Control: tag -1 + moreinfo
Hi Paul,
intrigeri:
>>> - Don't bloat the logs with fingerprints of keys that could not
>>>be found (Closes: #900388). Also, hide spurious
>>>"dirmngr:Network:/usr/bin/dirmngr:1:1:" output.
>> This do
Vincas Dargis:
> Cool, I will work on MR.
:)))
Also, would be good to have a 2.13.x upstream release with the
fixes/improvements we need.
> "Why not" could be "don't want to manage backports too much" :) .
Right, at least not without being aware of a real need.
Cheers,
--
intrigeri
Vincas Dargis:
> Also, some temporary files like
> "usr.lib.libreoffice.program.soffice.binc3d3lu5x~"
> are left when aa-enforce fails:
Could you please report a bug upstream
(https://bugs.launchpad.net/apparmor/+filebug)
or worst case a dedicated one in Debian about this?
Thanks in advance!
Vincas Dargis:
> intrigeri, are we getting AppArmor 3 in Buster,
Impossible to predict at this point.
> or else maybe we could backport `mesa` abstraction into AppArmor
> 2.13?
Why not. Create a MR or file a bug against src:apparmor?
Cheers,
--
intrigeri
Vincas Dargis:
> intrigeri, could we get opencl abstractions in 2.13, or we are expecting to
> get AppArmor 3 in Buster?
Sure, gimme a bug against src:apparmor :)
> BTW I have proposed update to use `dri-enumerate` abstraction and remove
> backported rule:
> https://gerrit.libr
Joachim Wuttke:
> see https://superuser.com/questions/1276256
> for a workaround that worked for me.
Can you please share the resulting, modified AppArmor profile that
works for you?
Thanks in advance!
ke target while thunderbird is built.
I see no indication that this bug is caused by AppArmor (quite the
opposite) so I'm hereby removing the tb-apparmor usertag.
Cheers,
--
intrigeri
act apart of noise in
the logs. Could you please extract from your proposed patch the subset
that fits into the first category?
Cheers,
--
intrigeri
ome more info:
- the output of "journalctl -b | grep apparmor"
- the output of "aa-status"
Also, https://wiki.debian.org/AppArmor/Debug might help.
Cheers,
--
intrigeri
Paul Wise:
> On Mon, 2018-07-09 at 22:06 +0000, intrigeri wrote:
>> - parcimonie-applet is officially deprecated and unsupported upstream.
> What has it been replaced by?
Nothing yet. parcimonie-applet(1p) now reads:
DEPRECATION WARNING
The underlying technologi
Control: retitle -1 Disable expression tree simplification via parser.conf
Most likely 2.13-7 will disable expression tree simplification
via debian/lib/apparmor/functions, as a temporary workaround:
Control: severity -1 normal
Justification: to hit this bug, one has to apply two changes to the
default configuration (opt-in for AppArmor confinement and store
profiles in a non-default location).
Hi,
intrigeri:
> Where does /opt/firefox/firefox come from? In other words, how did you
> install this copy of Firefox?
Ping?
Cheers,
--
intrigeri
on a system where
/etc/apparmor/parser.conf does *not* contain
Optimize=no-expr-simplify.
From a9d5816aed4a8b2dfa1e9505ef862cd9289b370f Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Wed, 1 Aug 2018 00:51:13 +
Subject: [PATCH 1/2] parser.conf: turn off expression tree simplification,
that ma
Randy Stauner:
> I am the most recent releaser, but I do not have time to work on this (or
> anything perl, sadly) any more.
Thanks for letting us know!
a fix
and will upload ASAP.
Thanks for the prompt bug report!
Cheers,
--
intrigeri
FTR I'll be happy to implement a fix for this bug once it does not
require reasoning about multiple init systems' semantics for services
{current,next boot} {enabled,disabled} status.
Control: retitle -1 Move the binary cache from /etc to /var/cache
Control: tag -1 + patch
https://salsa.debian.org/apparmor-team/apparmor/merge_requests/9
ysvinit systems with /var not mounted
by $local_fs" case
Cheers,
--
intrigeri
Control: tag -1 + patch
https://salsa.debian.org/apparmor-team/apparmor/merge_requests/7
Control: tag -1 + moreinfo
Hi,
intrigeri:
> I am basically clueless about multiarch stuff. Is anyone else on the
> team knowledgeable in this area, or should we seek help elsewhere?
