Bug#1040623: bookworm-pu: package bup/0.33.2-1+deb12u1
Adam D. Barratt wrote: > On Sat, 2023-07-08 at 02:24 -0400, Robert Edmonds wrote: > > I'd like to update the version of bup in bookworm from 0.33-2 to > > 0.33.2-1+deb12u1, which incorporates two upstream bugfix releases for > > a bug deemed important enough by upstream to issue point releases. > > > > The version number for p-u needs to be lower than unstable. This looks > like a backport of 0.33.2-1 from unstable, so the convention would be > 0.33.2-1~deb12u1. > > Feel free to re-upload with the corrected version number; there's no > need to wait for the original upload to be rejected. Uploaded with the corrected version number. Interdebdiff from the rejected version below. Thanks! diff -u bup-0.33.2/debian/changelog bup-0.33.2/debian/changelog --- bup-0.33.2/debian/changelog 2023-07-08 01:17:38.0 -0400 +++ bup-0.33.2/debian/changelog 2023-07-08 16:11:59.0 -0400 @@ -1,9 +1,9 @@ -bup (0.33.2-1+deb12u1) bookworm; urgency=medium +bup (0.33.2-1~deb12u1) bookworm; urgency=medium * Upstream version 0.33.2, with a fix for a problem that can cause POSIX.1e ACLs to be restored incorrectly. - -- Robert Edmonds Sat, 08 Jul 2023 01:17:38 -0400 + -- Robert Edmonds Sat, 08 Jul 2023 16:11:59 -0400 bup (0.33.2-1) unstable; urgency=medium diff -u bup-0.33.2/debian/patches/debian-changes bup-0.33.2/debian/patches/debian-changes --- bup-0.33.2/debian/patches/debian-changes2023-07-08 01:17:38.0 -0400 +++ bup-0.33.2/debian/patches/debian-changes2023-07-08 16:11:59.0 -0400 @@ -30,4 +30,4 @@ -date='2023-07-01 15:08:43 -0500' -+commit='61307904e4133b55acf7c2794da47fafecedf5af' -+date='2023-07-08 01:27:47 -0400' ++commit='db4734ba24249fee8060a186e03e6173ce2e5d55' ++date='2023-07-08 16:12:37 -0400' modified=False -- Robert Edmonds edmo...@debian.org
Bug#1040623: bookworm-pu: package bup/0.33.2-1+deb12u1
3 - Changes in 0.33 as compared to 0.32 - Changes in 0.32 as compared to 0.31 - Changes in 0.31 as compared to 0.30.1 @@ -103,9 +105,9 @@ Test status === -| master | +| main | || -| [![master branch test status](https://api.cirrus-ci.com/github/bup/bup.svg?branch=master)](https://cirrus-ci.com/github/bup/bup) | +| [![main branch test status](https://api.cirrus-ci.com/github/bup/bup.svg?branch=main)](https://cirrus-ci.com/github/bup/bup) | Getting started === @@ -119,12 +121,12 @@ git clone https://github.com/bup/bup ``` - - This will leave you on the master branch, which is perfect if you + - This will leave you on the main branch, which is perfect if you would like to help with development, but if you'd just like to use bup, please check out the latest stable release like this: ```sh -git checkout 0.33 +git checkout 0.33.2 ``` You can see the latest stable release here: diff -Nru bup-0.33/config/configure bup-0.33.2/config/configure --- bup-0.33/config/configure 2022-10-16 17:18:38.0 -0400 +++ bup-0.33.2/config/configure 2023-07-01 16:08:43.0 -0400 @@ -86,6 +86,12 @@ bup-add-cflag-if-supported -Wno-unused-command-line-argument +# Since ./configure changes pwd, fix MAKE if it's relative +case "$MAKE" in +/*) ;; +*/*) MAKE="../../$MAKE";; +esac + for make_candidate in make gmake; do found_make="$(bup_find_prog "$make_candidate" "$MAKE")" if test "$found_make" \ @@ -119,7 +125,7 @@ "$BUP_PYTHON_CONFIG") fi else -for py_min_ver in 10 9 8 7 6; do +for py_min_ver in 11 10 9 8 7; do bup_python_config="$(bup_find_prog "python3.$py_min_ver-config" '')" test -z "$bup_python_config" || break done diff -Nru bup-0.33/debian/changelog bup-0.33.2/debian/changelog --- bup-0.33/debian/changelog 2022-12-26 22:27:53.0 -0500 +++ bup-0.33.2/debian/changelog 2023-07-08 01:17:38.0 -0400 @@ -1,3 +1,50 @@ +bup (0.33.2-1+deb12u1) bookworm; urgency=medium + + * Upstream version 0.33.2, with a fix for a problem that can cause POSIX.1e +ACLs to be restored incorrectly. + + -- Robert Edmonds Sat, 08 Jul 2023 01:17:38 -0400 + +bup (0.33.2-1) unstable; urgency=medium + + [ Rob Browning ] + * 0.33.2 +- Update base_version for 0.33.2 development +- correct_posix1e_v1_delimiters: provide path for error messages + (Closes: #1039089) +- Update docs for 0.33.2 release +- Update base_version for 0.33.2 release + + [ Robert Edmonds ] + * New upstream version 0.33.2 + * debian/docs: Include upstream release note '0.33.2-from-0.33.1.md' + + -- Robert Edmonds Sat, 01 Jul 2023 18:51:02 -0400 + +bup (0.33.1-1) unstable; urgency=medium + + [ Rob Browning ] + * 0.33.1 +- conftest.py: switch to Path to support pytest 7+ +- conftest.py: restore support for pytest < 7 +- configure: handle relative MAKE paths +- test_get: remove vestigial debug messages +- configure: allow and prefer python3.11-config; ignore 3.6 +- buptest init: get quote from shlex not pipes +- test-comparative-split-join: accommodate varying HEAD names +- cirrus: move to freebsd 12.4 to fix rsync-related test failures +- compare-trees: add --features and disallow args with it and -h +- Restore posix1e default acls as default, not access; improve tests +- Fix ACL metadata format; delimit short form entries with commas +- Update docs for 0.33.1 release +- Update base_version for 0.33.1 release + + [ Robert Edmonds ] + * New upstream version 0.33.1 (Closes: #1038609) + * debian/docs: Include upstream release note '0.33.1-from-0.33.md' + + -- Robert Edmonds Sun, 18 Jun 2023 19:57:44 -0400 + bup (0.33-2) unstable; urgency=medium * Upload to unstable. diff -Nru bup-0.33/debian/docs bup-0.33.2/debian/docs --- bup-0.33/debian/docs2022-12-26 22:27:53.0 -0500 +++ bup-0.33.2/debian/docs 2023-07-08 01:17:38.0 -0400 @@ -1,2 +1,4 @@ README README.md +note/0.33.1-from-0.33.md +note/0.33.2-from-0.33.1.md diff -Nru bup-0.33/debian/patches/debian-changes bup-0.33.2/debian/patches/debian-changes --- bup-0.33/debian/patches/debian-changes 2022-12-26 22:27:53.0 -0500 +++ bup-0.33.2/debian/patches/debian-changes2023-07-08 01:17:38.0 -0400 @@ -3,8 +3,8 @@ in some VCS, and exported as a single patch instead of more manageable atomic patches. bup-0.33.orig/GNUmakefile -+++ bup-0.33/GNUmakefile +--- bup-0.33.2.orig/GNUmakefile bup-0.33.2/GNUmakefile @@ -61,7 +61,7 @@ else test_tmp := $(CURDIR)/test/tmp endif @@ -23,11 +23,11 @@ $(current_sampledata) $(current_sampledata): bup-0.33.orig/lib/bup/source_info.py -+++ bup-0.33/lib/bup/source_info.py +--- bup-0.33.2.orig/lib/bup/source_inf
Bug#985380: unblock: dnsviz/0.9.3-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: ca...@deccio.net Hi, I'd like to unblock the dnsviz package. The 0.9.3 upstream release specifically targets the release of bullseye. Per the upstream author (X-Debbugs-Cc'd): "FYI, it looks like I'm going to need to push one more fix, as version 0.9.3. There was some backwards incompatibility introduced in dnspython 2.0 that I didn't find until after 0.9.2. Since dnspython 2.0 is what is in bullseye, it will be important to have that fix." Further details are available at: * https://github.com/dnsviz/dnsviz/issues/74 * https://github.com/dnsviz/dnsviz/commit/37864bba6a90aaa634a9f867c32ed553b2780b9c The debdiff is attached. It is very similar to the diff between the upstream tags v0.9.2 and v0.9.3: * https://github.com/dnsviz/dnsviz/compare/v0.9.2...v0.9.3 The bullseye freeze policy advises that, "In most cases, it's not appropriate to upload a new upstream release at this point. New upstream release usually contain unrelated changes, which might be inappropriate or make review much more difficult. Uploading a new upstream release is only appropriate when the resulting debdiff doesn't contain changes that wouldn't be in the debdiff of a targeted change." In this case, the entirety of the changes in the new upstream release contain the targeted fix (other than trivial changes due to the upstream version number bump). Thanks. unblock dnsviz/0.9.3-1 -- Robert Edmonds edmo...@debian.org diff -Nru dnsviz-0.9.2/PKG-INFO dnsviz-0.9.3/PKG-INFO --- dnsviz-0.9.2/PKG-INFO 2021-02-05 23:49:51.0 -0500 +++ dnsviz-0.9.3/PKG-INFO 2021-03-11 18:03:26.0 -0500 @@ -1,6 +1,6 @@ Metadata-Version: 1.1 Name: dnsviz -Version: 0.9.2 +Version: 0.9.3 Summary: DNS analysis and visualization tool suite Home-page: https://github.com/dnsviz/dnsviz/ Author: Casey Deccio diff -Nru dnsviz-0.9.2/contrib/dnsviz.spec dnsviz-0.9.3/contrib/dnsviz.spec --- dnsviz-0.9.2/contrib/dnsviz.spec 2021-02-05 23:49:19.0 -0500 +++ dnsviz-0.9.3/contrib/dnsviz.spec 2021-03-11 18:03:07.0 -0500 @@ -1,5 +1,5 @@ Name: dnsviz -Version:0.9.2 +Version:0.9.3 Release:1%{?dist} Summary:Tools for analyzing and visualizing DNS and DNSSEC behavior @@ -58,6 +58,8 @@ %{_mandir}/man1/%{name}-query.1* %changelog +* Thu Mar 11 2021 Casey Deccio + 0.9.3 release * Fri Feb 5 2021 Casey Deccio 0.9.2 release * Tue Jan 19 2021 Casey Deccio diff -Nru dnsviz-0.9.2/debian/changelog dnsviz-0.9.3/debian/changelog --- dnsviz-0.9.2/debian/changelog 2021-02-06 17:55:58.0 -0500 +++ dnsviz-0.9.3/debian/changelog 2021-03-16 16:46:46.0 -0400 @@ -1,3 +1,10 @@ +dnsviz (0.9.3-1) unstable; urgency=medium + + * New upstream version 0.9.3 +- Targeted upstream fix for dnspython 2.0.0 + + -- Robert Edmonds Tue, 16 Mar 2021 16:46:46 -0400 + dnsviz (0.9.2-1) unstable; urgency=medium * New upstream version 0.9.2 diff -Nru dnsviz-0.9.2/debian/patches/debian-changes dnsviz-0.9.3/debian/patches/debian-changes --- dnsviz-0.9.2/debian/patches/debian-changes 2021-02-06 17:55:58.0 -0500 +++ dnsviz-0.9.3/debian/patches/debian-changes 2021-03-16 16:46:46.0 -0400 @@ -8,72 +8,72 @@ For full commit history and separated commits, see the packaging Git repository. dnsviz-0.9.2.orig/bin/dnsviz -+++ dnsviz-0.9.2/bin/dnsviz +--- dnsviz-0.9.3.orig/bin/dnsviz dnsviz-0.9.3/bin/dnsviz @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # # This file is a part of DNSViz, a tool suite for DNS/DNSSEC monitoring, # analysis, and visualization. dnsviz-0.9.2.orig/contrib/digviz -+++ dnsviz-0.9.2/contrib/digviz +--- dnsviz-0.9.3.orig/contrib/digviz dnsviz-0.9.3/contrib/digviz @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # # This file is a part of DNSViz, a tool suite for DNS/DNSSEC monitoring, # analysis, and visualization. dnsviz-0.9.2.orig/contrib/dnsviz-lg.cgi -+++ dnsviz-0.9.2/contrib/dnsviz-lg.cgi +--- dnsviz-0.9.3.orig/contrib/dnsviz-lg.cgi dnsviz-0.9.3/contrib/dnsviz-lg.cgi @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # # This file is a part of DNSViz, a tool suite for DNS/DNSSEC monitoring, # analysis, and visualization. dnsviz-0.9.2.orig/dnsviz/commands/graph.py -+++ dnsviz-0.9.2/dnsviz/commands/graph.py +--- dnsviz-0.9.3.orig/dnsviz/commands/graph.py dnsviz-0.9.3/dnsviz/commands/graph.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # # This file is a part of DNSViz, a tool suite for DNS/DNSSEC monitoring, # analysis, and visualization. dnsviz-0.9.2.orig/dnsviz/commands/grok.py -+++ dnsviz-0.9.2/dnsviz/commands/grok.py +--- dnsviz-0.9.3.orig/dnsviz/commands/grok.py dnsviz-0.9.3/dnsviz/commands/grok.py @@ -1,4 +1,4 @@ -#
Bug#891801: stretch-pu: package unbound/1.6.0-3+deb9u2
Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On 2018-07-14 07:46, Salvatore Bonaccorso wrote: > > Control: tags -1 - moreinfo > > > > On Fri, Mar 02, 2018 at 05:49:52PM +, Adam D. Barratt wrote: > > > Control: tags -1 + moreinfo > > > > > > On Wed, 2018-02-28 at 17:47 -0500, Robert Edmonds wrote: > > > > I would like to fix a DNSSEC validation bug (CVE-2017-15105) in the > > > > unbound package shipped in stretch. After discussion with the > > > > security > > > > team, this bug was deemed minor enough that the fix could be shipped > > > > in > > > > a point release: > > > > > > > > https://security-tracker.debian.org/tracker/CVE-2017-15105 > > > > > > > > > > According to the above Security Tracker entry, this issue has not yet > > > been fixed in unstable. Assuming that's correct, I'm afraid that's a > > > blocker for looking at an update in stable. > > > > This happened later on with the 1.7.1-1 upload. > > Thanks, Salvatore. Robert, please feel free to upload. > > Regards, > > Adam Uploaded. Thanks! -- Robert Edmonds edmo...@debian.org
Bug#901015: transition: protobuf
Hi, I've released a new upstream version of protobuf-c that fixes the FTBFS issue with protobuf 3.6, which fixes #900621. I will upload it to unstable shortly. László Böszörményi (GCS) wrote: > On Thu, Jul 12, 2018 at 10:14 AM Pirate Praveen > wrote: > > On Fri, 6 Jul 2018 10:55:03 +0200 > > =?UTF-8?B?TMOhc3psw7MgQsO2c3rDtnJtw6lueWkgKEdDUyk=?= > > wrote: > > > The most problematic point is the protobuf-c dependency package. It > > > was developed (and packaged) by one of us (an other DD), Robert S. > > > Edmonds. It is the most complete C language implementation of Protocol > > > Buffers. While it has a newer upstream release in Git than the > > > packaged version, it's still not compatible with protobuf 3.6.0.1 > > > which is in experimental. > [...] > > What do you think about providing protobuf3.0 in parallel to updating > > protobuf to 3.6? That way we can move ahead with gitlab and provide more > > time for either updating protobuf-c or porting packages to protobluff. > > We can drop protobuf3.0 when protobuf-c issue is resolved. > Actually I would like to investigate every possibility. > 1) Check the list of protobuf-c main contributors[1] if any of them > can / want to continue its development. > 2) Try to update protobuf-c for version 3.6 of protobuf, but I can't > be its upstream developer on the long run. > 3) Patch protobuf-c to use the implementation of scoped_array in Boost. > 4) At least check the required porting needs of dependencies to > protobluff. Ask their maintainers if they want / can do the porting. > Maybe they know other alternatives. > > If these fail and RMs ACK to carry two versions of protobuf then of > course, do it. Emilio? > How quick do you need to solve this GitLab update? I guess, quick. -- Robert Edmonds edmo...@debian.org
Bug#891801: stretch-pu: package unbound/1.6.0-3+deb9u2
