and happy to add
missing bits to the bindings.
This being said, the package was orphaned last year and the current
"votes" count on popcon is 2. So I think we should remove it from the
archive if/once it's clear that it won't be ported to GTK+ 3.
Cheers!
--
intrigeri
ipt needs a new active upstream.
If this does not happen, then I think we should remove this package
from the archive.
Cheers!
--
intrigeri
I've filed bug reports against all reverse dependencies (normal
severity for now), tracked using the gtk2-removal usertag:
https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=gtk2-removal&user=debian-perl%40lists.debian.org
All reverse dependencies are leaf packages. The vast majority are
either
after a couple months.
Then removing from sid can wait until close to the Bullseye freeze:
I want to give reverse-deps authors and maintainers as much time as
I can to do the porting, while allowing to keep the GTK+ 2 version in
sid in the meantime.
Cheers,
--
intrigeri
" info="label not found" error=-2
> profile="lxc-container-default-cgns" name="system_tor" pid=1881 comm="(tor)"
Now this gets interesting:
> 96 processes are in enforce mode.
> […]
>/usr/bin/tor (1881) lxc-container-default-cgns
>/usr/lib/dovecot/anvil (1884) lxc-container-default-cgns
>/usr/lib/dovecot/log (1885) lxc-container-default-cgns
… and many more processes confined under the
lxc-container-default-cgns profile.
Are you actually running dovecot, tor, postgres, sshd, smdb, Postfix,
dhclient etc. in LXC containers? Or is the lxc-container-default-cgns
profile somehow erroneously applied to these processes?
Cheers,
--
intrigeri
Hi,
Sebastian Andrzej Siewior:
> intrigeri, I added you on Cc since you were a help the last time
> apparmor came around.
Thanks! Sure, happy to give a hand. I've usertagged this bug so it's
on the AppArmor team's radar (and not just on mine). See the
corresponding
the keys :)
Unless upstream and package maintenance are taken over by July 2019,
I'll orphan the package or request it to be removed from sid (I'm
undecided yet, opinions welcome).
Cheers,
--
intrigeri
I should add that I'm not running away because maintaining metche is
particularly troublesome: it is pretty stable software, does its
intended job pretty well, hasn't bitrotted, and does not require much
maintenance work (maybe 4-12 hours a year).
I'm simply cleaning up my plate of things I don't
Hi Paul & others,
Paul Gevers:
> I have decided to accept this regression to migrate to buster for
> apparmor to migrate to buster. Targeted fixes to fix the squid
> autopkgtest can be reason for an unblock.
This makes sense to me. Thanks for caring!
Cheers,
--
intrigeri
for Buster anyway so we have plenty of time to think
about it and experiment with various ideas for Bullseye :)
Cheers,
--
intrigeri
Control: tag -1 + moreinfo
Hi,
intrigeri:
> I'll try to prepare a fix ASAP unless you tell me you're on it.
Well, I've failed to do that in time for the Buster freeze, too bad.
What's the actual impact of this bug? Any user-visible problem?
Makes other profiles useless u
mynetworks: 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
postfix/dynamicmaps_conversion_warning:
postfix/recipient_delim: +
postfix/not_configured:
postfix/compat_conversion_warning: true
postfix/protocols: all
postfix/newaliases: false
--
intrigeri
From 4d98d0aa5aeb4fbb9941a4239251edfb1
Package: apparmor
Version: 2.13.2-9
Severity: important
… and submit via a MR against
https://salsa.debian.org/ddp-team/release-notes/ (in the "en"
directory).
Actually Jonas (Cc'ed) already submitted something:
https://salsa.debian.org/ddp-team/release-notes/merge_requests/6
Thanks a lot!
p-team/release-notes/merge_requests/6
Funny race condition: I've just filed #924450. See you there :)
Cheers,
--
intrigeri
supported on Debian yet:
Network Rules
DBus rules
Unix socket rules
Cheers,
--
intrigeri
exists before doing anything else, and exit
silently if it doesn't? That's for example what most of the scripts
I see in my /etc/cron.daily/ do.
The beginning of the script would then look like:
set -e
[ -x /usr/bin/cert-sync ] || exit 0
echo "Updating Mono key store"
Cheers,
--
intrigeri
sis and conclusions
make sense to me; they also match what I see other packages do.
I've applied your patch locally and will upload in the next couple
days unless testing displays issues.