Thanks to Helmut's help on IRC I took a closer look.
1. apparmor
This package is arch:any and
Package: python-apparmor
Version: 2.13-3
Severity: normal
1. They have no reverse-deps on Debian.
2. I'd rather not encourage new software being written using the
Python 2 bindings.
3. There's been 2 Debian stable releases with both Python 2 and Python
3 binding included, which should be
On https://salsa.debian.org/apparmor-team/apparmor/merge_requests/6
I've discussed with Jamie how to more fully align with upstream, which
is required to fix this bug. See the "resolved" discussions there.
ng
[24715:Unnamed thread 0x70e5d451c160]: I/IMAP
0x70e5cbe25000:127.0.0.1:NA:ProcessCurrentURL:imap://intrigeri@127.0.0.1:143/select%3E.INBOX:
= currentUrl
[24715:Unnamed thread 0x70e5d451c160]: D/IMAP ReadNextLine
[stream=0x70e5cd94cb80 nb=121 needmore=0]
[24715:Unnamed thread 0x70e5d451c160
Package: libgtk2-gladexml-perl
Version: 1.007-2
Severity: serious
Let's ship as few GTK+ 2 bindings as we can in Buster.
This package has only 4 reverse-dependencies, 3 of which are unlikely
to be part of Buster anyway:
- libgtk2-gladexml-simple-perl: filed #904551 to avoid shipping it in
Package: gtkorphan
Severity: important
Version: 0.4.4-2
gtkorphan is one of the very few reverse-dependencies of
libgtk2-gladexml-perl, which I'd rather not ship in Buster (I've filed
a RC bug to this end).
Please consider porting gtkorphan to GTK+ 3.
Package: macchanger-gtk
Severity: important
macchanger-gtk is one of the very few reverse-dependencies of
libgtk2-gladexml-perl, which I'd rather not ship in Buster (I've
filed a RC bug to this end).
Please consider porting macchanger-gtk to GTK+ 3.
Related: this package depends on libgtk2-gladexml-perl, which I'd
rather not include in Buster (I'll probably file a RC bug to this end
once I'm done with the reverse-dependency analysis).
Package: checkgmail
Severity: important
Version: 1.13+svn43-4
X-Debbugs-Cc: hialomu...@gmail.com, mo...@debian.org
checkgmail is the reverse-dependency of libgtk2-trayicon-perl, which
I'd rather not ship in Buster (I've just filed a RC bug to this end:
#904556).
It looks like CheckGmail has been
Package: libgtk2-trayicon-perl
Version: 0.06-2
Severity: serious
GTK+ 2 has been deprecated upstream for years. Let's ship as few
Perl GTK+ 2 bindings as we can in Buster.
This package has only one reverse-dependency in the archive
(checkgmail), which is orphaned and dead upstream. I'll file
Package: libgtk2-traymanager-perl
Version: 0.05-3+b4
Severity: serious
Let's ship as few GTK+ 2 bindings as we can in Buster.
This package has no reverse-dependency in the archive.
Package: libgtk2-notify-perl
Severity: serious
Version: 0.05-5
Let's ship as few GTK+ 2 bindings as we can in Buster.
This package has no reverse-dependency in the archive.
Package: libgtk2-spell-perl
Severity: serious
Version: 1.04-3
Let's ship as few GTK+ 2 bindings as we can in Buster.
This package has no reverse-dependency in the archive.
Package: libgtk2-gladexml-simple-perl
Version: 0.32-3
Severity: serious
Let's ship as few GTK+ 2 bindings as we can in Buster.
This package has no reverse-dependency in the archive.
Package: libgtk2-ex-volumebutton-perl
Severity: serious
Version: 0.07-3
Let's ship as few GTK+ 2 bindings as we can in Buster.
This package has no reverse-dependency in the archive.
Package: libgtk2-ex-simple-list-perl
Severity: serious
Version: 0.50-3
Let's ship as few GTK+ 2 bindings as we can in Buster.
This package has only one reverse-dependency in the archive
(libgtk2-ex-podviewer-perl) for which I've filed a RC bug too.
Package: libgtk2-ex-printdialog-perl
Severity: serious
Version: 0.03-4
Let's ship as few GTK+ 2 bindings as we can in Buster.
This package has no reverse-dependency in the archive.