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, I would like to fix a DNSSEC validation bug (CVE-2017-15105) in the unbound package shipped in stretch. After discussion with the security team, this bug was deemed minor enough that the fix could be shipped in a point release: https://security-tracker.debian.org/tracker/CVE-2017-15105 Please see attached a debdiff for unbound 1.6.0-3+deb9u2 containing the backported fix from upstream version 1.6.8. I'd like to have this considered for the upcoming stable point release. Details on the bug and its impact are available in this upstream advisory: https://unbound.net/downloads/CVE-2017-15105.txt I have cherry-picked two commits (svn r4441, r4528) from the upstream repository containing the fix and a test case. Those upstream commits are available here: https://github.com/NLnetLabs/unbound/commit/2a6250e3fb3ccd6e9a0a16b6908c5cfb76d8d6f3 https://github.com/NLnetLabs/unbound/commit/eff62cecac1388214032906eb6944ceb9c0e6d41 (There was a minor conflict when merging the cherry-picked commit r4441 due to the renaming of some internal types in svn r3989.) A very similar fix has already been shipped for wheezy-lts in 1.4.17-3+deb7u3. Thanks! -- Robert Edmonds edmo...@debian.org diff -Nru unbound-1.6.0/debian/changelog unbound-1.6.0/debian/changelog --- unbound-1.6.0/debian/changelog 2017-08-27 00:43:42.0 -0400 +++ unbound-1.6.0/debian/changelog 2018-02-28 17:00:51.0 -0500 @@ -1,3 +1,12 @@ +unbound (1.6.0-3+deb9u2) stretch; urgency=high + + * Cherry-pick upstream commit svn r4441, "patch for CVE-2017-15105: +vulnerability in the processing of wildcard synthesized NSEC records." + * Cherry-pick upstream commit svn r4528, "Added tests with wildcard +expanded NSEC records (CVE-2017-15105 test)". + + -- Robert Edmonds <edmo...@debian.org> Wed, 28 Feb 2018 17:00:51 -0500 + unbound (1.6.0-3+deb9u1) stretch; urgency=high * Cherry-pick upstream commit svn r4301, "Fix install of trust anchor diff -Nru unbound-1.6.0/debian/patches/debian-changes unbound-1.6.0/debian/patches/debian-changes --- unbound-1.6.0/debian/patches/debian-changes 2017-08-27 00:43:42.0 -0400 +++ unbound-1.6.0/debian/patches/debian-changes 2018-02-28 17:00:51.0 -0500 @@ -5,14 +5,12 @@ information below has been extracted from the changelog. Adjust it or drop it. . - unbound (1.6.0-3+deb9u1) stretch; urgency=high + unbound (1.6.0-3+deb9u2) stretch; urgency=high . - * Cherry-pick upstream commit svn r4301, "Fix install of trust anchor - when two anchors are present, makes both valid. Checks hash of DS but - not signature of new key. This fixes installs between sep11 and oct11 - 2017." - * debian/control: unbound: Add versioned dependency on dns-root-data (>= - 2017072601~) for KSK-2017 in RFC 5011 state VALID. + * Cherry-pick upstream commit svn r4441, "patch for CVE-2017-15105: + vulnerability in the processing of wildcard synthesized NSEC records." + * Cherry-pick upstream commit svn r4528, "Added tests with wildcard + expanded NSEC records (CVE-2017-15105 test)". Author: Robert Edmonds <edmo...@debian.org> --- @@ -26,7 +24,7 @@ Bug-Ubuntu: https://launchpad.net/bugs/ Forwarded: <no|not-needed|url proving that it has been forwarded> Reviewed-By: -Last-Update: 2017-08-27 +Last-Update: 2018-02-28 --- unbound-1.6.0.orig/acx_python.m4 +++ unbound-1.6.0/acx_python.m4 @@ -79,6 +77,165 @@ +echo "Setup success. Certificates created." exit 0 +--- unbound-1.6.0.orig/testcode/unitverify.c unbound-1.6.0/testcode/unitverify.c +@@ -186,7 +186,9 @@ verifytest_rrset(struct module_env* env, + ntohs(rrset->rk.rrset_class)); + } + setup_sigalg(dnskey, sigalg); /* check all algorithms in the dnskey */ +- sec = dnskeyset_verify_rrset(env, ve, rrset, dnskey, sigalg, ); ++ /* ok to give null as qstate here, won't be used for answer section. */ ++ sec = dnskeyset_verify_rrset(env, ve, rrset, dnskey, sigalg, , ++ LDNS_SECTION_ANSWER, NULL); + if(vsig) { + printf("verify outcome is: %s %s\n", sec_status_to_string(sec), + reason?reason:""); +--- /dev/null unbound-1.6.0/testdata/val_nodata_failwc.rpl +@@ -0,0 +1,71 @@ ++; config options ++; The island of trust is at nsecwc.nlnetlabs.nl ++server: ++ trust-anchor: "nsecwc.nlnetlabs.nl. 10024 IN DS 565 8 2 0C15C04C022700C8713028F6F64CF2343DE627B8F83CDA1C421C65DB 52908A2E" ++ val-override-date: "20181202115531" ++ target-fetch-policy: "0 0 0 0 0" ++ fake-sha1: yes ++ trust-anchor-signaling: no ++stub-zone: ++ name: "nsecwc.nlnetlabs.nl" ++ stub-addr: "185.49.140.60" ++
Re: KSK-2017 SUAs
Adam D. Barratt wrote: > Hi, > > It's not clear whether there will have been a stretch point release > before the KSK rollover in October, but there definitely won't have > been a jessie point release, and in any case we need to update unbound > in the next couple of days (to avoid new installs on stretch having > broken DNSSEC validation for the next month). > > Assuming I've not missed any packages that have been updated, we need > four SUAs. I've included draft text for each below - review, comments > and suggestions welcome. Hi, Adam: Thanks for writing these! The text mostly looks good to me. The only nit I have is that I would write "The keys used to authenticate the root DNS zone" instead of "The keys used to [sign] the root DNS zone[s]". Technically, there is a chain of signatures and the KSKs do not directly sign the root zone, and there is only a singular root zone. -- Robert Edmonds edmo...@debian.org
Bug#873371: stretch-pu: package unbound/1.6.0-3+deb9u1
Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Sun, 2017-08-27 at 09:19 +0100, Adam D. Barratt wrote: > > Control: block -1 by 873054 > > > > On Sun, 2017-08-27 at 01:25 -0400, Robert Edmonds wrote: > > > There is a bug in the unbound package shipped in stretch (1.6.0-3) > > > that > > > will cause DNS resolution to fail on systems that install the > > > unbound > > > package between September 11 and October 11, 2017. The upstream > > > developers have released 1.6.5 with a fix for this problem: > [...] > > > Additionally, since new installs of the unbound package initialize > > > the > > > autotrust anchor file for the DNS root (/var/lib/unbound/root.key) > > > from > > > a copy shipped in the dns-root-data package > > > (/usr/share/dns/root.key), > > > the dns-root-data package in stretch needs to be updated to > > > transition > > > the root zone trust anchor KSK-2017 to the RFC 5011 "VALID" state. > > > (The > > > stretch-pu request for the dns-root-data package is #873054.) > > > Accordingly, the proposed unbound 1.6.0-3+deb9u1 implements a > > > versioned > > > dependency on the dns-root-data package that would be shipped in > > > #873054. > > > > That means that we'd also need to release dns-root-data via -updates, > > otherwise most users won't be able to install the fixed unbound. It > > also imposes an ordering on the p-u requests, so adding a blocking > > relationship to indicate that. > > That happened now, please feel free to upload. Uploaded. Thanks! -- Robert Edmonds edmo...@debian.org
Bug#873054: stretch-pu: package dns-root-data/2017072601~deb9u1
Robert Edmonds wrote: > Adam D. Barratt wrote: > > Control: tags -1 +confirmed -moreinfo > > > > On Thu, 2017-08-24 at 08:55 +0200, Ondřej Surý wrote: > > > I forgot to attach the debdiff and rest. So here it is. > > > > Please go ahead. > > Hi, > > Given that September 11 is coming up in a few days and this package is > needed for #873371, I've gone ahead and uploaded > dns-root-data/2017072601~deb9u1 on behalf of the pkg-dns team. > > Thanks! Ah, OK, looks like it was already uploaded according to https://release.debian.org/proposed-updates/stable.html. Sorry for the noise! -- Robert Edmonds edmo...@debian.org
Bug#873054: stretch-pu: package dns-root-data/2017072601~deb9u1
Adam D. Barratt wrote: > Control: tags -1 +confirmed -moreinfo > > On Thu, 2017-08-24 at 08:55 +0200, Ondřej Surý wrote: > > I forgot to attach the debdiff and rest. So here it is. > > Please go ahead. Hi, Given that September 11 is coming up in a few days and this package is needed for #873371, I've gone ahead and uploaded dns-root-data/2017072601~deb9u1 on behalf of the pkg-dns team. Thanks! -- Robert Edmonds edmo...@debian.org signature.asc Description: PGP signature
Bug#873466: jessie-pu: package unbound/1.4.22-3+deb8u3
Adam D. Barratt wrote: > On Mon, 2017-08-28 at 00:38 -0400, Robert Edmonds wrote: > > I'd like to update jessie's unbound with a fix for the same RFC 5011 > > issue described in #873371 for stretch, fast-tracked via the *-updates > > mechanism due to the time component of the bug. Please see attached a > > debdiff for unbound 1.4.22-3+deb8u3. > > > > The fix for jessie requires an additional patch adding the root zone > > trust anchor KSK-2017 to the unbound-anchor utility. This change is > > nearly identical to a freeze exemption approved for stretch, #855635. > > Please go ahead. Uploaded. Thanks! -- Robert Edmonds edmo...@debian.org
Bug#873466: jessie-pu: package unbound/1.4.22-3+deb8u3
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, I'd like to update jessie's unbound with a fix for the same RFC 5011 issue described in #873371 for stretch, fast-tracked via the *-updates mechanism due to the time component of the bug. Please see attached a debdiff for unbound 1.4.22-3+deb8u3. The fix for jessie requires an additional patch adding the root zone trust anchor KSK-2017 to the unbound-anchor utility. This change is nearly identical to a freeze exemption approved for stretch, #855635. Thanks! -- Robert Edmonds edmo...@debian.org diff -Nru unbound-1.4.22/debian/changelog unbound-1.4.22/debian/changelog --- unbound-1.4.22/debian/changelog 2016-07-04 15:58:35.0 -0400 +++ unbound-1.4.22/debian/changelog 2017-08-28 00:17:29.0 -0400 @@ -1,3 +1,14 @@ +unbound (1.4.22-3+deb8u3) jessie; urgency=high + + * Cherry-pick upstream commit svn r4301, "Fix install of trust anchor +when two anchors are present, makes both valid. Checks hash of DS but +not signature of new key. This fixes installs between sep11 and oct11 +2017." + * Cherry-pick upstream commit svn r4000, "Include root trust anchor id +20326 in unbound-anchor". + + -- Robert Edmonds <edmo...@debian.org> Mon, 28 Aug 2017 00:17:29 -0400 + unbound (1.4.22-3+deb8u2) jessie; urgency=medium * debian/unbound.init: Add "pidfile" magic comment (Closes: #807132) diff -Nru unbound-1.4.22/debian/patches/debian-changes unbound-1.4.22/debian/patches/debian-changes --- unbound-1.4.22/debian/patches/debian-changes2016-07-04 16:06:41.0 -0400 +++ unbound-1.4.22/debian/patches/debian-changes2017-08-28 00:18:52.0 -0400 @@ -5,13 +5,15 @@ information below has been extracted from the changelog. Adjust it or drop it. . - unbound (1.4.22-3+deb8u2) jessie; urgency=medium + unbound (1.4.22-3+deb8u3) jessie; urgency=high . - * debian/unbound.init: Add "pidfile" magic comment (Closes: #807132) - * debian/unbound.init: Call start-stop-daemon with --retry for 'stop' - action (patch from Julien Cristau) + * Cherry-pick upstream commit svn r4301, "Fix install of trust anchor + when two anchors are present, makes both valid. Checks hash of DS but + not signature of new key. This fixes installs between sep11 and oct11 + 2017." + * Cherry-pick upstream commit svn r4000, "Include root trust anchor id + 20326 in unbound-anchor". Author: Robert Edmonds <edmo...@debian.org> -Bug-Debian: https://bugs.debian.org/807132 --- The information above should follow the Patch Tagging Guidelines, please @@ -24,7 +26,7 @@ Bug-Ubuntu: https://launchpad.net/bugs/ Forwarded: <no|not-needed|url proving that it has been forwarded> Reviewed-By: -Last-Update: 2016-07-04 +Last-Update: 2017-08-28 --- unbound-1.4.22.orig/acx_python.m4 +++ unbound-1.4.22/acx_python.m4 @@ -229,6 +231,20 @@ /** * The query must store NS records from referrals as parentside RRs +--- unbound-1.4.22.orig/smallapp/unbound-anchor.c unbound-1.4.22/smallapp/unbound-anchor.c +@@ -239,7 +239,10 @@ static const char* + get_builtin_ds(void) + { + return +-". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"; ++/* anchor 19036 is from 2010 */ ++/* anchor 20326 is from 2017 */ ++". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n" ++". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n"; + } + + /** print hex data */ --- unbound-1.4.22.orig/smallapp/unbound-control-setup.sh +++ unbound-1.4.22/smallapp/unbound-control-setup.sh @@ -157,6 +157,6 @@ chmod o-rw $SVR_BASE.pem $SVR_BASE.key $ @@ -259,3 +275,25 @@ cfg->control_ifs = NULL; cfg->control_port = UNBOUND_CONTROL_PORT; cfg->minimal_responses = 0; +--- unbound-1.4.22.orig/validator/autotrust.c unbound-1.4.22/validator/autotrust.c +@@ -1557,6 +1557,11 @@ key_matches_a_ds(struct module_env* env, + verbose(VERB_ALGO, "DS match attempt failed"); + continue; + } ++ /* match of hash is sufficient for bootstrap of trust point */ ++ (void)reason; ++ (void)ve; ++ return 1; ++ /* no need to check RRSIG, DS hash already matched with source + if(dnskey_verify_rrset(env, ve, dnskey_rrset, + dnskey_rrset, key_idx, ) == sec_status_secure) { + return 1; +@@ -1564,6 +1569,7 @@ key_matches_a_ds(struct module_env* env, + verbose(VERB_ALGO, "DS match failed because the key " + "does not verify the keyset: %s", reason); + } ++ */ + } + return 0; + } signature.asc Description: PGP signature
Bug#873371: stretch-pu: package unbound/1.6.0-3+deb9u1
Adam D. Barratt wrote: > I'm assuming that this also affects the unbound package shipping in > jessie currently? Are you planning on fixing the issue there as well? Yes, will open a jessie-pu bug shortly. The fix there is a bit simpler since the dns-root-data method of initializing the root trust anchor was introduced after jessie. -- Robert Edmonds edmo...@debian.org
Bug#873371: stretch-pu: package unbound/1.6.0-3+deb9u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, There is a bug in the unbound package shipped in stretch (1.6.0-3) that will cause DNS resolution to fail on systems that install the unbound package between September 11 and October 11, 2017. The upstream developers have released 1.6.5 with a fix for this problem: https://unbound.nlnetlabs.nl/pipermail/unbound-users/2017-August/004883.html https://unbound.nlnetlabs.nl/pipermail/unbound-users/2017-August/004884.html After discussing this issue with the security team, it was suggested that a fix be released via a stable point release, as well as being fast-tracked via the *-updates mechanism, due to the time component of the bug. Please see attached a debdiff for unbound 1.6.0-3+deb9u1 containing the backported fix from upstream version 1.6.5. Additionally, since new installs of the unbound package initialize the autotrust anchor file for the DNS root (/var/lib/unbound/root.key) from a copy shipped in the dns-root-data package (/usr/share/dns/root.key), the dns-root-data package in stretch needs to be updated to transition the root zone trust anchor KSK-2017 to the RFC 5011 "VALID" state. (The stretch-pu request for the dns-root-data package is #873054.) Accordingly, the proposed unbound 1.6.0-3+deb9u1 implements a versioned dependency on the dns-root-data package that would be shipped in #873054. Thanks! -- Robert Edmonds edmo...@debian.org diff -Nru unbound-1.6.0/debian/changelog unbound-1.6.0/debian/changelog --- unbound-1.6.0/debian/changelog 2017-02-19 20:04:34.0 -0500 +++ unbound-1.6.0/debian/changelog 2017-08-27 00:43:42.0 -0400 @@ -1,3 +1,14 @@ +unbound (1.6.0-3+deb9u1) stretch; urgency=high + + * Cherry-pick upstream commit svn r4301, "Fix install of trust anchor +when two anchors are present, makes both valid. Checks hash of DS but +not signature of new key. This fixes installs between sep11 and oct11 +2017." + * debian/control: unbound: Add versioned dependency on dns-root-data (>= +2017072601~) for KSK-2017 in RFC 5011 state VALID. + + -- Robert Edmonds <edmo...@debian.org> Sun, 27 Aug 2017 00:43:42 -0400 + unbound (1.6.0-3) unstable; urgency=medium * Cherry-pick upstream commit svn r4000, "Include root trust anchor id diff -Nru unbound-1.6.0/debian/control unbound-1.6.0/debian/control --- unbound-1.6.0/debian/control2017-02-19 20:04:34.0 -0500 +++ unbound-1.6.0/debian/control2017-08-27 00:43:42.0 -0400 @@ -96,7 +96,7 @@ Architecture: any Depends: adduser, - dns-root-data, + dns-root-data (>= 2017072601~), openssl, unbound-anchor, ${misc:Depends}, diff -Nru unbound-1.6.0/debian/patches/debian-changes unbound-1.6.0/debian/patches/debian-changes --- unbound-1.6.0/debian/patches/debian-changes 2017-02-19 20:04:34.0 -0500 +++ unbound-1.6.0/debian/patches/debian-changes 2017-08-27 00:43:42.0 -0400 @@ -5,12 +5,15 @@ information below has been extracted from the changelog. Adjust it or drop it. . - unbound (1.6.0-3) unstable; urgency=medium + unbound (1.6.0-3+deb9u1) stretch; urgency=high . - * Cherry-pick upstream commit svn r4000, "Include root trust anchor id - 20326 in unbound-anchor". (Closes: #855484) + * Cherry-pick upstream commit svn r4301, "Fix install of trust anchor + when two anchors are present, makes both valid. Checks hash of DS but + not signature of new key. This fixes installs between sep11 and oct11 + 2017." + * debian/control: unbound: Add versioned dependency on dns-root-data (>= + 2017072601~) for KSK-2017 in RFC 5011 state VALID. Author: Robert Edmonds <edmo...@debian.org> -Bug-Debian: https://bugs.debian.org/855484 --- The information above should follow the Patch Tagging Guidelines, please @@ -23,7 +26,7 @@ Bug-Ubuntu: https://launchpad.net/bugs/ Forwarded: <no|not-needed|url proving that it has been forwarded> Reviewed-By: -Last-Update: 2017-02-20 +Last-Update: 2017-08-27 --- unbound-1.6.0.orig/acx_python.m4 +++ unbound-1.6.0/acx_python.m4 @@ -118,3 +121,25 @@ free($2); } ; +--- unbound-1.6.0.orig/validator/autotrust.c unbound-1.6.0/validator/autotrust.c +@@ -1571,6 +1571,11 @@ key_matches_a_ds(struct module_env* env, + verbose(VERB_ALGO, "DS match attempt failed"); + continue; + } ++ /* match of hash is sufficient for bootstrap of trust point */ ++ (void)reason; ++ (void)ve; ++ return 1; ++ /* no need to check RRSIG, DS hash already matched with source + if(dnskey_verify_rrset(env, ve, dnskey_rrset, + dnskey_rrset, key_idx, ) == sec_status_secure) { + return 1; +@@ -1578,6 +1583,7 @@ key_m
