Hi Flo,
On Thu, 31 Mar 2022 17:42:37 +0200
Florian Ernst wrote:
> [...]
> On Wed, Mar 30, 2022 at 07:47:52PM -0400, Andrew Ayer wrote:
> > [...]
> > I am thinking of putting libndp up for adoption - might you be
> > willing to take over?
>
> Well, I am willing to
Hey Flo,
Many thanks for preparing the update and my apologies to you and
Sebastien for not getting back sooner.
I am totally OK with your changes at
https://salsa.debian.org/florian/libndp/-/tree/734771d97899e2c942c3802251f816135760f332
Unfortunately, I never got set up with Salsa after Alioth
Package: ca-certificates
Version: 20190110
Severity: normal
Hi Michael,
ca-certificates currently contains several CAs that have been distrusted
by Mozilla:
Certplus
Certinomis
Deutsche Telekom AG
Certinomis is particularly concerning because they were distrusted after
numerous misissuances and
Package: iproute2
Version: 4.20.0-2
Severity: normal
Dear Maintainer,
Currently, iproute2 is built with the default NETNS_RUN_DIR of
/var/run/netns[1]. Consequentially, if /var is a separate filesystem,
it is not possible to use ip netns to manage network namespaces early
in boot before /var is
Package: libxslt
Version: 1.1.29-2.1
Severity: important
X-Debbugs-CC: reproducible-bui...@lists.alioth.debian.org
Dear Maintainer,
Nick Bowler has pointed out on the libxslt bug tracker that
debian/patches/0004-Make-generate-id-deterministic.patch has issues,
most notably that generate-id() is n
On Thu, 9 Feb 2017 03:18:11 +
Daniel Shahaf wrote:
> Chris Lamb wrote on Wed, Feb 08, 2017 at 22:12:35 +1300:
> > Andrew Ayer wrote:
> >
> > > print log entry when fixing a file
> >
> > This should probably be enabled when DH_VERBOSE=1.
> >
>
On Tue, 13 Sep 2016 17:06:17 +0100
Chris Lamb wrote:
> > Perhaps we could guarantee that the shuffle results in a different
> > order? I think that would resolve any objection to making shuffling
> > the default.
>
> .. at the cost of a rather bizarre "shuffle ___ but won't produce the
> origina
On Tue, 13 Sep 2016 16:33:25 +0100
Chris Lamb wrote:
> Hi Reiner,
>
> > If I remember correctly, the reason why reversing the order is the
> > default, was that this guarantees a different order.
Reiner's recollection is correct.
> Whilst this is true and a really useful feature of disorderfs, i
On Tue, 10 May 2016 13:58:21 +0200
Emmanuel Bourg wrote:
> I noticed that the bnd package fails to build reproducibly because
> one of the jar files installed (/usr/share/java/bnd-2.4.1.jar)
> contains a nested jar (embedded-repo.jar) that isn't processed by
> dh_strip_nondeterminism. The timesta
Hi Ceridwen,
Thanks for reporting this! I've identified and fixed the bug. This fix
is in disorderfs 0.4.3-1, which I'm uploading to Unstable right now.
Cheers,
Andrew
On Fri, 11 Mar 2016 21:17:14 +0100
Sebastian Andrzej Siewior wrote:
> After `dh_strip_nondeterminism':
>
> |$ unzip clam.bz2.zip
> |Archive: clam.bz2.zip
> | bunzipping: clam.exe
> | error: invalid compressed data to bunzip
> |$ ls -lh clam.exe
> |-rw-r--r-- 1 bigeasy bigeas
On Tue, 22 Dec 2015 21:18:34 +0100
Reiner Herrmann wrote:
> Hi Andrew!
>
> I just noticed that disorderfs isn't working when --multi-user=yes is
> specified. Instead of reversing the readdir order or shuffling the
> order, it is only returning the files in normal readdir order (i.e.,
> what you
Hi Michael,
On Mon, 14 Dec 2015 21:59:27 -0600
Michael Shuler wrote:
> Thanks for your thoughts. A separate package is an interesting interim
> idea, but in looking at what redhat has done, I think a more complete
> transition to trust type buckets is preferred, along with including a
> code-sig
On Mon, 14 Dec 2015 18:45:40 -0600
Michael Shuler wrote:
> > As always, let me know if you could use any help. I'm going to
> > start looking through the reverse depends for ca-certificates to
> > identify packages that might be relying on roots for email
> > authentication.
>
> Exactly. I also
On Fri, 4 Dec 2015 23:36:57 -0600
Michael Shuler wrote:
> Hi release team,
>
> I just requested an upload of ca-certificates (20151204) to unstable,
> and I would like to follow that up with stable-pu and oldstable-pu
> updates to include the current Mozilla CA bundle changes for jessie
> and w
Hi Michael,
Have you given any more thought to a redesign of ca-certificates that
separates the email certificates from the TLS certificates? I suspect
that the vast majority of packages that depend on ca-certificates use
it for TLS server auth, and yet there are currently 21 roots in the NSS
sto
Package: strip-nondeterminism
Severity: wishlist
It would be nice for strip-nondeterminism to ignore signed JARs (but
print a warning), since its modifications will break the signature.
According to the jarsigner(1) man page, a signed JAR will have .DSA
and .SF files in the META-INF, so we can lo
Hi Sophie,
I took a look at dirbuster, and it looks like it doesn't actually build
anything; instead it just installs a signed .jar that is shipped with
the source, and strip-nondeterminism's modifications break the
signature.
Therefore, my recommendation is that you continue to disable
strip-non
Hi Stable Release Managers,
We're currently discussing in #806239 how to keep the
ca-certificates package more up-to-date in (old)stable. Since
ca-certificates is a data package that needs timely updating (when CAs
are removed due to lapsed audits, they should be distrusted
immediately), it satis
Hi Michael,
On Wed, 25 Nov 2015 12:30:18 -0600
Michael Shuler wrote:
> Control: tags -1 + pending
>
> On 11/25/2015 11:28 AM, Andrew Ayer wrote:
> > ca-certificates hasn't been updated since April 2015. Since then,
> > 14 CAs have been removed from the NS
Package: ca-certificates
Version: 20150426
Severity: important
Dear maintainer and security team,
ca-certificates hasn't been updated since April 2015. Since then, 14
CAs have been removed from the NSS root store[1, 2]. ca-certificates in
stable hasn't been updated since October 2014. Since th
Thanks Roland for the report and Niko for the really helpful
debugging. This PNG file is technically non-conformant[1], but
strip-nondeterminism should handle it nevertheless. I've changed
strip-nondeterminism to stop processing after the IEND chunk and copy
through any remaining junk. A new ver
tags 800063 + confirmed
thanks
On Sat, 26 Sep 2015 12:18:34 +0300
Niko Tyni wrote:
> libsearch-xapian-perl_1.2.21.0-1 started to FTBFS under
> disorderfs when the latter was upgraded from 0.2.0-1 to
> 0.4.0-1.
>
>
> https://reproducible.debian.net/rb-pkg/unstable/amd64/libsearch-xapian-perl.h
tags 796366 + pending
thanks
Thanks Stéphane for reporting this. Fixed in 0.010-1, which is pending
upload.
Cheers,
Andrew
Package: wnpp
Severity: wishlist
Owner: Andrew Ayer
* Package name: disorderfs
Version : 0.1.0
Upstream Author : Andrew Ayer
* License : GPL-3+
Programming Lang: C++
Description : FUSE filesystem that introduces non-determinism
disorderfs is an overlay FUSE
tags 793244 + confirmed
thanks
On Wed, 22 Jul 2015 13:33:34 +
Matthias Klose wrote:
> GCC PR libstdc++/66145 is a regression in GCC 5 which won't be fixed
> upstream in time for the GCC defaults change. The workaround is to
> rebuild the affected packages after GCC 5 is the default compile
On Fri, 17 Jul 2015 21:37:40 +
Mattia Rizzolo wrote:
> Looks like python-astropy build-deps on strip-nondeterminism, and that
> (sadly) you (= astro team) did [1]. Personally I find it shameful that a
> maintainer needs such a hack for a failure on our part, please DO poke us
> harder the next tim
On Fri, 17 Jul 2015 19:53:27 +
Mattia Rizzolo wrote:
> I was aware some packages started build-depending on it, but nothing
> like this. Also, a broken (and also missing, fwiw) build-dep does not
> cause removal from testing [1], so that sounds weird+wrong.
>
> Can you tell me of such packag
severity 791574 important
thanks
On Fri, 17 Jul 2015 20:08:13 +0200
Andreas Tille wrote:
> Ahhh, that's interesting. My situation is that I just wanted to find
> out why some of our team packages are about to be removed. I do not
> expect myself to be very helpful in fixing the problem. The o
tags 791574 + fixed-upstream
tags 791574 + pending
thanks
This was caused by a zip64 archive in the golang test suite.
Archive::Zip, and hence strip-nondeterminism, doesn't support zip64
archives. Fortunately, zip64 archives are rare and the one in the
golang source doesn't contain any nondetermi
On Mon, 1 Jun 2015 16:46:35 +0900
Mike Hommey wrote:
> > It's up to Mike whether to fix that in the upcoming point release.
> > We're not planning a DSA for this issue alone, but it can be fixed
> > along when upstream releases changes to address the weakdh issue.
>
> ... which, afaik, is in 3.1
On Wed, 27 May 2015 08:11:35 +0200
Moritz Mühlenhoff wrote:
> It's up to Mike whether to fix that in the upcoming point release.
> We're not planning a DSA for this issue alone, but it can be fixed
> along when upstream releases changes to address the weakdh issue.
Mike, are you planning to uplo
tags 785742 + pending
thanks
On Tue, 19 May 2015 20:56:17 +0200
Niels Thykier wrote:
> Debugging the lintian FTBFS on reproducible.d.n[1], I have found that
> if I override on dh_strip-nondeterminism in the test's rules file, the
> unexpected package-contains-timestamped-gzip tag goes away.
>
>
+deb8u1) UNRELEASED; urgency=medium
+
+ * Apply upstream patch (99_prefer_stronger_cert_chains.patch) to fix
+certificate chain generation to prefer stronger/newer certificates
+ over weaker/older certs. Closes: #774195.
+
+ -- Andrew Ayer Mon, 25 May 2015 09:21:06 -0700
+
nss (2:3.17.2-1.1) unsta
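Review bot: the header line of the new changelog stanza (`+deb8u1) UNRELEASED; urgency=medium`) still has the distribution set to UNRELEASED; the +deb8u1 suffix marks this as an update for Debian 8 (jessie), so the distribution needs to be changed to the target suite before the upload is built. Also check the continuation line `+certificate chain generation to prefer stronger/newer certificates`: as shown here it has no leading whitespace, unlike the lines around it, and changelog detail lines must be indented to parse.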
tags 780398 + security
severity 780398 important
thanks
New research was released yesterday that estimates the cost of
breaking a commonly-used 1024 bit Diffie-Hellman group to be alarmingly
low, and within the reach of state-level adversaries[1]. Specifically,
an adversary can do pre-computation
Package: wnpp
Severity: wishlist
Owner: Andrew Ayer
* Package name: git-crypt
Version : 0.4.2
Upstream Author : Andrew Ayer
* URL : https://www.agwa.name/projects/git-crypt
* License : GPL3+ with OpenSSL linking exception
Programming Lang: C++
Description
Package: libndp
Severity: wishlist
libndp 1.5 has been released. It incorporates
0001-ndptool-support-kfreebsd-by-avoiding-signalfd.patch.
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Thanks, Andreas and Holger.
I reproduced the problem with jruby and determined that it's a bug in
Archive::Zip, which I've reported here:
https://github.com/redhotpenguin/perl-Archive-Zip/issues/13
Archive::Zip is unfortunately proving to be rather buggy.
-- Andrew
Package: strip-nondeterminism
Severity: wishlist
strip-nondeterminism should print a log line when it fixes a file, so
we can track what needs to be done upstream, at some point.
I tracked down the bug in Archive::Zip, which was a doozy, and reported
it upstream:
https://github.com/redhotpenguin/perl-Archive-Zip/issues/11
Meanwhile, I've worked around it in strip-nondeterminism, so this
shouldn't be an issue for us anymore.
On Tue, 20 Jan 2015 23:30:14 +0100
Peter De Wachter wrote:
> Javadoc files, at least the ones I've looked at, have, in addition
> to the "Generated by javadoc" comment, a timestamp in a name="date"> tag.
Excellent catch; thanks! I've enhanced the javadoc handler to also
normalize this tag. It
On Tue, 06 Jan 2015 23:14:33 +0100
Reiner Herrmann wrote:
> In the case the local fields can't be read, they also are not
> (over)written:
Thanks for checking that. Patch is now applied.
One thing to note is that some fields have a different format depending
on whether they are in the local he
On Tue, 06 Jan 2015 19:27:37 +0100
Reiner Herrmann wrote:
> the attached patch also normalizes the local extra fields.
Thanks!
> I discovered also a bug in Archive::Zip, that local extra fields
> are currently only working for directories:
> https://rt.cpan.org/Public/Bug/Display.html?id=10129
Package: openntpd
Version: 20080406p-10
Severity: normal
Tags: patch
Dear Maintainer,
Currently, openntpd's init script restarts openntpd by killing it (with
start-stop-daemon --stop), sleeping 1 second, and then starting it.
This has a race condition: if openntpd takes longer than 1 second to
te
On Fri, 12 Dec 2014 19:30:12 +0100
"Reiner Herrmann" wrote:
> lib/File/StripNondeterminism/handlers/zip.pm | 24 +++
> + 1 file changed, 24 insertions(+)
Thanks! Patch applied, with a couple adjustments (to make pack/unpack
safe on big-endian systems, and to handle the edge
I've prepared packaging for 0.5.66 in the following Git repo:
https://anonscm.debian.org/cgit/users/agwa-guest/xmltv.git
Specifically, I imported the 0.5.66 tarball and updated the install list
for the added/removed grabbers.
The package builds, though there are a few issues:
1. The dk_
Package: strip-nondeterminism
Severity: wishlist
strip-nondeterminism should treat more filename extensions as possible
gzipped files, such as .svgz.
Package: strip-nondeterminism
Severity: wishlist
strip-nondeterminism should remove the Bnd-LastModified field (another
timestamp) and the Built-By field (it contains the system username) from
MANIFEST.MF files inside jar archives.
Package: strip-nondeterminism
Severity: wishlist
Zip files created on Unix contain non-deterministic information in
extra fields such as "UT extra field modtime." They can be seen
by `zipinfo -v`. strip-nondeterminism should strip/normalize these
fields.
Package: strip-nondeterminism
Severity: wishlist
Example package: vdr-plugin-xineliboutput
debbindiff:
https://jenkins.debian.net/userContent/rb-pkg/vdr-plugin-xineliboutput.html
Timestamps look like: "POT-Creation-Date: 2014-10-12 23:36+\n"
Package: strip-nondeterminism
Severity: wishlist
Some Java packages produce jar files with the .war and .hpi extension.
strip-nondeterminism should support this.
Package: strip-nondeterminism
Severity: wishlist
It should be possible to tell File::StripNondeterminism to replace
timestamps with a specific time instead of removing them or using a
zero timestamp. When using the strip-nondeterminism command, this
timestamp should be specified by a command line
Package: strip-nondeterminism
Version: 0.003-1
Severity: normal
Line 59 of handlers/zip.pm triggers an infinite loop in Archive::Zip,
but only with certain jar files. I need to create a minimal test case
and file a bug report with Archive::Zip.
On Sun, 12 Oct 2014 23:20:44 +0200
Emmanuel Bourg wrote:
> Le 12/10/2014 22:14, Andrew Ayer a écrit :
>
> > * Sets the timestamp of every Zip entry to January 1, 1980 (the
> >   earliest date that can be represented in a Zip archive).
>
> Would it be possible to
On Sun, 12 Oct 2014 21:59:44 +0200
Emmanuel Bourg wrote:
> How does dh_strip_nondeterminism affect the jar files exactly? I
> understand that it normalizes the timestamps of the zip entries, but
> what date is used?
Hi Emmanuel,
dh_strip_nondeterminism does the following:
* Sets the timestamp
Package: yorick-spydr
Version: 0.8.2-3
Severity: wishlist
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: timestamps
Hi!
As part of the Reproducible Builds effort[1], we have identified that the
spydr48.png file in yorick-spydr contains the time at which the package
was bu
Package: javahelper
Version: 0.47
Severity: wishlist
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: toolchain
Hi!
As part of the Reproducible Builds effort [1], we have developed a new
debhelper add-on, dh_strip_nondeterminism, that strips non-deterministic
data from buil
Dear Maintainer,
I do not believe that this bug constitutes a security vulnerability or
that it deserves grave severity.
To be exploited remotely, you have to execute an untrusted XSLT
stylesheet, which is similar to executing untrusted arbitrary code, and
is a bad idea for reasons much more seve
On Mon, 8 Sep 2014 07:39:02 -0300
Henrique de Moraes Holschuh wrote:
> From *which* files? linker objects? executables? libraries?
>
> Maybe it would be helpful to mention reproducible builds in the long
> description to ease searches?
Yes, that's a good idea. I'll flesh out the long descript
Package: wnpp
Severity: wishlist
Owner: Andrew Ayer
* Package name: strip-nondeterminism
Version : 0.001
Upstream Author : Andrew Ayer
* URL :
https://anonscm.debian.org/cgit/reproducible/strip-nondeterminism.git
* License : GPL-3+
Programming Lang: Perl
On Sun, 31 Aug 2014 15:34:57 -0700
Joey Hess wrote:
> Jérémy Bobbio wrote:
> > Andrew Ayer has been working on a `dh_strip_nondeterminism` helper:
> > http://anonscm.debian.org/cgit/reproducible/strip-nondeterminism.git/
> >
> > We can move that chunk of code to it
Hi Thijs,
On Fri, 22 Aug 2014 13:41:20 +0200
"Thijs Kinkhorst" wrote:
> This bug has been fixed in GnuPG 1.4.17.
>
> Although it's a good robustness and anti-keyring-pollution measure, I
> don't think it's an acute security issue in stable that needs to be
> fixed in a DSA, because the threat mo
Hi,
An updated package has been prepared. Just waiting for my sponsor to
upload.
Regards,
Andrew
On Tue, 15 Jul 2014 20:30:21 -0400
Filipus Klutiero wrote:
> Source: libndp
> Version: 1.3-1
> Severity: minor
>
> Extended description starts with:
> > libndp is a library the IPv6 Neighbor Discovery Protocol (NDP).
>
> Something like a "for" is missing between "a library" and "the IPv6
> Ne
Hi Michael,
On Sat, 14 Jun 2014 12:42:07 +0200
Michael Biebl wrote:
> Hi Andrew,
>
> On Sat, Mar 29, 2014 at 11:01:31AM -0700, Andrew Ayer wrote:
> > Initial packaging for libndp can be found in the following Git repo:
> >
> > https://www.agwa.name/git/libn
Initial packaging for libndp can be found in the following Git repo:
https://www.agwa.name/git/libndp-debian.git
(GitHub mirror: https://github.com/AGWA/libndp-debian)
I will soon be uploading this to mentors.debian.net.
Package: wnpp
Severity: wishlist
Owner: Andrew Ayer
* Package name: libndp
Version : 1.2
Upstream Author : Jiri Pirko
* URL : http://libndp.org/
* License : GPL-2+
Programming Lang: C
Description : Library for IPv6 Neighbor Discovery Protocol
libndp
Package: libhdhomerun-dev
Version: 20120405-1
Severity: serious
Justification: Policy 9.1.1
Dear Maintainer,
Thanks for maintaining libhdhomerun in Debian. I noticed that
libhdhomerun-dev installs its header files to /usr/lib/libhdhomerun.
It should install them to /usr/include/libhdhomerun inst
Package: isc-dhcp-client
Version: 4.2.4-7
Severity: normal
Tags: patch
Dear Maintainer,
I recently messed up the value of rfc3442-classless-static-routes
on my DHCP server (I had "16, 10, 150, 0, 0, 10, 150, 3, 1" when
it should have been "16, 10, 150, 10, 150, 3, 1") and this caused
/etc/dhcp/dh
Package: iceweasel
Version: 17.0.10esr-1~deb7u1
Severity: normal
Dear Maintainer,
Iceweasel does not properly set the spell checker language.
This manifests in two ways:
1. If the HTML document specifies a language using the lang attribute,
no language is selected by default and spell checking i
On Thu, 21 Nov 2013, Raúl Sánchez Siles wrote:
Meanwhile, I've set up a repository with latest packaging stuff [0]
Hi Raul,
I was working on this too but it looks like you're further along than
me so I'll defer to you. A couple things though...
First, the -dev package can't be Multi-Arch
On Thu, 21 Nov 2013 08:44:57 -0800 (PST)
Andrew Ayer wrote:
> I think co-installable -dev packages are very nice though, so I was
> planning to ask upstream if they could refactor those header files to
> not be different on different architectures.
I have created a libsodium issue a
Package: vde2
Version: 2.3.2-4
Severity: wishlist
Dear Maintainer,
Currently, /etc/network/if-pre-up.d/vde2 (also, vde2.postinst) create
/var/run/vde2 as follows:
mkdir -p $RUNDIR
chown vde2-net:vde2-net $RUNDIR
chmod 2770 $RUNDIR
I believe the permissions should be (at
On Sun, 18 Aug 2013 19:35:15 +0200
Arthur de Jong wrote:
> An alternative solution would be to also return shadow information to
> non-root users but leave out the password hashes. This is what pynslcd
> in experimental currently does.
>
> I *think* that is reasonable and don't see any security
Package: libswiften-dev
Version: 2.0~beta1+dev47-1
Severity: normal
Dear Maintainer,
libswiften-dev lacks dependencies on the -dev packages that it needs.
Consequentially, if you try to compile code that uses swiften, it fails
due to missing include files or missing libraries, unless the followin
Package: t1-xfree86-nonfree
Version: 4.2.1-3.1
Severity: grave
Tags: patch
Justification: renders package unusable
Dear Maintainer,
This package does not install any symlinks for its font files in
/usr/share/fonts/X11/Type1/, rendering the fonts completely unusable
in X11. This bug was introduce
Package: libapt-pkg-perl
Version: 0.1.27
Severity: normal
Dear Maintainer,
AptPkg::Cache exhibits some strange behavior with its hash iteration on
multi-arch systems. First, package names returned by the keys method are
duplicated for every architecture, but without any ':architecture' suffix.
(
On Mon, 06 May 2013 21:50:52 +0200
Arthur de Jong wrote:
> [...]
>
> Determining who can see what information consists of basically two
> separate decisions (where those who have access to the hash are a subset
> of those who have access to the other information).
>
> (there is actually a third c
Package: nslcd
Version: 0.8.12-1
Severity: normal
nslcd only allows processes with UID==0 (as determined by credentials
passed over its UNIX domain socket) to query the shadow database.
This check is enforced by lines 449-452 of nslcd/nslcd.c:
case NSLCD_ACTION_SHADOW_BYNAME:if (uid==0)
Package: pidgin
Version: 2.4.3-4lenny6
Severity: important
Since DSA-2038-1, pidgin no longer has support for the Zephyr protocol. It's
absent from the "Protocols" menu when adding an account, and existing Zephyr
accounts no longer work. There is no mention of removing Zephyr support in
eith
Package: uw-imapd
Version: 7:2002edebian1-13.1+etch1
Severity: important
The uw-imapd package "Conflicts:" with the virtual package
"imap-server." I am attempting to migrate IMAP servers right now, and
this is preventing me from having dovecot-imapd and uw-imapd installed
concurrently.
As far a