Debian Bug report logs - #677565
msva-perl: Insecure dependency in socket while running with -T switch at /usr/lib/perl/5.14/IO/Socket.pm line 80

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: intrigeri@debian.org

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: msva-perl: Insecure dependency in socket while running with -T switch at /usr/lib/perl/5.14/IO/Socket.pm line 80

Date: Thu, 14 Jun 2012 23:48:49 +0200

Package: msva-perl
Version: 0.8-2
Severity: grave

$ cat $HOME/.monkeysphere/monkeysphere.conf
USE_VALIDATION_AGENT=true
KEYSERVER=keys.indymedia.org
$ . $HOME/.monkeysphere/monkeysphere.conf
$ msva-perl
Use of uninitialized value $loglevel in lc at /usr/share/perl5/Crypt/Monkeysphere/MSVA/Logger.pm line 91.
Insecure dependency in socket while running with -T switch at /usr/lib/perl/5.14/IO/Socket.pm line 80.
zsh: exit 255   msva-perl

This might be related to upgrading libnet-server-perl to 2.005-1.

(Removing the -T flag in /usr/bin/msva-perl
=> the second error message is replaced with:
2 sockets open; should have been 1.
zsh: exit 10    msva-perl
This may be due to the new Net::Server binding to both IPv4 and IPv6.
)

Message #10 received at 677565@bugs.debian.org (full text, mbox, reply):

From: Iain Lane <laney@debian.org>

To: intrigeri@debian.org, 677565@bugs.debian.org

Subject: Re: Bug#677565: msva-perl: Insecure dependency in socket while running with -T switch at /usr/lib/perl/5.14/IO/Socket.pm line 80

Date: Tue, 19 Jun 2012 11:58:58 +0100

[Message part 1 (text/plain, inline)]

Hello,

On Thu, Jun 14, 2012 at 11:48:49PM +0200, intrigeri@debian.org wrote:
> Package: msva-perl
> Version: 0.8-2
> Severity: grave
> 
> $ cat $HOME/.monkeysphere/monkeysphere.conf
> USE_VALIDATION_AGENT=true
> KEYSERVER=keys.indymedia.org
> $ . $HOME/.monkeysphere/monkeysphere.conf
> $ msva-perl
> Use of uninitialized value $loglevel in lc at /usr/share/perl5/Crypt/Monkeysphere/MSVA/Logger.pm line 91.
> Insecure dependency in socket while running with -T switch at /usr/lib/perl/5.14/IO/Socket.pm line 80.
> zsh: exit 255   msva-perl
> 
> This might be related to upgrading libnet-server-perl to 2.005-1.

This broke my X login in a way that was perplexing to untangle. It seems
as if monkeysphere inserts itself into the X session startup by way of a
file in /etc/X11/Xsession.d. monkeysphere-validation-agent failing then
made the whole Xsession execution fail, which is really unfriendly.

Downgrading libnet-server-perl to 0.99-4 fixes it. Perhaps you should
consider blocking that from migrating if it is exposing bugs like this.

Cheers,

-- 
Iain Lane                                  [ iain@orangesquash.org.uk ]
Debian Developer                                   [ laney@debian.org ]
Ubuntu Developer                                   [ laney@ubuntu.com ]
PhD student                                       [ ial@cs.nott.ac.uk ]

[signature.asc (application/pgp-signature, inline)]

Message #15 received at 677565@bugs.debian.org (full text, mbox, reply):

From: intrigeri <intrigeri@debian.org>

To: Iain Lane <laney@debian.org>

Cc: 677565@bugs.debian.org

Subject: Re: Bug#677565: msva-perl: Insecure dependency in socket while running with -T switch at /usr/lib/perl/5.14/IO/Socket.pm line 80

Date: Tue, 19 Jun 2012 21:44:19 +0200

Hi,

Iain Lane wrote (19 Jun 2012 10:58:58 GMT) :
> Downgrading libnet-server-perl to 0.99-4 fixes it.

Thanks a lot for confirming this.

> Perhaps you should consider blocking that from migrating if it is
> exposing bugs like this.

I agree this bug is annoying, but even knowing that, I doubt
Net-Server-2.005 is any worse than our previous Net::Server 0.99
series, that is seriously buggy itself, and carries a handful of
Debian specific patches that were merged upstream since then.