Bug#864283: unblock: dns-root-data/2017041102
Ondřej Surý wrote: > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: unblock > > Please unblock package dns-root-data > > Dear release team, > > Robert Edmonds has prepared patch to fix the regression caused by > dns-root-data package in dnsmasq, so the root.ds format can now be > parsed by both dnsmasq in testing and in unstable. > > Thanks goes to Robert to thinking better than me and preparing the > fix. > > unblock dns-root-data/2017041102 Hi, release team: There are further details about the fix in the commit message: https://anonscm.debian.org/cgit/pkg-dns/dns-root-data.git/commit/?id=be97d5a000cc592cacc50623883fb2d67f2b7432 This will fix the following bugs in stretch: #860064, #858506, #860274, #864016 Since this restores compatibility with the version of dnsmasq in stretch, it will also obsolete the unblock request for dnsmasq: #864085 The following transcript of a stretch machine running dnsmasq exhibits the buggy behavior with dns-root-data 2017041101 (testing) and the fixed behavior with dns-root-data 2017041102 (unstable). Thanks! root@845s:~# dpkg -l dnsmasq dns-root-data Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==---== hi dns-root-data 2015052300+h+1 all DNS root data including root zone and DNSSEC key ii dnsmasq2.76-5 all Small caching DNS proxy and DHCP/TFTP server root@845s:~# systemctl -l -n0 status dnsmasq ● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled) Active: active (running) since Tue 2017-06-06 10:46:39 EDT; 1h 2min ago Main PID: 8015 (dnsmasq) CGroup: /system.slice/dnsmasq.service └─8015 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -r /run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service --trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 root@845s:~# apt install dns-root-data/stretch Reading package lists... Done Building dependency tree Reading state information... Done Selected version '2017041101' (Debian:testing [all]) for 'dns-root-data' The following held packages will be changed: dns-root-data (2015052300+h+1 => 2017041101) The following packages will be upgraded: dns-root-data (2015052300+h+1 => 2017041101) 1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. Need to get 4,670 B of archives. After this operation, 38.9 kB disk space will be freed. Do you want to continue? [Y/n] y Get:1 http://ftp.us.debian.org/debian stretch/main amd64 dns-root-data all 2017041101 [4,670 B] Fetched 4,670 B in 0s (25.3 kB/s) Reading changelogs... Done apt-listchanges: Changelogs --- dns-root-data (2017041101) unstable; urgency=medium * Fix parse-root-anchors.sh in non-dash shells (Closes: #862252) * Update to 2017041101 version of root zone * Remove timestamps from root.key to make the build reproducible * Shell syntax cleanup -- Ondřej Surý <ond...@debian.org> Mon, 29 May 2017 14:05:37 +0200 dns-root-data (2017020200) unstable; urgency=medium * Update to 2016102001 version of the root.zone * Add KSK-2017 (valid from 2017-02-02) into root.key file * Reduce number of IANA files as they don't exist at upstream anymore * draft-icann-dnssec-trust-anchor is now RFC 7958 * Update all other IANA DNSSEC files to 2017-02-02 versions * Strip the GPG verification as IANA doesn't provide the GPG signatures anymore * Rewrite DS creation check to xml2 and ldnsutils, as neither xmllint nor bind9utils handle multiple DNSKEY in one file correctly -- Ondřej Surý <ond...@debian.org> Wed, 22 Mar 2017 09:06:08 +0100 apt-listchanges: Do you want to continue? [Y/n] y (Reading database ... 51072 files and directories currently installed.) Preparing to unpack .../dns-root-data_2017041101_all.deb ... Unpacking dns-root-data (2017041101) over (2015052300+h+1) ... Setting up dns-root-data (2017041101) ... root@845s:~# systemctl -l -n0 status dnsmasq ● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled) Active: active (running) since Tue 2017-06-06 10:46:39 EDT; 1h 3min ago Main PID: 8015 (dnsmasq) CGroup: /system.slice/dnsmasq.service └─8015 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid
Bug#859296: unblock: bup/0.29-3
Package: release.debian.org User: release.debian@packages.debian.org Usertags: unblock Severity: normal Hi, I'd like to request a freeze unblock for bup 0.29-3. This package contains a targeted fix (recommended by upstream) from the bup 0.29.1 release for RC bug #859295. This bug affects testing and can cause serious data loss, potentially corrupting a bup backup repository in certain situations if the 'bup gc' command is used. The source debdiff is attached. unblock bup/0.29-3 Thanks! -- Robert Edmonds edmo...@debian.org diff -Nru bup-0.29/debian/changelog bup-0.29/debian/changelog --- bup-0.29/debian/changelog 2017-01-01 14:42:37.0 -0500 +++ bup-0.29/debian/changelog 2017-04-01 14:38:19.0 -0400 @@ -1,3 +1,11 @@ +bup (0.29-3) unstable; urgency=medium + + [ Tim Riemenschneider ] + * Safeguard against deleting new pack-file (f.e. with threshold=0) +(Closes: #859295) + + -- Robert Edmonds <edmo...@debian.org> Sat, 01 Apr 2017 14:38:19 -0400 + bup (0.29-2) unstable; urgency=medium [ James Cowgill ] diff -Nru bup-0.29/debian/patches/debian-changes bup-0.29/debian/patches/debian-changes --- bup-0.29/debian/patches/debian-changes 2017-01-01 14:42:37.0 -0500 +++ bup-0.29/debian/patches/debian-changes 2017-04-01 14:38:19.0 -0400 @@ -5,15 +5,13 @@ information below has been extracted from the changelog. Adjust it or drop it. . - bup (0.29-2) unstable; urgency=medium + bup (0.29-3) unstable; urgency=medium . - [ James Cowgill ] - * Build-Depend on tzdata to fix FTBFS. (Closes: #839498) - . - [ Robert Edmonds ] - * debian/changelog: Acknowledge 0.28.1-1.1 NMU + [ Tim Riemenschneider ] + * Safeguard against deleting new pack-file (f.e. with threshold=0) + (Closes: #859295) Author: Robert Edmonds <edmo...@debian.org> -Bug-Debian: https://bugs.debian.org/839498 +Bug-Debian: https://bugs.debian.org/859295 --- The information above should follow the Patch Tagging Guidelines, please @@ -26,7 +24,7 @@ Bug-Ubuntu: https://launchpad.net/bugs/ Forwarded: <no|not-needed|url proving that it has been forwarded> Reviewed-By: -Last-Update: 2017-01-01 +Last-Update: 2017-04-01 --- bup-0.29.orig/Makefile +++ bup-0.29/Makefile @@ -63,7 +61,7 @@ +++ bup-0.29/config/config.h.tmp @@ -0,0 +1,27 @@ +/* -+ * configuration for bup, generated Sun Jan 1 19:47:37 UTC 2017 ++ * configuration for bup, generated Sat Apr 1 18:42:19 UTC 2017 + * by pbuilder@chase + */ +#ifndef __AC_BUP_D @@ -98,6 +96,43 @@ -COMMIT='$Format:%H$' -NAMES='$Format:%d$' -DATE='$Format:%ci$' -+COMMIT='5c71e0f3540c7950185f2747efce4b7ef5b29980' -+NAMES=' (HEAD -> branches/0.29, tag: debian/0.29-2)' -+DATE='2017-01-01 14:43:38 -0500' ++COMMIT='3cf1801c6937bd0b07cd42eadf14dcb684a6f788' ++NAMES=' (HEAD -> branches/0.29, tag: debian/0.29-3)' ++DATE='2017-04-01 14:39:51 -0400' +--- bup-0.29.orig/lib/bup/gc.py bup-0.29/lib/bup/gc.py +@@ -135,6 +135,8 @@ def sweep(live_objects, existing_count, + if verbosity and new_pack_prefix: + log('created ' + basename(new_pack_prefix) + '\n') + for p in ns.stale_files: ++if new_pack_prefix and p.startswith(new_pack_prefix): ++continue # Don't remove the new pack file + if verbosity: + log('removing ' + basename(p) + '\n') + os.unlink(p) +--- bup-0.29.orig/t/test-gc.sh bup-0.29/t/test-gc.sh +@@ -219,4 +219,23 @@ WVPASSEQ 1 $(echo "$only_in_before" | wc + WVPASSEQ 1 $(echo "$only_in_after" | wc -l) + WVPASSEQ 1 $(echo "$in_both" | wc -l) + ++WVSTART "gc (threshold 0)" ++ ++WVPASS rm -rf "$BUP_DIR" ++WVPASS bup init ++WVPASS rm -rf src && mkdir src ++WVPASS echo 0 > src/0 ++WVPASS echo 1 > src/1 ++ ++WVPASS bup index src ++WVPASS bup save -n src-1 src ++ ++packs_before="$(ls "$BUP_DIR/objects/pack/"*.pack)" || exit $? ++WVPASS bup gc -v $GC_OPTS --threshold 0 2>&1 | tee gc.log ++packs_after="$(ls "$BUP_DIR/objects/pack/"*.pack)" || exit $? ++# Check that the pack was rewritten, but not removed (since the ++# result-pack is equal to the source pack) ++WVPASSEQ 1 "$(grep -cE '^rewriting ' gc.log)" ++WVPASSEQ "$packs_before" "$packs_after" ++ + WVPASS rm -rf "$tmpdir" signature.asc Description: PGP signature
Bug#855635: unblock: unbound/1.6.0-3
Package: release.debian.org User: release.debian@packages.debian.org Usertags: unblock Severity: normal Hi, I'd like to request a freeze unblock for unbound 1.6.0-3. The only difference between 1.6.0-2 (testing) and 1.6.0-3 (unstable) is that I've cherry-picked an update from upstream that adds the DNSSEC trust anchor for the new key-signing key generated for the root. See bug #855484 for more details. See https://www.icann.org/resources/pages/ksk-rollover for details about the root DNSSEC key-signing key rollover. (If this change is approved, you should verify that the debdiff matches what is in the source package in the archive, and that the trust anchors in the package match what is published by IANA at https://data.iana.org/root-anchors/root-anchors.xml.) unblock unbound/1.6.0-3 Thanks! -- Robert Edmonds edmo...@debian.org diff -Nru unbound-1.6.0/debian/changelog unbound-1.6.0/debian/changelog --- unbound-1.6.0/debian/changelog 2016-12-18 15:00:12.0 -0500 +++ unbound-1.6.0/debian/changelog 2017-02-19 20:04:34.0 -0500 @@ -1,3 +1,10 @@ +unbound (1.6.0-3) unstable; urgency=medium + + * Cherry-pick upstream commit svn r4000, "Include root trust anchor id +20326 in unbound-anchor". (Closes: #855484) + + -- Robert Edmonds <edmo...@debian.org> Sun, 19 Feb 2017 20:04:34 -0500 + unbound (1.6.0-2) unstable; urgency=high [ Helmut Grohne ] diff -Nru unbound-1.6.0/debian/patches/debian-changes unbound-1.6.0/debian/patches/debian-changes --- unbound-1.6.0/debian/patches/debian-changes 2016-12-18 15:00:12.0 -0500 +++ unbound-1.6.0/debian/patches/debian-changes 2017-02-19 20:04:34.0 -0500 @@ -5,12 +5,12 @@ information below has been extracted from the changelog. Adjust it or drop it. . - unbound (1.6.0-2) unstable; urgency=high + unbound (1.6.0-3) unstable; urgency=medium . - [ Helmut Grohne ] - * Only use fake_dsa when HAVE_SSL is defined (Closes: #848339) + * Cherry-pick upstream commit svn r4000, "Include root trust anchor id + 20326 in unbound-anchor". (Closes: #855484) Author: Robert Edmonds <edmo...@debian.org> -Bug-Debian: https://bugs.debian.org/848339 +Bug-Debian: https://bugs.debian.org/855484 --- The information above should follow the Patch Tagging Guidelines, please @@ -23,7 +23,7 @@ Bug-Ubuntu: https://launchpad.net/bugs/ Forwarded: <no|not-needed|url proving that it has been forwarded> Reviewed-By: -Last-Update: 2016-12-18 +Last-Update: 2017-02-20 --- unbound-1.6.0.orig/acx_python.m4 +++ unbound-1.6.0/acx_python.m4 @@ -52,6 +52,20 @@ If turned off, the server does not listen for control commands. .TP 5 .B control\-interface: \fI +--- unbound-1.6.0.orig/smallapp/unbound-anchor.c unbound-1.6.0/smallapp/unbound-anchor.c +@@ -241,7 +241,10 @@ static const char* + get_builtin_ds(void) + { + return +-". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"; ++/* anchor 19036 is from 2010 */ ++/* anchor 20326 is from 2017 */ ++". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n" ++". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n"; + } + + /** print hex data */ --- unbound-1.6.0.orig/smallapp/unbound-control-setup.sh.in +++ unbound-1.6.0/smallapp/unbound-control-setup.sh.in @@ -155,6 +155,6 @@ chmod o-rw $SVR_BASE.pem $SVR_BASE.key $ signature.asc Description: PGP signature
Bug#835170: [Pkg-protobuf-devel] Bug#835170: transition: protobuf
Dmitry Smirnov wrote: > On Tuesday, 23 August 2016 8:51:23 PM AEST Adam D. Barratt wrote: > > That's not an excuse for causing disruption in unstable. > > I'm not sure when it is OK to cause disruption in unstable. For example > uploading new GCC seems to cause a lot of problems despite attempts to > mitigate FTBFS. It's a very easy rule for protobuf, since protobuf has a non-trivial set of reverse build-dependencies: every ABI bump for protobuf needs a corresponding, coordinated ABI transition. For previous protobuf transitions (2.5.0, 2.6.0), please review #726165 and #760343. It's not as simple as just uploading a new release to unstable. Probably it should have been uploaded to experimental first, to check that the package would build and pass its test suite on all architectures. (E.g., see #572923 for an example of architecture-specific breakage in protobuf.) > Also do you have a clue why protobuf FTBFS on build servers? I'm unable to > reproduce the problem... I built it on amd64 in an up-to-date sid pbuilder chroot and it failed in the same manner as it did on all the buildd's. -- Robert Edmonds edmo...@debian.org
Bug#828177: jessie-pu: package unbound/1.4.22-3+deb8u2
Adam D. Barratt wrote: > On Mon, 2016-07-04 at 16:11 -0400, Robert Edmonds wrote: > > +unbound (1.4.22-3+deb8u2) jessie; urgency=medium > > + > > + * debian/unbound.init: Add "pidfile" magic comment (Closes: #807132) > > + * debian/unbound.init: Call start-stop-daemon with --retry for 'stop' > > +action (patch from Julien Cristau) > > Sorry for the delay in getting back to you; please go ahead. Uploaded. Thanks! -- Robert Edmonds edmo...@debian.org
