Bug#935481: stretch-pu: package basez/1.6-3

2019-08-22 Thread Milan Kupcevic 
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi Stable Release Managers,

The basez version released in stretch is affected by bug #931041 and is 
consequently not properly decoding base64url stream. This bug has been 
fixed in sid, testing and buster-pu. I'm about to upload fixed 
basez/1.6-3+deb9u1 package for stretch. See attached debdiff.

Milan
diff -Nru basez-1.6/debian/changelog basez-1.6/debian/changelog
--- basez-1.6/debian/changelog  2016-10-27 09:33:37.0 -0400
+++ basez-1.6/debian/changelog  2019-08-22 22:07:39.0 -0400
@@ -1,3 +1,9 @@
+basez (1.6-3+deb9u1) stretch; urgency=medium
+
+  * Properly decode base64url encoded strings (closes: #931041)
+
+ -- Milan Kupcevic   Thu, 22 Aug 2019 22:07:39 -0400
+
 basez (1.6-3) unstable; urgency=medium
 
   * Remove configure getconf libs.
diff -Nru basez-1.6/debian/patches/base64url-decode-bug-931041 
basez-1.6/debian/patches/base64url-decode-bug-931041
--- basez-1.6/debian/patches/base64url-decode-bug-9310411969-12-31 
19:00:00.0 -0500
+++ basez-1.6/debian/patches/base64url-decode-bug-9310412019-08-03 
23:29:13.0 -0400
@@ -0,0 +1,16 @@
+Description: properly decode base64url encoded strings
+Author: Milan Kupcevic 
+Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931041
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/base64.c
 b/base64.c
+@@ -188,7 +188,7 @@
+   bout[0] = bout[0] | c[bin[1]] >> 4;
+   }
+ 
+-  switch(c64d[bin[2]])
++  switch(c[bin[2]])
+   {
+ case 0xfe:
+   if(bin[3] == '=')
diff -Nru basez-1.6/debian/patches/series basez-1.6/debian/patches/series
--- basez-1.6/debian/patches/series 1969-12-31 19:00:00.0 -0500
+++ basez-1.6/debian/patches/series 2019-08-03 22:15:31.0 -0400
@@ -0,0 +1 @@
+base64url-decode-bug-931041

Bug#934537: buster-pu: package basez/1.6-3+deb10u1

2019-08-11 Thread Milan Kupcevic 
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi Stable Release Managers,

The basez version released in buster is affected by bug #931041 and is 
consequently not properly decoding base64url stream. This bug has been 
fixed in sid and testing. I've prepared fixed basez/1.6-3+deb10u1 package 
for buster. See attached debdiff.

Milan
diff -Nru basez-1.6/debian/changelog basez-1.6/debian/changelog
--- basez-1.6/debian/changelog  2016-10-27 09:33:37.0 -0400
+++ basez-1.6/debian/changelog  2019-08-11 18:59:28.0 -0400
@@ -1,3 +1,9 @@
+basez (1.6-3+deb10u1) buster; urgency=medium
+
+  * Properly decode base64url encoded strings (closes: #931041)
+
+ -- Milan Kupcevic   Sun, 11 Aug 2019 18:59:28 -0400
+
 basez (1.6-3) unstable; urgency=medium
 
   * Remove configure getconf libs.
diff -Nru basez-1.6/debian/patches/base64url-decode-bug-931041 
basez-1.6/debian/patches/base64url-decode-bug-931041
--- basez-1.6/debian/patches/base64url-decode-bug-9310411969-12-31 
19:00:00.0 -0500
+++ basez-1.6/debian/patches/base64url-decode-bug-9310412019-08-03 
23:29:13.0 -0400
@@ -0,0 +1,16 @@
+Description: properly decode base64url encoded strings
+Author: Milan Kupcevic 
+Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931041
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/base64.c
 b/base64.c
+@@ -188,7 +188,7 @@
+   bout[0] = bout[0] | c[bin[1]] >> 4;
+   }
+ 
+-  switch(c64d[bin[2]])
++  switch(c[bin[2]])
+   {
+ case 0xfe:
+   if(bin[3] == '=')
diff -Nru basez-1.6/debian/patches/series basez-1.6/debian/patches/series
--- basez-1.6/debian/patches/series 1969-12-31 19:00:00.0 -0500
+++ basez-1.6/debian/patches/series 2019-08-03 22:15:31.0 -0400
@@ -0,0 +1 @@
+base64url-decode-bug-931041

Re: Proposal: Repository for fast-paced package backports

2018-12-26 Thread Milan Kupcevic 
On 12/25/18 3:46 PM, Dominik George wrote:

[...]