However, given Net::Server pretends to be taint clean, it does looks
like there's a serious bug in there, that shall be reported and fixed.
I'll try to isolate a minimal testcase and will report it in Debian
and upstream.

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc

Message #20 received at 677565@bugs.debian.org (full text, mbox, reply):

From: intrigeri <intrigeri@boum.org>

To: 677565@bugs.debian.org

Cc: Iain Lane <laney@debian.org>

Subject: Re: Bug#677565: msva-perl: Insecure dependency in socket while running with -T switch at /usr/lib/perl/5.14/IO/Socket.pm line 80

Date: Wed, 20 Jun 2012 04:33:02 +0200

Hi,

intrigeri wrote (19 Jun 2012 19:44:19 GMT) :
> However, given Net::Server pretends to be taint clean, it does looks
> like there's a serious bug in there, that shall be reported and fixed.
> I'll try to isolate a minimal testcase and will report it in Debian
> and upstream.

I tried building msva-perl 0.8-2 + commit f24706da cherry-picked from
upstream. Good news: for some reason, the resulting package does not
expose the bug we are discussing :)

So I suggest the following plan:

  0. ASAP: someone (Iain? Daniel?) reproduces my successful testing
     result.

  1. short-term: push msva-perl 0.8-3 out to unstable, with this
     commit applied (and perhaps 20e3148 too?)

  2. long-term: investigate if there's actually a bug in Net-Server,
     and if there is, report it properly.

Daniel, what do you think?

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc

Message #25 received at 677565@bugs.debian.org (full text, mbox, reply):

From: Iain Lane <laney@debian.org>

To: intrigeri <intrigeri@boum.org>

Cc: 677565@bugs.debian.org

Subject: Re: Bug#677565: msva-perl: Insecure dependency in socket while running with -T switch at /usr/lib/perl/5.14/IO/Socket.pm line 80

Date: Wed, 27 Jun 2012 23:30:40 +0100

[Message part 1 (text/plain, inline)]

Hi,

On Wed, Jun 20, 2012 at 04:33:02AM +0200, intrigeri wrote:
> Hi,
> 
> intrigeri wrote (19 Jun 2012 19:44:19 GMT) :
> > However, given Net::Server pretends to be taint clean, it does looks
> > like there's a serious bug in there, that shall be reported and fixed.
> > I'll try to isolate a minimal testcase and will report it in Debian
> > and upstream.
> 
> I tried building msva-perl 0.8-2 + commit f24706da cherry-picked from
> upstream. Good news: for some reason, the resulting package does not
> expose the bug we are discussing :)
> 
> So I suggest the following plan:
> 
>   0. ASAP: someone (Iain? Daniel?) reproduces my successful testing
>      result.

Sorry for the delay. I tried to do this but failed because I cannot find
the commits you are referring to. I use the repository referenced in
Vcs-Git of msva-perl: git://git.monkeysphere.info/msva-perl.

,----
| laney@raleigh> git show f24706da
| fatal: ambiguous argument 'f24706da': unknown revision or path not in
| the working tree.
`----

Where can I find these commits? Alternatively, you could upload a source
package somewhere for me to build/test.

Cheers,

-- 
Iain Lane                                  [ iain@orangesquash.org.uk ]
Debian Developer                                   [ laney@debian.org ]
Ubuntu Developer                                   [ laney@ubuntu.com ]
PhD student                                       [ ial@cs.nott.ac.uk ]

[signature.asc (application/pgp-signature, inline)]

Message #30 received at 677565@bugs.debian.org (full text, mbox, reply):

From: intrigeri <intrigeri@boum.org>

To: Iain Lane <laney@debian.org>

Cc: 677565@bugs.debian.org

Subject: Re: Bug#677565: msva-perl: Insecure dependency in socket while running with -T switch at /usr/lib/perl/5.14/IO/Socket.pm line 80

Date: Thu, 28 Jun 2012 00:49:17 +0200

Hi,

Iain Lane wrote (27 Jun 2012 22:30:40 GMT) :
> Where can I find these commits?

There: git://lair.fifthhorseman.net/~dkg/msva-perl
(Yeah, I know, that's not obvious.)