Bug#828177: jessie-pu: package unbound/1.4.22-3+deb8u2
Robert Edmonds wrote: > Julien Cristau wrote: > > May I take the opportunity to ask you to also fix the 'stop' action from > > the init script? > > > > We've been using this patch on the debian.org hosts for a year now. > > Previously restarting the service would quite often result in no running > > unbound, because (AIUI) systemd doesn't use the init script 'restart' > > action (uses stop && start instead), the 'stop' action would not wait > > for the process to actually die before returning, and then 'start' would > > say "I'm already running, nothing to do". > > Wow, thanks for pointing that out. Yes, I'd be happy to fix that one too > in a stable update. Here is the updated debdiff for the package I'd like to upload to jessie. diff -Nru unbound-1.4.22/debian/changelog unbound-1.4.22/debian/changelog --- unbound-1.4.22/debian/changelog 2016-02-21 18:43:22.0 -0500 +++ unbound-1.4.22/debian/changelog 2016-07-04 15:58:35.0 -0400 @@ -1,3 +1,11 @@ +unbound (1.4.22-3+deb8u2) jessie; urgency=medium + + * debian/unbound.init: Add "pidfile" magic comment (Closes: #807132) + * debian/unbound.init: Call start-stop-daemon with --retry for 'stop' +action (patch from Julien Cristau) + + -- Robert Edmonds <edmo...@debian.org> Mon, 04 Jul 2016 15:58:01 -0400 + unbound (1.4.22-3+deb8u1) jessie; urgency=medium * iterator/iter_hints.c: Update hints for H.ROOT-SERVERS.NET diff -Nru unbound-1.4.22/debian/patches/debian-changes unbound-1.4.22/debian/patches/debian-changes --- unbound-1.4.22/debian/patches/debian-changes2016-02-22 10:58:04.0 -0500 +++ unbound-1.4.22/debian/patches/debian-changes2016-07-04 16:06:41.0 -0400 @@ -5,12 +5,13 @@ information below has been extracted from the changelog. Adjust it or drop it. . - unbound (1.4.22-3+deb8u1) jessie; urgency=medium + unbound (1.4.22-3+deb8u2) jessie; urgency=medium . - * iterator/iter_hints.c: Update hints for H.ROOT-SERVERS.NET - (Closes: #815370) + * debian/unbound.init: Add "pidfile" magic comment (Closes: #807132) + * debian/unbound.init: Call start-stop-daemon with --retry for 'stop' + action (patch from Julien Cristau) Author: Robert Edmonds <edmo...@debian.org> -Bug-Debian: https://bugs.debian.org/815370 +Bug-Debian: https://bugs.debian.org/807132 --- The information above should follow the Patch Tagging Guidelines, please @@ -23,7 +24,7 @@ Bug-Ubuntu: https://launchpad.net/bugs/ Forwarded: <no|not-needed|url proving that it has been forwarded> Reviewed-By: -Last-Update: +Last-Update: 2016-07-04 --- unbound-1.4.22.orig/acx_python.m4 +++ unbound-1.4.22/acx_python.m4 diff -Nru unbound-1.4.22/debian/unbound.init unbound-1.4.22/debian/unbound.init --- unbound-1.4.22/debian/unbound.init 2016-02-21 18:43:22.0 -0500 +++ unbound-1.4.22/debian/unbound.init 2016-07-04 15:58:35.0 -0400 @@ -7,6 +7,7 @@ # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 ### END INIT INFO +# pidfile: /run/unbound.pid NAME=unbound DESC="recursive DNS server" @@ -121,7 +122,7 @@ stop) if $UNBOUND_ENABLE; then log_daemon_msg "Stopping $DESC" "$NAME" -if start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE --name $NAME; then +if start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE --name $NAME --retry 5; then do_resolvconf_stop log_end_msg 0 else -- Robert Edmonds edmo...@debian.org
Bug#828177: jessie-pu: package unbound/1.4.22-3+deb8u2
Julien Cristau wrote: > May I take the opportunity to ask you to also fix the 'stop' action from > the init script? > > We've been using this patch on the debian.org hosts for a year now. > Previously restarting the service would quite often result in no running > unbound, because (AIUI) systemd doesn't use the init script 'restart' > action (uses stop && start instead), the 'stop' action would not wait > for the process to actually die before returning, and then 'start' would > say "I'm already running, nothing to do". Wow, thanks for pointing that out. Yes, I'd be happy to fix that one too in a stable update. > --- /tmp/unbound-1.4.22/debian/unbound.init 2016-02-22 01:43:22.0 > +0200 > +++ modules/unbound/files/unbound.init 2015-05-17 16:50:09.699383800 +0200 > @@ -121,7 +121,7 @@ > stop) > if $UNBOUND_ENABLE; then > log_daemon_msg "Stopping $DESC" "$NAME" > -if start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE > --name $NAME; then > +if start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE > --name $NAME --retry 5; then > do_resolvconf_stop > log_end_msg 0 > else > > Cheers, > Julien -- Robert Edmonds edmo...@debian.org
Bug#828177: jessie-pu: package unbound/1.4.22-3+deb8u2
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, The unbound package in jessie is affected by #807132 ("unbound-control breaks systemctl stop/start"). The bug report is long, but briefly, the unbound daemon can fail to start in several common scenarios, such as when the "unbound-control" utility is used to stop the daemon. One user reports that the unbound daemon is stopped but not subsequently started every time the unbound package is upgraded. This bug has been fixed in unstable by 1.5.9-1 and is currently marked severity important, though in my opinion this bug is severe enough to make it unsuitable for a release. The fix for this is shown below and is relatively simple, and was suggested by a member of the pkg-systemd team (Michael Biebl). I'd like to upload this to jessie. Thanks! diff -Nru unbound-1.4.22/debian/changelog unbound-1.4.22/debian/changelog --- unbound-1.4.22/debian/changelog 2016-02-21 18:43:22.0 -0500 +++ unbound-1.4.22/debian/changelog 2016-06-25 14:49:32.0 -0400 @@ -1,3 +1,9 @@ +unbound (1.4.22-3+deb8u2) jessie; urgency=medium + + * debian/unbound.init: Add "pidfile" magic comment (Closes: #807132) + + -- Robert Edmonds <edmo...@debian.org> Sat, 25 Jun 2016 14:49:31 -0400 + unbound (1.4.22-3+deb8u1) jessie; urgency=medium * iterator/iter_hints.c: Update hints for H.ROOT-SERVERS.NET diff -Nru unbound-1.4.22/debian/patches/debian-changes unbound-1.4.22/debian/patches/debian-changes --- unbound-1.4.22/debian/patches/debian-changes2016-02-22 10:58:04.0 -0500 +++ unbound-1.4.22/debian/patches/debian-changes2016-06-25 14:50:22.0 -0400 @@ -5,12 +5,11 @@ information below has been extracted from the changelog. Adjust it or drop it. . - unbound (1.4.22-3+deb8u1) jessie; urgency=medium + unbound (1.4.22-3+deb8u2) jessie; urgency=medium . - * iterator/iter_hints.c: Update hints for H.ROOT-SERVERS.NET - (Closes: #815370) + * debian/unbound.init: Add "pidfile" magic comment (Closes: #807132) Author: Robert Edmonds <edmo...@debian.org> -Bug-Debian: https://bugs.debian.org/815370 +Bug-Debian: https://bugs.debian.org/807132 --- The information above should follow the Patch Tagging Guidelines, please diff -Nru unbound-1.4.22/debian/unbound.init unbound-1.4.22/debian/unbound.init --- unbound-1.4.22/debian/unbound.init 2016-02-21 18:43:22.0 -0500 +++ unbound-1.4.22/debian/unbound.init 2016-06-25 14:49:32.0 -0400 @@ -7,6 +7,7 @@ # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 ### END INIT INFO +# pidfile: /run/unbound.pid NAME=unbound DESC="recursive DNS server" -- Robert Edmonds edmo...@debian.org signature.asc Description: PGP signature
Bug#815517: jessie-pu: package unbound/1.4.22-3+deb8u1
Adam D. Barratt wrote: > On 2016-02-22 0:09, Robert Edmonds wrote: > >diff --git a/debian/changelog b/debian/changelog > >index af91f28..2c6d115 100644 > >--- a/debian/changelog > >+++ b/debian/changelog > >@@ -1,3 +1,10 @@ > >+unbound (1.4.22-3+deb8u1) jessie; urgency=medium > >+ > >+ * iterator/iter_hints.c: Update hints for H.ROOT-SERVERS.NET > >+(Closes: #815370) > > Please go ahead. Uploaded, thanks! -- Robert Edmonds edmo...@debian.org
Bug#815517: jessie-pu: package unbound/1.4.22-3+deb8u1
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, The unbound package in jessie has outdated root DNS server address hints for h.root-servers.net, see #815370. I'd like to upload a new version to jessie with the following changes. Thanks! diff --git a/debian/changelog b/debian/changelog index af91f28..2c6d115 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +unbound (1.4.22-3+deb8u1) jessie; urgency=medium + + * iterator/iter_hints.c: Update hints for H.ROOT-SERVERS.NET +(Closes: #815370) + + -- Robert Edmonds <edmo...@debian.org> Sun, 21 Feb 2016 18:36:43 -0500 + unbound (1.4.22-3) unstable; urgency=medium * Fix CVE-2014-8602: denial of service by making resolver chase endless diff --git a/iterator/iter_hints.c b/iterator/iter_hints.c index 7fa07a7..8e51424 100644 --- a/iterator/iter_hints.c +++ b/iterator/iter_hints.c @@ -135,7 +135,7 @@ compile_time_root_prime(int do_ip4, int do_ip6) if(!ah(dp, "E.ROOT-SERVERS.NET.", "192.203.230.10")) goto failed; if(!ah(dp, "F.ROOT-SERVERS.NET.", "192.5.5.241")) goto failed; if(!ah(dp, "G.ROOT-SERVERS.NET.", "192.112.36.4")) goto failed; - if(!ah(dp, "H.ROOT-SERVERS.NET.", "128.63.2.53")) goto failed; + if(!ah(dp, "H.ROOT-SERVERS.NET.", "198.97.190.53")) goto failed; if(!ah(dp, "I.ROOT-SERVERS.NET.", "192.36.148.17")) goto failed; if(!ah(dp, "J.ROOT-SERVERS.NET.", "192.58.128.30")) goto failed; if(!ah(dp, "K.ROOT-SERVERS.NET.", "193.0.14.129")) goto failed; @@ -146,7 +146,7 @@ compile_time_root_prime(int do_ip4, int do_ip6) if(!ah(dp, "A.ROOT-SERVERS.NET.", "2001:503:ba3e::2:30")) goto failed; if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed; if(!ah(dp, "F.ROOT-SERVERS.NET.", "2001:500:2f::f")) goto failed; - if(!ah(dp, "H.ROOT-SERVERS.NET.", "2001:500:1::803f:235")) goto failed; + if(!ah(dp, "H.ROOT-SERVERS.NET.", "2001:500:1::53")) goto failed; if(!ah(dp, "I.ROOT-SERVERS.NET.", "2001:7fe::53")) goto failed; if(!ah(dp, "J.ROOT-SERVERS.NET.", "2001:503:c27::2:30")) goto failed; if(!ah(dp, "K.ROOT-SERVERS.NET.", "2001:7fd::1")) goto failed; -- Robert Edmonds edmo...@debian.org
Bug#772684: unblock: unbound/1.4.22-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hi, Please unblock unbound 1.4.22-3. This version addresses CVE-2014-8602, denial of service by making resolver chase endless series of delegations, based on upstream's patch: http://unbound.net/downloads/CVE-2014-8602.txt Actually, I cherry picked upstream's svn r3289 and applied it against the version of unbound in testing: http://anonscm.debian.org/cgit/users/edmonds/unbound.git/commit/?h=branches/1.4.22%2bjessieid=15037ee5f483ad5ef10ad7c99221b3b77018413b The Debian bug tracking this issue is #772622. This issue was found in at least three recursive DNS servers: BIND, Unbound, and PowerDNS Recursor and was fixed in coordinated releases. See also: https://kb.isc.org/article/AA-01216/ A Defect in Delegation Handling Can Be Exploited to Crash BIND [CVE-2014-8500] (And Debian #772610.) http://doc.powerdns.com/md/security/powerdns-advisory-2014-02/ PowerDNS Recursor 3.6.1 and earlier can be made to provide bad service [CVE-2014-8601] The debdiff is below. Thanks! diff -Nru unbound-1.4.22/debian/changelog unbound-1.4.22/debian/changelog --- unbound-1.4.22/debian/changelog 2014-08-18 16:22:31.0 -0400 +++ unbound-1.4.22/debian/changelog 2014-12-09 17:55:16.0 -0500 @@ -1,3 +1,10 @@ +unbound (1.4.22-3) unstable; urgency=medium + + * Fix CVE-2014-8602: denial of service by making resolver chase endless +series of delegations; closes: #772622. + + -- Robert Edmonds edmo...@debian.org Tue, 09 Dec 2014 17:52:08 -0500 + unbound (1.4.22-2) unstable; urgency=medium * Drop unneeded Build-Dependency on doxygen. diff -Nru unbound-1.4.22/debian/patches/debian-changes unbound-1.4.22/debian/patches/debian-changes --- unbound-1.4.22/debian/patches/debian-changes2014-08-18 16:23:10.0 -0400 +++ unbound-1.4.22/debian/patches/debian-changes2014-12-09 17:58:56.0 -0500 @@ -5,15 +5,12 @@ information below has been extracted from the changelog. Adjust it or drop it. . - unbound (1.4.22-2) unstable; urgency=medium + unbound (1.4.22-3) unstable; urgency=medium . - * Drop unneeded Build-Dependency on doxygen. - * Drop unneeded Build-Dependency on automake. (Unbound does not use - automake.) - * Use dh_autotools-dev_updateconfig to update the config.{guess,sub} files - at build time; closes: #746313. -Author: Robert S. Edmonds edmo...@debian.org -Bug-Debian: http://bugs.debian.org/746313 + * Fix CVE-2014-8602: denial of service by making resolver chase endless + series of delegations; closes: #772622. +Author: Robert Edmonds edmo...@debian.org +Bug-Debian: http://bugs.debian.org/772622 --- The information above should follow the Patch Tagging Guidelines, please @@ -66,6 +63,151 @@ If turned off, the server does not listen for control commands. .TP 5 .B control\-interface: ip address +--- unbound-1.4.22.orig/iterator/iterator.c unbound-1.4.22/iterator/iterator.c +@@ -120,6 +120,7 @@ iter_new(struct module_qstate* qstate, i + iq-query_restart_count = 0; + iq-referral_count = 0; + iq-sent_count = 0; ++ iq-target_count = NULL; + iq-wait_priming_stub = 0; + iq-refetch_glue = 0; + iq-dnssec_expected = 0; +@@ -445,6 +446,26 @@ handle_cname_response(struct module_qsta + return 1; + } + ++/** create target count structure for this query */ ++static void ++target_count_create(struct iter_qstate* iq) ++{ ++ if(!iq-target_count) { ++ iq-target_count = (int*)calloc(2, sizeof(int)); ++ /* if calloc fails we simply do not track this number */ ++ if(iq-target_count) ++ iq-target_count[0] = 1; ++ } ++} ++ ++static void ++target_count_increase(struct iter_qstate* iq, int num) ++{ ++ target_count_create(iq); ++ if(iq-target_count) ++ iq-target_count[1] += num; ++} ++ + /** + * Generate a subrequest. + * Generate a local request event. Local events are tied to this module, and +@@ -516,6 +537,10 @@ generate_sub_request(uint8_t* qname, siz + subiq = (struct iter_qstate*)subq-minfo[id]; + memset(subiq, 0, sizeof(*subiq)); + subiq-num_target_queries = 0; ++ target_count_create(iq); ++ subiq-target_count = iq-target_count; ++ if(iq-target_count) ++ iq-target_count[0] ++; /* extra reference */ + subiq-num_current_queries = 0; + subiq-depth = iq-depth+1; + outbound_list_init(subiq-outlist); +@@ -1342,6 +1367,12 @@ query_for_targets(struct module_qstate* + + if(iq-depth == ie-max_dependency_depth) + return 0; ++ if(iq-depth 0 iq-target_count ++ iq-target_count[1] MAX_TARGET_COUNT) { ++ verbose(VERB_QUERY, request has exceeded the maximum
Bug#760343: transition: protobuf 2.6.0
Robert Edmonds wrote: Robert Edmonds wrote: node-mapnik --- This package Build-Depends against mapnik-vector-tile, which ships a .pb.h file in /usr/include (a bad upstream practice). mapnik-vector-tile needs to be binNMU'd first before node-mapnik can be binNMU'd. It turns out node-mapnik FTBFS (#759843) due to a problem with mapnik-vector-tile (#762643) unrelated to the protobuf transition. I've uploaded a fix for this to DELAYED, so once mapnik-vector-tile 0.5.1+dfsg-1.3 is in the archive, node-mapnik can be binNMU'd. (And I think that will complete the transition?) Hi, mapnik-vector-tile 0.5.1+dfsg-1.3 is in unstable and I've confirmed that it fixes #759843, so node-mapnik can be binNMU'd now. -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140927174922.ga19...@mycre.ws
Bug#760343: Python3 Package?
