You are copied on this message because you raised objections noted by
the policy editors during the discussion of menu policy or seconded the
proposal in #707851.
The TC is currently evaluating a request to review that proposal and the
process surrounding it.
If you seconded the proposal, I'd lik
> "Lisandro" == Lisandro Damián Nicanor Pérez Meyer
> writes:
Lisandro> Hi Sam! A long time has passed since then and I should re
Lisandro> read the full and extensive bug log to assert whatever you
Lisandro> want to ask. But I can be sure on one thing: at the time
Lisand
Package: config-package-dev
Version: 5.1.2
Severity: normal
Hi. According to the dh_configpackage man page, the paths in debian/*.displace
need not have a leading slash, just like other debhelper inputs.
However, the code generates errors like the following if you leave out the
leading slash.
d
You should be aware that Debian 7.x is the last version of Debian that
has krb5-clients.
The package has been desupported and is no longer maintained and has
been removed from future versions of Debian.
The Kerberos telnet application is insecure. While I don't know of
specific security problems w
> "Andreas" == Andreas Barth writes:
Andreas> * ravi (r...@linux.vnet.ibm.com) [140910 13:56]:
>> We have also successfully verified building "libverto" source
>> package on ppc64el build machine after applying attached patch.
Andreas> As ppc64el is now in Debian, I'd be will
> "josh" == josh writes:
josh> I wouldn't necessarily suggest using this as an argument
josh> against the proposed resolution. Instead, I'd recommend
josh> making sure that cgmanager is just as harmless under systemd
josh> as systemd-shim 8-4 currently is, by making it not r
I don't think this matters for the vote, and apologies because there's
probably a better place to send this advice. I was thinking last night
about the apt and debootstrap resolver issues and was wondering whether
the following solution might help.
I realize the issue is minor and is more about
I've been working with this a bit more. One possibility would be to add
an export option or some git dpm option to generate a dsc or a tree that
could be used to generate a dsc. At that point you could either add the
changes as a final patch or unapply them. What I'm doing now is running
dpkg-so
>>>>> "Bernhard" == Bernhard R Link writes:
Bernhard> * Sam Hartman [141109 19:15]:
>> I've been working with this a bit more. One possibility would be
>> to add an export option or some git dpm option to generate a dsc
>>
I'd like to better understand the severity issue.
Are you saying that there's no order I can install shibboleth and apache
in wheezy that will work?
I.E. even if I manually install the module first?
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscr
package: wnpp
severity: wishlist
owner: hartm...@debian.org
x-debbugs-cc: debian-de...@lists.debian.org
source: git://git.project-moonshot.org/mech_eap.git
license: BSD-3-Clause
Description: Project moonshot provides federated access to a wide range
of applications. This package adds a GSS-API m
Convince heimdal to emit -Isystem as well? Just to play nice?
package: wnpp
severity: wishlist
owner: hartm...@debian.org
URL: http://www.project-moonshot.org/
source: git://git.project-moonshot.org/moonshot-ui.git
license: BSD-3-Clause
Description: This package manages the Moonshot identity store,
permitting users to add and remove identities as well as to
package: debhelper
version: 9.20141003
severity: wishlist
I suspect a lot of folks will be writing systemd service units in the
future.
While writing units for krb5-kdc, I ran across an issue.
On first install, until you set up your database, it's kind of expected
that krb5-kdc will fail to sta
package: moonshot-trust-router
severity: serious
justification: ROM
version: 1.4.1-1
Based on upstream discussion, the trust router without FreeRADIUS
integration does not provide sufficient value to expend the effort for
supporting for the length of the Jessie release.
Since we're not willing to
Perhaps, although I'll note that the krb5 maintainers are unaware of
what's exactly going on in 764669.
So, feel free to merge, but if you actually have an idea of the problem,
please enlighten us, as we don't see that behavior at all.
--Sam
package: moonshot-gss-eap
version: 0.9.2-1
severity: serious
From the TODO.debian:
* Give the security team a change to comment on the included code from
wpa_supplicant. There's really no other way; their ABI is not
stable enough that it would make sense to build eap shared libraries
out o
control: owner -1 !
Aaaargh.
I am going to disable the openssl version check entirely because
freeradius has no business getting in the way of Debian security
updates.
Thanks for the heads up and I hope to have an upload tonight.
Hi.
I seem to have missed this somehow.
I don't think the -config interface is well defined. In particular, I
don't think it's clear what flags can be included in foo-config output
and what cannot.
When including the -isystem patch, we evaluated and made sure all the
compilers in Debian could pa
soname, Closes: #765871
* Non-Maintainer Upload
-- Sam Hartman Thu, 23 Oct 2014 21:45:36 -0400
> "Josh" == Josh Triplett writes:
Josh> - It can't check for generated lines for serial consoles or
Josh> similar; finish-install can generate various additional
Josh> inittab lines, which the check should include.
Since when did systemd actually handle these correctly?
I've gene
control: tags -1 -moreinfo
> "Adam" == Adam D Barratt writes:
Adam> Control: tags -1 + moreinfo
>> freeradius (2.2.5+dfsg-0.2) unstable; urgency=high
>>
>> * Disable OpenSSL version check; Debian will maintain ABI
>> stability or change the soname, Closes: #765871 * Non-
source: gnome-orca
source-version: 3.14
Yeah, I agree this no longer seems to be an issue.
on 3.9.5, no changes
* New upstream version, Closes: #740857, #691770
- Include dictionary.mikrotik, Closes: #672200
Author: Sam Hartman
Bug-Debian: http://bugs.debian.org/661915
Bug-Debian: http://bugs.debian.org/669741
Bug-Debian: http://bugs.debian.org/672200
Bug-Debian: http://bugs.d
Are you using systemd or sysvinit?
If you have krb5-kdc-ldap installed, I'd expect that we already have a
dependency on slapd set up with an insserv-override in krb5-kdc-ldap.
If you are using systemd this is a known problem.
> "Russ" == Russ Allbery writes:
Russ> The real long-term solution is to convert both services to use
Russ> systemd socket activation.
Josh Tripplet (SP?) and I had a long conversation about socket
activation at Debconf.
my position is that socket activation is a bad choice for net
>>>>> "Russ" == Russ Allbery writes:
Russ> Sam Hartman writes:
>> my position is that socket activation is a bad choice for network
>> services where the primary user of the socket is non-local. The
>> issue is that in
>>>>> "Russ" == Russ Allbery writes:
Russ> Sam Hartman writes:
>> Are you using systemd or sysvinit?
>> If you have krb5-kdc-ldap installed, I'd expect that we already
>> have a dependency on slapd set up with an insserv-
package: syslog-ng-core
severity: important
version:3.3.5-4
justification: does not enable systemd unit.
syslog-ng-core's postinst does not enable its syslog unit.
I'm guessing that including systemd in the dh sequence is not quite
doing enough to actually turn it on.
Unfortunately dh-systemd i
>>>>> "Simon" == Simon McVittie writes:
Simon> On 14/11/14 03:50, Sam Hartman wrote:
>> # Automatically added by dh_installinit if [ -x
>> "/etc/init.d/syslog-ng" ]; then update-rc.d syslog-ng defaults 10
>> 90 >
I've done the import and rebase and have confirmed the result builds.
I need to adjust symbols files, pull in a few patches from the 1.14
branch, etc.
But progress is happening here.
Hi.
I've pushed an experimental, upstream and pristine-tar branch.
I think the package is more or less ready to build for experimental,
except that I'd like to merge in the patches to split out slave support
into its own package and to include init scripts there.
I've picked up most of the patche
I have an upgrade to 1.14 (plus these patches and a few others) sitting
on the experimental branch of the git repo. I had been planning to push
that to experimental and then if there were no problems through to sid
and stretch. I had not been planning to make a specific upload to sid.
I guess it w
I've merged the patch into the 1.14 upload I'm preparing.
> "Christopher" == Christopher Odenbach writes:
Christopher> Hi,
Christopher> Any chance to see this small change in jessie?
I think it would be a good idea, but realistically unless I'm preparing
another jessie update I probably won't get to it.
I don't mind if someone else does.
How can a memory leak be grave?
Hi.
I hope to get to this in the next week or so; sorry about the delay.
control: -1 severity important
I'm not sure what the best way to avoid freeradius being pulled out of
jessie is besides dropping the severity.
If tagging it wheezy and bringing the severity back up would work feel
free to do that.
Is anyone seeing this with jessie or is this a wheezy-only issue?
Not really.
The acl is clearly not a conffile, because there is no default that is
correct for a majority of sites.
So, it's not appropriate to ship in a package, but instead should be
created by a postinst somewhere.
(I've been planning to get rid of krb5_newrealm and move realm setup
into postins
Policy says that one package can't mess with another package's
configuration. That is, it's not really OK from a policy POV for
anything besides krb5 to mess with the configuration files for krb5.
However, you can of course coordinate other things.
I can dig up specific citations if you'd like.
bu
control: tags -1 moreinfo
I'm confused.
krb5 has had a de.po for several years.
Why are you sending in an initial po again?
control: tags -1 -moreinfo
O, you're talking about upstream translations for the source (error
messages), not for debconf.
I'm sorry.
Thanks very much, and yes I do know what to do with this.
control: severity -1 important
It might be worth getting these two into jessie if the release team is
willing. I think pre-approved fixes are valid until January 5 and so
we should figure out how to get pre-approval if you agree.
--sam
> "David" == David Bremner writes:
David> Philip Hands writes:
>> I presume we'd want to continue providing /usr/bin/nodejs for
>> people that have switched to using that, so that might as well
>> continue to be the name of the binary, since that gives us a
>> 'node' syml
source package libradsec
dpkg-buildpackage: info: source version 0.0.5-3
dpkg-buildpackage: info: source distribution unstable
dpkg-buildpackage: info: source changed by Sam Hartman
dpkg-buildpackage: info: host architecture amd64
fakeroot debian/rules clean
dh clean --with autoreconf --pa
package: dgit
version: 3.12
What I'm really trying to do is to have dgit build my package with
sbuild, checking out the pristine-tar if necessary.
Why do I like that better than dgit fetch to guarantee I have the
tarball?
Well, perhaps I trust my local state more than the archive (I understand
I'l
> "Ian" == Ian Jackson writes:
That bug appears to be about a case where there are submodules in the
repository I give to dgit as input.
My case is different.
I have a super-repository of a lot of related packages with each
submodule corresponding to one complete Debian package.
It seems lik
r CVE-2016-3120 (kdc crash on restrict_anon_to_tgt), , Closes:
+#832572
+ * fix for CVE-2016-3119: remote DOS with ldap for authenticated
+attackers, Closes: #819468
+ * Prevent requires_preauth bypass (CVE-2015-2694), Closes: #783557
+
+ -- Sam Hartman Sun, 13 Aug 2017 18:02:34 -0400
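Review bot: the CVE-2016-3120 changelog entry at the top of this hunk has a doubled comma before the bug reference (", , Closes:"); it should read ", Closes: #832572" to match the CVE-2016-3119 and CVE-2015-2694 entries below it.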
Hi. I will check this later today once I finish catching up from
debconf at $dayjob.
That said:
1) I did already confirm that if you handle .git correctly, everything
else works. That is, I moved the git directory to be a directory,
changed .git/config to remove a no-longer-necessary override o
Hi.
I tested with dgit 4.1 and it worked well enough to dgit build-source.
I did not check through a full push mostly because I don't have any
packages to push ATM.
However if it works that well, I think it is conclusive.
> "Sean" == Sean Whitton writes:
Sean> Hello,
Sean> On Mon, Aug 14 2017, Ian Jackson wrote:
>> There are three situations I think:
>>
>> 1. fetch. There is a pristine-tar branch available somewhere.
>> You want to avoid downloading the .orig, and instead use
>>
Package: asterisk-opus
Version: 13.7+20161113-3
Severity: grave
Justification: renders package unusable
The asterisk package in unstable provides
asterisk-1fb7f5c06d7a2052e38d021b3d8ca151
but asterisk-opus depends on asterisk-fa819827cbff2ea35341af5458859233
It looks like this is a system that
OK, if the checksum doesn't change regularly, I can understand why the
current arrangement makes sense.
It would be great to get asterisk-opus rebuilt though:-)
I wonder if your nss stack is somehow caching something about the
network and the name servers and that kstart process is no longer able
to resolve KDCs.
It would be interesting to set KRB5_TRACE to a file, run kstart such
that it is failing and see what specifically is not working.
My bet is on DN
===BEGIN
The Technical Committee recommends that Niko Tyni be
appointed by the Debian Project Leader to the Technical Committee.
N: Recommend to Appoint Niko Tyni
F: Further Discussion
===END
I vote N>F
signature.asc
Description: PGP signature
I just uploaded the jessie update after fixing the extra comma in the
changelog. I did run tests covering these security updates. I found
that some of the tests included in make check were already failing on
jessie and were still failing after this update. It looks like this may
be related to pa
Wait...
Is that actually even legal under RFC 1964?
Doesn't this lead to leaks for correctly written applications?
--Sam
Ah, looked at the commit.
Yeah.
This makes sense.
This is somewhat of a behavior change.
Do we want to just bring this into unstable, or do we want to backport
it to stable releases?
It seems like there is a possibility of problems in either direction.
> "Thorsten" == Thorsten Glaser writes:
Thorsten> Hi,
>> * Restore /usr/bin/node following CTTE #862051 Let's try to drop
>> /usr/bin/nodejs before buster. Replaces and Conflicts
>> nodejs-legacy. Closes: #754462.
Thorsten> please do NOT completely replace an ABI betwee
OK, let's give the security team some context.
RFC 2744 specifies some kind of unfortunate behavior for error
handling.
gss_init_sec_context and gss_accept_sec_context have an in/out context
parameter (pointer to pointer).
You initialize the pointed to value to null the first time through.
It ge
> "Didier" == Didier 'OdyX' Raboud writes:
Didier> For good reasons, Debian forcibly introduced a special-case
Didier> when Node.js first appeared in a stable release through only
Didier> shipping it under /usr/bin/nodejs. That forced hundreds of
Didier> projects to cope wit
> "Julien" == Julien Puydt writes:
Julien> Hi, Le 31/08/2017 à 13:52, Jérémy Lal a écrit :
>> How about printing a "nice" warning explaining it would be a good
>> idea to move to /usr/bin/node ? Then in next next release drop
>> the nodejs symlink.
Julien> May I suggest t
> "Dominique" == Dominique Dumont writes:
Dominique> On Thursday, 31 August 2017 13:58:23 CEST Thorsten Glaser wrote:
>> > How about printing a "nice" warning explaining it would be a
>> good idea to > move to /usr/bin/node ?
>>
>> That will break scripts that do:
>>
Hi.
d-i preseeding.
I'd be happy to work with you if we can remove that from the equation.
I'd also be interested in why DNS srv lookups aren't good enough for
you.
If I had krb5-config to do again, I probably wouldn't support adding
realms at all.
The goals of krb5-config may not be entirely wh
I'm starting the process of updating to new upstream.
I think that is reasonably likely to fix this. If not, I'll look into
the issue after the update.
I'm OK if moonshot-gss-eap falls out of testing for a few weeks.
--Sam
Thanks for bringing this to my attention.
I'll definitely fix, although I'll end up applying a somewhat different
patch because of the build profiles support included in 1.15.1. SASL,
like LDAP would create a cycle in stage1 builds.
I expect a new version soon.
I don't have a good test environmen
I'm not actually sure I particularly want it removed from the system.
It's fair that it should be removed on purge though and I'll at least do
that.
I'll remove it in purge; there's another bug open effectively for that.
However, I think it is generally a good thing if the file exists.
Because of the dpkg bug we no longer install it, but I think our users
are better served by leaving the file on upgrades.
Take a look at the stretch branch of
git://git.debian.org/git/pkg-k5-afs/debian-krb5-2013.git
Shall I upload that to stable-security?
Actually, on that note, why does this bug merit a DSA?
It, like the other bugs, is a simple KDC crash from an authenticated
attacker.
It seems like it should be handled the same.
I can absolutely prepare a stable point update request for stretch.
Is there still going to be a last point release to jessie?
If so I'll look into that too; I'd definitely like to get an update in.
=== Resolution ===
The Technical Committee recognises that circumstances change in ways
that make previous resolutions no longer appropriate. In 2012, it was
resolved that the nodejs package should not provide /usr/bin/node due to
the historical conflict with the ax25-node package.
> "Petter" == Petter Reinholdtsen writes:
>> I think shortly after the release of buster, we can close this
>> bug and let moonshot-trust-router migrate into testing.
Petter> Did this time arrive?
Mostly.
I'm working through all the moonshot software and updating it to new
upstr
to fix handling of explicitly specified v4 wildcard
+address; regression over previous versions, Closes: #860767
+ * Fix SRV lookups to respect udp_preference_limit, regression over
+previous versions with OTP, Closes: #856307
+
+ -- Sam Hartman Wed, 09 Aug 2017 12:19:50 -0400
+
krb5 (1.
It's almost certainly impossible to get 1.15.1 into a point release of
stretch.
I think though the interesting question is whether this fix should go
into stretch.
In general, only important or release critical fixes can be included
after the freeze.
When you filed this bug as normal rather than i
OK.
OK.
If a couple of folks indicate this is an issue for them then it's a
simple enough fix it could be uploaded during the stretch lifecycle.
>
> The chair of the Debian Technical Committee will be:
>
> A: Keith Packard
> B: Didier Raboud
> C: Tollef Fog Heen
> D: Sam Hartman
> E: Phil Hands
> F: Margarita Manterola
> G: David Bremner
> ===END===
I vote B > F > D > C = E = A = G
package: krb5-kdc
version: 1.15-1
severity: important
tags: fixed-upstream
krb5-kdc can fail to work at all on some systems where getaddrinfo(NULL)
returns a v6 wildcard address.
Depending on kernel modules and socket configuration, you can get
address family not supported even though v4 is worki
> "Didier" == Didier 'OdyX' Raboud writes:
Didier> That code is now in Debian (experimental), so yes, I do
Didier> expect you to act in good faith and report bugs you see. You
Didier> are obviously quite versed in how 'global' works, and that's
Didier> undoubtedly valuable to
> "Colin" == Colin Watson writes:
Colin> As a maintainer who has sometimes had cause to do similar
Colin> things, I'm concerned at the standard being applied here.
Colin> Could you perhaps review the history around groff 1.18.1.1 ->
Colin> 1.20 for comparison? This is a case
I've played with systemd-networkd a bit.
It seems capable enough to handle this use case, but it has some
significant drawbacks.
It's not very backward compatible with expected sysadmin patterns. That
is, as a sysadmin, I'd expect ifup and ifdown to work. I expect to be
able to do things like ifd
I was working on the following comments in hopes of turning them into a
draft resolution for the TC.
The TC adopted not to take that approach, but I thought I'd submit these
as my individual opinion in the interest of sharing them and starting
discussion.
In #730978, the Technical Committee was a
I'm not really advocating that the TC would be a very good help promote
your ideas team.
However, I'm struck by the following even if I don't entirely know what
to make of it.
> "Ian" == Ian Jackson writes:
Ian> * To be accessible and approachable, and not judgemental.
Ian> * To
Package: vmdebootstrap
Version: 1.5-1
Severity: normal
ERROR: command failed: ['chroot', '/tmp/tmpuio60u', 'apt-get', '-f', '--no-remove', 'install']
Reading package lists...
Building dependency tree...
Correcting dependencies... Done
The following additional packages wi
Why does mountability matter anyway?
The interesting question is whether it boots on the target system,
right? Why do we care if it mounts on a third mac?
>>>>> "Thomas" == Thomas Schmitt writes:
Thomas> Hi,
Thomas> Sam Hartman wrote:
>> Why do we care if it mounts on a third mac?
Thomas> I care in my role as upstream of xorriso.
OK.
I'd ask that when interacting with end users, you
and dirty patch to rescan after login.
From 1392f5c0f1822e7c306ae6d9bdd3ede6f90b37c2 Mon Sep 17 00:00:00 2001
From: Sam Hartman
Date: Fri, 20 Jan 2017 17:24:05 -0500
Subject: [PATCH] Read certs again on token login
PKCS11_login destroys all certs and keys retrieved from the token. So
after logging
If your upload goes in tomorrow, it will supersede mine which will never
get processed.
If you miss a day, yours will still replace mine.
Package: x11-common
Version: 1:7.7+18
Severity: important
Hi. In the brave new world of systemd, /tmp tends to get cleaned fairly
aggressively even while users are logged in.
I've found that after a few days my ssh agent socket gets cleaned up, and I get
grumpy typing long pass phrases and unabl
> "Branden" == Branden Robinson writes:
Branden> Your patch looks good, except that I would quote the
Branden> expansion of $XDG_RUNTIME_DIR when invoking mkdir. If
Branden> $XDG_RUNTIME_DIR contains whitespace, the shell will
Branden> tokenize it in a surprising way and creat
>>>>> "Julien" == Julien Cristau writes:
Julien> On 01/24/2017 03:51 PM, Sam Hartman wrote:
>> Package: x11-common Version: 1:7.7+18 Severity: important
>>
>> Hi. In the brave new world of systemd, /tmp tends to get cleaned
>
Package: imagemagick-6.q16
Version: 8:6.9.7.0+dfsg-2
Severity: normal
In the past, if you passed an xwd file in on stdin using a command like
convert - /tmp/bar.jpg
it worked.
It still works if you do convert xwd:- /tmp/foo.jpg.
What seems to have broken is the autodetection of xwd from file.
as
> "Ole" == Ole Streicher writes:
Hi.
If you go back one meeting further, my interpretation is that the consensus of
the committee seems to be that ultimately this decision belongs to the
installer team.
That is, in this case, a number of members on the TC seem to believe
that the installer t
> "Marco" == Marco d'Itri writes:
Marco> On Jan 31, Ross Vandegrift wrote:
>> Recently, net-tools was made optional. Since cloud-init does not
>> depend on net-tools, this causes breakage:
Marco> Please do not apply this patch! Fix cloud-init to use ip(8)
Marco> instead.
>>>>> "Ole" == Ole Streicher writes:
Ole> Hi Sam, Am 31.01.2017 um 16:26 schrieb Sam Hartman:
>> If you go back one meeting further, my interpretation is that the
>> consensus of the committee seems to be that ultimately this
>> de
>>>>> "Marco" == Marco d'Itri writes:
Marco> On Jan 31, Sam Hartman wrote:
>> Why? I can understand "it would be nice if cloud-init used ip
>> instead", but you seem to have a preference stronger than that.
Marco> To
> "Ole" == Ole Streicher writes:
Georg commented that if we're going to delegate to D-I, we should hurry
up and do so unless this turn into another TC failure.
I personally think we've taken long enough this is already a TC failure
and have expressed regret for my actions that contributed to
I vote A -> FD for the blends-tasks vote.
Hi, first, you've made the point that you were hoping the TC would help
the blends team and the d-i team work together.
I think that Phil's suggestions for a technical approach are quite good,
and I hope that will move forward in the buster cycle.
With regard to stretch, I honestly don't think th
There was a trust router release in October.
At one level, this release is probably functional enough that it would
be nice to have included in stretch.
At another level, there have been enough upstream bugs filed that I
don't think it's stable enough to include and support for the lifetime
of