Package: libgtk2-ex-podviewer-perl
Severity: serious
Version: 0.18-2
Let's ship as few GTK+ 2 bindings as we can in Buster.
This package has no reverse-dependency in the archive.
Cheers,
--
intrigeri
Debian
around the end of August. This of course does not affect the standing
of your module on CPAN.
Thank you for maintaining this module so far!
Cheers,
--
intrigeri
Package: libgtk2-ex-entry-pango-perl
Severity: serious
Version: 0.10-1
Control: block -1 by 885675
User: pkg-perl-maintain...@lists.alioth.debian.org
Usertags: gnome2-removal
Yet another {GNOME,GTK+} 2 cleanup bug for Buster.
Its only reverse-dependency is xacobeo, see #885675.
Package: ftp.debian.org
Severity: normal
Control: block -1 by 904526
This package blocks the GNOME team's process to remove a bunch of
obsolete GNOME 2 area libraries.
Its only reverse-dependency is shutter, for which I've filed a RM
bug too.
--
intrigeri
Package: ftp.debian.org
Severity: normal
Control: block -1 by 904526
This package blocks the GNOME team's process to remove a bunch of
obsolete GNOME 2 area libraries.
Its only reverse-dependency is shutter, for which I've filed a RM
bug too.
Package: ftp.debian.org
Severity: normal
Control: block -1 by 904526
This package blocks the GNOME team's process to remove a bunch of
obsolete GNOME 2 area libraries.
Its only reverse-dependency is shutter, for which I've filed a RM
bug too.
--
intrigeri
Package: ftp.debian.org
Severity: normal
Control: block -1 by 904526
This package blocks the GNOME team's process to remove a bunch of
obsolete GNOME 2 area libraries.
Its only reverse-dependency is shutter, for which I've filed a RM
bug too.
--
intrigeri
Control: block -1 by 904535
Requested removal.
Requested removal: #904534
Package: ftp.debian.org
Severity: normal
This package blocks the GNOME team's process to remove a bunch of
obsolete GNOME 2 area libraries.
Its only reverse-dependencies are libgnome2-perl and shutter, for
which I've filed RM bugs too.
Cheers,
--
intrigeri
Package: ftp.debian.org
Severity: normal
This package blocks the GNOME team's process to remove a bunch of
obsolete GNOME 2 area libraries.
Its only reverse-dependencies are libgnome2-perl and shutter, for
which I've filed RM bugs too.
Cheers,
--
intrigeri
Requested removal: #904531
://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=oldlibs=pkg-gnome-maintainers%40lists.alioth.debian.org)
Its only reverse-dependency is shutter, for which I've just filed a RM
bug (#904526).
Cheers,
--
intrigeri
intrigeri:
> OK. I'll file the removal requests today.
That's #904526.
of libraries, we finally agreed
the only way ahead is to remove Shutter from Debian:
https://bugs.debian.org/870418#122
Cheers,
--
intrigeri
requests today.
Cheers,
--
intrigeri
intrigeri:
> John, could you please tell me how I can benefit from the network
> socket mediation feature that was merged into Linux 4.17?
John answered my question on IRC:
- "you can't yet. You will need an apparmor 3.0 beta which keeps
getting delayed"
- "for various
Hi,
(John, one question for you below, please search for your name :)
Vincas Dargis:
> On 7/22/18 3:48 PM, intrigeri wrote:
>> Vincas Dargis:
>>> I've managed to install 4.17.0-rc3 and 4.18.0-rc4 with equivs hack, and I
>>> did not see
>>> any immediate pr
ould debug this further, in case it affects other
people as well? If you do, then I'll need instructions :)
Cheers,
--
intrigeri
Control: retitle -1 Thunderbird AppArmor config breaks stuff with custom $TMPDIR
Control: severity -1 minor
(Retitling to clarify which condition is needed to trigger the bug,
downgrading severity as this AppArmor profile is disabled by default.)
hear anything we will remove the package from Debian
around the end of August. This of course does not affect the standing
of your module on CPAN.
Thank you for maintaining this module so far!
--
intrigeri
the package from Debian
around the end of August. This of course does not affect the standing
of your module on CPAN.
Thank you for maintaining this module so far!
--
intrigeri
ear anything we will remove the package from Debian
around the end of August. This of course does not affect the standing
of your module on CPAN.