Message #35 received at 677565@bugs.debian.org (full text, mbox, reply):

From: Iain Lane <laney@debian.org>

To: intrigeri <intrigeri@boum.org>

Cc: 677565@bugs.debian.org

Subject: Re: Bug#677565: msva-perl: Insecure dependency in socket while running with -T switch at /usr/lib/perl/5.14/IO/Socket.pm line 80

Date: Thu, 28 Jun 2012 09:37:41 +0100

[Message part 1 (text/plain, inline)]

On Thu, Jun 28, 2012 at 12:49:17AM +0200, intrigeri wrote:
> Hi,
> 
> Iain Lane wrote (27 Jun 2012 22:30:40 GMT) :
> > Where can I find these commits?
> 
> There: git://lair.fifthhorseman.net/~dkg/msva-perl
> (Yeah, I know, that's not obvious.)

Got it, thanks. Seems to fix it indeed, and if the other commit fixes
the "Use of uninitialized value" warning (looked at the code but didn't
test it) then we might as well include that too IMHO.

I guess getting a freeze unblock wouldn't be a problem for this, but we
should nevertheless try and get uploaded before then. Can you ping dkg
in #monkeysphere?

Cheers,

-- 
Iain Lane                                  [ iain@orangesquash.org.uk ]
Debian Developer                                   [ laney@debian.org ]
Ubuntu Developer                                   [ laney@ubuntu.com ]
PhD student                                       [ ial@cs.nott.ac.uk ]

[signature.asc (application/pgp-signature, inline)]

Message #40 received at 677565@bugs.debian.org (full text, mbox, reply):

From: intrigeri <intrigeri@boum.org>

To: 677565@bugs.debian.org

Cc: Iain Lane <laney@debian.org>, Tim Retout <tim@retout.co.uk>

Subject: Re: Bug#677565: msva-perl: Insecure dependency in socket while running with -T switch at /usr/lib/perl/5.14/IO/Socket.pm line 80

Date: Thu, 05 Jul 2012 01:19:24 +0200

Hi,

Tim did not manage to reproduce this bug on current sid, and neither
could I in a sid VM.

However, I can still reproduce it on the system that exposed it in the
first place, so unfortunately, it does not look like the bug was
magically autofixed by some change in the underlying
Debian/Perl environment.

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc

Message #45 received at 677565@bugs.debian.org (full text, mbox, reply):

From: Andrew Harvey <andrew.harvey4@gmail.com>

To: 677565@bugs.debian.org

Subject: Re: Bug#677565: msva-perl: Insecure dependency in socket while running with -T switch at /usr/lib/perl/5.14/IO/Socket.pm line 80

Date: Sat, 14 Jul 2012 10:06:55 +1000

[Message part 1 (text/plain, inline)]

Severity: critical

I'm tagging this critical as it "makes unrelated software on the system
(or the whole system) break". If I'm wrong in doing this, you can always
change it back.

I can also confirm this issue still exists (at least for my existing up
to date unstable installation (I haven't tested a clean sid install).
Indeed it prevents logging in through the normal X login.

Leaving in ~/.xsession-errors

Use of uninitialized value $loglevel in lc at
/usr/share/perl5/Crypt/Monkeysphere/MSVA/Logger.pm line 91.
2 sockets open; should have been 1.

I can also confirm that msva-perl 0.8-2 + commit f24706da cherry-picked
from upstream fixes the issue.

[signature.asc (application/pgp-signature, attachment)]

Message #50 received at 677565-close@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: 677565-close@bugs.debian.org

