sion that is **already in the archives**.
I originally tried to fix this RC bug a year ago but my upload
was auto-rejected then and I forgot to mark this issue for followup.
It was an early enough upload that thawab could have landed in Debian
12.
https://alioth-lists.debian.net/pipermail/debian-islamic-maintainers/2023-January/004920.html
Thank you,
Jeremy Bícha
our request for an upgrade?
Thank you,
Jeremy Bícha
://gitlab.gnome.org/jbrummer/msgraph
Thanks,
Jeremy Bícha
For a volunteer-driven community effort, we have to rely on
everyone to exercise their best judgement in these sorts of matters.
--
Jeremy Stanley
signature.asc
Description: PGP signature
claimed secure workflows seems entirely intractable. Sure you could
ask every DD to fill out a questionnaire, but if you don't trust
them to all follow documented practices then why would you trust
them to accurately answer survey questions either?
--
Jeremy Stanley
tate their PPAs’ keys
> (I vaguely recall searching for that and not finding it once).
It is not possible to rotate your PPA keys yourself, but Canonical is
handling it according to
https://discourse.ubuntu.com/t/new-requirements-for-apt-repository-signing-in-24-04/42854
Thank you,
Jeremy Bícha
On Thu, Mar 7, 2024 at 6:06 AM Mathias Krause wrote:
> I, thereby, request to rebuild affected packages.
We are rebuilding thousands of packages for the ongoing 32-bit time_t
transition. Maybe you can propose this again after the rebuilds for
that are finished?
Thank you,
Jeremy Bícha
On Tue, Mar 12, 2024 at 9:30 AM Mathias Krause wrote:
> That works for me. The 32-bit time_t transition Jeremy mentioned seems
> like a good candidate to force a rebuild of a lot of packages. Is there
> an ETA for it? I found [1] which mentions to do the transition in
> January but
a proprietary service who discovered a saboteur in their ranks.
--
Jeremy Stanley
but it's merely your opinion that sdists are *not*
"upstream-created source tarballs" (an opinion *not* shared by
everyone).
--
Jeremy Stanley
messages on the current branch
since the most recent tag if its SemVer-based version-guessing kicks
in (typically if the current commit isn't tagged and the version
string hasn't been overridden with an envvar).
--
Jeremy Stanley
onal information into our source archives.
--
Jeremy Stanley
eam maintainers understand that
downstream distributions want to include source code and can't
necessarily include full copies of our Git repositories, so we
create and cryptographically sign source code tarballs with all that
extracted/assembled metadata in the form of "generated" files, and
present those as our primary source distributions.
--
Jeremy Stanley
e storage first. If that's not
possible, I recommend replacing the OS with a new image of Debian
rather than trying to use apt to upgrade a few packages at a time. As
has already been mentioned, it is not supported to arbitrarily break
apt updates up like that to upgrade from say Debian 12 to the
done for the
Trixie release?
I guess a subdirectory of /usr/share/ would be appropriate for the
extra manpages.
Thank you,
Jeremy Bícha
for free/libre open source software,
remember that AWS, Azure and Google Cloud are the antithesis of it
yet have many, many, many competitors based entirely on F/LOSS you
could be recommending instead.
--
Jeremy Stanley
, honestly. Ubuntu is derived from Debian, if Ubuntu wanted
its LTS series to be byte-compatible with certain Debian stable
releases then they would have designed their release process to make
that possible. Since they didn't, it was probably for a good reason,
but ultimately you should
s. Why compete with that and
compromise Debian's ideals at the same time?
--
Jeremy Stanley
On 2021-01-15 17:27:56 +0100 (+0100), Ansgar wrote:
> On Fri, 2021-01-15 at 15:30 +0000, Jeremy Stanley wrote:
> > On 2021-01-15 12:11:06 +0100 (+0100), Emanuele Rocca wrote:
> > [...]