> 
> Name of the new repository
> ==
> 
> In the past, the name “volatile” was used for a similar repository, but
> with a different scope (limited to data packages for things like virus
> scanners). I will thus use the working title volatile throughout this
> proposal, although this may change.
> 
> Other ideas: fastlane, unsupported
> 

"rolling" sounds like a good fit

[...]

> 
> Building packages and package dependencies
> ==
> 
> Packages for volatile are built the same way as formal backports, only
> that the source is taken from unstable rather than testing. In
> particular:
> 
>  - Changes shall be kept as small as possible.
>  - The package is rebuilt against stable.
>  - The package may depend on packages in stable, stable-backports or 
> stable-volatile.
> 

stable-rolling sounds more appropriate than stable-volatile.

> Dependencies on other packages in volatile should be avoided if
> possible. 
How to handle upgrades from stable to stable+1. Packages from backports
upgrade with no issues as stable+1 contains the same packages already
compiled for the stable+1.

How about LTS? As stable-rolling repository would be usable in
conjunction with stable-backports and stable, would then
oldstable-rolling continue to roll or just freeze in place at the moment
when the stable becomes oldstable?

[...]

> 
> 
> Implications for the situation at hand (gitlab)
> ===
> 
> As there were quite a few concerns raised (some of which I share, and
> some I don’t): Of course, if a software intended for volatile has a ton
> of dependencies (intended to go into backports), all backports rules and
> powers of the ftp-masters apply. Repeating myself: volatile is not meant
> to ease the life of maintainers.
> 

Continuous delivery development model based upstream applications are
not quite a good fit for a stable release distribution.


Milan







signature.asc
Description: OpenPGP digital signature

Re: Porter roll call for Debian Stretch

2016-09-30 Thread Milan Kupcevic 
On 09/20/2016 05:46 PM, John Paul Adrian Glaubitz wrote:
> On 09/20/2016 11:16 PM, Niels Thykier wrote:
>>- powerpc: No porter (RM blocker)
> 
> I'd be happy to pick up powerpc to keep it for Stretch. I'm already
> maintaining powerpcspe which is very similar to powerpc.
> 


Thank you Adrian for stepping up. You will have my support in this
endeavor for the Stretch release.

Milan




signature.asc
Description: OpenPGP digital signature

Bug#793556: jessie-pu: package mkvmlinuz/37+deb8u1

2015-12-13 Thread Milan Kupcevic 

Hi Adam,

We've got third party confirmations and requests[0][1] for this fix.
Should I upload mkvmlinuz/37+deb8u1 to s-p-u?

Milan


[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793556#28
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741642#56



signature.asc
Description: OpenPGP digital signature

Bug#793556: jessie-pu: package mkvmlinuz/37+deb8u1

2015-12-13 Thread Milan Kupcevic 
On 12/13/2015 05:21 PM, Adam D. Barratt wrote:
> Control: tags -1 -moreinfo +confirmed
> 
> On Sun, 2015-12-13 at 13:01 -0500, Milan Kupcevic wrote:
>> Hi Adam,
>>
>> We've got third party confirmations and requests[0][1] for this fix.
>> Should I upload mkvmlinuz/37+deb8u1 to s-p-u?
> 
> I was rather hoping that your poking of debian-kernel might elicit some
> response, but apparently not. Please go ahead.
> 

Thanks. Uploaded.

Milan



signature.asc
Description: OpenPGP digital signature

Bug#793556: jessie-pu: package mkvmlinuz/37+deb8u1

2015-12-12 Thread Milan Kupcevic 
On 12/08/2015 01:10 PM, Gerhard Pircher wrote:

[ ... ]

> It has been verified that the bugfix in version mkvmlinuz/37+deb8u1
> fixes this problem. Thus I would to ask, if this new mkvmlinuz
> version will be available anytime soon in Debian stable?
> 

I'm waiting for release managers decision at this point.