Subject: Bug#677565: fixed in msva-perl 0.9-1

Date: Sat, 28 Jul 2012 21:17:14 +0000

Source: msva-perl
Source-Version: 0.9-1

We believe that the bug you reported is fixed in the latest version of
msva-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 677565@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <dkg@fifthhorseman.net> (supplier of updated msva-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 25 Jul 2012 13:20:08 -0400
Source: msva-perl
Binary: msva-perl
Architecture: source all
Version: 0.9-1
Distribution: unstable
Urgency: low
Maintainer: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Changed-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Description: 
 msva-perl  - Cryptographic identity validation agent (Perl implementation)
Closes: 614313 642304 661939 677565 682353 682518
Changes: 
 msva-perl (0.9-1) unstable; urgency=low
 .
   * New Upstream version
    - tighter dependencies
    - daemon crash should no longer kill X11 session
      (Closes: #682353, #682518)
    - cleanup for newer versions of perl and modules
      (Closes: #677565, #642304)
    - binds explicitly to IPv4 loopback
      (Closes: #661939)
    - scanning for changes and prompting to reload off by default
      (Closes: #614313)
   * bumped Standards-Version to 3.9.3 (no changes needed)
Checksums-Sha1: 
 b25ff2b2118e1b108b3c3dfdcce8e1c245fed651 1927 msva-perl_0.9-1.dsc
 62ee238e51b0f4550b04fcf95e06058199eddbb9 54506 msva-perl_0.9.orig.tar.gz
 3ec53b9587080d222c9ae0e199e0000c26b9887c 3563 msva-perl_0.9-1.debian.tar.gz
 0bafb14f29f8876d5401d7283bd740672e937f80 44860 msva-perl_0.9-1_all.deb
Checksums-Sha256: 
 c46d49c96fdc89d007233363fc56850a853950f53d0d029f90b061a7882be662 1927 msva-perl_0.9-1.dsc
 1323bc10f7a7847cbd5b22a781ca0025b20cafc72df5f8e12b771eb338c34bf5 54506 msva-perl_0.9.orig.tar.gz
 a9d400d4cf22ddc893f76e8548c9f4284daae53f7fe52b10be155a78a7252c67 3563 msva-perl_0.9-1.debian.tar.gz
 a46bcfdb7a06e832d933b011ddcb86e006ed76e16d6e5a94e59c993c10cefef1 44860 msva-perl_0.9-1_all.deb
Files: 
 07181ad66eb7871dcd1088a59d8afee9 1927 net extra msva-perl_0.9-1.dsc
 e0af8643227ebedbd2edf31579ab5644 54506 net extra msva-perl_0.9.orig.tar.gz
 236a98262e42d4ebfa9c68a4ecd26b17 3563 net extra msva-perl_0.9-1.debian.tar.gz
 67027362bcf49dd6fec47c8914b7b0ec 44860 net extra msva-perl_0.9-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQJ8BAEBCgBmBQJQFFMSXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQwRUU1QkU5NzkyODJEODBCOUY3NTQwRjFD
Q0QyRUQ5NEQyMTczOUU5AAoJEMzS7ZTSFznpfNIP/1m9Sbuc9d1BMIioFS75rQeP
EeOg7Yw70zNUjpOMtU9WuDD88YJAX3cfb9ifzJYJyYae/ZFJIvkBwky2rNL8tCjy
Shj1Y9uBHyAuGpR/R9huZ47WyrY8mJ/sc1anUa7n8Y3Vrb9npOsvZNIiY6GOX9sX
cdbEWtOuxWV+1pAAm30zwo50erSFSyv/RtJhUTJcl8GWMvTb1uz7g9FlhjwDyFv4
RbFawREUBNw8lAFFancOuD1gQR2IN5PBJC2aMSpt7DS8iVo45jwvc2kz7hmuIvm9
n08ycsOxXCHYp/CQcr3k66TQXQ3gfX+Jw/yJpDMAGL6bKoFyYHTOklKwszOcCy2t
hBqk0l0P9RxmtH9yrFLDXH6oW7DytU8ERHUSpCbikzyIaP1X09/aTLOzMdekeeNh
FGDlqFgGTueMQ88MWh3Z6mUZ98vUT85McMybBppO0ypSEtjo38c9zAJW3wl0TXvY
ZMjrnX8xnaVnKBUe7dEu8aDMJG8ZADmsyRmiGVuiuPuh/028eiSToID+ed6e5QUP
nbCLczG6tPIP+9pGpIkarvldQj5JMgpSxJQkgtYuJ0WrDF5MQvAKQ6xtoKv1alYV
xoTcjcT0k1W6ocB64YjPgmZmSDgI2L7bqh/V+6C3lHMpeQgIGEwKXEvNf3b0a/MX
ceYOG78dTBv7QewUfz+2
=8P1J
-----END PGP SIGNATURE-----

Message #55 received at 677565@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>

To: 682353@bugs.debian.org, 682518@bugs.debian.org, 677565@bugs.debian.org

Subject: RC bugs in msva-perl

Date: Sat, 2 Feb 2013 13:12:16 +0000

Hi Daniel,

These three RC bugs are still present in wheezy although they were
fixed in sid in July.

