Bug#1037945: bookworm-pu: package aide/aide_0.18.3-1+deb12u1
On Sat, Jun 24, 2023 at 11:11:18AM +0100, Adam D. Barratt wrote:
> Please feel free to upload.

Done (for bookworm).

Greetings
Marc

-- 
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
Bug#1037945: bookworm-pu: package aide/aide_0.18.3-1+deb12u1
On Sat, 2023-06-24 at 11:53 +0200, Marc Haber wrote:
> On Sat, Jun 24, 2023 at 10:47:31AM +0100, Adam D. Barratt wrote:
> > Looking at the upstream issue linked from #1037436, it suggests that
> > the extended attributes fix is likely to create a large amount of
> > noise on the next aide run. If that's correct, is it worth adding a
> > NEWS.Debian entry to warn users that this is expected?
>
> I deliberately didn't do that to keep the debdiff small, but I can add
> a paragraph if you think that's a good idea. I'd do the same for the
> bullseye-pu upload and the next sid upload then.
>
> However, this bug only shows itself if both the symlink AND the
> target of the symlink do have extended attributes. I don't think
> that's a very common case.

Thanks for clarifying - the detail there wasn't clear to me, and the
upstream issue sounded like it would be much noisier.

Please feel free to upload.

Regards,

Adam
Bug#1037945: bookworm-pu: package aide/aide_0.18.3-1+deb12u1
On Sat, Jun 24, 2023 at 10:47:31AM +0100, Adam D. Barratt wrote:
> Looking at the upstream issue linked from #1037436, it suggests that
> the extended attributes fix is likely to create a large amount of noise
> on the next aide run. If that's correct, is it worth adding a
> NEWS.Debian entry to warn users that this is expected?

I deliberately didn't do that to keep the debdiff small, but I can add
a paragraph if you think that's a good idea. I'd do the same for the
bullseye-pu upload and the next sid upload then.

However, this bug only shows itself if both the symlink AND the
target of the symlink do have extended attributes. I don't think
that's a very common case.

Greetings
Marc
Bug#1037945: bookworm-pu: package aide/aide_0.18.3-1+deb12u1
On Sat, 2023-06-24 at 10:45 +0200, Marc Haber wrote:
> The BTS overview page has this as "awaiting upload", but there is no
> message making that clear. Is that the "confirmed" tag? Is there
> anything I am supposed to do before going forward with the upload?

That's what the "confirmed" tag means, yes. I realise that the message
setting it wasn't quite as clear about that as I'd usually like.

Looking at the upstream issue linked from #1037436, it suggests that
the extended attributes fix is likely to create a large amount of noise
on the next aide run. If that's correct, is it worth adding a
NEWS.Debian entry to warn users that this is expected?

Regards,

Adam
Bug#1037945: bookworm-pu: package aide/aide_0.18.3-1+deb12u1
On Wed, Jun 14, 2023 at 05:27:29PM +0200, Marc Haber wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: a...@packages.debian.org
> Control: affects -1 + src:aide

The BTS overview page has this as "awaiting upload", but there is no
message making that clear. Is that the "confirmed" tag? Is there
anything I am supposed to do before going forward with the upload?

Greetings
Marc
Bug#1037945: bookworm-pu: package aide/aide_0.18.3-1+deb12u1
On Wed, Jun 14, 2023 at 06:20:44PM +0100, Adam D. Barratt wrote:
> One small comment:
>
> +if dpkg --compare-versions "$2" le 0.18.3-1; then
> +# we're updating from 0.18-3 or earlier, chown aideinit logs
>
> That should presumably be "from 0.18.3".

In the mean time, 0.18.3-1 has reached testing.

Are you ok with me uploading 0.18.3-1+deb12u1 to
bookworm-proposed-updates?

I guess that I should also file a bug for 0.17.3-4+deb11u2 because the
bullseye point release is planned earlier than the bookworm point
release, right?

Greetings
Marc
Bug#1037945: bookworm-pu: package aide/aide_0.18.3-1+deb12u1
On Wed, Jun 14, 2023 at 06:20:44PM +0100, Adam D. Barratt wrote:
> On Wed, 2023-06-14 at 17:27 +0200, Marc Haber wrote:
> > this pre-upload request for the aide package is filed to ask for
> > guidance whether this package is suitable for bookworm-updates.
>
> Do you actually mean bookworm-updates here (i.e. pushed to users in
> advance of 12.1), or simply (bookworm-)proposed-updates, therefore
> reaching users with the release of 12.1?

I would be fine with either, proposed-updates of course being less
invasive. Probably a misunderstanding because of me being too stupid to
find the docs. I'll read up on what you linked to me.

> I'd be interested in seeing a binary debdiff (for an arbitrary
> architecture) with "--controlfiles=ALL" to see the changes made to the
> maintainer scripts, but overall I think this looks OK.

aide-dynamic:

1 [23/4887]mh@salida:~/packages/aide $ debdiff --controlfiles=ALL 20230614/aide-dynamic_0.18.3-1_all.deb build-area/aide-dynamic_0.18.3-1+deb12u1_all.deb File lists identical (after any substitutions) Control files: lines which differ (wdiff format) Recommends: aide-common (= [-0.18.3-1)-] {+0.18.3-1+deb12u1)+} Version: [-0.18.3-1-] {+0.18.3-1+deb12u1+} 1 [24/4888]mh@salida:~/packages/aide $

aide:

[19/4883]mh@salida:~/packages/aide $ debdiff --controlfiles=ALL 20230614/aide_0.18.3-1_amd64.deb build-area/aide_0.18.3-1+deb12u1_amd64.deb File lists identical (after any substitutions) Control files: lines which differ (wdiff format) Installed-Size: [-289-] {+293+} Recommends: aide-common (= [-0.18.3-1)-] {+0.18.3-1+deb12u1)+} Version: [-0.18.3-1-] {+0.18.3-1+deb12u1+} 1 [20/4884]mh@salida:~/packages/aide $

aide-common is attached.

> One small comment:
>
> +if dpkg --compare-versions "$2" le 0.18.3-1; then
> +# we're updating from 0.18-3 or earlier, chown aideinit logs
>
> That should presumably be "from 0.18.3".

Yes. fixed in git and master. Thanks for spotting this.

Greetings
Marc

-- - Marc Haber | "I don't trust Computers.
They | Mailadresse im Header Leimen, Germany| lose things."Winona Ryder | Fon: *49 6224 1600402 Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421 [The following lists of changes regard files as different if they have different names, permissions or owners.] Files in second .deb but not in first - -rw-r--r-- root/root /usr/lib/sysusers.d/aide-common.conf No differences were encountered between the config files Control files: lines which differ (wdiff format) Depends: aide (>= 0.17), liblockfile1, ucf (>= 2.0020), debconf (>= 0.5) | [-debconf-2.0-] {+debconf-2.0, systemd | systemd-standalone-sysusers | systemd-sysusers+} Installed-Size: [-449-] {+451+} Version: [-0.18.3-1-] {+0.18.3-1+deb12u1+} Postinst files: lines which differ (wdiff format) - [-if dpkg --compare-versions "$2" lt 0.17.5-1; then-] [-# we're updating from a version earlier than 0.17.5, chown logs-] [-# and databases-] [-chown --quiet _aide:adm /var/log/aide /var/log/aide/aide.log /var/log/aide/aide.log.* || true-] [-chmod --quiet 2755 /var/log/aide || true-] [-chown --quiet _aide:root /var/lib/aide/aide.db /var/lib/aide/aide.db.new || true-] [-fi-] [-if dpkg --compare-versions "$2" lt 0.18-3; then-] [-# we're updating from a version earlier than 0.18-3, chown aideinit logs-] [-chown --quiet _aide:adm /var/log/aide/aideinit.log /var/log/aide/aideinit.errors|| true-] [-fi-] # Automatically added by {+dh_installsysusers/13.11.4+} {+if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then+} {+ systemd-sysusers ${DPKG_ROOT:+--root="$DPKG_ROOT"} aide-common.conf+} {+fi+} {+# End automatically added section+} {+# Automatically added by+} dh_installtmpfiles/13.11.4 {+# this needs to be after debhelper, otherwise the account doesn't+} {+# yet exist.+} {+if dpkg --compare-versions "$2" lt 0.17.5-1; then+} {+# we're updating from a version earlier than 0.17.5, chown logs+} {+# and databases+} {+chown --quiet _aide:adm 
/var/log/aide /var/log/aide/aide.log /var/log/aide/aide.log.* || true+} {+chmod --quiet 2755 /var/log/aide || true+} {+chown --quiet _aide:root /var/lib/aide/aide.db /var/lib/aide/aide.db.new || true+} {+fi+} {+if dpkg --compare-versions "$2" le 0.18.3-1; then+} {+# we're updating from 0.18-3 or earlier, chown aideinit logs+} {+chown --quiet _aide:adm /var/log/aide/aideinit.log /var/log/aide/aideinit.errors|| true+} {+fi+} No differences were encountered between the postrm files No differences were encountered between the prerm files No differences were encountered between the
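Review bot: every ownership fix in the relocated postinst block is written as `chown --quiet ... || true`, so if the _aide account does not exist when these lines run (the failure that #1037171 is about), the upgrade completes with no message and the logs and databases keep their previous owner. Consider dropping `--quiet`, or printing a warning to stderr when chown fails, so that a missing account is visible in the upgrade output. In the last chown line, `aideinit.errors|| true` is also missing the space before `||`.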
Bug#1037945: bookworm-pu: package aide/aide_0.18.3-1+deb12u1
Control: tags -1 + confirmed

On Wed, 2023-06-14 at 17:27 +0200, Marc Haber wrote:
> this pre-upload request for the aide package is filed to ask for
> guidance whether this package is suitable for bookworm-updates.

Do you actually mean bookworm-updates here (i.e. pushed to users in
advance of 12.1), or simply (bookworm-)proposed-updates, therefore
reaching users with the release of 12.1?

> I have
> never done this before and am open for suggestions to improve and for
> documentation pointers. I haven't found the bookworm point release
> policy yet, for example.

There's been no substantial changes to the policy for a while. The
"workflow" section of
https://lists.debian.org/debian-devel-announce/2019/08/msg0.html (as
linked from https://release.debian.org/ ) is still basically
appropriate, and the basis of
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions

(The "must be severity:important" bit isn't strictly enforced, more a
guide as to the expected impact of the issue being resolved.)

Maybe we should re-post it.

I'd be interested in seeing a binary debdiff (for an arbitrary
architecture) with "--controlfiles=ALL" to see the changes made to the
maintainer scripts, but overall I think this looks OK.

One small comment:

+if dpkg --compare-versions "$2" le 0.18.3-1; then
+# we're updating from 0.18-3 or earlier, chown aideinit logs

That should presumably be "from 0.18.3".

Regards,

Adam
Processed: Re: Bug#1037945: bookworm-pu: package aide/aide_0.18.3-1+deb12u1
Processing control commands:

> tags -1 + confirmed
Bug #1037945 [release.debian.org] bookworm-pu: package aide/aide_0.18.3-1+deb12u1
Added tag(s) confirmed.

-- 
1037945: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037945
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1037945: bookworm-pu: package aide/aide_0.18.3-1+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@packages.debian.org
Control: affects -1 + src:aide

Dear stable release team,

this pre-upload request for the aide package is filed to ask for
guidance whether this package is suitable for bookworm-updates. I have
never done this before and am open for suggestions to improve and for
documentation pointers. I haven't found the bookworm point release
policy yet, for example.

A fixed package has been uploaded to unstable minutes ago, and I do not
plan to actually upload the deb12u1 version of the package until the
fixes have reached testing.

[ Reason ]
This update fixes #1037171, a serious bug that prevents new
installations and upgrades of aide due to a misunderstanding in the dh
code regarding dh_installsysusers. Embarrassing.

And it also fixes #1037436, a "just" important bug that will fix
correct processing of extended attributes on symlinks that are
monitored by aide. This is a fix suggested by upstream (who is also a
DD) and I will create a similar package for bullseye.

[ Impact ]
Regarding #1037171, Aide will not be useable until the _aide account is
manually created and some file permissions fixed. While package
installation will succeed, neither aideinit nor the daily aide cronjob
are invokeable and will error out.

Regarding #1037436, Aide will wrongly process extended attributes for
the file a symlink points to, which is not the intended behavior. The
fixed aide will process the extended attributes of a symlink.

[ Tests ]
Both bugs are sadly not covered by automated tests, but I am kind of
surprised that piuparts didn't catch #1037171.
Regarding #1037171, I tested:
- installation of aide in a bookworm VM with no aide installed before
- updating 0.18.3-1 to 0.18.3-2 in a bookworm VM
- updating 0.17.3-4+deb11u1 (oldstable) to 0.18.3-2 in a bookworm VM

Regarding #1037436, I created a symlink with extended attributes
pointing to a file with different extended attributes and verified that
actually the extended attributes of the symlink show up in the
database.

[ Risks ]
Risks are that I goofed up in the fixes.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
commit 456704ab523c6b7ca088a15ffde543fbac3fa391
Author: Marc Haber
Date:   Wed Jun 14 16:51:03 2023 +0200

    remove trailing whitespace in debian/rules

    Git-Dch: ignore

commit 2c221fd08e6c4d570c4a2c86c87d0a94201fbe9d
Author: Marc Haber
Date:   Wed Jun 14 15:28:15 2023 +0200

    chown aide logs even when updating from 0.18.3-1

    0.18.3-1 doesn't create the account, so we need to see for correct
    file ownership when updating to a version that actually creates the
    account.

commit 11547993349b3dffad11f2d6998875d58f6b0395
Author: Marc Haber
Date:   Wed Jun 14 04:15:51 2023 +0200

    Fix handling of extended attributes on symlinks

    Closes: #1037436

    This fixes wrong behavior regarding extended attributes on
    symlinks. Prior versions of aide would wrongly process the extended
    attributes of the file a symlink points to. This fix makes aide
    correctly process the extended attributes of the link itself, which
    is the intended behavior.

    The fix for extended attributes on symlinks might lead to reported
    changed entries during the next AIDE run. You can use the
    `report_ignore_changed_attrs` option (see aide.conf(5)) to ignore
    changes of the xattrs attribute; but be aware that this will not
    only exclude the expected changes (of the symlink files) but also
    the unexpected changes (of other files).
commit 0d0251e639334e0ef139c1f6f9d34b6032378d3d
Author: Marc Haber
Date:   Tue Jun 13 16:53:49 2023 +0200

    Move chown calls after #DEBHELPER#

    This is part of the fix for #1037171, the account is only created
    in the code inserted by debhelper at the #DEBHELPER# token. We thus
    cannot use the account after that tag.

commit 218fff3fc157b89e53ece470267cb238fac5daac
Author: Marc Haber
Date:   Sun Jun 11 22:54:19 2023 +0200

    call dh_installsysusers manually in debian/rules

    Thanks: Tomasz Ciolek
    Closes: #1037171

    dh_installsysusers is not called in the normal dh calling sequence
    in dh compat level 13. This resulted in the account not being
    created in new installs and probably also during upgrades from
    bullseye. This fixes the issue by calling dh_installsysusers
    explicitly in override_dh_auto_install.

[ Other info ]
source debdiff attached.

Please indicate whether this package might be a valid candidate to be
in the next bookworm point release once 0.18.3-2 has reached testing.

Greetings
Marc

diff -Nru aide-0.18.3/debian/aide-common.postinst aide-0.18.3/debian/aide-common.postinst --- aide-0.18.3/debian/aide-common.postinst