Re: Can not install both "brasero" and "lvm2"

2009-10-18 Thread Mike Hommey
On Sun, Oct 18, 2009 at 02:59:43AM +0100, Ben Hutchings wrote:
> On Sun, 2009-10-18 at 08:36 +0800, John Wong wrote:
> > I want to install both "brasero" and "lvm2", but when I install "brasero",
> > apt-get must remove "lvm2".
> > When I "apt-get install brasero"
> > 
> > The following extra packages will be installed:
> > devicekit-disks gvfs hdparm
> > Suggested packages:
> > dvdauthor vcdimager gvfs-backends apmd
> > The following packages will be REMOVED:
> > dmsetup lvm2
> > The following NEW packages will be installed:
> > brasero devicekit-disks gvfs hdparm
> > 0 upgraded, 4 newly installed, 2 to remove and 0 not upgraded.
> > Need to get 2,199kB of archives.
> > After this operation, 4,820kB of additional disk space will be used.
> > Do you want to continue [Y/n]?
> > 
> > How to solve it?
> [...]
> 
> dmsetup conflicts with devicekit-disks due to #545032 (closed, but
> reportedly not actually fixed).  Until this is resolved, you will have
> to choose between them.

What exactly is not fixed by
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=121;bug=545032 ?

Mike


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Re: Bug#551386: Per-package link to upstreams bugtracker

2009-10-18 Thread gregor herrmann
On Sun, 18 Oct 2009 10:23:02 +0800, Paul Wise wrote:

> > In order not to bloat the Packages file we were thinking about a
> > header in debian/copyright (which has, according to DEP5, already
> > information about the Upstream-Author and Upstream-Source).
> I'd like to re-iterate my earlier mail on this subject about splitting
> up the Packages file:
> http://lists.debian.org/debian-devel/2009/08/msg00057.html

Good point.

Another approach would be to make some of our tools more VCS-aware
(or UDD-aware if UDD imports data from VCSes).
 
Cheers,
gregor 
-- 
 .''`.   http://info.comodo.priv.at/ -- GPG Key IDs: 0x00F3CFE4, 0x8649AA06
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT, SPI Inc., fellow of FSFE | http://got.to/quote/
   `-NP: Spider Murphy Gang: Sch-Bum ('s Leb'n is wiar a Traum)




Bug#551485: ITP: python-jpype -- Binding the worlds of Java and Python

2009-10-18 Thread TANIGUCHI Takaki
Package: wnpp
Owner: tak...@debian.org
Severity: wishlist

* Package name: python-jpype
  Version : 0.5.4.1
  Upstream Author : Steve Menard 
* URL or Web page : http://jpype.sourceforge.net/
* License : Apache License 2.0
  Description : Binding the worlds of Java and Python

 JPype is an effort to allow Python programs full access to java class
 libraries. This is achieved not through re-implementing Python, as
 Jython/JPython has done, but rather through interfacing at the native
 level in both Virtual Machines.

 Eventually, it should be possible to replace Java with Python in many,
 though not all, situations. JSP, Servlets, RMI servers and IDE plugins
 are good candidates.






Bug#551495: ITP: libdate-calc-xs-perl -- Perl library for accessing dates

2009-10-18 Thread Jonathan Yu
Package: wnpp
Owner: Jonathan Yu 
Severity: wishlist
X-Debbugs-CC: debian-devel@lists.debian.org,debian-p...@lists.debian.org

* Package name: libdate-calc-xs-perl
  Version : 6.2
  Upstream Author : Steffen Beyer 
* URL : http://search.cpan.org/dist/Date-Calc-XS/
* License : Artistic | GPL-1+
  Programming Lang: Perl
  Description : Perl library for accessing dates

 Date::Calc::XS is a C/XS-based implementation of the Date::Calc Perl module.
 It interfaces with a C library to provide a wide variety of calculations
 based on the Gregorian calendar. This package is never used directly. See
 Date::Calc's documentation (libdate-calc-perl) for usage details.

NOTE: this package used to be part of Date::Calc (libdate-calc-perl),
which is now an Arch: all package.






Bug#551520: ITP: python-tornado -- scalable, non-blocking web server and tools

2009-10-18 Thread Angel Abad
Package: wnpp
Severity: wishlist
Owner: Angel Abad 


* Package name: python-tornado
  Version : 0.2
  Upstream Author : Facebook
* URL : http://www.tornadoweb.org/
* License : Apache 2.0
  Programming Lang: (C, Python)
  Description : scalable, non-blocking web server and tools

Tornado is an open source version of the scalable, non-blocking
web server and tools that power FriendFeed. The FriendFeed application
is written using a web framework that looks a bit like web.py or
Google's webapp, but with additional tools and optimizations to take
advantage of the underlying non-blocking infrastructure.






Re: lintian error weak-library-dev-dependency

2009-10-18 Thread Dominic Hargreaves
On Thu, Sep 24, 2009 at 05:53:21PM +0200, Norbert Preining wrote:
> On Thu, 24 Sep 2009, James Vega wrote:
> > On Thu, Sep 24, 2009 at 11:33 AM, Norbert Preining  
> > wrote:
> > > Now we have
> > >        libkpathsea-dev depends libkpathsea4 (= 2007.dfsg.2-7)
> > > and I still get these errors. libkpathsea-dev is at version 
> > > 2007.dfsg.2-7..
> > 
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=547773
> > 
> > Fixed in Lintian 2.2.17
> 
> Then it has to be reopened, because I have lintian 2.2.17 installed.
> And the description in the fix does not match with the behaviour
> I have here.

Not only that, but weak-library-dev-dependency and
not-binnmuable-all-depends-any seem to be fighting! The latter suggests
Depends: arch_any (>= ${source:Version}), arch_any (<< ${source:Version}.1~)
which triggers the former...

What's correct in this case?

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)





Bug#551550: general: many Java packages needlessly depend on java?-runtime

2009-10-18 Thread brian m. carlson
Package: general
Severity: normal

Many Java packages work successfully with a headless JRE; that is, one
that does not support graphics.  However, some of these packages depend
on java?-runtime instead of java?-runtime-headless.  As a consequence,
graphical JREs are installed when they are not needed (such as on
servers).

Java applications and libraries that correctly function with a headless
JRE should depend only on such a JRE, possibly with a recommends or
suggests on a graphical JRE if the program can benefit from it.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187




Proposed mass prototypejs bug filing for multiple security issues

2009-10-18 Thread Michael S Gilbert
Hi,

The prototypejs script has been found to be vulnerable to a couple
security issues [0],[1].  This script is embedded in about 32 other
packages and I would like to file bugs against all of those that are
affected. Since this would probably be considered a mass filing, I am
running it past -devel first.

I intend to send the following two bug reports for each vulnerable
package; one bug on the vulnerabilities themselves and the other bug
asking for the maintainer to switch to the system/shared prototypejs.
I will fill in affected version numbers (Y.Y.Y) on a per-package basis.

Let me know if this is OK, and whether there is anything else I should
be aware of.

Here are the affected source packages:
- auth2db  (embed)
- webcit  (embed)
- asterisk  (embed)
- doc-iana  (embed)
- libaws  (embed)
- libgettext-ruby  (embed)
- libjson-ruby  (embed)
- lucene2  (embed)
- libopenid-ruby  (embed)
- solr  (embed)
- glpi  (embed)
- mnemo2  (embed)
- nag2  (embed)
- knowledgeroot  (embed)
- mediatomb  (embed)
- mt-daapd  (embed)
- op-panel  (embed)
- ebug-http  (embed)
- phpgedview  (embed)
- poker-network  (embed)
- webhelpers  (embed)
- qwik  (embed)
- rails  (embed)
- typo3-src  (embed)
- wordpress 2.5.0-2 (embed)
- zope  (embed)
- smokeping  (embed)
- ampache 3.4.1-2 (embed)
- exaile  (embed)
- hobix  (embed)
- pixelpost  (embed)
- symfony  (embed)
- zabbix  (embed)
- turba2  (embed)

Mike

-
package: auth2db
version: 0.2.5-2+dfsg-1
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototypejs that is
vulnerable to either CVE-2007-2383 (affecting prototypejs 1.5.1 and
earlier) [0], CVE-2008-7220 (affecting prototypejs 1.6.0.2 and
earlier) [1], or both.

Your package embeds prototypejs version Y.Y.Y and is affected [only
by CVE-2007-2383 / only by CVE-2008-7220 / by both issues].

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220

-
package: auth2db
version: 0.2.5-2+dfsg-1
severity: important
tags: security

Hi,

Your package embeds prototypejs version X.X.X, which makes security
updates very cumbersome, difficult, and potentially error-prone. Please
update your package to make use of the system prototypejs provided by
the prototypejs package.

Thank you very much for your attention on this matter.

Mike
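
The version comparison described in the message above, written out in Python as an added example (it is not code from the thread or from Debian). It assumes each embedded copy declares itself through Prototype's `Version: '...'` field; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Inclusive upper bounds ("X and earlier"), as stated in the bug template above.
AFFECTED_UP_TO = {"CVE-2007-2383": (1, 5, 1), "CVE-2008-7220": (1, 6, 0, 2)}
# Prototype declares itself as `var Prototype = { Version: '1.6.0.2', ...`;
# anchoring on the object name skips other libraries' Version fields.
VERSION_RE = re.compile(r"""Prototype\s*=\s*\{\s*Version:\s*['"]([^'"]+)['"]""")

def affected_by(version):
    """Return the CVEs whose affected range contains this version string."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    # A suffix such as _rc1 sorts before its release, so dropping it never
    # changes the result of a comparison against an inclusive upper bound.
    nums = tuple(int(p) for p in m.group(0).split("."))
    hits = []
    for cve, bound in sorted(AFFECTED_UP_TO.items()):
        width = max(len(nums), len(bound))
        pad = lambda t: t + (0,) * (width - len(t))
        if pad(nums) <= pad(bound):
            hits.append(cve)
    return hits

def scan(root):
    """Map each embedded Prototype copy under root to (version, CVE list)."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(".js")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                m = VERSION_RE.search(fh.read())
            if m:
                found[os.path.relpath(path, root)] = (m.group(1), affected_by(m.group(1)))
    return found

def demo():
    """Scan a constructed tree; the file contents are made up for illustration."""
    samples = {
        "app/js/prototype.js": "var Prototype = {\n  Version: '1.5.0_rc1',",
        "web/lib/prototype-min.js": 'var Prototype={Version:"1.6.0.2",',
        "web/lib/proto.js": "var Prototype = { Version: '1.6.1',",
        "web/lib/scriptaculous.js": "var Scriptaculous = { Version: '1.8.1',",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan(root)
```

A copy with no recognisable `Version` field is simply absent from the result, so a missing entry means "check by hand", not "unaffected".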





Re: Bug#551386: Per-package link to upstreams bugtracker

2009-10-18 Thread Charles Plessy
On Sun, Oct 18, 2009 at 02:34:24PM +0200, gregor herrmann wrote:
> On Sun, 18 Oct 2009 10:23:02 +0800, Paul Wise wrote:
> 
> > > In order not to bloat the Packages file we were thinking about a
> > > header in debian/copyright (which has, according to DEP5, already
> > > information about the Upstream-Author and Upstream-Source).
> > I'd like to re-iterate my earlier mail on this subject about splitting
> > up the Packages file:
> > http://lists.debian.org/debian-devel/2009/08/msg00057.html
> 
> Another approach would be to make some of our tools more VCS-aware
> (or UDD-aware if UDD imports data from VCSes).

For my packages, I am preparing to test the following workflow: store the
upstream metadata in YAML format in the source package, and make some tools
aware of the content of the file as it is in the VCS containing the source
package. In the Debian Med team we need a mechanism to indicate registration
pages to our users. I have not yet figured out if the best is a spider
mechanism, where the tool checks the file from time to time, or a push
mechanism, with a proper commit hook that will advertise the changes.

Whichever the implementation, if we manage to move out metadata from
debian/control, it means that we will probably expand the fields a lot. How
about briefly documenting them on a wiki page to avoid collisions? 

Lastly, a radically different solution would be to centralise everything in a
big monolithic file, and give commit access to all DDs for instance. That would
also completely untie the update of upstream metadata from package upload, and
if the file is managed in a VCS, it would be easy to revert mistakes and find
misusers, if somebody ever dares.

Have a nice day

-- 
Charles Plessy
Debian Med packaging team,
http://www.debian.org/devel/debian-med
Tsurumi, Kanagawa, Japan





Re: Proposed mass prototypejs bug filing for multiple security issues

2009-10-18 Thread Paul Wise
On Mon, Oct 19, 2009 at 8:43 AM, Michael S Gilbert
 wrote:

> Let me know if this is OK, and whether there is anything else I should
> be aware of.

Excellent, please go ahead.

See also the lintian warning (you seem to miss a few):

http://lintian.debian.org/tags/embedded-javascript-library.html

Based on a cursory glance, your list also misses a few found by
apt-file search -i prototype | grep -iF .js

-- 
bye,
pabs

http://wiki.debian.org/PaulWise





Re: Proposed mass prototypejs bug filing for multiple security issues

2009-10-18 Thread Michael Gilbert
On Mon, 19 Oct 2009 10:02:59 +0800 Paul Wise wrote:

> On Mon, Oct 19, 2009 at 8:43 AM, Michael S Gilbert
>  wrote:
> 
> > Let me know if this is OK, and whether there is anything else I should
> > be aware of.
> 
> Excellent, please go ahead.
> 
> See also the lintian warning (you seem to miss a few):
> 
> http://lintian.debian.org/tags/embedded-javascript-library.html
> 
> Based on a cursory glance, your list also misses a few found by
> apt-file search -i prototype | grep -iF .js

Thanks for the suggestions!  I will add these packages to the list.

Mike





Bug#551562: ITP: libmecab-ruby -- mecab binding for Ruby language

2009-10-18 Thread TANIGUCHI Takaki
Package: wnpp
Owner: tak...@debian.org
Severity: wishlist

* Package name: libmecab-ruby
  Version : 0.98
  Upstream Author : Taku Kudo  
* URL or Web page : http://sourceforge.net/projects/mecab/
* License : GPL | LGPL | BSD
  Description : mecab binding for Ruby language

 Mecab is a morphological analysis system.  It reads Japanese
 sentences from the standard input, segments them into morpheme
 sequences, and outputs them to the standard output with many
 additional pieces of information (pronunciation, semantic
 information, etc).






Re: Proposed mass prototypejs bug filing for multiple security issues

2009-10-18 Thread Julien BLACHE
Michael S Gilbert  wrote:

> - mt-daapd  (embed)

Not shipped in the resulting binary package. See Depends:.

JB.

-- 
 Julien BLACHE - Debian & GNU/Linux Developer -  
 
 Public key available on  - KeyID: F5D6 5169 
 GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169 

