Re: jessie-security packages missing from ftp-master
Hi Adam,

Following up on some issues:

On Sun, Jun 10, 2018 at 07:35:16PM +0100, Adam D. Barratt wrote:
> Is it worth retrying any of these?
>
> * graphicsmagick 1.3.20-3+deb8u2 (powerpc)

Tried a giveback, but it's a persistent test suite which breaks the build. Not sure.

> * mariadb-10.0 10.0.32-0+deb8u1 (mips mipsel powerpc s390x)

I guess these are arch-specific failures, which won't be fixed, the one for powerpc dates back quite a while.

> * openjdk-7 7u151-2.6.11-2~deb8u1 (arm64 s390x)

This got superseded by the latest (and final) openjdk-7 update: arm64 and s390x now had a successful build.

So openjdk-7 should be complete it seems?

Cheers,
Moritz
Re: Your upload of goldencheetah to stretch
Jonathan Wiltshire wrote:
> Hi,
>
> You uploaded goldencheetah 4.0.0~DEV1607-2+deb9u1 to proposed-updates but
> with a target suite of stretch-security. Was that meant to go to the
> security archive?

This was released via the security update, it was part of the compat changes listed in DSA-4203-1.

Cheers,
Moritz
Re: Scheduling final Jessie point release, 8.11
On Mon, May 14, 2018 at 06:26:08PM +0100, Jonathan Wiltshire wrote:
> Hi,
>
> According to my records main security support for Jessie can end any time
> after 17th June.
>
> So to the security team: do you have a date in mind?

The 17th :-)

Cheers,
Moritz
Re: openafs bug 886768
On Tue, Feb 20, 2018 at 01:56:12PM -0600, Benjamin Kaduk wrote:
> On Tue, Feb 20, 2018 at 08:51:16PM +0100, Salvatore Bonaccorso wrote:
> > Hi Thorsten,
> >
> > On Tue, Feb 20, 2018 at 02:45:48PM +0100, Thorsten Alteholz wrote:
> > > Hi everybody,
> > >
> > > the latest security update of the kernel to version 3.2.0-5 in Jessie
> > > resulted in #886768 [1] for openafs.
> > >
> > > Wouldn't it be better to do the openafs upload via security as well?
> > > At the moment openafs in Jessie is just broken until the next point
> > > release.
> >
> > Whilst one arguably can say that the issue was introduced/uncovered
> > by a security update, the package has already been accepted by the SRM
> > (thanks for that to Julien and Adam!).
> >
> > So affected persons could already install the fixed packages via
> > proposed-updates, but maybe Julien and Adam can be convinced that an
> > update is important enough to schedule an update earlier via a SUA?
>
> It's probably also worth noting that this is not the first time that
> a linux security update caused an openafs regression,

The only sane way to avoid such occasional breakage is to upstream the OpenAFS kernel module into the Linux kernel. As long as this doesn't happen, it'll inevitably happen again.

Cheers,
Moritz
Bug#885183: stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1
On Mon, Dec 25, 2017 at 09:26:58PM +0100, Ludovico Cavedon wrote:
> - #866721 and #866719, which are security-related issues. Do you want
> me to reach out to the security team about these first?

Those are marked no-dsa for quite a while, so not needed.

Cheers,
Moritz
Re: Bug#885172: transition: libsodium
Emilio Pozuelo Monfort wrote:
> DSA shut down the kfreebsd buildds.

Is that a temporary measure or permanently due to the state of the port?

(Just wondering since there's unofficial security builds for kfreebsd-* despite not being a release arch; if that also affects those efforts, we should make some kind of EOL announcement).

Cheers,
Moritz
Bug#882621: stretch-pu: package python2.7/2.7.13-2+deb9u2
On Sun, Nov 26, 2017 at 01:52:04PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Fri, 2017-11-24 at 23:18 +0100, Moritz Muehlenhoff wrote:
> > I'd like to add a fix for a minor security issue in Python 2.7 to the
> > as a followup update to what's already in spu. debdiff is below.
> >
> > This is fixed in unstable in 2.7.13-4.
>
> Please go ahead.

Thanks, uploaded.

Cheers,
Moritz
Re: Proposed (lib)curl switch to openssl 1.1
Sebastian Andrzej Siewior wrote:
> I did a grep and it seems that all affected users are blocked by
> #858398 except for hhvm.

I have patches to switch HHVM to openssl 1.1, only need to find some time to prepare an upload.

Cheers,
Moritz
Bug#873103: [release.debian.org] Plan for imagemagick7 landing before next stable
On Thu, Aug 24, 2017 at 05:23:53PM +0200, Bastien ROUCARIÈS wrote:
> Package: release.debian.org
> Severity: wishlist
>
> Hi,
>
> I plan to release imagemagick 7 before next stable version. And I want to
> coexist imagemagick6 and imagemagick7.

Why? That means twice the security updates (which are already a big resource hog). We only do that in exceptional cases and this doesn't sound like one. All existing reverse dependencies can be converted before the freeze.

Cheers,
Moritz
Bug#869414: package smplayer/16.11.0~ds0-1+deb9u1
On Sun, Jul 23, 2017 at 12:20:25PM +0200, Mateusz Łukasik wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian@packages.debian.org
> Usertags: pu
>
> Dear SRMs,
>
> I would like to update smplayer in Stretch to fix #869411, it was already
> fixed in unstable.

What about #870233, sounds like a good opportunity to fix that along?

Cheers,
Moritz
Bug#867461: should ca-certificates certdata.txt synchronize across all suites?
On Fri, Jul 21, 2017 at 09:51:45AM -0400, Antoine Beaupré wrote:
> On 2017-07-20 18:15:00, Philipp Kern wrote:
> > On 07/17/2017 09:41 PM, Antoine Beaupré wrote:
> >> Let's not jump the gun here. We're not shipping NSS in ca-certificates,
> >> just a tiny part of it: one text file, more or less.
> >
> > Yeah, and the consensus of the world external to Debian seems to be that
> > this might not be the smartest choice.
>
> I'm not sure I understand what you are proposing as an alternative
> here. Should we stop shipping ca-certificates? Or make it a binary
> package of the NSS source package?

Most distros rebase to the latest NSS release across all supported suites. We also did this once or twice in -security (for changes which were too intrusive to backport) and upstream apparently usually supports this.

But it's quite some effort to test all the reverse deps (that's why backporting isolated fixes is easier in such cases) to ensure no breakage creeps in, so this would need a volunteer to deal with testing reverse deps.

Cheers,
Moritz
Bug#868459: stretch-pu: package libquicktime/2:1.2.4-10+deb9u1
Salvatore Bonaccorso wrote:
> > Unfortunately, I've had to flag the upload for rejection - it's somehow
> > picked up a new dependency on "libschroedinger-1.0-0 (>= 1.0.0)", but
> > that binary package is not in stretch.
>
> Hmm, could it be the building chroot was unclean (contained jessie
> packages?

Meh, indeed. I copied/upgraded my former jessie build environment and that package in fact was still present, will recreate from scratch.

> I took jmm's debdiff, and rebuilt in stretch and
> as well the debdiff against the resulting binary packages and those in
> the archive looked okay.

Thanks.

Cheers,
Moritz
Bug#868459: stretch-pu: package libquicktime/2:1.2.4-10+deb9u1
On Sat, Jul 15, 2017 at 09:19:08PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Sat, 2017-07-15 at 19:12 +0200, Moritz Muehlenhoff wrote:
> > some minor security fixes for libquicktime, identical to what's
> > already in unstable and also tested with reverse deps on stretch.
> >
> > If it's too late for 9.1, 9.2 is also just fine.
>
> Feel free to upload, we'll see if it makes it in time.

Thanks, uploaded.

Cheers,
Moritz
Bug#863915: unblock: webkit2gtk/2.16.3-2
Adam wrote:
> I'm not entirely sure how you think p-u is better placed to do so, given
> the amount of visible testing packages from it get before a point
> release.

It's not necessarily for the additional testing done on p-u (although I personally use it like that and probably others as well), but there's a number of technical features which make spu "suck less" which are currently lacking in the security.debian.org infrastructure:

- Lack of visible apt source for people to test (#817286) (biggest blocker)
- Bottleneck of not being able to delegate allowing maintainers of webkit rdeps to release compatibility updates via security.debian.org (#817285)
- No possibility to trigger binNMUs of rdeps without a sourceful upload (not sure if that's necessary for the changes imposed by newer webkit releases, but it's also a serious problem for go-based apps)

Especially the first two points are critical to address mid-term if we want to ensure security support is sustainable in the years to come. Either by finding new volunteers to work on that or by funding the development of these features in some way.

Cheers,
Moritz
Bug#827061: transition: openssl
On Sat, Jan 28, 2017 at 07:37:09PM +0100, Julien Cristau wrote:
> On Sat, Jun 11, 2016 at 20:59:53 +0200, Kurt Roeckx wrote:
>
> > OpenSSL will soon release a new upstream version with a new
> > soname. This new version will break various packages, see:
> > https://lists.debian.org/debian-devel/2016/06/msg00205.html
> >
> > I'm currently not sure when the release will be ready. I would
> > like to start this transition as soon as possible, but probably
> > after it's actually released. I don't expect this to take long.
> >
> At this point, it seems clear to me that we're getting nowhere fast.
> With the freeze looming in a few days, this is growing to be a very big
> risk for the stretch release.

Why? The last time I saw its status it was down to something like five packages in question. What new RC bugs related to the transition?

Cheers,
Moritz
Re: Draft for taging 32 RC bugs with can-defer, will-remove or is-blocker
Niels Thykier wrote:
>> 852603 virglrenderer can-defer virglrenderer:
>> CVE-2016-10163
>> 852604 virglrenderer can-defer virglrenderer:
>> CVE-2017-5580

This hasn't been in a stable release yet and it's already orphaned. If no one picks it up or fixes it, let's rather remove it.

Cheers,
Moritz
Re: embedding openssl source in sslcan
On Thu, Jan 05, 2017 at 09:39:16PM +0100, Sebastian Andrzej Siewior wrote:
> On 2016-12-31 17:35:47 [+0100], Julien Cristau wrote:
> > Is this really something we need to be shipping? If yes, I'd personally
> > really like this to get an explicit exemption from normal policy by the
> > security team, so please talk to them (debian-security@ldo is not it).
>
> I have been made aware of my mistake and I bounced the original email to
> security@d.o with no response yet. I haven't got any response from them
> yet so it looks like sslscan will link against libssl1.0.

I did reply to you (as did Thijs), but as mentioned before there's no need for that code copy in _stretch_, since 1.0.2 should still provide ample legacy support.

Cheers,
Moritz
Bug#829606: jessie-pu: package duck/0.7+deb8u1
On Sun, Aug 28, 2016 at 03:55:24PM +0100, Adam D. Barratt wrote:
> Control: tags -1 +confirmed -moreinfo
>
> [re-ordered]
>
> > On 2016-07-29 at 14:20, Julien Cristau wrote:
> > > Control: tag -1 moreinfo
> > >
> > > On Mon, Jul 4, 2016 at 18:22:46 +0200, Simon Kainz wrote:
> [...]
> > >> Paul Wise found out that duck runs untrusted code from the current
> > >> directory as well as the ./lib and ./lib/checks directory. The
> > >> attached patch fixes this issue.
> > >>
> > > Hi,
> > >
> > > any chance of a diff from git diff -M or similar so the actual changes
> > > are easier to spot?
>
> On Mon, 2016-08-01 at 20:41 +0200, Simon Kainz wrote:
> > Ok, please see the attached patch, which is the same as the previous
> > one, but cleaned up - i made a diff without committing all my changes,
> > so git had a hard time recognising rename vs. delete new.
>
> The changelog says "jessie-security" - with that changed to simply
> "jessie", please go ahead.

Simon, what's the status here?

Cheers,
Moritz
Bug#843905: jessie-pu: package akonadi/1.13.0-2+deb8u2
> > The latest security upload of mysql-5.5 breaks akonadi-backend-mysql in > stable, > this is due to a change in the compiled-in configuration values that are > incompatible with the ones shipped in the akonadi backend *. > > In the bug #843520 [1] the mysql maintainers requested this to be fixed on > the akonadi side. > > The bug #843534 currently tracks the akonadi side of things, sadly we have > some contradicting user reports. But according to our tests this upload fixes > the issue caused by the mysql-5.5 upload, we may need to further investigate > the problems that aren't fixed with this. > > I'm not completely sure if it would be better to upload this change as a > security upload as a way to retain archive consistency, in any case I would > wait for a green flag from the release team before uploading this. Let's fix this via security.debian.org, it reaches people's systems quicker and the (legit) mysql change was introduced via a security after all. > +akonadi (1.13.0-2+deb8u2) stable-proposed-updates; urgency=medium Please let that point to jessie-security instead of stable-proposed-updates, build with -sa (since akonadi is new in jessie-security) and upload to security-master. I'll take care of the update. Cheers, Moritz
Re: Porter roll call for Debian Stretch
Niels Thykier wrote:
> If I am to support powerpc as a release architecture for Stretch, I
> need to know that there are *active* porters behind it committed to
> keeping it in the working. People who would definitely catch such
> issues long before the release. People who file bugs / submit patches etc.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832931 is about a powerpc-specific build failure of mariadb in stable. The maintainer said he can't work on it, so if anyone considers himself/herself a powerpc porter, this is something to look at.

Cheers,
Moritz
Re: Bug#839226: [PATCH] cups : SSL is vulnerable to POODLE
Hi Didier,

> Have we removed protocols' support in {old,}stable before?.

We have done that on a case-by-case basis via point updates in the past, seems also fine here.

Cheers,
Moritz
Re: Porter roll call for Debian Stretch
John Paul Adrian Glaubitz wrote:
> On 09/20/2016 11:16 PM, Niels Thykier wrote:
>>- powerpc: No porter (RM blocker)
>
> I'd be happy to pick up powerpc to keep it for Stretch.

Great, please look into the mariadb build failure reported at #832931.

Cheers,
Moritz
Re: The (uncalled for) toolchain maintainers roll call for stretch
Matthias Klose wrote:
> Afaiu the security team also doesn't care
> about these ports when they fail to build for security updates.

Indeed. The openjdk updates are already really time-consuming, we can't afford additional update rounds for exotic archs without official upstream support.

Cheers,
Moritz
Bug#829136: jessie-pu: package harfbuzz/0.9.35-2+deb8u1
On Sat, Aug 13, 2016 at 10:33:32AM +0200, Julien Cristau wrote: > Control: tag -1 moreinfo > > On Thu, Jun 30, 2016 at 22:19:11 +0200, Moritz Muehlenhoff wrote: > > > Package: release.debian.org > > Severity: normal > > Tags: jessie > > User: release.debian@packages.debian.org > > Usertags: pu > > > > Attached debdiff fixes a non-severe security issue in harfbuzz. > > I've been using that for a few weeks on my jessie desktop. > > > > Cheers, > > Moritz > > > > diff -Nru harfbuzz-0.9.35/debian/changelog harfbuzz-0.9.35/debian/changelog > > --- harfbuzz-0.9.35/debian/changelog2014-10-30 13:58:05.0 > > +0100 > > +++ harfbuzz-0.9.35/debian/changelog2016-05-30 23:50:45.0 > > +0200 > > @@ -1,3 +1,10 @@ > > +harfbuzz (0.9.35-2+deb8u1) jessie; urgency=medium > > + > > + * Backport upstream commit 613e630617074eb9b62b794cc37c9b42a7fb079b to > > address > > +CVE-2016-2052 > > + > > + -- Moritz Mühlenhoff <j...@debian.org> Mon, 30 May 2016 23:49:46 +0200 > > + > > harfbuzz (0.9.35-2) unstable; urgency=medium > > > >* debain/clean: Remove test/shaping/*.pyc during clean > > According to https://bugzilla.redhat.com/show_bug.cgi?id=1301553#c6 > CVE-2016-2052 is linked to a different commit, can you clarify? Hmm, there seems to have been some reshuffling of CVE mappings, also another minor issue came up. I'll revise. Cheers, Moritz
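Review bot: The new changelog entry names upstream commit 613e630617074eb9b62b794cc37c9b42a7fb079b as the fix for CVE-2016-2052 but gives no description of the flaw and no bug reference, so the commit-to-CVE mapping cannot be checked from the entry itself. Add a one-line description of the issue and a bug or tracker reference next to the commit id, and confirm the mapping against the CVE assignment before upload.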
Re: Bug#834327: jessie-pu: package gnupg2/2.0.26-6+deb8u1
Aurelien Jarno wrote:
> On 2016-08-14 16:00, Salvatore Bonaccorso wrote:
>> Package: release.debian.org
>> Severity: normal
>> Tags: jessie
>> User: release.debian@packages.debian.org
>> Usertags: pu
>>
>> Dear SRM
>>
>> I would like to propose the following hardening to src:gnupg2 which was
>> found during the analysis of a vulnerability report to the security team
>> and related to
>> https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_razavi.pdf
>> and developed by NIIBE Yutaka. The underlying problem in hardware cannot
>> be solved in software (and thus we don't want to issue a DSA for it, and
>> give possibly this false impression), and as pointed out by Florian
>
> I wonder if it would be a good idea to release an announcement without
> any software change recommending people to not enable KSM on their
> hosts?

I think a NEWS file for the kernel would be best?

Cheers,
Moritz
Bug#829135: jessie-pu: package python2.7/2.7.9-2+deb8u1
On Tue, Jul 12, 2016 at 09:55:23PM +0100, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Thu, 2016-06-30 at 22:17 +0200, Moritz Muehlenhoff wrote: > > +python2.7 (2.7.9-2+deb8u1) jessie; urgency=medium > > + > > + * Backport upstream commit b3ce713fb9beebfff9848cefa0acbd59acc68fe9 > > +to address StartTLS stripping attack in smtplib (CVE-2016-0772) > > + * Backport upstream commit 985fc64c60d6adffd1138b6cc46df388ca91ca5d > > +to address integer overflow in zipimporter (CVE-2016-5636) > > + * Backport upstream commit 1c45047c51020d46246385949d5c02e026d47320 > > +to address HTTP header injection (CVE-2016-5699) > > Please go ahead. Uploaded. Cheers, Moritz
Bug#829136: jessie-pu: package harfbuzz/0.9.35-2+deb8u1
On Tue, Jul 12, 2016 at 09:56:12PM +0100, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Thu, 2016-06-30 at 22:19 +0200, Moritz Muehlenhoff wrote: > > +harfbuzz (0.9.35-2+deb8u1) jessie; urgency=medium > > + > > + * Backport upstream commit 613e630617074eb9b62b794cc37c9b42a7fb079b to > > address > > +CVE-2016-2052 > > Please go ahead. Thanks, uploaded. Cheers, Moritz
Re: Dropping src:torque from archive? (was: Re: Bug#767411: torque: should not be released with jessie)
On Sat, May 28, 2016 at 08:32:04PM +0200, Salvatore Bonaccorso wrote:
> Hi all,
>
> On Sat, Nov 01, 2014 at 08:50:05PM +0100, Moritz Mühlenhoff wrote:
> > On Sat, Nov 01, 2014 at 02:30:02PM -0400, Michael Gilbert wrote:
> > > On Sat, Nov 1, 2014 at 11:46 AM, Salvatore Bonaccorso wrote:
> > > > Given Dominique's reply on #767411, from my POV I think the best
> > > > solution would be to remove torque completely for jessie (i.e. first
> > > > drop support from openmpi to be able to remove the package and
> > > > remaining reverse dependencies).
> > >
> > > 4 wheezy DSAs doesn't necessarily sound that horrible, so I don't
> > > think we're clearly at the point where torque should be considered
> > > unsupportable. Maybe the patch backports were an incredible amount of
> > > work?
> >
> > Well, but the 2.4 branch is already no longer unsupported upstream
> > and we shouldn't knowingly introduce it into a release which will be
> > supported for five more years.
> >
> > > The package does clearly need to be orphaned, so someone can step up
> > > post-jessie to get the package in sync with upstream.
> >
> > As written by Dominique that's not possible for license reasons.
>
> In meanwhile openmpi has dropped the torque dependency.
>
> Should we have src:torque and src:pbs-drmaa be removed from the
> archive?

I think so.

Cheers,
Moritz
Bug#818549: jessie-pu: package icedtea-web/1.5.3-1
On Tue, May 24, 2016 at 09:34:49PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Thu, 2016-03-17 at 23:06 +0100, Moritz Muehlenhoff wrote:
> > I'd like to update icedtea-web in jessie to 1.5.3 in the next
> > jessie point release. This fixes two security issues (CVE-2015-5234,
> > CVE-2015-5235), which are not easily backportable, so I rather made
> > the update to the minor point update which fixes those (similar
> > to what we do with openjdk-7 itself).
> >
> > I've tested this on a jessie with various web applets I could
> > find (fortunately finding these in the wild is becoming increasingly
> > difficult!).
> >
> > The debdiff is here: https://people.debian.org/~jmm/icedtea-web.debdiff
> > (the actual change to the debian/ directory is just the changelog
> > entry bump). Ubuntu has also updated to those point bugfix updates
> > in USNs for a while now.
>
> I'm not exactly overjoyed by the size of the diff, but it's Java is
> stable, so I'm just going to close my eyes and assume you know what
> you're doing. :-)

Thanks :-) Uploaded.

Cheers,
Moritz
Bug#825127: RM: mediawiki/1:1.19.20+dfsg-2.3
On Mon, May 23, 2016 at 09:48:30PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo jessie
>
> On Mon, 2016-05-23 at 22:33 +0200, Moritz Muehlenhoff wrote:
> > please remove mediawiki in the upcoming jessie point release. Security
> > support for it was limited for a year as mentioned in the release notes:
> > https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#mediawiki-security
>
> Checking reverse dependencies...
> # Broken Depends:
> fusionforge: fusionforge-plugin-mediawiki
> mediawiki-math: mediawiki-extensions-math
>
> mediawiki-math is collateral damage, but dropping fusionforge for the
> sake of a single plugin seems a little overkill. :-)

Adding Roland Mas to CC. Could you maybe drop the fusionforge-plugin-mediawiki binary package for the upcoming jessie point release?

Cheers,
Moritz
Bug#818549: jessie-pu: package icedtea-web/1.5.3-1
On Thu, Mar 17, 2016 at 11:06:05PM +0100, Moritz Muehlenhoff wrote:
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu
>
> Hi,
> I'd like to update icedtea-web in jessie to 1.5.3 in the next
> jessie point release. This fixes two security issues (CVE-2015-5234,
> CVE-2015-5235), which are not easily backportable, so I rather made
> the update to the minor point update which fixes those (similar
> to what we do with openjdk-7 itself).
>
> I've tested this on a jessie with various web applets I could
> find (fortunately finding these in the wild is becoming increasingly
> difficult!).
>
> The debdiff is here: https://people.debian.org/~jmm/icedtea-web.debdiff
> (the actual change to the debian/ directory is just the changelog
> entry bump). Ubuntu has also updated to those point bugfix updates
> in USNs for a while now.

ping for the upcoming point update.

Cheers,
Moritz
Bug#822616: jessie-pu: package poppler/0.26.5-2+deb8u1
On Mon, Apr 25, 2016 at 07:16:02PM +0200, Pino Toscano wrote:
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu
>
> Hi,
>
> simple jessie-pu for poppler, just fixed in unstable, which fixes
> CVE-2015-8868; attached debdiff.
>
> I guess I need to do binary uploads in (old-)stable, right?

Let's fix this via security.debian.org. Please change the distribution target to "jessie-security" and build with "-sa" to include the orig tarball (since poppler is new in the jessie security suite). security-master needs binary uploads.

Cheers,
Moritz
Re: New oldstable-proposed-updates diff: tomcat6 6.0.45+dfsg-1~deb7u1
On Tue, Mar 29, 2016 at 11:23:30PM +0200, Markus Koschany wrote:
> On 29.03.2016 at 23:01, Moritz Mühlenhoff wrote:
> > On Tue, Mar 29, 2016 at 10:03:56PM +0200, Markus Koschany wrote:
> >> The Security Team decided to mark the issues in Jessie as no-dsa because
> >> we only ship the servlet API and documentation in this release which
> >> can't be affected by security vulnerabilities at all. I wouldn't mind
> >> uploading the 6.0.45+dfsg-1~deb8u1 to Jessie but I think we can safely
> >> ignore the version number skew in this case. All Wheezy users who update
> >> to Jessie will keep 6.0.45+dfsg-1~deb7u1 for the servlet API and Jessie
> >> only users will continue to use 6.0.41. They will not be placed in a
> >> worse position.
> >>
> >> If you feel more comfortable with an updated source package in Jessie, I
> >> will gladly upload this one to Jessie.
> >
> > I missed the wheezy > jessie version skew aspect. In that case let's also
> > upgrade tomcat6 in jessie even though it's a NOP.
> >
> > But all those rdeps of libservlet2.5-java should really be upgraded
> > to libservlet3.1-java.
> >
> > Cheers,
> > Moritz
>
> [putting debian-java in the loop]
>
> I will upload a Jessie update of Tomcat 6 tomorrow.

Ok.

> Please note that
> changing the rdeps of libservlet2.5-java to libservlet3.1-java is one of
> our goals for Stretch. [1]

Ok, nice.

Cheers,
Moritz
Bug#818615: jessie-pu: package gtk+2.0
On Thu, Mar 24, 2016 at 06:35:55AM +, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Wed, 2016-03-23 at 23:12 +0100, Moritz Mühlenhoff wrote: > [...] > > > > > On Fri, 2016-03-18 at 19:33 +0100, Moritz Muehlenhoff wrote: > > > > > > I'd like to fix a security issue in GTK, which doesn't really > > > > > > warrant > > > > > > a DSA. Debdiff below, I've been running this on my jessie > > > > > > workstation for a day now. > > > > > > > > > > > > Cheers, > > > > > > Moritz > > > > > > > > > > > > diff -Nru gtk+2.0-2.24.25/debian/changelog > > > > > > gtk+2.0-2.24.25/debian/changelog > > > > > > --- gtk+2.0-2.24.25/debian/changelog2015-03-03 > > > > > > 19:39:59.0 +0100 > > > > > > +++ gtk+2.0-2.24.25/debian/changelog2016-03-17 > > > > > > 23:20:16.0 +0100 > > > > > > @@ -1,3 +1,9 @@ > > > > > > +gtk+2.0 (2.24.25-3+deb8u1) jessie; urgency=medium > > > > > > + > > > > > > + * CVE-2013-7447 (Closes: #799275) > [...] > > This is now in unstable: > > https://packages.qa.debian.org/g/gtk+2.0/news/20160323T215045Z.html > > Thanks. Please go ahead. Uploaded. Cheers, Moritz
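Review bot: The single changelog bullet "* CVE-2013-7447 (Closes: #799275)" has no verb and no description, so the entry does not say what was changed or which patch carries the fix. State the fix in one line (the affected component and the patch or upstream commit applied) ahead of the CVE id and bug number.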
Bug#819119: jessie-pu: package libsndfile/1.0.25-9.1+deb8u1
On Wed, Mar 23, 2016 at 10:11:32PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Wed, 2016-03-23 at 22:56 +0100, Moritz Muehlenhoff wrote:
> > Another update for no-dsa security issues, this time in libsndfile.
> > The patches have been used in unstable for over four months, the
> > extensive test suite passes and I made additional functionality tests
> > with the resulting build.
>
> Please go ahead.

Thanks, uploaded.

Cheers,
Moritz
Bug#818615: jessie-pu: package gtk+2.0
tags 818615 -moreinfo thanks On Tue, Mar 22, 2016 at 07:56:40PM +, Adam D. Barratt wrote: > On Fri, 2016-03-18 at 20:58 +0100, Salvatore Bonaccorso wrote: > > HI Adam, > > > > Not Moritz here but can answer the question as well: > > > > On Fri, Mar 18, 2016 at 07:22:34PM +, Adam D. Barratt wrote: > > > Control: tags -1 + moreinfo > > > > > > On Fri, 2016-03-18 at 19:33 +0100, Moritz Muehlenhoff wrote: > > > > I'd like to fix a security issue in GTK, which doesn't really warrant > > > > a DSA. Debdiff below, I've been running this on my jessie > > > > workstation for a day now. > > > > > > > > Cheers, > > > > Moritz > > > > > > > > diff -Nru gtk+2.0-2.24.25/debian/changelog > > > > gtk+2.0-2.24.25/debian/changelog > > > > --- gtk+2.0-2.24.25/debian/changelog2015-03-03 19:39:59.0 > > > > +0100 > > > > +++ gtk+2.0-2.24.25/debian/changelog2016-03-17 23:20:16.0 > > > > +0100 > > > > @@ -1,3 +1,9 @@ > > > > +gtk+2.0 (2.24.25-3+deb8u1) jessie; urgency=medium > > > > + > > > > + * CVE-2013-7447 (Closes: #799275) > > > > > > The Security Tracker suggests that this isn't fixed in the version of > > > gtk+2.0 in unstable; is that correct? > > > > Yes it is as well unfixed there. I just have proposed a NMU in > > https://bugs.debian.org/799275#39 > > Thanks for that. > > If we don't notice, please feel free to remove the "moreinfo" tag once > the NMU reaches unstable. This is now in unstable: https://packages.qa.debian.org/g/gtk+2.0/news/20160323T215045Z.html Cheers, Moritz
Bug#818801: jessie-pu: package cairo/1.14.0-2.1+deb8u1
On Sun, Mar 20, 2016 at 06:43:48PM +, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Sun, 2016-03-20 at 19:33 +0100, Moritz Muehlenhoff wrote: > > +cairo (1.14.0-2.1+deb8u1) jessie; urgency=medium > > + > > + * Fix CVE-2016-3190 > > I'd prefer a slightly more detailed changelog, but please go ahead. Thanks, uploaded. Cheers, Moritz
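Review bot: The only changelog bullet is "Fix CVE-2016-3190", which names neither the flaw nor the patch that addresses it. Extend it with the affected code path and the patch file or upstream commit so the entry can be audited against the tracker later.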
Bug#818150: jessie-pu: package php5/5.6.19+dfsg-0+deb8u1
On Mon, Mar 14, 2016 at 11:00:12AM +0100, Ondřej Surý wrote:
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu
>
> Hi,
>
> security team still seems to be heavily overloaded, so I am hoping we
> can do this via jessie-pu again.
>
> We need to update 5.6.17+dfsg-0+deb8u1 to 5.6.19+dfsg-0+deb8u1 as
> there were several security updates between the releases:

Ack from my side, there's nothing urgent in there, these could go via spu.

Cheers,
Moritz
Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2
On Sun, Feb 28, 2016 at 07:42:46PM +0100, Salvatore Bonaccorso wrote: > Hi Markus, > > Just one note: > > On Sun, Feb 28, 2016 at 06:22:08PM +0100, Markus Frosch wrote: > > +php-dompdf (0.6.1+dfsg-2+deb8u1) UNRELEASED; urgency=medium > > + > > + * Non-maintainer upload. > > + * [22610bd] Add 0.6.2 hotfix patch (Closes: #813849) > > + > > +Fixes CVE: > > +* CVE-2014-2383 > > +* CVE-2014-5011 > > +* CVE-2014-5012 > > +* CVE-2014-5013 > > CVE-2014-2383 should actually be already fixed in 0.6.1+dfsg-1. Is > that wrong? > > https://security-tracker.debian.org/tracker/CVE-2014-2383 > https://bugs.debian.org/745619 Markus? Cheers, Moritz
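Review bot: The changelog header still carries the UNRELEASED distribution, which has to be set to the real target suite before a jessie-pu upload. The "Fixes CVE:" list should also contain only issues this patch actually fixes, so each of the four CVE ids needs to be checked against the fixed-in versions recorded in the security tracker before the entry is finalised.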
Re: Opinion about linux-grsec in a stable release
On Wed, Mar 02, 2016 at 09:01:34PM +0100, Yves-Alexis Perez wrote:
> On Wed, 2016-03-02 at 20:06 +0100, Moritz Muehlenhoff wrote:
> > Before considering that, did anyone approach grsecurity whether we can get
> > access to the grsecurity stable patches? We would most definitely have
> > Debian funds to become grsecurity sponsors to obtain access to stable
> > patches.
>
> I think that'd be something nice anyway, but…
>
> > Whether that's possible/desirable by grsecurity is the question, though:
> > Having the stable patches in Debian would make them available to the
> > general public (including those sleazy embedded companies which made them
> > change their distribution scheme).
>
> Indeed, I didn't even bother to ask because when you gain access to the stable
> patches, you commit yourself to not make them available publicly, which is
> obviously exactly what we would do.

It's the release team's call, but IMO unless upstream changes their policy to allow public access to stable patches again, this seems rather like a case for a PPA or possibly backports (but they generally require backports from what is in testing).

Cheers,
Moritz
Dropping jasper from stretch
Hi,

see 812630/816228 (also discussed with Roland): Security team would like to drop jasper from stretch (and eventually from the archive). Some high-profile users like gdk-pixbuf already had it dropped some time ago.

Ok with the release team? Could you please set up a removal/transition tracker for this for easier tracking?

Bugs would be filed with "important" severity and bumped to RC grade after some weeks so that autoremovals can work their magic for packages which hadn't been adapted by then.

Cheers,
Moritz
Re: wheezy-security to wheezy-lts transition
On Mon, Feb 22, 2016 at 06:42:20PM +0100, Guido Günther wrote: > Hi Adam, > On Sat, Feb 20, 2016 at 02:27:27PM +, Adam D. Barratt wrote: > > [apologies to anyone who's ended up with three copies of this; the > > original got eaten due to a misconfiguration on my side - please only > > reply to this copy] > > > > Hi, > > > > As I understand it, the plan is for wheezy-lts to re-use > > security.d.o:wheezy/updates directly, rather than a separate suite on > > ftp-master. Is that correct? > > I think so. See > > > https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=prep-wheezy-lts;users=debian-...@lists.debian.org While these two are long-standing enhancement bugs which would make the security team's work much easier, they are unrelated to the plan outlined above. That plan was mentioned during the DebConf BoF, but I'm not aware that anyone is working on that and I'm unsure whether it's feasible to implement in time? Especially since even far simpler changes like the two mentioned above are open for quite a long time. Cheers, Moritz
Re: Kernel version for stretch
On Thu, Jan 28, 2016 at 08:15:30PM +, Ben Hutchings wrote: > On Thu, 2016-01-28 at 20:01 +0100, Moritz Mühlenhoff wrote: > > Ben Hutchings <b...@decadent.org.uk> wrote: > > > For stretch, I would very much like to choose a kernel version for > > > stretch that gets longterm maintenance by Greg Kroah-Hartman. That > > > lasts 2 years from release, after which someone else (maybe me) can > > > take over. > > > > Luis Henriques and Kamal Mostafa maintain the ckt stable kernels > > for Ubuntu-non-LTS releases for two years. > > Not in general; it can be as little as 12 months (e.g. 3.11-ckt). I would need to confirm that, but AFAICS the non-LTS kernels after 3.11 are all maintained for two years (since they are now made available as "hardware enablement kernels" for the Ubuntu LTS releases). > > We could base the stretch kernel on the underlying ckt kernel > > series used for Ubuntu 16.04 or 16.10? > > Given the politics involved, I would rather not do that twice in a row. Ok. Cheers, Moritz
Re: Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: [debian-mysql] Bug#793316: transition: mysql-5.6]
On Fri, Jan 15, 2016 at 04:09:58PM +0100, Norvald H. Ryeng wrote: > so I'll need the complete list of > requirements first. The Debian MySQL team has asked for a list, in > writing, several times now, but that list has not been produced. Here's what it essentially boils down to:
- Public, non-discriminatory access, we don't sign NDAs
- Public mapping between CVE IDs and patches (or commit IDs to a public VCS)
- If the patches don't have meaningful commit messages on the nature of the change, provide a contact who is willing to answer questions for backports or impact
Cheers, Moritz
Re: Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: [debian-mysql] Bug#793316: transition: mysql-5.6]
On Mon, Jan 11, 2016 at 08:14:06PM +, Robie Basak wrote: > On Mon, Jan 11, 2016 at 07:27:30PM +0100, Moritz Mühlenhoff wrote: > > *Sigh*. And that is exactly the problem (and we've already pointed this > > out at DebConf half a year ago) > > > > We should really go ahead and move forward, the freeze isn't terribly far > > away. > > I don't think it's reasonable to use a security question raised by > MariaDB as an excuse to kick out MySQL. Because whether you do so or > not, your situation with getting information about CVEs in relation to > MariaDB will not change. > > Let's treat the situation with each on their own merits and be > constructive about this. This policy equally hurts us for mysql alone. Debian LTS had to go through a messy 5.1-5.5 transition because of Oracle's policies. > That *is* something that might be able to be addressed directly by > Oracle, and if it does get addressed then MariaDB's situation could > improve too, and Debian wins. We've already raised this at DebConf with Norvald from Oracle half a year ago and nothing happened. Several other parties didn't get these infos from Oracle in the past (not even Red Hat). The VirtualBox developers were equally shut down by Oracle (after being cooperative for a while). I see no chance that this will really happen. We'll definitely not wait for it and we need to make a move ASAP. The freeze is only like eight months away and a transition from mysql to mariadb takes its time. > So please: the security team needs to engage directly with Oracle by > responding to Norvald's email and enumerating exactly what is wrong. > Otherwise nobody can reasonably claim about what Oracle is not doing in > relation to security, because the security team refuses to say what the > problem is. *sigh* That has already been raised multiple times and it was all reported to Oracle at DebConf. 
Information about specific security issues and their mapping to fixes (just like raised by Otto, which explains the need very well) need to be publicly available (we're unable and unwilling to sign an NDA). This is EOD from my side. This has all been discussed to death and I won't spend further time on this. Cheers, Moritz
Re: Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: [debian-mysql] Bug#793316: transition: mysql-5.6]
On Mon, Jan 11, 2016 at 02:13:40PM +0100, Norvald H. Ryeng wrote: > On Mon, 11 Jan 2016 13:59:07 +0100, Otto Kekäläinen wrote: > > >2016-01-11 13:54 GMT+02:00 Norvald H. Ryeng : > >>On Mon, 28 Dec 2015 13:28:18 +0100, Otto Kekäläinen > >>wrote: > >> > >>>Hello! > >>> > >>>2015-12-23 16:39 GMT+02:00 Norvald H. Ryeng : > >>>.. > > I know we are a bit tight with info about security issues upstream, > but > all > security bugfixes are available at > https://github.com/mysql/mysql-server > as > individual commits, and a list of CVEs fixed is reported quarterly > according > to a published schedule. Apparently that's not enough. > >>> > >>> > >>>As a side note related to this, can you please tell us in what commit > >>>CVE-2015-4913 and CVE-2015-4737 were fixed? You probably have access to > >>>some > >>>internal security tracker where you can look this up, and both CVEs are > >>>already relatively old, so you would not be releasing any sensitive > >>>security > >>>info. > >> > >> > >>All I have is what is public: CVE-2015-4913 was included in the latest > >>Critical Patch Update in October and was fixed in 5.5.46 and 5.6.27. > >>CVE-2015-4737 was included in the July Critical Patch Update and was > >>fixed > >>in 5.5.44 and 5.6.24. Since Debian is already at 5.5.46, these don't > >>affect > >>Debian any more. > >> > >>If you're asking because you want to know if these have been fixed in > >>MariaDB, I think you should ask MariaDB upstream instead. > > > >Nobody outside Oracle can answer this. Oracle has reserved certain CVE > >numbers for their use and as there are no details in the CVE entries (just > >a version number when it was fixed) nobody outside Oracle can actually > >tell what the security issue or the fix was. Above you indicated that > >those fixes are visible in individual commits, so I was trying my luck > >if you would be able to give the information which commits those CVEs > >are. 
> > I usually don't work on security issues, and I don't have the mapping you're > asking for. *Sigh*. And that is exactly the problem (and we've already pointed this out at DebConf half a year ago) We should really go ahead and move forward, the freeze isn't terribly far away. Cheers, Moritz
Bug#765639: Bug#802159: New OpenSSL upstream version
Hi, Personally I'm in favour of following the openssl point updates and I'd like to add an additional data point to the discussion: CVE-2015-3196 was already fixed as a plain bugfix in an earlier point release, but the security impact was only noticed later on, so following the point updates would have fixed this bug five months ago. (http://www.openssl.org/news/secadv/20151203.txt for details) Cheers, Moritz
Bug#803336: RM: mopidy/1.1.1-1
On Thu, Oct 29, 2015 at 08:48:27AM +, Julien Cristau wrote: > On Wed, Oct 28, 2015 at 23:06:07 +0100, Moritz Muehlenhoff wrote: > > > Package: release.debian.org > > Severity: normal > > User: release.debian@packages.debian.org > > Usertags: rm > > > > Hi, > > please remove mopidy as part of the gstreamer 0.10 > > removal. According to the PTS this should have been > > auto-removed, but for some reason that didn't happen: > > > > Marked for autoremoval on 16 October: > > * The removal of mopidy will also cause the removal of > > (transitive) reverse dependencies: mopidy-alsamixer > > mopidy-beets mopidy-dirble mopidy-local-sqlite mopidy-mpris > > mopidy-scrobbler mopidy-tunein mopidy-youtube > > > britney says: > > * amd64: mopidy-alsamixer, mopidy-beets, mopidy-dirble, > mopidy-local-sqlite, mopidy-mpris, mopidy-scrobbler, mopidy-tunein, > mopidy-youtube > > Those rdeps aren't marked for removal yet: Oh, I thought these were removed along right away automatically. Can we do that manually instead? mopidy is the last blocker for the removal of further gst0.10-plugins and the 0.10 python bindings from testing: remove mopidy-alsamixer/1.0.3-3 mopidy-beets/2.0.0-2 mopidy-dirble/1.1.2-2 mopidy-local-sqlite/1.0.0-1 mopidy-mpris/1.3.1-1 mopidy-scrobbler/1.1.1-3 mopidy-tunein/0.2.2-2 mopidy-youtube/2.0.0-2 remove mopidy/1.1.1-1 Cheers, Moritz
Bug#803410: jessie-pu: package libvdpau/0.8-3+deb8u2
On Thu, Oct 29, 2015 at 07:52:23PM +, luca wrote: > Package: release.debian.org > Severity: normal > Tags: jessie > User: release.debian@packages.debian.org > Usertags: pu > > Dear release team, > > We would like to update libvdpau in jessie to address a segmentation fault in > a > particular use case. > > 0.8-3+deb8u1 was uploaded through jessie-security with an upstream fix for 3 > security bugs: CVE-2015-5198 CVE-2015-5199 CVE-2015-5200 (see > https://bugs.debian.org/797895). If that bug was introduced through a security update, we usually also fix the regression in a DSA. Alessandro, since you took care of the DSA for libvdpau, could you look into this? Cheers, Moritz
Bug#796281: jessie-pu: package pcre3/2:8.35-3.3+deb8u1
On Tue, Sep 15, 2015 at 09:16:48PM +0100, Adam D. Barratt wrote: > Control: tags -1 -moreinfo +confirmed > > On Fri, 2015-09-11 at 20:24 +0200, Moritz Mühlenhoff wrote: > > On Fri, Aug 21, 2015 at 03:59:15PM +0100, Adam D. Barratt wrote: > > > Control: tags -1 + moreinfo > > > > > > On Fri, 2015-08-21 at 01:35 +0200, Moritz Muehlenhoff wrote: > > > > This update fixes four minor security issues which don't warrant > > > > a DSA. These have been tested in a production setup and were > > > > working fine there. > > > [...] > > > > + * CVE-2015-2325 CVE-2015-2326 CVE-2015-3210 CVE-2015-5073 > > > > > > The BTS and Security Tracker indicate that the first three of those > > > aren't fixed in unstable yet; is that correct? > > > > Now fixed in unstable in 2:8.35-7.2. > > Thanks; please feel free to upload. Done. Cheers, Moritz
Bug#796281: jessie-pu: package pcre3/2:8.35-3.3+deb8u1
On Fri, Aug 21, 2015 at 03:59:15PM +0100, Adam D. Barratt wrote: > Control: tags -1 + moreinfo > > On Fri, 2015-08-21 at 01:35 +0200, Moritz Muehlenhoff wrote: > > This update fixes four minor security issues which don't warrant > > a DSA. These have been tested in a production setup and were > > working fine there. > [...] > > + * CVE-2015-2325 CVE-2015-2326 CVE-2015-3210 CVE-2015-5073 > > The BTS and Security Tracker indicate that the first three of those > aren't fixed in unstable yet; is that correct? Now fixed in unstable in 2:8.35-7.2. Cheers, Moritz
Bug#786830: wheezy-pu: package debian-security-support
On Sat, Aug 29, 2015 at 04:15:55PM +0100, Adam D. Barratt wrote: Control: tags -1 + confirmed On Mon, 2015-05-25 at 23:13 +0200, Moritz Muehlenhoff wrote: it has been requested multiple times to also provide debian-security-support for wheezy. All the data relevant for wheezy is already present in the version in unstable, so this boils down to a simple rebuild. I've tested the package on a wheezy system. May I upload? Please go ahead, and let us know once the package hits NEW so that we can poke the ftp team. I've just uploaded it. On a related note, what's the plan for keeping the package updated in wheezy and jessie? Will e.g. 2015.07.11 be backported, or will there be wheezy / jessie-specific uploads from now on? If we need to end-of-life a package in jessie or wheezy, we'll update it through security.debian.org, but these will be limited to updating the security-support-ended.deb[89] files unless there's some bugfix which needs to be backported. Cheers, Moritz
Bug#796281: jessie-pu: package pcre3/2:8.35-3.3+deb8u1
On Fri, Aug 21, 2015 at 03:59:15PM +0100, Adam D. Barratt wrote: Control: tags -1 + moreinfo On Fri, 2015-08-21 at 01:35 +0200, Moritz Muehlenhoff wrote: This update fixes four minor security issues which don't warrant a DSA. These have been tested in a production setup and were working fine there. [...] + * CVE-2015-2325 CVE-2015-2326 CVE-2015-3210 CVE-2015-5073 The BTS and Security Tracker indicate that the first three of those aren't fixed in unstable yet; is that correct? No, but these are backports from current upstream and I suppose Matthew will simply move to a new upstream version at some point. Cheers, Moritz
Re: Bug#793316: [debian-mysql] Bug#793316: transition: mysql-5.6
Clint Byrum spam...@debian.org wrote: I'd be interested to hear the security team's impressions on how shipping micro releases of MySQL has gone for them. We're planning to discuss that at DebConf (and will also include the release team). Sure they have a _ridiculous_ policy about not telling us what the actual security problems were. And this is actually a grave problem: Due to that policy there's no longer any security support for mysql in squeeze. Cheers, Moritz -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/slrnmr242b.dkr@inutil.org
Re: Bug#763148: Prevent migration to jessie
Andreas Cadhalpun wrote: But having mysql-5.5 and mariadb-10.0 in jessie is apparently no problem, despite previous claims. What's the difference? To properly migrate over a daemon they need to co-exist for a stable release, while a lib does not. Stretch will only have one of them. How do you think this should go forward? When someone made a strawpoll amongst the multimedia maintainers last year it boiled down to libav for jessie, since it's now too late. You should revisit that decision now that the release cycle has started. (Beside pkg-multimedia-maintainers, this certainly also includes maintainers like Balint which maintain relevant multimedia apps outside of pkg-multimedia-maintainers.) If no convincing/clear majority can be reached, let the CTTE decide. Having both for a year along each other will only waste people's time. Now at the beginning of the release cycle is the time to make a decision, not by dragging things into a year as of today. Picking one of the two won't be any simpler in 12 months. Cheers, Moritz Archive: https://lists.debian.org/20150429182256.GA28385@pisco.westfalen.local
Re: Bug#763148: Prevent migration to jessie
On Wed, Apr 29, 2015 at 08:33:07PM +0200, Andreas Cadhalpun wrote: Having both for a year along each other will only waste people's time. Now at the beginning of the release cycle is the time to make a decision, not by dragging things into a year as of today. Picking one of the two won't be any simpler in 12 months. I just fear that the decision making process will take long, especially if the TC has to get involved. (The libjpeg-turbo TC decision took 1 year.) Having ffmpeg in testing during this time would be nice, e.g. so that people using testing can easily compare them. Was that not what you meant with [1]: It certainly possible to have them co-exist for a year or so Honestly at this point I don't believe we'll need a year to sort out whether it'll be libav or ffmpeg. I'll refrain from mentioning my personal preference for now, but IMO one of the two is preferable in almost all aspects, so picking the lib for stretch shouldn't take that long. Cheers, Moritz Archive: https://lists.debian.org/20150429184711.GA28679@pisco.westfalen.local
Bug#782769: unblock: chromium-browser/42.0.2311.90-1
On Sun, Apr 26, 2015 at 11:57:43AM +0100, Jonathan Wiltshire wrote: On Fri, Apr 17, 2015 at 05:21:05PM +0200, Moritz Muehlenhoff wrote: Please unblock package chromium-browser. It fixes multiple security issues (and would also need some aging at this point) Should this be progressed to proposed-updates or left for a DSA? Michael already built it for jessie-security, you can close the unblock bug. Cheers, Moritz Archive: https://lists.debian.org/20150426110734.GA8959@pisco.westfalen.local
Bug#782770: unblock: openjdk-7/7u79-2.5.5-1
On Thu, Apr 23, 2015 at 10:03:02PM +0100, Jonathan Wiltshire wrote: Control: tag -1 moreinfo On Fri, Apr 17, 2015 at 05:23:39PM +0200, Moritz Muehlenhoff wrote: Please unblock package openjdk-7. It fixes multiple security issues. ATM the build failed on mips (that was sorted out with a rebuild the last time w/o any source changes) I can't get MIPS to build and this isn't going to make the final migrations before release. Would you rather a DSA or proposed-updates? Then we'll need an additional DSA for jessie-security, stealing our time for a toy port no one uses in practice. Awesome. I'm really annoyed with the MIPS porters. If openjdk fails to build on MIPS w/o manual builds, why did they paper over this with manual builds? If openjdk fails to autobuild on mips, by all means drop support for it! For stretch we should limit openjdk support to archs officially supported by upstream, even if it means killing lots of Java reverse deps for fringe ports. We haven't had openjdk built across all supported archs for a long time. Look at the mess in proposed-updates: https://release.debian.org/proposed-updates/stable.html Cheers, Moritz Archive: https://lists.debian.org/20150423212606.GA5229@pisco.westfalen.local
Re: Bug#746946: wheezy-pu: package distro-info-data/0.23~deb7u1
On Thu, Apr 16, 2015 at 04:02:23PM +0200, Raphael Hertzog wrote: Yes there are packages which are unsupported in Squeeze but very much like there are unsupported packages in Wheezy right now: Also, all other distros with long support have some level of reduced support over time, see for example the requirements for fixes in RHEL in its later support stages, so having a few packages not supported in squeeze-lts is fairly common. We shouldn't label the LTS phase as second class. Cheers, Moritz Archive: https://lists.debian.org/20150416160236.GB7902@pisco.westfalen.local
Bug#778332: RM: oss4/4.2-build2010-1.1
On Wed, Mar 04, 2015 at 09:46:20AM +0100, Ivo De Decker wrote: Hi, On Fri, Feb 13, 2015 at 05:52:36PM +0100, Moritz Muehlenhoff wrote: please remove oss4 from jessie. There's been no maintainer followup since a month (plus no action back then when Ben initially reported it to the maintainers privately). Removal hint added. I tried to check why this hasn't been removed, but I don't understand why. The simulated removal dak rm -s testing run shows many dependencies on ALSA, e.g. Checking reverse dependencies... # Broken Depends: a2jmidid: a2jmidid [amd64 armel armhf i386 mips mipsel powerpc s390x] abx: abx [amd64 arm64 armel armhf i386 mips mipsel powerpc ppc64el s390x] aconnectgui: aconnectgui [amd64 arm64 armel armhf i386 mips mipsel powerpc ppc64el s390x] adplay: adplay [amd64 armel armhf i386 mips mipsel powerpc ppc64el s390x] aegisub: aegisub [amd64 armhf i386 mips mipsel powerpc ppc64el s390x] aeolus: aeolus [amd64 arm64 armel armhf i386 mips mipsel powerpc ppc64el s390x] (..) Cheers, Moritz Archive: https://lists.debian.org/20150309192943.GA18463@pisco.westfalen.local
Bug#775892: unblock (pre-approval): python-django/1.7.3-1
On Fri, Jan 23, 2015 at 02:26:06PM +0100, Raphael Hertzog wrote: On Wed, 21 Jan 2015, Raphael Hertzog wrote: Some notes: - the final upload will include the bug closure of #775375 - there's a small tweak of a Suggests dependency, it was not intended for jessie but I don't see how it can hurt and did not bother to revert it I have uploaded 1.7.3-1~exp1 to experimental which is basically what I'd like to upload to unstable. It contains one more patch compared to the debdiff I sent to fix a build failure with Python 3.4 (https://github.com/django/django/commit/b1bf8d64fbadcab860eb98662c49b8db33db0c3c). Cheers, PS: I know that Neil Williams uploaded an NMU to fix the security issues but I still want to include 1.7.3. It would still be good to unblock the NMU first to get the security fixes into jessie. Cheers, Moritz Archive: https://lists.debian.org/20150126125526.GA18029@pisco.westfalen.local
Bug#774211: freeze exception for binutils 2.25-3
On Tue, Dec 30, 2014 at 12:29:35PM +0100, Matthias Klose wrote: forgot to mention that there are no regression in the binutils testsuite on all release architectures, and that there are no regression in the gcc-4.8 and gcc-4.9 testsuites on all release architectures. Did someone from the release team have a chance to look into these? If the version from sid isn't acceptable we'll need some time to fix this through tpu (and binutils-mingw-w64 needs to be dealt with as well) Cheers, Moritz Archive: https://lists.debian.org/20150126113032.GA6532@pisco.westfalen.local
Bug#774299: wheezy-pu: openssl: disable SSLv3 by default
On Wed, Dec 31, 2014 at 04:41:29PM +0100, Kurt Roeckx wrote: On Wed, Dec 31, 2014 at 02:00:23PM +, Adam D. Barratt wrote: Control: tags -1 + moreinfo On Wed, 2014-12-31 at 13:52 +0100, Kurt Roeckx wrote: I would like to disable SSLv3 by default in wheezy. Do we know how well other packages in wheezy cope with that? (I'm going to guess not as well as in jessie.) I have no reason to believe there is a difference between jessie and wheezy in how packages cope with SSLv3 being disabled. Please note that this only affects the SSLv23_* methods and that it just sets SSL_OP_NO_SSLv3 by default now. In jessie SSLv3 is just disabled, for wheezy I would change it to disabled by default with a way to turn it back on. What could break is that apache for instance will now disable SSLv3 by default even though the config file doesn't seem to indicate that it's disabled. That could then result in it not working with some clients that do not support TLSv1 or newer. But that is also already the case in jessie. One package that might be affected by this change is that python has a test suite that tries all possible combinations of settings and the test suite is probably going to fail because it's going to expect to be able to set up an SSLv3 connection. I will rebuild python in wheezy to check that. Cheers, Moritz Archive: https://lists.debian.org/20150118105905.GA8835@pisco.westfalen.local
Bug#770463: unblock: dhcpcd5/6.0.5-2
On Fri, Nov 21, 2014 at 08:30:37PM +0100, Niels Thykier wrote: On 2014-11-21 14:56, Salvatore Bonaccorso wrote: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hi Release Team, Please unblock package dhcpcd5, which fixed a denial-of-service vulnerability (CVE-2014-6060). Relevant bug in the BTS is #770043. Additionally to the patch I have updated the maintainer field to Debian QA group as previous maintainer orphaned the package. Full changelog is as follows: [...] unblock dhcpcd5/6.0.5-2 Many thanks in advance! Regards, Salvatore Unblocked, thanks. According to the PTS the transition to testing is blocked by missing kfreebsd-* builds, but kfreebsd is no longer a release arch? Can you force-wrestle this? Cheers, Moritz Archive: https://lists.debian.org/20141203204232.GA4073@pisco.westfalen.local
Re: binNMUs for dpkg-buildflags / -fstack-protector-strong
On Sat, Nov 08, 2014 at 03:27:26PM +, Julien Cristau wrote: On Sat, Nov 8, 2014 at 10:29:17 +0100, Moritz Mühlenhoff wrote: On Sun, Nov 02, 2014 at 11:53:44PM +0100, Moritz Muehlenhoff wrote: On Sun, Nov 02, 2014 at 06:19:51PM +0100, Julien Cristau wrote: On Tue, Sep 23, 2014 at 22:36:43 +0200, Moritz Mühlenhoff wrote: Sorry I didn't get to these quickly. Do you have an updated list and/or package versions? Otherwise I'll just go ahead with the original list. I can filter out packages which have been uploaded since then. I'll send you the updated list in a few days. Here's the updated - and compared to the last one - greatly reduced list, also including three packages using hardening-[wrapper|includes] not yet built after these also enabled -strong. A few packages are included which have been an upload to sid, but which didn't make the cutoff for the freeze. I'm including these to ensure that the version in testing is rebuilt, even if some of these later uploads might still be unblocked later: I've scheduled the ones for sid. A mixed list with some jessie and some sid rebuilds is not something I can use, especially if the requested distribution is implicit. Thanks, is something required to migrate these to jessie? Cheers, Moritz Archive: https://lists.debian.org/20141119220847.GA18108@pisco.westfalen.local
Re: binNMUs for dpkg-buildflags / -fstack-protector-strong
On Sun, Nov 02, 2014 at 11:53:44PM +0100, Moritz Muehlenhoff wrote: On Sun, Nov 02, 2014 at 06:19:51PM +0100, Julien Cristau wrote: On Tue, Sep 23, 2014 at 22:36:43 +0200, Moritz Mühlenhoff wrote: Sorry I didn't get to these quickly. Do you have an updated list and/or package versions? Otherwise I'll just go ahead with the original list. I can filter out packages which have been uploaded since then. I'll send you the updated list in a few days. Here's the updated - and compared to the last one - greatly reduced list, also including three packages using hardening-[wrapper|includes] not yet built after these also enabled -strong. A few packages are included which have been an upload to sid, but which didn't make the cutoff for the freeze. I'm including these to ensure that the version in testing is rebuilt, even if some of these later uploads might still be unblocked later: Cheers, Moritz afuse alsaplayer antiword aptitude audiofile avahi barnowl bip bogofilter bzip2 cabextract chmlib chrony citadel courier-authlib cpio cups-pk-helper dash debianutils diffutils dvipng ecryptfs-utils ekg elinks enscript exiftags expat fetchmail findutils firebird2.5 flac flex fontforge fuse gdbm gmime heimdal hplip hylafax icinga id3lib3.8.3 imlib2 inotify-tools iptables iputils ircd-ratbox iscsitarget kaffeine ktorrent kvirc l2tpns lcms2 libapache-mod-jk libapache2-mod-auth-pgsql libapache2-mod-authnz-external libapache2-mod-fcgid libcdaudio libdmx libdumb libfs libgtop2 libhtml-parser-perl libmodplug libnss-ldap libpam-krb5 libpam-ldap libpng libproxy libsmi libsndfile libtar libtk-img libwmf libwpd libxcb libxcursor libxfixes libxfont libxi libxinerama libxrandr libxrender libxres libxslt libxt libxtst libxv libxvmc libxxf86dga libxxf86vm libyaml-libyaml-perl links2 linux-ftpd logrotate lurker lynx-cur mailman mapserver maradns mimetex mlmmj nas nbd ndiswrapper net-tools newt ntp nut openconnect opensaml2 tiff xmlsec1 mysql-5.5 znc tar raptor ldns opensc pimd pmount pptpd psi 
pstotext python-crypto readline6 rssh rsync ruby-gnome2 sdl-image1.2 sed shadow snmptrapfmt socat spamass-milter splitvt super tcpreen telepathy-gabble tinc tinyproxy traceroute unalz unzip x11-xserver-utils xfce4-terminal xml-security-c xz-utils zoo Archive: https://lists.debian.org/20141108092917.GA10690@pisco.westfalen.local
Re: Bug#767411: torque: should not be released with jessie
On Sat, Nov 01, 2014 at 02:30:02PM -0400, Michael Gilbert wrote: On Sat, Nov 1, 2014 at 11:46 AM, Salvatore Bonaccorso wrote: Given Dominique's reply on #767411, from my POV I think the best solution would be to remove torque completely for jessie (i.e. first drop support from openmpi to be able to remove the package and remaining reverse dependencies). 4 wheezy DSAs doesn't necessarily sound that horrible, so I don't think we're clearly at the point where torque should be considered unsupportable. Maybe the patch backports were an incredible amount of work? Well, but the 2.4 branch is already no longer unsupported upstream and we shouldn't knowingly introduce it into a release which will be supported for five more years. The package does clearly need to be orphaned, so someone can step up post-jessie to get the package in sync with upstream. As written by Dominique that's not possible for license reasons. Cheers, Moritz Archive: https://lists.debian.org/20141101195005.GA2660@pisco.westfalen.local
Re: Bug#763278: wheezy-pu: gcc-4.9/4.9.1-14~deb7u1
Adam D. Barratt a...@adam-barratt.org.uk wrote: On 2014-10-01 13:25, Moritz Mühlenhoff wrote: Adam D. Barratt a...@adam-barratt.org.uk wrote: The alternative is to drop chromium security support for wheezy way too soon. They're not the only alternatives. Granted, they may be the only ones which you're willing to support. What other alternatives do you have in mind? Well, someone could attempt to persuade upstream to delay the change, or work on fixing things up to work with 4.7 where required. I didn't say they were great alternatives, simply that they exist. Unfortunately they're not viable: Upstream wants to use C++11 features and even if someone were to start on a Debian-specific patchset it would only get bigger with every new Chromium release (and they make new releases every few weeks). Cheers, Moritz Archive: https://lists.debian.org/slrnm2qvkk.3ef@inutil.org
Re: Bug#763278: wheezy-pu: gcc-4.9/4.9.1-14~deb7u1
Adam D. Barratt a...@adam-barratt.org.uk wrote: The alternative is to drop chromium security support for wheezy way too soon. They're not the only alternatives. Granted, they may be the only ones which you're willing to support. What other alternatives do you have in mind? Cheers, Moritz Archive: https://lists.debian.org/slrnm2nskv.3qp@inutil.org
Re: Bug#763148: Prevent migration to jessie
On Wed, Oct 01, 2014 at 04:32:24PM +0200, Andreas Cadhalpun wrote: However, I can understand why one embedded code copy is better than one embedded code copy plus a library in addition to it. This would be understandable, yes. There are now two options: a) Let FFmpeg migrate to testing and make chromium use it. b) Don't let FFmpeg migrate and let chromium continue to use the embedded copy, in spite of the policy violation. If this really would be preferred, then the FFmpeg libraries and tools could be built from the chromium source package, because that can't increase the security workload, as the source is already in wheezy. Chromium is actually a special case. It's a huge monster package which is very difficult to integrate and maintain. You seem to have missed that for Chromium we rebuild the current upstream releases in stable. Since there are no guarantees for any kind of API stability in the local ffmpeg copy that is obviously not a good idea.

Cheers, Moritz

Archive: https://lists.debian.org/20141002164349.GA4870@pisco.westfalen.local
Re: Bug#763148: Prevent migration to jessie
On Sun, Sep 28, 2014 at 11:27:03AM +0200, Andreas Cadhalpun wrote:
> So would you please explain why you see a problem?

It has all been written before, I'm not going to repeat it all over again. We can pick libav _or_ ffmpeg for jessie+1. EOD for me.

Chromium using a local copy of the lib doesn't matter in practice since we need to spin updates for the browser security bugs anyway.

Cheers, Moritz

Archive: https://lists.debian.org/20140930204537.GA3785@pisco.westfalen.local
Re: FFmpeg in Jessie
Alessio Treglia ales...@debian.org wrote:
> On Fri, Sep 26, 2014 at 10:28 PM, Andreas Barth a...@ayous.org wrote:
> > That sounds like we should drop libav and release with ffmpeg. Is this also the opinion of the libav maintainers? Or is there a strong reason why this is not possible?
>
> Although no consensus has been reached, some members of the team which maintains libav have expressed their opinions:

I've filed a blocker bug to prevent testing migration of ffmpeg. We can sort this out at the beginning of the jessie+1 development cycle.

Cheers, Moritz

Archive: https://lists.debian.org/slrnm2fhja.36c@inutil.org
Re: [debian-mysql] MySQL in Jessie
On Sat, Sep 20, 2014 at 04:04:11PM +0300, Otto Kekäläinen wrote:
> Hello!
>
> 2014-09-17 22:57 GMT+03:00 Moritz Mühlenhoff j...@inutil.org:
> > Has there been any progress? The freeze is coming closer.
>
> Both MySQL 5.6 and MariaDB 10.0 are still only in experimental. The 5.5 versions are in testing and functional and well tested, so it looks like that those will go to Jessie.

Well, as said before in the thread you need to settle on either mysql or mariadb.

Cheers, Moritz

Archive: https://lists.debian.org/20140926175410.GA3969@pisco.westfalen.local
Re: binNMUs for dpkg-buildflags / -fstack-protector-strong
On Sat, Sep 20, 2014 at 02:18:34PM +0200, Julien Cristau wrote:
> On Sat, Sep 20, 2014 at 12:53:54 +0200, Moritz Muehlenhoff wrote:
> > On Sat, Sep 20, 2014 at 10:45:00AM +0200, Julien Cristau wrote:
> > > On Wed, Sep 17, 2014 at 22:29:10 +0200, Moritz Muehlenhoff wrote:
> > > > Hi release team,
> > > > dpkg-buildflags was switched to the strong stack protector on the 10th of August. Many security-sensitive packages have already been uploaded to unstable since then and I'm tracking which are missing. For the remaining ones I'd like to request binNMUs.
> > > >
> > > > Is that ok with and when's the best time? Probably not too early before the freeze since some maintainer uploads will follow anyway, but also not too close to the freeze. Maybe mid-October?
> > >
> > > I think if you have a list now, that would be fine. We can always give them low build priority to not monopolize the buildds.
> >
> > Ok, will send the latest list in a few days. Is a list of source packages enough or do you need the current version in unstable as well?
>
> A version would allow us to not do unnecessary rebuilds if there's been a new upload after you generated the list. But if it's painful for you to generate, it's not actually mandatory.

ATM I only have a list of source packages, see below. I can whip up a script to generate versions over the weekend, but since these packages haven't seen an upload since August 10th, there's probably little overhead if one or two would be built twice.
afuse alsaplayer antiword apr-util aptitude aria2 arpwatch audiofile avahi barnowl bip bogofilter bsdmainutils bzip2 cabextract chmlib chrony citadel clamav collectd courier courier-authlib cpio cron cups-pk-helper cvs cwidget dash debianutils diffutils dvipng ecryptfs-utils ekg elinks enscript exiftags expat fbi fetchmail findutils firebird2.5 flac flex fontforge freeradius fuse gdbm gmime gnash gnumeric gzip heimdal hplip httrack hylafax icinga icu id3lib3.8.3 ifupdown imlib2 inetutils inotify-tools inspircd iptables iputils ircd-ratbox iscsitarget jasper kaffeine ktorrent kvirc l2tpns lcms2 libapache-mod-auth-kerb libapache-mod-jk libapache2-mod-auth-pgsql libapache2-mod-authnz-external libapache2-mod-fcgid libapache2-mod-rpaf libcdaudio libcgroup libdmx libdumb libextractor libfishsound libfs libgd2 libgdata libgsf libgtop2 libhtml-parser-perl libmodplug libnss-ldap libotr libpam-krb5 libpam-ldap libpipeline libpng libproxy libsigc++-2.0 libsmi libsndfile libspf2 libtar libtheora libtk-img libupnp libupnp4 libusb libvorbis libwmf libwpd libxcb libxcursor libxext libxfixes libxfont libxi libxinerama libxml2 libxrandr libxrender libxres libxslt libxt libxtst libxv libxvmc libxxf86dga libxxf86vm libyaml-libyaml-perl links2 linux-ftpd logrotate lurker lynx-cur maildrop mailman mapserver maradns memcached mimetex mlmmj modsecurity-apache mon mono mtr nas nbd ncompress ndiswrapper net-tools netrik newt notmuch nss-pam-ldapd ntp nut openarena openconnect openjpeg opensaml2 opensc openssh pam-pgsql pcsc-lite pdns pimd pmount postgresql-9.4 pound ppp pptpd procps proftpd-dfsg psi pstotext pulseaudio pymongo python-crypto quagga radsecproxy raptor readline6 rssh rsync ruby-gnome2 samba screen sdl-image1.2 sed shadow slang2 slurm-llnl snmptrapfmt socat spamass-milter spamassassin splitvt stunnel4 super sympa systemtap tar tcpreen telepathy-gabble texinfo tiff tinc tinyproxy traceroute unalz unzip util-linux uw-imap varnish vino vsftpd wget wireshark wpa x11-xserver-utils 
xapian-omega xfce4-terminal xml-security-c xmlsec1 xz-utils zoo

Cheers, Moritz

Archive: https://lists.debian.org/20140923203642.GA6088@pisco.westfalen.local
Re: [debian-mysql] MySQL in Jessie
On Wed, Aug 27, 2014 at 12:55:15PM +0200, Bjoern Boschman wrote:
> Hi,
>
> to sum things up:
> * mariadb-5.5 within testing
> * mariadb-10.0 within experimental
> * mysql-5.5 within testing
> * mysql-5.6 within experimental
> * percona-xtradb-cluster-server-5.5 within sid
>
> From my point of view we should not talk about percona-xtradb-cluster-server as a mysql replacement as it does not provide any libs nor -dev packages and will always be a very close relative to mysql.
>
> Although my opinion is to let Debian users decide which fork to use I can fully understand release/security team concerns.
>
> So which way to go?
> * stick with mysql and start transition - 5.6
> * replace mysql with mariadb and start transition - 10.0
> * create an ecosystem where several forks may live side by side
>
> pkg-mysql is unfortunately not one of the strongest teams in terms of manpower, but even though we tried to come up with a solution to fulfil anybody's wishes. As the transition timeframe is quite close we need a decision! This decision should be done by the release team agreed together with your colleagues at ubuntu/canonical as we should definitely *not* fork this decision! Maybe the tech-ctte could also be involved?

Has there been any progress? The freeze is coming closer.

Cheers, Moritz

Archive: https://lists.debian.org/20140917195709.GA5801@pisco.westfalen.local
Bug#757342: wheezy-pu: package php5/5.4.31-0+deb7u1
On Wed, Aug 20, 2014 at 12:07:03PM +0200, Ondřej Surý wrote:
> On Wed, Aug 20, 2014, at 11:53, Moritz Mühlenhoff wrote:
> > On Thu, Aug 07, 2014 at 11:37:30AM +0200, Ondřej Surý wrote:
> > > Package: release.debian.org
> > > Severity: normal
> > > Tags: wheezy
> > > User: release.debian@packages.debian.org
> > > Usertags: pu
> > >
> > > Dear release team,
> > > as discussed on #debian-release about possibility of having minor PHP5 updates instead of hoarding various upstream patches, I am submitting a w-p-u bug to discuss that and to summarize my findings (and my positive attitude :).
> >
> > If you as the primary PHP maintainer consider upstream QA work on minor point updates to be of sufficient quality, we can follow them for future security updates. That policy has served us very well for psql, e.g.
>
> Do I read that correctly as no need to go through s-p-u?

If there are security issues worth a DSA, the PHP point release can be released through security.debian.org, otherwise they need to go through s-p-u. That's the same way we handled Postgres or the kernel (which also is based on the 3.2.x point releases)

Cheers, Moritz

Archive: https://lists.debian.org/20140826115408.GF11078@pisco.westfalen.local
Bug#757342: wheezy-pu: package php5/5.4.31-0+deb7u1
On Thu, Aug 07, 2014 at 11:37:30AM +0200, Ondřej Surý wrote:
> Package: release.debian.org
> Severity: normal
> Tags: wheezy
> User: release.debian@packages.debian.org
> Usertags: pu
>
> Dear release team,
> as discussed on #debian-release about possibility of having minor PHP5 updates instead of hoarding various upstream patches, I am submitting a w-p-u bug to discuss that and to summarize my findings (and my positive attitude :).

If you as the primary PHP maintainer consider upstream QA work on minor point updates to be of sufficient quality, we can follow them for future security updates. That policy has served us very well for psql, e.g.

Cheers, Moritz

Archive: https://lists.debian.org/20140820095335.GA2887@pisco.westfalen.local
Re: Bug#758492: RM: lcms/1.19.dfsg2-1.5
Niels Thykier ni...@thykier.net wrote:
> This in fact requires a bit more time, see below:
>
> Checking reverse dependencies...
> # Broken Depends:
> devil: libdevil1c2

I've reopened the bug, a resolution is pending.

> foo2zjs: printer-driver-foo2zjs

This is #757384

> gimp: gimp

I've reopened the bug and bumped to RC severity.

> imagemagick: libmagickcore-dev

This will be fixed along with the imagemagick transition.

Cheers, Moritz

Archive: https://lists.debian.org/slrnlv7e69.30o@inutil.org
Bug#751976: pu: package cmus/2.4.3-2+deb7u1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: pu Hi, attached debdiff fixes a FTBFS of cmus in stable. [Adding Alessio to CC] Cheers, Moritz -- System Information: Debian Release: 7.5 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -Nru cmus-2.4.3/debian/changelog cmus-2.4.3/debian/changelog --- cmus-2.4.3/debian/changelog 2012-06-02 20:08:09.0 +0200 +++ cmus-2.4.3/debian/changelog 2014-06-18 14:18:17.0 +0200 @@ -1,3 +1,10 @@ +cmus (2.4.3-2+deb7u1) wheezy; urgency=low + + * Fix FTBFS related to the libmodplug upgrade in DSA 2751, patch as used in +2.5.0-4 (Closes: #724181) + + -- Moritz Mühlenhoff muehlenh...@univention.de Wed, 18 Jun 2014 14:16:56 +0200 + cmus (2.4.3-2) unstable; urgency=low [ Ryan Kavanagh ] diff -Nru cmus-2.4.3/debian/patches/fix-modplug-build.patch cmus-2.4.3/debian/patches/fix-modplug-build.patch --- cmus-2.4.3/debian/patches/fix-modplug-build.patch 1970-01-01 01:00:00.0 +0100 +++ cmus-2.4.3/debian/patches/fix-modplug-build.patch 2014-06-18 14:16:49.0 +0200 
@@ -0,0 +1,19 @@ +Description: Horrible fix for misdetection of modplug. +Author: Alessio Treglia ales...@debian.org +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724181 +Forwarded: no +--- + + Makefile |2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) +--- cmus-2.4.3.orig/Makefile cmus-2.4.3/Makefile +@@ -90,7 +90,7 @@ ip-$(CONFIG_FFMPEG) += ffmpeg.so + $(flac-objs): CFLAGS += $(FLAC_CFLAGS) + $(mad-objs): CFLAGS += $(MAD_CFLAGS) + $(mikmod-objs): CFLAGS += $(MIKMOD_CFLAGS) +-$(modplug-objs): CFLAGS += $(MODPLUG_CFLAGS) ++$(modplug-objs): CFLAGS += $(MODPLUG_CFLAGS) -I/usr/include/libmodplug + $(mpc-objs): CFLAGS += $(MPC_CFLAGS) + $(vorbis-objs): CFLAGS += $(VORBIS_CFLAGS) + $(wavpack-objs): CFLAGS += $(WAVPACK_CFLAGS) diff -Nru cmus-2.4.3/debian/patches/series cmus-2.4.3/debian/patches/series --- cmus-2.4.3/debian/patches/series 1970-01-01 01:00:00.0 +0100 +++ cmus-2.4.3/debian/patches/series 2014-06-18 14:16:25.0 +0200 @@ -0,0 +1 @@ +fix-modplug-build.patch
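Review bot: In fix-modplug-build.patch the Makefile hunk hard-codes "-I/usr/include/libmodplug" onto the "$(modplug-objs): CFLAGS" line, which works around the misdetection named in the Description instead of correcting how MODPLUG_CFLAGS gets its value, and it points at the wrong place as soon as the headers are installed under another prefix. The header also says "Forwarded: no". Please either fix the detection so that MODPLUG_CFLAGS carries the include directory, or keep the fixed path with a short comment explaining why and forward the problem upstream. The changelog entry would also be easier to audit if it named the patch file it adds.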
Bug#751976: pu: package cmus/2.4.3-2+deb7u1
> Hi all,
> I've just noticed the last message on #724181, and I am sorry about the late reply.
>
> On Wed, Jun 18, 2014 at 1:25 PM, Moritz Mühlenhoff muehlenh...@univention.de wrote:
> > Hi, attached debdiff fixes a FTBFS of cmus in stable.
>
> Should I wait for the ACK from the release team then or just upload it to s-p-u straightaway?

I have created a tested update for wheezy, I could upload once the stable RMs have acked it. But of course, if you handle it yourself, please go ahead!

Cheers, Moritz

--
Moritz Mühlenhoff
Open Source Software Engineer
Univention GmbH
be open.
Mary-Somerville-Str.1
28359 Bremen
Tel. : +49 421 22232-0 [.]
Fax : +49 421 22232-99
muehlenh...@univention.de
http://www.univention.de
Managing Director: Peter H. Ganten
HRB 20755 Amtsgericht Bremen
Tax no.: 71-597-02876

Archive: https://lists.debian.org/201406181449.43213.muehlenh...@univention.de
Re: Updating tor (was: Upcoming stable point release (7.6))
Peter Palfrader wea...@debian.org wrote:
> Hi!
>
> On Wed, 11 Jun 2014, Adam D. Barratt wrote:
> > The next point release for wheezy (7.6) is scheduled for Saturday, July 12th. Stable NEW will be frozen during the preceding weekend.
>
> I propose to update Tor in stable to the version that is now in jessie.

One additional note: We already moved to a new upstream release in a previous DSA (DSA-2363-1, from 0.2.1.31-1 to 0.2.2.35-1) and it worked out well.

Cheers, Moritz

Archive: https://lists.debian.org/slrnlpuoab.2kg@inutil.org
Bug#744850: pu: package gst-plugins-bad0.10/0.10.23-7.1+deb7u1
> Control: tags -1 + confirmed
>
> On Tue, 2014-04-15 at 14:51 +0200, Moritz Mühlenhoff wrote:
> > Attached debdiff fixes a FTBFS of gst-plugins-bad0.10 in stable (caused by the libmodplug update in DSA 2751)
>
> Please go ahead.

Uploaded.

Cheers, Moritz

Archive: https://lists.debian.org/201404160932.46979.muehlenh...@univention.de
Bug#744850: pu: package gst-plugins-bad0.10/0.10.23-7.1+deb7u1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: pu Hi, (this update has been coordinated with Sebastian Dröge) Attached debdiff fixes a FTBFS of gst-plugins-bad0.10 in stable (caused by the libmodplug update in DSA 2751) Cheers, Moritz -- System Information: Debian Release: 7.4 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -Nru gst-plugins-bad0.10-0.10.23/debian/changelog gst-plugins-bad0.10-0.10.23/debian/changelog --- gst-plugins-bad0.10-0.10.23/debian/changelog 2012-12-31 20:43:40.0 +0100 +++ gst-plugins-bad0.10-0.10.23/debian/changelog 2014-04-07 15:58:11.0 +0200 @@ -1,3 +1,9 @@ +gst-plugins-bad0.10 (0.10.23-7.1+deb7u1) stable; urgency=low + + * Fix FTBFS related to the libmodplug upgrade in DSA 2751 (Closes: #726871) + + -- Moritz Mühlenhoff muehlenh...@univention.de Mon, 07 Apr 2014 15:56:32 +0200 + gst-plugins-bad0.10 (0.10.23-7.1) unstable; urgency=low * Non-maintainer upload. diff -Nru gst-plugins-bad0.10-0.10.23/debian/patches/0032-fix-compat-with-updated-libmodplug.patch gst-plugins-bad0.10-0.10.23/debian/patches/0032-fix-compat-with-updated-libmodplug.patch --- gst-plugins-bad0.10-0.10.23/debian/patches/0032-fix-compat-with-updated-libmodplug.patch 1970-01-01 01:00:00.0 +0100 +++ gst-plugins-bad0.10-0.10.23/debian/patches/0032-fix-compat-with-updated-libmodplug.patch 2014-04-07 15:56:28.0 +0200 
@@ -0,0 +1,16 @@ +Description: Fix compatibility with current libmodplug + libmodplug was updated to a new upstream release in DSA 2751. This patch + fixes a FTBFS with that new version. +Bug-Debian: http://bugs.debian.org/726871 + +--- gst-plugins-bad0.10-0.10.23.orig/ext/modplug/gstmodplug.cc gst-plugins-bad0.10-0.10.23/ext/modplug/gstmodplug.cc +@@ -50,7 +50,7 @@ + #define WORDS_BIGENDIAN 0 + #endif + +-#include stdafx.h ++#include libmodplug/stdafx.h + #include libmodplug/sndfile.h + + #include gstmodplug.h diff -Nru gst-plugins-bad0.10-0.10.23/debian/patches/series gst-plugins-bad0.10-0.10.23/debian/patches/series --- gst-plugins-bad0.10-0.10.23/debian/patches/series 2012-12-31 20:43:40.0 +0100 +++ gst-plugins-bad0.10-0.10.23/debian/patches/series 2014-04-07 15:56:28.0 +0200 @@ -12,3 +12,4 @@ 0017-opusdec-read-gain-from-the-right-place-in-the-header.patch 0020-opusenc-add-missing-mutex-unlock-on-error-path.patch 0030-really-fix-h264-parsing.patch +0032-fix-compat-with-updated-libmodplug.patch
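Review bot: The header of 0032-fix-compat-with-updated-libmodplug.patch carries only Description and Bug-Debian; there is no Author or Origin and no Forwarded field, so it is not clear whether the include change in ext/modplug/gstmodplug.cc (stdafx.h to libmodplug/stdafx.h) came from upstream or exists only in Debian. Please add those fields. The new include form matches the libmodplug/sndfile.h line directly below it, which is good; the changelog line could say that and name the patch, since at the moment it only states that the FTBFS is fixed.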
Bug#742703: pu: package gorm.app/1.2.16-1+deb7u1
> Control: tags -1 + confirmed
>
> On Wed, 2014-03-26 at 15:05 +0100, Moritz Mühlenhoff wrote:
> > gorm.app FTBFSes in stable. The attached debdiff fixes the build using the same patch already used in the NMU for unstable.
>
> Please go ahead; thanks.

Uploaded.

Cheers, Moritz

Archive: https://lists.debian.org/201404141406.36080.muehlenh...@univention.de
Re: Bug#739069: wheezy-pu: package sage-extension/1.5.2-1~deb7u1
Adam D. Barratt a...@adam-barratt.org.uk wrote:
> Control: tags -1 + moreinfo
>
> Apologies for the delays in getting back to this.
>
> On Sat, 2014-02-15 at 17:53 +0100, Sébastien Villemot wrote:
> > The version of sage-extension currently in wheezy does not work against iceweasel 24 (in stable-security), see #738678. The new upstream versions work fine with iceweasel 24, but there seems to be no easy way of backporting a simple fix to the wheezy package.
> > [...]
> > Note that the new version does not work with iceweasel 17, and this is reflected in package dependencies.
>
> As with firebug, the issue I have here is that due to FTBFS on a few architectures, stable is still likely to have iceweasel 17 after the next point release.

I've just written to debian-mips and debian-ia64 to ask for porter's help in fixing these.

> Thus we either have to assume that most users have already upgraded to 24 from security and that the extension packages are most likely not used on the missing architectures (ia64 and mips*),

If there's no reaction soon I recommend to follow this path.

Cheers, Moritz

Archive: https://lists.debian.org/slrnlknu75.306@inutil.org
Bug#742793: RM: t1lib/5.1.2-4
On Thu, Mar 27, 2014 at 10:05:09PM +0100, Mehdi Dogguy wrote:
> On 2014-03-27 20:08, Niels Thykier wrote:
> > I noticed that the fix for gtkmathview is sadly incomplete (see #638761). AFAICT lablgtkmathview does not have an (open) RC bug for this problem. I have CC'ed the OCAML maintainers to make them aware of it - but I would like to see an RC bug against lablgtkmathview as well.
>
> Well, no. In fact, there is nothing to do in lablgtkmathview except rebuilding it once gtkmathview is fixed. So once 638761 is closed, we can launch a binNMU and it should be enough to make the dependency go away from binary packages of lablgtkmathview.

The fixed gtkmathview has now entered testing. Please schedule the binNMU, after that t1lib should be ready to go:

jmm@coccia:~$ dak rm -nR -s testing t1lib
(..)
Checking reverse dependencies...
# Broken Depends:
lablgtkmathview: liblablgtkmathview-ocaml

Cheers, Moritz

Archive: https://lists.debian.org/20140414154555.GC6419@pisco.westfalen.local
Re: Bug#739069: wheezy-pu: package sage-extension/1.5.2-1~deb7u1
Moritz Mühlenhoff j...@inutil.org wrote:
> > Thus we either have to assume that most users have already upgraded to 24 from security and that the extension packages are most likely not used on the missing architectures (ia64 and mips*),
>
> If there's no reaction soon I recommend to follow this path.

soon as in in time for Wheezy 7.5

Cheers, Moritz

Archive: https://lists.debian.org/slrnlko1p3.do4@inutil.org
Bug#742703: pu: package gorm.app/1.2.16-1+deb7u1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: pu Hi, gorm.app FTBFSes in stable. The attached debdiff fixes the build using the same patch already used in the NMU for unstable. Cheers, Moritz diff -u gorm.app-1.2.16/debian/changelog gorm.app-1.2.16/debian/changelog --- gorm.app-1.2.16/debian/changelog +++ gorm.app-1.2.16/debian/changelog @@ -1,3 +1,10 @@ +gorm.app (1.2.16-1+deb7u1) stable; urgency=low + + * Fix FTBFS using the same patch already used in the 1.2.16-1.1 NMU by +Gregor Herrmann (Closes: #707393) + + -- Moritz Mühlenhoff muehlenh...@univention.de Mon, 03 Feb 2014 12:06:03 +0100 + gorm.app (1.2.16-1) unstable; urgency=low * New upstream version. (Closes: #671393) only in patch2: unchanged: --- gorm.app-1.2.16.orig/GormCore/GormPrivate.m +++ gorm.app-1.2.16/GormCore/GormPrivate.m @@ -79,12 +79,14 @@ @end @implementation NSObject (GormPrivate) +/* + (void) poseAsClass: (Class)aClassObject { // disable poseAs: while in Gorm. class_pose_as(self, aClassObject); NSLog(@WARNING: poseAs: called in Gorm.); } +*/ + (BOOL) canSubstituteForClass: (Class)origClass {
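Review bot: The GormCore/GormPrivate.m hunk disables +poseAsClass: by wrapping the whole method in a /* */ block without any comment saying why, and the debdiff shows it as a direct change to the upstream file ("only in patch2") rather than as a file under debian/patches. Commenting the method out also drops the "WARNING: poseAs: called in Gorm." log, so the changelog should state that the override is removed instead of only "Fix FTBFS using the same patch". A one-line comment above the block naming the build failure would help whoever touches this file next.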
Bug#741232: pu: package newsbeuter/2.5-2+deb7u1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: pu This update fixes a FTBFS in stable. This was already fixed in unstable, but the fix didn't make it into Wheezy. (The upload has been coordinated/agreed with the maintainer) Debdiff attached. Cheers, Moritz diff -Nru newsbeuter-2.5/debian/changelog newsbeuter-2.5/debian/changelog --- newsbeuter-2.5/debian/changelog 2012-05-07 21:37:51.0 +0200 +++ newsbeuter-2.5/debian/changelog 2014-02-27 14:43:15.0 +0100 @@ -1,3 +1,9 @@ +newsbeuter (2.5-2+deb7u1) stable; urgency=low + + * Fix FTBFS issue due to json's switch from boolean to json_bool (Closes: #689225) + + -- Moritz Mühlenhoff muehlenh...@univention.de Thu, 27 Feb 2014 14:42:50 +0100 + newsbeuter (2.5-2) unstable; urgency=low * Fix build errors with gcc-4.7 (Closes: #667296). diff -Nru newsbeuter-2.5/debian/patches/fix_json_boolean_include.patch newsbeuter-2.5/debian/patches/fix_json_boolean_include.patch --- newsbeuter-2.5/debian/patches/fix_json_boolean_include.patch 1970-01-01 01:00:00.0 +0100 +++ newsbeuter-2.5/debian/patches/fix_json_boolean_include.patch 2014-02-27 14:42:37.0 +0100 
@@ -0,0 +1,29 @@ +Description: propagate boolean json type +Apparently the libjson project decided to rename their boolean type to +json_bool... +Author: Nico Golde n...@debian.org +Bug-Debian: http://bugs.debian.org/689225 + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: vendor +Bug: http://bugs.debian.org/689225 +Bug-Debian: http://bugs.debian.org/689225 +Forwarded: + +Index: newsbeuter-2.5/src/ttrss_api.cpp +=== +--- newsbeuter-2.5.orig/src/ttrss_api.cpp 2012-09-30 17:25:23.0 +0200 newsbeuter-2.5/src/ttrss_api.cpp 2012-09-30 17:43:24.0 +0200 +@@ -220,7 +220,7 @@ + const char * link = json_object_get_string(json_object_object_get(item_obj, link)); + const char * content = json_object_get_string(json_object_object_get(item_obj, content)); + time_t updated = (time_t)json_object_get_int(json_object_object_get(item_obj, updated)); +- boolean unread = json_object_get_boolean(json_object_object_get(item_obj, unread)); ++ json_bool unread = json_object_get_boolean(json_object_object_get(item_obj, unread)); + + rsspp::item item; + diff -Nru newsbeuter-2.5/debian/patches/series newsbeuter-2.5/debian/patches/series --- newsbeuter-2.5/debian/patches/series 2012-05-07 21:31:34.0 +0200 +++ newsbeuter-2.5/debian/patches/series 2014-02-27 14:42:37.0 +0100 @@ -1 +1,2 @@ fix_gcc-4.7_ftbfs.patch +fix_json_boolean_include.patch
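Review bot: The header of fix_json_boolean_include.patch still contains the template text ("The information above should follow the Patch Tagging Guidelines ...") together with a second Bug-Debian line and an empty "Forwarded:" field; please trim it to the fields that are actually filled in and say whether the change went upstream. The file name says "include", while the only code change in src/ttrss_api.cpp is the declaration type (boolean to json_bool), so unless the name has to match the unstable upload, one that reflects the type rename would be less misleading.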
Bug#739079: transition: libav10
On Tue, Feb 18, 2014 at 08:16:05PM +0100, Sebastian Ramacher wrote:
> (Putting the bug back into the loop.)
>
> On 2014-02-16 21:47:25, Moritz Mühlenhoff wrote:
> > On Sun, Feb 16, 2014 at 03:44:01PM -0500, Reinhard Tartler wrote:
> > > On Sun, Feb 16, 2014 at 11:22 AM, Moritz Mühlenhoff j...@inutil.org wrote:
> > > > Reinhard Tartler siret...@tauware.de wrote:
> > > > > Package: release.debian.org
> > > > > Severity: normal
> > > > > User: release.debian@packages.debian.org
> > > > > Usertags: transition
> > > > >
> > > > > Hi,
> > > > > We have a new libav transition pending. Libav 10 is prepared in debian/experimental, and I've started to build packages against this new version; in fact, more and more packages require Libav 10 and the new APIs it provides.
> > > >
> > > > Is the alpha2 version in experimental final in terms of API deprecations?
> > >
> > > It should be. I intend to release and upload 10_beta1 to experimental by end of this weekend (tomorrow latest), and includes some additions that happened after alpha2 (i.e., there will be a shlibs, but no SONAME bump). Nevertheless, I think it should be safe.
> >
> > Ok. I'll run a test build against libav/exp and file bugs against all packages which fail.
>
> Thank you Moritz for doing the test build. I've added usertags to the bugs you've already filed (user pkg-multimeida-maintain...@lists.alioth.debian.org, usertag libav10):
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=pkg-multimedia-maintain...@lists.alioth.debian.org;tag=libav10

I'm already doing the same, haven't announced it yet since the rebuild isn't fully finished. Better use this one instead:
http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=libav10;users=j...@debian.org

Cheers, Moritz

Archive: http://lists.debian.org/20140218194828.GA22598@pisco.westfalen.local
Bug#739079: transition: libav10
On Sat, Feb 15, 2014 at 08:57:47PM +0100, Julien Cristau wrote:
> On Sat, Feb 15, 2014 at 19:37:54 +0100, Sebastian Ramacher wrote:
> > Hi Reinhard
> >
> > On 2014-02-15 17:42:41, Reinhard Tartler wrote:
> > > Unfortunately, this new release does break a number of packages in the debian archive. At upstream, we are concerned about this and have conducted a survey about the fallout here: https://etherpad.mozilla.org/mnrZI5XlxP
> >
> > I'm not a member of the Release Team, but have bugs been filed in the BTS for the reverse dependencies that fail to build against libav 10? I think it was rather painful last time when plenty of the FTBFS bugs caused by libav 9 got reported after the transition already started.
>
> Agreed, I'm very much not looking forward to a repeat of that experience.

I made a rebuild and the transition isn't ready to go at all. IMO the API changes are far too aggressive; if 2/3 of all packages in the archive FTBFS, the affected APIs are clearly not that deprecated. I can understand the removal of ill-designed functions if it helps to streamline/robustify the code, but e.g. the removal of CODEC_ID* causes lots of churn for no measurable benefit.

Anyway, here's the results of the test build:

The packages compile fine if built against libav10/exp:
amarok aqualung aubio cantata chromaprint ffmpegthumbnailer ffmpegthumbs ffms2 gimp-gap gmic goldendict hedgewars kdenlive kid3 kradio4 libextractor mediatomb mlt moc mpd mpv nepomuk-core sox spek squeezelite vlc volview x264

Fixed in experimental:
handbrake

These packages fail to build from source if built against libav10/exp. Bugs have been filed with the following usertag:
http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=libav10;users=j...@debian.org

acoustid-fingerprinter (739208) alsa-plugins (739209) amide (739211) audacious-plugins (739212) avbin (739191) avifile (739213) bino (739214) blender (739238) cmus (739301) dff (739240) dvbcut (739220) ffdiaporama (739221) ffmpeg2theora (739237) forked-daapd (739239) freerdp (739242) fuse-emulator-utils (739243) gmerlin-avdecoder (739302) gmerlin-encoders (739425) gnash (739303) gpac (739321) gst-libav1.0 (739322) guvcview (739323) harvid (739304) idjc (739320) jitsi (739432) jugglemaster (739244) k3b (739312) kino (739426) libphash (739336) libquicktime (739325) lightspark (739328) linphone (739314) lives (739327) lynkeos.app (739316) mplayer2 (739337) opal (739439) opencv (739440) openscenegraph (739460) paraview (739434) performous (739433) qmmp (739378) qutecom (739427) shotdetect (739376) silan (739326) strigi (739442) survex (739332) transcode (739428) tupi (739429) vice (739315) vtk (739462) vtk6 (739456) vxl (739457) wxsvg (739454) xbmc (739441) xine-lib (739453) xine-lib-1.2 (739458) xjadeo (739431) xmms2 (739455) xpra (739459) yorick-av (739377) zoneminder (739461)

Blocked by other FTBFSes, didn't check further whether compatible with libav10:
minidlna dvswitch libomxil-bellagio libvalhalla visp renpy

Already broken since libav9 (all packages dropped from jessie anyway):
ffmpeg-php gstreamer0.10-ffmpeg / miro libavg motion taoframework

Cheers, Moritz

Archive: http://lists.debian.org/20140218214844.GA5592@pisco.westfalen.local
Re: Bug#739079: transition: libav10
Reinhard Tartler siret...@tauware.de wrote: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition Hi, We have a new libav transition pending. Libav 10 is prepared in debian/experimental, and I've started to build packages against this new version; in fact, more and more packages require Libav 10 and the new APIs it provides. Is the alpha2 version in experimental final in terms of API deprecations? Cheers, Moritz Archive: http://lists.debian.org/slrnlg1pf0.3fo@inutil.org
Re: Bug#739079: transition: libav10
On Sun, Feb 16, 2014 at 03:44:01PM -0500, Reinhard Tartler wrote: On Sun, Feb 16, 2014 at 11:22 AM, Moritz Mühlenhoff j...@inutil.org wrote: Reinhard Tartler siret...@tauware.de wrote: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition Hi, We have a new libav transition pending. Libav 10 is prepared in debian/experimental, and I've started to build packages against this new version; in fact, more and more packages require Libav 10 and the new APIs it provides. Is the alpha2 version in experimental final in terms of API deprecations? It should be. I intend to release and upload 10_beta1 to experimental by end of this weekend (tomorrow latest), and includes some additions that happened after alpha2 (i.e., there will be a shlibs, but no SONAME bump). Nevertheless, I think it should be safe. Ok. I'll run a test build against libav/exp and file bugs against all packages which fail. Cheers, Moritz Archive: http://lists.debian.org/20140216204725.GA5845@pisco.westfalen.local
Bug#731735: pu: package glance/2012.1.1-5+deb7u1
I have prepared an update for Glance over here: http://archive.gplhost.com/pub/security/glance/ The security tracker lists this issue as potentially open in Wheezy: https://security-tracker.debian.org/tracker/CVE-2013-4354 Does this affect stable and is there a fix which can be included along? Cheers, Moritz Archive: http://lists.debian.org/20131209171242.GA4385@pisco.westfalen.local
Bug#719632: Prepared a new Wheezy update for Nova
Here's the new changelog, with the remarks of J.Cristau taken into account: [ Thomas Goirand ] * CVE-2013-4261: [OSSA 2013-026] Fix problem with long messages in Qpid. * CVE-2013-2096: [OSSA 2013-012] Check QCOW2 image size during root disk creation (Closes: #710157). The security tracker lists more issues potentially affecting stable: CVE-2013-0326 CVE-2013-2255 Inconsistent and non-validating HTTPS client CVE-2013-4179 The security group extension in OpenStack Compute (Nova) Grizzly ... CVE-2013-4185 Algorithmic complexity vulnerability in OpenStack Compute (Nova) ... CVE-2013-4463 Compressed disk image DoS CVE-2013-4469 OpenStack Compute (Nova) Folsom, Grizzly, and Havana, when ... CVE-2013-4497 The XenAPI backend in OpenStack Compute (Nova) Folsom, Grizzly, and ... Do these affect stable and can they be fixed along? Cheers, Moritz Archive: http://lists.debian.org/20131209171248.GB4385@pisco.westfalen.local
Bug#717852: pu: package devscripts/2.12.6+deb7u1
On Thu, Oct 03, 2013 at 07:05:46PM +0100, Adam D. Barratt wrote: Control: tags -1 + confirmed On Fri, 2013-07-26 at 16:59 +0200, Moritz Muehlenhoff wrote: On Thu, Jul 25, 2013 at 05:18:02PM +0100, Adam D. Barratt wrote: diff -Nru devscripts-2.12.6/scripts/build-rdeps.pl [...] -my $release_pattern = '(.*_dists_(sid|unstable))_(?:In)*Release$'; +my $release_pattern = '(.*_dists_(wheezy|stable))_(?:In)*Release$'; Hmmm, what are the chances that users on stable might want to derive the information for unstable in any case? Fairly negligible, but | my $release_pattern = '(.*_dists_(sid|unstable|wheezy|stable))_(?:In)*Release$'; makes a Wheezy system with a deb-sec for unstable work as well. I upload that as well. Apologies for the delay in getting back to you. Looking closer I realised that build-rdeps has a --distribution option, so feel free to go ahead with the original patch. Thanks, just uploaded. Cheers, Moritz Archive: http://lists.debian.org/20131004190641.GA5502@pisco.westfalen.local
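Review bot: in both the removed and the added $release_pattern line, the group (?:In)* accepts any number of repetitions of "In", so a file name ending in _InInRelease would match as well; only Release and InRelease are meant, and (?:In)? expresses exactly that. Separately, replacing sid|unstable with the hard-coded wheezy|stable means the pattern has to be patched again for every release; since the thread notes that build-rdeps has a --distribution option, building the suite alternation from that option's value would avoid the per-release edit.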
Re: Call for Jessie Release Goals
Jonathan Wiltshire j...@debian.org wrote: Goals which were accepted for the Wheezy cycle, but did not reach completion, can be carried over for Jessie. However, we require re-submission of those goals (and any that have been discussed up until now - we are starting with a clean slate) to ensure that they are still realistic and have active developers working on them. We will in principle accept carried-over goals which still meet the basic criteria. That applies for the hardening release goal. There's been quite some progress and things have started to roll on their own, but there's quite some work to do. So please re-add it for jessie. Cheers, Moritz Archive: http://lists.debian.org/slrnl465pr.48g@inutil.org
Re: Call for Jessie Release Goals
On Wed, Sep 25, 2013 at 07:06:37PM +0200, Niels Thykier wrote: On 2013-09-25 19:02, Moritz Mühlenhoff wrote: Jonathan Wiltshire j...@debian.org wrote: Goals which were accepted for the Wheezy cycle, but did not reach completion, can be carried over for Jessie. However, we require re-submission of those goals (and any that have been discussed up until now - we are starting with a clean slate) to ensure that they are still realistic and have active developers working on them. We will in principle accept carried-over goals which still meet the basic criteria. That applies for the hardening release goal. There's been quite some progress and things have started to roll on their own, but there's quite some work to do. So please re-add it for jessie. Cheers, Moritz Is the goal page[1] up to date etc.? The wiki suggests it has not been updated in the past year. Are all the advocates from Wheezy still behind it (I took the liberty of CC'ing all of you). Most of the tracking happened inside SVN, AFAICS nothing needs to be updated ATM. Cheers, Moritz Archive: http://lists.debian.org/20130925191543.GA6247@pisco.westfalen.local
Re: Roll call for porters of architectures in sid and testing (Status update)
John David Anglin dave.ang...@bell.net wrote: On 21-Sep-13, at 7:23 PM, Ben Hutchings wrote: I'll continue testing/software development activity on ia64 for the Jessie cycle, and more generally, until Debian drops ia64. I'm already waiting for Wayland on ia64 and other big updates. So please, keep ia64 in the bandwagon ;-) But I don't think ia64 is well-supported even in wheezy. The kernel doesn't boot on some common machines and no-one seems to be able to fix it. I don't believe this for a minute. This is about Debian and its ability to attract capable porters. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=595502 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=671034 Cheers, Moritz Archive: http://lists.debian.org/slrnl3ttuu.4ck@inutil.org
Bug#706798: transition: Libav 9
On Fri, Sep 06, 2013 at 05:06:03PM +0200, Moritz Mühlenhoff wrote: Hi, two more testing removals related to the libav9 transition: - libavg 1.7.1-3 fails to build for unrelated boost reasons. Popcon is virtually nonexistent. - imageshack-uploader 2.2+hg20100408.d802dea89428-5.1 patch is available for libav9, but FTBFS for weird qmake reasons. Popcon is marginal. Cheers, Moritz Archive: http://lists.debian.org/20130911160248.GA7773@pisco.westfalen.local