsuffix packaging:

https://salsa.debian.org/debian/publicsuffix

Please followup on this ticket to confirm whether I should upload this
revision to buster.



../publicsuffix_20190415.1030-1_20190904.1802-0+deb10u1.debdiff.gz
Description: Binary data


Bug#932684: buster-pu: package gnupg2/2.2.12-1+deb10u1

2019-08-31 Thread Daniel Kahn Gillmor
On Sat 2019-08-31 12:33:51 +0100, Adam D. Barratt wrote:
> I don't know if that will be in time, but while we wait feel free to
> upload so that the package is available if the timings turn out to be
> on our side.

uploaded now, thanks.

 --dkg



Bug#932684: buster-pu: package gnupg2/2.2.12-1+deb10u1

2019-08-21 Thread Daniel Kahn Gillmor
On Wed 2019-08-21 18:19:06 +0100, Adam D. Barratt wrote:
>>  * We adopt GnuPG's upstream approach of making keyserver access
>>default to self-sigs-only.  This means that the keyserver cannot
>>flood the user's keyring by default. (we do *not* adopt upstream's
>>choice of import-clean for keyserver default, see
>>https://dev.gnupg.org/T4628 for more explanation)
>
> The introduction of this change in unstable (and since in testing)
> apparently led to some confusion amongst, and queries from, members of
> the project, so is likely to have a similar (but quite possibly larger)
> effect on the wider stable user base.
>
> If we are to include it, I think it would therefore be wise to ensure
> that it is accompanied by a NEWS entry which briefly explains the
> change and its implications. (Relatedly, the further through the stable
> cycle we get, the more awkward this would be to introduce.)

Thanks, that's entirely reasonable.  I've put this NEWS item into the
debian/buster branch on salsa.  Otherwise, the debdiff is the same.  


diff --git a/debian/NEWS b/debian/NEWS
index 0a6a7440d..3005e935c 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,25 @@
+gnupg2 (2.2.12-1+deb10u1) buster; urgency=medium
+
+  In this version we adopt GnuPG's upstream approach of making keyserver
+  access default to self-sigs-only.  This defends against receiving
+  flooded OpenPGP certificates.  To revert to the previous behavior (not
+  recommended!), add the following directive to ~/.gnupg/gpg.conf:
+
+keyserver-options no-self-sigs-only
+
+  We also adopt keys.openpgp.org as the default keyserver, since it avoids
+  the associated bandwidth waste of fetching third-party certifications
+  that will not be used.  To revert to the older SKS keyserver network (not
+  recommended!), add the following directive to ~/.gnupg/dirmngr.conf:
+
+keyserver hkps://hkps.pool.sks-keyservers.net
+
+  Note: we do *not* adopt upstream's choice of import-clean for the
+  keyserver default, since it can lead to data loss, see
+  https://dev.gnupg.org/T4628 for more details.
+
+ -- Daniel Kahn Gillmor   Wed, 21 Aug 2019 14:53:47 
-0400
+
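Review bot: the trailer `-- Daniel Kahn Gillmor   Wed, 21 Aug 2019 14:53:47 -0400` is wrapped over two lines in the posted hunk; debian/NEWS uses changelog syntax, so confirm the committed file keeps it on one line, and keep the entry's version identical to the top debian/changelog entry (`2.2.12-1+deb10u1`), otherwise apt-listchanges will not show the notice on upgrade. The two revert snippets are the right files (gpg.conf for `keyserver-options`, dirmngr.conf for `keyserver`); a short line saying that reverting self-sigs-only restores third-party certifications for web-of-trust users would make the trade-off explicit to the readers the note is aimed at.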


Let me know if you want me to re-generate a full debdiff, or if you're
ok with this plus the previous debdiff (with an updated date on
debian/changelog to match debian/NEWS), let me know whether i should go
ahead and upload.

Thanks for your thoughtfulness and review.

Regards,

--dkg



Bug#931126: unblock: enigmail/2:2.0.12+ds1~deb10u1

2019-08-21 Thread Daniel Kahn Gillmor
On Wed 2019-08-21 18:17:14 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Wed, 2019-08-21 at 13:05 -0400, Daniel Kahn Gillmor wrote:
>> Control: tags 931126 - moreinfo
>> Control: retitle 931126 unblock: enigmail/2:2.0.12+ds1~deb10u1
>
> The "buster-pu" bit of the previous title was correct. :-) Will fix
> that up shortly.

sorry about that, and thanks for fixing it.  i was just trying to update
the version number.

> [...]
>> +enigmail (2:2.0.12+ds1-1~deb10u1) buster; urgency=medium
>> +
>> +  * upload upstream version to Debian stable
>> +   - addresses CVE-2019-12269 (Closes: #929363)
>> +   - uses "advanced" version of WKD
>> +   - switches to using keys.openpgp.org as the default keyserver
>> +   - avoid decrypting/verifying quoted inline-PGP
>> +   - un-mangling MS Exchange: ensure that message structure is
>> + as expected to avoid data loss
>> +   - only include Subject: line in legacy-display part for
>> + protected headers
>
> Please go ahead.

uploaded.  don't hesitate to let me know if you need anything done
differently.

thanks for your attention to this.

 --dkg



Bug#931126: unblock: enigmail/2:2.0.12+ds1~deb10u1

2019-08-21 Thread Daniel Kahn Gillmor
Control: tags 931126 - moreinfo
Control: retitle 931126 unblock: enigmail/2:2.0.12+ds1~deb10u1

On Tue 2019-08-20 21:05:37 +0100, Adam D. Barratt wrote:
>> I would love it if someone else wants to step up and help with this.
>> I'm currently working on an update to GnuPG for buster, and have not
>> had time yet to do the 2.0.12 upload for Buster (either as a security
>> or point release).
>
> Tagging as moreinfo for now, until there's a definite plan and diff
> either way.

Thanks, Adam.

Attached is a debdiff for the update to enigmail 2.0.12 for buster.
I've also pushed it to the debian/buster branch on salsa.  I've reduced
the size of the debdiff by about a third by filtering out the changes to
the lang/ directory (in particular, the updates to the russian
translation are large), but those changes can be seen in git if you're
interested.

from debian/changelog:

+enigmail (2:2.0.12+ds1-1~deb10u1) buster; urgency=medium
+
+  * upload upstream version to Debian stable
+   - addresses CVE-2019-12269 (Closes: #929363)
+   - uses "advanced" version of WKD
+   - switches to using keys.openpgp.org as the default keyserver
+   - avoid decrypting/verifying quoted inline-PGP
+   - un-mangling MS Exchange: ensure that message structure is
+ as expected to avoid data loss
+   - only include Subject: line in legacy-display part for
+ protected headers
+  * move Vcs-Git fields to DEP-14 branch debian/buster
+  * refresh patches
+
+ -- Daniel Kahn Gillmor   Wed, 21 Aug 2019 12:57:35 
-0400

Please let me know if i should go ahead with the upload.

Regards,

--dkg



enigmail_2:2.0.10+ds1-1_2:2.0.12+ds1-1~deb10u1.debdiff.gz
Description: application/gzip



Bug#932684: buster-pu: package gnupg2/2.2.12-1+deb10u1

2019-07-28 Thread Daniel Kahn Gillmor
On Sun 2019-07-21 15:55:28 -0400, Daniel Kahn Gillmor wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
> Control: affects -1 src:gnupg2
>
> The version of GnuPG in debian buster (2.2.12-1) has a number of
> outstanding bugs related to OpenPGP certificate management and network
> access.  Many of these concerns are addressed in some of the patches
> in upstream's STABLE-BRANCH-2-2 series.
>
> The debdiff (attached) is basically a slew of bugfix, documentation,
> stability, and efficiency patches cherry-picked from upstream, plus
> some additional changes to reduce the exposure of debian users to
> malicious attack on the SKS keyserver network, and some improvements
> in the continuous integration test suite.

ping on this?  i'd appreciate any feedback about its prospects for
fixing problems for users of debian buster.

   --dkg



Bug#932684: buster-pu: package gnupg2/2.2.12-1+deb10u1

2019-07-21 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
Control: affects -1 src:gnupg2

The version of GnuPG in debian buster (2.2.12-1) has a number of
outstanding bugs related to OpenPGP certificate management and network
access.  Many of these concerns are addressed in some of the patches
in upstream's STABLE-BRANCH-2-2 series.

The debdiff (attached) is basically a slew of bugfix, documentation,
stability, and efficiency patches cherry-picked from upstream, plus
some additional changes to reduce the exposure of debian users to
malicious attack on the SKS keyserver network, and some improvements
in the continuous integration test suite.

These additional changes address concerns due to the fact that the SKS
keyserver network is failing due to abuse, and GnuPG had used it as a
default keyserver.  These changes offer ways to work around the
problems our users face when fetching data off the network today.  In
particular:

 * We adopt GnuPG's upstream approach of making keyserver access
   default to self-sigs-only.  This means that the keyserver cannot
   flood the user's keyring by default. (we do *not* adopt upstream's
   choice of import-clean for keyserver default, see
   https://dev.gnupg.org/T4628 for more explanation)
   
 * We constrain the SKS CA to only validate
   hkps.pool.sks-keyservers.net (and we avoid using the system CAs for
   the SKS pool), thereby tightening the confidentiality constraints
   on TLS-wrapped keyserver access.

 * Since the SKS pool's distribution of third-party certifications
   will be ignored by default, we change the default keyserver to
   hkps://keys.openpgp.org, which won't waste the user's bandwidth for
   data that they won't even consider by default.  keys.openpgp.org is
   significantly more performant for read-only clients (most keyserver
   access) than any member of the SKS pool.

 * We also allow GnuPG to merge certificate updates (revocations,
   subkey rotations) which might be published on keys.openpgp.org
   without any user ID (see https://dev.gnupg.org/T4393 for more
   discussion).  This represents a security improvement for users who
   might otherwise use a locally-cached certificate that should have
   been revoked, or who cannot encrypt to a locally-cached certificate
   because they don't know about its new encryption-capable subkey.

 * migrate-pubring-from-classic-gpg fails when the user's keyring
   contains a flooded certificate -- we address this (#931385), and
   add a test for it.

---

A note about "web of trust" and the third-party certifications it
depends on:

Third-party certifications are still importable by default over WKD
and DANE/OPENPGPKEY access.  It is generally recommended to use those
mechanisms where providers offer them, using --locate-key by e-mail
address instead of --search.

A user who wants to import arbitrary third-party certifications via
HKP or HKPS can still do so by identifying their trusted keyserver
source and indicating that third-party certifications are OK.  for
example:

--keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options no-self-sigs-only

---

Finally, we add an additional simple test for ci.debian.org, and we
adjust the gpgv-win32 ci test so that it will only run on i386 testers
(#905563).  continuous integration for the win! :)

The changelog entry provides this summary:

gnupg2 (2.2.12-1+deb10u1) buster; urgency=medium

  * drop unneeded patch for printing revocation certificates
  * backport bugfix and stability patches from upstream 2.2.13
  * backport bugfix and stability patches from upstream 2.2.14
  * backport documentation, stability, ssh, and WKD patches from upstream 2.2.15
  * backport documentation and bugfix patches from upstream 2.2.16
  * import bugfixes and cleanup around secret key handling from 2.2.14
  * backport bugfixes, documentation, WKD, and keyserver fixes from 2.2.17
  * import efficiency and security fixes from upstream STABLE-BRANCH-2-2
  * avoid using SKS pool CA unless the keyserver is hkps.pool.sks-keyservers.net
  * drop import-clean from default keyserver options, to avoid data loss
  * use keys.openpgp.org as the default keyserver
  * enable merging certificate updates even if update has no user ID
  * update Vcs-Git: to point to debian/buster branch
  * Adopt migrate-pubring-from-classic-gpg robustness fixes (Closes: #931385)
  * add new CI test: debian/tests/simple-tests
  * debian/tests/gpgv-win32: make arch-specific (Closes: #905563)

 -- Daniel Kahn Gillmor   Sun, 21 Jul 2019 15:39:05 -0400


I recognize that this is a lot of changes, but upstream's 2.2 branch
is intended to be stable.  (most of the GnuPG development work is
happening on the 2.3 branch, and most of the work on 2.2 is just
backports of bugfixes) These changes are also visible on the
debian/buster branch on https://salsa.debian.org/debian/gnupg2.

So another option, if the release-team pref
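The self-sigs-only and keyserver choices described in the proposed update above are ordinary gpg.conf and dirmngr.conf directives. As an added example that is not part of the Debian packaging or of GnuPG, the script below parses both files in GnuPG's option-file syntax and reports whether the defaults the update sets have been reverted; the baseline flags, the default keyserver URL and the rule that a gpg.conf `keyserver` line takes precedence over dirmngr.conf are assumptions taken from this thread's description of the package.

```python
"""Audit GnuPG 2.2 option files for the keyserver defaults described above.

Added example (not GnuPG code, not the Debian packaging).  Option files hold
one option per line, without leading dashes, '#' starts a comment, and
keyserver-options takes a comma- or space-separated list of flags where a
'no-' prefix negates a flag.
"""
import re
from urllib.parse import urlsplit

# Baseline this thread describes for 2.2.12-1+deb10u1 (assumption): the
# keyserver may only supply self-signatures, and import-clean stays off.
BASELINE_FLAGS = {"self-sigs-only": True, "import-clean": False}
DEFAULT_KEYSERVER = "hkps://keys.openpgp.org"
SKS_POOL_DOMAIN = "sks-keyservers.net"


def parse_options(text):
    """Return [(name, value)] pairs from GnuPG-style option-file text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return entries


def effective_keyserver_options(gpg_conf):
    """Apply every keyserver-options line in order on top of the baseline."""
    flags = dict(BASELINE_FLAGS)
    for name, value in parse_options(gpg_conf):
        if name != "keyserver-options":
            continue
        for item in re.split(r"[,\s]+", value):
            if not item:
                continue
            if item.startswith("no-"):
                flags[item[3:]] = False
            else:
                flags[item] = True
    return flags


def configured_keyserver(gpg_conf, dirmngr_conf):
    """A gpg.conf keyserver line is handed to dirmngr and wins over
    dirmngr.conf (assumption); within one file the last line wins."""
    for conf in (gpg_conf, dirmngr_conf):
        servers = [v for n, v in parse_options(conf) if n == "keyserver" and v]
        if servers:
            return servers[-1]
    return DEFAULT_KEYSERVER


def audit(gpg_conf, dirmngr_conf):
    """Report the effective settings plus any reversion of the hardened defaults."""
    flags = effective_keyserver_options(gpg_conf)
    keyserver = configured_keyserver(gpg_conf, dirmngr_conf)
    findings = []
    if not flags.get("self-sigs-only", False):
        findings.append("self-sigs-only disabled: a keyserver response can flood "
                        "the keyring with third-party certifications")
    if flags.get("import-clean", False):
        findings.append("import-clean enabled: can drop certificate data "
                        "(see https://dev.gnupg.org/T4628)")
    url = urlsplit(keyserver)
    host = (url.hostname or "").lower()
    if host.endswith(SKS_POOL_DOMAIN):
        findings.append("keyserver is in the SKS pool: fetches third-party "
                        "certifications that are ignored by default")
    if url.scheme == "hkp":
        findings.append("keyserver uses plain hkp: lookups are not TLS-wrapped")
    return {"flags": flags, "keyserver": keyserver, "findings": findings}


# Constructed sample configs: the first pair reverts both defaults exactly as
# the NEWS entry in this thread describes; the second pair is empty (defaults).
WEAK_GPG_CONF = """\
# constructed sample gpg.conf
keyserver-options no-self-sigs-only, import-clean
"""
WEAK_DIRMNGR_CONF = """\
# constructed sample dirmngr.conf
keyserver hkps://hkps.pool.sks-keyservers.net
"""

if __name__ == "__main__":
    for label, gpg_conf, dirmngr_conf in (("weakened", WEAK_GPG_CONF, WEAK_DIRMNGR_CONF),
                                          ("defaults", "", "")):
        result = audit(gpg_conf, dirmngr_conf)
        print(f"[{label}] keyserver={result['keyserver']} flags={result['flags']}")
        for finding in result["findings"]:
            print("  -", finding)
```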

Bug#931126: unblock: enigmail/2:2.0.11+ds1-2

2019-07-21 Thread Daniel Kahn Gillmor
On Sat 2019-07-20 21:41:12 -0300, Jonathan Wiltshire wrote:
> Hi,
>
> On Mon, Jul 01, 2019 at 01:21:22PM -0400, Daniel Kahn Gillmor wrote:
>> On Sun 2019-06-30 20:01:21 +0200, Paul Gevers wrote:
>> > The time for unblocks for buster has come and gone. The deadline was
>> > last Tuesday, we are now in deep freeze and we were not able to process
>> > your unblock request and give it an exception. I assume this should be
>> > fixed via the security archive, please confirm that (and I'll fix this
>> > bugs metadata). Otherwise I propose you prepare a stable release update
>> > targeting buster, such that this can be fixed in the first point release.
>> 
>> I'm fine with this going through either security or the first buster
>> point release.  So yes, Paul, if you can update this issue to be treated
>> as a security issue, that would be great.
>
> Would you prefer to do this as a security upload (in which case this
> unblock bug should be closed) or as a no-dsa (we will repurpose it for a
> p-u)?

At this point, given the upstream changes and the issues with the SKS
keyserver network, i think we should aim to import 2.0.12 into buster,
not 2.0.11.

I would love it if someone else wants to step up and help with this.
I'm currently working on an update to GnuPG for buster, and have not had
time yet to do the 2.0.12 upload for Buster (either as a security or
point release).

 --dkg



Bug#931126: unblock: enigmail/2:2.0.11+ds1-2

2019-07-01 Thread Daniel Kahn Gillmor
On Sun 2019-06-30 20:01:21 +0200, Paul Gevers wrote:
> The time for unblocks for buster has come and gone. The deadline was
> last Tuesday, we are now in deep freeze and we were not able to process
> your unblock request and give it an exception. I assume this should be
> fixed via the security archive, please confirm that (and I'll fix this
> bugs metadata). Otherwise I propose you prepare a stable release update
> targeting buster, such that this can be fixed in the first point release.

I'm fine with this going through either security or the first buster
point release.  So yes, Paul, if you can update this issue to be treated
as a security issue, that would be great.

Thank you for your work on the release.

  --dkg




Bug#931126: unblock: enigmail/2:2.0.11+ds1-2

2019-06-26 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Control: affects -1 src:enigmail
X-debbugs-cc: Salvatore Bonaccorso , Moritz Mühlenhoff 


Please unblock package enigmail

enigmail 2:2.0.11+ds1-2 includes several usability and security fixes
from upstream, including a fix for CVE-2019-12269 (debian bug #929363).

The debdiff is attached.

unblock enigmail/2:2.0.11+ds1-2

About half of this bulky debdiff is upstream fixes to the test suite,
which has been improved; this is useful for our own testing, and it
should have no effect on the functionality of the package.

Some of the code in debian/patches is also obsolete thanks to the new
upstream version.  In particular,
debian/patches/0005-avoid-OpenPGP.js-during-key-file-import.patch is now
much simpler -- it now rips out a chunk of unusable code (that
references OpenPGP.js, see #787774) and doesn't need to add very much,
because of adoption of the same gpg-based strategy by upstream.

Thanks for your work on fine-tuning the debian Buster release!

   --dkg

diff --git enigmail-2:2.0.10+ds1-1/configure.ac enigmail-2:2.0.11+ds1-2/configure.ac
index 4db7ecc57..e64eff0c1 100644
--- enigmail-2:2.0.10+ds1-1/configure.ac
+++ enigmail-2:2.0.11+ds1-2/configure.ac
@@ -2,7 +2,7 @@
 AC_PREREQ(2.61)
 min_automake_version="1.10"
 
-AC_INIT([enigmail],[2.0.10], [https://www.enigmail.net])
+AC_INIT([enigmail],[2.0.11], [https://www.enigmail.net])
 
 
 AC_PATH_PROG(PYTHON, "python2")
diff --git enigmail-2:2.0.10+ds1-1/debian/changelog enigmail-2:2.0.11+ds1-2/debian/changelog
index 5baba4f74..234181b12 100644
--- enigmail-2:2.0.10+ds1-1/debian/changelog
+++ enigmail-2:2.0.11+ds1-2/debian/changelog
@@ -1,3 +1,17 @@
+enigmail (2:2.0.11+ds1-2) unstable; urgency=medium
+
+  * minimize legacy-display protected headers for encrypted mails
+
+ -- Daniel Kahn Gillmor   Thu, 30 May 2019 15:40:57 -0400
+
+enigmail (2:2.0.11+ds1-1) unstable; urgency=medium
+
+  * new upstream release
+  * refresh patches
+  * use the older import-show with --dry-run instead of show-only
+
+ -- Daniel Kahn Gillmor   Thu, 23 May 2019 17:06:35 -0400
+
 enigmail (2:2.0.10+ds1-1) unstable; urgency=medium
 
   * new upstream release
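Review bot: neither new changelog entry mentions the CVE-2019-12269 fix or closes #929363, although the cover letter gives that fix as the main reason for the unblock; add it to the 2:2.0.11+ds1-1 entry, e.g. `* new upstream release, includes fix for CVE-2019-12269 (Closes: #929363)`, so the security fix is traceable from the package history and the BTS closes the bug automatically.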
diff --git enigmail-2:2.0.10+ds1-1/debian/patches/0005-avoid-OpenPGP.js-during-key-file-import.patch enigmail-2:2.0.11+ds1-2/debian/patches/0005-avoid-OpenPGP.js-during-key-file-import.patch
index 4496a5ce1..a52cf709a 100644
--- enigmail-2:2.0.10+ds1-1/debian/patches/0005-avoid-OpenPGP.js-during-key-file-import.patch
+++ enigmail-2:2.0.11+ds1-2/debian/patches/0005-avoid-OpenPGP.js-during-key-file-import.patch
@@ -7,15 +7,18 @@ contingent on GnuPG's mechanisms for reporting standalone revocation
 certs:
 
 https://dev.gnupg.org/T4018
+
+This means we depend on a more recent version (or a patched version)
+of GnuPG than upstream enigmail does.
 ---
- package/key.jsm | 92 +++--
- 1 file changed, 57 insertions(+), 35 deletions(-)
+ package/key.jsm | 58 ++---
+ 1 file changed, 2 insertions(+), 56 deletions(-)
 
 diff --git a/package/key.jsm b/package/key.jsm
-index f7976dc..85572cc 100644
+index 0b4a0ef..565273f 100644
 --- a/package/key.jsm
 +++ b/package/key.jsm
-@@ -128,7 +128,8 @@ var EnigmailKey = {
+@@ -137,7 +137,8 @@ var EnigmailKey = {
 *  - id (key ID)
 *  - fpr
 *  - name (the UID of the key)
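Review bot: the added sentence says the patched enigmail now depends on a newer (or patched) GnuPG than upstream requires, but the debdiff as shown carries no matching change to the versioned gnupg dependency in debian/control; if the existing floor isn't already high enough, bump it in the same upload, and state the minimum GnuPG version in the patch description instead of "a more recent version".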
@@ -24,106 +27,66 @@ index f7976dc..85572cc 100644
 +   *  - revoke? (boolean, true if contains a revocation cert, undefined is the same as false)
 */
getKeyListFromKeyBlock: function(keyBlockStr, errorMsgObj, interactive = true) {
- EnigmailLog.DEBUG("key.jsm: getKeyListFromKeyBlock\n");
-@@ -148,46 +149,67 @@ var EnigmailKey = {
- 
- let keyList = [];
+ EnigmailLog.DEBUG("key.jsm: getKeyListFromKeyBlock()\n");
+@@ -150,61 +151,6 @@ var EnigmailKey = {
+ let keyList = getGpgKeyData(keyBlockStr);
  let key = {};
--for (let b of blocks) {
--  let m = EnigmailOpenPGP.openpgp.message.readArmored(b);
+ 
+-if (keyList.length === 0) {
+-  EnigmailLog.DEBUG("key.jsm: getKeyListFromKeyBlock: no data from GnuPG\n");
+-  if (keyBlockStr.search(/-BEGIN PGP (PUBLIC|PRIVATE) KEY BLOCK-/) >= 0) {
+-blocks = this.splitArmoredBlocks(keyBlockStr);
+-  } else {
+-isBinary = true;
+-blocks = [EnigmailOpenPGP.enigmailFuncs.bytesToArmor(EnigmailOpenPGP.openpgp.enums.armor.public_key, keyBlockStr)];
+-  }
 -
--  for (let i = 0; i < m.packets.length; i++) {
--let packetType = EnigmailOpenPGP.openpgp.enums.read(EnigmailOpenPGP.openpgp.enums.packet, m.packets[i].tag);
--switch (packetType) {
--  case "publicKey":
--  case "secretKey":
--key = {
--  id: m.packets[i].getKey
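Review bot: with the `keyList.length === 0` branch deleted, input that GnuPG cannot parse now yields an empty list, and the hunk is cut off before it is visible whether errorMsgObj is set on that path; make sure callers still get a usable error for unparseable input rather than a silent empty result, since the removed branch was also where non-armored input was handled (`isBinary = true` followed by bytesToArmor).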

Bug#928776: unblock: monkeysphere/0.43-3

2019-05-10 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Control: affects -1 src:monkeysphere

Please unblock package monkeysphere

monkeysphere 0.43-3 resolves a grave bug in monkeysphere, which causes
the monkeysphere-host import-key subcommand to fail in newly-installed
buster systems (#909700, merged with #928684).

The initial monkeysphere "solution" for #909700 in 0.42-1 actually just
worked around the test suite failure, and failed to fix the underlying
problem, which was a mistake.

#928684 pointed out that the standard use of monkeysphere-host
import-key on a new install of debian buster would fail.  These imported
patches from the upstream development branch solve the problem correctly
(and revert the test suite workaround, so that it is properly tested).

The debdiff is attached.

unblock monkeysphere/0.43-3

Thanks for your work on fine-tuning the debian Buster release!

--dkg

diff --git monkeysphere_0.43-2/debian/changelog monkeysphere_0.43-3/debian/changelog
index 2948c8b..f57df6d 100644
--- monkeysphere_0.43-2/debian/changelog
+++ monkeysphere_0.43-3/debian/changelog
@@ -1,3 +1,10 @@
+monkeysphere (0.43-3) unstable; urgency=medium
+
+  * fix monkeysphere-host import-key (Closes: #909700)
+  * update GnuPG dependency
+
+ -- Daniel Kahn Gillmor   Fri, 10 May 2019 16:55:04 -0400
+
 monkeysphere (0.43-2) unstable; urgency=medium
 
   * Autopkgtest should cover Ed25519 as well
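Review bot: "update GnuPG dependency" doesn't say why; record the reason from patch 0005 (the --quick-* interface that stabilised in GnuPG 2.1.17) and note that the tests/basic workaround from the earlier #909700 "fix" is reverted, so a release-team reader gets the whole story from the changelog without opening the patches.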
diff --git monkeysphere_0.43-2/debian/control monkeysphere_0.43-3/debian/control
index 120cca6..6db41c0 100644
--- monkeysphere_0.43-2/debian/control
+++ monkeysphere_0.43-3/debian/control
@@ -11,7 +11,7 @@ Build-Depends:
  cpio,
  debhelper-compat (= 12),
  dpkg-dev (>= 1.17.14),
- gnupg (>= 2.1.11) ,
+ gnupg (>= 2.1.17) ,
  gnupg-agent ,
  libassuan-dev,
  libcrypt-openssl-rsa-perl ,
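Review bot: `gnupg (>= 2.1.17) ,` and `gnupg-agent ,` have a space before the comma where the archive rendering appears to have dropped something (a build profile in angle brackets would render exactly like this); worth a glance in the real debdiff to confirm the profile restriction survived the edit.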
@@ -31,7 +31,7 @@ Package: monkeysphere
 Architecture: all
 Depends:
  adduser,
- gnupg (>= 2.1.11),
+ gnupg (>= 2.1.17),
  libcrypt-openssl-rsa-perl,
  libdigest-sha-perl,
  lockfile-progs | procmail,
diff --git monkeysphere_0.43-2/debian/patches/0004-tests-basic-ensure-functionality-with-output-of-stan.patch monkeysphere_0.43-3/debian/patches/0004-tests-basic-ensure-functionality-with-output-of-stan.patch
new file mode 100644
index 000..a8ecd8d
--- /dev/null
+++ monkeysphere_0.43-3/debian/patches/0004-tests-basic-ensure-functionality-with-output-of-stan.patch
@@ -0,0 +1,32 @@
+From: Daniel Kahn Gillmor 
+Date: Fri, 10 May 2019 12:15:00 -0400
+Subject: tests/basic: ensure functionality with output of standard OpenSSH
+ keygen
+
+Our "fix" to https://bugs.debian.org/909700 in
+d8fc9f284fc9a128a174b16ad19e866f1c00bc27 just avoided testing the
+actual typical default output of ssh-keygen.
+
+While this was fair to do in tests/keytrans, where it is exercised on
+pem2openpgp (which is explicitly defined as only accepting PEM input),
+this is inappropriate for testing monkeysphere in general.
+
+So now, the test suite breaks again, but we need to provide a proper
+fix.
+---
+ tests/basic | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/basic b/tests/basic
+index d5c4692..72a79a6 100755
+--- a/tests/basic
 b/tests/basic
+@@ -275,7 +275,7 @@ fi
+ echo
+ echo "##"
+ echo "### import host key..."
+-ssh-keygen -m PEM -b 3072 -t rsa -N '' -f "$TEMPDIR"/ssh_host_rsa_key
++ssh-keygen -b 3072 -t rsa -N '' -f "$TEMPDIR"/ssh_host_rsa_key
+ monkeysphere-host import-key "$TEMPDIR"/ssh_host_rsa_key ssh://testhost.example
+ 
+ echo
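Review bot: this hunk only puts the failing case back (default ssh-keygen output instead of `-m PEM`); the change that actually makes `monkeysphere-host import-key` accept the default OpenSSH private-key format is not in the excerpt, and patch 0005 is about add_name/revoke_name. Confirm the series contains that fix and that the autopkgtest runs tests/basic, otherwise the revert just ships a known-failing test.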
diff --git monkeysphere_0.43-2/debian/patches/0005-Use-gpg-s-reworked-quick-interface-for-adding-revoki.patch monkeysphere_0.43-3/debian/patches/0005-Use-gpg-s-reworked-quick-interface-for-adding-revoki.patch
new file mode 100644
index 000..201d410
--- /dev/null
+++ monkeysphere_0.43-3/debian/patches/0005-Use-gpg-s-reworked-quick-interface-for-adding-revoki.patch
@@ -0,0 +1,62 @@
+From: Daniel Kahn Gillmor 
+Date: Fri, 10 May 2019 16:18:28 -0400
+Subject: Use gpg's reworked --quick-* interface for adding/revoking uids
+
+This interface stabilized in GnuPG 2.1.17, so we increase our
+versioned dependency.
+---
+ README   |  2 +-
+ src/share/mh/add_name|  5 +
+ src/share/mh/revoke_name | 10 +-
+ 3 files changed, 3 insertions(+), 14 deletions(-)
+
+diff --git a/README b/README
+index b47a9bf..33f5a0d 100644
+--- a/README
 b/README
+@@ -19,7 +19,7 @@ Dependencies
+ 
+ Monkeysphere depends on:
+ 
+- * GnuPG >= 2.1.11
++ * GnuPG >= 2.1.17
+  * Perl
+  * Perl's Crypt::OpenSSL::RSA module
+  * lockfile-progs or procmail's lockfile
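Review bot: README, Build-Depends and Depends now all say GnuPG >= 2.1.17, which is consistent; name the specific --quick-* commands the scripts now rely on in the patch description next to "2.1.17", so the floor can be re-checked against GnuPG's release notes if anyone wants to lower it later.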
+diff --git a/src/share/mh/add_name b/src/share/mh/add_name
+index f37d9df..6357284 100644
+--- a/src/share/mh/add_name
 b/src/share/mh/add_name
+@@ -50,10 +50,7 @@ else
+ fi
+ 
+ # execute edit-key script
+-if gpg_host --export-secret-

Bug#927160: stretch-pu: package publicsuffix/20190415.1030-0+deb9u1

2019-04-19 Thread Daniel Kahn Gillmor
On Wed 2019-04-17 22:00:23 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Mon, 2019-04-15 at 14:12 -0400, Daniel Kahn Gillmor wrote:
>> Please consider an update to publicsuffix in debian stretch.
>> 
>> This package reflects the state of the network, and keeping it
>> current
>> is useful for all the packages that depend on it.
>
> Please go ahead.

Thanks, I've just done the upload.

--dkg




Bug#924493: stretch-pu: package publicsuffix/20190221.0923-0+deb9u1

2019-04-15 Thread Daniel Kahn Gillmor
On Sat 2019-04-13 22:04:03 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Wed, 2019-03-13 at 11:12 -0400, Daniel Kahn Gillmor wrote:
>> Please consider an update to publicsuffix in debian stretch.
>> 
>> This package reflects the state of the network, and keeping it
>> current
>> is useful for all the packages that depend on it.
>> 
>
> Please go ahead.

Thanks, uploaded.

In the month since I made this initial request for update, more upstream
updates have come in, so I've also just now filed #927160.  If there's a
way that you'd prefer I track these updates that's different from what
I'm doing, please let me know.

Thanks for your work maintaining stretch!

 --dkg




Bug#927160: stretch-pu: package publicsuffix/20190415.1030-0+deb9u1

2019-04-15 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
Control: affects -1 src:publicsuffix

Please consider an update to publicsuffix in debian stretch.

This package reflects the state of the network, and keeping it current
is useful for all the packages that depend on it.

The debdiff from the previous version in stretch is attached.

This proposed release is also available at the
"publicsuffix_debian/20190415.1030-0+deb9u1" tag on the "debian/stretch"
branch at the git repo for publicsuffix packaging:

https://salsa.debian.org/debian/publicsuffix

Please followup on this ticket to confirm whether I should upload this
revision to stretch.



../publicsuffix_20190221.0923-0+deb9u1_20190415.1030-0+deb9u1.debdiff.gz
Description: Binary data


Bug#926817: unblock: publicsuffix/20190329.0756-1

2019-04-15 Thread Daniel Kahn Gillmor
Control: tags 926817 - moreinfo
Control: retitle 926817 unblock: publicsuffix/20190415.1030-1

unblock publicsuffix/20190415.1030-1

On Sun 2019-04-14 12:35:44 +0200, Ivo De Decker wrote:
> We don't accept debhelper compat changes during the freeze. Please do an
> upload reverting that change and update this request after that.

There are no differences between the binary package output for debhelper
11 and debhelper 12, but OK, I've reverted that change.  I've gone ahead
and updated to the latest upstream data as well.  The updated debdiff is
attached.

Thanks for your work on the release!

   --dkg

diff --git publicsuffix-20190221.0923-1/debian/changelog publicsuffix-20190415.1030-1/debian/changelog
index 818926d..80eae84 100644
--- publicsuffix-20190221.0923-1/debian/changelog
+++ publicsuffix-20190415.1030-1/debian/changelog
@@ -1,3 +1,15 @@
+publicsuffix (20190415.1030-1) unstable; urgency=medium
+
+  * new upstream version
+
+ -- Daniel Kahn Gillmor   Mon, 15 Apr 2019 13:47:04 -0400
+
+publicsuffix (20190329.0756-1) unstable; urgency=medium
+
+  * new upstream version
+
+ -- Daniel Kahn Gillmor   Wed, 03 Apr 2019 22:49:31 -0400
+
 publicsuffix (20190221.0923-1) unstable; urgency=medium
 
   * new upstream version
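Review bot: the 20190415.1030-1 entry says only "new upstream version", but this upload also reverts the debhelper compat 12 change made in 20190329.0756-1 back to `debhelper (>= 11~)`, as the release team asked; record that in the changelog, otherwise a reader of the package history sees compat 12 appear in one revision and silently vanish in the next.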
diff --git publicsuffix-20190221.0923-1/debian/control publicsuffix-20190415.1030-1/debian/control
index 683edff..e50f1e4 100644
--- publicsuffix-20190221.0923-1/debian/control
+++ publicsuffix-20190415.1030-1/debian/control
@@ -6,7 +6,7 @@ Build-Depends:
  debhelper (>= 11~),
  psl-make-dafsa,
  python3-minimal,
-Standards-Version: 4.2.1
+Standards-Version: 4.3.0
 Homepage: https://publicsuffix.org
 Vcs-Browser: https://salsa.debian.org/debian/publicsuffix
 Vcs-Git: https://salsa.debian.org/debian/publicsuffix.git
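Review bot: Standards-Version 4.2.1 -> 4.3.0 is metadata only, but it is still a change outside the data update in a freeze-time unblock; either say explicitly in the request that it required no packaging changes, or hold it until after the release.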
diff --git publicsuffix-20190221.0923-1/debian/upstream-changes.txt publicsuffix-20190415.1030-1/debian/upstream-changes.txt
index f575c27..027116e 100644
--- publicsuffix-20190221.0923-1/debian/upstream-changes.txt
+++ publicsuffix-20190415.1030-1/debian/upstream-changes.txt
@@ -1,3 +1,143 @@
+commit 033221af7f600bcfce38dcbfafe03b9a2269c4cc
+Author: İlhan Subaşı 
+Date:   Mon Apr 15 13:30:45 2019 +0300
+
+Update .TR (#741)
+
+- Add tsk.tr
+- Sort entries
+
+commit 9375b697baddb0827a5995c81bd3c75877a0b35d
+Author: Paulus Schoutsen 
+Date:   Mon Apr 15 03:15:13 2019 -0700
+
+Add Nabu Casa (#781)
+
+Nabu Casa offers Home Assistant Cloud, a cloud extension for the open source home automation platform Home Assistant. With Home Assistant Cloud, local running Home Assistant instances can be accessed via the internet and integrate with cloud-only services like Alexa and Google Assistant.
+
+To allow remote connection to Home Assistant instances, we're soon giving users the option to access their local running instance under the domain https://.ui.nabu.casa. These domains will be served by their local Home Assistant instances, not under our control. Home Assistant allows users to built extensions in both Python and JavaScript, which will allow the user to run any code under their domain. For security, cookies should not be allowed to be shared across subdomains.
+
+commit 93e545f2989a4541eb1cfdf9ed9ed9bb9e2e4ab4
+Author: Paul Cammish <30495014+pcamm...@users.noreply.github.com>
+Date:   Mon Apr 15 11:12:33 2019 +0100
+
+Added uk0.bigv.io under Bytemark Hosting (#745)
+
+uk0.bigv.io is used as a domain name for our self-service customers, and therefore hosts various customer virtual machines under the same 'public' domain name. These domains are often used for administrative control panels, and other interfaces, so cookie security at this level would be very useful.
+
+Note: This had to be excluded from #620 due to technical issues preventing the DNS verification at the time, but that issue has now been resolved.
+
+commit b1bb1c841157eada1e88840e3d813e6fb8e8b81a
+Author: Tom Whitwell 
+Date:   Mon Apr 15 11:05:52 2019 +0100
+
+Add GOV.UK PaaS client domains (#765)
+
+GOV.UK Platform as a Service is the UK Government's PaaS - these are the domains we use for client applications, ie. appname.cloudapps.digital / appname.london.cloudapps.digital.
+
+We need these domains to be in the public suffix list as each subdomain is specific to one client application: cookie isolation is required.
+
+Additionally, one of our subdomains has been flagged as phishing, which has resulted in the whole london.cloudapps.digital being flagged as dangerous. We would like an explicit distinction between independent subdomains.
+
+commit 826d762a078ae21cd8bb95fa8f38ae84bb3948e7
+Author: Rishabh 
+Date:   Fri Mar 29 00:56:08 2019 -0700
+
+Add discourse.group for Civilized Discourse Construction Kit, Inc. (#768)
+
+At Discourse (Civilized Discourse Construction Kit, Inc.), we host free
+discussion forums for open source organizations under the `discourse.group` domain.
+https://blog.discourse.o

Bug#926882: unblock: pymilter/1.0.3-3

2019-04-11 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Control: affects -1 src:pymilter

Please unblock package pymilter

pymilter 1.0.3-3 resolves an important bug that causes python3-milter to
fail under a common simple use case (#922733).

The debdiff is attached.

unblock pymilter/1.0.3-3

Thanks for your work on making Buster awesome!

  --dkg

diff --git pymilter-1.0.3-2/debian/changelog pymilter-1.0.3-3/debian/changelog
index 5afa05c..0161d90 100644
--- pymilter-1.0.3-2/debian/changelog
+++ pymilter-1.0.3-3/debian/changelog
@@ -1,3 +1,10 @@
+pymilter (1.0.3-3) unstable; urgency=medium
+
+  * Avoid crashes in Milter.utils.parseaddr (Closes: #922733)
+  * add myself to uploaders
+
+ -- Daniel Kahn Gillmor   Tue, 19 Feb 2019 18:35:31 -0500
+
 pymilter (1.0.3-2) unstable; urgency=medium
 
   * Add preprocessor defines for kfreebsd and hurd
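Review bot: "Avoid crashes in Milter.utils.parseaddr" understates it: per patch 0002 the failure is an AttributeError on every call under python3, i.e. python3-milter's parseaddr never worked. Say "python3:" in the entry, and consider having the python3 autopkgtest call parseaddr so this class of regression is caught next time.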
diff --git pymilter-1.0.3-2/debian/control pymilter-1.0.3-3/debian/control
index 016bea6..98901b4 100644
--- pymilter-1.0.3-2/debian/control
+++ pymilter-1.0.3-3/debian/control
@@ -2,7 +2,8 @@ Source: pymilter
 Section: python
 Priority: optional
 Maintainer: Scott Kitterman 
-Uploaders: Debian Python Modules Team 
+Uploaders: Debian Python Modules Team ,
+ Daniel Kahn Gillmor ,
 Build-Depends: debhelper (>= 9), dh-python, python-all-dev (>= 2.6.5-2~), python3-all-dev, libmilter-dev
 Build-Depends-Indep: doxygen
 Standards-Version: 4.3.0
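Review bot: Uploaders now ends with a trailing comma after the last entry; make sure the tooling you run (dpkg-source, lintian) accepts that, and note in the unblock request that the uploader addition is the only non-bugfix change in this otherwise minimal upload.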
diff --git pymilter-1.0.3-2/debian/patches/0002-utils-import-email.utils.patch pymilter-1.0.3-3/debian/patches/0002-utils-import-email.utils.patch
new file mode 100644
index 000..ee90a3e
--- /dev/null
+++ pymilter-1.0.3-3/debian/patches/0002-utils-import-email.utils.patch
@@ -0,0 +1,25 @@
+From: Daniel Kahn Gillmor 
+Date: Tue, 19 Feb 2019 18:20:18 -0500
+Subject: utils: import email.utils
+
+Without this patch, Milter.utils.parseaddr() fails with:
+
+  File "/usr/lib/python3/dist-packages/Milter/utils.py", line 139, in parseaddr
+res = email.utils.parseaddr(t)
+AttributeError: module 'email' has no attribute 'utils'
+---
+ Milter/utils.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Milter/utils.py b/Milter/utils.py
+index 2ed5db8..85fd635 100644
+--- a/Milter/utils.py
 b/Milter/utils.py
+@@ -8,6 +8,7 @@ import socket
+ import email.errors
+ from email.header import decode_header
+ import email.base64mime
++import email.utils
+ from fnmatch import fnmatchcase
+ from binascii import a2b_base64
+ 
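Review bot: right fix. Python 3 does not load submodules implicitly, so the `import email.errors` / `from email.header import ...` / `import email.base64mime` lines above never guaranteed that `email.utils` was bound, and the code only worked when something else happened to import it. Add a small regression test that calls Milter.utils.parseaddr from python3, since the traceback in the description shows this path had no coverage.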
diff --git pymilter-1.0.3-2/debian/patches/series pymilter-1.0.3-3/debian/patches/series
index 44e9f8c..de96083 100644
--- pymilter-1.0.3-2/debian/patches/series
+++ pymilter-1.0.3-3/debian/patches/series
@@ -1 +1,2 @@
 hurd_kfreebsd.patch
+0002-utils-import-email.utils.patch




Bug#926817: unblock: publicsuffix/20190329.0756-1

2019-04-10 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Control: affects -1 src:publicsuffix

Please unblock package publicsuffix

The publicsuffix package contains up-to-date descriptions of the network
environment.  In addition to capturing the most recent state of the
DNS's public cutpoints, this update marks the correct level of debian
policy compliance (4.3.0) and moves to debhelper compat level 12 (no
changes to the generated tarball resulted from this shift in dh compat
level).

Buster should start off with an accurate state of the public network.

The debdiff is attached.

unblock publicsuffix/20190329.0756-1

Thanks for your work on Buster!

--dkg

diff --git publicsuffix-20190221.0923-1/debian/changelog publicsuffix-20190329.0756-1/debian/changelog
index 818926d..6a336fc 100644
--- publicsuffix-20190221.0923-1/debian/changelog
+++ publicsuffix-20190329.0756-1/debian/changelog
@@ -1,3 +1,9 @@
+publicsuffix (20190329.0756-1) unstable; urgency=medium
+
+  * new upstream version
+
+ -- Daniel Kahn Gillmor   Wed, 03 Apr 2019 22:49:31 -0400
+
 publicsuffix (20190221.0923-1) unstable; urgency=medium
 
   * new upstream version
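Review bot: "new upstream version" hides two packaging changes in the same upload, the move to `debhelper-compat (= 12)` and the Standards-Version bump; both belong in the changelog entry so that the diff against the previous revision is explained by its own history.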
diff --git publicsuffix-20190221.0923-1/debian/compat publicsuffix-20190329.0756-1/debian/compat
deleted file mode 100644
index b4de394..000
--- publicsuffix-20190221.0923-1/debian/compat
+++ /dev/null
@@ -1 +0,0 @@
-11
diff --git publicsuffix-20190221.0923-1/debian/control publicsuffix-20190329.0756-1/debian/control
index 683edff..f9f9dbe 100644
--- publicsuffix-20190221.0923-1/debian/control
+++ publicsuffix-20190329.0756-1/debian/control
@@ -3,10 +3,10 @@ Section: net
 Priority: optional
 Maintainer: Daniel Kahn Gillmor 
 Build-Depends:
- debhelper (>= 11~),
+ debhelper-compat (= 12),
  psl-make-dafsa,
  python3-minimal,
-Standards-Version: 4.2.1
+Standards-Version: 4.3.0
 Homepage: https://publicsuffix.org
 Vcs-Browser: https://salsa.debian.org/debian/publicsuffix
 Vcs-Git: https://salsa.debian.org/debian/publicsuffix.git
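Review bot: `debhelper-compat (= 12)` together with the deleted debian/compat is exactly the kind of change the release team declines during a freeze (as their reply on this bug says), and the request itself states it produces no change in the built package; keep it for a post-release upload and limit the unblock to the data update.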
diff --git publicsuffix-20190221.0923-1/debian/upstream-changes.txt publicsuffix-20190329.0756-1/debian/upstream-changes.txt
index f575c27..b85f949 100644
--- publicsuffix-20190221.0923-1/debian/upstream-changes.txt
+++ publicsuffix-20190329.0756-1/debian/upstream-changes.txt
@@ -1,3 +1,102 @@
+commit 826d762a078ae21cd8bb95fa8f38ae84bb3948e7
+Author: Rishabh 
+Date:   Fri Mar 29 00:56:08 2019 -0700
+
+Add discourse.group for Civilized Discourse Construction Kit, Inc. (#768)
+
+At Discourse (Civilized Discourse Construction Kit, Inc.), we host free
+discussion forums for open source organizations under the `discourse.group` domain.
+https://blog.discourse.org/2018/11/free-hosting-for-open-source-v2/
+
+Therefore, each subdomain of discourse.group should be treated as a distinct domain.
+Website: https://www.discourse.org/
+
+As we host multiple forums under the discourse.group domain we'd like to add it to the PSL to:
+
+1. Ensure that each subdomain of discourse.group is treated as a distinct domain.
+2. Adding cookie security.
+
+commit 1def5910a0c1db384691adf55f769de191b4f2b7
+Author: Vincent Fiduccia 
+Date:   Fri Mar 29 00:53:18 2019 -0700
+
+Add on-rancher.cloud and on-rio.io (#779)
+
+We are adding a feature to automatically provide each user cluster with a ..on-rancher.cloud (and on-rio.io) DNS entry, so each user-id is a mutually untrusting third-party that should not be able to set cookies readable by each other. We also plan to provide Let's Encrypt wildcard certs for each user-id.
+
+commit 2b92a7f2c9c91f1141faea73d3ec2d429da18698
+Author: Boris Rybalkin 
+Date:   Fri Mar 29 07:49:12 2019 +
+
+Syncloud dynamic dns service (#727)
+
+Syncloud DDNS server (syncloud.it) hosts user's DNS records and also has its own site at syncloud.it.
+So In practice allthesebelong todifferent people:
+user1.syncloud.it
+user2.syncloud.it
+www.syncloud.it
+
+Also any incorrectly set cookie sharing across all three is not safe as different users can run anything under *.[user].syncloud.it
+
+commit e2e4e03ff8cba26140f973a8b64a24891d1789b9
+Author: Jennifer Herting 
+Date:   Thu Mar 28 13:38:33 2019 -0400
+
+Add git-pages.rit.edu (#690)
+
+Proper handling of the namespace by browsers.
+Prevention of cookie based attacks among others. Sites hosted under this namespace will be controlled by any number of students, staff, faculty, etc.
+
+commit a4ebab27463e90f80d3ab99220af90211299d7e1
+Author: Jake Riesterer 
+Date:   Thu Mar 28 12:36:52 2019 -0500
+
+Add workers.dev (#772)
+
+Cloudflare customers will given a subdomain of workers.dev to which they can deploy their serverless applications. Because subdomains are each controlled by different customers, they should be treated as separate domains for cookie purposes.
+
+commit f2f5143bc727d695f41195fe0300ff2133a79953
+Aut
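The justification repeated in these PSL submissions (each subdomain of discourse.group, workers.dev, syncloud.it and so on belongs to a different, mutually untrusting party) is what the list enforces in a browser's cookie jar. The following is an added example written for this page, not code from the publicsuffix package or from publicsuffix.org: a minimal implementation of the publicsuffix.org matching algorithm (exception rules win, otherwise the longest matching rule, otherwise the implicit `*` rule), a registrable-domain lookup, and the Set-Cookie Domain check a browser performs with it. PSL_EXCERPT is a constructed excerpt in the list's own syntax, not the real list, and the hostnames are made up; real use needs the full list this package ships.

```python
# Added example: the publicsuffix.org matching algorithm and the cookie-Domain check built on it.
# Not code from the publicsuffix package. PSL_EXCERPT is a constructed excerpt, not the real list.

PSL_EXCERPT = """
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
*.ck
!www.ck
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
// entries of the kind added in this upload: every subdomain is a different customer
discourse.group
workers.dev
// ===END PRIVATE DOMAINS===
"""


def parse_psl(text):
    """One rule per line; '//' starts a comment and anything after whitespace is ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        rules.append(line.split()[0].lower())
    return rules


def _labels(name):
    return name.lower().rstrip(".").split(".")


def _rule_matches(rule_labels, domain_labels):
    """A rule matches when its labels equal the domain's trailing labels; '*' matches exactly one label."""
    if len(rule_labels) > len(domain_labels):
        return False
    return all(r == "*" or r == d for r, d in zip(reversed(rule_labels), reversed(domain_labels)))


def public_suffix(domain, rules):
    """Public suffix per publicsuffix.org: an exception rule wins, else the longest match, else '*'."""
    labels = _labels(domain)
    matches = []
    for rule in rules:
        exception = rule.startswith("!")
        rl = rule.lstrip("!").split(".")
        if _rule_matches(rl, labels):
            matches.append((exception, rl))
    if not matches:
        exception, rl = False, ["*"]
    else:
        exceptions = [m for m in matches if m[0]]
        exception, rl = exceptions[0] if exceptions else max(matches, key=lambda m: len(m[1]))
    if exception:
        rl = rl[1:]  # an exception's public suffix is the rule minus its leftmost label
    return ".".join(labels[len(labels) - len(rl):])


def registrable_domain(domain, rules):
    """Public suffix plus one label, or None when the domain is itself a public suffix."""
    labels = _labels(domain)
    n = len(public_suffix(domain, rules).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[len(labels) - n - 1:])


def cookie_domain_allowed(request_host, cookie_domain, rules):
    """Browser handling of a Set-Cookie Domain attribute (RFC 6265 section 5.3 plus the PSL rule):
    it must domain-match the request host and must not itself be a public suffix, otherwise one
    tenant could set a cookie that every sibling tenant's site receives."""
    host = _labels(request_host)
    cd = _labels(cookie_domain.lstrip("."))
    if host != cd and host[-len(cd):] != cd:
        return False
    return public_suffix(".".join(cd), rules) != ".".join(cd)


if __name__ == "__main__":
    rules = parse_psl(PSL_EXCERPT)
    for host, cd in [("forum.user1.discourse.group", "discourse.group"),
                     ("forum.user1.discourse.group", "user1.discourse.group"),
                     ("foo.bar.ck", "bar.ck"), ("www.ck", "ck")]:
        print(host, "->", registrable_domain(host, rules),
              "| Domain=" + cd, "allowed:", cookie_domain_allowed(host, cd, rules))
```

Dropping `discourse.group` from the rules (the state of an old list) makes `Domain=discourse.group` acceptable to the same check, which is precisely the cookie-sharing problem the upstream commit messages describe; the list entry, not any browser logic, is what closes it.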

Bug#924493: stretch-pu: package publicsuffix/20190221.0923-0+deb9u1

2019-04-03 Thread Daniel Kahn Gillmor
On Tue 2019-03-26 10:21:12 +0100, Daniel Kahn Gillmor wrote:
> On Wed 2019-03-13 11:12:26 -0400, Daniel Kahn Gillmor wrote:
>> Package: release.debian.org
>> Severity: normal
>> Tags: stretch
>> User: release.debian@packages.debian.org
>> Usertags: pu
>> Control: affects -1 src:publicsuffix
>>
>> Please consider an update to publicsuffix in debian stretch.
>
> Ping!
>
> If 20190221.0923-0+deb9u1 of publicsuffix could make it into stretch, we
> could close https://bugs.debian.org/879008, a concern from a user that
> they're not getting frequent enough updates about the state of the known
> publicly-registerable DNS suffixes.

Here's another weekly ping on this issue.  I'd really like to be able to
keep the PSL more up-to-date than it has been in stretch.

 --dkg



Bug#925351: stretch-pu: package dns-root-data/2019031302~deb9u1

2019-03-31 Thread Daniel Kahn Gillmor
On Sun 2019-03-31 20:07:06 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Sat, 2019-03-23 at 16:04 +0100, Daniel Kahn Gillmor wrote:
>> Please consider an update to dns-root-data in debian stretch.
>
> +dns-root-data (2019031302~deb9u1) stretch; urgency=medium
> +
> +  * Rebuild for stretch-backports.
>
> *cough* :-)

D'oh!  That's embarrassing.

> With that fixed, please go ahead.

Uploaded, thanks for the review!

--dkg



Bug#924493: stretch-pu: package publicsuffix/20190221.0923-0+deb9u1

2019-03-26 Thread Daniel Kahn Gillmor
On Wed 2019-03-13 11:12:26 -0400, Daniel Kahn Gillmor wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian@packages.debian.org
> Usertags: pu
> Control: affects -1 src:publicsuffix
>
> Please consider an update to publicsuffix in debian stretch.

Ping!

If 20190221.0923-0+deb9u1 of publicsuffix could make it into stretch, we
could close https://bugs.debian.org/879008, a concern from a user that
they're not getting frequent enough updates about the state of the known
publicly-registerable DNS suffixes.

Thanks for your work on keeping Debian's stable release in good shape :)

 --dkg




Bug#925376: unblock: dns-root-data/2019031302

2019-03-23 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Control: block -1 by 925374 
Control: affects -1 + src:dns-root-data

Please unblock package dns-root-data, package version 2019031302.

This closes serious bug #925374 ("dns-root-data: ships an obsolete root
zone signing key"), which notes that the older versions of dns-root-data
ship with a root key that is now expired.  This is not the absolute
worst thing, because they *also* ship with the functional, current root
key.  But it is not a good idea to leave this sort of thing lying
around, and we probably don't want to release it in buster.

The debdiff between 2018091102 and 2019031302 is attached.  It's a bit
more complex than just dropping the keys from the distributed files,
because it includes a few extra verification steps during package build,
and accounts for the validity window described in IANA's
root-anchors.xml.

The binary diff is actually much smaller :)

To properly avoid this sort of delay for future planned
rollovers/transitions, I think we need marginally more sophisticated
binary packages, which I've started a discussion on in #925349.  But
that work isn't relevant directly for the upcoming buster release.

Thanks for your work on debian buster, and sorry for the extra unblock
hassle here,

--dkg

unblock dns-root-data/2019031302

diff --git publicsuffix-2018091102/debian/changelog publicsuffix-2019031302/debian/changelog
index 68800a6..8a4a8b3 100644
--- publicsuffix-2018091102/debian/changelog
+++ publicsuffix-2019031302/debian/changelog
@@ -1,3 +1,15 @@
+dns-root-data (2019031302) unstable; urgency=medium
+
+  * cryptographically verify root.hints
+  * get_orig_source: refresh root-anchors.{xml,p7s} as well
+  * update root data to 2019031302
+  * standards-version: bump to 4.3.0 (no changes needed)
+  * parse-root-anchors.sh: account for validity windows
+  * check: deliberately skip the TTL generated by ldns-key2ds
+  * dns-root-data is Multi-Arch: foreign
+
+ -- Daniel Kahn Gillmor   Sat, 23 Mar 2019 15:33:17 +0100
+
 dns-root-data (2018091102) unstable; urgency=medium
 
   * new upstream version of root.hints, 2018091102
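Review bot: "cryptographically verify root.hints" should say what it is verified against (the registry-admin.key shipped in the source tree, per the debian/rules hunk below) so reviewers know what the check proves. Separately, the debdiff's top-level directories read `publicsuffix-2018091102/...` although this is dns-root-data, presumably a reused debdiff invocation; harmless, but regenerate it so the attachment matches the package.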
diff --git publicsuffix-2018091102/debian/control publicsuffix-2019031302/debian/control
index 940e507..7295849 100644
--- publicsuffix-2018091102/debian/control
+++ publicsuffix-2019031302/debian/control
@@ -8,11 +8,12 @@ Uploaders:
  Robert Edmonds ,
 Build-Depends:
  debhelper (>= 11~),
+ gpgv,
  ldnsutils,
  openssl,
  unbound-anchor,
  xml2,
-Standards-Version: 4.2.1
+Standards-Version: 4.3.0
 Homepage: https://data.iana.org/root-anchors/
 Vcs-Git: https://salsa.debian.org/dns-team/dns-root-data.git
 Vcs-Browser: https://salsa.debian.org/dns-team/dns-root-data
@@ -20,6 +21,7 @@ Rules-Requires-Root: no
 
 Package: dns-root-data
 Architecture: all
+Multi-Arch: foreign
 Depends:
  ${misc:Depends},
 Description: DNS root data including root zone and DNSSEC key
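Review bot: `Multi-Arch: foreign` is the right marking for an Architecture: all package that only ships data files used by resolvers of any architecture, but it is unrelated to the expired-key fix; list it in the unblock request as a no-op metadata change so it isn't mistaken for something that needs review.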
diff --git publicsuffix-2018091102/debian/rules publicsuffix-2019031302/debian/rules
index 3c46b59..5fe3d9a 100755
--- publicsuffix-2018091102/debian/rules
+++ publicsuffix-2019031302/debian/rules
@@ -14,11 +14,14 @@ override_dh_auto_build:
 	# Verify root-anchors.xml using OpenSSL
 	openssl smime -verify -noverify -inform DER -in root-anchors.p7s -content root-anchors.xml
 
+	# Verify root.hints
+	gpgv --keyring $(CURDIR)/registry-admin.key $(CURDIR)/root.hints.sig $(CURDIR)/root.hints
+
 	# Create key from validated root-anchors.xml
 	./parse-root-anchors.sh < root-anchors.xml | sort -k 4 -n > root-anchors.ds
 
 	# Create key from downloaded root.key
-	/usr/bin/ldns-key2ds -n -2 root.key | sed -e 's/\t/ /g' -e 's/ 172800//' | sort -k 4 -n > root.ds
+	/usr/bin/ldns-key2ds -n -2 root.key | cut --fields=1,3- --output-delimiter=' ' | sort -k 4 -n > root.ds
 
 	# Compare the DS from root.key and from root-anchors.xml
 	diff -u root-anchors.ds root.ds
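Review bot: `gpgv --keyring $(CURDIR)/registry-admin.key` checks root.hints against a key that lives inside the source package, so a passing build proves only that the file was signed by whoever holds that key, not that the key belongs to InterNIC; pin the expected fingerprint in debian/rules (or compare it in the check target) and document in debian/README.source where the key was obtained, otherwise a substituted registry-admin.key in some future upload passes silently. The `cut --fields=1,3-` replacement for sed'ing out the literal `172800` is an improvement, since the comparison no longer depends on the TTL value ldns-key2ds happens to emit.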
@@ -35,3 +38,7 @@ get_orig_source:
 	< $(CURDIR)/root-auto.key grep -Ev "^($$|;)" | sed -e 's/ ;;count=.*//' > $(CURDIR)/root.key
 	rm $(CURDIR)/root-auto.key
 	wget -O $(CURDIR)/root.hints "https://www.internic.net/domain/named.root;
+	wget -O $(CURDIR)/root.hints.sig "https://www.internic.net/domain/named.root.sig;
+	# get root-anchors.xml and root-anchors.p7s as well
+	wget -O $(CURDIR)/root-anchors.xml 'http://data.iana.org/root-anchors/root-anchors.xml'
+	wget -O $(CURDIR)/root-anchors.p7s 'http://data.iana.org/root-anchors/root-anchors.p7s'
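Review bot: root-anchors.xml and root-anchors.p7s are fetched over plain http:// while the two internic.net files use https://; combined with the `openssl smime -verify -noverify` call in the previous hunk, which checks the signature but skips validation of the signer's certificate, an on-path attacker could serve a substituted xml with a p7s signed by any certificate and the build would accept it. Fetch from data.iana.org over https:// and verify the signer against ICANN's pinned CA certificate (drop `-noverify` and pass `-CAfile`), so the anchors file is authenticated by more than whatever the transport happened to provide when get_orig_source ran.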
diff --git publicsuffix-2018091102/parse-root-anchors.sh publicsuffix-2019031302/parse-root-anchors.sh
index 4281534..eb1696b 100755
--- publicsuffix-2018091102/parse-root-anchors.sh
+++ publicsuffix-2019031302/parse-root-anchors.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-unset ZONE KTAG ALGO DTYPE DIGEST
+unset ZONE KTAG ALGO DTYPE DIGEST EXPIRES BEGINS
 
 export IFS="="
 xml2 | while read -r KEY VAL; do
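Review bot: `export IFS="="` on the context line only needs to influence the builtin `read -r KEY VAL` in this shell, so the export is unnecessary and leaks a non-default IFS into `xml2` and every other child process; plain `IFS="="` does the same job. The `EXPIRES BEGINS` added to the `unset` line matches the validity-window variables that the "account for validity windows" change in the rest of the script uses.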
@@ -9,14 +9,22 @@ xml2 | while read

Bug#925351: stretch-pu: package dns-root-data/2019031302~deb9u1

2019-03-23 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
Control: affects -1 src:dns-root-data

Please consider an update to dns-root-data in debian stretch.

This package reflects the state of the network, and keeping it current
is useful for all the packages that depend on it.  In particular, it
removes a DNSSEC root key that is expired.

For future DNSSEC root key rollovers, we should do something better than
a package upgrade (see https://bugs.debian.org/925349) but for now this
is the least restrictive change.

The debdiff from the previous version in stretch is attached.

This proposed release is also available at the
"debian/2019031302_deb9u1" tag on the "debian/stretch" branch at
the git repo for dns-root-data packaging:

https://salsa.debian.org/dns-team/dns-root-data

Please follow up on this ticket to confirm whether I should upload this
revision to stretch.

Thanks for helping to maintain debian's stable release!

   --dkg

diff --git publicsuffix-2017072601~deb9u1/debian/changelog publicsuffix-2019031302~deb9u1/debian/changelog
index 036aebe..660bdd3 100644
--- publicsuffix-2017072601~deb9u1/debian/changelog
+++ publicsuffix-2019031302~deb9u1/debian/changelog
@@ -1,3 +1,19 @@
+dns-root-data (2019031302~deb9u1) stretch; urgency=medium
+
+  * Rebuild for stretch-backports.
+  * d/control: move Vcs-* to salsa.debian.org
+  * d/control: use dns-root-d...@packages.debian.org as Maintainer
+  * sort generated .ds files by key tag
+  * Update root.hints to 2018013001
+  * Update order of root.key to follow output of unbound-anchor
+  * use DEP-14 branches
+  * update root data to 2019031302
+  * parse-root-anchors.sh: account for validity windows
+  * check: deliberately skip the TTL generated by ldns-key2ds
+  * add myself to uploaders
+
+ -- Daniel Kahn Gillmor   Sat, 23 Mar 2019 15:43:27 +0100
+
 dns-root-data (2017072601~deb9u1) stretch; urgency=high
 
   * Update root.hints to 2017072601 version
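Review bot: the first bullet, "Rebuild for stretch-backports.", does not describe this upload, whose distribution line is `stretch` (a proposed update, not a backport); it reads as a leftover from the backports changelog and should be dropped or reworded, since this entry is what the release team and users see in the point-release notes. The remaining bullets fold several unstable revisions into one stretch entry, which is fine for a p-u but worth stating explicitly (for example "merge packaging changes from unstable").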
diff --git publicsuffix-2017072601~deb9u1/debian/control publicsuffix-2019031302~deb9u1/debian/control
index 8413872..bd0ab25 100644
--- publicsuffix-2017072601~deb9u1/debian/control
+++ publicsuffix-2019031302~deb9u1/debian/control
@@ -1,8 +1,9 @@
 Source: dns-root-data
 Section: misc
 Priority: optional
-Maintainer: Debian DNS Maintainers 
+Maintainer: dns-root-data packagers 
 Uploaders: Ondřej Surý ,
+       Daniel Kahn Gillmor ,
 	   Robert Edmonds 
 Build-Depends: debhelper (>= 8.0.0),
 	   unbound-anchor,
@@ -11,8 +12,8 @@ Build-Depends: debhelper (>= 8.0.0),
 	   xml2
 Standards-Version: 3.9.6
 Homepage: https://data.iana.org/root-anchors/
-Vcs-Git: git://git.debian.org/pkg-dns/dns-root-data.git
-Vcs-Browser: http://git.debian.org/?p=pkg-dns/dns-root-data.git;a=summary
+Vcs-Git: https://salsa.debian.org/dns-team/dns-root-data.git -b debian/stretch
+Vcs-Browser: https://salsa.debian.org/dns-team/dns-root-data
 
 Package: dns-root-data
 Architecture: all
diff --git publicsuffix-2017072601~deb9u1/debian/gbp.conf publicsuffix-2019031302~deb9u1/debian/gbp.conf
index 3b27f6d..9453f5b 100644
--- publicsuffix-2017072601~deb9u1/debian/gbp.conf
+++ publicsuffix-2019031302~deb9u1/debian/gbp.conf
@@ -1,2 +1,2 @@
 [DEFAULT]
-debian-branch = master-stretch
+debian-branch = debian/stretch
diff --git publicsuffix-2017072601~deb9u1/debian/rules publicsuffix-2019031302~deb9u1/debian/rules
index b697fc0..453b594 100755
--- publicsuffix-2017072601~deb9u1/debian/rules
+++ publicsuffix-2019031302~deb9u1/debian/rules
@@ -15,13 +15,13 @@ override_dh_auto_build:
 	openssl smime -verify -noverify -inform DER -in root-anchors.p7s -content root-anchors.xml
 
 	# Create key from validated root-anchors.xml
-	./parse-root-anchors.sh < root-anchors.xml > root-anchors.ds
+	./parse-root-anchors.sh < root-anchors.xml | sort -k 4 -n > root-anchors.ds
 
 	# Create key from downloaded root.key
-	/usr/bin/ldns-key2ds -n -2 root.key | sed -e 's/\t/ /g' -e 's/ 172800//' > root.ds
+	/usr/bin/ldns-key2ds -n -2 root.key | cut --fields=1,3- --output-delimiter=' ' | sort -k 4 -n > root.ds
 
 	# Compare the DS from root.key and from root-anchors.xml
-	diff root-anchors.ds root.ds
+	diff -u root-anchors.ds root.ds
 
 override_dh_auto_clean:
 	rm -f root-anchors.ds root.ds
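Review bot: the `sort -k 4 -n` added to both pipelines keys on the fourth space-separated field, which after `cut --fields=1,3-` (owner, class, type, key tag, algorithm, digest type, digest) is the key tag, so the `diff -u` no longer depends on the order in which unbound-anchor and parse-root-anchors.sh list the keys; this is the changelog's "sort generated .ds files by key tag". Unlike the testing version of debian/rules shown earlier on this page, this stretch hunk adds no `gpgv` verification of root.hints, so in stretch root.hints is still shipped unverified at build time.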
diff --git publicsuffix-2017072601~deb9u1/parse-root-anchors.sh publicsuffix-2019031302~deb9u1/parse-root-anchors.sh
index 4281534..eb1696b 100755
--- publicsuffix-2017072601~deb9u1/parse-root-anchors.sh
+++ publicsuffix-2019031302~deb9u1/parse-root-anchors.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-unset ZONE KTAG ALGO DTYPE DIGEST
+unset ZONE KTAG ALGO DTYPE DIGEST EXPIRES BEGINS
 
 export IFS="="
 xml2 | while read -r KEY VAL; do
@@ -9,14 +9,22 @@ xml2 | while read -r KEY VAL; do
 	"/TrustAnchor/KeyDigest/KeyTag") KTAG="$VAL";;
 	"/TrustAnchor/KeyDigest/Algorithm") ALGO="$VAL";;
 	"/TrustAnchor/KeyDigest/D

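The check that debian/rules performs at build time (derive DS records from the downloaded root.key, derive them from the CMS-verified root-anchors.xml, and diff the two), together with the validity-window handling that the "parse-root-anchors.sh: account for validity windows" changelog entry refers to, written out as a stand-alone Python example. This is added here and is not code from the dns-root-data package; the key material, key tags, anchor ids and `source` value are constructed placeholders, and the validity dates are used only as sample windows.

```python
# Added example (not code from the dns-root-data package): the build-time
# cross-check from debian/rules (DS records derived from root.key versus DS
# records taken from root-anchors.xml, then diffed), with validity windows.
# All key material, key tags, anchor ids and dates are CONSTRUCTED samples.
import base64
import hashlib
import struct
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# RFC 4034 DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def ds_from_dnskey(flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS tuple (key_tag, algorithm, digest_type, DIGEST_HEX) for a root-zone
    DNSKEY.  RFC 4034 s5.1.4: digest = H(owner name in wire form || RDATA);
    the root name '.' is one empty label, i.e. the single byte 0x00."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGOS[digest_type](b"\x00" + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def parse_dnskey_file(text: str):
    """unbound-anchor style root.key lines ('. 172800 IN DNSKEY 257 3 8 <base64>
    ;comment') to DS tuples; text after ';' is a comment, TTL/class are skipped."""
    result = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        i = fields.index("DNSKEY")
        flags, proto, algo = (int(x) for x in fields[i + 1:i + 4])
        result.append(ds_from_dnskey(flags, proto, algo, "".join(fields[i + 4:])))
    return result


def active_anchors(xml_text: str, now: datetime):
    """DS tuples from a root-anchors.xml style document whose validFrom/validUntil
    window contains `now` (no validUntil = open-ended): expired KSKs drop out."""
    anchors = set()
    for kd in ET.fromstring(xml_text).iter("KeyDigest"):
        if now < datetime.fromisoformat(kd.get("validFrom")):
            continue
        until = kd.get("validUntil")
        if until and now >= datetime.fromisoformat(until):
            continue
        anchors.add((int(kd.findtext("KeyTag")), int(kd.findtext("Algorithm")),
                     int(kd.findtext("DigestType")), kd.findtext("Digest").upper()))
    return anchors


def check_root_key(dnskey_text: str, anchors_xml: str, now: datetime):
    """Equivalent of 'diff -u root-anchors.ds root.ds': returns (anchors missing
    from root.key, root.key entries not among the anchors); both empty = match."""
    from_key = set(parse_dnskey_file(dnskey_text))
    from_xml = active_anchors(anchors_xml, now)
    return sorted(from_xml - from_key), sorted(from_key - from_xml)


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# CONSTRUCTED sample data; 4-byte "public keys" keep the records readable.
NEW_KEY_B64 = base64.b64encode(b"\x01\x02\x03\x04").decode()  # "AQIDBA=="
OLD_KEY_B64 = base64.b64encode(b"\x05\x06\x07\x08").decode()
NEW_DS = ds_from_dnskey(257, 3, 8, NEW_KEY_B64)               # key tag 2063
OLD_DS = ds_from_dnskey(257, 3, 8, OLD_KEY_B64)               # key tag 4119

# root.key as unbound-anchor would leave it once the old KSK has been removed.
ROOT_KEY = f". 172800 IN DNSKEY 257 3 8 {NEW_KEY_B64} ;{{id = {NEW_DS[0]} (ksk)}}\n"

# root-anchors.xml lookalike: the old anchor's window closed on 2019-01-11 and
# the new one has no validUntil (sample dates borrowed from the KSK rollover).
ANCHORS_XML = f"""<TrustAnchor id="constructed-example" source="constructed">
<Zone>.</Zone>
<KeyDigest id="Kold" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
<KeyTag>{OLD_DS[0]}</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType><Digest>{OLD_DS[3]}</Digest>
</KeyDigest>
<KeyDigest id="Knew" validFrom="2017-02-02T00:00:00+00:00">
<KeyTag>{NEW_DS[0]}</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType><Digest>{NEW_DS[3]}</Digest>
</KeyDigest>
</TrustAnchor>"""
```

With real input you would pass the contents of unbound-anchor's root.key and IANA's root-anchors.xml to `check_root_key`; any non-empty list is the equivalent of the `diff -u` step failing the build. Evaluated after the old anchor's validUntil (for example on 2019-03-23) the constructed root.key above matches; evaluated while both anchors were still valid it is flagged as missing the old KSK, which is the behaviour the "removes a DNSSEC root key that is expired" change relies on. The example only checks that the two DS lists agree; the authenticity of root-anchors.xml itself still rests on the separate `openssl smime -verify` step in debian/rules.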
Bug#924872: unblock: knot-resolver/3.2.1-3

2019-03-17 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Control: block -1 by 924019
Control: affects -1 + src:knot-resolver

Please unblock package knot-resolver, package version 3.2.1-3.

knot-resolver 3.2.1-1 (in testing) ships libkres-dev, which does not
work for building other tools against libkres9 :( Upstream packaging
tries to install the development files, but they just aren't
functional (see more discussion on the RC-critical bug
https://bugs.debian.org/923970).

3.2.1-3 solves the issue by folding the .so back into the
knot-resolver binary package, and removing the libkres-dev and
libkres9 packages.

However, those packages linger on the arm64 platform, which hasn't
supported the knot-resolver binary itself for a while.  see
https://bugs.debian.org/924019 for the request to the ftp team to
remove those binary packages on that platform to avoid shipping
lingering unusable packages.  i'm marking this bug as blocked by that
one, because i believe this all needs to happen together.

In the course of package review, i discovered that the
debian/missing-sources/ file for the dygraphs javascript library was
outdated, so i've replaced it as well -- that huge difference between
3.2.1-1 and 3.2.1-3 has been filtered out of the debdiff, but feel
free to take a look at commit 0ca501d492beca924e1e5dd20314f0e5640a5102
in https://salsa.debian.org/dns-team/knot-resolver.git for the
comparison.

This update also avoids shipping an embedded copy of font file
glyphs-halfling.woff, and converts from debhelper 11 to debhelper 12
(which causes no changes in the underlying package).  And it fixes
passing CXXFLAGS to the text-string matching Aho Corasick Lua module
that it uses, further expanding the scope of automatic debian
hardening.

Thanks for your work on the debian release,

--dkg

unblock knot-resolver/3.2.1-3

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git knot-resolver-3.2.1/debian/changelog 
knot-resolver-3.2.1/debian/changelog
index 8e18a042..4af50d4e 100644
--- knot-resolver-3.2.1/debian/changelog
+++ knot-resolver-3.2.1/debian/changelog
@@ -1,3 +1,23 @@
+knot-resolver (3.2.1-3) unstable; urgency=medium
+
+  * knot-resolver-module-http is arch: all, not arch: any
+  * Explicitly list all non-arm64 architectures
+
+ -- Daniel Kahn Gillmor   Fri, 08 Mar 2019 00:56:09 
-0500
+
+knot-resolver (3.2.1-2) unstable; urgency=medium
+
+  * Standards-Version: move to 4.3.0 (no changes needed)
+  * move to debhelper 12
+  * Avoid breakage when built against knot-dns 2.8.0
+  * d/tests/control: wrap-and-sort
+  * Drop libkres9 and libkres-dev packages (Closes: #923970)
+  * avoid clobbering CXXFLAGS when compiling lua-aho-corasick
+  * missing-sources: updated dygraph-combined.js to match minified version
+  * avoid shipping pre-built glyphicons-halflings-regular.woff2
+
+ -- Daniel Kahn Gillmor   Thu, 07 Mar 2019 16:23:16 
-0500
+
 knot-resolver (3.2.1-1) unstable; urgency=medium
 
   * new upstream release (Closes: #922172)
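Review bot: the 3.2.1-3 bullet "Explicitly list all non-arm64 architectures" should reference #907729 (the bug cited in the `# actually "Architecture: any [!arm64]" via debian/rules` comment that the control hunk below removes) or the ftp removal request #924019, so a future maintainer knows why the list is hardcoded; a hardcoded architecture list also needs manual updating whenever a new architecture enters the archive, which deserves a comment next to it in debian/control.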
diff --git knot-resolver-3.2.1/debian/clean knot-resolver-3.2.1/debian/clean
index a8241244..ce17de8f 100644
--- knot-resolver-3.2.1/debian/clean
+++ knot-resolver-3.2.1/debian/clean
@@ -1,5 +1,5 @@
 doc/kresd.8
 libkres.pc
 lib/libkres.a
-lib/libkres.so.9
+lib/libkres.so.*
 test-modules/
diff --git knot-resolver-3.2.1/debian/compat knot-resolver-3.2.1/debian/compat
deleted file mode 100644
index b4de3947..
+++ /dev/null
@@ -1 +0,0 @@
-11
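Review bot: deleting debian/compat is correct only in combination with the `debhelper-compat (= 12)` build-dependency in the control hunk below, since debhelper requires the compat level to be declared exactly once (it errors when both the file and the build-dependency are present, and when neither is); the two hunks belong to the "move to debhelper 12" changelog entry and must land together.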
diff --git knot-resolver-3.2.1/debian/control knot-resolver-3.2.1/debian/control
index 4da0323a..4ed0dad4 100644
--- knot-resolver-3.2.1/debian/control
+++ knot-resolver-3.2.1/debian/control
@@ -11,7 +11,7 @@ Build-Depends-Indep:
  python3-sphinx,
  python3-sphinx-rtd-theme,
 Build-Depends:
- debhelper (>= 11~),
+ debhelper-compat (= 12),
  dns-root-data,
  gnutls-bin ,
  knot-dnsutils ,
@@ -20,6 +20,7 @@ Build-Depends:
  libgeoip-dev,
  libgnutls28-dev,
  libknot-dev (>= 2.7.2),
+ libknot-dev (<< 2.8.0),
  liblmdb-dev,
  libluajit-5.1-dev,
  libsystemd-dev (>= 227) [linux-any],
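Review bot: `libknot-dev (<< 2.8.0)` adds a hard upper bound next to the existing `(>= 2.7.2)`, so the package becomes unbuildable (and binNMUs fail) the moment knot 2.8.0 reaches unstable; the changelog's "Avoid breakage when built against knot-dns 2.8.0" should say what breaks, and the bound should be tracked by a bug or a comment in debian/control, otherwise it turns into a silent FTBFS later.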
@@ -27,23 +28,26 @@ Build-Depends:
  luajit,
  pkg-config,
  socat ,
-Standards-Version: 4.2.1
+Standards-Version: 4.3.0
 Homepage: https://www.knot-resolver.cz/
 Vcs-Browser: https://salsa.debian.org/dns-team/knot-resolver
 Vcs-Git: https://salsa.debian.org/dns-team/knot-resolver.git
 Rules-Requires-Root: no
 
 Package: knot-resolver
-# actually "Architecture: any [!arm64]" via debian/rules, see #907729
-Architecture: any
+# intended to be "Architectu

Bug#924493: stretch-pu: package publicsuffix/20190221.0923-0+deb9u1

2019-03-13 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
Control: affects -1 src:publicsuffix

Please consider an update to publicsuffix in debian stretch.

This package reflects the state of the network, and keeping it current
is useful for all the packages that depend on it.

The debdiff from the previous version in stretch is attached.

This proposed release is also available at the
"publicsuffix_debian/20190221.0923-0+deb9u1" tag on the "debian/stretch" branch at
the git repo for publicsuffix packaging:

https://salsa.debian.org/debian/publicsuffix

Please follow up on this ticket to confirm whether I should upload this
revision to stretch.



publicsuffix_20181030.1007-0+deb9u1_20190221.0923-0+deb9u1.debdiff.gz
Description: application/gzip


signature.asc
Description: PGP signature


Bug#914032: stretch-pu: package gnupg2/2.1.18-8~deb9u4

2019-02-07 Thread Daniel Kahn Gillmor
On Wed 2019-02-06 18:31:22 +0100, Cyril Brulebois wrote:
> Adam D. Barratt  (2019-02-04):
>> Subject to a d-i ack, please go ahead; sorry for the delay.
>
> All my (d-i) local tests look good, no objections.

Thanks, Adam and KiBi.  I've just uploaded 2.1.18-8~deb9u4 with the
attached debdiff (which i believe addresses the test failure that KiBi
found), and i've pushed the corresponding signed tag to the
debian/stretch branch on https://salsa.debian.org/debian/gnupg2

Please let me know if you need anything else from me to address this.

All the best,

--dkg

diff -Nru gnupg2-2.1.18/debian/changelog gnupg2-2.1.18/debian/changelog
--- gnupg2-2.1.18/debian/changelog	2018-10-05 16:43:38.0 -0400
+++ gnupg2-2.1.18/debian/changelog	2019-02-07 15:57:27.0 -0500
@@ -1,3 +1,9 @@
+gnupg2 (2.1.18-8~deb9u4) stretch; urgency=medium
+
+  * Avoid crash when importing without a TTY (Closes: #913614)
+
+ -- Daniel Kahn Gillmor   Thu, 07 Feb 2019 15:57:27 -0500
+
 gnupg2 (2.1.18-8~deb9u3) stretch; urgency=medium
 
   * block trivial access to scdaemon memory (Closes: #878952)
diff -Nru gnupg2-2.1.18/debian/patches/0094-gpg-Avoid-superfluous-sig-check-info-during-import.patch gnupg2-2.1.18/debian/patches/0094-gpg-Avoid-superfluous-sig-check-info-during-import.patch
--- gnupg2-2.1.18/debian/patches/0094-gpg-Avoid-superfluous-sig-check-info-during-import.patch	1969-12-31 19:00:00.0 -0500
+++ gnupg2-2.1.18/debian/patches/0094-gpg-Avoid-superfluous-sig-check-info-during-import.patch	2018-11-16 00:45:16.0 -0500
@@ -0,0 +1,200 @@
+From: Werner Koch 
+Date: Thu, 15 Nov 2018 18:24:56 -0500
+Subject: gpg: Avoid superfluous sig check info during import.
+
+* g10/key-check.c (print_info): New.
+(key_check_all_keysigs): Print sig checking results only in debug
+mode.  Prettify the stats info and suppress them in quiet mode.
+
+--
+
+This also makes usable stats by prefixing them with the key and the
+program name.
+
+GnuPG-bug-id: 3397
+Signed-off-by: Werner Koch 
+
+(cherry-picked/backported from upstream
+84af859e391a757877c9a1d78e35face983e6d23 by dkg)
+
+Signed-off-by: Daniel Kahn Gillmor 
+---
+ g10/keyedit.c | 133 +-
+ 1 file changed, 95 insertions(+), 38 deletions(-)
+
+diff --git a/g10/keyedit.c b/g10/keyedit.c
+index 3d6c5d4c4..bdeb251f9 100644
+--- a/g10/keyedit.c
 b/g10/keyedit.c
+@@ -329,6 +329,26 @@ print_and_check_one_sig (KBNODE keyblock, KBNODE node,
+ }
+ 
+ 
++/* Print PREFIX followed by TEXT.  With mode > 0 use log_info, with
++ * mode < 0 use ttyio, else print to stdout.  If TEXT is not NULL, it
++ * may be modified by this function.  */
++static void
++print_info (int mode, const char *prefix, char *text)
++{
++  char *p;
++
++  if (!text)
++text = "";
++  else if ((p = strchr (text,'\n')))
++*p = 0; /* Strip LF.  */
++
++   if (mode > 0)
++ log_info ("%s %s\n", prefix, text);
++   else
++ tty_fprintf (mode? NULL:es_stdout, "%s %s\n", prefix, text);
++}
++
++
+ 
+ /* Order two signatures.  The actual ordering isn't important.  Our
+goal is to ensure that identical signatures occur together.  */
+@@ -766,8 +786,9 @@ check_all_keysigs (KBNODE kb, int only_selected, int only_selfsigs)
+   has_selfsig = 1;
+   }
+ 
+-if ((n2 && n2 != last_printed_component)
+-|| (! n2 && last_printed_component != current_component))
++if (DBG_PACKET
++&& ((n2 && n2 != last_printed_component)
++|| (! n2 && last_printed_component != current_component)))
+   {
+ int is_reordered = n2 && n2 != current_component;
+ if (n2)
+@@ -779,31 +800,32 @@ check_all_keysigs (KBNODE kb, int only_selected, int only_selfsigs)
+   ;
+ else if (last_printed_component->pkt->pkttype == PKT_USER_ID)
+   {
+-tty_printf ("uid  ");
+-tty_print_utf8_string (last_printed_component
+-   ->pkt->pkt.user_id->name,
+-   last_printed_component
+-   ->pkt->pkt.user_id->len);
++log_debug ("uid  ");
++print_utf8_buffer (log_get_stream (),
++   last_printed_component
++   ->pkt->pkt.user_id->name,
++   last_printed_component
++   ->pkt->pkt.user_id->len);
++log_flush ();
+   }
+ else if (last_printed_component->pkt->pkttype
+  == PKT_PUBLIC_KEY)
+-  tty_printf ("pub 
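Review bot: the backported patch header keeps upstream's `* g10/key-check.c (print_info): New.` while the diffstat and the diff below modify `g10/keyedit.c` (`check_all_keysigs`), which is where this code lives in the 2.1.18 tree being patched; the "(cherry-picked/backported from upstream" note is the place to say that the file differs in this version, so a reader following the ChangeLog-style header is not sent looking for a file the source package lacks.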

Bug#914032: stretch-pu: package gnupg2/2.1.18-8~deb9u4

2019-02-07 Thread Daniel Kahn Gillmor
On Wed 2019-02-06 17:11:16 +0100, Cyril Brulebois wrote:
> Hi,
>
> Adam D. Barratt  (2019-02-04):
>> Control: tags -1 + confirmed d-i
>> 
>> On Sun, 2018-11-18 at 12:38 -0500, Daniel Kahn Gillmor wrote:
>> > When fixing #906545 (GnuPG rejects some malformed keys during import
>> > instead of cleaning), i inadvertently introduced #913614 (GnuPG fails
>> > to import keys when no TTY attached and --batch is not specified)
>> > into debian stable.
>> 
>> Subject to a d-i ack, please go ahead; sorry for the delay.
>
> FWIW that didn't build in my stretch sbuild chroot, due to test failures:
 […]
> | GPG=build/g10/gpg debian/tests/no-tty
> | gpg: keybox '/tmp/tmp.XD9JXRSdGU/pubring.kbx' created
> | gpg: key 79BE3E4300411886: 3 duplicate signatures removed
> | gpg: key 79BE3E4300411886: 3 signatures not checked due to missing keys
> | gpg: /tmp/tmp.XD9JXRSdGU/trustdb.gpg: trustdb created
> | gpg: key 79BE3E4300411886: public key "Linus Torvalds 
> " imported
> | gpg: failed to start agent '/usr/bin/gpg-agent': No such file or directory
> | gpg: can't connect to the agent: No such file or directory
> | gpg: Total number processed: 1
> | gpg:   imported: 1
> | gpg: no ultimately trusted keys found
> | debian/rules:71: recipe for target 'override_dh_auto_test' failed
> | make[1]: *** [override_dh_auto_test] Error 2
> | make[1]: Leaving directory '/<>'
> | debian/rules:26: recipe for target 'build' failed
> | make: *** [build] Error 2
> | dpkg-buildpackage: error: debian/rules build gave error exit status 2

Thanks for catching this, kibi.  It looks like the added test needs to
explicitly start up a gpg-agent from the build path rather than the
system environment, so i'm fixing that test now, before uploading.

   --dkg



Bug#914032: stretch-pu: package gnupg2/2.1.18-8~deb9u4

2019-01-28 Thread Daniel Kahn Gillmor
On https://bugs.debian.org/914032, Daniel Kahn Gillmor wrote:
> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: pu
> Tags: stretch
> Severity: normal
> Control: affects -1 src:gnupg2
> Control: block 913614 by -1
>
> When fixing #906545 (GnuPG rejects some malformed keys during import
> instead of cleaning), i inadvertently introduced #913614 (GnuPG fails to
> import keys when no TTY attached and --batch is not specified) into
> debian stable.

Many thanks to the stable release managers for their work done on
getting the latest stretch point release out.

Ping on this request for an updated gnupg2/2.1.18-8~deb9u4 to address
the regression #913614 -- maybe it can make it into the next point
release?

 --dkg


signature.asc
Description: PGP signature


Bug#914032: stretch-pu: package gnupg2/2.1.18-8~deb9u4

2018-11-18 Thread Daniel Kahn Gillmor
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal
Control: affects -1 src:gnupg2
Control: block 913614 by -1

When fixing #906545 (GnuPG rejects some malformed keys during import
instead of cleaning), i inadvertently introduced #913614 (GnuPG fails to
import keys when no TTY attached and --batch is not specified) into
debian stable.

This slipped through because there was no test for this particular use
case :( GnuPG upstream has stated that all automated/scripted use (the
typical situation where no TTY is present) should always specify
--batch, therefore the specific use case is considered out of scope,
despite apparently being widely used in places like docker scripts
without --batch.

The attached patch to the gnupg2 packaging in stable resolves #913614
without re-breaking #906545, and also introduces a test for the specific
use case for #913614.  The test should run both at build time and with
the autopkgtest suite.

Adrian Bunk tagged #913614 as severity serious, making it RC critical.
If we want to resolve the RC bug in debian stretch, then we need to use
something like the attached debdiff as gnupg2/2.1.18-8~deb9u4.
Alternately, if this is not RC-critical, then the bug report should have
its severity reduced.

Please let me know if you want me to go ahead with the upload, or if you
would like to see anything else addressed.  Apologies for the hassle.

Regards,

--dkg


-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru gnupg2-2.1.18/debian/changelog gnupg2-2.1.18/debian/changelog
--- gnupg2-2.1.18/debian/changelog	2018-10-05 16:43:38.0 -0400
+++ gnupg2-2.1.18/debian/changelog	2018-11-18 12:20:52.0 -0500
@@ -1,3 +1,9 @@
+gnupg2 (2.1.18-8~deb9u4) stretch; urgency=medium
+
+  * Avoid crash when importing without a TTY (closes #913614)
+
+ -- Daniel Kahn Gillmor   Sun, 18 Nov 2018 12:20:52 -0500
+
 gnupg2 (2.1.18-8~deb9u3) stretch; urgency=medium
 
   * block trivial access to scdaemon memory (Closes: #878952)
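Review bot: `(closes #913614)` is missing the colon: dpkg and the BTS only recognise the `Closes: #913614` form (the pattern requires `closes:`), so this upload would leave #913614 open and the bug would have to be closed by hand; the later 2.1.18-8~deb9u4 changelog on this page already uses `Closes: #913614`.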
diff -Nru gnupg2-2.1.18/debian/patches/0094-gpg-Avoid-superfluous-sig-check-info-during-import.patch gnupg2-2.1.18/debian/patches/0094-gpg-Avoid-superfluous-sig-check-info-during-import.patch
--- gnupg2-2.1.18/debian/patches/0094-gpg-Avoid-superfluous-sig-check-info-during-import.patch	1969-12-31 19:00:00.0 -0500
+++ gnupg2-2.1.18/debian/patches/0094-gpg-Avoid-superfluous-sig-check-info-during-import.patch	2018-11-16 00:45:16.0 -0500
@@ -0,0 +1,200 @@
+From: Werner Koch 
+Date: Thu, 15 Nov 2018 18:24:56 -0500
+Subject: gpg: Avoid superfluous sig check info during import.
+
+* g10/key-check.c (print_info): New.
+(key_check_all_keysigs): Print sig checking results only in debug
+mode.  Prettify the stats info and suppress them in quiet mode.
+
+--
+
+This also makes usable stats by prefixing them with the key and the
+program name.
+
+GnuPG-bug-id: 3397
+Signed-off-by: Werner Koch 
+
+(cherry-picked/backported from upstream
+84af859e391a757877c9a1d78e35face983e6d23 by dkg)
+
+Signed-off-by: Daniel Kahn Gillmor 
+---
+ g10/keyedit.c | 133 +-
+ 1 file changed, 95 insertions(+), 38 deletions(-)
+
+diff --git a/g10/keyedit.c b/g10/keyedit.c
+index 3d6c5d4c4..bdeb251f9 100644
+--- a/g10/keyedit.c
 b/g10/keyedit.c
+@@ -329,6 +329,26 @@ print_and_check_one_sig (KBNODE keyblock, KBNODE node,
+ }
+ 
+ 
++/* Print PREFIX followed by TEXT.  With mode > 0 use log_info, with
++ * mode < 0 use ttyio, else print to stdout.  If TEXT is not NULL, it
++ * may be modified by this function.  */
++static void
++print_info (int mode, const char *prefix, char *text)
++{
++  char *p;
++
++  if (!text)
++text = "";
++  else if ((p = strchr (text,'\n')))
++*p = 0; /* Strip LF.  */
++
++   if (mode > 0)
++ log_info ("%s %s\n", prefix, text);
++   else
++ tty_fprintf (mode? NULL:es_stdout, "%s %s\n", prefix, text);
++}
++
++
+ 
+ /* Order two signatures.  The actual ordering isn't important.  Our
+goal is to ensure that identical signatures occur together.  */
+@@ -766,8 +786,9 @@ check_all_keysigs (KBNODE kb, int only_selected, int only_selfsigs)
+   has_selfsig = 1;
+   }
+ 
+-if ((n2 && n2 != last_printed_component)
+-|| (! n2 && last_printed_component != current_component))
++if (DBG_PACKET
++&& ((n2 && n2 != last_prin
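Review bot: the new `print_info` still calls `tty_fprintf (mode? NULL:es_stdout, ...)` for every mode <= 0, and a negative mode selects the ttyio path, which is the very code that falls over when no TTY is attached and --batch is not given (#913614 in the cover text); the fix in this hunk works by moving the per-key output behind `DBG_PACKET` and `log_debug`, so the review should confirm that no caller on the import path passes a negative mode, and that the new no-TTY test exercises exactly that path.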

Bug#912194: stretch-pu: package enigmail/2.0.8-5~deb9u1

2018-10-31 Thread Daniel Kahn Gillmor
On Mon 2018-10-29 19:31:07 +, Adam D. Barratt wrote:
> Please go ahead.

this is now uploaded, and it's in stable-new.

 --dkg



Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3

2018-10-28 Thread Daniel Kahn Gillmor
On Sun 2018-10-28 21:58:55 +, Adam D. Barratt wrote:
> I don't have any objections if you want to upload already, but it won't
> get accepted into p-u from stable-new until it's had the d-i ack.

OK, it's uploaded now, in stable-new, waiting for the d-i ack.

thanks for your work on the stable release, Adam.

--dkg



Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3

2018-10-28 Thread Daniel Kahn Gillmor
On Sun 2018-10-28 10:58:17 -0400, Daniel Kahn Gillmor wrote:
> On Sat 2018-10-27 16:47:27 +0100, Adam D. Barratt wrote:
>> Are you planning on handling the enigmail upload as well? I can't see
>> an open p-u bug for it so, given the timings, would suggest that start
>> getting progressed ASAP so that we can make sure that it makes the
>> point release.
>
> I didn't want to propose the enigmail update until i knew that this
> change would go through.  I'll do that today.  Thanks!

The proposed upgrade to enigmail is #912194.  thanks!

--dkg


signature.asc
Description: PGP signature


Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3

2018-10-28 Thread Daniel Kahn Gillmor
On Sat 2018-10-27 16:47:27 +0100, Adam D. Barratt wrote:
> As it turns out, that was quite a lot of noise indeed - about 1/3 of
> the ~3300 line diff, from my visual scan-and-chop. Apologies for the
> delay, but I've finally managed to carve out a block of time to handle
> this.

apologies for the noise.  i appreciate your handling it.  It will make
any possible future cleanup/fixit work on this package much simpler.

> I know you mentioned that the changes shouldn't affect gpgv
> (particularly as used in d-i), but the udeb still means that the upload
> needs an explicit ack, so I've CCed KiBi and tagged the bug
> appropriately.

thank you!  should i go ahead with the upload to land it in proposed, or
should i wait for kibi's review+ack?

> In terms of whether the update should be pushed via stable-updates, it
> looks like we'll be freezing for the next point release in a week's
> time, so it may not be worth the extra work at this point.

understood, and that's fine with me.

> Are you planning on handling the enigmail upload as well? I can't see
> an open p-u bug for it so, given the timings, would suggest that start
> getting progressed ASAP so that we can make sure that it makes the
> point release.

I didn't want to propose the enigmail update until i knew that this
change would go through.  I'll do that today.  Thanks!

   --dkg


signature.asc
Description: PGP signature


Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3

2018-10-23 Thread Daniel Kahn Gillmor
Hi Adam--

On Tue 2018-10-23 16:18:05 +0100, Adam D. Barratt wrote:

> Sure, but that's not what I said. My distinction was between including 
> the gnupg update in the point release versus pushing it more urgently 
> via stable-updates. I never implied the updates shouldn't be released at 
> all.

thanks for the clarification, i didn't understand that distinction.  I'm
glad you're considering it at least for the point release.

> FWIW I don't recognise that characterisation. Yes, I should have 
> confirmed the Security Team's intentions at an earlier point, but I 
> don't consider that buck-passing or the situation deadlocked.

fwiw, i'd heard privately earlier from the security team that they don't
see this fix as in their bailiwick, but they hadn't responded to my
requests for comments in public on the BTS.  So the deadlock
misperception may have been due to what looked like a longer delay from
my vantage point.

I'm glad it's not deadlock!

--dkg



Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3

2018-10-23 Thread Daniel Kahn Gillmor
On Tue 2018-10-23 20:00:06 +0100, Adam D. Barratt wrote:
> From discussions elsewhere, I understand that the "raw" upstream
> enigmail - i.e. installed via upstream's addons service - is actually
> already compatible with the new Thunderbird version, and the problem
> only affects the Debian packages - is that correct? (Specifically,
> upstream includes some kind of compatibility shim, which is not shipped
> in our packages for DFSG reasons.)

the version of enigmail shipped in the mozilla add-ons has at least two
problems, both arguably DFSG-free-related, and both described in
#909000, i believe.

 0) it ships a pre-built copy of OpenPGP.js, which i have not been able
to build directly in debian due to a deep dependency mess (see #787774)

 1) by default it downloads a binary from the internet, stores it in the
user's thunderbird profile, and executes it as the user without
checking its integrity with anything beyond an HTTPS (see #891882)

Encouraging users with sensitive communication needs to install
something with either of these choices made this way is pretty
problematic.  And users who install enigmail from the add-on store will
most likely never revert to the debian packages that fix these
misfeatures :/

> Explicitly CCing KiBi is generally more effective, as -boot@ is a
> fairly busy list at times. I imagine he'll want the SRM review
> completed first, but that also depends on whether the changes actually
> impact d-i's usage, which I'm not entirely clear on - could you provide
> any insight there?

d-i's usage is limited to gpgv; the gpgv-udeb is deliberately narrowly
targeted, since all d-i needs from gpgv is (a) interpret the debian
distro public keys, and (b) verify signatures on the apt manifests.
None of the changes in this update should affect gpgv's behavior in
either of these tasks.

hope that helps to clarify,

   --dkg


signature.asc
Description: PGP signature


Bug#911244: stretch-pu: package publicsuffix/20181003.1334-0+deb9u1

2018-10-23 Thread Daniel Kahn Gillmor
On Sun 2018-10-21 11:47:51 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Wed, 2018-10-17 at 11:13 -0400, Daniel Kahn Gillmor wrote:
>> Please consider an update to publicsuffix in debian stretch.
>> 
>> This package reflects the state of the network, and keeping it
>> current
>> is useful for all the packages that depend on it.
>
> Please go ahead.

uploaded, thanks.

  --dkg



Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3

2018-10-23 Thread Daniel Kahn Gillmor
Thanks to Adam for your ongoing work on the stable releases!

I just wanted to clarify a few points here.

On Tue 2018-10-23 08:57:08 +0100, Adam D. Barratt wrote:
> An issue is that the gnupg update itself doesn't really qualify for 
> stable-updates any more than it qualifies for stable-security. The 
> changes to gnupg itself are at best security improvements, which isn't 
> justification for forcing all stretch users to install the new version 
> as a matter of urgency - indeed, if the new version of enigmail weren't 
> relying on new functionality no-one would be suggesting pushing gnupg so 
> urgently - nor, I imagine, backporting all of the mentioned features. 

I would be pushing for a stable point release for GnuPG at least for the
cryptographic defaults refresh, and the series of minor bugfixes that
resolve outstanding problems.

I brought up the idea of a cryptographic defaults refresh nearly a year
ago [0], and it's overdue (my fault).  i don't think it's responsible
for us to ship a new stable installation in 2019 that by default creates
2048-bit RSA keys that claim to be valid through 2021.

The problems with bugs like handling import of malformed keys (#906545),
for example, are bad enough to have already caused extra labor in the
form of stretch-backports maintenance to work around the fact that these
bugs are present in debian stretch.  Thanks are due to Roger Shimizu
(cc'ed) for handling that ongoing task!  Note that malformed keys are
significantly more present today than they were when stretch was
released, due to ongoing attacks on the keyserver infrastructure. :(

The fact that the upstream-supported version of enigmail that works with
the upcoming stretch version of thunderbird depends on these fixes is,
as you say, another reason to suggest inclusion in debian stretch.

> It's also going to need a d-i sign-off, because gnupg produces a udeb.

I've added debian-b...@lists.debian.org in the hopes that someone from
there can supply a d-i sign-off.

I've done my best with this series of patches to minimize disruption to
this critical part of debian stretch while still supporting the shifting
network ecosystem that depends on it.  If these changes cause any
significant disruption, please point it out to me so that i can try to
repair it.

But if debian's policies and practices don't have a way to get these
fixes to stable users who might depend on them for matters of critical
security (even if the gnupg updates are not in themselves deemed to be
critical security updates), then we're failing our stable users.

If that's the case, then either debian's policies or practices need to
change, or debian needs to get a more capable maintainer for GnuPG who
can figure out how to effectively navigate or avoid what feels like a
buck-passing deadlock between two (maybe three)
overworked/underresourced teams.  I welcome any help in that regard.

All the best,

--dkg

[0] 
https://alioth-lists.debian.net/pipermail/pkg-gnupg-maint/2017-October/006148.html




Bug#903656: publicsuffix 20180523.2326-0+deb9u1 flagged for acceptance

2018-10-17 Thread Daniel Kahn Gillmor
On Tue 2018-10-09 19:15:09 +, Adam D Barratt wrote:
> The upload referenced by this bug report has been flagged for acceptance into 
> the proposed-updates queue for Debian stretch.
>
> Thanks for your contribution!
>
> Upload details
> ==
>
> Package: publicsuffix
> Version: 20180523.2326-0+deb9u1

thanks!  since this process started, there have been more updates to the
publicsuffix list.  I've opened #911244 to track that request.

Regards,

--dkg



Bug#911244: stretch-pu: package publicsuffix/20181003.1334-0+deb9u1

2018-10-17 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
Control: affects -1 publicsuffix

Please consider an update to publicsuffix in debian stretch.

This package reflects the state of the network, and keeping it current
is useful for all the packages that depend on it.

The debdiff from the version currently in stretch-proposed-updates is
attached.

This proposed release is also available at the
"publicsuffix_debian/20181003.1334-0+deb9u1" tag on the "debian/stretch"
branch at the git repo for publicsuffix packaging:

https://salsa.debian.org/debian/publicsuffix

Please followup on this ticket to confirm whether I should upload this
revision to stretch.



publicsuffix_20180523.2326-0+deb9u1_20181003.1334-0+deb9u1.debdiff.gz
Description: application/gzip


Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3

2018-10-15 Thread Daniel Kahn Gillmor
Hi release team, security team:

over in #910398, i wrote:

On Fri 2018-10-05 17:48:10 -0500, Daniel Kahn Gillmor wrote:
> I'd like to update the version of GnuPG in debian stable with a series
> of targeted bugfixes (most of which are backported from upstream).
>
> There are four complementary reasons, which i explain in more detail
> below:
>
>  * ptrace hardening for scdaemon
>  * bugfixes that target some common workflows
>  * updating cryptographic defaults
>  * fixing enigmail in stretch
>
> All of the patches that implement these changes have been in buster
> for many months (either as upstream improvements or debian-specific
> improvements).

I'd appreciate some followup on this from the debian teams -- am i
barking up the wrong tree?  should i take a different approach?  or do i
(and the stretch users of enigmail) just need to wait a little while
longer for review?

Many thanks for your work in keeping debian stable safe, healthy, and
useful.

Regards,

--dkg

PS thanks to Georg for his testing of these changes, as noted in
#910398!




Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3

2018-10-11 Thread Daniel Kahn Gillmor
On Thu 2018-10-11 13:02:18 +, Georg Faerber wrote:
> Although I'm not using Thunderbird and Enigmail myself, I've rolled out
> this fix to a couple of friends on Monday. So far, they're pretty happy,
> no problems found.

thanks for this testing and feedback, Georg!

   --dkg



Bug#903656: stretch-pu: package publicsuffix/20180523.2326-0+deb9u1

2018-10-07 Thread Daniel Kahn Gillmor
On Sat 2018-10-06 18:13:12 +0100, Adam D. Barratt wrote:
> On Thu, 2018-07-12 at 12:27 -0400, Daniel Kahn Gillmor wrote:
>> I've tried multiple times now to attach the debdiff to this bug
>> report,
>> and it continues to be rejected as spam by bugs.debian.org with this
>> message:
>> 
>>  <903...@bugs.debian.org>: host buxtehude.debian.org[209.87.16.39] said: 550
>>  malware detected: Sanesecurity.Jurlbl.db3039.UNOFFICIAL: message rejected
>>  (in reply to end of DATA command)
>
> I'd be interested to know if that's still the case. Does changing the
> compression format help?

It appears to have been fixed, without having to change the compression format.

> Please go ahead.

done, thanks.  however, i note that since the original report, there
have been more updates on publicsuffix upstream (the state of the DNS
continues to change).  I've uploaded those changes to unstable as
20181003.1334-1, but those changes should probably also be ported to
stretch.

i'll soon submit another bug report asking for that update as well on
top of 20180523.2326-0+deb9u1, unless you want me to reuse this current
bug report.

regards,

--dkg





Bug#903656: stretch-pu: package publicsuffix/20180523.2326-0+deb9u1

2018-10-07 Thread Daniel Kahn Gillmor
On Sat 2018-10-06 18:13:12 +0100, Adam D. Barratt wrote:
> On Thu, 2018-07-12 at 12:27 -0400, Daniel Kahn Gillmor wrote:
>> I've tried multiple times now to attach the debdiff to this bug
>> report,
>> and it continues to be rejected as spam by bugs.debian.org with this
>> message:
>> 
>>  <903...@bugs.debian.org>: host buxtehude.debian.org[209.87.16.39] said: 550
>>  malware detected: Sanesecurity.Jurlbl.db3039.UNOFFICIAL: message rejected
>>  (in reply to end of DATA command)
>
> I'd be interested to know if that's still the case.

i'll try it again here.

regards,

--dkg



publicsuffix_20180218.2049-0+deb9u1_20180523.2326-0+deb9u1.debdiff.gz
Description: debdiff for #903656


Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3

2018-10-05 Thread Daniel Kahn Gillmor
Package: release.debian.org
User: release.debian@packages.debian.org
X-Debbugs-Cc: pkg-gnupg-ma...@lists.alioth.debian.org, secur...@debian.org
Usertags: pu
Tags: stretch
Severity: normal
Control: affects -1 src:gnupg2 enigmail
Control: block 909000 -1

I'd like to update the version of GnuPG in debian stable with a series
of targeted bugfixes (most of which are backported from upstream).

There are four complementary reasons, which i explain in more detail
below:

 * ptrace hardening for scdaemon
 * bugfixes that target some common workflows
 * updating cryptographic defaults
 * fixing enigmail in stretch

All of the patches that implement these changes have been in buster
for many months (either as upstream improvements or debian-specific
improvements).


Debian logistics
================

I note that this is *not* itself a security fix -- these fixes do not
address a specific vulnerability in stretch's version of GnuPG.
However, they do have security implications for stretch, because they
are needed in order to support enigmail since the thunderbird 60
upgrade.

If the release team or the security team (x-debbug-cc'ed here) would
prefer that we handle this via stretch-security instead of
stretch-proposed-updates, that's fine with me: please let me know.

I've attached a debdiff below, and the git history of these changes is
also available on the debian/stretch git branch on
https://salsa.debian.org/debian/gnupg2 (commit
f74eb5b2898ced14f910a7e4c7a28cc295dbd3cb)

The debdiff contains some minor updates to patch metadata that makes it
easier to work with git-buildpackage going forward.  I apologize for
this extra noise, but syncing up with gbp like this should make
maintenance of any future changes easier.


Justification for changes
=========================

scdaemon hardening
------------------

scdaemon currently can hold sensitive data, comparable to the data
held by gpg-agent.  gpg-agent currently blocks ptrace access to its
internal RAM.  scdaemon now also blocks ptrace. (see: #878952)

common workflow bugfixes
------------------------

 * Dirmngr currently fails on IPv6-only systems.  Enable dirmngr to
   query nameservers over IPv6. (see: #862282)

 * Malformed keys are currently rejected rather than being cleaned up.
   (some keys are malformed on the public keyservers). Clean keys
   before importing.  (see: #906545)

update cryptographic defaults
-----------------------------

A user of debian stable who creates a key today will have a default
expiration date of two years, well into 2020.  Currently in stretch,
the default asymmetric key is 2048-bit RSA.

None of the reasonable guides to cryptographic strength think that
2048-bit RSA keys should be used past 2020. (see for example ECRYPT or
NIST recommendations).

Furthermore, AES128 today is considered slightly riskier than AES256,
due in part to batch attacks and its smaller margin of safety against
quantum cryptanalysis (see for example, the Modern TLS recommendations
at https://wiki.mozilla.org/Security/Server_Side_TLS, and djb's
http://blog.cr.yp.to/20151120-batchattacks.html).

Update the cryptographic defaults to create 3072-bit RSA keys, and to
prefer AES256 over AES128 when all recipients support it.

fixing Enigmail
---------------

As Thunderbird 60 is now in stretch, enigmail is broken (see
https://bugs.debian.org/909000) :/

This can be fixed by importing the current (buster/stretch) enigmail
into stretch as well, but this updated version of enigmail depends on
bugfixes in GnuPG that are not yet in debian stretch.

Backport a series of minor bugfixes and small functionality
improvements to enable enigmail's test suite to pass cleanly.  From
debian/changelog, those are:

  * backport --no-symkey-cache
  * backport improved import and export filtering
  * backport display of revocation certificates
  * backport stripping unusable subkey material during export-minimal
  * backport fix to make --dry-run work when listing secret keys
  * backport fix showing secret keys when listing keys


Testing
=======

I've tested these changes on an x86_64 system running debian stretch.
The GnuPG test suite all passes, and an updated/backported version of
enigmail 2.0.8-5 also works on that platform.

I welcome any feedback on this!  sorry it has taken so long to produce
this series of changes.

Regards,

--dkg



gnupg2_2.1.18-8~deb9u2_2.1.18-8~deb9u3.debdiff.gz
Description: debdiff for proposed fixes for GnuPG for debian stretch

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), 
(200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via 

Bug#903656: stretch-pu: package publicsuffix/20180523.2326-0+deb9u1

2018-07-12 Thread Daniel Kahn Gillmor
On Thu 2018-07-12 11:25:58 -0400, d...@fifthhorseman.net wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian@packages.debian.org
> Usertags: pu
> Control: affects -1 publicsuffix
>
> Please consider an update to publicsuffix in debian stretch.
>
> This package reflects the state of the network, and keeping it current
> is useful for all the packages that depend on it.
>
> The debdiff from the previous version in stretch is not attached because it 
> was being rejected as spam.
>
> This proposed release is also available at the
> "publicsuffix_debian/20180523.2326-0+deb9u1" tag on the "debian/stretch"
> branch at the git repo for publicsuffix packaging:
>
> https://salsa.debian.org/debian/publicsuffix
>
> Please followup on this ticket to confirm whether I should upload this
> revision to stretch.

I've tried multiple times now to attach the debdiff to this bug report,
and it continues to be rejected as spam by bugs.debian.org with this
message:

 <903...@bugs.debian.org>: host buxtehude.debian.org[209.87.16.39] said: 550
 malware detected: Sanesecurity.Jurlbl.db3039.UNOFFICIAL: message rejected
 (in reply to end of DATA command)


Since that's failing, i'll just post it publicly on the web.  You can
retrieve the debdiff at:

  
https://dkg.fifthhorseman.net/publicsuffix_20180218.2049-0+deb9u1_20180523.2326-0+deb9u1.debdiff.gz

It has a sha256sum of:

  8cbafa1ef6fac079f3a32ba88c5fd1bb4bb43335feb4ff3e16fdfbd3df7a069f

Apologies for the inconvenience.

  --dkg




skipped autopkgtests should not influence migration times

2018-06-28 Thread Daniel Kahn Gillmor
hey debian release team and debian ci team--

Package transition times should not be affected by skipped autopkgtest
suites.

i uploaded libreswan 3.25-1 yesterday.  It has one autopkgtest that
needs machine-level isolation, which ci.debian.net currently does not
provide, afaict, so its tests are all skipped:


https://ci.debian.net/data/autopkgtest/testing/amd64/libr/libreswan/522991/log.gz

However, the autopkgtest results are being interpreted by the migration
scheduler as a PASS, reducing the number of days needed to transition by
3, instead of the usual full 5, if
https://tracker.debian.org/pkg/libreswan is to be believed.

I think this is an oversight, but it would be great to get it resolved.

If all tests are skipped by CI that should be treated the same way as if
there were no autopkgtests for a given package.

Many thanks for the work you are doing to get debian on board with more
rigorous testing, i really appreciate it!

 --dkg




Bug#889001: stretch-pu: package publicsuffix/20180218.2049-0+deb9u1

2018-02-26 Thread Daniel Kahn Gillmor
Control: retitle 889001: stretch-pu: package publicsuffix/20180218.2049-0+deb9u1

Thanks, this is now uploaded.

--dkg

PS and as luck would have it, the PSL has changed again minorly in the
meantime (to add mozilla-iot.org for the Mozilla IOT initiative
described at https://iot.mozilla.org). I'll upload the new changes to
unstable, but i do wonder what the stable release managers think should
be our cadence for packages like this.



Bug#889001: stretch-pu: package publicsuffix/20180125.0922-0+deb9u1

2018-02-23 Thread Daniel Kahn Gillmor
On Fri 2018-02-23 17:00:41 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Wed, 2018-01-31 at 23:21 -0500, d...@fifthhorseman.net wrote:
>> Please consider an update to publicsuffix in debian stretch.
>> 
>> This package reflects the state of the network, and keeping it
>> current
>> is useful for all the packages that depend on it.
>
> Please go ahead.

Since i filed this bug report, there are a handful of additional changes
made upstream, as reflected in publicsuffix 20180218.2049-1 since
20180125.0922-1:

--- a/public_suffix_list.dat
+++ b/public_suffix_list.dat
@@ -10891,6 +10891,7 @@ virtueeldomein.nl
 // Cloud66 : https://www.cloud66.com/
 // Submitted by Khash Sajadi 
 c66.me
+cloud66.ws
 
 // CloudAccess.net : https://www.cloudaccess.net/
 // Submitted by Pawel Panek 
@@ -11786,6 +11787,11 @@ git-repos.de
 lcube-server.de
 svn-repos.de
 
+// linkyard ldt: https://www.linkyard.ch/
+// Submitted by Mario Siegenthaler 
+linkyard.cloud
+linkyard-cloud.ch
+
 // LiquidNet Ltd : http://www.liquidnetlimited.com/
 // Submitted by Victor Velchev 
 we.bs
@@ -12136,6 +12142,10 @@ sandcats.io
 logoip.de
 logoip.com
 
+// schokokeks.org GbR : https://schokokeks.org/
+// Submitted by Hanno Böck 
+schokokeks.net
+
 // Scry Security : http://www.scrysec.com
 // Submitted by Shante Adam 
 scrysec.com
@@ -12316,6 +12326,10 @@ inc.hk
 // Submitted by Ed Moore 
 lib.de.us
 
+// VeryPositive SIA : http://very.lv
+// Submitted by Danko Aleksejevs 
+2038.io
+
 // Viprinet Europe GmbH : http://www.viprinet.com
 // Submitted by Simon Kissel 
 router.management
@@ -12344,6 +12358,10 @@ cistron.nl
 demon.nl
 xs4all.space
 
+// YesCourse Pty Ltd : https://yescourse.com
+// Submitted by Atul Bhouraskar 
+official.academy
+
 // Yola : https://www.yola.com/
 // Submitted by Stefano Rivera 
 yolasite.com


Would it be OK to retitle this bug report as:

stretch-pu: package publicsuffix/20180218.2049-0+deb9u1

or should i go ahead with the 20180125.0922 upload to stretch and then
immediately open another report?

--dkg




Bug#879161: jessie-pu: package dns-root-data/2017072601~deb8u2

2017-10-19 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Control: affects -1 dns-root-data
Control: blocks 877683 -1

the version of dns-root-data in jessie (2017072601~deb8u1) only ships
one entry in /usr/share/root.ds.  see https://bugs.debian.org/877683

I've cherry-picked a few changes from the master branch which
accommodate the new situation at ICANN and use a different toolchain to
produce root.ds that can handle multiple keys.  This should probably
go into jessie sooner rather than later, though we have a bit of a
reprieve since the root key rollover has been postponed for the moment.

You can see that work on the master-jessie branch at
https://anonscm.debian.org/git/pkg-dns/dns-root-data.git

I'm attaching the debdiff here as well.

--dkg

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), 
(200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru dns-root-data-2017072601~deb8u1/debian/changelog 
dns-root-data-2017072601~deb8u2/debian/changelog
--- dns-root-data-2017072601~deb8u1/debian/changelog2017-08-23 
03:09:51.0 -0400
+++ dns-root-data-2017072601~deb8u2/debian/changelog2017-10-19 
18:27:04.0 -0400
@@ -1,3 +1,15 @@
+dns-root-data (2017072601~deb8u2) jessie-updates; urgency=medium
+
+  [ Ondřej Surý ]
+  * Update IANA DNSSEC files to 2017-02-02 versions
+  * Strip the GPG verification (IANA doesn't provide it anymore)
+  * Rewrite DS creation check (Closes: #877683)
+
+  [ Daniel Kahn Gillmor ]
+  * added myself to uploaders
+
+ -- Daniel Kahn Gillmor <d...@fifthhorseman.net>  Thu, 19 Oct 2017 18:25:06 
-0400
+
 dns-root-data (2017072601~deb8u1) jessie; urgency=high
 
   * Add KSK-2017 to root.key file
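Review bot: the new stanza targets `jessie-updates` while the stanza right below it (2017072601~deb8u1) targets `jessie`; a proposed-updates upload normally carries the suite name (`jessie` or `oldstable`), so check that `jessie-updates` is really what the archive expects here. The bullet `Update IANA DNSSEC files to 2017-02-02 versions` also reads oddly under a version stamped 2017072601; if that wording was carried over from the master-branch commit, reword it to say what data this upload actually ships.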
diff -Nru dns-root-data-2017072601~deb8u1/debian/control 
dns-root-data-2017072601~deb8u2/debian/control
--- dns-root-data-2017072601~deb8u1/debian/control  2017-08-23 
03:09:51.0 -0400
+++ dns-root-data-2017072601~deb8u2/debian/control  2017-10-19 
18:19:07.0 -0400
@@ -2,13 +2,13 @@
 Section: misc
 Priority: optional
 Maintainer: Ondřej Surý <ond...@debian.org>
-Uploaders: Robert Edmonds <edmo...@debian.org>
+Uploaders: Robert Edmonds <edmo...@debian.org>,
+   Daniel Kahn Gillmor <d...@fifthhorseman.net>
 Build-Depends: debhelper (>= 8.0.0),
   unbound-anchor,
   openssl,
-  gnupg2,
-  bind9utils,
-  libxml2-utils
+  ldnsutils,
+  xml2
 Standards-Version: 3.9.5
 Homepage: https://data.iana.org/root-anchors/
 #Vcs-Git: git://git.debian.org/collab-maint/dns-root-data.git
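Review bot: `ldnsutils` and `xml2` replace `gnupg2`, `bind9utils` and `libxml2-utils`, but the consumer of `xml2`, the `parse-root-anchors.sh` script that debian/rules now calls, does not appear in the visible part of this debdiff; confirm it is in the source package, is executable, and actually uses `xml2` rather than `xmllint`, otherwise the build fails in a clean chroot.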
diff -Nru dns-root-data-2017072601~deb8u1/debian/rules 
dns-root-data-2017072601~deb8u2/debian/rules
--- dns-root-data-2017072601~deb8u1/debian/rules2017-08-23 
03:09:51.0 -0400
+++ dns-root-data-2017072601~deb8u2/debian/rules2017-10-19 
18:19:07.0 -0400
@@ -14,25 +14,11 @@
# Verify root-anchors.xml using OpenSSL
openssl smime -verify -noverify -inform DER -in root-anchors.p7s 
-content root-anchors.xml
 
-   # Verify root-anchors.xml using OpenPGP
-   mkdir -m 0700 -p $(CURDIR)/.gnupg/
-   GNUPGHOME=$(CURDIR)/.gnupg/ gpg2 --quiet --import $(CURDIR)/icann.pgp
-   echo "2FBB91BCAAEE0ABE1F8031C7D1AFBCE00F6C91D2:6:" | \
-   GNUPGHOME=$(CURDIR)/.gnupg/ gpg2 --quiet --import-ownertrust
-   GNUPGHOME=$(CURDIR)/.gnupg/ gpg2 --quiet --verify root-anchors.asc 
root-anchors.xml
-   rm -rf .gnupg/
-
# Create key from validated root-anchors.xml
-   echo \
-   "$$(xmllint --xpath '//TrustAnchor/Zone/text()' root-anchors.xml) IN 
DS" \
-   "$$(xmllint --xpath '//TrustAnchor/KeyDigest/KeyTag/text()' 
root-anchors.xml)" \
-   "$$(xmllint --xpath '//TrustAnchor/KeyDigest/Algorithm/text()' 
root-anchors.xml)" \
-   "$$(xmllint --xpath '//TrustAnchor/KeyDigest/DigestType/text()' 
root-anchors.xml)" \
-   "$$(xmllint --xpath '//TrustAnchor/KeyDigest/Digest/text()' 
root-anchors.xml)" > \
-   root-anchors.ds
+   ./parse-root-anchors.sh < root-anchors.xml > root-anchors.ds
 
# Create key from downloaded root.key
-   /usr/sbin/dnssec-dsfromkey -2 root.key > root.ds
+   /usr/bin/ldns-key2ds -n -2 root.key > root.ds
 
# Compare the DS from root.key and from root-anchors.xml
diff root-anchors.ds root.ds
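Review bot: dropping the OpenPGP check leaves `openssl smime -verify -noverify` as the only signature verification of root-anchors.xml, and `-noverify` skips validation of the signer certificate, so any certificate bundled into a substituted root-anchors.p7s would pass. The source ships icannbundle.pem (see the file header that follows), so anchor the check to it instead of `-noverify`:

    openssl smime -verify -CAfile icannbundle.pem -inform DER -in root-anchors.p7s -content root-anchors.xml

Separately, `diff root-anchors.ds root.ds` is order-sensitive, and the point of this update (#877683) is that both files may now hold several DS lines; sort both files before comparing, or make sure parse-root-anchors.sh and `ldns-key2ds` emit the keys in the same order, or the build will fail spuriously the next time a key is added.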
diff -Nru dns-root-data-2017072601~deb8u1/icannbundle.pem 
dns-root-data
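The check the rules file above performs (DS records derived from root.key with `ldns-key2ds -2`, compared with the DS values published in root-anchors.xml) is worth seeing spelled out, because the multi-key case is exactly what #877683 is about. The following is an added worked example, not code from the dns-root-data package: it derives the key tag and the SHA-256 DS record for every DNSKEY in a root.key-style file using the RFC 4034 wire formats, then compares the result against a trust-anchor set as sets rather than as a line-by-line diff. The DNSKEY data is constructed (4-byte dummy public keys, with key tags 2063 and 4119 computed by hand), not IANA's real root keys.

```python
"""Derive DS records from the DNSKEYs in a root.key-style file and compare
them against a set of trust anchors.

Added example, not dns-root-data's own code.  Formats per RFC 4034:
  DNSKEY RDATA = flags(2 bytes) | protocol(1) | algorithm(1) | public key
  DS digest    = hash(canonical owner name in wire form || DNSKEY RDATA)
  key tag      = RFC 4034 Appendix B checksum over the DNSKEY RDATA
"""
import base64
import hashlib
from typing import Iterator, List, NamedTuple, Tuple

# Constructed sample, NOT real IANA data: two root KSKs (flags 257) with
# 4-byte dummy public keys.  Key tags 2063 and 4119 were computed by hand.
SAMPLE_ROOT_KEY = """\
; constructed sample in unbound-anchor's root.key layout
.\t172800\tIN\tDNSKEY\t257 3 8 AQIDBA== ;{id = 2063 (ksk), size = 32b}
.\t172800\tIN\tDNSKEY\t257 3 8 BQYHCA== ;{id = 4119 (ksk), size = 32b}
"""

# DS digest types: 1 = SHA-1 (obsolete), 2 = SHA-256 (what "-2" selects), 4 = SHA-384
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


class DS(NamedTuple):
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str          # upper-case hex, as written in a zone file


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased, uncompressed) wire form; the root "." is a single zero byte."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("bad label %r" % label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit word sum over the RDATA, carry folded once."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskeys(text: str) -> Iterator[Tuple[str, bytes]]:
    """Yield (owner, DNSKEY RDATA) for each DNSKEY line; text after ';' is a comment."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, proto, alg = int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3])
        pubkey = base64.b64decode("".join(fields[i + 4:]))   # base64 may be split into chunks
        yield fields[0], flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> DS:
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return DS(owner.lower(), key_tag(rdata), rdata[3], digest_type, digest)


def ds_records(root_key_text: str, digest_type: int = 2) -> List[DS]:
    """The equivalent of `ldns-key2ds -n -2 root.key`, for every key in the file."""
    return [ds_from_dnskey(o, r, digest_type) for o, r in parse_dnskeys(root_key_text)]


def format_ds(ds: DS) -> str:
    return "%s IN DS %d %d %d %s" % ds


def compare_anchors(from_keys, anchors):
    """Order-independent comparison: (matched, keys lacking an anchor, anchors lacking a key).
    A textual diff of two files would report a mere reordering as a mismatch."""
    a, b = set(from_keys), set(anchors)
    return a & b, a - b, b - a


if __name__ == "__main__":
    computed = ds_records(SAMPLE_ROOT_KEY)
    for rec in computed:
        print(format_ds(rec))
    # Simulate a trust-anchor set that predates the second key (the #877683 situation)
    matched, no_anchor, no_key = compare_anchors(computed, computed[:1])
    print("matched tags:", sorted(d.key_tag for d in matched))
    print("keys without an anchor:", sorted(d.key_tag for d in no_anchor))
    print("anchors without a key:", sorted(d.key_tag for d in no_key))
```

Comparing as sets is the design choice to note: a key rollover adds a line on both sides, and whether the two tools list keys in the same order is an accident of their implementation, not something a build should depend on.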

Bug#879081: stretch-pu: package publicsuffix/20170910.1557-0+deb9u1

2017-10-19 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

publicsuffix is a data package, like tzdata and dns-root-data.

Debian stable is currently shipping publicsuffix data from March.  A
few dozen public registration domains have been added since then
(including debian.net).  It would be good for debian stable users to
know that (for example) cookies should not be shared across debian.net
subdomains, and that X.509 certificate issuance for foo.debian.net
shouldn't be treated as a demonstration of control over bar.debian.net.

The debdiff is attached.  the "stretch" branch on
https://anonscm.debian.org/git/collab-maint/publicsuffix tracks
debian packaging intended for stretch.

Please let me know if you have any questions.

   --dkg

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), 
(200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru publicsuffix-20170424.0717/debian/changelog 
publicsuffix-20170910.1557/debian/changelog
--- publicsuffix-20170424.0717/debian/changelog 2017-05-16 23:47:27.0 
-0400
+++ publicsuffix-20170910.1557/debian/changelog 2017-10-19 02:20:46.0 
-0400
@@ -1,3 +1,9 @@
+publicsuffix (20170910.1557-0+deb9u1) stable; urgency=medium
+
+  * new upstream publicsuffix data
+
+ -- Daniel Kahn Gillmor <d...@fifthhorseman.net>  Thu, 19 Oct 2017 02:20:46 
-0400
+
 publicsuffix (20170424.0717-1) unstable; urgency=medium
 
   * new upstream version
diff -Nru publicsuffix-20170424.0717/debian/gbp.conf 
publicsuffix-20170910.1557/debian/gbp.conf
--- publicsuffix-20170424.0717/debian/gbp.conf  2016-08-08 18:56:38.0 
-0400
+++ publicsuffix-20170910.1557/debian/gbp.conf  2017-10-19 02:13:42.0 
-0400
@@ -2,3 +2,4 @@
 pristine-tar = False
 upstream-tag = publicsuffix/%(version)s
 debian-tag = publicsuffix_debian/%(version)s
+debian-branch = stretch
diff -Nru publicsuffix-20170424.0717/debian/new-upstream-version 
publicsuffix-20170910.1557/debian/new-upstream-version
--- publicsuffix-20170424.0717/debian/new-upstream-version  2017-02-23 
09:41:16.0 -0500
+++ publicsuffix-20170910.1557/debian/new-upstream-version  2017-10-19 
02:13:31.0 -0400
@@ -2,21 +2,16 @@
 
 set -ex
 
-git remote update upstream
-git diff upstream..upstream/master
-read -p "changes ok to continue? [y/N] " REPLY
-[ ${REPLY,,} = y ]
+# assume that upstream/master has already been updated, since the package
+# goes into unstable first.
 date=$(date -u -d $(git log -1 --date=short --pretty=format:%cI 
upstream/master) +%Y%m%d.%H%M)
-git branch -D upstream
-git branch upstream upstream/master
-git tag "publicsuffix/${date}" upstream/master
 git merge -m "merge upstream changes to ${date}" "publicsuffix/${date}"
 git log -n30 upstream/master > debian/upstream-changes.txt
 git add debian/upstream-changes.txt
-dch --distribution unstable -v "${date}-1" 'new upstream version'
+dch --distribution stable -v "${date}-0+deb9u1" 'new upstream publicsuffix 
data'
 git add debian/changelog
 git commit -m "new upstream version ${date}"
 gbp buildpackage --git-tag --changes-option=-S
 debian/rules clean
-dupload "../publicsuffix_${date}-1_$(dpkg-architecture -q 
DEB_HOST_ARCH).changes"
-git push gdo --follow-tags master --follow-tags upstream
+dupload "../publicsuffix_${date}-0+deb9u1_$(dpkg-architecture -q 
DEB_HOST_ARCH).changes"
+git push gdo --follow-tags stretch
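Review bot: `dch --distribution stable` will stamp the wrong suite once buster is released and stretch becomes oldstable; the script is now stretch-specific anyway (it hard-codes `-0+deb9u1` and pushes the `stretch` branch), so use `--distribution stretch`. Also, the removed lines are the ones that fetched upstream and created the `publicsuffix/${date}` tag; the `git merge "publicsuffix/${date}"` that remains aborts under `set -e` when the stretch checkout has not seen that tag, so either fetch the tags here or spell out that prerequisite more precisely than the new comment does.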
diff -Nru publicsuffix-20170424.0717/debian/upstream-changes.txt 
publicsuffix-20170910.1557/debian/upstream-changes.txt
--- publicsuffix-20170424.0717/debian/upstream-changes.txt  2017-05-16 
23:47:27.0 -0400
+++ publicsuffix-20170910.1557/debian/upstream-changes.txt  2017-10-19 
02:20:46.0 -0400
@@ -1,200 +1,211 @@
-commit cabeda8651aa3ca353cecca9c6bc8ad77cd04751
-Author: Simone Carletti <wep...@weppos.net>
-Date:   Mon Apr 24 09:17:11 2017 +0200
+commit 47da4a259d9c45349fbe732debe81f590a48c9d0
+Author: Frederico A C Neves <fne...@gmail.com>
+Date:   Sun Sep 10 12:57:02 2017 -0300
 
-Formatting
+.br updated - 18 new 2nd level city domains (#507)
+
+* .br updated - 18 new 2nd level city domains
+* .pvh.br withdraw 20170818
 
-commit cae8dc77f5a6545dc6b43345ea6d6fcd517b29b9
-Author: Nikola Kotur <kotn...@gmail.com>
-Date:   Wed Apr 12 17:24:57 2017 +0200
+commit 38b238d6324042f2c2e6270459d1f4ccfe789fba
+Author: weasel <github@palfrader.org>
+Date:   Mon Aug 28 
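The cookie and certificate-scoping point made in the #879081 request above (that listing debian.net stops foo.debian.net and bar.debian.net from being treated as one site) is decided by the Public Suffix List matching algorithm. Below is an added worked example, not code from the publicsuffix package or the PSL project: it implements the rules published at https://publicsuffix.org/list/ (plain rules, `*.` wildcards, `!` exceptions and the implicit `*` default) over two constructed mini-lists that differ only in the debian.net entry, and shows the effect on registrable-domain, same-site and cookie Domain= decisions. The lists and hostnames are made up for the demonstration.

```python
"""Public Suffix List matching and the decisions that hang off it.

Added example, not the publicsuffix package's code.  Algorithm as published
at https://publicsuffix.org/list/: among all matching rules an exception
rule wins, otherwise the rule with the most labels; if nothing matches the
rule is "*"; an exception rule's public suffix drops its leftmost label.
"""
from typing import List, Optional

# Constructed mini-lists, NOT the real public_suffix_list.dat.  The real
# file also has "// ..." comment lines and blank lines, which are skipped.
PSL_BEFORE = ["// constructed sample", "com", "net", "org", "*.ck", "!www.ck"]
PSL_AFTER = PSL_BEFORE + ["debian.net"]      # the entry the request above mentions


def _labels(host: str) -> List[str]:
    return host.strip().rstrip(".").lower().split(".")


def _rule_matches(rule_labels: List[str], host_labels: List[str]) -> bool:
    """A rule matches when it is a label-wise suffix of the host; '*' matches any one label."""
    if len(rule_labels) > len(host_labels):
        return False
    tail = host_labels[-len(rule_labels):]
    return all(r == "*" or r == h for r, h in zip(rule_labels, tail))


def public_suffix(host: str, rules: List[str]) -> str:
    host_labels = _labels(host)
    best_key, best_rule = None, None
    for rule in rules:
        rule = rule.strip().lower()
        if not rule or rule.startswith("//"):
            continue
        is_exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if not _rule_matches(rule_labels, host_labels):
            continue
        key = (is_exception, len(rule_labels))      # exceptions first, then longest
        if best_key is None or key > best_key:
            best_key, best_rule = key, rule_labels
    if best_rule is None:
        best_key, best_rule = (False, 1), ["*"]      # the implicit default rule
    n = len(best_rule) - 1 if best_key[0] else len(best_rule)
    return ".".join(host_labels[-n:]) if n else ""


def registrable_domain(host: str, rules: List[str]) -> Optional[str]:
    """Public suffix plus one label; None when the host is itself a public suffix."""
    suffix = public_suffix(host, rules)
    n = suffix.count(".") + 1 if suffix else 0
    host_labels = _labels(host)
    if len(host_labels) <= n:
        return None
    return ".".join(host_labels[-(n + 1):])


def same_site(host_a: str, host_b: str, rules: List[str]) -> bool:
    """What same-site cookie logic and many CA policies key on."""
    a = registrable_domain(host_a, rules)
    return a is not None and a == registrable_domain(host_b, rules)


def cookie_domain_allowed(request_host: str, cookie_domain: str, rules: List[str]) -> bool:
    """RFC 6265-style check: the Domain attribute must domain-match the request
    host and must not be a public suffix (that would make it a supercookie)."""
    req = request_host.strip().rstrip(".").lower()
    dom = cookie_domain.strip().lstrip(".").rstrip(".").lower()
    if not (req == dom or req.endswith("." + dom)):
        return False
    return registrable_domain(dom, rules) is not None


if __name__ == "__main__":
    for rules, name in ((PSL_BEFORE, "before"), (PSL_AFTER, "after")):
        print(name, "debian.net was listed:",
              "registrable(foo.debian.net) =", registrable_domain("foo.debian.net", rules),
              "| same_site(foo, bar) =", same_site("foo.debian.net", "bar.debian.net", rules),
              "| Domain=.debian.net allowed =",
              cookie_domain_allowed("foo.debian.net", ".debian.net", rules))
```

The exception handling is the part most implementations get wrong: `!www.ck` does not make `www.ck` a public suffix, it carves `www.ck` out of the `*.ck` wildcard so that `www.ck` is a registrable domain under the suffix `ck`.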

Bug#863734: unblock: gnupg2/2.1.18-8

2017-09-25 Thread Daniel Kahn Gillmor
On Sat 2017-09-23 19:46:42 +0100, Adam D. Barratt wrote:
> On Wed, 2017-09-20 at 23:07 -0400, Daniel Kahn Gillmor wrote:
>> I've built this against a stretch system and tested it on a stretch
>> system, and it still works.
>> 
>> Please advise me whether i should make an upload.
>
> With a slightly more definite changelog stanza, please go ahead. :-)

Thanks, I've uploaded.

 --dkg



Bug#863734: unblock: gnupg2/2.1.18-8

2017-07-11 Thread Daniel Kahn Gillmor
On Sun 2017-06-25 18:39:34 -0400, Daniel Kahn Gillmor wrote:
> On Sat 2017-06-17 17:36:39 +0100, Adam D. Barratt wrote:
>> Unfortunately we ran out of time to handle this before the release, so
>> converting it to a proto-p-u request.
>
> Thanks for this conversion, Adam.  Please let me know if you need any
> feedback on it from me or anyone else on the pkg-gnupg-maint team.

ping on https://bugs.debian.org/863734 (sending gnupg2/2.1.18-8 to
stretch proposed-updates) -- please let me know if you need anything
else.

thanks for your work keeping debian healthy!

   --dkg




Bug#863734: unblock: gnupg2/2.1.18-8

2017-06-26 Thread Daniel Kahn Gillmor
On Sat 2017-06-17 17:36:39 +0100, Adam D. Barratt wrote:
> retitle 863734 stretch-pu: gnupg2
> user release.debian@packages.debian.org
> usertags 863734 = pu
> tags 863734 = stretch moreinfo
> thanks
>
> On Sat, 2017-06-03 at 15:31 +0200, Cyril Brulebois wrote:
>> Daniel Kahn Gillmor <d...@fifthhorseman.net> (2017-06-03):
>> > Ping on the unblock request for gnupg2/2.1.18-8 -- i've heard from
>> > several people that this version of the package is better for them in
>> > stretch than 2.1.18-6, and i'm getting concerned about tht timing.
>> > 
>> > sorry for the nudge,
>> > 
>> >   --dkg
>> 
>> Well I had more time during May than I have during early June to look at
>> packages with such a huge debdiff, so sorry for not being able to answer
>> in just a few days.
>
> Unfortunately we ran out of time to handle this before the release, so
> converting it to a proto-p-u request.

Thanks for this conversion, Adam.  Please let me know if you need any
feedback on it from me or anyone else on the pkg-gnupg-maint team.

Regards,

 --dkg




Bug#863734: unblock: gnupg2/2.1.18-8

2017-06-03 Thread Daniel Kahn Gillmor
Ping on the unblock request for gnupg2/2.1.18-8 -- i've heard from
several people that this version of the package is better for them in
stretch than 2.1.18-6, and i'm getting concerned about that timing.

sorry for the nudge,

  --dkg




Bug#863990: unblock: runit/2.1.2-9.2

2017-06-02 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package runit

See the discussion on #861536 -- the upload of runit 2.1.2-9.1
inadvertently left users who want to use runit as PID 1 incapable of
doing so at all without building their own package.

This resolves that problem.  Apologies for the extra noise.

unblock runit/2.1.2-9.2

-- System Information:
Debian Release: 9.0
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 
'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru runit-2.1.2/debian/changelog runit-2.1.2/debian/changelog
--- runit-2.1.2/debian/changelog2017-05-30 11:46:28.0 -0400
+++ runit-2.1.2/debian/changelog2017-05-31 12:44:38.0 -0400
@@ -1,3 +1,11 @@
+runit (2.1.2-9.2) unstable; urgency=medium
+
+  * non-maintainer upload
+  * re-add /sbin/runit{,-init} to runit package so it remains possible to
+use runit as PID 1
+
+ -- Daniel Kahn Gillmor <d...@fifthhorseman.net>  Wed, 31 May 2017 12:44:38 
-0400
+
 runit (2.1.2-9.1) unstable; urgency=medium
 
   * non-maintainer upload
diff -Nru runit-2.1.2/debian/control runit-2.1.2/debian/control
--- runit-2.1.2/debian/control  2017-05-28 15:07:36.0 -0400
+++ runit-2.1.2/debian/control  2017-05-31 12:44:38.0 -0400
@@ -6,7 +6,6 @@
 Homepage: http://smarden.org/runit/
 Build-Depends: bash-completion,
debhelper (>= 9),
-   dh-exec,
dh-systemd,
dh-runit (>= 1.6),
dh-buildinfo (>= 0.11+nmu1),
@@ -17,6 +16,8 @@
 Package: runit
 Architecture: any
 Depends: ${misc:Depends}, ${shlibs:Depends}
+Breaks: runit-init
+Replaces: runit-init
 Description: system-wide service supervision
  runit is a collection of tools to provide system-wide service supervision
  and to manage services.  Contrary to sysv init, it not only cares about
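Review bot: `Breaks: runit-init` and `Replaces: runit-init` are unversioned, which makes runit and runit-init permanently uninstallable together. That is correct only if runit-init is being dropped altogether; if a runit-init that no longer ships /sbin/runit and /sbin/runit-init is expected to remain, version both fields against the first such version, and in either case the changelog entry should say which of the two it is.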
diff -Nru runit-2.1.2/debian/rules runit-2.1.2/debian/rules
--- runit-2.1.2/debian/rules2017-05-28 15:08:57.0 -0400
+++ runit-2.1.2/debian/rules2017-05-31 12:44:38.0 -0400
@@ -9,9 +9,6 @@
 override_dh_systemd_enable:
dh_systemd_enable --name runit
 
-override_dh_installman-arch:
-   dh_installman
-
 override_dh_runit: runscripts/getty
dh_runit
 
diff -Nru runit-2.1.2/debian/runit.install runit-2.1.2/debian/runit.install
--- runit-2.1.2/debian/runit.install2017-05-28 14:51:14.0 -0400
+++ runit-2.1.2/debian/runit.install2017-05-31 12:44:38.0 -0400
@@ -8,7 +8,9 @@
 runit-*/src/chpst  /usr/bin
 runit-*/src/runsvchdir /usr/sbin
 runit-*/src/utmpset/usr/sbin
+runit-*/src/runit-init /sbin
+runit-*/src/runit  /sbin
 
 runit-*/etc/debian/1   /etc/runit
 runit-*/etc/2  /etc/runit
-runit-*/etc/debian/3   /etc/runit
\ No newline at end of file
+runit-*/etc/debian/3   /etc/runit
diff -Nru runit-2.1.2/debian/runit.manpages runit-2.1.2/debian/runit.manpages
--- runit-2.1.2/debian/runit.manpages   2017-05-28 14:51:14.0 -0400
+++ runit-2.1.2/debian/runit.manpages   2017-05-31 12:40:18.0 -0400
@@ -5,4 +5,6 @@
 runit-*/man/chpst.8
 runit-*/man/runsvchdir.8
 runit-*/man/utmpset.8
+runit-*/man/runit.8
+runit-*/man/runit-init.8
 debian/contrib/update-service.8


Bug#863734: unblock: gnupg2/2.1.18-8

2017-05-30 Thread Daniel Kahn Gillmor
On Tue 2017-05-30 22:48:20 +0200, Cyril Brulebois wrote:
> Jonathan Wiltshire <j...@debian.org> (2017-05-30):
>> Control: tag -1 moreinfo
>> 
>> On Tue, May 30, 2017 at 12:41:48PM -0400, Daniel Kahn Gillmor wrote:
>> > Please unblock package gnupg2
>> > 
>> > The gnupg2 source package 2.1.18-8 contains a significant number of
>> > useful fixes from 2.1.18-6, and should be propagated into testing.
>> 
>> Cc-ing the d-i RM for an ack.
>
> TBF I'm not thrilled by the amount of patches and the limited time before
> the release. :(

I'm also not thrilled by the amount of patches, but these are clear
bugfixes from upstream. They've been in unstable for several weeks now,
and i've avoided an unblock specifically because i wanted to hear from
people that they solve their problems and don't introduce new ones.
that seems to be the case.  :/

> ISTR we mainly use gpgv from src:gnupg2, through the gpgv-udeb package.
> Any chance you could pinpoint changesets affecting it, so that I can
> concentrate on those only?

sure thing.  Most of these don't affect gpgv.  The most relevant patches
for gpgv are these two patches from upstream which have an effect on the
use of specific file descriptors (the first catches errors in
mis-configured invocations, and the second ensures that gpgv works
cross-platform on windows):

0032-gpg-common-Make-sure-that-all-fd-given-are-valid.patch
debian/patches/0040-gpgv-w32-Fix-status-fd.patch

however, the following other patches since 2.1.18-6 all touch some
source file that contributes to the build of gpgv, though i think none
of them are relevant for gpgv generally, let alone for d-i's specific
use of gpgv -- the gpgv source is just mixed together with
GnuPG's other functionality:

0044-gpg-Make-export-options-work-with-export-secret-keys.patch
0048-gpg-Fix-attempt-to-double-free-an-UID-structure.patch
0050-gpg-Flush-stdout-before-printing-stats-with-check-si.patch
0059-gpg-Handle-critical-marked-Reason-for-Revocation.patch
0065-gpg-Fix-printing-of-offline-taken-subkey.patch
0072-g10-Minor-fixes.patch
0074-g10-invalidate-the-fd-cache-for-keyring.patch
avoid-spurious-warnings/0078-gpg-Avoid-spurious-warnings-about-trust-packets.patch
skel-file-removal/0077-g10-remove-skeleton-options-files.patch
skip-missing-signing-keys/0076-g10-Skip-signing-keys-where-no-secret-key-is-availab.patch

(for example, gpgv doesn't do export-secret-keys at all, but it does
include g10/main.h, which that 0044-*.patch does have to modify.
similarly, gpgv doesn't read config files at all, but
skel-file-removal/0077*.patch touches g10/openfile.c.)

Let me know if you have any more questions,

--dkg




Re: [pkg-gnupg-maint] Last chance for d-i changes in stretch

2017-05-30 Thread Daniel Kahn Gillmor
On Mon 2017-05-29 08:16:11 +0200, Didier 'OdyX' Raboud wrote:
> If I upload win32-loader now, it will embed gpgv-win32 2.1.18-8, no matter
> which gnupg2 version will be part of stretch. There are three alternatives,
> in decreasing order of preference:
> * get gnupg2 in testing, upload win32-loader to unstable, migrate it

I've just filed unblock request #863734, which will hopefully achieve
this result.

 --dkg




Bug#863732: unblock: runit/2.1.2-9.1

2017-05-30 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Control: affects -1 runit

Please unblock package runit

I've just uploaded 2.1.2-9.1 as an NMU, removing the runit-init
package to resolve #861536 as discussed on that bug report.  Please
unblock this upload so that we can keep the runit binary package in
stretch.

unblock runit/2.1.2-9.1

-- System Information:
Debian Release: 9.0
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 
'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru runit-2.1.2/debian/changelog runit-2.1.2/debian/changelog
--- runit-2.1.2/debian/changelog2016-10-09 06:21:59.0 -0400
+++ runit-2.1.2/debian/changelog2017-05-30 11:46:28.0 -0400
@@ -1,3 +1,10 @@
+runit (2.1.2-9.1) unstable; urgency=medium
+
+  * non-maintainer upload
+  * drop runit-init package (Closes: #861536)
+
+ -- Daniel Kahn Gillmor <d...@fifthhorseman.net>  Tue, 30 May 2017 11:46:28 
-0400
+
 runit (2.1.2-9) unstable; urgency=medium
 
   * Make runit-init depends getty-run, otherwise user can end up with
diff -Nru runit-2.1.2/debian/control runit-2.1.2/debian/control
--- runit-2.1.2/debian/control  2016-10-09 02:47:44.0 -0400
+++ runit-2.1.2/debian/control  2017-05-28 15:07:36.0 -0400
@@ -26,8 +26,8 @@
  and a log facility with automatic log file rotation and disk space limits.
  .
  runit service supervision can run under sysv init or replace the init
- system completely.  Complete init replacement provided by 'runit-init'
- package.
+ system completely.  Complete init replacement needs to be done by hand
+ (see https://bugs.debian.org/861536)
 
 Package: runit-systemd
 Architecture: all
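Review bot: the new description sentence "Complete init replacement needs to be done by hand (see https://bugs.debian.org/861536)" is missing its trailing period, and a bug URL is a poor place to send users for instructions; a short debian/README.Debian describing the manual steps would serve better, with the description pointing there.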
@@ -71,19 +71,3 @@
  .
  This package provides scripts to supervise getty processes, allowing
  local login.
-
-Package: runit-init
-Architecture: any
-Depends: runit (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}, 
getty-run
-Replaces: systemd-sysv, sysvinit (<< 2.88dsf-44~), sysvinit-core, upstart
-Conflicts: systemd-sysv, sysvinit (<< 2.88dsf-44~), sysvinit-core, upstart
-Priority: extra
-Description: system-wide service supervision (as init system)
- runit is a collection of tools to provide system-wide service supervision
- and to manage services.  Contrary to sysv init, it not only cares about
- starting and stopping services, but also supervises the service daemons
- while they are running.  Amongst other things, it provides a reliable
- interface to send signals to service daemons without the need for pid-files,
- and a log facility with automatic log file rotation and disk space limits.
- .
- This package provides /sbin/init, that boots your system and starts runit.
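Review bot: the removed stanza is the one that shipped /sbin/init (see the runit-init.install hunk below) and it has an exact-version Depends on runit, so on upgrade apt will remove runit-init from any system that actually boots with it, and its Conflicts on systemd-sysv, sysvinit-core and upstart mean no other init is guaranteed to be present. That deserves a NEWS.Debian entry, or at least a changelog line more explicit than "drop runit-init package", telling such users to install another init before upgrading.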
diff -Nru runit-2.1.2/debian/rules runit-2.1.2/debian/rules
--- runit-2.1.2/debian/rules2016-10-09 02:46:35.0 -0400
+++ runit-2.1.2/debian/rules2017-05-28 15:08:57.0 -0400
@@ -11,8 +11,6 @@
 
 override_dh_installman-arch:
dh_installman
-   mv debian/runit-init/usr/share/man/man8/runit-init.8 \
-   debian/runit-init/usr/share/man/man8/init.8
 
 override_dh_runit: runscripts/getty
dh_runit
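Review bot: after removing the mv of runit-init.8 to init.8, override_dh_installman-arch only calls a bare dh_installman, which debhelper runs by default anyway; the whole override target can be dropped.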
@@ -32,7 +30,7 @@
dh_clean
 override_dh_installchangelogs:
dh_installchangelogs
-   dh_installchangelogs -p runit -p runit-init \
+   dh_installchangelogs -p runit \
runit-$(DEB_VERSION_UPSTREAM)/package/CHANGES
 
 .PHONY: runscripts/getty
diff -Nru runit-2.1.2/debian/runit-init.install 
runit-2.1.2/debian/runit-init.install
--- runit-2.1.2/debian/runit-init.install   2016-10-09 02:58:07.0 
-0400
+++ runit-2.1.2/debian/runit-init.install   1969-12-31 19:00:00.0 
-0500
@@ -1,6 +0,0 @@
-#!/usr/bin/dh-exec
-runit-2.1.2/src/runit-init => /sbin/init
-runit-2.1.2/src/runit  /sbin
-debian/contrib/shutdown /sbin
-debian/contrib/reboot   /sbin
-debian/contrib/runlevel /sbin
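Review bot: this install file also shipped runit-2.1.2/src/runit and runit-2.1.2/src/runit-init themselves (plus the contrib shutdown, reboot and runlevel scripts), not only the /sbin/init rename; nothing else in this debdiff adds those two binaries to runit.install, so they disappear from the archive entirely even though runit.8 and runit-init.8 document them. Consider moving the runit and runit-init lines (and their manpages from the removed runit-init.manpages) into the runit package.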
diff -Nru runit-2.1.2/debian/runit-init.links 
runit-2.1.2/debian/runit-init.links
--- runit-2.1.2/debian/runit-init.links 2016-10-09 06:17:37.0 -0400
+++ runit-2.1.2/debian/runit-init.links 1969-12-31 19:00:00.0 -0500
@@ -1 +0,0 @@
-/usr/share/man/man8/shutdown.8.gz /usr/share/man/man8/reboot.8.gz
diff -Nru runit-2.1.2/debian/runit-init.manpages 
runit-2.1.2/debian/runit-init.manpages
--- runit-2.1.2/debian/runit-init.manpages  2016-10-09 06:19:28.0 
-0400
+++ runit-2.1.2/debian/runit-init.manpages  1969-12-31 19:00:00.0 
-0500
@@ -1,4 +0,0 @@
-runit-*/man/runit.8
-runit-*/man/runit-init.8
-debian/contrib/shutdown.8
-debian/contrib/runlevel.8


Bug#863559: unblock: libgnupg-interface-perl/0.52-9

2017-05-28 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libgnupg-interface-perl

libgnupg-interface-perl version 0.52-9 is an improvement for stretch
over 0.52-5 (currently in testing).  In particular, it:

 * fixes an FTBFS in some conditions (#861591)
 * allows users to supply a password via perl itself instead of
   out-of-band with gpg-agent (#845781)

This also resolves some concerns about request-tracker4 with these
updates.  rt remains stuck on gpg1 (see #845781) because of an
overly-brittle test suite, but with this revision it should be
possible to eventually migrate RT to the modern gpg suite (though note
that this unblock request is *not* asking for any changes to RT in
stretch).

Thanks for your consideration!

unblock libgnupg-interface-perl/0.52-9

-- System Information:
Debian Release: 9.0
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 
'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#863275: unblock: enigmail/2:1.9.7-2

2017-05-24 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package enigmail

enigmail 1.9.7 rolls up some minor upstream bugfixes for the enigmail
stable branch and closes #863273, which is an annoying failure mode
for one specific workflow.

Enigmail upstream has kept the stable branch quite stable -- as a
bugfix-only branch -- and tracking that stable release in what will
become debian stable seems reasonable to me.

debdiff is attached.

unblock enigmail/2:1.9.7-2

-- System Information:
Debian Release: 9.0
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 
'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#863181: unblock: debirf/0.37

2017-05-22 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package debirf

Version 0.37 contains fixes for #850080 and #833125, both of which
make debirf unusable on debian stretch.

It also includes a few smaller fixes which produce more usable and
compact debirf images.  These versions are currently being used to
produce the debirf autobuilder images at
http://debirf.cmrg.net/autobuilds/ so they have been tested, and will
continue to be tested regularly.

The debdiff between 0.36 and 0.37 is attached.

unblock debirf/0.37

-- System Information:
Debian Release: 9.0
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 
'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru debirf-0.36/debian/changelog debirf-0.37/debian/changelog
--- debirf-0.36/debian/changelog2016-05-08 22:37:31.0 -0400
+++ debirf-0.37/debian/changelog2017-05-18 12:10:07.0 -0400
@@ -1,3 +1,18 @@
+debirf (0.37) unstable; urgency=medium
+
+  [ JH Chatenet ]
+  * run fakeroot with bash (Closes: #850080)
+  * a0_prep-root: run insserv if installed (Closes: #833125)
+
+  [ Antoine Beaupré ]
+  * avoid crash if CDPATH is set (Closes: #848693)
+
+  [ Daniel Kahn Gillmor ]
+  * enable rootfs xz compression (Closes: #813472)
+  * Add more utilities to rescue profile (Closes: #834478)
+
+ -- Daniel Kahn Gillmor <d...@fifthhorseman.net>  Thu, 18 May 2017 12:10:07 
-0400
+
 debirf (0.36) unstable; urgency=medium
 
   * better systemd compatibility, prune obsolete modules
diff -Nru debirf-0.36/debian/control debirf-0.37/debian/control
--- debirf-0.36/debian/control  2016-05-08 20:23:32.0 -0400
+++ debirf-0.37/debian/control  2017-05-18 11:24:00.0 -0400
@@ -17,6 +17,7 @@
  fakechroot,
  fakeroot,
  klibc-utils,
+ xz-utils,
  ${misc:Depends}
 Recommends: grub-common (>= 1.98+20100804) | isolinux,
 lsb-release,
diff -Nru debirf-0.36/doc/example-profiles/rescue/packages 
debirf-0.37/doc/example-profiles/rescue/packages
--- debirf-0.36/doc/example-profiles/rescue/packages2016-05-08 
20:16:31.0 -0400
+++ debirf-0.37/doc/example-profiles/rescue/packages2017-05-18 
12:10:07.0 -0400
@@ -2,34 +2,51 @@
 +bonnie++
 +chntpw
 +cryptsetup
-+gddrescue
 +diskscan
++dmidecode
 +dosfstools
 +e2tools
 +eject
++ethtool
++fancontrol
 +fatresize
++flashrom
 +foremost
++gddrescue
 +grub2
 +hdparm
 +hfsplus
 +hfsprogs
 +hfsutils
++initramfs-tools-core
++inteltool
++lm-sensors
 +lsof
 +lsscsi
 +lvm2
++memtester
++msrtool
 +mtd-utils
++ntfs-3g
++nvramtool
 +parted
 +partimage
 +pciutils
++rsync
 +screen
 +scrub
 +sdparm
 +sg3-utils
 +smartmontools
 +smp-utils
++socat
++squashfs-tools
++superiotool
 +testdisk
 +testdisk
 +tofrodos
 +u-boot-tools
++usbutils
++wget
 +wipe
 +wodim
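Review bot: testdisk is listed twice in the unchanged context lines of this hunk; since the list is being re-sorted anyway (gddrescue moves down to restore alphabetical order), drop the duplicate entry in the same change.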
diff -Nru debirf-0.36/src/common debirf-0.37/src/common
--- debirf-0.36/src/common  2011-12-05 16:32:14.0 -0500
+++ debirf-0.37/src/common  2017-05-18 11:23:11.0 -0400
@@ -45,7 +45,7 @@
failure "Debirf fakeroot state file '$DEBIRF_FAKEROOT_STATE' does 
not exist."
fi
 # set up $PATH and $HOME as though we are superuser
-   HOME=/root 
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin fakeroot -i 
"$DEBIRF_FAKEROOT_STATE" -s "$DEBIRF_FAKEROOT_STATE" "$@"
+   HOME=/root 
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin bash fakeroot 
-i "$DEBIRF_FAKEROOT_STATE" -s "$DEBIRF_FAKEROOT_STATE" "$@"
 fi
 }
 export -f fakeroot_if_needed
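Review bot: invoking fakeroot as "bash fakeroot" forces the wrapper to run under bash regardless of its own #! line, which is what #850080 needs, but it hard-codes the assumption that fakeroot stays a shell script that bash can locate through the PATH set on the same line. A one-line comment saying why bash is required here would keep the next maintainer from "simplifying" it back to a direct fakeroot call.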
diff -Nru debirf-0.36/src/debirf debirf-0.37/src/debirf
--- debirf-0.36/src/debirf  2016-05-08 20:27:56.0 -0400
+++ debirf-0.37/src/debirf  2017-05-18 12:10:07.0 -0400
@@ -15,6 +15,7 @@
 
 CMD=$(basename $0)
 
+unset CDPATH
 DEBIRF_COMMON=${DEBIRF_COMMON:-/usr/share/debirf/common}
 source "$DEBIRF_COMMON"
 
@@ -158,7 +159,7 @@
 
 # abort with a failure if our attempts to build the rootfs fail:
 set -o pipefail
-fakeroot_if_needed bash -c ". $DEBIRF_COMMON && 
FAKECHROOT_EXCLUDE_PATH=/does-not-exist debirf_exec sh -c 'find * | grep -v -e 
^run/ | cpio --create -H newc'" | gzip -9 > "$1"
+fakeroot_if_needed bash -c ". $DEBIRF_COMMON && 
FAKECHROOT_EXCLUDE_PATH=/does-not-exist debirf_exec sh -c 'find * | grep -v -e 
^run/ | cpio --create -H newc'" | xz -9 > "$1"
 }
 export -f pack_rootfs
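Review bot: switching pack_rootfs from gzip -9 to xz -9 changes the format of a file the rest of the pipeline still names rootfs.cgz and, in the next hunk, unpacks with gunzip; the unpacking side must be changed in step and the early boot environment must actually contain an xz decompressor, and the .cgz name no longer matches the contents. Consider renaming the file alongside the format change so a stale unpack script fails loudly rather than silently.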
 
@@ -214,7 +215,7 @@
 fi
 cd /newroot
 echo unpacking rootfs...
-gunzip - < /rootfs.cgz | cpio -i
+un

Bug#831335: jessie-pu: package publicsuffix/20160703-1

2016-08-08 Thread Daniel Kahn Gillmor
On Sat 2016-08-06 17:15:25 -0400, Adam D. Barratt wrote:
> Thanks; please feel free to upload that, with a small tweak:
>
> +publicsuffix (20160703-0+deb8u1) stable; urgency=medium
> +
> +  * prepare for stable-proposed-updates.
>
> "jessie" is generally preferred as the changelog distribution and maybe
> "Upload to stable" or something similar?

changed and uploaded (as a source-only upload; please let me know if
that causes trouble; i always prefer to do source-only uploads where the
build infrastructure supports it)

>> The git tree's jessie branch which i'm proposing is at commit ID
>> 6520ee81d3e2d73192e67685652ef6bccdb2e637, fwiw, so you don't have to
>> worry about it changing.
>
> Thanks for that, but we'd still prefer p-u bug reports to be
> free-standing.

no problem, just providing multiple ways to access the data.

> Every couple of months is when we aim (not always successfully) to do a
> stable point release, so that hopefully works out well all around.

I've never maintained this class of package before.  do i just do
regular uploads to "jessie" as new versions of the package become
available, or do i need to do a jessie-pu bug report for each one?

   --dkg




Bug#831335: jessie-pu: package publicsuffix/20160703-1

2016-08-08 Thread Daniel Kahn Gillmor
On Mon 2016-08-08 18:51:32 -0400, Daniel Kahn Gillmor wrote:
> On Sat 2016-08-06 17:15:25 -0400, Adam D. Barratt wrote:
>> Thanks; please feel free to upload that, with a small tweak:
>>
>> +publicsuffix (20160703-0+deb8u1) stable; urgency=medium
>> +
>> +  * prepare for stable-proposed-updates.
>>
>> "jessie" is generally preferred as the changelog distribution and maybe
>> "Upload to stable" or something similar?
>
> changed and uploaded (as a source-only upload; please let me know if
> that causes trouble; i always prefer to do source-only uploads where the
> build infrastructure supports it)

hm, it looks like jessie can't handle source-only uploads that generate
arch-indep packages, according to the rejection notice i just got.

That's a shame.  I guess i'll try again and include the arch-indep
binary in my upload.  Is there any chance that the jessie builders can
learn to handle such a thing or is that just for unstable?

--dkg




Bug#831335: jessie-pu: package publicsuffix/20160703-1

2016-08-05 Thread Daniel Kahn Gillmor
On Thu 2016-07-14 18:25:00 -0400, Daniel Kahn Gillmor wrote:
> On Thu 2016-07-14 20:06:27 +0200, Adam D. Barratt wrote:
>> Please could we have a debdiff, relative to the current package in
>> jessie, in this bug log? (We prefer p-u bugs to be self-contained, and
>> not have to rely on your git tree existing for arbitrary periods in the
>> future, or on it not changing after we give an ack.)
>
> sure.  the debdiff is quite large, primarily due to upstream renaming
> effective_tld_names.dat to public_suffix_list.dat (and adding a
> python-based "linter", and changing how they produce their upstream
> changelog), but i've attached the gzip'ed debdiff below.
>
> The git tree's jessie branch which i'm proposing is at commit ID
> 6520ee81d3e2d73192e67685652ef6bccdb2e637, fwiw, so you don't have to
> worry about it changing.

ping!  I haven't heard back about this.  maybe my earlier reply was
filtered out of some mailbox because of the size of the debdiff as
described above?

 --dkg




Bug#831335: jessie-pu: package publicsuffix/20160703-1

2016-07-14 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Control: affects -1 publicsuffix

I think debian should offer publicsuffix via stable-updates.

publicsuffix ships a file that is updated semi-regularly to reflect the
state of the network (a list of all DNS domains which members of the
public might be able to register immediate subzones).  It's used for
HTTP cookie policy and for X.509 wildcard certificate issuance, among
other uses.

In this way, it's similar to tzdata.

I've prepared a "jessie" branch on the debian packaging repo, which
currently builds fine on stable, and is a simple package:

  https://anonscm.debian.org/git/collab-maint/publicsuffix

The only difference in the resultant package (beyond the updated data)
is that the version in jessie (20140902-1) ships with only the legacy
location for the data file
(/usr/share/publicsuffix/effective_tld_names.dat) while the updated
file ships that as a symlink to the modern location of the file
(/usr/share/publicsuffix/public_suffix_list.dat)

Any concerns if i upload this to proposed-updates with an eye toward
stable-updates?

--dkg

-- System Information:
Debian Release: stretch/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 
'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
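The cookie-policy and wildcard-certificate uses described above, as an added example that is not part of the bug report or of the publicsuffix package: a small reader for the public_suffix_list.dat rule format, applied to a constructed excerpt of the list, using the standard matching rules (an exception rule beats a wildcard, otherwise the longest match wins) to decide which Domain= a browser may accept on a cookie and which names a CA may issue a wildcard for. The sample rules and the two policy helpers are assumptions for illustration.

```python
"""Public suffix lookup in the style of public_suffix_list.dat.

Added example, not code from the bug report or the publicsuffix package.
The rules below are a constructed excerpt; the real list has thousands.
"""

# Constructed excerpt in public_suffix_list.dat syntax: comments start
# with "//", "*" matches exactly one label, "!" marks an exception rule.
SAMPLE_PSL = """\
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
*.ck
!www.ck
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
github.io
// ===END PRIVATE DOMAINS===
"""


def parse_psl(text):
    """Return rules as (is_exception, labels) tuples, labels left to right."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        is_exception = line.startswith("!")
        rules.append((is_exception, line.lstrip("!").lower().split(".")))
    return rules


def _matches(rule_labels, domain_labels):
    # Rules match right to left; a rule may not be longer than the domain.
    if len(rule_labels) > len(domain_labels):
        return False
    for r, d in zip(reversed(rule_labels), reversed(domain_labels)):
        if r != "*" and r != d:
            return False
    return True


def public_suffix(domain, rules):
    """Public suffix of domain per the publicsuffix.org algorithm."""
    labels = domain.lower().rstrip(".").split(".")
    matching = [r for r in rules if _matches(r[1], labels)]
    if not matching:
        prevailing = (False, ["*"])      # unlisted TLD: last label only
    else:
        exceptions = [r for r in matching if r[0]]
        if exceptions:
            prevailing = exceptions[0]   # an exception rule wins outright
        else:
            prevailing = max(matching, key=lambda r: len(r[1]))
    is_exception, rule_labels = prevailing
    if is_exception:
        rule_labels = rule_labels[1:]    # exception: drop its leftmost label
    return ".".join(labels[-len(rule_labels):])


def registrable_domain(domain, rules):
    """Public suffix plus one label, or None if domain is itself a suffix."""
    labels = domain.lower().rstrip(".").split(".")
    n = len(public_suffix(domain, rules).split("."))
    return None if len(labels) <= n else ".".join(labels[-(n + 1):])


def cookie_domain_allowed(request_host, cookie_domain, rules):
    """Cookie Domain= check: refuse a public suffix (it would become a
    'supercookie' shared by every registrant) and refuse domains that
    do not cover the requesting host."""
    cd = cookie_domain.lower().lstrip(".")
    if public_suffix(cd, rules) == cd:
        return False
    host = request_host.lower()
    return host == cd or host.endswith("." + cd)


def wildcard_cert_allowed(san, rules):
    """A CA must not issue *.<public suffix>: it would match every site
    registered directly under that suffix."""
    if not san.startswith("*."):
        return False
    base = san[2:].lower()
    return public_suffix(base, rules) != base


RULES = parse_psl(SAMPLE_PSL)

if __name__ == "__main__":
    for d in ["www.example.co.uk", "www.ck", "foo.bar.ck", "user.github.io"]:
        print(d, "->", public_suffix(d, RULES), registrable_domain(d, RULES))
    print(cookie_domain_allowed("www.example.co.uk", ".co.uk", RULES))  # False
    print(wildcard_cert_allowed("*.co.uk", RULES))                      # False
```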



Bug#803199: jessie-pu: package gnupg/1.4.18-7

2015-10-27 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

https://bugs.debian.org/787046 shows a reasonable patch from noodles
(imported from GnuPG upstream) that makes gnupg 1.4.x behave sensibly
when previously unknown key types are encountered.

since Curve25519 keys are becoming more visible, we need gpg to at
least ignore them cleanly.  This patch has already been included
upstream and is in debian testing and stable without any bad
consequences.

Is it ok to upload to stable?

   --dkg

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-rc3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
From eb0a483d83d15f4dc053065a44373aba56c7f3cb Mon Sep 17 00:00:00 2001
From: Jonathan McDowell <nood...@earth.li>
Date: Mon, 17 Aug 2015 18:36:31 +0200
Subject: [STABLE-BRANCH-1-4 PATCH] import fix for unknown subkey types to
 jessie

---
 debian/changelog   |  7 ++
 ...10-fix-cmp_public_key-and-cmp_secret_keys.patch | 94 ++
 debian/patches/series  |  1 +
 3 files changed, 102 insertions(+)
 create mode 100644 debian/patches/0045-g10-fix-cmp_public_key-and-cmp_secret_keys.patch

diff --git a/debian/changelog b/debian/changelog
index 4488965..0972f28 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+gnupg (1.4.18-7+deb8u1) stable; urgency=medium
+
+  [ Jonathan McDowell ]
+  * Import upstream bugfix for handling unknown subkey types (Closes: #787046)
+
+ -- Daniel Kahn Gillmor <d...@fifthhorseman.net>  Tue, 27 Oct 2015 15:39:42 -0400
+
 gnupg (1.4.18-7) unstable; urgency=medium
 
   * import a series of DoS and vulnerabilities from upstream, including
diff --git a/debian/patches/0045-g10-fix-cmp_public_key-and-cmp_secret_keys.patch b/debian/patches/0045-g10-fix-cmp_public_key-and-cmp_secret_keys.patch
new file mode 100644
index 000..9fac4e5
--- /dev/null
+++ b/debian/patches/0045-g10-fix-cmp_public_key-and-cmp_secret_keys.patch
@@ -0,0 +1,94 @@
+From: NIIBE Yutaka <gni...@fsij.org>
+Date: Thu, 30 Apr 2015 17:20:08 +0900
+Subject: g10: fix cmp_public_key and cmp_secret_keys.
+
+* g10/free-packet.c (cmp_public_keys, cmp_secret_keys): Compare opaque
+data at the first entry of the array when it's unknown algo.
+* mpi/mpi-cmp.c (mpi_cmp): Backport libgcrypt 1.5.0's semantics.
+
+--
+
+(backported from 2.0 commit 43429c7869152f301157e4b24790b3801dce0f0a)
+
+GnuPG-bug-id: 1962
+---
+ g10/free-packet.c | 22 ++
+ mpi/mpi-cmp.c | 16 
+ 2 files changed, 30 insertions(+), 8 deletions(-)
+
+diff --git a/g10/free-packet.c b/g10/free-packet.c
+index 0f8e0e8..e772c08 100644
+--- a/g10/free-packet.c
 b/g10/free-packet.c
+@@ -452,11 +452,14 @@ cmp_public_keys( PKT_public_key *a, PKT_public_key *b )
+ 	return -1;
+ 
+ n = pubkey_get_npkey( b->pubkey_algo );
+-if( !n )
+-	return -1; /* can't compare due to unknown algorithm */
+-for(i=0; i < n; i++ ) {
+-	if( mpi_cmp( a->pkey[i], b->pkey[i] ) )
++if( !n ) { /* unknown algorithm, rest is in opaque MPI */
++	if( mpi_cmp( a->pkey[0], b->pkey[0] ) )
+ 	return -1;
++} else {
++	for(i=0; i < n; i++ ) {
++	if( mpi_cmp( a->pkey[i], b->pkey[i] ) )
++		return -1;
++	}
+ }
+ 
+ return 0;
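Review bot: for an unknown algorithm pubkey_get_npkey() returns 0 and the new branch compares only pkey[0]; that is correct only under the invariant the inline comment hints at, namely that the parser stores all of the unparsed key material as a single opaque MPI in slot 0, and it changes semantics from "unknown keys never compare equal" to "unknown keys compare equal when their opaque blobs match". Spell that invariant out in the comment, since the identical change is repeated in cmp_secret_keys below.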
+@@ -479,11 +482,14 @@ cmp_secret_keys( PKT_secret_key *a, PKT_secret_key *b )
+ 	return -1;
+ 
+ n = pubkey_get_npkey( b->pubkey_algo );
+-if( !n )
+-	return -1; /* can't compare due to unknown algorithm */
+-for(i=0; i < n; i++ ) {
+-	if( mpi_cmp( a->skey[i], b->skey[i] ) )
++if( !n ) { /* unknown algorithm, rest is in opaque MPI */
++	if( mpi_cmp( a->skey[0], b->skey[0] ) )
+ 	return -1;
++} else {
++	for(i=0; i < n; i++ ) {
++	if( mpi_cmp( a->skey[i], b->skey[i] ) )
++		return -1;
++	}
+ }
+ 
+ return 0;
+diff --git a/mpi/mpi-cmp.c b/mpi/mpi-cmp.c
+index e119fad..3c1322a 100644
+--- a/mpi/mpi-cmp.c
 b/mpi/mpi-cmp.c
+@@ -20,6 +20,7 @@
+ #include 
+ #include 
+ #include 
++#include 
+ #include "mpi-internal.h"
+ 
+ int
+@@ -49,6 +50,21 @@ mpi_cmp( MPI u, MPI v )
+ mpi_size_t usize, vsize;
+ int cmp;
+ 
++if (mpi_is_opaque (u) || mpi_is_opaque (v))
++  {
++	if (mpi_is_opaque (u) && !mpi_is_opaque (v))
++	  return -1;
++	if (!mpi_is_opaque (u) && mpi_is_opaque (v))
++	  return 1;
++	if (!u->nbits && !v->nbits)
++	  return 0; /* Empty buffers are identical.  */
++	if (u->nbits < v->nbits)
++	  return -1;
++	if (u->nbits > v->nbits)
++	  return 1;
++	return memcmp (u->d, v->d, u->nbits);
++
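Review bot: in the opaque branch the memcmp() length is u->nbits, so the code relies on nbits holding the byte length of an opaque buffer rather than a bit count; if that is the convention for opaque MPIs in this tree it deserves a comment next to the memcmp, and note that comparing nbits before contents makes a shorter buffer always sort first regardless of content. The hunk is cut off here, so the closing of this if block and the rest of mpi_cmp cannot be reviewed from this mail.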

Bug#791837: jessie-pu: package monkeysphere/0.37-2

2015-07-08 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

On some systems, #778833 appears to be repeatable and reliable, though
i do not control any systems like that.  I tried to fix it in 0.37-2,
and called for testing before the release of jessie, but heard no
feedback.  After the release of jessie, I found out that i had failed
to actually apply the patch in question, which means that it didn't
fix things for people who have machines that exhibit #778833.  0.37-3
does apparently fix things for those people.

Furthermore, the sshd_config settings suggested by
monkeysphere-authentication diagnostics can be improved for the
version of sshd in jessie, as noted upstream and in 0.37-3 (in
testing/unstable).

The debdiff between 0.37-2 and 0.37-3 (attached here) should improve
the situation for users of monkeysphere on jessie.  Is it OK to upload
0.37-3 as 0.37-2+deb8u1?  or should i more narrowly-target just
#778833 (a clear bug that prevents package installation on some
platforms) and leave jessie monkeysphere-authentication diagnostics
with suboptimal sshd_config suggestions?

Sorry for this hassle.

Regards,

--dkg

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru monkeysphere-0.37/debian/changelog monkeysphere-0.37/debian/changelog
--- monkeysphere-0.37/debian/changelog	2014-11-27 15:01:49.0 -0500
+++ monkeysphere-0.37/debian/changelog	2015-05-06 23:30:56.0 -0400
@@ -1,3 +1,14 @@
+monkeysphere (0.37-3) unstable; urgency=medium
+
+  * actually patch log() to consume all stdin when not given a message
+argument (apparently the fix in 0.37-2 did not get properly applied)
+(Closes: #778833)
+  * also from usptream: improve monkeysphere-authentication diagnostic
+checks.
+  * wrap-and-sort for a cleaner debian/
+
+ -- Daniel Kahn Gillmor d...@fifthhorseman.net  Wed, 06 May 2015 23:14:57 -0400
+
 monkeysphere (0.37-2) unstable; urgency=medium
 
   * patch from upstream: log() should consume all stdin when not given a
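Review bot: "usptream" in the second bullet is a typo for "upstream"; and if this is to be uploaded as 0.37-2+deb8u1 for jessie, the entry needs a distribution of jessie rather than unstable and a version string matching the stable update.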
diff -Nru monkeysphere-0.37/debian/control monkeysphere-0.37/debian/control
--- monkeysphere-0.37/debian/control	2014-11-27 15:01:33.0 -0500
+++ monkeysphere-0.37/debian/control	2015-05-06 23:30:02.0 -0400
@@ -3,33 +3,29 @@
 Priority: extra
 Maintainer: Jameson Rollins jroll...@finestructure.net
 Uploaders: Daniel Kahn Gillmor d...@fifthhorseman.net
-Build-Depends: debhelper (= 9~),
- cpio,
- socat,
- openssh-server,
- gnupg (= 1.4.10),
- libcrypt-openssl-rsa-perl,
- libdigest-sha-perl,
- lockfile-progs | procmail,
- openssl,
- bash (= 3.2)
+Build-Depends: bash (= 3.2),
+   cpio,
+   debhelper (= 9~),
+   gnupg (= 1.4.10),
+   libcrypt-openssl-rsa-perl,
+   libdigest-sha-perl,
+   lockfile-progs | procmail,
+   openssh-server,
+   openssl,
+   socat
 Standards-Version: 3.9.6
 Homepage: http://web.monkeysphere.info/
 Vcs-Git: git://git.monkeysphere.info/monkeysphere
 
 Package: monkeysphere
 Architecture: all
-Depends:
- gnupg (= 1.4.10),
- libcrypt-openssl-rsa-perl,
- libdigest-sha-perl,
- lockfile-progs | procmail,
- adduser,
- ${misc:Depends}
-Recommends: netcat | socat,
- ssh-askpass,
- cron,
- openssh-client
+Depends: adduser,
+ gnupg (= 1.4.10),
+ libcrypt-openssl-rsa-perl,
+ libdigest-sha-perl,
+ lockfile-progs | procmail,
+ ${misc:Depends}
+Recommends: cron, netcat | socat, openssh-client, ssh-askpass
 Suggests: monkeysphere-validation-agent
 Enhances: openssh-client, openssh-server
 Description: leverage the OpenPGP web of trust for SSH and TLS authentication
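Review bot: the reordering of Build-Depends, Depends and Recommends in this hunk is pure wrap-and-sort churn with no functional effect; for a stable update the release team generally wants the debdiff limited to the actual fixes (the log() patch and the diagnostics change), so consider dropping this hunk, the whitespace-only ". " fix below and the debian/monkeysphere.dirs reordering from the jessie upload.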
@@ -40,6 +36,6 @@
  for users to get validated host keys, and for hosts to authenticate
  users.  Current monkeysphere SSH tools are designed to integrate
  with the OpenSSH implementation of the Secure Shell protocol.
- . 
+ .
  Monkeysphere can also be used by a validation agent to validate TLS
  connections (e.g. https).
diff -Nru monkeysphere-0.37/debian/monkeysphere.dirs monkeysphere-0.37/debian/monkeysphere.dirs
--- monkeysphere-0.37/debian/monkeysphere.dirs	2014-11-27 14:51:28.0 -0500
+++ monkeysphere-0.37/debian/monkeysphere.dirs	2015-05-06 23:30:02.0 -0400
@@ -1,12 +1,12 @@
-var/lib/monkeysphere
+etc/X11
+etc/X11/Xsession.d
+etc/monkeysphere
 usr/bin
 usr/sbin
 usr/share
-usr/share/monkeysphere
 usr/share/man
 usr/share/man/man1
 usr/share/man/man7
 usr/share/man/man8
-etc/monkeysphere
-etc/X11
-etc/X11/Xsession.d
+usr/share/monkeysphere
+var/lib/monkeysphere
diff -Nru monkeysphere-0.37/debian/patches/0001-Always

Bug#774659: gnupg2 2.0.26-4 debdiff w/o l10n

2015-01-05 Thread Daniel Kahn Gillmor
Attached below is the debdiff for gnupg2 from 2.0.26-3 to 2.0.26-4
without the l10n changes, in the hopes that this makes it past the
mailing list filters :)

Thanks,

--dkg

diff -Nru gnupg2-2.0.26/debian/changelog gnupg2-2.0.26/debian/changelog
--- gnupg2-2.0.26/debian/changelog	2014-09-30 23:39:26.0 -0400
+++ gnupg2-2.0.26/debian/changelog	2015-01-04 18:30:24.0 -0500
@@ -1,3 +1,35 @@
+gnupg2 (2.0.26-4) unstable; urgency=medium
+
+  [ David Prévot ]
+  * Update POT and PO files, and ensure the translations get rebuild
+  * Update French translation (Closes: #769574)
+  * Update Ukrainian translation, thanks to Yuri Chornoivan
+  * Update German translation, thanks to Werner Koch
+  * Update Danish translation, thanks to Joe Hansen
+  * Update Japanese translation, thanks to NIIBE Yutaka
+  * Update Chinese (traditional) translation, thanks to Jedi Lin
+  * Update Russian translation, thanks to Ineiev
+  * Update Polish translation, thanks to Jakub Bogusz
+  * Update Spanish translation, thanks to Manuel Venturi Porras Peralta
+(Closes: #770727)
+  * New Dutch translation, thanks to Frans Spiesschaert (Closes: #770981)
+
+  [ Daniel Kahn Gillmor ]
+  * bugfix and cryptographic safety changes imported from upstream:
+   - Avoid regression when adding subkeys with strong s2k algorithms
+ (Closes: #772780) Thanks, NIIBE Yutaka
+   - Allow french translation to work when prompting for passphrase.
+   - add build and runtime support for larger RSA keys (Closes: #739424)
+   - fix runtime errors on bad input (Closes: #771987)
+   - deprecate insecure one-argument variant for gpg --verify of detached
+ signatures (Closes: #771992)
+   - initialize trustdb before trying to clear it (Closes: #735363)
+   - default to issuing SHA256 signatures for RSA
+   - avoid relying on MD5 signatures
+   - show v3 key fingerprints as all zero (OpenPGPv3 is deprecated)
+
+ -- Daniel Kahn Gillmor d...@fifthhorseman.net  Sun, 04 Jan 2015 17:17:00 -0500
+
 gnupg2 (2.0.26-3) unstable; urgency=medium
 
   * fix typo in gpg.info (closes: #760273)
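Review bot: the bullets under "bugfix and cryptographic safety changes imported from upstream" change verification behaviour (deprecating the one-argument `gpg --verify` form, no longer relying on MD5 signatures, SHA256 as the default RSA signature digest, zeroed v3 fingerprints) but cite no upstream commit IDs or debian/patches file names, so a release-team reviewer cannot match each bullet to the patch that implements it; please add the upstream commit next to each bullet, the way the removed patch further down carries its "commit c76117f8..." header. Also, "ensure the translations get rebuild" should read "get rebuilt".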
diff -Nru gnupg2-2.0.26/debian/clean gnupg2-2.0.26/debian/clean
--- gnupg2-2.0.26/debian/clean	1969-12-31 19:00:00.0 -0500
+++ gnupg2-2.0.26/debian/clean	2015-01-04 17:30:14.0 -0500
@@ -0,0 +1 @@
+po/*.gmo
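Review bot: adding po/*.gmo to debian/clean deletes the compiled catalogues shipped in the upstream tarball so that the build regenerates them from the updated .po files, which is what the "ensure the translations get rebuild" changelog entry depends on; this only helps if the po/ Makefile actually rebuilds missing .gmo files during the package build, so please confirm from the build log that msgfmt ran for each updated language before relying on it.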
diff -Nru gnupg2-2.0.26/debian/patches/0001-warn-about-but-don-t-fail-on-scdaemon-options-in-gpg.patch gnupg2-2.0.26/debian/patches/0001-warn-about-but-don-t-fail-on-scdaemon-options-in-gpg.patch
--- gnupg2-2.0.26/debian/patches/0001-warn-about-but-don-t-fail-on-scdaemon-options-in-gpg.patch	2014-09-29 17:46:22.0 -0400
+++ gnupg2-2.0.26/debian/patches/0001-warn-about-but-don-t-fail-on-scdaemon-options-in-gpg.patch	1969-12-31 19:00:00.0 -0500
@@ -1,140 +0,0 @@
-commit c76117f8b0165fe5cec5e7f234f55f5a4cd7f0ab
-Author: Daniel Kahn Gillmor d...@fifthhorseman.net
-Date:   Thu Sep 25 14:45:37 2014 -0400
-
-gpg: Warn about (but don't fail) on scdaemon options in gpg.conf.
-
-* g10/gpg.c: Add config options that should belong in scdaemon.conf
-* g10/main.h, g10/misc.c (obsolete_scdaemon_option): New.
-
---
-
-In gpg2, the following options are only relevant for scdaemon:
-
- reader-port
- ctapi-driver
- pcsc-driver
- disable-ccid
-
-but in gpg1, they are options for gpg itself.
-
-Some users of gpg1 might have these options in their
-~/.gnupg/gpg.conf, which causes gpg2 to fail hard if it reads that
-config file.
-
-gpg2 should not fail hard, though giving a warning (and suggesting a
-move to scdaemon.conf) seems OK.
-
-This patch does *not* reintroduce any documentation for these options
-in gpg.texi, even to indicate that they are dummy options, since
-scdaemon.texi contains the appropriate documentation.
-
-Debian-bug-id: 762844
-
-Program names factored out from obsolete_scdaemon_option to make
-reuse without new translations easier. -wk
-
-This is a backport of commit 371c2b14b0347209efd23b4e54e1981a12d7aeab
-with parts of 20c6da50d4f6264d26d113d7de606971f719a0ca but without those
-which would change existing translated strings. -wk
-
-diff --git a/g10/gpg.c b/g10/gpg.c
-index 1a8e6e7..12d4295 100644
 a/g10/gpg.c
-+++ b/g10/gpg.c
-@@ -358,6 +358,10 @@ enum cmd_and_opt_values
- oKeyidFormat,
- oExitOnStatusWriteError,
- oLimitCardInsertTries,
-+oReaderPort,
-+octapiDriver,
-+opcscDriver,
-+oDisableCCID,
- oRequireCrossCert,
- oNoRequireCrossCert,
- oAutoKeyLocate,
-@@ -506,10 +510,6 @@ static ARGPARSE_OPTS opts[] = {
-   ARGPARSE_s_n (oDryRun, dry-run, N_(do not make any changes)),
-   ARGPARSE_s_n (oInteractive, interactive, N_(prompt before overwriting)),
- 
--  ARGPARSE_s_n (oUseAgent,  use-agent, @),
--  ARGPARSE_s_n (oNoUseAgent, no-use-agent, @),
--  ARGPARSE_s_s (oGpgAgentInfo, gpg-agent-info, @),
--
-   ARGPARSE_s_n (oBatch, batch
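Review bot: this removes debian/patches/0001-warn-about-but-don-t-fail-on-scdaemon-options-in-gpg.patch, the fix for Debian bug 762844 that made gpg2 warn instead of fail hard on reader-port, ctapi-driver, pcsc-driver and disable-ccid in a gpg1-style gpg.conf, yet no changelog entry records why; if the behaviour now arrives through one of the imported upstream commits, say so in d/changelog, otherwise dropping the patch silently reintroduces the hard failure the patch description above describes. (The line reading " a/g10/gpg.c" has lost its leading characters in the list archive; the real debdiff should still carry the "--- a/g10/gpg.c" file header.)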

Bug#772803: please do include debian-security-support in the next wheezy point release

2014-12-17 Thread Daniel Kahn Gillmor
hi folks--

I agree with Holger that debian-security-support is a useful piece of
information to have in all versions of Debian.

This seems like something that should be included in the next wheezy
point release, if possible.

Thanks for your work on Debian,

--dkg


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/5491d189.2060...@fifthhorseman.net



Bug#772998: libgpg-error 1.17-2 to 1.17-3 debdiff followup without l10n

2014-12-12 Thread Daniel Kahn Gillmor
the debdiff for the unblock request for libgpg-error 1.17-3 (#772998)
was large because of l10n updates.  It might not have made it through
the mailing list filter.

Attached is the debdiff with the l10n updates stripped.

Many thanks to David Prévot for coordinating this work.

 --dkg

diff -Nru libgpg-error-1.17/debian/changelog libgpg-error-1.17/debian/changelog
--- libgpg-error-1.17/debian/changelog	2014-10-24 15:24:34.0 -0400
+++ libgpg-error-1.17/debian/changelog	2014-12-12 15:55:18.0 -0500
@@ -1,3 +1,22 @@
+libgpg-error (1.17-3) unstable; urgency=medium
+
+  [ David Prévot ]
+  * Force rebuild of gmo files
+  * Update Polish translation, thanks to Jakub Bogusz
+  * Update French translation
+  * Update Ukrainian translation, thanks to Yuri Chornoivan
+  * Update Danish translation, thanks to Joe Hansen
+  * Update Dutch translation, thanks to Freek de Kruijf
+  * Update Japanese translation, thanks to NIIBE Yutaka
+  * Add Russian translation, thanks to Ineiev
+  * Update Italian translation, thanks to Milo Casagrande
+  * Add Chinese (traditional) translation, thanks to Jedi Lin
+  * Add Portuguese translation, thanks to Paulo Tomé (Closes: #770893)
+  * Add Serbian translation, thanks to Мирослав Николић
+  * Update Czech translation, thanks to Petr Pisar
+
+ -- Daniel Kahn Gillmor d...@fifthhorseman.net  Fri, 12 Dec 2014 15:55:18 -0500
+
 libgpg-error (1.17-2) unstable; urgency=medium
 
   * added arch-specific lock-obj header for added
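Review bot: the changelog lists "Force rebuild of gmo files" and the translation updates but not the new debian/patches/0004-Drop-previous-strings-from-PO-files.patch that appears further down in this debdiff, nor the po/*.gmo addition to debian/clean; add entries for both, since a patch that edits six upstream PO files is exactly what a release-team reviewer of an unblock request needs to see listed.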
diff -Nru libgpg-error-1.17/debian/clean libgpg-error-1.17/debian/clean
--- libgpg-error-1.17/debian/clean	2014-09-18 11:37:17.0 -0400
+++ libgpg-error-1.17/debian/clean	2014-12-12 15:52:28.0 -0500
@@ -1,2 +1,3 @@
 debian/libgpg-error0.install
 debian/libgpg-error-dev.install
+po/*.gmo
diff -Nru libgpg-error-1.17/debian/patches/0004-Drop-previous-strings-from-PO-files.patch libgpg-error-1.17/debian/patches/0004-Drop-previous-strings-from-PO-files.patch
--- libgpg-error-1.17/debian/patches/0004-Drop-previous-strings-from-PO-files.patch	1969-12-31 19:00:00.0 -0500
+++ libgpg-error-1.17/debian/patches/0004-Drop-previous-strings-from-PO-files.patch	2014-12-12 15:52:28.0 -0500
@@ -0,0 +1,854 @@
+From: =?utf-8?q?David_Pr=C3=A9vot?= taf...@debian.org
+Date: Thu, 27 Nov 2014 15:35:52 -0400
+Subject: Drop previous strings from PO files
+
+The build system drops them.
+---
+ po/de.po| 11 ---
+ po/eo.po| 32 
+ po/ro.po| 19 ---
+ po/sv.po| 19 ---
+ po/vi.po| 19 ---
+ po/zh_CN.po | 18 --
+ 6 files changed, 118 deletions(-)
+
+diff --git a/po/de.po b/po/de.po
+index f44c9a1..ee9d653 100644
+--- a/po/de.po
 b/po/de.po
+@@ -969,19 +969,16 @@ msgstr Falsches Oktal-Zeichen in S-expression
+ 
+ #: src/err-codes.h:242
+ #, fuzzy
+-#| msgid Bad certificate chain
+ msgid No certificate chain
+ msgstr Fehlerhafte Zertifikatkette
+ 
+ #: src/err-codes.h:243
+ #, fuzzy
+-#| msgid Certificate too young
+ msgid Certificate is too large
+ msgstr Zertifikat ist noch nicht gültig
+ 
+ #: src/err-codes.h:244
+ #, fuzzy
+-#| msgid Invalid card
+ msgid Invalid record
+ msgstr Ungültige Karte
+ 
+@@ -991,7 +988,6 @@ msgstr 
+ 
+ #: src/err-codes.h:246
+ #, fuzzy
+-#| msgid Unexpected tag
+ msgid Unexpected message
+ msgstr Unerwartetes \Tag\
+ 
+@@ -1009,7 +1005,6 @@ msgstr 
+ 
+ #: src/err-codes.h:250
+ #, fuzzy
+-#| msgid Invalid cipher algorithm
+ msgid No cipher algorithm
+ msgstr Ungültiges Verschlüsselungsverfahren
+ 
+@@ -1018,37 +1013,31 @@ msgstr Ungültiges Verschlüsselungsverfahren
+ # what might be wrong.
+ #: src/err-codes.h:251
+ #, fuzzy
+-#| msgid Missing issuer certificate
+ msgid Missing client certificate
+ msgstr Fehlendes Herausgeberzertifikat in der Kette
+ 
+ #: src/err-codes.h:252
+ #, fuzzy
+-#| msgid Certificate revoked
+ msgid Close notification received
+ msgstr Zertifikat ist widerrufen
+ 
+ #: src/err-codes.h:253
+ #, fuzzy
+-#| msgid Key expired
+ msgid Ticket expired
+ msgstr Schlüssel abgelaufen
+ 
+ #: src/err-codes.h:254
+ #, fuzzy
+-#| msgid Bad public key
+ msgid Bad ticket
+ msgstr Fehlerhafter öffentlicher Schlüssel
+ 
+ #: src/err-codes.h:255
+ #, fuzzy
+-#| msgid Unknown packet
+ msgid Unknown identity
+ msgstr Unbekanntes Paket
+ 
+ #: src/err-codes.h:256
+ #, fuzzy
+-#| msgid Bad certificate chain
+ msgid Bad certificate message in handshake
+ msgstr Fehlerhafte Zertifikatkette
+ 
+diff --git a/po/eo.po b/po/eo.po
+index 8a1b2bc..868482d 100644
+--- a/po/eo.po
 b/po/eo.po
+@@ -422,7 +422,6 @@ msgstr Neniu agento rulas
+ 
+ #: src/err-codes.h:106
+ #, fuzzy
+-#| msgid agent error
+ msgid Agent error
+ msgstr agent-eraro
+ 
+@@ -828,25 +827,21 @@ msgstr Neniu PIN estis donata
+ 
+ #: src/err-codes.h:207
+ #, fuzzy
+-#| msgid Not locked
+ msgid Not enabled
+ msgstr Ne ŝlosita
+ 
+ #: src/err-codes.h:208
+ #, fuzzy
+-#| msgid Invalid crypto engine
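Review bot: every "#| msgid ..." line removed in this patch belongs to an entry that stays marked "#, fuzzy", so msgfmt still skips those translations and the built catalogues are unchanged; the deletion only drops the previous-msgid hint that translators use when updating fuzzy entries. The one-line rationale "The build system drops them" does not say what problem the patch solves (presumably keeping the rebuilt .po files identical to the source tree so the debdiff stops carrying this noise); spell that out in the patch header, and consider forwarding it upstream, because otherwise it will need refreshing on every upstream release that ships the "#|" lines again. Note also that the line reading " b/po/de.po" has lost its leading characters in the list archive; the real patch should carry the "+++ b/po/de.po" file header.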