Milan



signature.asc
Description: OpenPGP digital signature

Bug#793556: jessie-pu: package mkvmlinuz/37+deb8u1

2015-07-25 Thread Milan Kupcevic 
On 07/25/2015 06:38 AM, Adam D. Barratt wrote:
 Control: tags -1 + moreinfo
 
 On Fri, 2015-07-24 at 22:32 -0400, Milan Kupcevic wrote:
 mkvmlinuz/37+deb8u1 is fixing bug #741642 already fixed in sid/testing 
 to allow for smooth upgrade from wheezy to jessie. See attached diff.

  changelog |6 ++
  kernel-image/postinst |2 ++
  kernel-image/postrm   |2 ++
 
 --- mkvmlinuz-37/debian/kernel-image/postinst   2012-06-28 21:01:13.0 
 -0400
 +++ mkvmlinuz-37+deb8u1/debian/kernel-image/postinst2015-07-23 
 22:45:48.0 -0400
 @@ -1,5 +1,7 @@
  #!/bin/sh
  
 +echo 2
 
 Will the mkvmlinuz invocation later in the postinst ever possibly
 produce output on stdout?


The db_get debconf call does communicate with debconf through
stdin/stdout by design. That is why nothing else should use stdin nor
stdout at stake for not to interfere with such communication. The
violation actually comes from 'run-parts --report' itself, not from the
hook.

Wheezy kernel package has been using 'run-parts --verbose' to run the
hooks. This worked fine as run-parts printed out to stderr only. Jessie
kernel package is using 'run-parts --report' instead where output
depends on the behavior of the hook in question. See run-parts manual
for the exact --report run-parts option description.

I'm dealing with this problem by printing out a newline character to
stderr from the hook itself, therefore pushing run-parts to output the
hook's name to stderr, thus causing run-parts to leave the debconf
communication alone.

This fix is as minimalist as you possibly could get for a bug fix in a
stable release.

CC: debian-kernel to get possible input from there


 
 While I can see the intent behind the above (forcing run-parts
 --report to output the script name to stderr rather than stdout), it
 wasn't immediately obvious. The kernel handbook (in
 https://kernel-handbook.alioth.debian.org/ch-update-hooks.html ),
 suggests exec /dev/null 2, which seems much more idiomatic.
 


The kernel-handbook suggestion won't fix this issue because run-parts
interprets debconf communication as hook output and decides that it has
to print out the hook script name to the same place, thus interfering
with debconf communication and causing the error described in bug
reports #791868 and #741642.


Milan





signature.asc
Description: OpenPGP digital signature

Bug#793556: jessie-pu: package mkvmlinuz/37+deb8u1

2015-07-24 Thread Milan Kupcevic 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

mkvmlinuz/37+deb8u1 is fixing bug #741642 already fixed in sid/testing 
to allow for smooth upgrade from wheezy to jessie. See attached diff.

 changelog |6 ++
 kernel-image/postinst |2 ++
 kernel-image/postrm   |2 ++
 3 files changed, 10 insertions(+)

-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: powerpc (ppc64)

Kernel: Linux 3.16.0-4-powerpc64 (SMP w/4 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru mkvmlinuz-37/debian/changelog mkvmlinuz-37+deb8u1/debian/changelog
--- mkvmlinuz-37/debian/changelog	2015-04-10 07:14:08.0 -0400
+++ mkvmlinuz-37+deb8u1/debian/changelog	2015-07-23 23:40:49.0 -0400
@@ -1,3 +1,9 @@
+mkvmlinuz (37+deb8u1) stable; urgency=medium
+
+  * Push run-parts output to stderr. (Closes: #741642)
+
+ -- Milan Kupcevic mi...@physics.harvard.edu  Thu, 23 Jul 2015 23:00:46 -0400
+
 mkvmlinuz (37) unstable; urgency=medium
 
   * Include only necessary modules to further reduce vmlinuz size on Pegasos. 
diff -Nru mkvmlinuz-37/debian/kernel-image/postinst mkvmlinuz-37+deb8u1/debian/kernel-image/postinst
--- mkvmlinuz-37/debian/kernel-image/postinst	2012-06-28 21:01:13.0 -0400
+++ mkvmlinuz-37+deb8u1/debian/kernel-image/postinst	2015-07-23 22:45:48.0 -0400
@@ -1,5 +1,7 @@
 #!/bin/sh
 
+echo 2
+
 set -e
 
 . /usr/share/debconf/confmodule
diff -Nru mkvmlinuz-37/debian/kernel-image/postrm mkvmlinuz-37+deb8u1/debian/kernel-image/postrm
--- mkvmlinuz-37/debian/kernel-image/postrm	2012-06-28 21:01:13.0 -0400
+++ mkvmlinuz-37+deb8u1/debian/kernel-image/postrm	2015-07-23 22:45:48.0 -0400
@@ -1,5 +1,7 @@
 #!/bin/sh
 
+echo 2
+
 set -e
 
 . /usr/share/debconf/confmodule

Bug#782352: unblock: mkvmlinuz/37

2015-04-13 Thread Milan Kupcevic 
Control: tags -1 - moreinfo

Hi,

On 04/12/2015 04:19 PM, Ivo De Decker wrote:
 Control: tags -1 confirmed moreinfo
 
 Hi,
 
 On Fri, Apr 10, 2015 at 02:09:16PM -0400, Milan Kupcevic wrote:
 About to upload mkvmlinuz/37 fixing bug #782278
 Pegasos II won't boot after kernel upgrade
 
 Please go ahead and remove the moreinfo tag from this bug once the upload is
 in unstable.
 