Emilio Pozuelo Monfort wrote: On 26/09/14 00:13, Jamie Bliss wrote: Thanks for getting this into jessie. I noticed there isn't a a python3-protobuf package to go with the python-protobuf package. Since 2.6.0 added Python 3 support, shouldn't this be available? You're asking on the wrong place. Please open a wishlist bug against protobuf. Python 3 was mistakenly listed as supported in the 2.6.0 changelog. See upstream issue #7: https://github.com/google/protobuf/issues/7 It's possible Python 3 will be supported by protobuf 2.6.1, which might be released before the freeze. There's also #760129 which needs to be fixed for python3-protobuf to exist. -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140925224245.ga1...@mycre.ws
Bug#760343: transition: protobuf 2.6.0
Robert Edmonds wrote: OK, protobuf 2.6.0-4 with the atomics fix is now in the archive and built on all architectures. Please give back shogun on mips. Oh, nevermind, I see shogun was rebuilt on mips against protobuf 2.6.0-4 a few minutes ago. -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140923165843.gb9...@mycre.ws
Bug#760343: transition: protobuf 2.6.0
Emilio Pozuelo Monfort wrote: On 14/09/14 00:26, Robert Edmonds wrote: I see a build failure on mips in the 'shogun' package: https://buildd.debian.org/status/fetch.php?pkg=shogunarch=mipsver=3.2.0-7.2%2Bb1stamp=1410641206 This is actually an architecture+compiler specific build failure. (Funnily enough, shogun uses clang++ on some architectures but c++ on others as the compiler.) The problem is that the 'generic' atomic implementation fallback is only used when the compiler is actually gcc/g++, rather than clang/clang++. The fix is relatively simple (basically we just need to also detect clang as well as gcc = 4.7), but it has to be done in the protobuf headers, which will mean another protobuf upload. OK, let us know when that happens and we'll give shogun back. OK, protobuf 2.6.0-4 with the atomics fix is now in the archive and built on all architectures. Please give back shogun on mips. Thanks! -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140923165738.ga9...@mycre.ws
Bug#760343: transition: protobuf 2.6.0
Robert Edmonds wrote: node-mapnik --- This package Build-Depends against mapnik-vector-tile, which ships a .pb.h file in /usr/include (a bad upstream practice). mapnik-vector-tile needs to be binNMU'd first before node-mapnik can be binNMU'd. It turns out node-mapnik FTBFS (#759843) due to a problem with mapnik-vector-tile (#762643) unrelated to the protobuf transition. I've uploaded a fix for this to DELAYED, so once mapnik-vector-tile 0.5.1+dfsg-1.3 is in the archive, node-mapnik can be binNMU'd. (And I think that will complete the transition?) -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140924030427.ga17...@mycre.ws
Bug#760343: transition: protobuf 2.6.0
Robert Edmonds wrote: Emilio Pozuelo Monfort wrote: The delay ended but the signature seems invalid: 20140919160333|process-upload|dak|mapnik-vector-tile_0.5.1+dfsg-1.1_multi.changes|Error while loading changes: No valid signature found. (GPG exited with status code 512) Can you re-upload with a good signature (and without a delay of course). You may need to dcut the previous upload first. Funny :-) https://rt.debian.org/Ticket/Display.html?id=5305 My key was replaced in the mean-time. I'll reupload it with a new signature. Hmm, OK. I ran dcut on the previous upload and received: Log of processing your commands file /edmonds-1411144369.commands: cancel mapnik-vector-tile_0.5.1+dfsg-1.1_multi.changes No upload found: mapnik-vector-tile_0.5.1+dfsg-1.1_multi.changes Greetings, Your Debian queue daemon (running on host franck.debian.org) at Fri, 19 Sep 2014 16:34:20 +. Then I re-signed and re-uploaded the package: 2014-09-19 12:35:59,608 - dput[22310]: uploader.invoke_dput - Uploading mapnik-vector-tile using ftp to ftp-master (host: ftp.upload.debian.org; directory: /pub/UploadQueue/) 2014-09-19 12:35:59,609 - dput[22310]: hook.run_hook - running allowed-distribution: check whether a local profile permits uploads to the target distribution 2014-09-19 12:35:59,611 - dput[22310]: hook.run_hook - running protected-distribution: warn before uploading to distributions where a special policy applies 2014-09-19 12:35:59,613 - dput[22310]: hook.run_hook - running checksum: verify checksums before uploading 2014-09-19 12:35:59,618 - dput[22310]: hook.run_hook - running suite-mismatch: check the target distribution for common errors 2014-09-19 12:35:59,620 - dput[22310]: hook.run_hook - running check-debs: makes sure the upload contains a binary package 2014-09-19 12:35:59,621 - dput[22310]: hook.run_hook - running gpg: check GnuPG signatures before the upload 2014-09-19 12:36:00,139 - dput[22310]: uploader.invoke_dput - Uploading mapnik-vector-tile_0.5.1+dfsg-1.1_all.deb 2014-09-19 12:36:00,540 - dput[22310]: uploader.invoke_dput - Uploading mapnik-vector-tile_0.5.1+dfsg-1.1.dsc 2014-09-19 12:36:00,867 - dput[22310]: uploader.invoke_dput - Uploading mapnik-vector-tile_0.5.1+dfsg-1.1.debian.tar.xz 2014-09-19 12:36:01,189 - dput[22310]: uploader.invoke_dput - Uploading mapnik-vector-tile_0.5.1+dfsg-1.1_multi.changes [Time stamp is -0400 from UTC.] Then I see the following message: http://lists.alioth.debian.org/pipermail/pkg-grass-devel/2014-September/022190.html /mapnik-vector-tile_0.5.1+dfsg-1.1_multi.changes is already present on target host: mapnik-vector-tile_0.5.1+dfsg-1.1.debian.tar.xz Either you already uploaded it, or someone else came first. Job mapnik-vector-tile_0.5.1+dfsg-1.1_multi.changes removed. Greetings, Your Debian queue daemon (running on host franck.debian.org) I'm not sure what's going on. Should I just re-build the package with no changes and upload a -1.2? -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140920190258.ga28...@mycre.ws
Bug#760343: transition: protobuf 2.6.0
Jonathan Wiltshire wrote: On 2014-09-20 20:02, Robert Edmonds wrote: Robert Edmonds wrote: Emilio Pozuelo Monfort wrote: The delay ended but the signature seems invalid: 20140919160333|process-upload|dak|mapnik-vector-tile_0.5.1+dfsg-1.1_multi.changes|Error while loading changes: No valid signature found. (GPG exited with status code 512) Can you re-upload with a good signature (and without a delay of course). You may need to dcut the previous upload first. Funny :-) https://rt.debian.org/Ticket/Display.html?id=5305 My key was replaced in the mean-time. I'll reupload it with a new signature. Hmm, OK. I ran dcut on the previous upload and received: Log of processing your commands file /edmonds-1411144369.commands: cancel mapnik-vector-tile_0.5.1+dfsg-1.1_multi.changes No upload found: mapnik-vector-tile_0.5.1+dfsg-1.1_multi.changes cancel is for deferred uploads. You probably want: dcut rm -i changesfile (You need your original .changes file for this; if you don't have it any more, I think you're stuck with listing the individual files.) Do you mean dcut rm -f changesfile? The dcut I'm using (from dput-ng) doesn't have a dcut rm -i. I restored my original .changes file from backup. But I get: Log of processing your commands file /edmonds-1411241724.commands: rm --searchdirs mapnik-vector-tile_0.5.1+dfsg-1.1_all.deb mapnik-vector-tile_0.5.1+dfsg-1.1_all.deb did not match anything No files to delete rm --searchdirs mapnik-vector-tile_0.5.1+dfsg-1.1.dsc mapnik-vector-tile_0.5.1+dfsg-1.1.dsc did not match anything No files to delete rm --searchdirs mapnik-vector-tile_0.5.1+dfsg-1.1.debian.tar.xz mapnik-vector-tile_0.5.1+dfsg-1.1.debian.tar.xz did not match anything No files to delete rm --searchdirs mapnik-vector-tile_0.5.1+dfsg-1.1_multi.changes mapnik-vector-tile_0.5.1+dfsg-1.1_multi.changes did not match anything No files to delete Greetings, Your Debian queue daemon (running on host franck.debian.org) I'm still confused as to why the second upload of mapnik-vector-tile 0.5.1+dfsg-1.1 failed... -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140920194052.ga30...@mycre.ws
Bug#760343: transition: protobuf 2.6.0
Emilio Pozuelo Monfort wrote: The delay ended but the signature seems invalid: 20140919160333|process-upload|dak|mapnik-vector-tile_0.5.1+dfsg-1.1_multi.changes|Error while loading changes: No valid signature found. (GPG exited with status code 512) Can you re-upload with a good signature (and without a delay of course). You may need to dcut the previous upload first. Funny :-) https://rt.debian.org/Ticket/Display.html?id=5305 My key was replaced in the mean-time. I'll reupload it with a new signature. -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140919162914.ga21...@mycre.ws
Bug#760343: transition: protobuf 2.6.0
Emilio Pozuelo Monfort wrote: On 03/09/14 05:27, Robert Edmonds wrote: node-mapnik --- This package Build-Depends against mapnik-vector-tile, which ships a .pb.h file in /usr/include (a bad upstream practice). mapnik-vector-tile needs to be binNMU'd first before node-mapnik can be binNMU'd. mapnik-vector-tile is arch:all, so I can't binNMU it. OK, I will open a bug and upload an NMU to DELAYED. I see on the NmuDep wiki page: Unless you have an excellent reason not to do so, you must then give some time to the maintainer to react (for example, by uploading to the DELAYED queue). Here are some delays that you could use as default values: * Upload fixing only release-critical bugs older than 7 days: 2 days * Upload fixing only release-critical and important bugs: 5 days * Other NMUs: 10 days Those delays are only examples. In some cases (uploads fixing security issues, trivial bugfixes blocking a transition, ...), it is desirable that the fixed package reaches unstable sooner. I would guess that blocking a transition would count as at least important severity, and an NMU with no actual changes would count as a trivial bugfix blocking a transition. Would DELAYED/3 be appropriate? -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140913184644.ga4...@mycre.ws
Bug#760343: transition: protobuf 2.6.0
I see a build failure on mips in the 'shogun' package: https://buildd.debian.org/status/fetch.php?pkg=shogunarch=mipsver=3.2.0-7.2%2Bb1stamp=1410641206 This is actually an architecture+compiler specific build failure. (Funnily enough, shogun uses clang++ on some architectures but c++ on others as the compiler.) The problem is that the 'generic' atomic implementation fallback is only used when the compiler is actually gcc/g++, rather than clang/clang++. The fix is relatively simple (basically we just need to also detect clang as well as gcc = 4.7), but it has to be done in the protobuf headers, which will mean another protobuf upload. -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140913222654.ga14...@mycre.ws
Bug#760343: transition: protobuf 2.6.0
Emilio Pozuelo Monfort wrote: I guess we could do those, better safe than sorry. However since they don't have any dependencies on libproto*, they will probably migrate instantly. I'm not sure that is the intended behaviour either. I have scheduled the first round of binNMUs (all but protobuf-c, node-mapnik, osmium and the 5 packages that don't have the dependencies). OK, great. Note that I'll be doing a sourceful upload of protobuf-c, so it probably won't need a binNMU. (Assuming arm64 builds protobuf before protobuf-c...) Thanks! -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140912184408.ga24...@mycre.ws
Bug#760343: transition: protobuf 2.6.0
Emilio Pozuelo Monfort wrote: My only concern here is that we hit problems like on the previous transitions, this close to the freeze. But ia64 and sparc are no longer release architectures and you tested both on amd64 and s390x, and the last time you did a good job in fixing the regressions, so I'm confident you'll do the same now if any problem arises (hopefully not). So go ahead and let me know when we're ready for the binNMUs. Emilio Thank you very much! I will upload protobuf 2.6.0-3 to unstable soon. It's true that we did see some annoying regressions in the last protobuf transition, but that was largely due to me trying to hack around upstream's lack of explicit support for some of our architectures (they had per-architecture assembly implementations with no generic fallback), which has been corrected in the latest release. I'm also happy to report that upstream has fixed all of our portability issues in the most recent release and I was able to retire all of the Debian-specific portability patches. So I'm hopeful this transition will be a bit smoother than the last one. By the way, I notice on the transition tracker web page: https://release.debian.org/transitions/html/auto-protobuf.html that the affected Ben expression is: .depends ~ /libprotobuf\-lite9|libprotobuf9|libprotoc9|libprotobuf\-lite8|libprotobuf8|libprotoc8/ I think this excludes packages whose source packages have a Build-Dependency on protobuf-compiler, but whose binary packages *don't* have a corresponding dependency on one of protobuf's library packages. Can you clarify whether those packages should be binNMU'd as well, or should the transition be limited strictly to the ABI transition of protobuf's library packages? Looking at the difference between the auto-protobuf transition tracking page and the list of packages I generated with my Ben expression: is_affected = .depends ~ /libprotobuf8|libprotobuf-lite8|libprotoc8/ | .depends ~ /libprotobuf9|libprotobuf-lite9|libprotoc9/ | .build-depends ~ /protobuf-compiler/; The additionally affected packages seem to be: chromium-browser closure-compiler mapnik-vector-tile meson python-shogun At least in the case of mapnik-vector-tile (which ships the output of running the protobuf compiler), which I examined more closely than the others, I am inclined to think that any package that runs the protobuf compiler during its build should be binNMU'd, otherwise FTBFS issues could go unnoticed until a new upload or a QA rebuild. But maybe this is too aggressive. Any advice? -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140910210935.ga25...@mycre.ws
Bug#760343: transition: protobuf 2.6.0
packages), plus a new sourceful upload of protobuf-c, would be sufficient to accomplish the transition. (Besides the two packages that already FTBFS for unrelated reasons.) Thanks for considering my request! -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140903032733.ga8...@mycre.ws
Bug#755212: closed by Emilio Pozuelo Monfort po...@debian.org (Re: Bug#755212: transition: protobuf-c)
Emilio Pozuelo Monfort wrote: On 13/08/14 01:15, Robert Edmonds wrote: Emilio Pozuelo Monfort wrote: On 12/08/14 03:11, Robert Edmonds wrote: Hi, I think the transition is not quite over; there is still #756422, which blocks #755212. We need a sourceful upload of collectd in order to rebuild (or possibly remove) the .pb-c.[ch] files in the collectd-dev package, which is an Architecture: all package. I would be happy to NMU collectd, BTW... Great, then do it :) https://www.debian.org/doc/manuals/developers-reference/pkgs.html#nmu has the guidelines: if you only fix the RC bug, you could upload directly without going through the delayed queue. That's a little aggressive IMO. I've uploaded a fixed version of collectd to DELAYED/7, with just the libprotobuf-c0-dev - libprotobuf-c-dev fix. That's fixed now. Shall we close this? Emilio Yes, please, AFAICT the transition is over. -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140820152305.ga6...@mycre.ws
Bug#755212: closed by Emilio Pozuelo Monfort po...@debian.org (Re: Bug#755212: transition: protobuf-c)
Emilio Pozuelo Monfort wrote: On 12/08/14 03:11, Robert Edmonds wrote: Hi, I think the transition is not quite over; there is still #756422, which blocks #755212. We need a sourceful upload of collectd in order to rebuild (or possibly remove) the .pb-c.[ch] files in the collectd-dev package, which is an Architecture: all package. I would be happy to NMU collectd, BTW... Great, then do it :) https://www.debian.org/doc/manuals/developers-reference/pkgs.html#nmu has the guidelines: if you only fix the RC bug, you could upload directly without going through the delayed queue. That's a little aggressive IMO. I've uploaded a fixed version of collectd to DELAYED/7, with just the libprotobuf-c0-dev - libprotobuf-c-dev fix. -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140812231532.ga24...@mycre.ws
