Bug#670367: pu: package coolkey/1.1.0-6

2012-04-24 Thread A. Maitland Bottoms
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Severity: normal

Coolkey 1.1.0-6 in Debian stable lacks support for the new Gemalto TOPDLGX4 144K
CAC cards.

People who have been using coolkey in Debian are likely to have these new
cards, as the old cards have an expiration date and will be replaced with the
new hardware.

Coolkey 1.1.0-12 in Debian wheezy/sid supports both the old and new card
hardware.

Not fixing this problem in Debian stable will mean that as new cards are issued,
formerly happy coolkey users will have their browsers crash, as the new hardware
exposes a grave bug in coolkey.

I have good results with my own squeeze backport - but since I am new to the
stable proposed updates process I would like advice from the release team on
what version number I should use to upload to stable. I'll post the package diff
to this bug soon...

-Maitland


-- System Information:
Debian Release: 6.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.9 

iEYEARECAAYFAk+XQOQACgkQkwbJvNrxBUyXrwCfcrC/Bkbb1K4tppDrJzxz2N6f
eIQAn1ul6vMn3nrYAqwlG3FWvlPOc+rw
=7xf/
-END PGP SIGNATURE-



-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20375.16624.681170.917...@airborne.nrl.navy.mil



Bug#670367: pu: package coolkey/1.1.0-6

2012-04-25 Thread Jonathan Wiltshire

On 2012-04-25 01:10, A. Maitland Bottoms wrote:
> I have good results with my own squeeze backport - but since I am new
> to the stable proposed updates process I would like advice from the
> release team on what version number I should use to upload to stable.
> I'll post the package diff to this bug soon...


Normal convention would be 1.1.0-6+squeeze1, if this is the first 
stable update for Squeeze. You should send a proposed debdiff and get an 
ACK before any uploads take place.


Thanks,


--
Jonathan Wiltshire, on behalf of but not for the release team
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51







Bug#670367: pu: package coolkey/1.1.0-6

2012-05-02 Thread A. Maitland Bottoms
> "Adam" == Adam D Barratt  writes:

Adam> Even accounting for the patch overhead, the diff is still somewhat
Adam> larger than most we'd usually handle via proposed-updates.  That's not
Adam> necessarily a blocker in and of itself, but we are rapidly approaching
Adam> the cut-off point for the next point release and I don't think I'm
Adam> likely to have time to do a proper review myself before that point.
Adam> Bearing that in mind I'm afraid it's possible that the changes might
Adam> need to be looked at for 6.0.6 rather than the upcoming 6.0.5.

Yes indeed, this is a large change that adds an entirely new capability
(support of cards with PIV (Personal Identity Verification) features).
So this isn't a typical single critical bug fix update.

Time is an issue no matter which update is considered, so let me add
a little more background and triage to help smooth the process.

I've added a squeeze branch in the pkg-coolkey subversion repository at
http://anonscm.debian.org/viewvc/pkg-coolkey/coolkey/tags/squeeze/debian/patches/

Patches 01* through 06* are already in squeeze.
Patches 07* through 09* have had some time in testing.
Patch 10* is large, and I suspect few people beyond its author Robert Relyea
really understand all the changes.
Patches 11* and 12* are new to Debian, but are a bit simpler and keep
things from crashing on our users in situations that have been observed
in practice.

Patches 01*-09* have been in Ubuntu since Natty Narwhal, and follow the
patch series used in RHEL and Fedora distributions. Of course patch 10*
went through whatever review processes were involved in updating RHEL:
http://rhn.redhat.com/errata/RHEA-2011-0111.html
All these patches have been around over a year and appear to have a good
record in other distributions. Of course the fact that users' cards are
expiring and being replaced by the new format cards means that the "stable"
Linux distributions are motivated to perform this update.

Robert Relyea has long been involved in the Network Security Services (NSS)
code. Coolkey interoperates well with several NSS-using applications. I have
been able to test with both the cards available when squeeze was released and
the newer PIV-style cards in iceweasel, icedove and evolution in Debian and
with the "DBsign Universal Web Signer" Java applet used by some web sites.

Thanks for consideration,
-Maitland






Bug#670367: pu: package coolkey/1.1.0-6

2012-05-03 Thread Adam D. Barratt
On Wed, 2012-05-02 at 21:08 -0400, A. Maitland Bottoms wrote:
> > "Adam" == Adam D Barratt  writes:
> 
> Adam> Even accounting for the patch overhead, the diff is still somewhat
> Adam> larger than most we'd usually handle via proposed-updates.  That's not
> Adam> necessarily a blocker in and of itself, but we are rapidly approaching
> Adam> the cut-off point for the next point release and I don't think I'm
> Adam> likely to have time to do a proper review myself before that point.
[...]
> Time is an issue no matter which update is considered, so let me add
> a little more background and triage to help smooth the process.

Indeed, but larger and/or more involved updates obviously require more
time.  They also tend to benefit from more time in proposed-updates
before the point release in order to allow for them to be tested.

> I've added a squeeze branch in the phg-coolkey subversion repository at
> http://anonscm.debian.org/viewvc/pkg-coolkey/coolkey/tags/squeeze/debian/patches/
[...]
> Patch 10* is large, and I suspect few people beyond its author Robert Relyea
> really understand all the changes.
> Patches 11* and 12* are new to Debian, but are a bit simpler and keep
> things from crashing on our users in situations that have been observed
> in practice.

You say "new to Debian", but afaict the content is already in the
unstable/testing package.

> Of course patch 10*
> went through whatever review processes were involved in updating RHEL:
> http://rhn.redhat.com/errata/RHEA-2011-0111.html

Apparently that review process didn't notice - or didn't care about -
the fact that the changes in the above patch cause an ABI break in
libckyapplet1.  The Debian packages should really have changed SONAME at
that point; looking at the packages in testing/sid, it appears that
didn't happen.  This would also be an issue for partial squeeze to
wheezy upgrades already - installing wheezy's libckyapplet1 on a system
with squeeze's coolkey will break if the affected functions are called.

Specifically:

459  CKYStatus
460 -CACAppletFactory_SignDecrypt(CKYAPDU *apdu, const void *param)
461 +CACAppletFactory_SignDecryptStep(CKYAPDU *apdu, const void *param)
[...]
467 +CKYStatus
468 +CACAppletFactory_SignDecryptFinal(CKYAPDU *apdu, const void *param)
[...]
955 CKYStatus
956 -CACAPDUFactory_SignDecrypt(CKYAPDU *apdu, const CKYBuffer *data)
957 +CACAPDUFactory_SignDecrypt(CKYAPDU *apdu, CKYByte type, const 
CKYBuffer *data)
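Review bot: the two changes visible here break the exported interface in different ways and need different handling. Renaming CACAppletFactory_SignDecrypt to CACAppletFactory_SignDecryptStep removes an exported symbol, so any binary still referencing the old name fails symbol resolution (at load time under BIND_NOW, otherwise at the first call), which is at least a clean failure. Changing the parameter list of CACAPDUFactory_SignDecrypt from `(CKYAPDU *apdu, const CKYBuffer *data)` to `(CKYAPDU *apdu, CKYByte type, const CKYBuffer *data)` keeps the symbol name, so an old caller links and runs but passes its CKYBuffer pointer where the new code reads a CKYByte type and then reads the data pointer from an argument slot the caller never filled; that is silent memory misuse, not a link error. Either bump the SONAME for this change, or keep the two old names with their old prototypes as thin wrappers and give the new three-argument variant a new name so old callers keep working unchanged.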

Both CACAPDUFactory_SignDecrypt and CACAppletFactory_SignDecrypt are
exported from the library.

Regards,

Adam




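A check like the one Adam did by hand can be automated before an upload. The following is an added example, not code from coolkey, from Debian's tooling or from this thread: it reads the kind of output `nm -D` prints for two builds of a shared library and reports removed and added exported symbols, and it cross-checks function prototypes taken from the headers, because a signature change such as the one to CACAPDUFactory_SignDecrypt keeps the symbol name and is invisible to a name-only comparison. The nm listings, addresses, header excerpts and the CKYBuffer_InitEmpty placeholder below are constructed for the example from the names in the hunk quoted above; only those names come from the thread.

```python
import re

# Constructed `nm -D --defined-only`-style listings for the old and new builds
# of a libckyapplet.so.1. Addresses are made up; the function names other than
# the CKYBuffer_InitEmpty placeholder are the ones shown in the quoted hunk.
OLD_NM = """\
0000000000005a20 T CACAPDUFactory_SignDecrypt
0000000000004c10 T CACAppletFactory_SignDecrypt
0000000000003000 T CKYBuffer_InitEmpty
                 U malloc
"""
NEW_NM = """\
0000000000005b40 T CACAPDUFactory_SignDecrypt
0000000000004d00 T CACAppletFactory_SignDecryptFinal
0000000000004c10 T CACAppletFactory_SignDecryptStep
0000000000003000 T CKYBuffer_InitEmpty
                 U malloc
"""

# Constructed header excerpts with the prototypes before and after the change.
OLD_HDR = """\
CKYStatus CACAPDUFactory_SignDecrypt(CKYAPDU *apdu, const CKYBuffer *data);
CKYStatus CACAppletFactory_SignDecrypt(CKYAPDU *apdu, const void *param);
void CKYBuffer_InitEmpty(CKYBuffer *buf);
"""
NEW_HDR = """\
CKYStatus CACAPDUFactory_SignDecrypt(CKYAPDU *apdu, CKYByte type,
                                     const CKYBuffer *data);
CKYStatus CACAppletFactory_SignDecryptStep(CKYAPDU *apdu, const void *param);
CKYStatus CACAppletFactory_SignDecryptFinal(CKYAPDU *apdu, const void *param);
void CKYBuffer_InitEmpty(CKYBuffer *buf);
"""

# nm line: optional hex address, one-letter symbol type, symbol name.
NM_LINE = re.compile(r"^(?:[0-9a-fA-F]+\s+)?([A-Za-z])\s+(\S+)\s*$")
# Function prototype: name, parenthesised parameter list, terminating ';'.
PROTO = re.compile(r"(\w+)\s*\(([^)]*)\)\s*;")


def exported_symbols(nm_text):
    """Names of global, defined symbols: upper-case type letter other than U."""
    syms = set()
    for line in nm_text.splitlines():
        m = NM_LINE.match(line.strip())
        if not m:
            continue
        kind, name = m.groups()
        if kind.isupper() and kind != "U":
            syms.add(name)
    return syms


def prototypes(header_text):
    """Map function name -> tuple of whitespace-normalised parameter declarations."""
    protos = {}
    for name, params in PROTO.findall(header_text):
        norm = tuple(" ".join(p.split()) for p in params.split(",") if p.strip())
        protos[name] = norm
    return protos


def abi_report(old_nm, new_nm, old_hdr, new_hdr):
    """Compare two builds: symbols dropped or added, and exported functions whose
    parameter list changed even though the symbol name survived."""
    old_syms, new_syms = exported_symbols(old_nm), exported_symbols(new_nm)
    old_p, new_p = prototypes(old_hdr), prototypes(new_hdr)
    removed = old_syms - new_syms
    added = new_syms - old_syms
    changed = {
        name for name in old_p.keys() & new_p.keys()
        if name in new_syms and old_p[name] != new_p[name]
    }
    return {
        "removed": removed,
        "added": added,
        "changed_signature": changed,
        # Added symbols alone are API growth; removals or signature changes
        # need a SONAME bump or compatibility wrappers.
        "abi_break": bool(removed or changed),
    }


if __name__ == "__main__":
    report = abi_report(OLD_NM, NEW_NM, OLD_HDR, NEW_HDR)
    for key, value in report.items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

The symbol-name part is what a debian/*.symbols file and dpkg-gensymbols check at build time, and it catches the rename; the prototype comparison is the extra step needed for the CACAPDUFactory_SignDecrypt case, which a name-based check would wave through. For real libraries a tool such as abi-compliance-checker does the prototype comparison from the compiled headers instead of a regex.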



Bug#670367: pu: package coolkey/1.1.0-6 debdiff attached

2012-04-26 Thread A. Maitland Bottoms
Proposed debdiff for coolkey 1.1.0-6+squeeze1 is attached.
Patches are the same from coolkey 1.1.0-12 in testing, but
added to debian/patches using dpatch since 1.1.0-6 used dpatch.
Same source tarball coolkey_1.1.0.orig.tar.gz in testing and stable.

-Maitland
[ATTACHMENT ~/coolkeyspu.debdiff, text/plain]
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEABECAAYFAk+ZupQACgkQkwbJvNrxBUy2AgCeNKRQwm2pJ/dzqJ+4Z4KyR5d9
6RQAn3xuYxY6FCrDUaTko8Lv8itJ4lDc
=p8CR
-END PGP SIGNATURE-


Bug#670367: pu: package coolkey/1.1.0-6 debdiff attached

2012-04-26 Thread Adam D. Barratt
On Thu, 2012-04-26 at 17:16 -0400, A. Maitland Bottoms wrote:
> Proposed debdiff for coolkey 1.1.0-6+squeeze1 is attached.

I think something may not have gone according to plan there.  What was
actually attached was just:

> plain text document attachment (coolkeyspu.debdiff.asc)
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.10 (GNU/Linux)
> 
> iEYEABECAAYFAk+ZupQACgkQkwbJvNrxBUy2AgCeNKRQwm2pJ/dzqJ+4Z4KyR5d9
> 6RQAn3xuYxY6FCrDUaTko8Lv8itJ4lDc
> =p8CR
> -END PGP SIGNATURE-

Regards,

Adam







Bug#670367: pu: package coolkey/1.1.0-6 debdiff attached

2012-04-28 Thread Adam D. Barratt
On Thu, 2012-04-26 at 18:08 -0400, A. Maitland Bottoms wrote:
> +coolkey (1.1.0-6+squeeze1) stable; urgency=low
> +
> +  * updated to follow the new Card Compatibility Container (CCC) 
> specification
> +to support recently issued smartcards in Debian stable. (Closes: #670367)

Please don't close release.debian.org bugs in your changelog; they'll
get closed once the package has been included in a point release.  If
there's a bug report asking for support for the cards to be added, that
{c,sh}ould be used instead.

> +  * debian/patches/
> +06_machdep_cpp_CVE-2007-4129.dpatch
> +07_coolkey_latest.dpatch
> +08_coolkey_simple_bugs.dpatch
> +09_coolkey_thread_fix.dpatch
> +10_coolkey_cac_rhl5.dpatch
> +11_empty_certificates.dpatch
> +12_pcscd_restarting.dpatch

Please forgive my possible ignorance of the field, but are all of the
above patches strictly required in order to support the new format?  If
not then a description of what each patch does and why it's included
would be useful, both in the changelog but also in this thread if it's
more involved.

Actually, that description might be handy in any case - for instance one
of the patch names references CVE-2007-4129, but
http://security-tracker.debian.org/tracker/CVE-2007-4129 indicates that
the package in stable isn't affected.

Regards,

Adam







Bug#670367: pu: package coolkey/1.1.0-6 debdiff attached

2012-04-30 Thread A. Maitland Bottoms
> "Adam" == Adam D Barratt  writes:
Adam> Please don't close release.debian.org bugs in your changelog;

OK. I uploaded a revision to the debdiff coolkeyspu2.debdiff
which also includes upstream patch descriptions in debian/changelog.

Adam> are all of the above patches strictly required in order to
Adam> support the new format?

Well, not only to support the new format, but there were also cases
that resulted in the coolkey plugin crashing the user's browser that
seem equally worthy of inclusion of patches fixing those known issues.

The coolkey-latest patch set in Debian packages is adopted from the
Fedora coolkey srpm patch set. In RHEL this patch is composed of three
patches: coolkey-cac.fix, coolkey-safenet and coolkey-1.1.0-gemalto.64k.

I'm pretty sure the threading fix is most important when used with
Java applications in the browser. There is an important and widely-used
web application enabled by this capability.

The coolkey_cac_rhl5 is the new card format that motivates this update,
and is an improvement over the Fedora coolkey-cac-1 patch.
This capability was added to RHEL:
http://rhn.redhat.com/errata/RHEA-2011-0111.html
and this likely will fix the Ubuntu bug:
https://bugs.launchpad.net/ubuntu/+source/coolkey/+bug/654400

The empty_certificates and pcscd_restarting avoid crashing the
browser that uses the coolkey plugin.


Adam> Actually, that description might be handy in any case - for instance one
Adam> of the patch names references CVE-2007-4129, but
Adam> http://security-tracker.debian.org/tracker/CVE-2007-4129 indicates that
Adam> the package in stable isn't affected.

Listing that in the current changelog stanza was my mistake - I included that
patch back in coolkey 1.1.0-3 uploaded in 2007, and that patch is already in
Debian's stable release.

-Maitland






Bug#670367: pu: package coolkey/1.1.0-6 debdiff attached

2012-05-02 Thread Adam D. Barratt
On Mon, 2012-04-30 at 20:46 -0400, A. Maitland Bottoms wrote:
> OK. The handling of auto* tools in the coolkey 1.1.0-6 package in stable
> means that the clean target in debian/rules doesn't restore the files
> to pre-built state. So there was too much autotools cruft in the 
> previous coolkeyspu2.debdiff. Please ignore it.
> 
> The attached coolkeyspu3.debdiff is much closer to the first attempt,
> while still elaborating upstream patch descriptions as requested.

Thanks for that.

Even accounting for the patch overhead, the diff is still somewhat
larger than most we'd usually handle via proposed-updates.  That's not
necessarily a blocker in and of itself, but we are rapidly approaching
the cut-off point for the next point release and I don't think I'm
likely to have time to do a proper review myself before that point.
Bearing that in mind I'm afraid it's possible that the changes might
need to be looked at for 6.0.6 rather than the upcoming 6.0.5.

Regards,

Adam