> > > So the current situation is that we make an active effort to
> > >
On 2021-01-15 21:45:35 +0500 (+0500), Andrey Rahmatullin wrote:
> On Fri, Jan 15, 2021 at 04:39:47PM +0000, Jeremy Stanley wrote:
> > Thanks for the insightful suggestion! Can we also just get rid of
> > non-free and contrib in that case and put everything in main? If
> >
On 2021-01-15 09:35:01 -0800 (-0800), Russ Allbery wrote:
> Jeremy Stanley writes:
>
> > Yes, I get that. I don't mind having to go out of my way to update
> > non-free firmware even if it means separately downloading with another
> > machine and sneaker-netting on r
the law
and can be fined or put out of business for allowing their users to
alter the way a device functions is still a software freedom
concern, just one over which Debian may hold little sway.
--
Jeremy Stanley
On 2021-01-22 06:56:27 +0100 (+0100), Emanuele Rocca wrote:
> On 15/01 03:30, Jeremy Stanley wrote:
> > This boils down to a debate over whether the Debian community values
> > convenience over ideals.
>
> This is not about convenience, it's about being able to install
On 2021-01-23 11:14:52 +0100 (+0100), Emanuele Rocca wrote:
> On 22/01 08:30, Jeremy Stanley wrote:
> > Taking away the choice for users who care about software freedom
> > to opt out of non-free content in the installer and find
> > alternative options would be a loss of f
beyond the fact that by employing that word you're maligning anyone
with a physical handicap by comparing them to what you see as
defective equipment).
Let's please stay focused on facts, and not devolve further into
such argumentum ad hominem.
--
Jeremy Stanley
me record of
whether there were changes in upstream signing practices (same key
ID with a new expiration date? different key but the keyserver
network contains keysigs for it from the previous one?). Actually
verifying signatures made with it after the source package has
appeared in the Debian arch
/github.com/radxa/oshw/tree/master/rock_pro
Definitely worth checking out.
--
Jeremy Stanley
digest, fitting the names of all the
relevant software into the subject would be unlikely a lot of the
time. As such, list subscribers are far less likely to spot one for
software they might care about.
--
Jeremy Stanley
ome other package repository which they've
surreptitiously signed with their key, nor try to sneak into your
system with conflicting package names, they can simply stick
backdoors in the maintscripts of the packages you already want to
install from them.
--
Jeremy Stanley
On 2021-07-01 09:35:16 -0400 (-0400), Kyle Edwards wrote:
> On 7/1/21 9:27 AM, Jeremy Stanley wrote:
> > It's not clear (to me at least) that placing keys into
> > /etc/apt/trusted.gpg.d is deprecated
>
> According to
> https://wiki.debian.org/DebianRepository/UseThi
. On top of that, you can embed Signed-By fields with
your key fingerprint in your repository's Release files, in order to
highlight if someone gets an updated index which is signed by a
different key than you previously indicated it should be. I think
anything as recent as Stretch should su
On 2021-07-01 14:26:48 -0400 (-0400), Kyle Edwards wrote:
> On 7/1/21 2:19 PM, Jeremy Stanley wrote:
> > Also, as others have stated, deb822 might be a cleaner way to
> > express this.
>
> I'm a little confused - I thought deb822 was just a generic format
>
do think it's a useful feature, but my knee jerks
whenever people blindly follow "security advice" to complicate their
lives or the lives of users without applying common sense about what
risks are actually being mitigated to warrant that additional
burden.
> On Thu, Jul 01, 2021
On 2021-07-01 20:19:55 +0000 (+0000), Jeremy Stanley wrote:
[...]
> > Let's not throw the baby out with the bathwater, shall we?
> [...snip bits about the abject horrors of apt-key...]
>
> This was in response to the linked wiki article you helped edit,
> purporting to represen
On 2021-07-02 01:24:09 +0000 (+0000), Paul Wise wrote:
> On Thu, Jul 1, 2021 at 1:27 PM Jeremy Stanley wrote:
>
> > There's nothing especially wrong about using signed-by, but
> > it's not the security fix some people seem to believe. In short,
> > *any* pac
f your MitM knows the right people, and CDNs are now in
the business of snooping on everyone's traffic for sites where they
handle SSL/TLS termination. HTTPS as deployed on the open Internet
is a sip of security with several gulps of theater.
--
Jeremy Stanley
On 2021-08-20 11:36:41 +0200 (+0200), Bjørn Mork wrote:
> Jeremy Stanley writes:
>
> > While this does complicate it, a snooping party can still know the
> > site they're connecting to via SNI happening unencrypted,
>
> I believe this can be fixed with TLS 1.3?