Thank you for maintaining this module so far!
--
intrigeri
the package from Debian in ~1
month. This of course does not affect the standing of your module
on CPAN.
Thank you for maintaining this module so far!
--
intrigeri
Package: libdevel-beginlift-perl
Severity: serious
Version: 0.001003-1
Running Mkbootstrap for BeginLift ()
chmod 644 "BeginLift.bs"
"/usr/bin/perl" "-Iinc" -MExtUtils::Command::MM -e 'cp_nonempty' --
BeginLift.bs blib/arch/auto/Devel/BeginLift/BeginLift.bs 644
"/usr/bin/perl" "-Iinc"
not depend on these obsolete libraries. Dominique,
what do you think?
Jeremy, what's the plan wrt. obsolete GNOME libraries in sid?
Cheers,
--
intrigeri
Hi,
Sebastian Andrzej Siewior:
> On 2018-07-22 20:10:08 [+0800], intrigeri wrote:
>> Looking at the Journal, it looks very much like the clamav-freshclam
>> service is started before the /usr/bin/freshclam AppArmor profile
>> is loaded.
>>
>> I think this is pot
e the new features? If the latter, can you please share the
exact feature-set you've used?
> Though it would be really nice to have some sort of integration test suite for
> apparmor-confined packages to do some serious testing before releasing
> upgrades...
Absolutely.
Cheers,
--
intrigeri
ed) fixes
user-visible issues, it'll be good enough ⇒ feel free to add it :)
Cheers,
--
intrigeri
ly has AppArmor enabled. But perhaps you don't have the apparmor
package installed? If it's installed, please share the output of
"journalctl -B -u apparmor.service".
Cheers,
--
intrigeri
to make things
complicated to maintain/update/etc. and I suggest we merely silence
these with "deny" rules.
Cheers,
--
intrigeri
ore the /usr/bin/freshclam AppArmor profile
is loaded.
I think this is potentially racy, which might be why the problem can't
trivially be reproduced in sid.
Cheers,
--
intrigeri
Control: tag -1 + pending
Laurent Bigonville:
> Could you please apply the attached patch?
Thanks! Applied in Vcs-Git (debian/experimental branch, which should
be uploaded to sid by the end of DebConf).
--priority=low ubuntu-archive-keyring
… and answer "Yes" to the "Add the Ubuntu archive keys to the list
of trusted keys used by apt to authenticate packages?" question.
Cheers,
--
intrigeri
Control: reassign -1 dirmngr
Control: found -1 2.1.18-8~deb9u1
Control: found -1 2.1.18-8~deb9u2
Control: fixed -1 2.2.8-3
Hi,
intrigeri:
> I'm sure I've noticed this problem before and we've discussed it
> already, either with dkg or weasel, and I hope it's well tracked
> somewhere. I
ctl restart tor@default
Can you please confirm that one of those fixes the problem
you're facing?
I'm sure I've noticed this problem before and we've discussed it
already, either with dkg or weasel, and I hope it's well tracked
somewhere. I'll check and will then adjust BTS metadata accordingly.
Cheers,
--
intrigeri
hould be tracked either. Perhaps you could ask
debia...@lists.debian.org?
FWIW I've not been affected by this bug on GNOME Wayland.
Cheers,
--
intrigeri
Vincas Dargis:
> I am proposing new abstraction for Mesa libraries:
> https://gitlab.com/apparmor/apparmor/merge_requests/137
> Once it's in, I'll backport needed changes to Thunderbird profile.
Vincas did that, then I've reviewed'n'merged that upstream and pushed
to Vcs-Git.
Control: notfixed -1 2.13-1
Control: found -1 2.13-1
Control: found -1 2.13-2
Control: tag -1 - upstream
I got it wrong. Tentatively fixed on the debian/experimental branch,
will test before uploading 2.13-3 (probably to sid and probably
during DebCamp).
as we speak.
Cheers,
--
intrigeri
Cyril Brulebois:
> intrigeri (2018-06-30):
>> May I assume that you have no tor service running?
> Well:
> kibi@armor:~$ gpg --search-keys k...@mraw.org
> gpg: WARNING: Tor is not properly configured
> gpg: error searching keyserver: Permission denied
>
y
de-installed tor, or manually disabled the tor service)
- not running Tor Browser
- having installed parcimonie
Cheers,
--
intrigeri
, which
is why these problems appeared on my radar.
