Re: jessie-security packages missing from ftp-master

2018-06-11 Thread Moritz Mühlenhoff
Hi Adam,

Following up on some issues:

On Sun, Jun 10, 2018 at 07:35:16PM +0100, Adam D. Barratt wrote:
> Is it worth retrying any of these?
> 
> * graphicsmagick 1.3.20-3+deb8u2 (powerpc)

Tried a giveback, but it's a persistent test suite which breaks
the build. Not sure.

> * mariadb-10.0 10.0.32-0+deb8u1 (mips mipsel powerpc s390x)

I guess these are arch-specific failures, which won't be fixed,
the one for powerpc dates back quite a while.

> * openjdk-7 7u151-2.6.11-2~deb8u1 (arm64 s390x)

This got superseded by the latest (and final) openjdk-7 update:
arm64 and s390x now had a successful build. So openjdk-7 should
be complete it seems?

Cheers,
Moritz



Re: Your upload of goldencheetah to stretch

2018-05-17 Thread Moritz Mühlenhoff
Jonathan Wiltshire wrote:
> Hi,
>
> You uploaded goldencheetah 4.0.0~DEV1607-2+deb9u1 to proposed-updates but
> with a target suite of stretch-security. Was that meant to go to the
> security archive?

This was released via the security update, it was part of the compat
changes listed in DSA-4203-1.

Cheers,
Moritz 



Re: Scheduling final Jessie point release, 8.11

2018-05-14 Thread Moritz Mühlenhoff
On Mon, May 14, 2018 at 06:26:08PM +0100, Jonathan Wiltshire wrote:
> Hi,
> 
> According to my records main security support for Jessie can end any time
> after 17th June. 
> 
> So to the security team: do you have a date in mind?

The 17th :-)

Cheers,
Moritz



Re: openafs bug 886768

2018-02-20 Thread Moritz Mühlenhoff
On Tue, Feb 20, 2018 at 01:56:12PM -0600, Benjamin Kaduk wrote:
> On Tue, Feb 20, 2018 at 08:51:16PM +0100, Salvatore Bonaccorso wrote:
> > Hi Thorsten,
> > 
> > On Tue, Feb 20, 2018 at 02:45:48PM +0100, Thorsten Alteholz wrote:
> > > Hi everybody,
> > > 
> > > the latest security update of the kernel to version 3.2.0-5 in Jessie
> > > resulted in #886768 [1] for openafs.
> > > 
> > > Wouldn't it be better to do the openafs upload via security as well?
> > > At the moment openafs in Jessie is just broken until the next point 
> > > release.
> > 
> > Whilst one arguably can say that the issue was introduced/uncovered
> > by a security update, the package has already been accepted by the SRM
> > (thanks for that to Julien and Adam!).
> > 
> > So affected persons could already install the fixed packages via
> > proposed-updates, but maybe Julien and Adam can be convinced that an
> > update is important enough to schedule an update earlier via a SUA?
> 
> It's probably also worth noting that this is not the first time that
> a linux security update caused an openafs regression,

The only sane way to avoid such occasional breakage is to upstream
the OpenAFS kernel module into the Linux kernel. As long as this doesn't
happen, it'll inevitably happen again.

Cheers,
Moritz



Bug#885183: stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1

2017-12-26 Thread Moritz Mühlenhoff
On Mon, Dec 25, 2017 at 09:26:58PM +0100, Ludovico Cavedon wrote:
> - #866721 and #866719, which are security-related issues. Do you want
>   me to reach out to the security team about these first? 

Those are marked no-dsa for quite a while, so not needed.

Cheers,
Moritz



Re: Bug#885172: transition: libsodium

2017-12-26 Thread Moritz Mühlenhoff
Emilio Pozuelo Monfort wrote:
> DSA shut down the kfreebsd buildds.

Is that a temporary measure or permanently due to the state of
the port?

(Just wondering since there's unofficial security builds
for kfreebsd-* despite not being a release arch; if that also affects
those efforts, we should make some kind of EOL announcement).

Cheers,
Moritz



Bug#882621: stretch-pu: package python2.7/2.7.13-2+deb9u2

2017-11-26 Thread Moritz Mühlenhoff
On Sun, Nov 26, 2017 at 01:52:04PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Fri, 2017-11-24 at 23:18 +0100, Moritz Muehlenhoff wrote:
> > I'd like to add a fix for a minor security issue in Python 2.7 to the
> > as a followup update to what's already in spu. debdiff is below.
> > 
> > This is fixed in unstable in 2.7.13-4.
> 
> Please go ahead.

Thanks, uploaded.

Cheers,
Moritz



Re: Proposed (lib)curl switch to openssl 1.1

2017-11-24 Thread Moritz Mühlenhoff
Sebastian Andrzej Siewior wrote:
> I did a grep and it seems that all affected users are blocked by
> #858398 except for hhvm.

I have patches to switch HHVM to openssl 1.1, only need to find some time
to prepare an upload.

Cheers,
Moritz



Bug#873103: [release.debian.org] Plan for imagemagick7 landing before next stable

2017-08-30 Thread Moritz Mühlenhoff
On Thu, Aug 24, 2017 at 05:23:53PM +0200, Bastien ROUCARIÈS wrote:
> Package: release.debian.org
> Severity: wishlist
> 
> Hi,
> 
> I plan to release imagemagick 7 before next stable version. And I want to 
> coexist imagemagick6 and imagemagick7.

Why? That means twice the security updates (which are already a big
resource hog). We only do that in exceptional cases and this doesn't
sound like one.

All existing reverse dependencies can be converted before the freeze.

Cheers,
Moritz



Bug#869414: package smplayer/16.11.0~ds0-1+deb9u1

2017-08-06 Thread Moritz Mühlenhoff
On Sun, Jul 23, 2017 at 12:20:25PM +0200, Mateusz Łukasik wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> Dear SRMs,
> 
> I would like to update smplayer in Stretch to fix #869411, it was already
> fixed in unstable.

What about #870233, sounds like a good opportunity to fix that along?

Cheers,
Moritz



Bug#867461: should ca-certificates certdata.txt synchronize across all suites?

2017-07-21 Thread Moritz Mühlenhoff
On Fri, Jul 21, 2017 at 09:51:45AM -0400, Antoine Beaupré wrote:
> On 2017-07-20 18:15:00, Philipp Kern wrote:
> > On 07/17/2017 09:41 PM, Antoine Beaupré wrote:
> >> Let's not jump the gun here. We're not shipping NSS in ca-certificates,
> >> just a tiny part of it: one text file, more or less.
> >
> > Yeah, and the consensus of the world external to Debian seems to be that
> > this might not be the smartest choice.
> 
> I'm not sure I understand what you are proposing as an alternative
> here. Should we stop shipping ca-certificates? Or make it a binary
> package of the NSS source package?

Most distros rebase to the latest NSS release across all supported suites.

We also did this once or twice in -security (for changes which were too
intrusive to backport) and upstream apparently usually supports this.

But it's quite some effort to test all the reverse deps (that's why backporting
isolated fixes is easier in such cases) to ensure no breakage creeps in, so
this would need a volunteer to deal with testing reverse deps.

Cheers,
Moritz



Bug#868459: stretch-pu: package libquicktime/2:1.2.4-10+deb9u1

2017-07-16 Thread Moritz Mühlenhoff
Salvatore Bonaccorso wrote:
> > Unfortunately, I've had to flag the upload for rejection - it's somehow
> > picked up a new dependency on "libschroedinger-1.0-0 (>= 1.0.0)", but
> > that binary package is not in stretch.
> 
> Hmm, could it be the building chroot was unclean (contained jessie
> packages)?

Meh, indeed. I copied/upgraded my former jessie build environment and
that package in fact was still present, will recreate from scratch.

> I took jmm's debdiff, and rebuilt in stretch and
> as well the debdiff against the resulting binary packages and those in
> the archive looked okay.

Thanks.

Cheers,
Moritz



Bug#868459: stretch-pu: package libquicktime/2:1.2.4-10+deb9u1

2017-07-16 Thread Moritz Mühlenhoff
On Sat, Jul 15, 2017 at 09:19:08PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sat, 2017-07-15 at 19:12 +0200, Moritz Muehlenhoff wrote:
> > some minor security fixes for libquicktime, identical to what's
> > already in unstable and also tested with reverse deps on stretch.
> > 
> > If it's too late for 9.1, 9.2 is also just fine.
> 
> Feel free to upload, we'll see if it makes it in time.

Thanks, uploaded.

Cheers,
Moritz



Bug#863915: unblock: webkit2gtk/2.16.3-2

2017-06-05 Thread Moritz Mühlenhoff
Adam wrote:

> I'm not entirely sure how you think p-u is better placed to do so, given 
> the amount of visible testing packages from it get before a point 
> release.

It's not necessarily for the additional testing done on p-u (although
I personally use it like that and probably others as well), but there's
a number of technical features which make spu "suck less" which are
currently lacking in the security.debian.org infrastructure:
- Lack of visible apt source for people to test (#817286) (biggest blocker)
- Bottleneck of not being able to delegate allowing maintainers of webkit
  rdeps to release compatibility updates via security.debian.org (#817285)
- No possibility to trigger binNMUs of rdeps without a sourceful upload
  (not sure if that's necessary for the changes imposed by newer webkit
  releases, but it's also a serious problem for go-based apps)

Especially the first two points are critical to address mid-term if we
want to ensure security support is sustainable in the years to come.
Either by finding new volunteers to work on that or by funding the
development of these features in some way.

Cheers,
Moritz
 



Bug#827061: transition: openssl

2017-02-01 Thread Moritz Mühlenhoff
On Sat, Jan 28, 2017 at 07:37:09PM +0100, Julien Cristau wrote:
> On Sat, Jun 11, 2016 at 20:59:53 +0200, Kurt Roeckx wrote:
> 
> > OpenSSL will soon release a new upstream version with a new
> > soname.  This new version will break various packages, see:
> > https://lists.debian.org/debian-devel/2016/06/msg00205.html
> > 
> > I'm currently not sure when the release will be ready.  I would
> > like to start this transition as soon as possible, but probably
> > after it's actually released.  I don't expect this to take long.
> > 
> At this point, it seems clear to me that we're getting nowhere fast.
> With the freeze looming in a few days, this is growing to be a very big
> risk for the stretch release.

Why? The last time I saw its status it was down to something like
five packages in question.

What new RC bugs related to the transition?

Cheers,
Moritz



Re: Draft for taging 32 RC bugs with can-defer, will-remove or is-blocker

2017-01-28 Thread Moritz Mühlenhoff
Niels Thykier wrote:
>> 852603   virglrenderer   can-defer   virglrenderer: CVE-2016-10163
>> 852604   virglrenderer   can-defer   virglrenderer: CVE-2017-5580

This hasn't been in a stable release yet and it's already orphaned. If no one
picks it up or fixes it, let's rather remove it.

Cheers,
Moritz



Re: embedding openssl source in sslcan

2017-01-05 Thread Moritz Mühlenhoff
On Thu, Jan 05, 2017 at 09:39:16PM +0100, Sebastian Andrzej Siewior wrote:
> On 2016-12-31 17:35:47 [+0100], Julien Cristau wrote:
> > Is this really something we need to be shipping?  If yes, I'd personally
> > really like this to get an explicit exemption from normal policy by the
> > security team, so please talk to them (debian-security@ldo is not it).
> 
> I have been made aware of my mistake and I bounced the original email to
> security@d.o with no response yet. I haven't got any response from them
> yet so it looks like sslscan will link against libssl1.0.

I did reply to you (as did Thijs), but as mentioned before there's no
need for that code copy in _stretch_, since 1.0.2 should still provide
ample legacy support.

Cheers,
Moritz



Bug#829606: jessie-pu: package duck/0.7+deb8u1

2016-12-26 Thread Moritz Mühlenhoff
On Sun, Aug 28, 2016 at 03:55:24PM +0100, Adam D. Barratt wrote:
> Control: tags -1 +confirmed -moreinfo
> 
> [re-ordered]
> 
> > On 2016-07-29 at 14:20, Julien Cristau wrote:
> > > Control: tag -1 moreinfo
> > > 
> > > On Mon, Jul  4, 2016 at 18:22:46 +0200, Simon Kainz wrote:
> [...]
> > >> Paul Wise found out that duck runs untrusted code from the current
> > >> directory as well as the ./lib and ./lib/checks directory. The attached
> > >> patch fixes this issue.
> > >>
> > > Hi,
> > > 
> > > any chance of a diff from git diff -M or similar so the actual changes
> > > are easier to spot?
> 
> On Mon, 2016-08-01 at 20:41 +0200, Simon Kainz wrote:
> > Ok, please see the attached patch, which is the same as the previous
> > one, but cleaned up - I made a diff without committing all my changes,
> > so git had a hard time recognising rename vs. delete new.
> 
> The changelog says "jessie-security" - with that changed to simply
> "jessie", please go ahead.

Simon,
what's the status here?

Cheers,
Moritz



Bug#843905: jessie-pu: package akonadi/1.13.0-2+deb8u2

2016-11-13 Thread Moritz Mühlenhoff
>
> The latest security upload of mysql-5.5 breaks akonadi-backend-mysql in
> stable, this is due to a change in the compiled-in configuration values that
> are incompatible with the ones shipped in the akonadi backend *.
>
> In the bug #843520 [1] the mysql maintainers requested this to be fixed on
> the akonadi side.
>
> The bug #843534 currently tracks the akonadi side of things, sadly we have
> some contradicting user reports. But according to our tests this upload fixes
> the issue caused by the mysql-5.5 upload, we may need to further investigate
> the problems that aren't fixed with this.
>
> I'm not completely sure if it would be better to upload this change as a
> security upload as a way to retain archive consistency, in any case I would
> wait for a green flag from the release team before uploading this.

Let's fix this via security.debian.org, it reaches people's systems quicker
and the (legit) mysql change was introduced via a security after all.

> +akonadi (1.13.0-2+deb8u2) stable-proposed-updates; urgency=medium

Please let that point to jessie-security instead of stable-proposed-updates,
build with -sa (since akonadi is new in jessie-security) and upload to
security-master. I'll take care of the update.

Cheers,
Moritz



Re: Porter roll call for Debian Stretch

2016-10-09 Thread Moritz Mühlenhoff
Niels Thykier wrote:
> If I am to support powerpc as a release architecture for Stretch, I
> need to know that there are *active* porters behind it committed to
> keeping it in the working.  People who would definitely catch such
> issues long before the release.  People who file bugs / submit patches etc.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832931 is about
a powerpc-specific build failure of mariadb in stable. The maintainer
said he can't work on it, so if anyone considers himself/herself a
powerpc porter, this is something to look at.

Cheers,
Moritz



Re: Bug#839226: [PATCH] cups : SSL is vulnerable to POODLE

2016-09-30 Thread Moritz Mühlenhoff
Hi Didier,

> Have we removed protocols' support in {old,}stable before?

We have done that on a case-by-case basis via point updates in the past,
seems also fine here.

Cheers,
Moritz



Re: Porter roll call for Debian Stretch

2016-09-22 Thread Moritz Mühlenhoff
John Paul Adrian Glaubitz wrote:
> On 09/20/2016 11:16 PM, Niels Thykier wrote:
>>- powerpc: No porter (RM blocker)
>
> I'd be happy to pick up powerpc to keep it for Stretch.

Great, please look into the mariadb build failure reported at #832931.

Cheers,
Moritz



Re: The (uncalled for) toolchain maintainers roll call for stretch

2016-09-17 Thread Moritz Mühlenhoff
Matthias Klose wrote:
> Afaiu the security team also doesn't care
> about these ports when they fail to build for security updates.

Indeed. The openjdk updates are already really time-consuming, we can't
afford additional update rounds for exotic archs without official upstream
support.

Cheers,
Moritz



Bug#829136: jessie-pu: package harfbuzz/0.9.35-2+deb8u1

2016-09-06 Thread Moritz Mühlenhoff
On Sat, Aug 13, 2016 at 10:33:32AM +0200, Julien Cristau wrote:
> Control: tag -1 moreinfo
> 
> On Thu, Jun 30, 2016 at 22:19:11 +0200, Moritz Muehlenhoff wrote:
> 
> > Package: release.debian.org
> > Severity: normal
> > Tags: jessie
> > User: release.debian@packages.debian.org
> > Usertags: pu
> > 
> > Attached debdiff fixes a non-severe security issue in harfbuzz.
> > I've been using that for a few weeks on my jessie desktop.
> > 
> > Cheers,
> > Moritz
> > 
> > diff -Nru harfbuzz-0.9.35/debian/changelog harfbuzz-0.9.35/debian/changelog
> > --- harfbuzz-0.9.35/debian/changelog2014-10-30 13:58:05.0 
> > +0100
> > +++ harfbuzz-0.9.35/debian/changelog2016-05-30 23:50:45.0 
> > +0200
> > @@ -1,3 +1,10 @@
> > +harfbuzz (0.9.35-2+deb8u1) jessie; urgency=medium
> > +
> > +  * Backport upstream commit 613e630617074eb9b62b794cc37c9b42a7fb079b to 
> > address
> > +CVE-2016-2052
> > +
> > + -- Moritz Mühlenhoff <j...@debian.org>  Mon, 30 May 2016 23:49:46 +0200
> > +
> >  harfbuzz (0.9.35-2) unstable; urgency=medium
> >  
> >* debain/clean: Remove test/shaping/*.pyc during clean
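Review bot: The added changelog entry identifies the fix only by the upstream commit hash and CVE-2016-2052; a one-line description of what the backported commit changes would let a reader of the changelog judge the update without looking up the commit, and would make it easier to confirm that the hash and the CVE id refer to the same issue.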
> 
> According to https://bugzilla.redhat.com/show_bug.cgi?id=1301553#c6
> CVE-2016-2052 is linked to a different commit, can you clarify?

Hmm, there seems to have been some reshuffling of CVE mappings, also another
minor issue came up. I'll revise.

Cheers,
Moritz



Re: Bug#834327: jessie-pu: package gnupg2/2.0.26-6+deb8u1

2016-08-18 Thread Moritz Mühlenhoff
Aurelien Jarno wrote:
> On 2016-08-14 16:00, Salvatore Bonaccorso wrote:
>> Package: release.debian.org
>> Severity: normal
>> Tags: jessie
>> User: release.debian@packages.debian.org
>> Usertags: pu
>> 
>> Dear SRM
>> 
>> I would like to propose the following hardening to src:gnupg2 which was
>> found during the analysis of a vulnerability report to the security team
>> and related to
>> https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_razavi.pdf
>> and developed by NIIBE Yutaka. The underlying problem in hardware cannot
>> be solved in software (and thus we don't want to issue a DSA for it, and
>> give possibly this false impression), and as pointed out by Florian
>
> I wonder if it would be a good idea to release an announcement without
> any software change recommending people to not enable KSM on their
> hosts?

I think a NEWS file for the kernel would be best?

Cheers,
Moritz



Bug#829135: jessie-pu: package python2.7/2.7.9-2+deb8u1

2016-08-03 Thread Moritz Mühlenhoff
On Tue, Jul 12, 2016 at 09:55:23PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Thu, 2016-06-30 at 22:17 +0200, Moritz Muehlenhoff wrote:
> > +python2.7 (2.7.9-2+deb8u1) jessie; urgency=medium
> > +
> > +  * Backport upstream commit b3ce713fb9beebfff9848cefa0acbd59acc68fe9
> > +to address StartTLS stripping attack in smtplib (CVE-2016-0772)
> > +  * Backport upstream commit 985fc64c60d6adffd1138b6cc46df388ca91ca5d
> > +to address integer overflow in zipimporter (CVE-2016-5636)
> > +  * Backport upstream commit 1c45047c51020d46246385949d5c02e026d47320
> > +to address HTTP header injection (CVE-2016-5699)
> 
> Please go ahead.

Uploaded.

Cheers,
Moritz



Bug#829136: jessie-pu: package harfbuzz/0.9.35-2+deb8u1

2016-08-02 Thread Moritz Mühlenhoff
On Tue, Jul 12, 2016 at 09:56:12PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Thu, 2016-06-30 at 22:19 +0200, Moritz Muehlenhoff wrote:
> > +harfbuzz (0.9.35-2+deb8u1) jessie; urgency=medium
> > +
> > +  * Backport upstream commit 613e630617074eb9b62b794cc37c9b42a7fb079b to 
> > address
> > +CVE-2016-2052
> 
> Please go ahead.

Thanks, uploaded.

Cheers,
Moritz



Re: Dropping src:torque from archive? (was: Re: Bug#767411: torque: should not be released with jessie)

2016-05-31 Thread Moritz Mühlenhoff
On Sat, May 28, 2016 at 08:32:04PM +0200, Salvatore Bonaccorso wrote:
> Hi all,
> 
> On Sat, Nov 01, 2014 at 08:50:05PM +0100, Moritz Mühlenhoff wrote:
> > On Sat, Nov 01, 2014 at 02:30:02PM -0400, Michael Gilbert wrote:
> > > On Sat, Nov 1, 2014 at 11:46 AM, Salvatore Bonaccorso wrote:
> > > > Given Dominique's reply on #767411, from my POV I think the best
> > > > solution would be to remove torque completely for jessie (i.e. first
> > > > drop support from openmpi to be able to remove the package and
> > > > remaining reverse dependencies).
> > > 
> > > 4 wheezy DSAs doesn't necessarily sound that horrible, so I don't
> > > think we're clearly at the point where torque should be considered
> > > unsupportable.  Maybe the patch backports were an incredible amount of
> > > work?
> > 
> > Well, but the 2.4 branch is already no longer unsupported upstream
> > and we shouldn't knowingly introduce it into a release which will be
> > supported for five more years.
> >  
> > > The package does clearly need to be orphaned, so someone can step up
> > > post-jessie to get the package in sync with upstream.
> > 
> > > As written by Dominique that's not possible for license reasons.
> 
> In the meanwhile openmpi has dropped the torque dependency.
> 
> Should we have src:torque and src:pbs-drmaa be removed from the
> archive?

I think so.

Cheers,
Moritz



Bug#818549: jessie-pu: package icedtea-web/1.5.3-1

2016-05-25 Thread Moritz Mühlenhoff
On Tue, May 24, 2016 at 09:34:49PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Thu, 2016-03-17 at 23:06 +0100, Moritz Muehlenhoff wrote:
> > I'd like to update icedtea-web in jessie to 1.5.3 in the next
> > jessie point release. This fixes two security issues (CVE-2015-5234,
> > CVE-2015-5235), which are not easily backportable, so I rather made
> > the update to the minor point update which fixes those (similar
> > to what we do with openjdk-7 itself).
> > 
> > I've tested this on a jessie with various web applets I could
> > find (fortunately finding these in the wild is becoming increasingly
> > difficult!).
> > 
> > The debdiff is here: https://people.debian.org/~jmm/icedtea-web.debdiff
> > (the actual change to the debian/ directory is just the changelog
> > entry bump). Ubuntu has also updated to those point bugfix updates
> > in USNs for a while now.
> 
> I'm not exactly overjoyed by the size of the diff, but it's Java is
> stable, so I'm just going to close my eyes and assume you know what
> you're doing. :-)

Thanks :-)  Uploaded.

Cheers,
Moritz



Bug#825127: RM: mediawiki/1:1.19.20+dfsg-2.3

2016-05-23 Thread Moritz Mühlenhoff
On Mon, May 23, 2016 at 09:48:30PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo jessie
> 
> On Mon, 2016-05-23 at 22:33 +0200, Moritz Muehlenhoff wrote:
> > please remove mediawiki in the upcoming jessie point release. Security
> > support for it was limited for a year as mentioned in the release notes:
> > https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#mediawiki-security
> 
> Checking reverse dependencies...
> # Broken Depends:
> fusionforge: fusionforge-plugin-mediawiki
> mediawiki-math: mediawiki-extensions-math
> 
> mediawiki-math is collateral damage, but dropping fusionforge for the
> sake of a single plugin seems a little overkill. :-)

Adding Roland Mas to CC. Could you maybe drop the fusionforge-plugin-mediawiki
binary package for the upcoming jessie point release?

Cheers,
Moritz



Bug#818549: jessie-pu: package icedtea-web/1.5.3-1

2016-05-23 Thread Moritz Mühlenhoff
On Thu, Mar 17, 2016 at 11:06:05PM +0100, Moritz Muehlenhoff wrote:
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> Hi,
> I'd like to update icedtea-web in jessie to 1.5.3 in the next
> jessie point release. This fixes two security issues (CVE-2015-5234,
> CVE-2015-5235), which are not easily backportable, so I rather made
> the update to the minor point update which fixes those (similar
> to what we do with openjdk-7 itself).
> 
> I've tested this on a jessie with various web applets I could
> find (fortunately finding these in the wild is becoming increasingly
> difficult!).
> 
> The debdiff is here: https://people.debian.org/~jmm/icedtea-web.debdiff
> (the actual change to the debian/ directory is just the changelog
> entry bump). Ubuntu has also updated to those point bugfix updates
> in USNs for a while now.

ping for the upcoming point update.

Cheers,
Moritz



Bug#822616: jessie-pu: package poppler/0.26.5-2+deb8u1

2016-04-26 Thread Moritz Mühlenhoff
On Mon, Apr 25, 2016 at 07:16:02PM +0200, Pino Toscano wrote:
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> Hi,
> 
> simple jessie-pu for poppler, just fixed in unstable, which fixes
> CVE-2015-8868; attached debdiff.
> 
> I guess I need to do binary uploads in (old-)stable, right?

Let's fix this via security.debian.org. Please change the distribution
target to "jessie-security" and build with "-sa" to include the orig
tarball (since poppler is new in the jessie security suite). security-master
needs binary uploads.

Cheers,
Moritz



Re: New oldstable-proposed-updates diff: tomcat6 6.0.45+dfsg-1~deb7u1

2016-03-30 Thread Moritz Mühlenhoff
On Tue, Mar 29, 2016 at 11:23:30PM +0200, Markus Koschany wrote:
> On 29.03.2016 at 23:01, Moritz Mühlenhoff wrote:
> > On Tue, Mar 29, 2016 at 10:03:56PM +0200, Markus Koschany wrote:
> >> The Security Team decided to mark the issues in Jessie as no-dsa because
> >> we only ship the servlet API and documentation in this release which
> >> can't be affected by security vulnerabilities at all. I wouldn't mind
> >> uploading the 6.0.45+dfsg-1~deb8u1 to Jessie but I think we can safely
> >> ignore the version number skew in this case. All Wheezy users who update
> >> to Jessie will keep 6.0.45+dfsg-1~deb7u1 for the servlet API and Jessie
> >> only users will continue to use 6.0.41. They will not be placed in a
> >> worse position.
> >>
> >> If you feel more comfortable with an updated source package in Jessie, I
> >> will gladly upload this one to Jessie.
> > 
> > I missed the wheezy > jessie version skew aspect. In that case let's also
> > upgrade tomcat6 in jessie even though it's a NOP.
> > 
> > But all those rdeps of libservlet2.5-java should really be upgraded
> > to libservlet3.1-java.
> > 
> > Cheers,
> > Moritz
> 
> [putting debian-java in the loop]
> 
> I will upload a Jessie update of Tomcat 6 tomorrow.

Ok.

> Please note that
> changing the rdeps of libservlet2.5-java to libservlet3.1-java is one of
> our goals for Stretch. [1]

Ok, nice.

Cheers,
Moritz



Bug#818615: jessie-pu: package gtk+2.0

2016-03-24 Thread Moritz Mühlenhoff
On Thu, Mar 24, 2016 at 06:35:55AM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Wed, 2016-03-23 at 23:12 +0100, Moritz Mühlenhoff wrote:
> [...]
> > > > > On Fri, 2016-03-18 at 19:33 +0100, Moritz Muehlenhoff wrote:
> > > > > > > I'd like to fix a security issue in GTK, which doesn't really
> > > > > > > warrant a DSA. Debdiff below, I've been running this on my jessie
> > > > > > workstation for a day now.
> > > > > > 
> > > > > > Cheers,
> > > > > > Moritz
> > > > > > 
> > > > > > diff -Nru gtk+2.0-2.24.25/debian/changelog 
> > > > > > gtk+2.0-2.24.25/debian/changelog
> > > > > > --- gtk+2.0-2.24.25/debian/changelog2015-03-03 
> > > > > > 19:39:59.0 +0100
> > > > > > +++ gtk+2.0-2.24.25/debian/changelog2016-03-17 
> > > > > > 23:20:16.0 +0100
> > > > > > @@ -1,3 +1,9 @@
> > > > > > +gtk+2.0 (2.24.25-3+deb8u1) jessie; urgency=medium
> > > > > > +
> > > > > > +  * CVE-2013-7447 (Closes: #799275)
> [...]
> > This is now in unstable:
> > https://packages.qa.debian.org/g/gtk+2.0/news/20160323T215045Z.html
> 
> Thanks. Please go ahead.

Uploaded.

Cheers,
Moritz



Bug#819119: jessie-pu: package libsndfile/1.0.25-9.1+deb8u1

2016-03-23 Thread Moritz Mühlenhoff
On Wed, Mar 23, 2016 at 10:11:32PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Wed, 2016-03-23 at 22:56 +0100, Moritz Muehlenhoff wrote:
> > Another update for no-dsa security issues, this time in libsndfile.
> > The patches have been used in unstable for over four months, the
> > extensive test suite passes and I made additional functionality tests
> > with the resulting build.
> 
> Please go ahead.

Thanks, uploaded.

Cheers,
Moritz



Bug#818615: jessie-pu: package gtk+2.0

2016-03-23 Thread Moritz Mühlenhoff
tags 818615 -moreinfo
thanks

On Tue, Mar 22, 2016 at 07:56:40PM +, Adam D. Barratt wrote:
> On Fri, 2016-03-18 at 20:58 +0100, Salvatore Bonaccorso wrote:
> > Hi Adam,
> > 
> > Not Moritz here but can answer the question as well:
> > 
> > On Fri, Mar 18, 2016 at 07:22:34PM +, Adam D. Barratt wrote:
> > > Control: tags -1 + moreinfo
> > > 
> > > On Fri, 2016-03-18 at 19:33 +0100, Moritz Muehlenhoff wrote:
> > > > I'd like to fix a security issue in GTK, which doesn't really warrant
> > > > a DSA. Debdiff below, I've been running this on my jessie
> > > > workstation for a day now.
> > > > 
> > > > Cheers,
> > > > Moritz
> > > > 
> > > > diff -Nru gtk+2.0-2.24.25/debian/changelog 
> > > > gtk+2.0-2.24.25/debian/changelog
> > > > --- gtk+2.0-2.24.25/debian/changelog2015-03-03 19:39:59.0 
> > > > +0100
> > > > +++ gtk+2.0-2.24.25/debian/changelog2016-03-17 23:20:16.0 
> > > > +0100
> > > > @@ -1,3 +1,9 @@
> > > > +gtk+2.0 (2.24.25-3+deb8u1) jessie; urgency=medium
> > > > +
> > > > +  * CVE-2013-7447 (Closes: #799275)
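Review bot: The added changelog entry consists only of "CVE-2013-7447 (Closes: #799275)"; it should say what is being fixed and where the fix comes from, since the CVE id and bug number alone do not describe the change being made to the package.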
> > > 
> > > The Security Tracker suggests that this isn't fixed in the version of
> > > gtk+2.0 in unstable; is that correct?
> > 
> > Yes it is as well unfixed there. I just have proposed a NMU in
> > https://bugs.debian.org/799275#39
> 
> Thanks for that.
> 
> If we don't notice, please feel free to remove the "moreinfo" tag once
> the NMU reaches unstable.

This is now in unstable:
https://packages.qa.debian.org/g/gtk+2.0/news/20160323T215045Z.html

Cheers,
Moritz



Bug#818801: jessie-pu: package cairo/1.14.0-2.1+deb8u1

2016-03-20 Thread Moritz Mühlenhoff
On Sun, Mar 20, 2016 at 06:43:48PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sun, 2016-03-20 at 19:33 +0100, Moritz Muehlenhoff wrote:
> > +cairo (1.14.0-2.1+deb8u1) jessie; urgency=medium
> > +
> > +  * Fix CVE-2016-3190
> 
> I'd prefer a slightly more detailed changelog, but please go ahead.

Thanks, uploaded.

Cheers,
Moritz



Bug#818150: jessie-pu: package php5/5.6.19+dfsg-0+deb8u1

2016-03-20 Thread Moritz Mühlenhoff
On Mon, Mar 14, 2016 at 11:00:12AM +0100, Ondřej Surý wrote:
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> Hi,
> 
> security team still seems to be heavily overloaded, so I am hoping we
> can do this via jessie-pu again.
> 
> We need to update 5.6.17+dfsg-0+deb8u1 to 5.6.19+dfsg-0+deb8u1 as
> there were several security updates between the releases:

Ack from my side, there's nothing urgent in there, these could go
via spu.

Cheers,
Moritz



Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2

2016-03-14 Thread Moritz Mühlenhoff
On Sun, Feb 28, 2016 at 07:42:46PM +0100, Salvatore Bonaccorso wrote:
> Hi Markus,
> 
> Just one note:
> 
> On Sun, Feb 28, 2016 at 06:22:08PM +0100, Markus Frosch wrote:
> > +php-dompdf (0.6.1+dfsg-2+deb8u1) UNRELEASED; urgency=medium
> > +
> > +  * Non-maintainer upload.
> > +  * [22610bd] Add 0.6.2 hotfix patch (Closes: #813849)
> > +
> > +Fixes CVE:
> > +* CVE-2014-2383
> > +* CVE-2014-5011
> > +* CVE-2014-5012
> > +* CVE-2014-5013
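Review bot: the header line still has UNRELEASED as the target distribution; for a jessie-pu upload it needs to read jessie before the package is built. The "Fixes CVE:" block also lists four ids with no description, so a short note per CVE would help whoever has to match them against the 0.6.2 hotfix patch.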
> 
> CVE-2014-2383 should actually be already fixed in 0.6.1+dfsg-1. Is
> that wrong?
> 
>  https://security-tracker.debian.org/tracker/CVE-2014-2383
>  https://bugs.debian.org/745619

Markus?

Cheers,
Moritz



Re: Opinion about linux-grsec in a stable release

2016-03-10 Thread Moritz Mühlenhoff
On Wed, Mar 02, 2016 at 09:01:34PM +0100, Yves-Alexis Perez wrote:
> On mer., 2016-03-02 at 20:06 +0100, Moritz Muehlenhoff wrote:
> > Before considering that, did anyone approach grsecurity whether we can get
> > access to the grsecurity stable patches? We would most definitely have
> > Debian funds to become grsecurity sponsors to obtain access to stable
> > patches.
> 
> I think that'd be something nice anyway, but…
> > 
> > Whether that's possible/desirable by grsecurity is the question, though:
> > Having the stable patches in Debian would make them available to the
> > general public (including those sleazy embedded companies which made them
> > change their distribution scheme).
> 
> Indeed, I didn't even bother to ask because when you gain access to the stable
> patches, you commit yourself to not make them available publicly, which is
> obviously exactly what we would do.

It's the release team's call, but IMO unless upstream changes their policy to
allow public access to stable patches again, this seems rather like a case
for a PPA or possibly backports (but they generally require backports from
what is in testing).

Cheers,
Moritz



Dropping jasper from stretch

2016-02-28 Thread Moritz Mühlenhoff
Hi,
see 812630/816228 (also discussed with Roland): Security team would like to drop
jasper from stretch (and eventually from the archive). Some high-profile users
like gdk-pixbuf already had it dropped some time ago.

Ok with the release team? Could you please set up a removal/transition tracker
for this for easier tracking?

Bugs would be filed with "important" severity and bumped to RC grade after some
weeks so that autoremovals can work their magic for packages which hadn't been
adapted by then.

Cheers,
Moritz



Re: wheezy-security to wheezy-lts transition

2016-02-22 Thread Moritz Mühlenhoff
On Mon, Feb 22, 2016 at 06:42:20PM +0100, Guido Günther wrote:
> Hi Adam,
> On Sat, Feb 20, 2016 at 02:27:27PM +, Adam D. Barratt wrote:
> > [apologies to anyone who's ended up with three copies of this; the
> > original got eaten due to a misconfiguration on my side - please only
> > reply to this copy]
> > 
> > Hi,
> > 
> > As I understand it, the plan is for wheezy-lts to re-use
> > security.d.o:wheezy/updates directly, rather than a separate suite on
> > ftp-master. Is that correct?
> 
> I think so. See
> 
> 
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=prep-wheezy-lts;users=debian-...@lists.debian.org

While these two are long-standing enhancement bugs which would make
the security team work much easier, they are unrelated to the plan
outlined above.

That plan was mentioned during the DebConf BoF, but I'm not aware that anyone
is working on that and I'm unsure whether it's feasible to implement in time?

Especially since even far simpler changes like the two mentioned above are
open for quite a long time.

Cheers,
Moritz



Re: Kernel version for stretch

2016-01-30 Thread Moritz Mühlenhoff
On Thu, Jan 28, 2016 at 08:15:30PM +, Ben Hutchings wrote:
> On Thu, 2016-01-28 at 20:01 +0100, Moritz Mühlenhoff wrote:
> > Ben Hutchings <b...@decadent.org.uk> wrote:
> > > For stretch, I would very much like to choose a kernel version for
> > > stretch that gets longterm maintenance by Greg Kroah-Hartman. That
> > > lasts 2 years from release, after which someone else (maybe me) can
> > > take over.
> > 
> > Luis Henriques and Kamal Mostafa maintain the ckt stable kernels
> > for Ubuntu-non-LTS releases for two years.
> 
> Not in general; it can be as little as 12 months (e.g. 3.11-ckt).

I would need to confirm that, but AFAICS the non-LTS kernels after 3.11 are
all maintained for two years (since they are now made available as "hardware
enablement kernels" for the Ubuntu LTS releases).

> > We could base the stretch kernel on the underlying ckt kernel
> > series used for Ubuntu 16.04 or 16.10?
> 
> Given the politics involved, I would rather not do that twice in a row.

Ok.

Cheers,
Moritz



Re: Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: [debian-mysql] Bug#793316: transition: mysql-5.6]

2016-01-29 Thread Moritz Mühlenhoff
On Fri, Jan 15, 2016 at 04:09:58PM +0100, Norvald H. Ryeng wrote:
> so I'll need the complete list of
> requirements first. The Debian MySQL team has asked for a list, in
> writing, several times now, but that list has not been produced.

Here's what it essentially boils down to:

- Public, non-discriminatory access, we don't sign NDAs
- Public mapping between CVE IDs and patches (or commit IDs to a public VCS)
- If the patches don't have meaningful commits messages on the nature of the
  change, provide a contact who is willing to answer questions for backports
  or impact

Cheers,
Moritz




Re: Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: [debian-mysql] Bug#793316: transition: mysql-5.6]

2016-01-14 Thread Moritz Mühlenhoff
On Mon, Jan 11, 2016 at 08:14:06PM +, Robie Basak wrote:
> On Mon, Jan 11, 2016 at 07:27:30PM +0100, Moritz Mühlenhoff wrote:
> > *Sigh*. And that is exactly the problem (and we've already pointed this
> > out at DebConf half a year ago)
> > 
> > We should really go ahead and move forward, the freeze isn't terribly far 
> > away.
> 
> I don't think it's reasonable to use a security question raised by
> MariaDB as an excuse to kick out MySQL. Because whether you do so or
> not, your situation with getting information about CVEs in relation to
> MariaDB will not change.
>
> Let's treat the situation with each on their own merits and be
> constructive about this.

This policy equally hurts us for mysql alone. Debian LTS had to go through
a messy 5.1-5.5 transition because of Oracle's policies.
 
> That *is* something that might be able to be addressed directly by
> Oracle, and if it does get addressed then MariaDB's situation could
> improve too, and Debian wins.

We've already raised this at DebConf with Norvald from Oracle half a year
ago and nothing happened. Several other parties didn't get these infos
from Oracle in the past (not even Red Hat). The VirtualBox developers
were equally shut down by Oracle (after being cooperative for a while).

I see no chance that this will really happen. We'll definitely not
wait for it and we need to make a move ASAP. The freeze is only like
eight months away and a transition from mysql to mariadb takes its
time.

> So please: the security team needs to engage directly with Oracle by
> responding to Norvald's email and enumerating exactly what is wrong.
> Otherwise nobody can reasonably claim about what Oracle is not doing in
> relation to security, because the security team refuses to say what the
> problem is.

*sigh* That has already been raised multiple times and it was all reported
to Oracle at DebConf. Information about specific security issues and
their mapping to fixes (just like raised by Otto, which explains the
need very well) need to be publicly available (we're unable and unwilling
to sign an NDA).

This is EOD from my side. This has all been discussed to death and
I won't spend further time on this.

Cheers,
Moritz



Re: Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: [debian-mysql] Bug#793316: transition: mysql-5.6]

2016-01-11 Thread Moritz Mühlenhoff
On Mon, Jan 11, 2016 at 02:13:40PM +0100, Norvald H. Ryeng wrote:
> On Mon, 11 Jan 2016 13:59:07 +0100, Otto Kekäläinen  wrote:
> 
> >2016-01-11 13:54 GMT+02:00 Norvald H. Ryeng :
> >>On Mon, 28 Dec 2015 13:28:18 +0100, Otto Kekäläinen 
> >>wrote:
> >>
> >>>Hello!
> >>>
> >>>2015-12-23 16:39 GMT+02:00 Norvald H. Ryeng :
> >>>..
> 
> >>>>I know we are a bit tight with info about security issues upstream,
> >>>>but all security bugfixes are available at
> >>>>https://github.com/mysql/mysql-server as individual commits, and a
> >>>>list of CVEs fixed is reported quarterly according to a published
> >>>>schedule. Apparently that's not enough.
> >>>
> >>>
> >>>As a side note related to this, can you please tell us in what commit
> >>>CVE-2015-4913 and CVE-2015-4737 were fixed? You probably have access to
> >>>some internal security tracker where you can look this up, and both CVEs
> >>>are already relatively old, so you would not be releasing any sensitive
> >>>security info.
> >>
> >>
> >>All I have is what is public: CVE-2015-4913 was included in the latest
> >>Critical Patch Update in October and was fixed in 5.5.46 and 5.6.27.
> >>CVE-2015-4737 was included in the July Critical Patch Update and was
> >>fixed in 5.5.44 and 5.6.24. Since Debian is already at 5.5.46, these
> >>don't affect Debian any more.
> >>
> >>If you're asking because you want to know if these have been fixed in
> >>MariaDB, I think you should ask MariaDB upstream instead.
> >
> >Nobody outside Oracle can answer this. Oracle has reserved certain CVE
> >numbers for their use and as there no details in the CVE entries (just
> >a version number when it was fixed) nobody outside Oracle can actually
> >tell what the security issue or the fix was. Above you indicated that
> >those fixes are visible in individual commits, so I was trying my luck
> >if you would be able to give the information which commits those CVEs
> >are.
> 
> I usually don't work on security issues, and I don't have the mapping you're
> asking for.

*Sigh*. And that is exactly the problem (and we've already pointed this
out at DebConf half a year ago)

We should really go ahead and move forward, the freeze isn't terribly far away.

Cheers,
Moritz



Bug#765639: Bug#802159: New OpenSSL upstream version

2015-12-06 Thread Moritz Mühlenhoff
Hi,
Personally I'm in favour of following the openssl point updates and I'd
like to add an additional data point to the discussion:

CVE-2015-3196 was already fixed as a plain bugfix in an earlier point
release, but the security impact was only noticed later on, so following
the point updates would have fixed this bug five months ago.

(http://www.openssl.org/news/secadv/20151203.txt for details)

Cheers,
Moritz



Bug#803336: RM: mopidy/1.1.1-1

2015-10-30 Thread Moritz Mühlenhoff
On Thu, Oct 29, 2015 at 08:48:27AM +, Julien Cristau wrote:
> On Wed, Oct 28, 2015 at 23:06:07 +0100, Moritz Muehlenhoff wrote:
> 
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: rm
> > 
> > Hi,
> > please remove mopidy as part of the gstreamer 0.10
> > removal. According to the PTS this should have been
> > auto-removed, but for some reason that didn't happen:
> > 
> > Marked for autoremoval on 16 October:
> > * The removal of mopidy will also cause the removal of
> >   (transitive) reverse dependencies: mopidy-alsamixer
> >   mopidy-beets mopidy-dirble mopidy-local-sqlite mopidy-mpris
> >   mopidy-scrobbler mopidy-tunein mopidy-youtube
> > 
> britney says:
> 
> * amd64: mopidy-alsamixer, mopidy-beets, mopidy-dirble, 
> mopidy-local-sqlite, mopidy-mpris, mopidy-scrobbler, mopidy-tunein, 
> mopidy-youtube
> 
> Those rdeps aren't marked for removal yet:

Oh, I thought these were removed along right away automatically.

Can we do that manually instead? mopidy is the last blocker for the
removal of further gst0.10-plugins and the 0.10 python bindings from
testing:

remove mopidy-alsamixer/1.0.3-3 mopidy-beets/2.0.0-2 mopidy-dirble/1.1.2-2 mopidy-local-sqlite/1.0.0-1 mopidy-mpris/1.3.1-1 mopidy-scrobbler/1.1.1-3 mopidy-tunein/0.2.2-2 mopidy-youtube/2.0.0-2
remove mopidy/1.1.1-1

Cheers,
Moritz



Bug#803410: jessie-pu: package libvdpau/0.8-3+deb8u2

2015-10-29 Thread Moritz Mühlenhoff
On Thu, Oct 29, 2015 at 07:52:23PM +, luca wrote:
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> Dear release team,
> 
> We would like to update libvdpau in jessie to address a segmentation fault
> in a particular use case.
> 
> 0.8-3+deb8u1 was uploaded through jessie-security with an upstream fix for 3
> security bugs: CVE-2015-5198 CVE-2015-5199 CVE-2015-5200 (see
> https://bugs.debian.org/797895).

If that bug was introduced through a security update, we usually also
fix the regression in a DSA.

Alessandro, since you took care of the DSA for libvdpau, could you
look into this?

Cheers,
Moritz



Bug#796281: jessie-pu: package pcre3/2:8.35-3.3+deb8u1

2015-09-15 Thread Moritz Mühlenhoff
On Tue, Sep 15, 2015 at 09:16:48PM +0100, Adam D. Barratt wrote:
> Control: tags -1 -moreinfo +confirmed
> 
> On Fri, 2015-09-11 at 20:24 +0200, Moritz Mühlenhoff wrote:
> > On Fri, Aug 21, 2015 at 03:59:15PM +0100, Adam D. Barratt wrote:
> > > Control: tags -1 + moreinfo
> > > 
> > > On Fri, 2015-08-21 at 01:35 +0200, Moritz Muehlenhoff wrote:
> > > > This update fixes four minor security issues which don't warrant
> > > > a DSA. These have been tested in a production setup and were
> > > > working fine there.
> > > [...]
> > > > +  * CVE-2015-2325 CVE-2015-2326 CVE-2015-3210 CVE-2015-5073
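Review bot: this changelog line lists four CVE ids and nothing else. Name the patch file that carries each fix and say in a few words what each issue is, so the backports can be matched one by one against the upstream changes they come from.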
> > > 
> > > The BTS and Security Tracker indicate that the first three of those
> > > aren't fixed in unstable yet; is that correct?
> > 
> > Now fixed in unstable in 2:8.35-7.2.
> 
> Thanks; please feel free to upload.

Done.

Cheers,
Moritz



Bug#796281: jessie-pu: package pcre3/2:8.35-3.3+deb8u1

2015-09-11 Thread Moritz Mühlenhoff
On Fri, Aug 21, 2015 at 03:59:15PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> On Fri, 2015-08-21 at 01:35 +0200, Moritz Muehlenhoff wrote:
> > This update fixes four minor security issues which don't warrant
> > a DSA. These have been tested in a production setup and were
> > working fine there.
> [...]
> > +  * CVE-2015-2325 CVE-2015-2326 CVE-2015-3210 CVE-2015-5073
> 
> The BTS and Security Tracker indicate that the first three of those
> aren't fixed in unstable yet; is that correct?

Now fixed in unstable in 2:8.35-7.2.

Cheers,
Moritz



Bug#786830: wheezy-pu: package debian-security-support

2015-08-29 Thread Moritz Mühlenhoff
On Sat, Aug 29, 2015 at 04:15:55PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Mon, 2015-05-25 at 23:13 +0200, Moritz Muehlenhoff wrote:
> > it has been requested multiple times to also provide
> > debian-security-support for wheezy.
> >
> > All the data relevant for wheezy is already present in the version
> > in unstable, so this boils down to a simple rebuild.
> >
> > I've tested the package on a wheezy system. May I upload?
>
> Please go ahead, and let us know once the package hits NEW so that we
> can poke the ftp team.

I've just uploaded it.

> On a related note, what's the plan for keeping the package updated in
> wheezy and jessie? Will e.g. 2015.07.11 be backported, or will there be
> wheezy / jessie-specific uploads from now on?

If we need to end-of-life a package in jessie or wheezy, we'll update it
through security.debian.org, but these will be limited to updating the
security-support-ended.deb[89] files unless there's some bugfix which
needs to be backported.

Cheers,
Moritz



Bug#796281: jessie-pu: package pcre3/2:8.35-3.3+deb8u1

2015-08-27 Thread Moritz Mühlenhoff
On Fri, Aug 21, 2015 at 03:59:15PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On Fri, 2015-08-21 at 01:35 +0200, Moritz Muehlenhoff wrote:
> > This update fixes four minor security issues which don't warrant
> > a DSA. These have been tested in a production setup and were
> > working fine there.
> [...]
> > +  * CVE-2015-2325 CVE-2015-2326 CVE-2015-3210 CVE-2015-5073
>
> The BTS and Security Tracker indicate that the first three of those
> aren't fixed in unstable yet; is that correct?

No, but these are backports from current upstream and I suppose Matthew
will simply move to a new upstream version at some point.

Cheers,
Moritz



Re: Bug#793316: [debian-mysql] Bug#793316: transition: mysql-5.6

2015-07-23 Thread Moritz Mühlenhoff
Clint Byrum spam...@debian.org wrote:
> I'd be interested to hear the security team's impressions on how shipping
> micro releases of MySQL has gone for them.

We're planning to discuss that at DebConf (and will also include the
release team).

> Sure they have a _ridiculous_ policy about not telling us what
> the actual security problems were.

And this is actually a grave problem: Due to that policy there's no
longer any security support for mysql in squeeze.

Cheers,
Moritz


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/slrnmr242b.dkr@inutil.org



Re: Bug#763148: Prevent migration to jessie

2015-04-29 Thread Moritz Mühlenhoff
Andreas Cadhalpun wrote:

> But having mysql-5.5 and mariadb-10.0 in jessie is apparently no
> problem, despite previous claims. What's the difference?

To properly migrate over a daemon they need to co-exist for a stable
release, while a lib does not. Stretch will only have one of them.

> How do you think this should go forward?

When someone made a strawpoll amongst the multimedia maintainers
last year it boiled down to libav for jessie, since it's now too late.
You should revisit that decision now that the release cycle has started.
(Beside pkg-multimedia-maintainers, this certainly also includes
maintainers like Balint which maintain relevant multimedia apps outside of
pkg-multimedia-maintainers.)

If no convincing/clear majority can be reached, let the CTTE decide.

Having both for a year along each other will only waste people's time. Now
at the beginning of the release cycle is the time to make a decision,
not by dragging things into a year as of today. Picking one of the two
won't be any simpler in 12 months.

Cheers,
Moritz








Re: Bug#763148: Prevent migration to jessie

2015-04-29 Thread Moritz Mühlenhoff
On Wed, Apr 29, 2015 at 08:33:07PM +0200, Andreas Cadhalpun wrote:
> > Having both for a year along each other will only waste people's time. Now
> > at the beginning of the release cycle is the time to make a decision,
> > not by dragging things into a year as of today. Picking one of the two
> > won't be any simpler in 12 months.
>
> I just fear that the decision making process will take long, especially
> if the TC has to get involved. (The libjpeg-turbo TC decision took 1 year.)
>
> Having ffmpeg in testing during this time would be nice, e.g. so that people
> using testing can easily compare them.
>
> Was that not what you meant with [1]:
> It certainly possible to have them co-exist for a year or so

Honestly at this point I don't believe we'll need a year to sort out whether
it'll be libav or ffmpeg.

I'll refrain from mentioning my personal preference for now, but IMO
one of the two is preferable in almost all aspects, so picking the lib for
stretch shouldn't take that long.

Cheers,
Moritz





Bug#782769: unblock: chromium-browser/42.0.2311.90-1

2015-04-26 Thread Moritz Mühlenhoff
On Sun, Apr 26, 2015 at 11:57:43AM +0100, Jonathan Wiltshire wrote:
> On Fri, Apr 17, 2015 at 05:21:05PM +0200, Moritz Muehlenhoff wrote:
> > Please unblock package chromium-browser. It fixes multiple
> > security issues (and would also need some aging at this
> > point)
>
> Should this be progressed to proposed-updates or left for a DSA?

Michael already built it for jessie-security, you can close the unblock
bug.

Cheers,
Moritz





Bug#782770: unblock: openjdk-7/7u79-2.5.5-1

2015-04-23 Thread Moritz Mühlenhoff
On Thu, Apr 23, 2015 at 10:03:02PM +0100, Jonathan Wiltshire wrote:
> Control: tag -1 moreinfo
>
> On Fri, Apr 17, 2015 at 05:23:39PM +0200, Moritz Muehlenhoff wrote:
> > Please unblock package openjdk-7. It fixes multiple security
> > issues. ATM the build failed on mips (that was sorted
> > out with a rebuild the last time w/o any source changes)
>
> I can't get MIPS to build and this isn't going to make the final migrations
> before release. Would you rather a DSA or proposed-updates?

Then we'll need an additional DSA for jessie-security, stealing
our time for a toy port no one uses in practice. Awesome.

I'm really annoyed with the MIPS porters. If openjdk fails to
build on MIPS w/o manual builds, why did they paper over this
with manual builds? If openjdk fails to autobuild on mips, by
all means drop support for it!

For stretch we should limit openjdk support to archs officially
supported by upstream, even if it means killing lots of Java
reverse deps for fringe ports.

We haven't had openjdk built across all supported archs
for a long time. Look at the mess in proposed-updates:
https://release.debian.org/proposed-updates/stable.html

Cheers,
Moritz





Re: Bug#746946: wheezy-pu: package distro-info-data/0.23~deb7u1

2015-04-16 Thread Moritz Mühlenhoff
On Thu, Apr 16, 2015 at 04:02:23PM +0200, Raphael Hertzog wrote:
> Yes there are packages which are unsupported in Squeeze but very much
> like there are unsupported packages in Wheezy right now:

Also, all other distros with long support have some level of reduced
support over time, see for example the requirements for
fixes in RHEL in its later support stages, so having a few packages
not supported in squeeze-lts is fairly common.

We shouldn't label the LTS phase as second class.

Cheers,
Moritz





Bug#778332: RM: oss4/4.2-build2010-1.1

2015-03-09 Thread Moritz Mühlenhoff
On Wed, Mar 04, 2015 at 09:46:20AM +0100, Ivo De Decker wrote:
> Hi,
>
> On Fri, Feb 13, 2015 at 05:52:36PM +0100, Moritz Muehlenhoff wrote:
> > please remove oss4 from jessie. There's been no maintainer
> > followup since a month (plus no action back then when Ben
> > initially reported it to the maintainers privately).
>
> Removal hint added.

I tried to check why this hasn't been removed, but I don't
understand why. The simulated removal dak rm -s testing
run shows many dependencies on ALSA, e.g.

Checking reverse dependencies...
# Broken Depends:
a2jmidid: a2jmidid [amd64 armel armhf i386 mips mipsel powerpc s390x]
abx: abx [amd64 arm64 armel armhf i386 mips mipsel powerpc ppc64el s390x]
aconnectgui: aconnectgui [amd64 arm64 armel armhf i386 mips mipsel powerpc ppc64el s390x]
adplay: adplay [amd64 armel armhf i386 mips mipsel powerpc ppc64el s390x]
aegisub: aegisub [amd64 armhf i386 mips mipsel powerpc ppc64el s390x]
aeolus: aeolus [amd64 arm64 armel armhf i386 mips mipsel powerpc ppc64el s390x]
(..)

Cheers,
Moritz





Bug#775892: unblock (pre-approval): python-django/1.7.3-1

2015-01-26 Thread Moritz Mühlenhoff
On Fri, Jan 23, 2015 at 02:26:06PM +0100, Raphael Hertzog wrote:
> On Wed, 21 Jan 2015, Raphael Hertzog wrote:
> > Some notes:
> > - the final upload will include the bug closure of #775375
> > - there's a small tweak of a Suggests dependency, it was not intended for
> >   jessie but I don't see how it can hurt and did not bother to revert it
>
> I have uploaded 1.7.3-1~exp1 to experimental which is basically what I'd
> like to upload to unstable. It contains one more patch compared to the
> debdiff I sent to fix a build failure with Python 3.4
> (https://github.com/django/django/commit/b1bf8d64fbadcab860eb98662c49b8db33db0c3c).
>
> Cheers,
>
> PS: I know that Neil Williams uploaded an NMU to fix the security issues but I
> still want to include 1.7.3.

It would still be good to unblock the NMU first to get the security
fixes into jessie.

Cheers,
Moritz





Bug#774211: freeze exception for binutils 2.25-3

2015-01-26 Thread Moritz Mühlenhoff
On Tue, Dec 30, 2014 at 12:29:35PM +0100, Matthias Klose wrote:
> forgot to mention that there are no regression in the binutils testsuite on
> all release architectures, and that there are no regression in the gcc-4.8
> and gcc-4.9 testsuites on all release architectures.

Did someone from the release team have a chance to look into these?
If the version from sid isn't acceptable we'll need some time to
fix this through tpu (and binutils-mingw-w64 needs to be dealt with
as well)

Cheers,
Moritz





Bug#774299: wheezy-pu: openssl: disable SSLv3 by default

2015-01-18 Thread Moritz Mühlenhoff
On Wed, Dec 31, 2014 at 04:41:29PM +0100, Kurt Roeckx wrote:
> On Wed, Dec 31, 2014 at 02:00:23PM +, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> >
> > On Wed, 2014-12-31 at 13:52 +0100, Kurt Roeckx wrote:
> > > I would like to disable SSLv3 by default in wheezy.
> >
> > Do we know how well other packages in wheezy cope with that? (I'm going
> > to guess not as well as in jessie.)
>
> I have no reason to believe there is a difference between jessie
> and wheezy in how packages cope with SSLv3 being disabled.  Please
> note that this only affects the SSLv23_* methods and that it just
> sets SSL_OP_NO_SSLv3 by default now.  In jessie SSLv3 is just
> disabled, for wheezy I would change it to disabled by default
> with a way to turn it back on.
>
> What could break is that apache for instance will now disable
> SSLv3 by default even though the config file doesn't seem to
> indicate that it's disabled.  That could then result in it not
> working with some clients that do not support TLSv1 or newer.  But
> that is also already the case in jessie.
>
> One package that might be affected by this change is that python
> has a test suite that tries all possible combinations of settings
> and the test suite is probably going to fail because it's going to
> expect to be able to set up an SSLv3 connection.

I will rebuild python in wheezy to check that.

Cheers,
Moritz





Bug#770463: unblock: dhcpcd5/6.0.5-2

2014-12-03 Thread Moritz Mühlenhoff
On Fri, Nov 21, 2014 at 08:30:37PM +0100, Niels Thykier wrote:
> On 2014-11-21 14:56, Salvatore Bonaccorso wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> >
> > Hi Release Team,
> >
> > Please unblock package dhcpcd5, which fixed a denial-of-service
> > vulnerability (CVE-2014-6060). Relevant bug in the BTS is #770043.
> > Additionally to the patch I have updated the maintainer field to Debian QA
> > group as previous maintainer orphaned the package. Full changelog is as
> > follows:
> >
> > [...]
> >
> > unblock dhcpcd5/6.0.5-2
> >
> > Many thanks in advance!
> >
> > Regards,
> > Salvatore
> >
>
> Unblocked, thanks.

According to the PTS the transition to testing is blocked by missing kfreebsd-*
builds, but kfreebsd is no longer a release arch? Can you force-wrestle this?

Cheers,
Moritz





Re: binNMUs for dpkg-buildflags / -fstack-protector-strong

2014-11-19 Thread Moritz Mühlenhoff
On Sat, Nov 08, 2014 at 03:27:26PM +, Julien Cristau wrote:
> On Sat, Nov  8, 2014 at 10:29:17 +0100, Moritz Mühlenhoff wrote:
>
> > On Sun, Nov 02, 2014 at 11:53:44PM +0100, Moritz Muehlenhoff wrote:
> > > On Sun, Nov 02, 2014 at 06:19:51PM +0100, Julien Cristau wrote:
> > > > On Tue, Sep 23, 2014 at 22:36:43 +0200, Moritz Mühlenhoff wrote:
> > > >
> > > > Sorry I didn't get to these quickly.  Do you have an updated list and/or
> > > > package versions?  Otherwise I'll just go ahead with the original list.
> > >
> > > I can filter out packages which have been uploaded since then. I'll
> > > send you the updated list in a few days.
> >
> > Here's the updated - and compared to the last one - greatly reduced
> > list, also including three packages using hardening-[wrapper|includes]
> > not yet built after these also enabled -strong.
> >
> > A few packages are included which have been an upload to sid, but which
> > didn't make the cutoff for the freeze. I'm including these to ensure
> > that the version in testing is rebuilt, even if some of these later
> > uploads might still be unblocked later:
> >
> I've scheduled the ones for sid.  A mixed list with some jessie and some
> sid rebuilds is not something I can use, especially if the requested
> distribution is implicit.

Thanks, is something required to migrate these to jessie?

Cheers,
Moritz





Re: binNMUs for dpkg-buildflags / -fstack-protector-strong

2014-11-08 Thread Moritz Mühlenhoff
On Sun, Nov 02, 2014 at 11:53:44PM +0100, Moritz Muehlenhoff wrote:
> On Sun, Nov 02, 2014 at 06:19:51PM +0100, Julien Cristau wrote:
> > On Tue, Sep 23, 2014 at 22:36:43 +0200, Moritz Mühlenhoff wrote:
> >
> > Sorry I didn't get to these quickly.  Do you have an updated list and/or
> > package versions?  Otherwise I'll just go ahead with the original list.
>
> I can filter out packages which have been uploaded since then. I'll
> send you the updated list in a few days.

Here's the updated - and compared to the last one - greatly reduced 
list, also including three packages using hardening-[wrapper|includes] 
not yet built after these also enabled -strong.

A few packages are included which have been an upload to sid, but which 
didn't make the cutoff for the freeze. I'm including these to ensure 
that the version in testing is rebuilt, even if some of these later 
uploads might still be unblocked later:

Cheers,
Moritz

afuse
alsaplayer
antiword
aptitude
audiofile
avahi
barnowl
bip
bogofilter
bzip2
cabextract
chmlib
chrony
citadel
courier-authlib
cpio
cups-pk-helper
dash
debianutils
diffutils
dvipng
ecryptfs-utils
ekg
elinks
enscript
exiftags
expat
fetchmail
findutils
firebird2.5
flac
flex
fontforge
fuse
gdbm
gmime
heimdal
hplip
hylafax
icinga
id3lib3.8.3
imlib2
inotify-tools
iptables
iputils
ircd-ratbox
iscsitarget
kaffeine
ktorrent
kvirc
l2tpns
lcms2
libapache-mod-jk
libapache2-mod-auth-pgsql
libapache2-mod-authnz-external
libapache2-mod-fcgid
libcdaudio
libdmx
libdumb
libfs
libgtop2
libhtml-parser-perl
libmodplug
libnss-ldap
libpam-krb5
libpam-ldap
libpng
libproxy
libsmi
libsndfile
libtar
libtk-img
libwmf
libwpd
libxcb
libxcursor
libxfixes
libxfont
libxi
libxinerama
libxrandr
libxrender
libxres
libxslt
libxt
libxtst
libxv
libxvmc
libxxf86dga
libxxf86vm
libyaml-libyaml-perl
links2
linux-ftpd
logrotate
lurker
lynx-cur
mailman
mapserver
maradns
mimetex
mlmmj
nas
nbd
ndiswrapper
net-tools
newt
ntp
nut
openconnect
opensaml2
tiff
xmlsec1
mysql-5.5
znc
tar
raptor
ldns
opensc
pimd
pmount
pptpd
psi
pstotext
python-crypto
readline6
rssh
rsync
ruby-gnome2
sdl-image1.2
sed
shadow
snmptrapfmt
socat
spamass-milter
splitvt
super
tcpreen
telepathy-gabble
tinc
tinyproxy
traceroute
unalz
unzip
x11-xserver-utils
xfce4-terminal
xml-security-c
xz-utils
zoo


Archive: https://lists.debian.org/20141108092917.GA10690@pisco.westfalen.local



Re: Bug#767411: torque: should not be released with jessie

2014-11-01 Thread Moritz Mühlenhoff
On Sat, Nov 01, 2014 at 02:30:02PM -0400, Michael Gilbert wrote:
 On Sat, Nov 1, 2014 at 11:46 AM, Salvatore Bonaccorso wrote:
  Given Dominique's reply on #767411, from my POV I think the best
  solution would be to remove torque completely for jessie (i.e. first
  drop support from openmpi to be able to remove the package and
  remaining reverse dependencies).
 
 4 wheezy DSAs doesn't necessarily sound that horrible, so I don't
 think we're clearly at the point where torque should be considered
 unsupportable.  Maybe the patch backports were an incredible amount of
 work?

Well, but the 2.4 branch is already no longer unsupported upstream
and we shouldn't knowingly introduce it into a release which will be
supported for five more years.
 
 The package does clearly need to be orphaned, so someone can step up
 post-jessie to get the package in sync with upstream.

As written by Dominique that's not possible for license reasons.

Cheers,
Moritz


Archive: https://lists.debian.org/20141101195005.GA2660@pisco.westfalen.local



Re: Bug#763278: wheezy-pu: gcc-4.9/4.9.1-14~deb7u1

2014-10-03 Thread Moritz Mühlenhoff
Adam D. Barratt a...@adam-barratt.org.uk schrieb:
 On 2014-10-01 13:25, Moritz Mühlenhoff wrote:
 Adam D. Barratt a...@adam-barratt.org.uk schrieb:
 The alternative is to drop chromium security support for wheezy way 
 too soon.
 
 They're not the only alternatives. Granted, they may be the only ones
 which you're willing to support.
 
 What other alternatives do you have in mind?

 Well, someone could attempt to persuade upstream to delay the change, or 
 work on fixing things up to work with 4.7 where required.

 I didn't say they were great alternatives, simply that they exist.

Unfortunately they're not viable: Upstream wants to use C++11 features
and even if someone were to start on a Debian-specific patchset it
would only get bigger with every new Chromium release (and they make
new releases every few weeks).

Cheers,
Moritz


Archive: https://lists.debian.org/slrnm2qvkk.3ef@inutil.org



Re: Bug#763278: wheezy-pu: gcc-4.9/4.9.1-14~deb7u1

2014-10-02 Thread Moritz Mühlenhoff
Adam D. Barratt a...@adam-barratt.org.uk schrieb:
 The alternative is to drop chromium security support for wheezy way too soon.

 They're not the only alternatives. Granted, they may be the only ones
 which you're willing to support.

What other alternatives do you have in mind?

Cheers,
Moritz


Archive: https://lists.debian.org/slrnm2nskv.3qp@inutil.org



Re: Bug#763148: Prevent migration to jessie

2014-10-02 Thread Moritz Mühlenhoff
On Wed, Oct 01, 2014 at 04:32:24PM +0200, Andreas Cadhalpun wrote:
 However, I can understand why one embedded
 code copy is better than one embedded code copy plus a library in
 addition to it.
 
 This would be understandable, yes.
 
 There are now two options:
 a) Let FFmpeg migrate to testing and make chromium use it.
 b) Don't let FFmpeg migrate and let chromium continue to use the
embedded copy, in spite of the policy violation.
If this really would be preferred, then the FFmpeg libraries and
tools could be build from the chromium source package, because that
can't increase the security workload, as the source is already in
wheezy.

Chromium is actually a special case. It's a huge monster package which is
very difficult to integrate and maintain.
You seem to have missed that for Chromium we rebuild the current upstream
releases in stable. Since there are no guarantees for any kind of API stability
in the local ffmpeg copy that is obviously not a good idea.

Cheers,
Moritz


Archive: https://lists.debian.org/20141002164349.GA4870@pisco.westfalen.local



Re: Bug#763148: Prevent migration to jessie

2014-09-30 Thread Moritz Mühlenhoff
On Sun, Sep 28, 2014 at 11:27:03AM +0200, Andreas Cadhalpun wrote:
 So would you please explain why you see a problem?

It has all been written before, I'm not going to repeat
it all over again. We can pick libav _or_ ffmpeg for jessie+1.
EOD for me.

Chromium using a local copy of the lib doesn't matter in
practice since we need to spin updates for the browser
security bugs anyway.

Cheers,
Moritz


Archive: https://lists.debian.org/20140930204537.GA3785@pisco.westfalen.local



Re: FFmpeg in Jessie

2014-09-28 Thread Moritz Mühlenhoff
Alessio Treglia ales...@debian.org schrieb:
 On Fri, Sep 26, 2014 at 10:28 PM, Andreas Barth a...@ayous.org wrote:
 That sounds like we should drop libav and release with ffmpeg. Is this
 also the opinion of the libav maintainers? Or is there a strong reason
 why this is not possible?

 Although no consensus has been reached, some members of the team which
 maintains libav have expressed their opinions:

I've filed a blocker bug to prevent testing migration of ffmpeg.

We can sort this out at the beginning of the jessie+1 development
cycle.

Cheers,
Moritz


Archive: https://lists.debian.org/slrnm2fhja.36c@inutil.org



Re: [debian-mysql] MySQL in Jessie

2014-09-26 Thread Moritz Mühlenhoff
On Sat, Sep 20, 2014 at 04:04:11PM +0300, Otto Kekäläinen wrote:
 Hello!
 
 2014-09-17 22:57 GMT+03:00 Moritz Mühlenhoff j...@inutil.org:
  Has there been any progress? The freeze is coming closer.
 
 Both MySQL 5.6 and MariaDB 10.0 are still only in experimental. The
 5.5 versions are in testing and functional and well tested, so it
 looks like that those will go to Jessie.

Well, as said before in the thread you need to settle on either
mysql or mariadb. 

Cheers,
Moritz


Archive: https://lists.debian.org/20140926175410.GA3969@pisco.westfalen.local



Re: binNMUs for dpkg-buildflags / -fstack-protector-strong

2014-09-23 Thread Moritz Mühlenhoff
On Sat, Sep 20, 2014 at 02:18:34PM +0200, Julien Cristau wrote:
 On Sat, Sep 20, 2014 at 12:53:54 +0200, Moritz Muehlenhoff wrote:
 
  On Sat, Sep 20, 2014 at 10:45:00AM +0200, Julien Cristau wrote:
   On Wed, Sep 17, 2014 at 22:29:10 +0200, Moritz Muehlenhoff wrote:
   
Hi release team,
dpkg-buildflags was switched to the strong stack protector on
the 10th of August. Many security-sensitive packages have already
been uploaded to unstable since then and I'm tracking which are
missing.

For the remaining ones I'd like to request binNMUs. Is that
ok with you and when's the best time? Probably not too early before
the freeze since some maintainer uploads will follow anyway,
but also not too close to the freeze. Maybe mid-October?

   I think if you have a list now, that would be fine.  We can always give
   them low build priority to not monopolize the buildds.
  
  Ok, will send the latest list in a few days. Is a list of source
  packages enough or do you need the current version in unstable as well?
  
 A version would allow us to not do unnecessary rebuilds if there's been
 a new upload after you generated the list.  But if it's painful for you
 to generate, it's not actually mandatory.

ATM I only have a list of source packages, see below. I can whip up a script
to generate versions over the weekend, but since these packages haven't seen
an upload since August 10th, there's probably little overhead if one or two
would be built twice.

afuse
alsaplayer
antiword
apr-util
aptitude
aria2
arpwatch
audiofile
avahi
barnowl
bip
bogofilter
bsdmainutils
bzip2
cabextract
chmlib
chrony
citadel
clamav
collectd
courier
courier-authlib
cpio
cron
cups-pk-helper
cvs
cwidget
dash
debianutils
diffutils
dvipng
ecryptfs-utils
ekg
elinks
enscript
exiftags
expat
fbi
fetchmail
findutils
firebird2.5
flac
flex
fontforge
freeradius
fuse
gdbm
gmime
gnash
gnumeric
gzip
heimdal
hplip
httrack
hylafax
icinga
icu
id3lib3.8.3
ifupdown
imlib2
inetutils
inotify-tools
inspircd
iptables
iputils
ircd-ratbox
iscsitarget
jasper
kaffeine
ktorrent
kvirc
l2tpns
lcms2
libapache-mod-auth-kerb
libapache-mod-jk
libapache2-mod-auth-pgsql
libapache2-mod-authnz-external
libapache2-mod-fcgid
libapache2-mod-rpaf
libcdaudio
libcgroup
libdmx
libdumb
libextractor
libfishsound
libfs
libgd2
libgdata
libgsf
libgtop2
libhtml-parser-perl
libmodplug
libnss-ldap
libotr
libpam-krb5
libpam-ldap
libpipeline
libpng
libproxy
libsigc++-2.0
libsmi
libsndfile
libspf2
libtar
libtheora
libtk-img
libupnp
libupnp4
libusb
libvorbis
libwmf
libwpd
libxcb
libxcursor
libxext
libxfixes
libxfont
libxi
libxinerama
libxml2
libxrandr
libxrender
libxres
libxslt
libxt
libxtst
libxv
libxvmc
libxxf86dga
libxxf86vm
libyaml-libyaml-perl
links2
linux-ftpd
logrotate
lurker
lynx-cur
maildrop
mailman
mapserver
maradns
memcached
mimetex 
mlmmj
modsecurity-apache
mon
mono
mtr
nas
nbd
ncompress
ndiswrapper
net-tools
netrik
newt
notmuch
nss-pam-ldapd
ntp
nut
openarena
openconnect
openjpeg
opensaml2
opensc
openssh
pam-pgsql
pcsc-lite
pdns
pimd
pmount
postgresql-9.4
pound
ppp
pptpd
procps
proftpd-dfsg
psi
pstotext
pulseaudio
pymongo
python-crypto
quagga
radsecproxy
raptor
readline6
rssh
rsync
ruby-gnome2
samba
screen
sdl-image1.2
sed
shadow
slang2
slurm-llnl
snmptrapfmt
socat
spamass-milter
spamassassin
splitvt
stunnel4
super
sympa
systemtap
tar
tcpreen
telepathy-gabble
texinfo
tiff
tinc
tinyproxy
traceroute
unalz
unzip
util-linux
uw-imap
varnish
vino
vsftpd
wget
wireshark
wpa
x11-xserver-utils
xapian-omega
xfce4-terminal
xml-security-c
xmlsec1
xz-utils
zoo

Cheers,
Moritz


Archive: https://lists.debian.org/20140923203642.GA6088@pisco.westfalen.local



Re: [debian-mysql] MySQL in Jessie

2014-09-17 Thread Moritz Mühlenhoff
On Wed, Aug 27, 2014 at 12:55:15PM +0200, Bjoern Boschman wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 moin,
 
 to sum things up:
 
 * mariadb-5.5 within testing
 * mariadb-10.0 within experimental
 * mysql-5.5 within testing
 * mysql-5.6 within experimental
 * percona-xtradb-cluster-server-5.5 within sid
 
 - From my point of view we should not talk about
 percona-xtradb-cluster-server as a mysql replacement as it does not
 provide any libs nor -dev packages and will always be a very close
 relative to mysql.
 
 Although my opinion is to let Debian users decide which fork to use I
 can fully understand release/security team concerns.
 
 So which way to go?
 * stick with mysql and start transition - 5.6
 * replace mysql with mariadb and start transition - 10.0
 * create an ecosystem where several forks may live side by side
 
 pkg-mysql is unfortunately not one of the strongest teams in terms of
 manpower, but even though we tried to come up with a solution to
 fulfil anybody's wishes.
 
 
 As the transition timeframe is quite close we need a decision!
 This decision should be done by the release team agreed together with
 your colleagues at ubuntu/canonical as we should definitely *not* fork
 this decision!
 
 Maybe the tech-ctte could also be involved?

Has there been any progress? The freeze is coming closer.

Cheers,
Moritz

Archive: https://lists.debian.org/20140917195709.GA5801@pisco.westfalen.local



Bug#757342: wheezy-pu: package php5/5.4.31-0+deb7u1

2014-08-26 Thread Moritz Mühlenhoff
On Wed, Aug 20, 2014 at 12:07:03PM +0200, Ondřej Surý wrote:
 On Wed, Aug 20, 2014, at 11:53, Moritz Mühlenhoff wrote:
  On Thu, Aug 07, 2014 at 11:37:30AM +0200, Ondřej Surý wrote:
   Package: release.debian.org
   Severity: normal
   Tags: wheezy
   User: release.debian@packages.debian.org
   Usertags: pu
   
   -BEGIN PGP SIGNED MESSAGE-
   Hash: SHA256
   
   Dear release team,
   
   as discussed on #debian-release about possibility of having minor PHP5
   updates instead of hoarding various upstream patches, I am submitting
   a w-p-u bug to discuss that and to summarize my findings (and my
   positive attitude :).
  
  If you as the primary PHP maintainer consider upstream QA work on 
  minor point updates to be of sufficient quality, we can follow them
  for future security updates. That policy has served us very well for
  psql, e.g.
 
 Do I read that correctly as no need to go through s-p-u?

If there are security issues worth a DSA, the PHP point release can be released
through security.debian.org, otherwise they need to go through s-p-u. That's
the same way we handled Postgres or the kernel (which also is based on the 3.2.x
point releases).

Cheers,
Moritz


Archive: https://lists.debian.org/20140826115408.GF11078@pisco.westfalen.local



Bug#757342: wheezy-pu: package php5/5.4.31-0+deb7u1

2014-08-20 Thread Moritz Mühlenhoff
On Thu, Aug 07, 2014 at 11:37:30AM +0200, Ondřej Surý wrote:
 Package: release.debian.org
 Severity: normal
 Tags: wheezy
 User: release.debian@packages.debian.org
 Usertags: pu
 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256
 
 Dear release team,
 
 as discussed on #debian-release about possibility of having minor PHP5
 updates instead of hoarding various upstream patches, I am submitting
 a w-p-u bug to discuss that and to summarize my findings (and my
 positive attitude :).

If you as the primary PHP maintainer consider upstream QA work on 
minor point updates to be of sufficient quality, we can follow them
for future security updates. That policy has served us very well for
psql, e.g.

Cheers,
Moritz


Archive: https://lists.debian.org/20140820095335.GA2887@pisco.westfalen.local



Re: Bug#758492: RM: lcms/1.19.dfsg2-1.5

2014-08-19 Thread Moritz Mühlenhoff
Niels Thykier ni...@thykier.net schrieb:

This in fact requires a bit more time, see below:

 Checking reverse dependencies...
 # Broken Depends:
 devil: libdevil1c2

I've reopened the bug, a resolution is pending.

 foo2zjs: printer-driver-foo2zjs

This is #757384

 gimp: gimp

I've reopened the bug and bumped to RC severity.

 imagemagick: libmagickcore-dev

This will be fixed along with the imagemagick transition.

Cheers,
Moritz


Archive: https://lists.debian.org/slrnlv7e69.30o@inutil.org



Bug#751976: pu: package cmus/2.4.3-2+deb7u1

2014-06-18 Thread Moritz Mühlenhoff
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

Hi,
attached debdiff fixes a FTBFS of cmus in stable.

[Adding Alessio to CC]

Cheers,
Moritz

-- System Information:
Debian Release: 7.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru cmus-2.4.3/debian/changelog cmus-2.4.3/debian/changelog
--- cmus-2.4.3/debian/changelog	2012-06-02 20:08:09.0 +0200
+++ cmus-2.4.3/debian/changelog	2014-06-18 14:18:17.0 +0200
@@ -1,3 +1,10 @@
+cmus (2.4.3-2+deb7u1) wheezy; urgency=low
+
+  * Fix FTBFS related to the libmodplug upgrade in DSA 2751, patch as used in
+2.5.0-4 (Closes: #724181)
+
+ -- Moritz Mühlenhoff muehlenh...@univention.de  Wed, 18 Jun 2014 14:16:56 +0200
+
 cmus (2.4.3-2) unstable; urgency=low
 
   [ Ryan Kavanagh ]
diff -Nru cmus-2.4.3/debian/patches/fix-modplug-build.patch cmus-2.4.3/debian/patches/fix-modplug-build.patch
--- cmus-2.4.3/debian/patches/fix-modplug-build.patch	1970-01-01 01:00:00.0 +0100
+++ cmus-2.4.3/debian/patches/fix-modplug-build.patch	2014-06-18 14:16:49.0 +0200
@@ -0,0 +1,19 @@
+Description: Horrible fix for misdetection of modplug.
+Author: Alessio Treglia ales...@debian.org
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724181
+Forwarded: no
+---
+
+ Makefile |2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+--- cmus-2.4.3.orig/Makefile
 cmus-2.4.3/Makefile
+@@ -90,7 +90,7 @@ ip-$(CONFIG_FFMPEG)	+= ffmpeg.so
+ $(flac-objs):		CFLAGS += $(FLAC_CFLAGS)
+ $(mad-objs):		CFLAGS += $(MAD_CFLAGS)
+ $(mikmod-objs):		CFLAGS += $(MIKMOD_CFLAGS)
+-$(modplug-objs):	CFLAGS += $(MODPLUG_CFLAGS)
++$(modplug-objs):	CFLAGS += $(MODPLUG_CFLAGS) -I/usr/include/libmodplug
+ $(mpc-objs):		CFLAGS += $(MPC_CFLAGS)
+ $(vorbis-objs):		CFLAGS += $(VORBIS_CFLAGS)
+ $(wavpack-objs):	CFLAGS += $(WAVPACK_CFLAGS)
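Review bot: The `-I/usr/include/libmodplug` appended to the `$(modplug-objs)` rule hard-codes the header location in the Makefile instead of fixing whatever populates `MODPLUG_CFLAGS`, and the patch header only says "Horrible fix for misdetection of modplug" with `Forwarded: no`. Please state in the Description what exactly is misdetected after the libmodplug update from DSA 2751, so the workaround can be dropped once detection is fixed, and consider forwarding it upstream rather than carrying it as a Debian-only change.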
diff -Nru cmus-2.4.3/debian/patches/series cmus-2.4.3/debian/patches/series
--- cmus-2.4.3/debian/patches/series	1970-01-01 01:00:00.0 +0100
+++ cmus-2.4.3/debian/patches/series	2014-06-18 14:16:25.0 +0200
@@ -0,0 +1 @@
+fix-modplug-build.patch


Bug#751976: pu: package cmus/2.4.3-2+deb7u1

2014-06-18 Thread Moritz Mühlenhoff
 Hi all,
 
 I've just noticed the last message on #724181, and I am sorry about
 the late reply.
 
 On Wed, Jun 18, 2014 at 1:25 PM, Moritz Mühlenhoff
 
 muehlenh...@univention.de wrote:
  Hi,
  attached debdiff fixes a FTBFS of cmus in stable.
 
 Should I wait for the ACK from the release team then or just upload it
 to s-p-u straightaway?

I have created a tested update for wheezy, I could upload once the stable RMs 
have acked it.

But of course, if you handle it yourself, please go ahead!
 
Cheers,
Moritz
-- 
Moritz Mühlenhoff
Open Source Software Engineer

Univention GmbH
be open.
Mary-Somerville-Str.1
28359 Bremen
Tel. : +49 421 22232-0 [.]
Fax : +49 421 22232-99

muehlenh...@univention.de
http://www.univention.de

Geschäftsführer: Peter H. Ganten
HRB 20755 Amtsgericht Bremen
Steuer-Nr.: 71-597-02876 


Archive: https://lists.debian.org/201406181449.43213.muehlenh...@univention.de



Re: Updating tor (was: Upcoming stable point release (7.6))

2014-06-16 Thread Moritz Mühlenhoff
Peter Palfrader wea...@debian.org schrieb:
 Hi!

 On Wed, 11 Jun 2014, Adam D. Barratt wrote:

 The next point release for wheezy (7.6) is scheduled for Saturday,
 July 12th.  Stable NEW will be frozen during the preceding weekend.

 I propose to update Tor in stable to the version that is now in jessie.

One additional note: We already moved to a new upstream release in a
previous DSA (DSA-2363-1, from 0.2.1.31-1 to 0.2.2.35-1) and it worked
out well.

Cheers,
Moritz


Archive: https://lists.debian.org/slrnlpuoab.2kg@inutil.org



Bug#744850: pu: package gst-plugins-bad0.10/0.10.23-7.1+deb7u1

2014-04-16 Thread Moritz Mühlenhoff
 Control: tags -1 + confirmed
 
 On Tue, 2014-04-15 at 14:51 +0200, Moritz Mühlenhoff wrote:
  Attached debdiff fixes a FTBFS of gst-plugins-bad0.10 in stable (caused
  by the libmodplug update in DSA 2751)
 
 Please go ahead.

Uploaded.

Cheers,
Moritz
-- 
Moritz Mühlenhoff
Open Source Software Engineer

Univention GmbH
be open.
Mary-Somerville-Str.1
28359 Bremen
Tel. : +49 421 22232-0 [.]
Fax : +49 421 22232-99

muehlenh...@univention.de
http://www.univention.de

Geschäftsführer: Peter H. Ganten
HRB 20755 Amtsgericht Bremen
Steuer-Nr.: 71-597-02876 


Archive: https://lists.debian.org/201404160932.46979.muehlenh...@univention.de



Bug#744850: pu: package gst-plugins-bad0.10/0.10.23-7.1+deb7u1

2014-04-15 Thread Moritz Mühlenhoff
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

Hi,
(this update has been coordinated with Sebastian Dröge)

Attached debdiff fixes a FTBFS of gst-plugins-bad0.10 in stable (caused
by the libmodplug update in DSA 2751)

Cheers,
Moritz

-- System Information:
Debian Release: 7.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru gst-plugins-bad0.10-0.10.23/debian/changelog gst-plugins-bad0.10-0.10.23/debian/changelog
--- gst-plugins-bad0.10-0.10.23/debian/changelog	2012-12-31 20:43:40.0 +0100
+++ gst-plugins-bad0.10-0.10.23/debian/changelog	2014-04-07 15:58:11.0 +0200
@@ -1,3 +1,9 @@
+gst-plugins-bad0.10 (0.10.23-7.1+deb7u1) stable; urgency=low
+
+  * Fix FTBFS related to the libmodplug upgrade in DSA 2751 (Closes: #726871)
+
+ -- Moritz Mühlenhoff muehlenh...@univention.de  Mon, 07 Apr 2014 15:56:32 +0200
+
 gst-plugins-bad0.10 (0.10.23-7.1) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru gst-plugins-bad0.10-0.10.23/debian/patches/0032-fix-compat-with-updated-libmodplug.patch gst-plugins-bad0.10-0.10.23/debian/patches/0032-fix-compat-with-updated-libmodplug.patch
--- gst-plugins-bad0.10-0.10.23/debian/patches/0032-fix-compat-with-updated-libmodplug.patch	1970-01-01 01:00:00.0 +0100
+++ gst-plugins-bad0.10-0.10.23/debian/patches/0032-fix-compat-with-updated-libmodplug.patch	2014-04-07 15:56:28.0 +0200
@@ -0,0 +1,16 @@
+Description: Fix compatibility with current libmodplug
+ libmodplug was updated to a new upstream release in DSA 2751. This patch
+ fixes a FTBFS with that new version.
+Bug-Debian: http://bugs.debian.org/726871
+
+--- gst-plugins-bad0.10-0.10.23.orig/ext/modplug/gstmodplug.cc
 gst-plugins-bad0.10-0.10.23/ext/modplug/gstmodplug.cc
+@@ -50,7 +50,7 @@
+ #define WORDS_BIGENDIAN 0
+ #endif
+ 
+-#include stdafx.h
++#include libmodplug/stdafx.h
+ #include libmodplug/sndfile.h
+ 
+ #include gstmodplug.h
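Review bot: The header of 0032-fix-compat-with-updated-libmodplug.patch has a Description and Bug-Debian but no Author (or Origin) and no Forwarded field, so a reader cannot tell whether the switch of the include to `libmodplug/stdafx.h` in ext/modplug/gstmodplug.cc comes from upstream or is Debian-specific. Add those fields, and if a later upstream release already carries the change, reference it there.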
diff -Nru gst-plugins-bad0.10-0.10.23/debian/patches/series gst-plugins-bad0.10-0.10.23/debian/patches/series
--- gst-plugins-bad0.10-0.10.23/debian/patches/series	2012-12-31 20:43:40.0 +0100
+++ gst-plugins-bad0.10-0.10.23/debian/patches/series	2014-04-07 15:56:28.0 +0200
@@ -12,3 +12,4 @@
 0017-opusdec-read-gain-from-the-right-place-in-the-header.patch
 0020-opusenc-add-missing-mutex-unlock-on-error-path.patch
 0030-really-fix-h264-parsing.patch
+0032-fix-compat-with-updated-libmodplug.patch


Bug#742703: pu: package gorm.app/1.2.16-1+deb7u1

2014-04-14 Thread Moritz Mühlenhoff
 Control: tags -1 + confirmed
 
 On Wed, 2014-03-26 at 15:05 +0100, Moritz Mühlenhoff wrote:
  gorm.app FTBFSes in stable. The attached debdiff fixes the build using
  the same patch already used in the NMU for unstable.
 
 Please go ahead; thanks.

Uploaded.

Cheers,
Moritz
-- 
Moritz Mühlenhoff
Open Source Software Engineer

Univention GmbH
be open.
Mary-Somerville-Str.1
28359 Bremen
Tel. : +49 421 22232-0 [.]
Fax : +49 421 22232-99

muehlenh...@univention.de
http://www.univention.de

Geschäftsführer: Peter H. Ganten
HRB 20755 Amtsgericht Bremen
Steuer-Nr.: 71-597-02876 


Archive: https://lists.debian.org/201404141406.36080.muehlenh...@univention.de



Re: Bug#739069: wheezy-pu: package sage-extension/1.5.2-1~deb7u1

2014-04-14 Thread Moritz Mühlenhoff
Adam D. Barratt a...@adam-barratt.org.uk schrieb:
 Control: tags -1 + moreinfo

 Apologies for the delays in getting back to this.

 On Sat, 2014-02-15 at 17:53 +0100, Sébastien Villemot wrote:
 The version of sage-extension currently in wheezy does not work against
 iceweasel 24 (in stable-security), see #738678.
 
 The new upstream versions work fine with iceweasel 24, but there seems to be
 no easy way of backporting a simple fix to the wheezy package.
 [...]
 Note that the new version does not work with iceweasel 17, and this is
 reflected in package dependencies.

 As with firebug, the issue I have here is that due to FTBFS on a few
 architectures, stable is still likely to have iceweasel 17 after the
 next point release.

I've just written to debian-mips and debian-ia64 to ask for porter's help
in fixing these. 

 Thus we either have to assume that most users have already upgraded to
 24 from security and that the extension packages are most likely not
 used on the missing architectures (ia64 and mips*), 

If there's no reaction soon I recommend to follow this path.

Cheers,
Moritz




Archive: https://lists.debian.org/slrnlknu75.306@inutil.org



Bug#742793: RM: t1lib/5.1.2-4

2014-04-14 Thread Moritz Mühlenhoff
On Thu, Mar 27, 2014 at 10:05:09PM +0100, Mehdi Dogguy wrote:
 Le 2014-03-27 20:08, Niels Thykier a écrit :
 
 I noticed that the fix for gtkmathview is sadly incomplete (see
 #638761).  AFAICT lablgtkmathview does not have an (open) RC bug for
 this problem.  I have CC'ed the OCAML maintainers to make them aware of
 it - but I would like to see an RC bug against lablgtkmathview as well.
 
 
 Well, no. In fact, there is nothing to do in lablgtkmathview except
 rebuilding it once gtkmathview is fixed. So once 638761 is closed, we can
 launch a binNMU and it should be enough to make the dependency go away from
 binary packages of lablgtkmathview.

The fixed gtkmathview has now entered testing. Please schedule the binNMU,
after that t1lib should be ready to go:

jmm@coccia:~$ dak rm -nR -s testing t1lib

(..)

Checking reverse dependencies...
# Broken Depends:
lablgtkmathview: liblablgtkmathview-ocaml

Cheers,
Moritz


Archive: https://lists.debian.org/20140414154555.GC6419@pisco.westfalen.local



Re: Bug#739069: wheezy-pu: package sage-extension/1.5.2-1~deb7u1

2014-04-14 Thread Moritz Mühlenhoff
Moritz Mühlenhoff j...@inutil.org schrieb:
 Thus we either have to assume that most users have already upgraded to
 24 from security and that the extension packages are most likely not
 used on the missing architectures (ia64 and mips*), 

 If there's no reaction soon I recommend to follow this path.

"soon" as in "in time for Wheezy 7.5"

Cheers,
Moritz


Archive: https://lists.debian.org/slrnlko1p3.do4@inutil.org



Bug#742703: pu: package gorm.app/1.2.16-1+deb7u1

2014-03-26 Thread Moritz Mühlenhoff
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

Hi,
gorm.app FTBFSes in stable. The attached debdiff fixes the build using the same
patch already used in the NMU for unstable.

Cheers,
Moritz
diff -u gorm.app-1.2.16/debian/changelog gorm.app-1.2.16/debian/changelog
--- gorm.app-1.2.16/debian/changelog
+++ gorm.app-1.2.16/debian/changelog
@@ -1,3 +1,10 @@
+gorm.app (1.2.16-1+deb7u1) stable; urgency=low
+
+  * Fix FTBFS using the same patch already used in the 1.2.16-1.1 NMU by
+Gregor Herrmann (Closes: #707393)
+
+ -- Moritz Mühlenhoff muehlenh...@univention.de  Mon, 03 Feb 2014 12:06:03 +0100
+
 gorm.app (1.2.16-1) unstable; urgency=low
 
   * New upstream version. (Closes: #671393)
only in patch2:
unchanged:
--- gorm.app-1.2.16.orig/GormCore/GormPrivate.m
+++ gorm.app-1.2.16/GormCore/GormPrivate.m
@@ -79,12 +79,14 @@
 @end
 
 @implementation NSObject (GormPrivate)
+/*
 + (void) poseAsClass: (Class)aClassObject
 {
   // disable poseAs: while in Gorm.
   class_pose_as(self, aClassObject);
   NSLog(@WARNING: poseAs: called in Gorm.);
 }
+*/
 
 + (BOOL) canSubstituteForClass: (Class)origClass
 {
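Review bot: The `+ (void) poseAsClass:` override in the `NSObject (GormPrivate)` category is disabled by wrapping it in `/*` and `*/`, which leaves dead code in GormCore/GormPrivate.m with no explanation at the site. Either delete the method outright or add a short comment there naming the build failure (#707393) it works around. Since the existing comment reads "disable poseAs: while in Gorm", the changelog entry should also say whether dropping the override changes behaviour at runtime.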


Bug#741232: pu: package newsbeuter/2.5-2+deb7u1

2014-03-10 Thread Moritz Mühlenhoff
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

This update fixes a FTBFS in stable. This was already fixed in unstable, but
the fix didn't make it into Wheezy.

(The upload has been coordinated/agreed with the maintainer)

Debdiff attached.

Cheers,
Moritz
diff -Nru newsbeuter-2.5/debian/changelog newsbeuter-2.5/debian/changelog
--- newsbeuter-2.5/debian/changelog	2012-05-07 21:37:51.0 +0200
+++ newsbeuter-2.5/debian/changelog	2014-02-27 14:43:15.0 +0100
@@ -1,3 +1,9 @@
+newsbeuter (2.5-2+deb7u1) stable; urgency=low
+
+  * Fix FTBFS issue due to json's switch from boolean to json_bool (Closes: #689225)
+
+ -- Moritz Mühlenhoff muehlenh...@univention.de  Thu, 27 Feb 2014 14:42:50 +0100
+
 newsbeuter (2.5-2) unstable; urgency=low
 
   * Fix build errors with gcc-4.7 (Closes: #667296).
diff -Nru newsbeuter-2.5/debian/patches/fix_json_boolean_include.patch newsbeuter-2.5/debian/patches/fix_json_boolean_include.patch
--- newsbeuter-2.5/debian/patches/fix_json_boolean_include.patch	1970-01-01 01:00:00.0 +0100
+++ newsbeuter-2.5/debian/patches/fix_json_boolean_include.patch	2014-02-27 14:42:37.0 +0100
@@ -0,0 +1,29 @@
+Description: propagate boolean json type
+Apparently the libjson project decided to rename their boolean type to
+json_bool...
+Author: Nico Golde n...@debian.org
+Bug-Debian: http://bugs.debian.org/689225
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: vendor
+Bug: http://bugs.debian.org/689225
+Bug-Debian: http://bugs.debian.org/689225
+Forwarded: 
+
+Index: newsbeuter-2.5/src/ttrss_api.cpp
+===
+--- newsbeuter-2.5.orig/src/ttrss_api.cpp	2012-09-30 17:25:23.0 +0200
 newsbeuter-2.5/src/ttrss_api.cpp	2012-09-30 17:43:24.0 +0200
+@@ -220,7 +220,7 @@
+ 		const char * link = json_object_get_string(json_object_object_get(item_obj, link));
+ 		const char * content = json_object_get_string(json_object_object_get(item_obj, content));
+ 		time_t updated = (time_t)json_object_get_int(json_object_object_get(item_obj, updated));
+-		boolean unread = json_object_get_boolean(json_object_object_get(item_obj, unread));
++		json_bool unread = json_object_get_boolean(json_object_object_get(item_obj, unread));
+ 
+ 		rsspp::item item;
+ 
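Review bot: the DEP-3 header of the new fix_json_boolean_include.patch still carries the dpkg-source template text, from "The information above should follow the Patch Tagging Guidelines" down to the empty "Forwarded:" field. It also lists Bug-Debian twice and uses "Bug:" for a Debian BTS URL, although that field is meant for the upstream tracker. Drop the template block, keep a single Bug-Debian line, and set Forwarded to the upstream location of the fix or to "no". The file name says "include" while the only change is the type rename from boolean to json_bool in src/ttrss_api.cpp, so a name that matches the change would be easier to find later.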
diff -Nru newsbeuter-2.5/debian/patches/series newsbeuter-2.5/debian/patches/series
--- newsbeuter-2.5/debian/patches/series	2012-05-07 21:31:34.0 +0200
+++ newsbeuter-2.5/debian/patches/series	2014-02-27 14:42:37.0 +0100
@@ -1 +1,2 @@
 fix_gcc-4.7_ftbfs.patch
+fix_json_boolean_include.patch


Bug#739079: transition: libav10

2014-02-18 Thread Moritz Mühlenhoff
On Tue, Feb 18, 2014 at 08:16:05PM +0100, Sebastian Ramacher wrote:
> (Putting the bug back into the loop.)
>
> On 2014-02-16 21:47:25, Moritz Mühlenhoff wrote:
> > On Sun, Feb 16, 2014 at 03:44:01PM -0500, Reinhard Tartler wrote:
> > > On Sun, Feb 16, 2014 at 11:22 AM, Moritz Mühlenhoff j...@inutil.org wrote:
> > > > Reinhard Tartler siret...@tauware.de wrote:
> > > > > Package: release.debian.org
> > > > > Severity: normal
> > > > > User: release.debian@packages.debian.org
> > > > > Usertags: transition
> > > > >
> > > > > Hi,
> > > > >
> > > > > We have a new libav transition pending. Libav 10 is prepared in
> > > > > debian/experimental, and I've started to build packages against this new
> > > > > version; in fact, more and more packages require Libav 10 and the new
> > > > > APIs it provides.
> > > >
> > > > Is the alpha2 version in experimental final in terms of API deprecations?
> > >
> > > It should be. I intend to release and upload 10_beta1 to experimental
> > > by end of this weekend (tomorrow latest), and includes some additions
> > > that happened after alpha2 (i.e., there will be a shlibs, but no
> > > SONAME bump). Nevertheless, I think it should be safe.
> >
> > Ok. I'll run a test build against libav/exp and file bugs against all
> > packages which fail.
>
> Thank you Moritz for doing the test build. I've added usertags to the
> bugs you've already filed (user
> pkg-multimeida-maintain...@lists.alioth.debian.org, usertag libav10):
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=pkg-multimedia-maintain...@lists.alioth.debian.org;tag=libav10

I'm already doing the same, haven't announced it yet since the rebuild
isn't fully finished. Better use this one instead:
http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=libav10;users=j...@debian.org
 
Cheers,
Moritz


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20140218194828.GA22598@pisco.westfalen.local



Bug#739079: transition: libav10

2014-02-18 Thread Moritz Mühlenhoff
On Sat, Feb 15, 2014 at 08:57:47PM +0100, Julien Cristau wrote:
> On Sat, Feb 15, 2014 at 19:37:54 +0100, Sebastian Ramacher wrote:
>
> > Hi Reinhard
> >
> > On 2014-02-15 17:42:41, Reinhard Tartler wrote:
> > > Unfortunately, this new release does break a number of packages in the
> > > debian archive. At upstream, we are concerned about this and have
> > > conducted a survey about the fallout here:
> > > https://etherpad.mozilla.org/mnrZI5XlxP
> >
> > I'm not a member of the Release Team, but have bugs been filed in the
> > BTS for the reverse dependencies that fail to build against libav 10? I
> > think it was rather painful last time when plenty of the FTBFS bugs
> > caused by libav 9 got reported after the transition already started.
> >
> Agreed, I'm very much not looking forward to a repeat of that
> experience.

I made a rebuild and the transition isn't ready to go at all.

IMO the API changes are far too aggressive; if 2/3 of all packages in
the archive FTBFS, the affected APIs are clearly not that deprecated.

I can understand the removal of ill-designed functions if it helps
to streamline/robustify the code, but e.g. the removal of CODEC_ID* 
causes lots of churn for no measurable benefit.


Anyway, here's the results of the test build:

The packages compile fine if built against libav10/exp:
amarok
aqualung
aubio
cantata
chromaprint
ffmpegthumbnailer
ffmpegthumbs
ffms2
gimp-gap
gmic
goldendict
hedgewars
kdenlive
kid3
kradio4
libextractor
mediatomb
mlt
moc
mpd
mpv
nepomuk-core
sox
spek
squeezelite
vlc
volview
x264


Fixed in experimental:
handbrake


These packages fail to build from source if built against
libav10/exp. Bugs have been filed with the following usertag:
http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=libav10;users=j...@debian.org

acoustid-fingerprinter (739208)
alsa-plugins (739209)
amide (739211)
audacious-plugins (739212)
avbin (739191)
avifile (739213)
bino (739214)
blender (739238)
cmus (739301)
dff (739240)
dvbcut (739220)
ffdiaporama (739221)
ffmpeg2theora (739237)
forked-daapd (739239)
freerdp (739242)
fuse-emulator-utils (739243)
gmerlin-avdecoder (739302)
gmerlin-encoders (739425)
gnash (739303)
gpac (739321)
gst-libav1.0 (739322)
guvcview (739323)
harvid (739304)
idjc (739320)
jitsi (739432)
jugglemaster (739244)
k3b (739312)
kino (739426)
libphash (739336)
libquicktime (739325)
lightspark (739328)
linphone (739314)
lives (739327)
lynkeos.app (739316)
mplayer2 (739337)
opal (739439)
opencv (739440)
openscenegraph (739460)
paraview (739434)
performous (739433)
qmmp (739378)
qutecom (739427)
shotdetect (739376)
silan (739326)
strigi (739442)
survex (739332)
transcode (739428)
tupi (739429)
vice (739315)
vtk (739462)
vtk6 (739456)
vxl (739457)
wxsvg (739454)
xbmc (739441)
xine-lib (739453)
xine-lib-1.2 (739458)
xjadeo (739431)
xmms2 (739455)
xpra (739459)
yorick-av (739377)
zoneminder (739461)



Blocked by other FTBFSes, didn't check further whether compatible with libav10
minidlna
dvswitch
libomxil-bellagio
libvalhalla
visp
renpy


Already broken since libav9 (all packages dropped from jessie anyway)
ffmpeg-php
gstreamer0.10-ffmpeg / miro
libavg
motion
taoframework

Cheers,
Moritz


Archive: http://lists.debian.org/20140218214844.GA5592@pisco.westfalen.local



Re: Bug#739079: transition: libav10

2014-02-16 Thread Moritz Mühlenhoff
Reinhard Tartler siret...@tauware.de wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
>
> Hi,
>
> We have a new libav transition pending. Libav 10 is prepared in
> debian/experimental, and I've started to build packages against this new
> version; in fact, more and more packages require Libav 10 and the new
> APIs it provides.

Is the alpha2 version in experimental final in terms of API deprecations?

Cheers,
Moritz


Archive: http://lists.debian.org/slrnlg1pf0.3fo@inutil.org



Re: Bug#739079: transition: libav10

2014-02-16 Thread Moritz Mühlenhoff
On Sun, Feb 16, 2014 at 03:44:01PM -0500, Reinhard Tartler wrote:
> On Sun, Feb 16, 2014 at 11:22 AM, Moritz Mühlenhoff j...@inutil.org wrote:
> > Reinhard Tartler siret...@tauware.de wrote:
> > > Package: release.debian.org
> > > Severity: normal
> > > User: release.debian@packages.debian.org
> > > Usertags: transition
> > >
> > > Hi,
> > >
> > > We have a new libav transition pending. Libav 10 is prepared in
> > > debian/experimental, and I've started to build packages against this new
> > > version; in fact, more and more packages require Libav 10 and the new
> > > APIs it provides.
> >
> > Is the alpha2 version in experimental final in terms of API deprecations?
>
> It should be. I intend to release and upload 10_beta1 to experimental
> by end of this weekend (tomorrow latest), and includes some additions
> that happened after alpha2 (i.e., there will be a shlibs, but no
> SONAME bump). Nevertheless, I think it should be safe.

Ok. I'll run a test build against libav/exp and file bugs against all packages
which fail.

Cheers,
Moritz


Archive: http://lists.debian.org/20140216204725.GA5845@pisco.westfalen.local



Bug#731735: pu: package glance/2012.1.1-5+deb7u1

2013-12-09 Thread Moritz Mühlenhoff

> I have prepared an update for Glance over here:
> http://archive.gplhost.com/pub/security/glance/

The security tracker lists this issue as potentially open in
Wheezy: https://security-tracker.debian.org/tracker/CVE-2013-4354 

Does this affect stable and is there a fix which can be included
along?

Cheers,
Moritz


Archive: http://lists.debian.org/20131209171242.GA4385@pisco.westfalen.local



Bug#719632: Prepared a new Wheezy update for Nova

2013-12-09 Thread Moritz Mühlenhoff
> Here's the new changelog, with the remarks of J.Cristau taken into account:
>
> [ Thomas Goirand ]
> * CVE-2013-4261: [OSSA 2013-026] Fix problem with long messages in Qpid.
> * CVE-2013-2096: [OSSA 2013-012] Check QCOW2 image size during root disk
>   creation (Closes: #710157).

The security tracker lists more issues potentially affecting stable:

CVE-2013-0326
CVE-2013-2255 Inconsistent and non-validating HTTPS client
CVE-2013-4179 The security group extension in OpenStack Compute (Nova) Grizzly ...
CVE-2013-4185 Algorithmic complexity vulnerability in OpenStack Compute (Nova) ...
CVE-2013-4463 Compressed disk image DoS
CVE-2013-4469 OpenStack Compute (Nova) Folsom, Grizzly, and Havana, when ...
CVE-2013-4497 The XenAPI backend in OpenStack Compute (Nova) Folsom, Grizzly, and ...

Do these affect stable and can they be fixed along?

Cheers,
Moritz


Archive: http://lists.debian.org/20131209171248.GB4385@pisco.westfalen.local



Bug#717852: pu: package devscripts/2.12.6+deb7u1

2013-10-04 Thread Moritz Mühlenhoff
On Thu, Oct 03, 2013 at 07:05:46PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Fri, 2013-07-26 at 16:59 +0200, Moritz Muehlenhoff wrote:
> > On Thu, Jul 25, 2013 at 05:18:02PM +0100, Adam D. Barratt wrote:
   diff -Nru devscripts-2.12.6/scripts/build-rdeps.pl
   [...]
   -my $release_pattern = '(.*_dists_(sid|unstable))_(?:In)*Release$';
   +my $release_pattern = '(.*_dists_(wheezy|stable))_(?:In)*Release$';
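Review bot: the `(?:In)*` group that both the old and the new $release_pattern line carry accepts any number of "In" repetitions before "Release", so a name such as "..._InInRelease" also matches; `(?:In)?` states the intent of matching either Release or InRelease. Hardcoding `(wheezy|stable)` in place of `(sid|unstable)` also means the pattern has to be patched again for every release, so a short comment next to the assignment saying why the suite names are fixed would help whoever prepares the next stable update.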
  
> > > Hmmm, what are the chances that users on stable might want to derive the
> > > information for unstable in any case?
> >
> > Fairly negligible, but
> >
> > | my $release_pattern = '(.*_dists_(sid|unstable|wheezy|stable))_(?:In)*Release$';
> >
> > makes a Wheezy system with a deb-sec for unstable work as well. I upload that
> > as well.
>
> Apologies for the delay in getting back to you.
>
> Looking closer I realised that build-rdeps has a --distribution option,
> so feel free to go ahead with the original patch.

Thanks, just uploaded.

Cheers,
Moritz


Archive: http://lists.debian.org/20131004190641.GA5502@pisco.westfalen.local



Re: Call for Jessie Release Goals

2013-09-25 Thread Moritz Mühlenhoff
Jonathan Wiltshire j...@debian.org wrote:
> Goals which were accepted for the Wheezy cycle, but did not reach
> completion, can be carried over for Jessie. However, we require
> re-submission of those goals (and any that have been discussed up until now
> - we are starting with a clean slate) to ensure that they are still
> realistic and have active developers working on them. We will in principle
> accept carried-over goals which still meet the basic criteria.

That applies for the hardening release goal. There's been quite some
progress and things have started to roll on their own, but there's
quite some work to do.

So please re-add it for jessie. 

Cheers,
Moritz


Archive: http://lists.debian.org/slrnl465pr.48g@inutil.org



Re: Call for Jessie Release Goals

2013-09-25 Thread Moritz Mühlenhoff
On Wed, Sep 25, 2013 at 07:06:37PM +0200, Niels Thykier wrote:
> On 2013-09-25 19:02, Moritz Mühlenhoff wrote:
> > Jonathan Wiltshire j...@debian.org wrote:
> > > Goals which were accepted for the Wheezy cycle, but did not reach
> > > completion, can be carried over for Jessie. However, we require
> > > re-submission of those goals (and any that have been discussed up until now
> > > - we are starting with a clean slate) to ensure that they are still
> > > realistic and have active developers working on them. We will in principle
> > > accept carried-over goals which still meet the basic criteria.
> >
> > That applies for the hardening release goal. There's been quite some
> > progress and things have started to roll on their own, but there's
> > quite some work to do.
> >
> > So please re-add it for jessie.
> >
> > Cheers,
> > Moritz
>
> Is the goal page[1] up to date etc.?  The wiki suggests it has not been
> updated in the past year.  Are all the advocates from Wheezy still
> behind it (I took the liberty of CC'ing all of you).

Most of the tracking happened inside SVN, AFAICS nothing needs to be updated ATM.

Cheers,
Moritz


Archive: http://lists.debian.org/20130925191543.GA6247@pisco.westfalen.local



Re: Roll call for porters of architectures in sid and testing (Status update)

2013-09-22 Thread Moritz Mühlenhoff
John David Anglin dave.ang...@bell.net wrote:
> On 21-Sep-13, at 7:23 PM, Ben Hutchings wrote:
>
> > > I'll continue testing/software development activity on ia64 for the
> > > Jessie cycle, and more generally, until Debian drops ia64. I'm already
> > > waiting for Wayland on ia64 and other big updates.
> > >
> > > So please, keep ia64 in the bandwagon ;-)
> >
> > But I don't think ia64 is well-supported even in wheezy.  The kernel
> > doesn't boot on some common machines and no-one seems to be able to fix
> > it.
>
> I don't believe this for a minute.  This is about Debian and its
> ability to attract capable porters.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=595502
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=671034

Cheers,
Moritz


Archive: http://lists.debian.org/slrnl3ttuu.4ck@inutil.org



Bug#706798: transition: Libav 9

2013-09-11 Thread Moritz Mühlenhoff
On Fri, Sep 06, 2013 at 05:06:03PM +0200, Moritz Mühlenhoff wrote:

Hi,
two more testing removals related to the libav9 transition:

- libavg 1.7.1-3 fails to build for unrelated boost reasons. Popcon is
  virtually non-existent.

- imageshack-uploader 2.2+hg20100408.d802dea89428-5.1 patch is available for
  libav9, but FTBFS for weird qmake reasons. Popcon is marginal.

Cheers,
Moritz


Archive: http://lists.debian.org/20130911160248.GA7773@pisco.westfalen.local