Bug#755212: closed by Emilio Pozuelo Monfort po...@debian.org (Re: Bug#755212: transition: protobuf-c)
Hi, I think the transition is not quite over; there is still #756422, which blocks #755212. We need a sourceful upload of collectd in order to rebuild (or possibly remove) the .pb-c.[ch] files in the collectd-dev package, which is an Architecture: all package. I would be happy to NMU collectd, BTW... Debian Bug Tracking System wrote: This is an automatic notification regarding your Bug report which was filed against the release.debian.org package: #755212: transition: protobuf-c It has been closed by Emilio Pozuelo Monfort po...@debian.org. Their explanation is attached below along with your original report. If this explanation is unsatisfactory and you have not received a better one in a separate message then please contact Emilio Pozuelo Monfort po...@debian.org by replying to this email. -- 755212: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755212 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems Date: Fri, 08 Aug 2014 00:00:24 +0200 From: Emilio Pozuelo Monfort po...@debian.org To: 755212-d...@bugs.debian.org Subject: Re: Bug#755212: transition: protobuf-c Return-path: poch...@gmail.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.0 On 18/07/14 22:19, Robert Edmonds wrote: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition Hello, I am requesting an upload slot to upload protobuf-c 1.0.0-1 to unstable. I am hoping to accomplish a transition to protobuf-c 1.0.0 in time for the jessie release. (Disclaimer: I am also one of the protobuf-c upstream maintainers.) This requires an ABI bump as well as some other changes that affect reverse (build-) dependencies, described below. The transition is over, closing. Emilio -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140812011151.ga6...@mycre.ws
Bug#755212: transition: protobuf-c
Emilio Pozuelo Monfort wrote: I have binNMUed collectd and criu. Let me know if there's anything else that needs binNMUs. Hi, Emilio: I don't see binNMUs for collectd or criu. I see collectd at version 5.4.1-3. But a recent criu upload transitioned the package to libprotobuf-c1. So I think the only thing left for this transition is to get an updated collectd with re-generated .pb-c.h files into the archive. -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140729172950.ga10...@mycre.ws
Bug#755212: transition: protobuf-c
Robert Edmonds wrote: Emilio Pozuelo Monfort wrote: I have binNMUed collectd and criu. Let me know if there's anything else that needs binNMUs. Hi, Emilio: I don't see binNMUs for collectd or criu. I see collectd at version 5.4.1-3. But a recent criu upload transitioned the package to libprotobuf-c1. So I think the only thing left for this transition is to get an updated collectd with re-generated .pb-c.h files into the archive. Oh, nevermind, I see the binNMU for collectd now. However, I think the issue is that the affected package (collectd-dev) is Architecture: all, so it won't get rebuilt during a binNMU. -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140729173223.gb10...@mycre.ws
Bug#755212: transition: protobuf-c
Emilio Pozuelo Monfort wrote: On 18/07/14 22:19, Robert Edmonds wrote: * The header file (protobuf-c.h) which compiled .pb-c.h files must include. This is shipped in the libprotobuf-c0-dev package (protobuf-c 1.0.0), or the libprotobuf-c-dev package (protobuf-c = 1.0.0). (libprotobuf-c-dev Provides: libprotobuf-c0-dev, which smoothes the transition for packages with an unversioned build-dependency on libprotobuf-c0-dev.) I just realized that that's not going to work, because the old libprotobuf-c0-dev is still available, and so packages that build-depend on that will get libprotobuf-c0-dev. So they'll need sourceful uploads to build-depend on the new (unversioned) libprotobuf-c-dev. Hi, Emilio: Are you sure about that? protobuf-c-compiler has: Depends: ${shlibs:Depends}, ${misc:Depends}, libprotobuf-c-dev (= ${binary:Version}) Which will force libprotobuf-c-dev to be installed. And libprotobuf-c-dev has: Depends: libprotobuf-c1 (= ${binary:Version}), ${misc:Depends} Provides: libprotobuf-c0-dev Conflicts: libprotobuf-c0-dev Replaces: libprotobuf-c0-dev Breaks: protobuf-c-compiler ( 1.0.0~) Which will force libprotobuf-c0-dev to be uninstalled. I *think* what will happen is that if a package does: Build-Depends: protobuf-c-compiler or Build-Depends: protobuf-c-compiler, libprotobuf-c0-dev They will end up with protobuf-c-compiler (1.0.0-1) and libprotobuf-c-dev (1.0.0-1) installed, which is what is desired. I think all of the packages I listed in my original email had a build-dep on either protobuf-c-compiler only, or protobuf-c-compiler and libprotobuf-c0-dev. (I don't think there are any with just libprotobuf-c0-dev.) The only package with a versioned build-dep on libprotobuf-c0-dev is osm2pgsql, which needs other sourceful changes anyway. I think with the pending upload of osm2pgsql (#756112) there will be no more packages in the Debian archive with a versioned build-dep on libprotobuf-c0-dev, and it can be removed from the archive? -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140726141855.ga...@mycre.ws
Bug#755212: transition: protobuf-c
Gergely Nagy wrote: I gave this some more thought, and there's a problem: while generating riemann events and similar can be done with opaque types, if I do a query, then I want to access the results, and to do that with opaque types would mean I need a lot of getter functions (and an API + ABI bump). So I'll stick to how it is done today, for the foreseeable future. But I'll keep your suggestions in mind in case I end up writing another library that uses protobuf, I'll hide the protobuf stuff deeper then! :) Ah, OK, I did miss the fact that the protoc-c generated message structures get de-referenced. I am fairly sure that the layout of those structures has not changed in protobuf-c 1.0.0, but I will verify with abi-compliance-checker. The ProtobufCMessageDescriptor structures *have* changed, but I don't think you export those anywhere. -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140722154730.ga3...@mycre.ws
Bug#755212: transition: protobuf-c
Hi, Emilio: Emilio Pozuelo Monfort wrote: Hi Robert, On 18/07/14 22:19, Robert Edmonds wrote: I am requesting an upload slot to upload protobuf-c 1.0.0-1 to unstable. I am hoping to accomplish a transition to protobuf-c 1.0.0 in time for the jessie release. (Disclaimer: I am also one of the protobuf-c upstream maintainers.) This requires an ABI bump as well as some other changes that affect reverse (build-) dependencies, described below. Can you open bug reports for the rdeps that need patches and make them block this bug? Yes, certainly. Also file bugs for your recommendations (e.g. ship .proto files) and the code copy, though those are not blockers IIUC. Will do. Please go ahead with this if you are ready to NMU the rdeps after the transition starts (assuming the maintainers don't do it, of course). OK, IIUC, protobuf-c 1.0.0-1 may be uploaded to unstable? -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140721211317.ga9...@mycre.ws
Bug#755212: transition: protobuf-c
Hi, Marcin: Marcin Owsiany wrote: The problem with libgadu is that the embedded copy also seems to have libgadu-specific modifications applied. I've asked upstream to clarify whether these could be dropped. I was able to build libgadu successfully with libprotobuf-c-dev added to Build-Depends and it picked up the system provided copy of libprotobuf-c automatically. I don't have a Gadu-Gadu account so I was unable to test the libgadu binary built this way, unfortunately. It did pass the test suite, FWIW. I looked over the changes to libgadu's convenience copy of protobuf-c.c and I *believe* that all the changes are relatively minor (fixing up warnings due to libgadu compiling with more -W flags, replacing C++-style comments with C89-compatible comments, etc.), or, at least, they don't change any of the semantics of the protobuf-c library. There might be some changes from libgadu that we might want to rebase and apply to upstream libprotobuf-c, but it doesn't look like anything will break if libgadu is built against the system's protobuf-c. -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140721214102.gb9...@mycre.ws
Bug#755212: transition: protobuf-c
Hi, Gergely: Gergely Nagy wrote: Robert Edmonds edmo...@debian.org writes: riemann-c-client Rebuilt by hand successfully against protobuf-c 1.0.0~rc2-1 from experimental. Has an unversioned build dependency on libprotobuf-c0-dev. This needs to be updated to libprotobuf-c-dev eventually. I can switch that to libprotobuf-c-dev | libprotobuf-c0-dev in the next upload (I'd like to be able to compile the package on wheezy without changes, hence the alternative). Since I just released a new upstream version of the library, I'll be doing an upload at some point anyway, I'll try to make it so that binNMUs won't be required after. OK, Build-Depends: protobuf-c-compiler, libprotobuf-c-dev | libprotobuf-c0-dev will work fine to preserve the ability to build on wheezy. Eventually (post-jessie) I'd like to get rid of the libprotobuf-c0-dev package name entirely. Has a build dependency on protobuf-c-compiler and runs protoc-c during the build. No protoc-c generated symbols are exported by libriemann-client0. The libriemann-client-dev package exports the following header files generated by protoc-c: /usr/include/riemann/proto/riemann.pb-c.h However, I have not found any packages in the Debian archive which utilize this file. The various riemann-c-client headers in /usr/include/riemann include proto/riemann.pb-c.h, and there's syslog-ng-mod-riemann (from syslog-ng-incubator) that uses the library, thus, the generated header too, transitively. Ah, right. From a brief look at the source code for that module it looks like it doesn't require a (bin-)NMU at all, if I'm understanding the libriemann-client API correctly. I would recommend that the upstream developers ship a .proto file instead. I'd rather not ship a .proto file, if at all possible. I'll see if I can hide it completely. This would eliminate the problem, too. It looks like you typedef the structures generated by protoc-c and wrap them in your own API, e.g. from riemann/query.h: #include riemann/proto/riemann.pb-c.h typedef Query riemann_query_t; riemann_query_t *riemann_query_new (const char *string); void riemann_query_free (riemann_query_t *query); int riemann_query_set_string (riemann_query_t *query, const char *string); (Query is from typedef struct _Query Query in riemann.pb-c.h.) If your API callers always use the *_new(), *_free(), etc. functions and never try to dereference or calculate sizeof() on the wrapped struct's it might be possible to remove the #include of the .pb-c.h file and change your typedef to, e.g.: typedef struct _Query riemann_query_t; And then have riemann_query_t be an opaque type. Though this depends on protoc-c continuing to generate structure tags with leading underscores, which may not always be the case. (I've wanted to get rid of the leading underscores for a while now.) (Similiarly for the other riemann_*_t types that wrap protoc-c generated structures.) It might also be possible to wrap the structure types generated by protoc-c in your own opaque structure type and expose that wrapper type via your API. Something like: typedef struct riemann_query riemann_query_t; riemann_query_t *riemann_query_new (const char *string); void riemann_query_free (riemann_query_t *query); int riemann_query_set_string (riemann_query_t *query, const char *string); (In riemann/query.h.) #include proto/riemann.pb-c.h struct riemann_query { Query query; }; /* rest of the implementation... */ (In lib/riemann/query.c.) That's a bit uglier since you have to update accesses to go via the wrapper but would provide the maximum amount of insulation between the libriemann-client API and the underlying structures generated by the protoc-c code generator. -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140721224929.gc9...@mycre.ws
Bug#755212: transition: protobuf-c
navit Embedded copy of libprotobuf-c osm2pgsql Sourceful changes required riemann-c-clientBinNMU possible Here are the details for each package: collectd Rebuilt by hand successfully against protobuf-c 1.0.0~rc2-1 from experimental. Has an unversioned build dependency on libprotobuf-c0-dev. This needs to be updated to libprotobuf-c-dev eventually, but is binNMU safe. Has a build dependency on protobuf-c-compiler and runs protoc-c during the build. No protoc-c generated symbols are exported by libcollectdclient1. The collectd-dev package exports the following header files generated by protoc-c: /usr/include/collectd/core/pinba.pb-c.h /usr/include/collectd/core/riemann.pb-c.h However, I have not found any packages in the Debian archive which utilize these files. I would recommend that the upstream developers ship .proto files instead. criu Rebuilt by hand successfully against protobuf-c 1.0.0~rc2-1 from experimental. Has an unversioned build dependency on libprotobuf-c0-dev. This needs to be updated to libprotobuf-c-dev eventually, but is binNMU safe. Has a build dependency on protobuf-c-compiler and runs protoc-c during the build. The 'criu' binary package ships a shared library which exports symbols generated by protoc-c. However, there are no header files with prototypes for these symbols, and no packages in the Debian archive appear to make use of these symbols or even link against this library. libgadu --- Has a build dependency on protobuf-c-compiler and uses the system's protoc-c during the build, but it uses an embedded copy of libprotobuf-c from protobuf-c 1.0.0. This will cause breakage if libgadu is rebuilt against protobuf-c-compiler = 1.0.0. Adding libprotobuf-c-dev to the build-deps will disable the embedded libprotobuf-c copy. No protoc-c generated symbols are exported by libgadu3. I have attached a patch (libgadu.patch) showing the needed changes. navit - This package has no (build-) dependencies on any of the packages provided by protobuf-c. It has an embedded copy of libprotobuf-c which is used unconditionally and it appears the upstream developer updates the generated .pb-c.c and .pb-c.h files by hand. This package is not affected by a protobuf-c transition but the embedded code copy is a concern. osm2pgsql - Has a too-strict upstream build system check that will cause a FTBFS if the current version is binNMU'd. See the following bug in the upstream issue tracker: https://github.com/openstreetmap/osm2pgsql/issues/129 The build system fix is the first hunk in this commit: https://github.com/openstreetmap/osm2pgsql/commit/8c7c6dbb319e97715b174edd081303174c96b03b.patch There are additional changes needed due to API changes in protobuf-c = 1.0.0 which have not yet been fixed upstream. Has a build-dep on protobuf-c-compiler and runs protoc-c during the build. Has a versioned build-dep on libprotobuf-c0-dev. This needs to be updated to an unversioned build-dep on libprotobuf-c-dev. I have attached a patch (osm2pgsql.patch) showing the needed changes. riemann-c-client Rebuilt by hand successfully against protobuf-c 1.0.0~rc2-1 from experimental. Has an unversioned build dependency on libprotobuf-c0-dev. This needs to be updated to libprotobuf-c-dev eventually. Has a build dependency on protobuf-c-compiler and runs protoc-c during the build. No protoc-c generated symbols are exported by libriemann-client0. The libriemann-client-dev package exports the following header files generated by protoc-c: /usr/include/riemann/proto/riemann.pb-c.h However, I have not found any packages in the Debian archive which utilize this file. I would recommend that the upstream developers ship a .proto file instead. Thanks! -- Robert Edmonds edmo...@debian.org diff -Npru libgadu-1.12.0.orig/debian/control libgadu-1.12.0/debian/control --- libgadu-1.12.0.orig/debian/control 2014-06-15 11:39:00.0 + +++ libgadu-1.12.0/debian/control 2014-07-16 20:04:18.568507791 + @@ -8,7 +8,7 @@ Build-Depends: # build tools autoconf, automake, libtool, pkg-config, protobuf-c-compiler, # runtime dependencies - libgnutls28-dev, zlib1g-dev, ca-certificates, + libgnutls28-dev, zlib1g-dev, ca-certificates, libprotobuf-c-dev, # build-time tests libxml2-dev, # documentation building diff -Npru libgadu-1.12.0.orig/protobufgen.sh libgadu-1.12.0/protobufgen.sh --- libgadu-1.12.0.orig/protobufgen.sh 2014-06-13 18:41:37.0 + +++ libgadu-1.12.0/protobufgen.sh 2014-07-16 20:06:14.570039033 + @@ -6,12 +6,5 @@ if [ $? != 0 ] ; then exit -1 fi -sed -i 's/google\/protobuf-c\/protobuf-c.h