The mkvmlinuz/37 has landed in sid.


Milan




signature.asc
Description: OpenPGP digital signature

Bug#782352: unblock: mkvmlinuz/37 (pre-approval)

2015-04-11 Thread Milan Kupcevic 
Control: retitle -1 Bug#782352: unblock: mkvmlinuz/37 (pre-approval)


Should we go ahead with upload of mkvmlinuz/37?


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/55294357.2040...@physics.harvard.edu

Bug#606441: unblock: yaboot/1.3.13a-1squeeze1

2010-12-10 Thread Milan Kupcevic 
On 12/10/2010 06:21 PM, Lennart Sorensen wrote:
 On Fri, Dec 10, 2010 at 11:42:49PM +0100, Mehdi Dogguy wrote:
 Well, Gaudenz and Milan worked on fixing the reported RC bugs against
 yaboot. And, I'd rather thank them for that. sid's version doesn't look
 like fixing the critical problems experienced by our users. Besides, I
 don't see any bugreport of yours explaining your issue.
 
 Having found the bug reported upstream, fixed in 1.3.14 years ago, and
 seeing how many people had made attemps at getting 1.3.14 into Debian,
 there seemed to be no point filling another bug report.  So I didn't
 bother.  I usually file bug reports, but yaboot seemed obviously futile.
 I am rather surprised to see there now is a new version in unstable.
 A few months too late to really help anyone wanting to run Squeeze though,
 but at least in a couple of years there will be a Debian version that
 might be useful for those machines.

Well, the whole situation you are describing actually motivated me to do
something about it. And I did what was possible to do in short period of
time.

 
 Any bugreport I could read?
 
 Well given I don't even know if an IBM p520 power6+ machine is expected to
 work with Debian, I haven't filled one.  I pointed out a few drivers and
 other issues I hit, although they seemed to get no interest from anyone.
 There is a bug report in grub2 (upstream) about the issues left to solve
 for the IBM pseries servers.

You have hands on that machine, I do not. Fix the issue, produce patch,
we are eager to see the solution. Also take a look at this thread, we
discuss about IBM p520 power6+ machine:

http://lists.debian.org/debian-powerpc/2010/12/msg00032.html

 
 grub2 does work once you manually generate the image and install it on a
 boot partition, and it supports software raid (something yaboot didn't,
 although it appears the 1.3.16 version now in unstable might), so it
 worked out OK for me.  

Please provide fully working and tested yaboot 1.3.16 Debian package and
propose its upload, I'm sure it will override this one. Or even better,
provide fully functional grub2 package for power platform. I'm sure it
will get approved quickly.

 The grub developers helped fix some endianess
 bugs in the md raid 1.x format handling (as well as in mdadm, which has
 been fixed upstream now).  To make life easier, grub needs working
 handling of devices without aliases (which IBM machines don't create,
 unlike apple and sun and most other openfirmware machines).  I don't know
 if that has been completed yet, although some work was being done on it.
 I have created aliases myself for now which made grub happy.
 
 The bug report in grub is: http://savannah.gnu.org/bugs/?30576
 

If we do not get yaboot 1.3.13a-1squeeze1 and fixed yaboot-installer bug
#605932 into squeeze, it will be uninstallable, without manual tweaking,
on all machines with SATA, SAS, and SCSI controllers (this includes all
Mac G5 machines). All Mac G5 machines also need fixed initramfs-tools
bug #603981.


 I sent a question about the missing network driver and console entries in
 securetty to debian-boot and heard nothing:
 http://www.mail-archive.com/debian-b...@lists.debian.org/msg118643.html
 

FYI: a bug report #605774 regarding ehea network driver was submitted on
December 03, 2010 by Xavier Grave and was fixed in SVN promptly. It will
get to squeeze install CD soon.


And finally we should get back to the subject of this message. Do you
advocate for or against getting yaboot/1.3.13a-1squeeze1 into squeeze?

Why, or why not?


Milan





signature.asc
Description: OpenPGP digital signature