Cheers,
--
intrigeri
But if the impact is "without
access to /usr/share/drirc.d/00-mesa-defaults.conf, apps are seriously
broken", then it could be a candidate.
Cheers,
--
intrigeri
ups dir
I was not able to find any reference to the "trap profile" idea
in our documentation. Could you please point me in the right
direction? Thanks in advance!
Cheers,
--
intrigeri
package :)
Cheers,
--
intrigeri
file or is this something
> that is not supported?
Indeed, unionfs in general are pretty poorly supported by AppArmor at
the moment. Adding the attach_disconnected flag, as suggested by
Vincas, often helps, but it's not always sufficient.
To make AppArmor work with aufs, in Tails we need quite a few custom
tricks; and overlayfs will need yet another set of tricks.
Cheers,
--
intrigeri
reads:
Some features are not supported on Debian yet:
- Network Rules
- DBus rules
- Unix socket rules
… and I would hope I did check back then, so I *think* fine-grained
ptrace rules are enforced by Linux 4.19 mainline. Now, that's easy to
test :)
Cheers,
--
intrigeri
Vincas Dargis:
> I'm sorry, but relevant update is in flight:
> https://gitlab.com/apparmor/apparmor/merge_requests/314
> mesa abstraction selection was incorrect decision.
OK. Merged upstream and cherry-picked into the packaging repo locally.
Will be part of next upload, presumably today! :)
. But time has flown since then, and I would
understand if the maintainers don't feel comfortable with this option
so close to the freeze. I can live with option (A) too, and worst
case, well, with the fallback option if that's how it is.
Cheers,
--
intrigeri
https://bugs.debian.org/883948#25
[2] https://codesearch.debian.net/search?q=%40%7BXDG_
[3]
https://codesearch.debian.net/search?q=abstractions%2Fuser-%28download%7Cwrite%29
Cheers,
--
intrigeri
Control: severity -1 minor
Control: tag -1 + upstream
Control: forcemerge -1 918548
Rationale for the metadata changes:
- This bug is about a given proposed solution to a broad class
of problems.
- Bumping severity to minor, as the lack of a solution to this
problem may lead to writin
interface, and then by Debian
convention /etc/cups is world-readable. But perhaps one of these could
change, e.g. does /etc/cups really have to be world-readable?
Cheers,
--
intrigeri
ng it if it was too crazy, right?
(I mean, BIND does not run as root, does it?)
So all in all, if these rules work for you, I think the main
issue is about the possible security boundary violations.
Cheers,
--
intrigeri
Hi,
Jonas Meurer:
> I'll see whether I find time during the next days to work out something
> for option a, but I have my doubts that we'll make it in time for Buster.
Thanks a lot for your work on this!
I'll reply on #910493.
Cheers,
--
intrigeri
Hi,
Daniel Kahn Gillmor:
> On Sun 2018-10-07 10:31:13 +0200, intrigeri wrote:
>> intrigeri:
>>> What matters to me is the users' perspective. I think we should
>>> provide a clear, unambiguous transition path and avoid leaking
>>> technical details to u
Hi,
intrigeri:
> Helmut Grohne:
>> I've concluded that regardless of whether this is a bug in gcc, it is a
>> bug in libapparmor-dev. I think that putting static and dynamic
>> libraries in different directories is a recipe for breakage. You really
>> should put
com/apparmor/apparmor/blob/master/profiles/apparmor.d/abstractions/audio
Cheers,
--
intrigeri
ob/master/profiles/apparmor.d/abstractions/audio
Cheers,
--
intrigeri
e latest upload to sid :)
(Tagging "moreinfo" as you've acknowledged that these patches need
updates as per Jamie's feedback.)
Cheers,
--
intrigeri
Hi Bernhard, AppArmor folks and bystanders,
intrigeri:
> All this is doable but requires quite more work (and risks) than
> I thought initially.
> I'm starting to think that it would be vastly easier to do that via
> autopkgtests: […]
It's unfortunately too late to get all
.org/apparmor-team/apparmor/commit/0d642c21828a0c4eb51a70b058c3ebb695a770a4
… and report back whether it fixes the problem for you?
Thanks in advance!
Cheers,
--
intrigeri
ry
cannot be moved out of /etc/" (#883584). Now that we've moved the
cache to /var/cache, I agree we can stop shipping CACHEDIR.TAG in the
apparmor package.
Marco, do you have anything to add on this topic before I go ahead?