Bug#750222: wheezy-pu: package unbound (NMU)
Helmut Grohne wrote: On Mon, Jun 02, 2014 at 04:21:03PM -0400, Robert Edmonds wrote: I've built test binaries from tag debian/1.4.17-3+deb7u1 and they are available here: http://people.debian.org/~edmonds/build/unbound/1.4.17-3+deb7u1/ If this looks good to the release team, I will be happy to upload to -pu, no NMU required. Can you explain why the actual package uploaded to wheezy-pu reverts * Update IPv4 address hint for D.ROOT-SERVERS.NET? The debdiff showing the reversion can be found at https://release.debian.org/proposed-updates/stable_diffs/unbound_1.4.17-3+deb7u1.debdiff Helmut This change was not reverted. The debdiff shows that the same hunk is still present. [...line 59...] unbound-1.4.17.orig/iterator/iter_hints.c -+++ unbound-1.4.17/iterator/iter_hints.c -@@ -129,7 +129,7 @@ compile_time_root_prime(int do_ip4, int - if(!ah(dp, A.ROOT-SERVERS.NET., 198.41.0.4))return 0; - if(!ah(dp, B.ROOT-SERVERS.NET., 192.228.79.201)) return 0; - if(!ah(dp, C.ROOT-SERVERS.NET., 192.33.4.12)) return 0; -- if(!ah(dp, D.ROOT-SERVERS.NET., 128.8.10.90)) return 0; -+ if(!ah(dp, D.ROOT-SERVERS.NET., 199.7.91.13)) return 0; - if(!ah(dp, E.ROOT-SERVERS.NET., 192.203.230.10)) return 0; - if(!ah(dp, F.ROOT-SERVERS.NET., 192.5.5.241)) return 0; - if(!ah(dp, G.ROOT-SERVERS.NET., 192.112.36.4)) return 0; [...line 100...] +--- unbound-1.4.17.orig/iterator/iter_hints.c unbound-1.4.17/iterator/iter_hints.c +@@ -129,7 +129,7 @@ compile_time_root_prime(int do_ip4, int + if(!ah(dp, A.ROOT-SERVERS.NET., 198.41.0.4))return 0; + if(!ah(dp, B.ROOT-SERVERS.NET., 192.228.79.201)) return 0; + if(!ah(dp, C.ROOT-SERVERS.NET., 192.33.4.12)) return 0; +- if(!ah(dp, D.ROOT-SERVERS.NET., 128.8.10.90)) return 0; ++ if(!ah(dp, D.ROOT-SERVERS.NET., 199.7.91.13)) return 0; + if(!ah(dp, E.ROOT-SERVERS.NET., 192.203.230.10)) return 0; + if(!ah(dp, F.ROOT-SERVERS.NET., 192.5.5.241)) return 0; + if(!ah(dp, G.ROOT-SERVERS.NET., 192.112.36.4)) return 0; [...] This package is maintained in git, in the 3.0 (quilt) format with the single-debian-patch option. I guess the ordering of hunks in the debian-changes patch is not guaranteed in that case. -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140609160320.ga27...@mycre.ws
Bug#750222: wheezy-pu: package unbound (NMU)
Helmut Grohne wrote: Package: release.debian.org Severity: normal Tags: wheezy User: release.debian@packages.debian.org Usertags: pu X-Debbugs-CC: Robert S. Edmonds edmo...@debian.org Dear release team and unbound maintainer, I would like to NMU unbound to stable, because it crashes when validating DNSSEC on multiple threads simultaneously. The relevant Debian bug #691528 is fixed upstream, in unstable and I sent a backported patch to that bug (also attached for convenience). Is this patch suitable for wheezy? Helmut Hi, This patch looks suitable for wheezy to me. I've applied it on the wheezy branch in the unbound packaging repository: http://anonscm.debian.org/gitweb/?p=users/edmonds/unbound.git;a=commitdiff;h=0442ec3f7afd3b93a19cb9ad62ff2899f8e31d82;hp=04fea5381cb9a9c257fc2cbacf091f3788439cda I've built test binaries from tag debian/1.4.17-3+deb7u1 and they are available here: http://people.debian.org/~edmonds/build/unbound/1.4.17-3+deb7u1/ If this looks good to the release team, I will be happy to upload to -pu, no NMU required. -- Robert Edmonds edmo...@debian.org signature.asc Description: Digital signature
Bug#726165: mumble +b1 with protobuf 2.5.0-8 works
Chris Knadle wrote: On Monday, February 03, 2014 22:25:23 Robert Edmonds wrote: I've uploaded protobuf 2.5.0-8 to experimental, which has the exact same ABI/API as protobuf 2.5.0-5. Can you tell me if the current version of mumble in the archive works with libprotobuf8 2.5.0-8, once it's available at your mirror? (I suspect that it will, but just want to make sure.) Yes, the existing 1.2.4-0.1+b1 in Unstable works with libprotobuf8 2.5.0-8. OK, I've uploaded -9 to unstable. libprotobuf8's .so is byte identical, at least on amd64. Can you check that mumble still works? (I would be surprised if it did not.) -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20140205164916.ga24...@mycre.ws
Bug#726165: mumble with protobuf 2.5.0-7 works
Chris Knadle wrote: On Friday, January 31, 2014 15:18:18 Robert Edmonds wrote: [...] Chris Knadle's input in #737246 makes me believe that the changes in 2.5.0-6 / -7 just aren't correct. I'm thinking we should probably go back to the approach in 2.5.0-5 (though with a fallback atomic implementation for architectures where the default gcc is 4.7). Unfortunately the feedback I gave you about protobuf 2.5.0-6 / -7 turns out to have been wrong; my local cowbuilder had something weird going on. That mumble works when built against protobuf 2.5.0-7 got reported to me in #737223 by Gonéri Le Bouder, with after some efforts was able to replicate with cowbuilder. Hi, Chris: After further investigation, reading upstream bug #351, and commits r409, r410, r413, r414, and r415 [1], I'm not convinced that the changes I made in protobuf 2.5.0-6 / -7 are complete, and in any case I'm now no longer convinced that it's feasible to forward port the once implementation from protobuf = 2.4.1 to later versions. [0] https://code.google.com/p/protobuf/issues/detail?id=351 [1] https://code.google.com/p/protobuf/source/detail?r=409, ?r=410, etc. I've uploaded protobuf 2.5.0-8 to experimental, which has the exact same ABI/API as protobuf 2.5.0-5. Can you tell me if the current version of mumble in the archive works with libprotobuf8 2.5.0-8, once it's available at your mirror? (I suspect that it will, but just want to make sure.) I am pretty sure 2.5.0-8 will not work on ia64 or sparc, where the default compiler is gcc-4.6, but it also seems that this problem is not so serious now. Should I file a release.debian.org bug to binNMU mumble? I think this is a problem in the protobuf transition, so #726165 is the right bug for this discussion :-) That is, with protobuf 2.5.0-8 there should be no additional binNMUs required. If that's the case, I'll upload -8 to unstable as -9, provided it is acceptable to break the architectures with the old gcc-4.6 compiler. -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20140204032523.ga9...@mycre.ws
Bug#726165: Acknowledgement (transition: protobuf)
Julien Cristau wrote: On Thu, Jan 30, 2014 at 12:00:35 -0500, Robert Edmonds wrote: Julien Cristau wrote: On Sun, Jan 26, 2014 at 12:19:49 +0100, Julien Cristau wrote: On Sat, Jan 25, 2014 at 16:57:30 -0500, Robert Edmonds wrote: I will upload protobuf 2.5.0-5 to unstable shortly. Is there anything I need to do to schedule binNMUs of the reverse deps or is that handled by the release team? Scheduled now. And they started failing. At least ia64 and sparc look like protobuf itself being broken. Cheers, Julien Hi, I'd like to request binNMUs against protobuf 2.5.0-7. Failed ia64 and sparc builds given back. OK, it looks like my changes in protobuf 2.5.0-6 / -7 did in fact break the ABI from 2.5.0-5, based on the reports in #737246 and #737145. Would it be possible to binNMU protobuf's reverse deps on the other architectures or would we need to do a SONAME bump? I am really sorry about this mess. -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20140131194355.ga22...@mycre.ws
Bug#726165: Acknowledgement (transition: protobuf)
Robert Edmonds wrote: Julien Cristau wrote: On Thu, Jan 30, 2014 at 12:00:35 -0500, Robert Edmonds wrote: Julien Cristau wrote: On Sun, Jan 26, 2014 at 12:19:49 +0100, Julien Cristau wrote: On Sat, Jan 25, 2014 at 16:57:30 -0500, Robert Edmonds wrote: I will upload protobuf 2.5.0-5 to unstable shortly. Is there anything I need to do to schedule binNMUs of the reverse deps or is that handled by the release team? Scheduled now. And they started failing. At least ia64 and sparc look like protobuf itself being broken. Cheers, Julien Hi, I'd like to request binNMUs against protobuf 2.5.0-7. Failed ia64 and sparc builds given back. OK, it looks like my changes in protobuf 2.5.0-6 / -7 did in fact break the ABI from 2.5.0-5, based on the reports in #737246 and #737145. Would it be possible to binNMU protobuf's reverse deps on the other architectures or would we need to do a SONAME bump? I am really sorry about this mess. Actually, I'm still investigating this, please ignore my request for more binNMUs above. Chris Knadle's input in #737246 makes me believe that the changes in 2.5.0-6 / -7 just aren't correct. I'm thinking we should probably go back to the approach in 2.5.0-5 (though with a fallback atomic implementation for architectures where the default gcc is 4.7). -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20140131201818.ga23...@mycre.ws
Bug#726165: Acknowledgement (transition: protobuf)
Julien Cristau wrote: On Sun, Jan 26, 2014 at 12:19:49 +0100, Julien Cristau wrote: On Sat, Jan 25, 2014 at 16:57:30 -0500, Robert Edmonds wrote: I will upload protobuf 2.5.0-5 to unstable shortly. Is there anything I need to do to schedule binNMUs of the reverse deps or is that handled by the release team? Scheduled now. And they started failing. At least ia64 and sparc look like protobuf itself being broken. Cheers, Julien Hi, I'd like to request binNMUs against protobuf 2.5.0-7. -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20140130170035.ga16...@mycre.ws
Bug#726165: Acknowledgement (transition: protobuf)
Julien Cristau wrote: On Sun, Jan 26, 2014 at 12:19:49 +0100, Julien Cristau wrote: On Sat, Jan 25, 2014 at 16:57:30 -0500, Robert Edmonds wrote: I will upload protobuf 2.5.0-5 to unstable shortly. Is there anything I need to do to schedule binNMUs of the reverse deps or is that handled by the release team? Scheduled now. And they started failing. At least ia64 and sparc look like protobuf itself being broken. Ugh, sorry! I see the problem now: the architecture-dependent primitives upstream added in the new version is exported into the protobuf library's public header files *and pulled in by code generated by the protobuf compiler*, which means it has to work with the C++ compiler used to build the packages depending on protobuf, not just protobuf itself. I've prepared a new protobuf source package which reverts upstream's weird architecture-dependent reimplementation of pthread_once() to the portable version that was used in protobuf 2.4.1. The changes since 2.5.0-5 can be seen on the master branch of: git+ssh://git.debian.org/git/collab-maint/protobuf.git This successfully builds for me on amd64, i386, powerpc, and sparc, and I've used the resulting packages to rebuild mosh, mumble, and protobuf-c by hand on amd64. I don't have any reason to think this will cause architecture-specific FTBFS's because all the architecture-specific stuff in libprotobuf-dev's public header files is now gone. Would you like me to upload this to unstable or do you think it should go via experimental first? -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20140126195817.ga29...@mycre.ws
Bug#726165: Acknowledgement (transition: protobuf)
Hi, I now have protobuf 2.5.0 building on all architectures in experimental. (Upstream did some... interesting... things to cause FTBFSes on all but a few supported architectures.) Please let me know when I may begin this transition by uploading to unstable. Thanks! -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20140125200253.ga16...@mycre.ws
Bug#726165: Acknowledgement (transition: protobuf)
Julien Cristau wrote: Control: tag -1 confirmed On Sat, Jan 25, 2014 at 15:02:53 -0500, Robert Edmonds wrote: Please let me know when I may begin this transition by uploading to unstable. If you're confident binNMUs of the reverse deps will be enough (ie there were no API changes) then go ahead. Cheers, Julien Thanks! My reading of the upstream changelog is that there shouldn't be any breaking API changes introduced. I've test-built a sample of the reverse deps (closure-compiler, cubemap, mosh, mumble, pink-pony, protobuf-c, zbackup) by hand and there were no build issues. I will upload protobuf 2.5.0-5 to unstable shortly. Is there anything I need to do to schedule binNMUs of the reverse deps or is that handled by the release team? -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20140125215730.ga21...@mycre.ws
Bug#726165: transition: protobuf
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition hi, protobuf 2.5.0 is on its way to experimental and ought to be uploaded to unstable as soon as the release team approves. the protobuf 2.5.0 has an ABI bump (7 - 8), and there also some changes to the protobuf schema language which i believe are backwards compatible. see the upstream changelog: http://protobuf.googlecode.com/svn/trunk/CHANGES.txt here are the affected packages. these packages have a build dependency on either protobuf-compiler or one of the protobuf -dev packages, or build binaries that depend on one of protobuf's library packages. chromium-browser clementine cubemap drizzle imposm imposm-parser mapnik-vector-tile mixxx monav mosh mozc mumble osmium osmpbf ostinato php-pinba pinba-engine-mysql pink-pony pokerth protobuf-c zbackup Ben file: title = protobuf; is_affected = .depends ~ /libprotobuf7|libprotobuf-lite7|libprotoc7/ | .depends ~ /libprotobuf8|libprotobuf-lite8|libprotoc8/ | .build-depends ~ /protobuf-compiler/; is_good = .depends ~ /libprotobuf8|libprotobuf-lite8|libprotoc8/; is_bad = .depends ~ /libprotobuf7|libprotobuf-lite7|libprotoc7/; -- Robert Edmonds edmo...@debian.org signature.asc Description: Digital signature
Bug#700807: tpu: package unbound/1.4.17-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: tpu i'd like to upload unbound 1.4.17-3 with an updated D.ROOT-SERVERS.NET hint to testing/testing-proposed-updates to fix #697351. unstable has a newer upstream release (1.4.19-1) so the update will need to go via tpu. debdiff is attached. -- Robert Edmonds edmo...@debian.org diff -Nru unbound-1.4.17/debian/changelog unbound-1.4.17/debian/changelog --- unbound-1.4.17/debian/changelog 2012-05-28 14:36:18.0 -0400 +++ unbound-1.4.17/debian/changelog 2013-02-17 12:35:34.0 -0500 @@ -1,3 +1,9 @@ +unbound (1.4.17-3) testing; urgency=low + + * Update IPv4 address hint for D.ROOT-SERVERS.NET. + + -- Robert S. Edmonds edmo...@debian.org Sun, 17 Feb 2013 12:34:39 -0500 + unbound (1.4.17-2) unstable; urgency=low * Build-depend on libldns-dev (= 1.6.13~) for ECDSA support. diff -Nru unbound-1.4.17/debian/patches/debian-changes unbound-1.4.17/debian/patches/debian-changes --- unbound-1.4.17/debian/patches/debian-changes2012-05-28 14:41:58.0 -0400 +++ unbound-1.4.17/debian/patches/debian-changes2013-02-17 12:54:32.0 -0500 @@ -5,9 +5,9 @@ information below has been extracted from the changelog. Adjust it or drop it. . - unbound (1.4.17-2) unstable; urgency=low + unbound (1.4.17-3) testing; urgency=low . - * Build-depend on libldns-dev (= 1.6.13~) for ECDSA support. + * Update IPv4 address hint for D.ROOT-SERVERS.NET. Author: Robert S. Edmonds edmo...@debian.org --- @@ -54,6 +54,17 @@ AC_C_INLINE ACX_CHECK_FORMAT_ATTRIBUTE +--- unbound-1.4.17.orig/iterator/iter_hints.c unbound-1.4.17/iterator/iter_hints.c +@@ -129,7 +129,7 @@ compile_time_root_prime(int do_ip4, int + if(!ah(dp, A.ROOT-SERVERS.NET., 198.41.0.4))return 0; + if(!ah(dp, B.ROOT-SERVERS.NET., 192.228.79.201)) return 0; + if(!ah(dp, C.ROOT-SERVERS.NET., 192.33.4.12)) return 0; +- if(!ah(dp, D.ROOT-SERVERS.NET., 128.8.10.90)) return 0; ++ if(!ah(dp, D.ROOT-SERVERS.NET., 199.7.91.13)) return 0; + if(!ah(dp, E.ROOT-SERVERS.NET., 192.203.230.10)) return 0; + if(!ah(dp, F.ROOT-SERVERS.NET., 192.5.5.241)) return 0; + if(!ah(dp, G.ROOT-SERVERS.NET., 192.112.36.4)) return 0; --- unbound-1.4.17.orig/daemon/unbound.c +++ unbound-1.4.17/daemon/unbound.c @@ -266,8 +266,6 @@ checkrlimits(struct config_file* cfg) signature.asc Description: Digital signature