>
date applications or protocols, but the time
developers will spend having to explain why they're using MD5 or
SHA-1 hashes can be orders of magnitude greater still.
--
Jeremy Stanley
d directly by a particular package, I think D-I and
various bootstrapping tools independently write it at installation,
so the "fixes" for this are likely to be in a variety of places.
--
Jeremy Stanley
block you from downloading security updates until the
old indices they're injecting expire, but they can also more noisily
prevent you from downloading security updates for far longer,
regardless of whether you use HTTPS as a transport.
--
Jeremy Stanley
onsidered unhygienic. Transparent "web accelerators"
used to be popular in such environments, but the modern trend to
switch most communications to HTTPS has rendered them essentially
useless since years.
--
Jeremy Stanley
some extra time to work on
exploiting that vulnerability. The practicality of this particular
attack isn't all that high, as there are often going to be other
avenues of compromise which involve less effort on the part of the
attacker anyway. Still, people are correct to call it out as some
form
rce package build time does seem marginally
obsessive (though I suppose that's fine so long as you actually
remember to do it).
--
Jeremy Stanley
nt-side bugs will almost certainly never be
fixed.
--
Jeremy Stanley
posed by plain HTTP when used for unrelated
purposes, and no longer needing to repeatedly explain to users that
Debian has gone to great lengths to implement package distribution
security which doesn't really depend at all on transport layer
encryption.
--
Jeremy Stanley
nificant amount of new security or
privacy for Debian users, that would be disingenuous. Just say the
default is switching to HTTPS because that's what users, by and
large, expect today.
--
Jeremy Stanley
for GNOME: GNOME Connections.
This app will be maintained by the Debian GNOME team. Packaging is at
https://salsa.debian.org/gnome-team/gnome-connections
Thanks,
Jeremy Bicha
entirely from scratch. Ideally, many of the
build dependencies could be satisfied initially from unadulterated
packages already available in Debian, and then replaced with custom
patched versions once any problem dependency cycles have been
broken.
--
Jeremy Stanley
On 2021-09-19 01:24:32 +0000 (+0000), Paul Wise wrote:
> On Sat, Sep 18, 2021 at 2:35 PM Jeremy Stanley wrote:
[...]
> > http://lists.starlingx.io/pipermail/starlingx-discuss/2021-September/012058.html
>
> Hmm, this site has a confusing way of not supporting https.
[...]
Thanks f
On 2021-09-19 01:24:17 +0000 (+0000), Paul Wise wrote:
[...]
> Jeremy Stanley pointed out that this is for the StarlingX project,
> please consider merging StarlingX changes back to Debian and our
> upstream projects and contributing new packages back into Debian
> itself.
[...]
istribution might be in their best interests... but they've only
just begun to investigate what building a Debian derivative might
mean for them (for example, they've been relying on OpenSuse's OBS
to build all their distro packages up till now, and that may not be
a great fit for tryi
vides a modern password reset solution which
won't leak plaintext passwords to people sniffing SMTP
communications, so we do intend to add HTTPS when upgrading to that,
which ought to be fairly soon.
--
Jeremy Stanley
a few people involved in upstream Kernel development, so hopefully
that's not a stretch for them.
--
Jeremy Stanley
es could
also be distributed separately in non-free from different source
packages (so long as their licenses permit their distribution at
all, which is another fun problem these bits sometimes raise).
--
Jeremy Stanley
's not actually true. Either
way, the object really shouldn't be copied into the binary package
though, and should be rebuilt at package build time instead in order
to confirm all of the compiled form can be built exclusively with
tools available in main.
--
Jeremy Stanley
-4-to-5.html
And since you'll need to port from GTK3 to GTK4 to use gtksourceview5:
https://docs.gtk.org/gtk4/migrating-3to4.html
Thanks,
Jeremy Bicha
default. gedit will still be
available and offers more complex features.
GNOME Text Editor uses GTK4 and libadwaita.
Thanks,
Jeremy Bicha
nd need to be able to
"skip" between arbitrary numbers of intermediate releases, so not
trivial either.
--
Jeremy Stanley
ouple of years without having to step
through several intermediate versions of everything in order to do
so. A big part of the problem is testing though: if we want to
continuously test upgrade viability, then the number of possible
combinations of start and end versions for those upgrade tests
presen
ty team so it's easy for these packages to
follow GNOME style without conflicting with a different team's style.