Cheers,
--
intrigeri
Josh Triplett:
> I've submitted a debian-policy patch to document it.
Amazing! :)
gregor herrmann:
> On Mon, 28 Jan 2019 16:23:59 +0100, Jakub Wilk wrote:
>> Yes, it does. Thanks!
> Confirmed as well, thanks.
Thank you both!
igure --priority=low ubuntu-archive-keyring
… and answer "Yes" to the "Add the Ubuntu archive keys to the list
of trusted keys used by apt to authenticate packages?" question.
Cheers,
--
intrigeri
Control: tag -1 + pending
Laurent Bigonville:
> Could you please apply the attached patch?
Thanks! Applied in Vcs-Git (debian/experimental branch, which should
be uploaded to sid by the end of DebConf).
d before the /usr/bin/freshclam AppArmor profile
is loaded.
I think this is potentially racy, which might be why the problem can't
trivially be reproduced in sid.
Cheers,
--
intrigeri
't think we need to make things
complicated to maintain/update/etc. and I suggest we merely silence
these with "deny" rules.
Cheers,
--
intrigeri
robably has AppArmor enabled. But perhaps you don't have the apparmor
package installed? If it's installed, please share the output of
"journalctl -b -u apparmor.service".
Cheers,
--
intrigeri
or now, if flags=(attach_disconnected) fixes
user-visible issues, it'll be good enough ⇒ feel free to add it :)
Cheers,
--
intrigeri
enable the new features? If the latter, can you please share the
exact feature-set you've used?
> Though it would be really nice to have some sort of integration test suite for
> apparmor-confined packages to do some serious testing before releasing
> upgrades...
Absolutely.
Cheers,
--
intrigeri
Hi,
Sebastian Andrzej Siewior:
> On 2018-07-22 20:10:08 [+0800], intrigeri wrote:
>> Looking at the Journal, it looks very much like the clamav-freshclam
>> service is started before the /usr/bin/freshclam AppArmor profile
>> is loaded.
>>
>> I think this is pot
to bring a new Shutter
version that does not depend on these obsolete libraries. Dominique,
what do you think?
Jeremy, what's the plan wrt. obsolete GNOME libraries in sid?
Cheers,
--
intrigeri
Package: libdevel-beginlift-perl
Severity: serious
Version: 0.001003-1
Running Mkbootstrap for BeginLift ()
chmod 644 "BeginLift.bs"
"/usr/bin/perl" "-Iinc" -MExtUtils::Command::MM -e 'cp_nonempty' --
BeginLift.bs blib/arch/auto/Devel/BeginLift/BeginLift.bs 644
"/usr/bin/perl" "-Iinc" "/usr/shar
remove the package from Debian in ~1
month. This of course does not affect the standing of your module
on CPAN.
Thank you for maintaining this module so far!
--
intrigeri
't hear anything we will remove the package from Debian
around the end of August. This of course does not affect the standing
of your module on CPAN.
Thank you for maintaining this module so far!
--
intrigeri
remove the package from Debian
around the end of August. This of course does not affect the standing
of your module on CPAN.
Thank you for maintaining this module so far!
--
intrigeri
don't hear anything we will remove the package from Debian
around the end of August. This of course does not affect the standing
of your module on CPAN.
Thank you for maintaining this module so far!
--
intrigeri
Control: retitle -1 Thunderbird AppArmor config breaks stuff with custom $TMPDIR
Control: severity -1 minor
(Retitling to clarify which condition is needed to trigger the bug,
downgrading severity as this AppArmor profile is disabled by default.)
. Do you think we should debug this further, in case it affects other
people as well? If you do, then I'll need instructions :)
Cheers,
--
intrigeri
Hi,
(John, one question for you below, please search for your name :)
Vincas Dargis:
> On 7/22/18 3:48 PM, intrigeri wrote:
>> Vincas Dargis:
>>> I've managed to install 4.17.0-rc3 and 4.18.0-rc4 with equivs hack, and I
>>> did not see
>>> any immedia
intrigeri:
> John, could you please tell me how I can benefit from the network
> socket mediation feature that was merged into Linux 4.17?
John answered my question on IRC:
- "you can't yet. You will need an apparmor 3.0 beta which keeps
getting delayed"
- "for variou
moval requests today.
Cheers,
--
intrigeri
ntained stack of libraries, we finally agreed
the only way ahead is to remove Shutter from Debian:
https://bugs.debian.org/870418#122
Cheers,
--
intrigeri
intrigeri:
> OK. I'll file the removal requests today.