Bug#700367: pu: package unbound/1.4.6-1+squeeze3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: pu hi, i'd like to upload unbound 1.4.6-1+squeeze3 to stable to fix #697351. since the release of squeeze D.ROOT-SERVERS.NET has had its IPv4 address changed, and an IPv6 address added. (i believe there is precedent for an updated package in stable to update DNS root server hints in [0].) the debdiff is attached. [0] http://packages.debian.org/changelogs/pool/main/b/bind9/current/changelog#version1:9.3.4-2etch2 -- Robert Edmonds edmo...@debian.org diff -u unbound-1.4.6/debian/changelog unbound-1.4.6/debian/changelog --- unbound-1.4.6/debian/changelog +++ unbound-1.4.6/debian/changelog @@ -1,3 +1,9 @@ +unbound (1.4.6-1+squeeze3) stable; urgency=low + + * Update IP address hints for D.ROOT-SERVERS.NET. + + -- Robert S. Edmonds edmo...@debian.org Mon, 11 Feb 2013 21:52:49 -0500 + unbound (1.4.6-1+squeeze2) squeeze-security; urgency=high * Apply patch from upstream to fix DNSSEC-related crashes diff -u unbound-1.4.6/debian/patches/series unbound-1.4.6/debian/patches/series --- unbound-1.4.6/debian/patches/series +++ unbound-1.4.6/debian/patches/series @@ -4,0 +5 @@ +40_D_root only in patch2: unchanged: --- unbound-1.4.6.orig/debian/patches/40_D_root +++ unbound-1.4.6/debian/patches/40_D_root @@ -0,0 +1,34 @@ +From 32f138fdd0ed569c324a6c4f1f7d6a796407f4bd Mon Sep 17 00:00:00 2001 +From: Robert S. Edmonds edmo...@debian.org +Date: Mon, 11 Feb 2013 21:49:08 -0500 +Subject: [PATCH] iterator/iter_hints.c: update hint addresses for + D.ROOT-SERVERS.NET + +--- + iterator/iter_hints.c |3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/iterator/iter_hints.c b/iterator/iter_hints.c +index d896d68..38c1fb9 100644 +--- a/iterator/iter_hints.c b/iterator/iter_hints.c +@@ -119,7 +119,7 @@ compile_time_root_prime(struct regional* r, int do_ip4, int do_ip6) + if(!ah(dp, r, A.ROOT-SERVERS.NET., 198.41.0.4)) return 0; + if(!ah(dp, r, B.ROOT-SERVERS.NET., 192.228.79.201)) return 0; + if(!ah(dp, r, C.ROOT-SERVERS.NET., 192.33.4.12))return 0; +- if(!ah(dp, r, D.ROOT-SERVERS.NET., 128.8.10.90))return 0; ++ if(!ah(dp, r, D.ROOT-SERVERS.NET., 199.7.91.13))return 0; + if(!ah(dp, r, E.ROOT-SERVERS.NET., 192.203.230.10)) return 0; + if(!ah(dp, r, F.ROOT-SERVERS.NET., 192.5.5.241))return 0; + if(!ah(dp, r, G.ROOT-SERVERS.NET., 192.112.36.4)) return 0; +@@ -132,6 +132,7 @@ compile_time_root_prime(struct regional* r, int do_ip4, int do_ip6) + } + if(do_ip6) { + if(!ah(dp, r, A.ROOT-SERVERS.NET., 2001:503:ba3e::2:30)) return 0; ++ if(!ah(dp, r, D.ROOT-SERVERS.NET., 2001:500:2d::d)) return 0; + if(!ah(dp, r, F.ROOT-SERVERS.NET., 2001:500:2f::f)) return 0; + if(!ah(dp, r, H.ROOT-SERVERS.NET., 2001:500:1::803f:235)) return 0; + if(!ah(dp, r, I.ROOT-SERVERS.NET., 2001:7fe::53)) return 0; +-- +1.7.10.4 + signature.asc Description: Digital signature
Re: Freeze exception for unbound 1.4.6-1
Julien Cristau wrote: On Wed, Aug 25, 2010 at 14:26:43 -0400, Robert Edmonds wrote: please allow unbound 1.4.6-1 to migrate to testing. this version fixes a FTBFS bug (#593039) and contains a number of upstream bug fixes. I assume the ldns copy isn't used, and you link against the system libldns instead? that has always been the case. -- Robert Edmonds edmo...@debian.org signature.asc Description: Digital signature
Freeze exception for unbound 1.4.6-1
please allow unbound 1.4.6-1 to migrate to testing. this version fixes a FTBFS bug (#593039) and contains a number of upstream bug fixes. some of the more important ones IMO are: Builtin root hints contain for I.ROOT-SERVERS.NET. Max referral count from 30 to 130, because 128 one character domains is valid DNS. Fix assertion failure reported by Kai Storbeck from XS4ALL, the assertion was wrong. Fix handling of corner case reply from lame server, follows rfc2308. It could lead to a nodata reply getting into the cache if the search for a non-lame server turned up other misconfigured servers. Fix RFC4035 compliance with 2.2 statement that the DNSKEY at apex must be signed with all algorithms from the DS rrset at the parent. This is now checked and becomes bogus if not. Fix validation of qtype DNSKEY when a key-cache entry exists but no rr-cache entry is used (it expired or prefetch), it then goes back up to the DS or trust-anchor to validate the DNSKEY. Fix integer underflow in prefetch ttl creation from cache. This fixes a potential negative prefetch ttl. Changed the defaults for num-queries-per-thread/outgoing-range. For builtin-select: 512/960, for libevent 1024/4096 and for windows 24/48 (because of win api). This makes the ratio this way to improve resilience under heavy load. For high performance, use libevent and possibly higher numbers. http://www.unbound.net/download.html -- Robert Edmonds edmo...@debian.org signature.asc Description: Digital signature
freeze exception for unbound 1.0.1-2 (#492243)
unbound in testing currently will fail to start after initial installation (#492243). i'd like to propose the just uploaded 1.0.1-2 for lenny: diff -u unbound-1.0.1/debian/changelog unbound-1.0.1/debian/changelog --- unbound-1.0.1/debian/changelog +++ unbound-1.0.1/debian/changelog @@ -1,3 +1,10 @@ +unbound (1.0.1-2) unstable; urgency=low + + * unbound tries too hard to chroot(); ship a default config that doesn't +fail to start on new installs; closes: #492243. + + -- Robert S. Edmonds [EMAIL PROTECTED] Sat, 02 Aug 2008 17:46:24 -0400 + unbound (1.0.1-1) unstable; urgency=low * New upstream release. diff -u unbound-1.0.1/debian/unbound.README.Debian unbound-1.0.1/debian/unbound.README.Debian --- unbound-1.0.1/debian/unbound.README.Debian +++ unbound-1.0.1/debian/unbound.README.Debian @@ -7,10 +7,7 @@ to enabled a chrooted unbound on Debian, please -1) tell the init script to populate the chroot at /var/lib/unbound by -setting CHROOT=yes in /etc/default/unbound. - -2) configure your logging daemon to read additional log messages from the +1) configure your logging daemon to read additional log messages from the unix socket /var/lib/unbound/dev/log. for sysklogd, add -a /var/lib/unbound/dev/log to the arguments passed to @@ -28,6 +25,6 @@ -3) remove the chroot: line from /etc/unbound/unbound.conf that ships in -the default Debian unbound config file. +2) comment out or remove the line chroot: and uncomment or add the line +chroot: /var/lib/unbound in the config file /etc/unbound/unbound.conf. -4) restart unbound. +3) restart unbound. - -- Robert S. Edmonds [EMAIL PROTECTED] Sun, 15 Jun 2008 17:25:04 -0400 + -- Robert S. Edmonds [EMAIL PROTECTED] Sat, 02 Aug 2008 17:51:18 -0400 diff -u unbound-1.0.1/debian/unbound.default unbound-1.0.1/debian/unbound.default --- unbound-1.0.1/debian/unbound.default +++ unbound-1.0.1/debian/unbound.default @@ -4,2 +4,4 @@ # automatic chroot setup in the init script +# set to 'no' to disable +# see /usr/share/doc/unbound/README.Debian #CHROOT=yes diff -u unbound-1.0.1/debian/unbound.init unbound-1.0.1/debian/unbound.init --- unbound-1.0.1/debian/unbound.init +++ unbound-1.0.1/debian/unbound.init @@ -13,7 +13,7 @@ test -f /etc/default/$NAME . /etc/default/$NAME install_chroot() { -if [ $CHROOT = yes ]; then +if [ $CHROOT != no ]; then uninstall_chroot [ -d $CHROOT_DIR/etc ] || mkdir -p $CHROOT_DIR/etc [ -d $CHROOT_DIR/dev ] || mkdir -p $CHROOT_DIR/dev @@ -33,7 +33,7 @@ test -d $CHROOT_DIR/etc/unbound rm -rf $CHROOT_DIR/etc/unbound } -already_running() { +daemon_stopped() { start-stop-daemon --start --pidfile $PIDFILE \ --startas $DAEMON --test /dev/null 21 } @@ -41,7 +41,7 @@ case $1 in start) log_daemon_msg Starting $DESC $NAME -if ! already_running; then +if daemon_stopped; then install_chroot fi if start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --name $NAME --startas $DAEMON -- $DAEMON_OPTS; then diff -u unbound-1.0.1/debian/patches/series unbound-1.0.1/debian/patches/series --- unbound-1.0.1/debian/patches/series +++ unbound-1.0.1/debian/patches/series @@ -1,0 +2,2 @@ +20_chroot_conf +40_disable_check_chroot_filelist only in patch2: unchanged: --- unbound-1.0.1.orig/debian/patches/20_chroot_conf +++ unbound-1.0.1/debian/patches/20_chroot_conf @@ -0,0 +1,12 @@ +Index: unbound-1.0.1/doc/example.conf.in +=== +--- unbound-1.0.1.orig/doc/example.conf.in 2008-08-02 17:44:40.022591946 -0400 unbound-1.0.1/doc/example.conf.in 2008-08-02 17:44:46.429326566 -0400 +@@ -163,6 +163,7 @@ + # + # If you give no chroot is performed. The path must not end in a /. + # chroot: @UNBOUND_CHROOT_DIR@ ++ chroot: + + # if given, user privileges are dropped (after binding port), + # and the given username is assumed. Default is user unbound. -- Robert Edmonds [EMAIL PROTECTED] signature.asc Description: Digital signature
keeping vmware-package out of lenny
hi, i'd like to keep vmware-package out of lenny for a number of reasons: * changes to dpkg-shlibdeps have broken the fairly hacky technique vmware-package tried to use to opportunistically add library deps to the binary packages make-vmpkg generates. * i do not have time to fix the above, test it, and have it tested by users before the freeze. * vmware has been quite slack in releasing an update that supports the latest linux kernels. * vmware will doubtlessly release new major/minor versions during the lifetime of lenny, and will probably cease security support for older versions. what do i need to do to keep vmware-package out of lenny? just file an RC bug on it or what? -- Robert Edmonds [EMAIL PROTECTED] signature.asc Description: Digital signature
Re: keeping vmware-package out of lenny
Adeodato Simó wrote: Yes, please file an RC bug and let us know the number. We'll remove it then. #491509 -- Robert Edmonds [EMAIL PROTECTED] signature.asc Description: Digital signature
[stable] openvpn in etch crashes on amd64
Hi, (I am not the maintainer.) openvpn in etch randomly crashes on amd64 due to #390697, a side effect of #394695. It is possible that disabling the comp-lzo option in openvpn would eliminate the crashes, but this would also disable compression of the transported VPN traffic. The fix for the version in etch is very simple: -Build-Depends: debhelper (= 4.1.16), libssl-dev ( 0.9.6), liblzo-dev, libpam0g-dev +Build-Depends: debhelper (= 4.1.16), libssl-dev ( 0.9.6), liblzo2-dev, libpam0g-dev I've tested this on a busy VPN and I have not seen any crashes on client or server. Would it be possible to see this fix in a stable update? -- Robert Edmonds [EMAIL PROTECTED] signature.asc Description: Digital signature
Re: [stable] openvpn in etch crashes on amd64
tags 390697 + patch thanks Pierre Habouzit wrote: On Wed, Sep 19, 2007 at 06:07:55PM +, Robert Edmonds wrote: Hi, (I am not the maintainer.) openvpn in etch randomly crashes on amd64 due to #390697, a side effect of #394695. It is possible that disabling the comp-lzo option in openvpn would eliminate the crashes, but this would also disable compression of the transported VPN traffic. The fix for the version in etch is very simple: -Build-Depends: debhelper (= 4.1.16), libssl-dev ( 0.9.6), liblzo-dev, libpam0g-dev +Build-Depends: debhelper (= 4.1.16), libssl-dev ( 0.9.6), liblzo2-dev, libpam0g-dev I've tested this on a busy VPN and I have not seen any crashes on client or server. Would it be possible to see this fix in a stable update? you should open an RC bug on the adequate version, with that fix, tag it patch, contact the maintainer see if he can do a stable update, or else propose to do it as an NMU into tpu. ok, done. do you mean s-p-u, not t-p-u? but this is definitely RC, as it renders the package useless on an architecture. -- Robert Edmonds [EMAIL PROTECTED] signature.asc Description: Digital signature
[SRM] youtube-dl
Hi, youtube-dl is completely broken in etch (#439363). The version in testing/unstable is fixed, and has no issues running on etch. Could youtuble-dl be considered for a stable point release? Here's a diff between the youtube-dl version in etch and the one in testing/unstable: http://people.debian.org/~edmonds/youtube-dl_etch_lenny.diff -- Robert Edmonds [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: TS for Release Assistents
Steve Langasek wrote: On Mon, Sep 10, 2007 at 04:45:13AM +, Robert Edmonds wrote: 368226 Quagga does intentionally not upgrade automatically Maintainer forgot to close the bug. Perhaps you should use a versioned close on this bug, so that the status of the fix can be tracked in etch and lenny? Done. etch and lenny have the fix, in fact. -- Robert Edmonds [EMAIL PROTECTED] signature.asc Description: Digital signature
Re: TS for Release Assistents
On 2007-08-30, Luk Claes [EMAIL PROTECTED] wrote: Once you've done as much as you're able for the two weeks, make sure the bug report includes all the up to date information, then reply to this mail (to debian-release@lists.debian.org) with a brief summary of what's happened and what the next step (if any) is. If you think the package requires removal from testing (or the bug can be fixed by other means from the release team), feel free to forward the proposed fix as soon as possible to the release team. If the above is just too easy, for extra credit you can take on some of the other older bugs from the RC bug list. If you do, include those in your mail next week. If you're not able to fix a bug, ask for help or do as much as you can, then leave it; don't get in over your head, or, worse, upload an NMU that's broken or doesn't completely fix the problem. Here's my report: 423823 retchmail: FTBFS Merged RC bugs 387989, 423823, 423966, 423967. Fixed by uploading wvstreams 4.2.2-2.3. 368226 Quagga does intentionally not upgrade automatically Maintainer forgot to close the bug. 405186 docbook2x: FTBFS According to Daniel Leidert, not reproducible in docbook2x = 0.8.7. Fixed in libxml-sax-perl 0.16-0.1 (verified that docbook2x 0.8.3 built with this version) along with RC bug #419757. For extra credit: Fixed the following bugs blocking the invoke-rc.d transition (#438885): 341413 dict-easton 367734 dict-hitchcock 367725 net-acct 341415 dict-gcide 348259 dict-elements 367729 rbootd (additionally, FTBFS bug #379635) 367733 dict-moby-thesaurus 367737 dict-bouvier 367740 dict-gazetteer2k-zips 367755 tama 440574 memlockd (along with RC bugs #418666, #431529) Fixed: 409473 424601 anon-proxy FTBFS Pending fixes: 441449 memlockd FTBFS anon-proxy is interesting. It looks like it's been abandoned by the maintainer and the upstream[0] has rewritten it in Java. Its open bugs lead me to believe it's not suitable for testing or a release. [0] http://anon.inf.tu-dresden.de/index_en.html -- Robert Edmonds [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: TS for Release Assistents
On 2007-08-30, Robert Edmonds [EMAIL PROTECTED] wrote: On 2007-08-30, Luk Claes [EMAIL PROTECTED] wrote: 423823 retchmail: FTBFS: error: there are no arguments to 'cur' that depend on a template parameter, so a declaration of 'cur' must be available C++ headers are Turing-complete -- the bug is actually in the wvstreams source. Merged with #387989 and #423967, and NMU'd wvstreams (#440245). retchmail will build once wvstreams 4.2.2-2.3 is in the archive. RC bugs #387989, #423823, #423966, #423967 are all fixed by this upload. (But they're all the same bug -- do I get credit for four? :) -- Robert Edmonds [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: TS for Release Assistents
On 2007-08-30, Luk Claes [EMAIL PROTECTED] wrote: 423823 retchmail: FTBFS: error: there are no arguments to 'cur' that depend on a template parameter, so a declaration of 'cur' must be available C++ headers are Turing-complete -- the bug is actually in the wvstreams source. Merged with #387989 and #423967, and NMU'd wvstreams (#440245). retchmail will build once wvstreams 4.2.2-2.3 is in the archive. -- Robert Edmonds [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: TS for Release Assistents
On 2007-08-30, Luk Claes [EMAIL PROTECTED] wrote: 368226 Quagga does intentionally not upgrade automatically It looks like the maintainer rewrote the prerm script to fix this but neglected to note this in the changelog or BTS. -- Robert Edmonds [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]