Thanks,
Jeremy Bicha
ype and maybe package
parameters as well as your search regex.
--
Jeremy Stanley
big deal to bump your
version from 0.9 to 14. After that, you don't have any obligation to
do year.month versioning.
Thanks,
Jeremy Bicha
is
Cinnamon. It is hoped that Cinnamon will be able to switch to mozjs91
soon too.
https://discourse.gnome.org/t/spidermonkey-91/8665
Thanks,
Jeremy Bicha
are ported.
Migration Guide: https://libsoup.org/libsoup-3.0/ch02.html
Upstream porting status tracker:
https://gitlab.gnome.org/GNOME/libsoup/-/issues/218
Thanks,
Jeremy Bicha
-]depend on valgrind-if-available.
Do you have any suggestions on how to handle this when the valgrind
test is set by a configure flag?
The way I've been handling it is to just keep a hard-coded list of
valgrind architectures in sync between my debian/control and
debian/rules.
Thank you,
Jeremy Bicha
".
>
> The packages work just fine, the source format is still supported, I
> have better things to do with my time?
I guess you'd be ok with orphaning aspic to allow others to more
easily modernize the packaging?
https://bugs.debian.org/657083
Thank you,
Jeremy Bicha
ave Salsa commit privileges for.
Thanks,
Jeremy Bicha
irtues
of open firmware.
4. Consider (as you mentioned) working on my own reimplementation.
--
Jeremy Stanley
On 2022-04-19 22:51:59 +0200 (+0200), Bastian Blank wrote:
> On Tue, Apr 19, 2022 at 12:17:06PM +0000, Jeremy Stanley wrote:
> > It's probably what you meant, but just to be clear, as a user I'd
> > also want to know which of the firmware packages used/installed were
>
ion=article;sid=20210722072359
--
Jeremy Stanley
urce package naming has been adopted by other distros:
https://repology.org/project/glibmm/versions
Thanks,
Jeremy Bicha
e (Debian 11) point
releases or bookworm (testing) daily snapshots, the old "openstack"
images have been superseded by the "cloud" images now, so you can
find them here instead:
https://cdimage.debian.org/cdimage/cloud/bullseye/latest/
https://cdimage.debian.org/cdimage/c
s
This is a "native" package and will be maintained by the Ayatana
Packagers team. Packaging is at
https://salsa.debian.org/debian-ayatana-team/session-migration
Thanks,
Jeremy Bicha
like it's only used by
about 6 current Ubuntu source packages so a rename is doable if
needed. I think I wouldn't even need a transitional package since we'd
rebuild all those Ubuntu packages which would get them the properly
named dependency.
Here's a suggestion:
user-session-migration
dh-migrate-user-session Providing dh-sequence-migrate-user-session
Thank you,
Jeremy Bicha
I didn't get a reply yet and we need to make a decision.
Thank you,
Jeremy Bicha
On Tue, Jun 28, 2022 at 9:51 PM Jeremy Bicha wrote:
> On Tue, Jun 28, 2022 at 8:07 PM Guillem Jover wrote:
> > > Package: session-migration
> > > Description: Tool to migrate in user se
't really have limits. You
must trust the .deb publisher. Otherwise, you can use something like
Snap which has significant restrictions on what Snap publishers can do
with the apps they publish.
Thanks,
Jeremy Bicha
link in my ITP bug which makes it easy for
someone to review it if they want.
Thank you,
Jeremy Bicha
n-binary people face a lot of discrimination, harassment and
bullying around the world. That bad treatment of these people is
against Debian's core values. Therefore, the Debian Project wouldn't
want to distribute software that appears to facilitate that kind of
harassment, regardless of the software license it is released under.
We might not want to distribute such software even if it also has
non-harmful uses. We don't have to distribute *everything* ourselves.
[1] https://www.debian.org/intro/diversity
Thank you,
Jeremy Bicha
a Telnet client, it makes sense to
include at least a reference implementation of a Telnet server in
order to be able to validate its functionality.
--
Jeremy Stanley
to a target - even if it means fiddling
> increasingly with flags.