If you lack time to take care of it yourself soon, I can offer to NMU
these packages in order to set the maintainer address to the person listed
in the Uploaders field who did most of the recent uploads. Just let me
know :)
Cheers,
--
intrigeri
to migrate back into
testing, until your team has had time to find out how you want to fix
this. Just let me know :)
Cheers,
--
intrigeri
FWIW it's unlikely that I have time to work on this myself before
DebCamp *but* if they've not been solved by then, fixing these
regressions will be one of my top priorities at DebCamp (ideally with
someone else).
missing.
> apparmor="DENIED" operation="mount" info="failed flags match"
> error=-13 profile="lxc-container-default" name="/" pid=2763
> comm="mount" flags="rw, remount"
I guess the "remount" flag is the problem. I guess it depends on what
LXC template you're using.
Cheers,
--
intrigeri
Vincas Dargis:
> linux-compiler-gcc-7-x86 needs gcc-7 that is not available?
For Tails we work this around with equivs:
https://git-tails.immerda.ch/tails/tree/config/chroot_local-hooks/12-kernel-modules-build-environment
Vincas Dargis:
> On Wed, 13 Jun 2018 19:44:58 +0200 intrigeri wrote:
>> I'll be very busy until DebCamp so it's unlikely I do much on this
>> front until then (best case I'll press the right buttons to enable
>> this on my own system once 4.17 is in sid, but I won't have tim
Control: tag -1 + fixed-upstream
Fixed in upstream commit 1fff379ff6.
?
Cheers,
--
intrigeri
Control: tag -1 + moreinfo
> AppArmor 2.13 fails to start if I set `features-file=` in parser.conf:
[...]
> Before, we used this to disable feature pinning, if I recall correctly.
I'm not sure: at least in previous versions of the conffile shipped in
the package, we commented out the
Control: tag -1 + upstream
Control: tag -1 + fixed-upstream
Control: forwarded -1 https://gitlab.com/apparmor/apparmor/merge_requests/110
Hi Vincas,
Vincas Dargis:
> This is what I get with `aa-logprof` after installing 2.13 from
> experimental (no reboot yet):
At first glance this looks like:
intrigeri:
> Linux v4.17-rc1 now supports basic socket mediation, which will allow
> us to close this bug report:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=56974a6fcfef69ee0825bd66ed13e92070ac5224
… which made it into v4.17 final :)
We could star
new, cloned bug is about.
> Then we could do exactly the same in src:apparmor.
Still the case for both iterations.
Cheers,
--
intrigeri
tus --enabled" takes less than 0.1s to
run, so I probably won't work on this myself.
Cheers,
--
intrigeri
intrigeri:
> Ben Caradoc-Davies:
>> On 20/11/17 09:38, Christian Boltz wrote:
>>> Thanks, but unfortunately I still can't reproduce the problem :-(
>>> Can you add a bit of debugging code in aa.py, please? […]
>> Sure. As requested:
>> # aa-complain thun
intrigeri:
> Update: the systemd unit that's used in openSUSE and Arch Linux was
> imported upstream
> (https://gitlab.com/apparmor/apparmor/merge_requests/81)
> Next step: check if it does everything Debian needs.
While packaging 2.13 I've cleaned up lots of obsolete cruft and
sim
Hi!
For the record we've started some discussion upstream about the
relationship between MAT and MAT2 / the future of MAT v1.
Personally I don't have anything at stake wrt. what's decided
upstream, although I've already shared my thoughts with
Julien privately.
What matters to me is the users'
ght
to src:thunderbird.
Cheers,
--
intrigeri
Vincas Dargis:
> intrigeri: what do we do in this case, I guess we just copy-paste
> dri-enumerate into
> some sort of "# backported from dri-enumerate" block?
yes.
Control: severity -1 minor
Luca Boccassi:
> They should indeed be updated, but note that we ship a mount point to
> provide backward-compatibility for Buster, so nothing should be broken
> for the moment.
Good to know, thanks!
Cheers,
--
intrigeri
nt where systemd-journald is running, please
provide the complete output of "journalctl -b".
Thanks in advance!
Cheers,
--
intrigeri
paths. I did not test what's the exact impact yet but I suspect
it breaks some of live-tools functionality.
Cheers,
--
intrigeri