Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2021-03-28 Thread Arnaud Rebillout
On Fri, 26 Mar 2021 09:33:07 +0100 Salvatore Bonaccorso 
 wrote:

>
> Looks that the collabora address is not anymore valid and mail
> bounced. Let me try directly arna...@debian.org.
>
> Regards,
> Salvatore
>

Thanks, this email reached me. I just uploaded the package. Sorry for 
the very long delay.


I realized (a bit late) that the control file still has my old collabora 
address, so I won't get any notifications if ever the build fails or 
something. Please ping me again at arna...@debian.org or 
arna...@kali.org if there's a problem with the package.


Thanks!

--
Arnaud Rebillout



Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2021-03-26 Thread Salvatore Bonaccorso
On Fri, Mar 26, 2021 at 09:12:08AM +0100, Salvatore Bonaccorso wrote:
> Hi Arnaud,
> 
> On Fri, Jul 31, 2020 at 10:20:12AM +0200, Salvatore Bonaccorso wrote:
> > Hi,
> > 
> > On Mon, Mar 30, 2020 at 10:08:50PM +0100, Adam D. Barratt wrote:
> > > Hi,
> > > 
> > > On Sat, 2019-10-12 at 11:41 +0200, Julien Cristau wrote:
> > > > Control: tag -1 - moreinfo
> > > > Control: tag -1 + confirmed
> > > > 
> > > > On Thu, Aug 08, 2019 at 02:47:55PM +0700, Arnaud Rebillout wrote:
> > > > > The debdiff attached brings in an upstream patch to fix
> > > > > CVE-2019-1020014, hence closes #933801.
> > > > > 
> > > > > This is my first contribution to Debian Stable, please check for
> > > > > beginners mistake ;)
> > > > > 
> > > > Please go ahead with the upload.
> > > 
> > > Ping on that.
> > 
> > Friendly ping on that.
> 
> As there was a go ahead from the SRMs,  could you do the update or
> were some problems encountered with the update?

Looks that the collabora address is not anymore valid and mail
bounced. Let me try directly arna...@debian.org.

Regards,
Salvatore



Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2021-03-26 Thread Salvatore Bonaccorso
Hi Arnaud,

On Fri, Jul 31, 2020 at 10:20:12AM +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Mon, Mar 30, 2020 at 10:08:50PM +0100, Adam D. Barratt wrote:
> > Hi,
> > 
> > On Sat, 2019-10-12 at 11:41 +0200, Julien Cristau wrote:
> > > Control: tag -1 - moreinfo
> > > Control: tag -1 + confirmed
> > > 
> > > On Thu, Aug 08, 2019 at 02:47:55PM +0700, Arnaud Rebillout wrote:
> > > > The debdiff attached brings in an upstream patch to fix
> > > > CVE-2019-1020014, hence closes #933801.
> > > > 
> > > > This is my first contribution to Debian Stable, please check for
> > > > beginners mistake ;)
> > > > 
> > > Please go ahead with the upload.
> > 
> > Ping on that.
> 
> Friendly ping on that.

As there was a go ahead from the SRMs,  could you do the update or
were some problems encountered with the update?

Regards,
Salvatore



Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2020-07-31 Thread Salvatore Bonaccorso
Hi,

On Mon, Mar 30, 2020 at 10:08:50PM +0100, Adam D. Barratt wrote:
> Hi,
> 
> On Sat, 2019-10-12 at 11:41 +0200, Julien Cristau wrote:
> > Control: tag -1 - moreinfo
> > Control: tag -1 + confirmed
> > 
> > On Thu, Aug 08, 2019 at 02:47:55PM +0700, Arnaud Rebillout wrote:
> > > The debdiff attached brings in an upstream patch to fix
> > > CVE-2019-1020014, hence closes #933801.
> > > 
> > > This is my first contribution to Debian Stable, please check for
> > > beginners mistake ;)
> > > 
> > Please go ahead with the upload.
> 
> Ping on that.

Friendly ping on that.

Regards,
Salvatore



Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2020-03-30 Thread Adam D. Barratt
Hi,

On Sat, 2019-10-12 at 11:41 +0200, Julien Cristau wrote:
> Control: tag -1 - moreinfo
> Control: tag -1 + confirmed
> 
> On Thu, Aug 08, 2019 at 02:47:55PM +0700, Arnaud Rebillout wrote:
> > The debdiff attached brings in an upstream patch to fix
> > CVE-2019-1020014, hence closes #933801.
> > 
> > This is my first contribution to Debian Stable, please check for
> > beginners mistake ;)
> > 
> Please go ahead with the upload.

Ping on that.

Regards,

Adam



Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2019-10-12 Thread Adam D. Barratt
On Sat, 2019-10-12 at 11:01 +0100, Adam D. Barratt wrote:
> On a related note, the docker.io armel build from the last DSA appears
> to have failed to build. If that's a repeatable issue then we won't be
> able to usefully rebuild it here.
> 

I was mistaken, this was an archive issue so shouldn't be an issue for
binNMUs.

Regards,

Adam



Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2019-10-12 Thread Adam D. Barratt
On Mon, 2019-09-02 at 11:26 +0700, Arnaud Rebillout wrote:
> On 8/23/19 9:54 AM, Adam D. Barratt wrote:
> > On 2019-08-18 15:41, Arnaud Rebillout wrote:
> > > On 8/16/19 9:35 PM, Adam D. Barratt wrote:
> > > > So is the conclusion there that docker.io is or is not actually
> > > > affected?
> > > 
> > > Yes docker.io is affected as well.
> > 
> > Which of the binary packages are affected and need rebuilding? The
> > packages produced are:
> >
> > docker-doc                      | 18.09.1+dfsg1-7.1 | stable | all
> > docker.io                       | 18.09.1+dfsg1-7.1 | stable | source, amd64, arm64, armel, armhf, i386, ppc64el, s390x
> > golang-docker-dev               | 18.09.1+dfsg1-7.1 | stable | all
> > golang-github-docker-docker-dev | 18.09.1+dfsg1-7.1 | stable | all
> > vim-syntax-docker               | 18.09.1+dfsg1-7.1 | stable | all
> >
> > If the answer is anything other than "just the docker.io binary
> > package", then this will need to be a separate source upload, as we
> > can't binNMU arch:all packages.
> 
> Only docker.io needs rebuild

On a related note, the docker.io armel build from the last DSA appears
to have failed to build. If that's a repeatable issue then we won't be
able to usefully rebuild it here.

Regards,

Adam



Processed: Re: Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2019-10-12 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 - moreinfo
Bug #934206 [release.debian.org] buster-pu: package 
golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1
Removed tag(s) moreinfo.
> tag -1 + confirmed
Bug #934206 [release.debian.org] buster-pu: package 
golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1
Added tag(s) confirmed.

-- 
934206: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934206
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2019-10-12 Thread Julien Cristau
Control: tag -1 - moreinfo
Control: tag -1 + confirmed

On Thu, Aug 08, 2019 at 02:47:55PM +0700, Arnaud Rebillout wrote:
> The debdiff attached brings in an upstream patch to fix
> CVE-2019-1020014, hence closes #933801.
> 
> This is my first contribution to Debian Stable, please check for
> beginners mistake ;)
> 
Please go ahead with the upload.

Thanks,
Julien



Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2019-09-01 Thread Arnaud Rebillout

On 8/23/19 9:54 AM, Adam D. Barratt wrote:
> On 2019-08-18 15:41, Arnaud Rebillout wrote:
> > On 8/16/19 9:35 PM, Adam D. Barratt wrote:
> > > So is the conclusion there that docker.io is or is not actually
> > > affected?
> >
> > Yes docker.io is affected as well.
>
> Which of the binary packages are affected and need rebuilding? The
> packages produced are:
>
> docker-doc                      | 18.09.1+dfsg1-7.1 | stable | all
> docker.io                       | 18.09.1+dfsg1-7.1 | stable | source, amd64, arm64, armel, armhf, i386, ppc64el, s390x
> golang-docker-dev               | 18.09.1+dfsg1-7.1 | stable | all
> golang-github-docker-docker-dev | 18.09.1+dfsg1-7.1 | stable | all
> vim-syntax-docker               | 18.09.1+dfsg1-7.1 | stable | all
>
> If the answer is anything other than "just the docker.io binary
> package", then this will need to be a separate source upload, as we
> can't binNMU arch:all packages.

Only docker.io needs rebuild



Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2019-08-23 Thread Adam D. Barratt

On 2019-08-18 15:41, Arnaud Rebillout wrote:
> On 8/16/19 9:35 PM, Adam D. Barratt wrote:
> > So is the conclusion there that docker.io is or is not actually
> > affected?
>
> Yes docker.io is affected as well.

Which of the binary packages are affected and need rebuilding? The
packages produced are:

docker-doc                      | 18.09.1+dfsg1-7.1 | stable | all
docker.io                       | 18.09.1+dfsg1-7.1 | stable | source, amd64, arm64, armel, armhf, i386, ppc64el, s390x
golang-docker-dev               | 18.09.1+dfsg1-7.1 | stable | all
golang-github-docker-docker-dev | 18.09.1+dfsg1-7.1 | stable | all
vim-syntax-docker               | 18.09.1+dfsg1-7.1 | stable | all

If the answer is anything other than "just the docker.io binary
package", then this will need to be a separate source upload, as we
can't binNMU arch:all packages.


Regards,

Adam



Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2019-08-18 Thread Arnaud Rebillout



On 8/16/19 9:35 PM, Adam D. Barratt wrote:
> So is the conclusion there that docker.io is or is not actually
> affected?

Yes docker.io is affected as well.



Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2019-08-16 Thread Adam D. Barratt
On Sat, 2019-08-10 at 15:38 +0700, Arnaud Rebillout wrote:
> On 8/10/19 2:07 PM, Shengjing Zhu wrote:
> > On Sat, Aug 10, 2019 at 2:56 PM Shengjing Zhu wrote:
> > > On Fri, Aug 9, 2019 at 10:09 PM Arnaud Rebillout wrote:
> > > > On 8/9/19 5:15 PM, Adam D. Barratt wrote:
> > > > > The module apparently has three reverse build-dependencies:
> > > > > 
> > > > > amazon-ecr-credential-helper:
> > > > > golang-github-docker-docker-credential-helpers-dev
> > > > > docker-pycreds: golang-docker-credential-helpers
> > > > > > docker.io: golang-github-docker-docker-credential-helpers-dev (>= 0.6.1~)
> > > > > >
> > > > > > Would this update imply any of those needing to be rebuilt? If so, is
> > > > > > that the end of the tree, or do we end up down a rabbit hole of Go
> > > > > > libraries?
[...]
> > > I think checking Built-Using is the right answer (for buster).
> > > 
> > > For src:golang-github-docker-docker-credential-helpers, the following
> > > packages need rebuild:
> > > 
> > > src:amazon-ecr-credential-helper
> > > 
[...]
> > > The pkg:docker.io maybe is affected, but I'm not sure.
> > src:golang-github-docker-docker-credential-helpers is embedded, but
> > it's not shown in the Built-Using field of pkg:docker.io.
> > 
> > This could be either a bug in docker.io or dh-golang.
> 
> 
> This is due to this dh-golang bug AFAIK: https://bugs.debian.org/908552

So is the conclusion there that docker.io is or is not actually
affected?

Regards,

Adam



Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2019-08-10 Thread Shengjing Zhu
On Sat, Aug 10, 2019 at 4:38 PM Arnaud Rebillout
 wrote:
>
> On 8/10/19 2:07 PM, Shengjing Zhu wrote:
> > On Sat, Aug 10, 2019 at 2:56 PM Shengjing Zhu  wrote:
> >> On Fri, Aug 9, 2019 at 10:09 PM Arnaud Rebillout
> >>  wrote:
> >>> On 8/9/19 5:15 PM, Adam D. Barratt wrote:
> >>>> The module apparently has three reverse build-dependencies:
> >>>>
> >>>> amazon-ecr-credential-helper:
> >>>> golang-github-docker-docker-credential-helpers-dev
> >>>> docker-pycreds: golang-docker-credential-helpers
> >>>> docker.io: golang-github-docker-docker-credential-helpers-dev (>= 0.6.1~)
> >>>>
> >>>> Would this update imply any of those needing to be rebuilt? If so, is
> >>>> that the end of the tree, or do we end up down a rabbit hole of Go
> >>>> libraries?
> >>> That's a good question. FWIW I tried this command, I got a different
> >>> result from you:
> >>>
> >>> $ dose-ceve -T deb \
> >>>   --deb-native-arch=amd64 \
> >>>   -r golang-github-docker-docker-credential-helpers-dev \
> >>>   debsrc:///var/lib/apt/lists/deb.debian.org_debian_dists_buster_main_source_Sources \
> >>>   deb:///var/lib/apt/lists/deb.debian.org_debian_dists_buster_main_binary-amd64_Packages \
> >>>   | grep-dctrl -n -s Package '' \
> >>>   | sort -u
> >>> golang-docker-dev
> >>> golang-github-docker-docker-credential-helpers-dev
> >>> golang-github-docker-docker-dev
> >>> golang-github-fsouza-go-dockerclient-dev
> >>> golang-github-samalba-dockerclient-dev
> >>>
> >>> I suppose that for every package ending with -dev in this list, we
> >>> should also get the reverse build-depends? Then we're going down the
> >>> rabbit hole.
> >>>
> >>> But I'm not sure that following the reverse build-depends is the right
> >>> way to do it. Maybe following the Built-Using field is better.
> >>>
> >>> Let me CC the Go team (question is: how to figure out which package to
> >>> rebuild after uploading
> >>> golang-github-docker-docker-credential-helpers-dev to stable).
> >> I think checking Built-Using is the right answer (for buster).
> >>
> >> For src:golang-github-docker-docker-credential-helpers, the following
> >> packages need rebuild:
> >>
> >> src:amazon-ecr-credential-helper
> >>
> >> Other packages you find with build-depends don't build an arch:any
> >> package, so no need of binNMU.
>
>
> What command do you use to get the list of packages who have a
> Built-Using on a specific package?
>

ben query -s Source ".built-using ~ /golang-github-docker-docker-credential-helpers/" /path/to/some/stable_main_binary-amd64_Packages

PS, ben needs version >=0.8.3



--
Shengjing Zhu
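
The Built-Using check discussed in this thread, as an added example that is not part of the original messages: it parses Packages-style stanzas and lists binaries that record an older copy of the fixed source, with the rebuild route (binNMU for arch-specific packages, source upload for arch:all). The sample stanzas, the `example-helper` package and all function names are constructed for illustration; the docker.io stanza models the missing Built-Using entry reported in the thread.

```python
import re

FIXED_SOURCE = "golang-github-docker-docker-credential-helpers"
FIXED_VERSION = "0.6.1-2+deb10u1"

# Constructed Packages-style stanzas (not real archive data).
SAMPLE_PACKAGES = """\
Package: amazon-ecr-credential-helper
Architecture: amd64
Built-Using: golang-1.11 (= 1.11.6-1), golang-github-docker-docker-credential-helpers (= 0.6.1-2),
 golang-github-example-lib (= 1.0-1)

Package: docker.io
Architecture: amd64
Version: 18.09.1+dfsg1-7.1
Built-Using: golang-1.11 (= 1.11.6-1)

Package: golang-github-docker-docker-dev
Source: docker.io
Architecture: all
Version: 18.09.1+dfsg1-7.1

Package: example-helper-doc
Source: example-helper (1.0-1)
Architecture: all
Built-Using: golang-github-docker-docker-credential-helpers (= 0.6.1-2)
"""


def parse_stanzas(text):
    """Yield each deb822 stanza as a dict, joining folded continuation lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                key = key.strip().lower()
                fields[key] = value.strip()
        if fields:
            yield fields


def built_using_sources(stanza):
    """Return {source: version} parsed from the stanza's Built-Using field."""
    out = {}
    for item in stanza.get("built-using", "").split(","):
        m = re.match(r"\s*(\S+)\s*\(=\s*([^)]+?)\s*\)", item)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def rebuild_candidates(packages_text, fixed_source, fixed_version):
    """List (source, binary, embedded_version, route) for stale embedders.

    Versions are compared for inequality only; this is a simplification,
    not Debian version ordering.
    """
    results = []
    for st in parse_stanzas(packages_text):
        embedded = built_using_sources(st).get(fixed_source)
        if embedded is None or embedded == fixed_version:
            continue
        # "Source:" may be absent (same as Package) or carry "(version)".
        source = st.get("source", st["package"]).split()[0]
        route = "source upload" if st.get("architecture") == "all" else "binNMU"
        results.append((source, st["package"], embedded, route))
    return sorted(results)


def missed_by_built_using(packages_text, fixed_source, fixed_version, known_embedders):
    """Binaries known to embed the source that the Built-Using query does not report."""
    found = {binary for _, binary, _, _ in
             rebuild_candidates(packages_text, fixed_source, fixed_version)}
    return sorted(set(known_embedders) - found)


if __name__ == "__main__":
    for row in rebuild_candidates(SAMPLE_PACKAGES, FIXED_SOURCE, FIXED_VERSION):
        print(" | ".join(row))
    print("not reported:", missed_by_built_using(
        SAMPLE_PACKAGES, FIXED_SOURCE, FIXED_VERSION, ["docker.io"]))
```

A package whose Built-Using field is incomplete never shows up in this query, so the result is a lower bound on what needs rebuilding.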



Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2019-08-10 Thread Arnaud Rebillout
On 8/10/19 2:07 PM, Shengjing Zhu wrote:
> On Sat, Aug 10, 2019 at 2:56 PM Shengjing Zhu  wrote:
>> On Fri, Aug 9, 2019 at 10:09 PM Arnaud Rebillout
>>  wrote:
>>> On 8/9/19 5:15 PM, Adam D. Barratt wrote:
>>>> The module apparently has three reverse build-dependencies:
>>>>
>>>> amazon-ecr-credential-helper:
>>>> golang-github-docker-docker-credential-helpers-dev
>>>> docker-pycreds: golang-docker-credential-helpers
>>>> docker.io: golang-github-docker-docker-credential-helpers-dev (>= 0.6.1~)
>>>>
>>>> Would this update imply any of those needing to be rebuilt? If so, is
>>>> that the end of the tree, or do we end up down a rabbit hole of Go
>>>> libraries?
>>> That's a good question. FWIW I tried this command, I got a different
>>> result from you:
>>>
>>> $ dose-ceve -T deb \
>>>   --deb-native-arch=amd64 \
>>>   -r golang-github-docker-docker-credential-helpers-dev \
>>>   debsrc:///var/lib/apt/lists/deb.debian.org_debian_dists_buster_main_source_Sources \
>>>   deb:///var/lib/apt/lists/deb.debian.org_debian_dists_buster_main_binary-amd64_Packages \
>>>   | grep-dctrl -n -s Package '' \
>>>   | sort -u
>>> golang-docker-dev
>>> golang-github-docker-docker-credential-helpers-dev
>>> golang-github-docker-docker-dev
>>> golang-github-fsouza-go-dockerclient-dev
>>> golang-github-samalba-dockerclient-dev
>>>
>>> I suppose that for every package ending with -dev in this list, we
>>> should also get the reverse build-depends? Then we're going down the
>>> rabbit hole.
>>>
>>> But I'm not sure that following the reverse build-depends is the right
>>> way to do it. Maybe following the Built-Using field is better.
>>>
>>> Let me CC the Go team (question is: how to figure out which package to
>>> rebuild after uploading
>>> golang-github-docker-docker-credential-helpers-dev to stable).
>> I think checking Built-Using is the right answer (for buster).
>>
>> For src:golang-github-docker-docker-credential-helpers, the following
>> packages need rebuild:
>>
>> src:amazon-ecr-credential-helper
>>
>> Other packages you find with build-depends don't build an arch:any
>> package, so no need of binNMU.


What command do you use to get the list of packages who have a
Built-Using on a specific package?


> The pkg:docker.io maybe is affected, but I'm not sure.
> src:golang-github-docker-docker-credential-helpers is embedded, but
> it's not shown in the Built-Using field of pkg:docker.io.
>
> This could be either a bug in docker.io or dh-golang.


This is due to this dh-golang bug AFAIK: https://bugs.debian.org/908552



Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2019-08-10 Thread Shengjing Zhu
On Sat, Aug 10, 2019 at 2:56 PM Shengjing Zhu  wrote:
>
> On Fri, Aug 9, 2019 at 10:09 PM Arnaud Rebillout
>  wrote:
> >
> > On 8/9/19 5:15 PM, Adam D. Barratt wrote:
> > > The module apparently has three reverse build-dependencies:
> > >
> > > amazon-ecr-credential-helper:
> > > golang-github-docker-docker-credential-helpers-dev
> > > docker-pycreds: golang-docker-credential-helpers
> > > docker.io: golang-github-docker-docker-credential-helpers-dev (>= 0.6.1~)
> > >
> > > Would this update imply any of those needing to be rebuilt? If so, is
> > > that the end of the tree, or do we end up down a rabbit hole of Go
> > > libraries?
> >
> > That's a good question. FWIW I tried this command, I got a different
> > result from you:
> >
> > $ dose-ceve -T deb \
> >   --deb-native-arch=amd64 \
> >   -r golang-github-docker-docker-credential-helpers-dev \
> >   debsrc:///var/lib/apt/lists/deb.debian.org_debian_dists_buster_main_source_Sources \
> >   deb:///var/lib/apt/lists/deb.debian.org_debian_dists_buster_main_binary-amd64_Packages \
> >   | grep-dctrl -n -s Package '' \
> >   | sort -u
> > golang-docker-dev
> > golang-github-docker-docker-credential-helpers-dev
> > golang-github-docker-docker-dev
> > golang-github-fsouza-go-dockerclient-dev
> > golang-github-samalba-dockerclient-dev
> >
> > I suppose that for every package ending with -dev in this list, we
> > should also get the reverse build-depends? Then we're going down the
> > rabbit hole.
> >
> > But I'm not sure that following the reverse build-depends is the right
> > way to do it. Maybe following the Built-Using field is better.
> >
> > Let me CC the Go team (question is: how to figure out which package to
> > rebuild after uploading
> > golang-github-docker-docker-credential-helpers-dev to stable).
>
> I think checking Built-Using is the right answer (for buster).
>
> For src:golang-github-docker-docker-credential-helpers, the following
> packages need rebuild:
>
> src:amazon-ecr-credential-helper
>
> Other packages you find with build-depends don't build an arch:any
> package, so no need of binNMU.

The pkg:docker.io maybe is affected, but I'm not sure.
src:golang-github-docker-docker-credential-helpers is embedded, but
it's not shown in the Built-Using field of pkg:docker.io.

This could be either a bug in docker.io or dh-golang.

-- 
Shengjing Zhu



Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2019-08-10 Thread Shengjing Zhu
On Fri, Aug 9, 2019 at 10:09 PM Arnaud Rebillout
 wrote:
>
> On 8/9/19 5:15 PM, Adam D. Barratt wrote:
> > The module apparently has three reverse build-dependencies:
> >
> > amazon-ecr-credential-helper:
> > golang-github-docker-docker-credential-helpers-dev
> > docker-pycreds: golang-docker-credential-helpers
> > docker.io: golang-github-docker-docker-credential-helpers-dev (>= 0.6.1~)
> >
> > Would this update imply any of those needing to be rebuilt? If so, is
> > that the end of the tree, or do we end up down a rabbit hole of Go
> > libraries?
>
> That's a good question. FWIW I tried this command, I got a different
> result from you:
>
> $ dose-ceve -T deb \
>   --deb-native-arch=amd64 \
>   -r golang-github-docker-docker-credential-helpers-dev \
>   debsrc:///var/lib/apt/lists/deb.debian.org_debian_dists_buster_main_source_Sources \
>   deb:///var/lib/apt/lists/deb.debian.org_debian_dists_buster_main_binary-amd64_Packages \
>   | grep-dctrl -n -s Package '' \
>   | sort -u
> golang-docker-dev
> golang-github-docker-docker-credential-helpers-dev
> golang-github-docker-docker-dev
> golang-github-fsouza-go-dockerclient-dev
> golang-github-samalba-dockerclient-dev
>
> I suppose that for every package ending with -dev in this list, we
> should also get the reverse build-depends? Then we're going down the
> rabbit hole.
>
> But I'm not sure that following the reverse build-depends is the right
> way to do it. Maybe following the Built-Using field is better.
>
> Let me CC the Go team (question is: how to figure out which package to
> rebuild after uploading
> golang-github-docker-docker-credential-helpers-dev to stable).

I think checking Built-Using is the right answer (for buster).

For src:golang-github-docker-docker-credential-helpers, the following
packages need rebuild:

src:amazon-ecr-credential-helper

Other packages you find with build-depends don't build an arch:any
package, so no need of binNMU.

-- 
Shengjing Zhu



Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2019-08-09 Thread Arnaud Rebillout
On 8/9/19 5:15 PM, Adam D. Barratt wrote:
> The module apparently has three reverse build-dependencies:
>
> amazon-ecr-credential-helper:
> golang-github-docker-docker-credential-helpers-dev
> docker-pycreds: golang-docker-credential-helpers
> docker.io: golang-github-docker-docker-credential-helpers-dev (>= 0.6.1~)
>
> Would this update imply any of those needing to be rebuilt? If so, is
> that the end of the tree, or do we end up down a rabbit hole of Go
> libraries?

That's a good question. FWIW I tried this command, I got a different
result from you:

$ dose-ceve -T deb \
  --deb-native-arch=amd64 \
  -r golang-github-docker-docker-credential-helpers-dev \
  debsrc:///var/lib/apt/lists/deb.debian.org_debian_dists_buster_main_source_Sources \
  deb:///var/lib/apt/lists/deb.debian.org_debian_dists_buster_main_binary-amd64_Packages \
  | grep-dctrl -n -s Package '' \
  | sort -u
golang-docker-dev
golang-github-docker-docker-credential-helpers-dev
golang-github-docker-docker-dev
golang-github-fsouza-go-dockerclient-dev
golang-github-samalba-dockerclient-dev

I suppose that for every package ending with -dev in this list, we
should also get the reverse build-depends? Then we're going down the
rabbit hole.

But I'm not sure that following the reverse build-depends is the right
way to do it. Maybe following the Built-Using field is better.

Let me CC the Go team (question is: how to figure out which package to
rebuild after uploading
golang-github-docker-docker-credential-helpers-dev to stable).

Thanks,

  Arnaud



Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2019-08-09 Thread Adam D. Barratt

On 2019-08-08 19:09, Moritz Mühlenhoff wrote:
> On Thu, Aug 08, 2019 at 09:53:16AM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> >
> > On 2019-08-08 08:47, Arnaud Rebillout wrote:
> [...]
> > > The debdiff attached brings in an upstream patch to fix
> > > CVE-2019-1020014, hence closes #933801.
> [...]
> > >    * Fixes for security issues should be co-ordinated with the
> > >      Security Team, unless they have explicitly stated that they
> > >      will not issue an DSA for the bug (e.g. via a "no-dsa" marker
> > >      in the Security Tracker) [SECURITY-TRACKER]
> [...]
> > I've CCed them now, let's see what they say.
>
> It's harmless, stable-proposed-updates sounds good. I'll mark it as no-dsa
> in the security tracker.

Thanks for the confirmation.

The module apparently has three reverse build-dependencies:

amazon-ecr-credential-helper: golang-github-docker-docker-credential-helpers-dev
docker-pycreds: golang-docker-credential-helpers
docker.io: golang-github-docker-docker-credential-helpers-dev (>= 0.6.1~)

Would this update imply any of those needing to be rebuilt? If so, is
that the end of the tree, or do we end up down a rabbit hole of Go
libraries?


Regards,

Adam



Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2019-08-08 Thread Moritz Mühlenhoff
On Thu, Aug 08, 2019 at 09:53:16AM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> On 2019-08-08 08:47, Arnaud Rebillout wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: buster
> > User: release.debian@packages.debian.org
> > Usertags: pu
> > 
> > The debdiff attached brings in an upstream patch to fix
> > CVE-2019-1020014, hence closes #933801.
> > 
> > This is my first contribution to Debian Stable, please check for
> > beginners mistake ;)
> > 
> > Also, the devel-announce "Bits from the Stable Release Managers"
> > mentions:
> > 
> >    * Fixes for security issues should be co-ordinated with the
> >      Security Team, unless they have explicitly stated that they
> >      will not issue an DSA for the bug (e.g. via a "no-dsa" marker
> >      in the Security Tracker) [SECURITY-TRACKER]
> > 
> > So, is there anything else I should do here? Like, CC them or something?
> 
> Yes, *before* filing this bug, as if the Security Team want to handle it
> then this bug shouldn't exist to begin with.
> 
> I've CCed them now, let's see what they say.

It's harmless, stable-proposed-updates sounds good. I'll mark it as no-dsa
in the security tracker.

Cheers,
Moritz



Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2019-08-08 Thread Adam D. Barratt

Control: tags -1 + moreinfo

On 2019-08-08 08:47, Arnaud Rebillout wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
>
> The debdiff attached brings in an upstream patch to fix
> CVE-2019-1020014, hence closes #933801.
>
> This is my first contribution to Debian Stable, please check for
> beginners mistake ;)
>
> Also, the devel-announce "Bits from the Stable Release Managers"
> mentions:
>
>    * Fixes for security issues should be co-ordinated with the
>      Security Team, unless they have explicitly stated that they
>      will not issue an DSA for the bug (e.g. via a "no-dsa" marker
>      in the Security Tracker) [SECURITY-TRACKER]
>
> So, is there anything else I should do here? Like, CC them or
> something?

Yes, *before* filing this bug, as if the Security Team want to handle it
then this bug shouldn't exist to begin with.

I've CCed them now, let's see what they say.

Regards,

Adam



Processed: Re: Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2019-08-08 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + moreinfo
Bug #934206 [release.debian.org] buster-pu: package 
golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1
Added tag(s) moreinfo.

-- 
934206: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934206
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#934206: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1

2019-08-08 Thread Arnaud Rebillout
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

The debdiff attached brings in an upstream patch to fix
CVE-2019-1020014, hence closes #933801.

This is my first contribution to Debian Stable, please check for
beginners mistake ;)

Also, the devel-announce "Bits from the Stable Release Managers"
mentions:

   * Fixes for security issues should be co-ordinated with the
     Security Team, unless they have explicitly stated that they
     will not issue an DSA for the bug (e.g. via a "no-dsa" marker
     in the Security Tracker) [SECURITY-TRACKER]

So, is there anything else I should do here? Like, CC them or something?

Thanks!

  Arnaud

-- Related links:

- 
- 

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru golang-github-docker-docker-credential-helpers-0.6.1/debian/changelog 
golang-github-docker-docker-credential-helpers-0.6.1/debian/changelog
--- golang-github-docker-docker-credential-helpers-0.6.1/debian/changelog   
2019-02-28 08:31:29.0 +0700
+++ golang-github-docker-docker-credential-helpers-0.6.1/debian/changelog   
2019-08-05 15:04:28.0 +0700
@@ -1,3 +1,11 @@
+golang-github-docker-docker-credential-helpers (0.6.1-2+deb10u1) buster; 
urgency=medium
+
+  * Add myself to uploaders.
+  * Adjust gbp.conf for buster.
+  * Add upstream patch to fix CVE-2019-1020014 (Closes: #933801).
+
+ -- Arnaud Rebillout   Mon, 05 Aug 2019 
15:04:28 +0700
+
 golang-github-docker-docker-credential-helpers (0.6.1-2) unstable; 
urgency=medium
 
   * Team upload.
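
Review bot: The first two entries of the new changelog stanza ("Add myself to uploaders", "Adjust gbp.conf for buster") are packaging housekeeping bundled with the CVE-2019-1020014 fix. For a stable update, either say in the request why they are needed or drop the uploaders change, so the debdiff stays limited to the security fix and is quicker to review.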
diff -Nru golang-github-docker-docker-credential-helpers-0.6.1/debian/control 
golang-github-docker-docker-credential-helpers-0.6.1/debian/control
--- golang-github-docker-docker-credential-helpers-0.6.1/debian/control 
2019-02-28 08:31:29.0 +0700
+++ golang-github-docker-docker-credential-helpers-0.6.1/debian/control 
2019-08-05 15:04:28.0 +0700
@@ -3,7 +3,8 @@
 Priority: optional
 Maintainer: Debian Go Packaging Team 

 Uploaders: Tim Potter ,
-   Jordi Mallach 
+   Jordi Mallach ,
+   Arnaud Rebillout ,  
 Build-Depends: debhelper (>= 11~),
dh-golang,
golang-any,
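
Review bot: The added "Arnaud Rebillout" line is the last Uploaders entry but ends with a comma followed by trailing spaces. Drop the trailing comma and the whitespace so the field ends cleanly before Build-Depends.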
diff -Nru golang-github-docker-docker-credential-helpers-0.6.1/debian/gbp.conf 
golang-github-docker-docker-credential-helpers-0.6.1/debian/gbp.conf
--- golang-github-docker-docker-credential-helpers-0.6.1/debian/gbp.conf
2019-02-28 08:31:29.0 +0700
+++ golang-github-docker-docker-credential-helpers-0.6.1/debian/gbp.conf
2019-08-05 15:04:28.0 +0700
@@ -1,2 +1,3 @@
 [DEFAULT]
+debian-branch = debian/buster
 pristine-tar = True
diff -Nru 
golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/cve-2019-1020014-Fix-a-double-free-in-the-List-functions.patch
 
golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/cve-2019-1020014-Fix-a-double-free-in-the-List-functions.patch
--- 
golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/cve-2019-1020014-Fix-a-double-free-in-the-List-functions.patch
  1970-01-01 08:00:00.0 +0800
+++ 
golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/cve-2019-1020014-Fix-a-double-free-in-the-List-functions.patch
  2019-08-05 15:04:28.0 +0700
@@ -0,0 +1,85 @@
+From: Justin Cormack 
+Date: Mon, 1 Jul 2019 14:37:24 +0100
+Subject: [PATCH] Fix a double free in the List functions
+
+The code was set up so that it would free the individual items and the data
+in `freeListData`, but there was already a Go `defer` to free the data item,
+resulting in a double free.
+
+Remove the `free` in `freeListData` and leave the original one.
+
+In addition, move the `defer` for freeing the list data before the error
+check, so that the data is also free in the error case. This just removes
+a minor leak.
+
+This vulnerability was discovered by:
+Jasiel Spelman of Trend Micro Zero Day Initiative and Trend Micro Team Nebula
+
+Signed-off-by: Justin Cormack 
+Origin: upstream, 
https://github.com/docker/docker-credential-helpers/commit/87c80bf
+---
+ osxkeychain/osxkeychain_darwin.c | 1 -
+ osxkeychain/osxkeychain_darwin.go| 5 ++---
+ secretservice/secretservice_linux.c  | 1 -
+ secretservice/secretservice_linux.go | 4 ++--
+ 4 files changed, 4 insertions(+), 7 deletions(-)
+
+--- a/osxkeychain/osxkeychain_darwin.c
 b/osxkeychain/osxkeychain_darwin.c
+@@ -223,6 +223,5 @@
+ void freeListData(char *** data, unsigned int length) {
+
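
Review bot: The patch description says the `defer` that frees the list data now runs before the error check, so the free path executes on failure too; confirm that the pointer and length handed to `freeListData` are in a safe state (NULL or zero-length) when the List call fails, since the description gives no statement about that case. For the DEP-3 header, a "Bug-Debian: https://bugs.debian.org/933801" line next to Origin would tie the patch file to the bug the changelog closes.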