That's #904526.
ebian.org,
https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=oldlibs&user=pkg-gnome-maintainers%40lists.alioth.debian.org)
Its only reverse-dependency is shutter, for which I've just filed a RM
bug (#904526).
Cheers,
--
intrigeri
Requested removal: #904531
Package: ftp.debian.org
Severity: normal
This package blocks the GNOME team's process to remove a bunch of
obsolete GNOME 2 area libraries.
Its only reverse-dependencies are libgnome2-perl and shutter, for
which I've filed RM bugs too.
Cheers,
--
intrigeri
Package: ftp.debian.org
Severity: normal
This package blocks the GNOME team's process to remove a bunch of
obsolete GNOME 2 area libraries.
Its only reverse-dependencies are libgnome2-perl and shutter, for
which I've filed RM bugs too.
Cheers,
--
intrigeri
Control: block -1 by 904535
Requested removal.
Requested removal: #904534
Package: ftp.debian.org
Severity: normal
Control: block -1 by 904526
This package blocks the GNOME team's process to remove a bunch of
obsolete GNOME 2 area libraries.
Its only reverse-dependency is shutter, for which I've filed a RM
bug too.
--
intrigeri
Package: ftp.debian.org
Severity: normal
Control: block -1 by 904526
This package blocks the GNOME team's process to remove a bunch of
obsolete GNOME 2 area libraries.
Its only reverse-dependency is shutter, for which I've filed a RM
bug too.
--
intrigeri
Package: ftp.debian.org
Severity: normal
Control: block -1 by 904526
This package blocks the GNOME team's process to remove a bunch of
obsolete GNOME 2 area libraries.
Its only reverse-dependency is shutter, for which I've filed a RM
bug too.
Package: ftp.debian.org
Severity: normal
Control: block -1 by 904526
This package blocks the GNOME team's process to remove a bunch of
obsolete GNOME 2 area libraries.
Its only reverse-dependency is shutter, for which I've filed a RM
bug too.
--
intrigeri
Package: libgtk2-ex-entry-pango-perl
Severity: serious
Version: 0.10-1
Control: block -1 by 885675
User: pkg-perl-maintain...@lists.alioth.debian.org
Usertags: gnome2-removal
Yet another {GNOME,GTK+} 2 cleanup bug for Buster.
Its only reverse-dependency is xacobeo, see #885675.
he package from Debian
around the end of August. This of course does not affect the standing
of your module on CPAN.
Thank you for maintaining this module so far!
Cheers,
--
intrigeri
Package: libgtk2-ex-printdialog-perl
Severity: serious
Version: 0.03-4
Let's ship as little GTK+ 2 binding as we can in Buster.
This package has no reverse-dependency in the archive.
Package: libgtk2-ex-podviewer-perl
Severity: serious
Version: 0.18-2
Let's ship as little GTK+ 2 binding as we can in Buster.
This package has no reverse-dependency in the archive.
Cheers,
--
intrigeri
Package: libgtk2-gladexml-simple-perl
Version: 0.32-3
Severity: serious
Let's ship as little GTK+ 2 bindings as we can in Buster.
This package has no reverse-dependency in the archive.
Package: libgtk2-ex-volumebutton-perl
Severity: serious
Version: 0.07-3
Let's ship as little GTK+ 2 bindings as we can in Buster.
This package has no reverse-dependency in the archive.
Package: libgtk2-ex-simple-list-perl
Severity: serious
Version: 0.50-3
Let's ship as little GTK+ 2 binding as we can in Buster.
This package has only one reverse-dependency in the archive
(libgtk2-ex-podviewer-perl) for which I've filed a RC bug too.
Package: libgtk2-notify-perl
Severity: serious
Version: 0.05-5
Let's ship as little GTK+ 2 bindings as we can in Buster.
This package has no reverse-dependency in the archive.
Package: libgtk2-spell-perl
Severity: serious
Version: 1.04-3
Let's ship as little GTK+ 2 bindings as we can in Buster.
This package has no reverse-dependency in the archive.
Package: libgtk2-traymanager-perl
Version: 0.05-3+b4
Severity: serious
Let's ship as little GTK+ 2 bindings as we can in Buster.
This package has no reverse-dependency in the archive.