This is getting increasingly off-topic, but you're able to get a
modern SSH client to successfully connect to an old device which
only speaks SSHv1 protocol?
--
Jeremy Stanley
ce
is currently non-linear.
https://github.com/GSConnect/gnome-shell-extension-gsconnect/issues/1412
Thanks,
Jeremy Bicha
dependency for GNOME Builder 43 which will use GTK4.
Thanks,
Jeremy Bicha
cairomm1.16 source package naming has been adopted by other distros:
https://repology.org/project/cairomm/versions
Thanks,
Jeremy Bicha
pangomm2.48 ABI is intended for use with gtkmm4.0 (which uses GTK 4).
The pangomm2.48 source package naming has been adopted by other distros:
https://repology.org/project/pangomm/versions
Thanks,
Jeremy Bicha
endbr64
--
Jeremy Stanley
for Debian 12.
Most but not all of the Ubuntu desktop flavors have also switched to
PipeWire for Ubuntu 22.10. I'm not involved in the decisions for other
Debian desktop flavors but they would get the same advantages and
their apps designed for PulseAudio should still work with PipeWire.
Thank you,
Jeremy Bicha
sion on this topic. We are still able to fix release critical bugs
until the Release and after the release as stable updates.
I think we should make the swap this week so we can see the actual
effects instead of hypothetical concerns.
Thank you,
Jeremy Bicha
an easy escape.
However, I've not seen a single complaint from Ubuntu about switching
to PipeWire. So maybe we still ought to switch gnome-core now to get
real feedback.
Thank you,
Jeremy Bicha
ause I'm not involved in those decisions.
I'll likely upload the gnome-core change to Unstable tomorrow.
Thank you,
Jeremy Bicha
o handle that file, but maybe they needed to handle
sources.list.d/ anyway.
Thank you,
Jeremy Bicha
we
> can introduce those in point releases with "predictable" schedule,
> it would be better, IMHO.
>
> * KDE Plasma: 5.27 - 2023-02?
> * GNOME : 44 - 2023-03
The Debian GNOME team doesn't have anywhere close to enough developer
time and energy to make backporting a new major GNOME release
feasible.
Thank you,
Jeremy Bicha
for users to override the preference; they would
need to add/edit the config file in their home directory manually.
More details in the README at https://github.com/Vladimir-csp/xdg-terminal-exec
Thanks,
Jeremy Bicha
r experimental now.
The only place it's been packaged so far is the Arch Linux AUR:
https://repology.org/project/xdg-terminal-exec/versions
Thank you,
Jeremy Bicha
On Thu, Jul 7, 2022 at 4:58 AM Guillem Jover wrote:
> On Tue, 2022-06-28 at 21:51:44 -0400, Jeremy Bicha wrote:
> > Here's a suggestion:
> > user-session-migration
> > dh-migrate-user-session Providing dh-sequence-migrate-user-session
>
> Personally I'd perh
eam. Packaging is at
https://salsa.debian.org/gnome-team/libdex
It is a required dependency for GNOME Builder 44.
Thanks,
Jeremy Bicha
your machine from prying eyes if it gets
stolen, but unless you're putting sensitive data in /boot why go to
the added trouble of encrypting it?
--
Jeremy Stanley
s you reasonably want to invest in defending against. I'm
certainly not saying there's *never* a reason to encrypt /boot, but
people who feel they need to do so aren't involved in improving
tools and automation sufficiently to make it convenient to set up
either.
--
Jeremy Stanley
key material used to decrypt and encrypt.
Not that I'm a fan of the proposed use case, but see the manpage for
cryptsetup-luksAddKey(8): "Adds a keyslot protected by a new
passphrase." So while there is only one passphrase for a key, a
device can be accessed by an arbitrary number
. So at first
> I'd like to gather more input on this and would appreciate suggestions
> where to head for next. In the quest for final truth.
I'll be perfectly satisfied with bookworm-is-released. ;)
--
Jeremy Stanley
Package: wnpp
Severity: wishlist
Owner: Jeremy Sowden
* Package name: linenoise
Version : 1.0+git20180718.4a961c010872
Upstream Author : Salvatore Sanfilippo
* URL : https://github.com/antirez/linenoise
* License : BSD-2-Clause
Programming Lang: C