Package: libgtk2-trayicon-perl
Version: 0.06-2
Severity: serious
GTK+ 2 has been deprecated upstream for years. Let's ship as little
Perl GTK+ 2 bindings as we can in Buster.
This package has only one reverse-dependency in the archive
(checkgmail), which is orphaned and dead upstream. I'll file a
Package: checkgmail
Severity: important
Version: 1.13+svn43-4
X-Debbugs-Cc: hialomu...@gmail.com, mo...@debian.org
checkgmail is the reverse-dependency of libgtk2-trayicon-perl, which
I'd rather not ship in Buster (I've just filed a RC bug to this end:
#904556).
It looks like CheckGmail has been
Related: this package depends on libgtk2-gladexml-perl, which I'd
rather not include in Buster (I'll probably file a RC bug to this end
once I'm done with the reverse-dependency analysis).
Package: macchanger-gtk
Severity: important
macchanger-gtk is one of the very few reverse-dependencies of
libgtk2-gladexml-perl, which I'd rather not ship in Buster (I've
filed a RC bug to this end).
Please consider porting macchanger-gtk to GTK+ 3.
Package: gtkorphan
Severity: important
Version: 0.4.4-2
gtkorphan is one of the very few reverse-dependencies of
libgtk2-gladexml-perl, which I'd rather not ship in Buster (I've filed
a RC bug to this end).
Please consider porting gtkorphan to GTK+ 3.
Package: libgtk2-gladexml-perl
Version: 1.007-2
Severity: serious
Let's ship as little GTK+ 2 bindings as we can in Buster.
This package has only 4 reverse-dependencies, 3 of which are unlikely
to be part of Buster anyway:
- libgtk2-gladexml-simple-perl: filed #904551 to avoid shipping it in Bu
ntering
[24715:Unnamed thread 0x70e5d451c160]: I/IMAP
0x70e5cbe25000:127.0.0.1:NA:ProcessCurrentURL:imap://intrigeri@127.0.0.1:143/select%3E.INBOX:
= currentUrl
[24715:Unnamed thread 0x70e5d451c160]: D/IMAP ReadNextLine
[stream=0x70e5cd94cb80 nb=121 needmore=0]
[24715:Unnamed thread 0x70e5d45
On https://salsa.debian.org/apparmor-team/apparmor/merge_requests/6
I've discussed with Jamie how to more fully align with upstream, which
is required to fix this bug. See the "resolved" discussions there.
Package: python-apparmor
Version: 2.13-3
Severity: normal
1. They have no reverse-deps on Debian.
2. I'd rather not encourage new software being written using the
Python 2 bindings.
3. There's been 2 Debian stable releases with both Python 2 and Python
3 binding included, which should be eno
Control: tag -1 + moreinfo
Hi,
intrigeri:
> I am basically clueless about multiarch stuff. Is anyone else on the
> team knowledgeable in this area, or should we seek help elsewhere?
Thanks to Helmut's help on IRC I took a closer look.
1. apparmor
This package is arch:any
Control: tag -1 + patch
https://salsa.debian.org/apparmor-team/apparmor/merge_requests/7
ysvinit systems with /var not mounted
by $local_fs" case
Cheers,
--
intrigeri
Control: retitle -1 Move the binary cache from /etc to /var/cache
Control: tag -1 + patch
https://salsa.debian.org/apparmor-team/apparmor/merge_requests/9
FTR I'll be happy to implement a fix for this bug once it does not
require reasoning about multiple init systems' semantics for services
{current,next boot} {enabled,disabled} status.
tly testing a fix
and will upload ASAP.
Thanks for the prompt bug report!
Cheers,
--
intrigeri
Randy Stauner:
> I am the most recent releaser, but I do not have time to work on this (or
> anything perl, sadly) any more.
Thanks for letting us know!
on a system where
/etc/apparmor/parser.conf does *not* contain
Optimize=no-expr-simplify.
From a9d5816aed4a8b2dfa1e9505ef862cd9289b370f Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Wed, 1 Aug 2018 00:51:13 +
Subject: [PATCH 1/2] parser.conf: turn off expression tree simplification,
th
Hi,
intrigeri:
> Where does /opt/firefox/firefox come from? In other words, how did you
> install this copy of Firefox?
Ping?
Cheers,
--
intrigeri
Control: severity -1 normal
Justification: to hit this bug, one has to apply two changes to the
default configuration (opt-in for AppArmor confinement and store
profiles in a non-default location).