Am I right in thinking that #682518 and #677565 are actually the
same issue, and that they are fixed by upstream commits?

7f8a57a1ebc8f5b4d63acbd8f7104c85f7dc0a19  Make msva's primary listening daemon a subprocess instead of the parent
06800804fa6ee5454e393e3ac9492136022b887f  newer versions of Net::Server can bind to multiple sockets

Do you have any plans to prepare a t-p-u upload to fix this set of
wheezy RC bugs?

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Message #60 received at 677565@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>

To: 682353@bugs.debian.org, 682518@bugs.debian.org, 677565@bugs.debian.org

Cc: 686054@bugs.debian.org

Subject: Re: RC bugs in msva-perl

Date: Sat, 2 Feb 2013 13:19:21 +0000

On Sat, Feb 02, 2013 at 01:12:16PM +0000, Dominic Hargreaves wrote:
> Hi Daniel,
> 
> These three RC bugs are still present in wheezy although they were
> fixed in sid in July.
> 
> Am I right in thinking that #682518 and #677565 are actually the
> same issue, and that they are fixed by upstream commits?
> 
> 7f8a57a1ebc8f5b4d63acbd8f7104c85f7dc0a19  Make msva's primary listening daemon a subprocess instead of the parent
> 06800804fa6ee5454e393e3ac9492136022b887f  newer versions of Net::Server can bind to multiple sockets
> 
> Do you have any plans to prepare a t-p-u upload to fix this set of
> wheezy RC bugs?

Argh, sorry, I somehow completely missed the unblock request.
As the release team aren't too happy about the size of the 0.9 debdiff,
what do you think about my suggestion - are these the right commits
to fix the RC bugs in question (one of them needs rebasing/porting; the
other appears to be apply cleanly)?

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Message #65 received at 677565@bugs.debian.org (full text, mbox, reply):

From: intrigeri <intrigeri@debian.org>

To: Dominic Hargreaves <dom@earth.li>

Cc: 677565@bugs.debian.org, 682353@bugs.debian.org, 682518@bugs.debian.org, 686054@bugs.debian.org

Subject: Re: Bug#677565: RC bugs in msva-perl

Date: Sat, 02 Feb 2013 15:31:33 +0100

Hi,

Dominic Hargreaves wrote (02 Feb 2013 13:19:21 GMT) :
> As the release team aren't too happy about the size of the 0.9 debdiff,
> what do you think about my suggestion - are these the right commits
> to fix the RC bugs in question (one of them needs rebasing/porting; the
> other appears to be apply cleanly)?

FWIW, I've asked about the same on the Monkeysphere mailing-list last
October, see dkg's answer there:
https://lists.riseup.net/www/arc/monkeysphere/2012-10/

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc

Message #70 received at 677565@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>

To: intrigeri <intrigeri@debian.org>

Cc: 677565@bugs.debian.org, 682353@bugs.debian.org, 682518@bugs.debian.org, 686054@bugs.debian.org

Subject: Re: Bug#677565: RC bugs in msva-perl

Date: Mon, 4 Feb 2013 18:28:44 +0000

On Sat, Feb 02, 2013 at 03:31:33PM +0100, intrigeri wrote:
> Hi,
> 
> Dominic Hargreaves wrote (02 Feb 2013 13:19:21 GMT) :
> > As the release team aren't too happy about the size of the 0.9 debdiff,
> > what do you think about my suggestion - are these the right commits
> > to fix the RC bugs in question (one of them needs rebasing/porting; the
> > other appears to be apply cleanly)?
> 
> FWIW, I've asked about the same on the Monkeysphere mailing-list last
> October, see dkg's answer there:
> https://lists.riseup.net/www/arc/monkeysphere/2012-10/

Thanks for that - so it seems that it's not as clear cut as I hoped
which patches are needed. I don't use msva-perl myself, so I probably
won't be doing anything more on this one.

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Message #75 received at 677565@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: Dominic Hargreaves <dom@earth.li>, 682518@bugs.debian.org

Cc: intrigeri <intrigeri@debian.org>, 677565@bugs.debian.org, 682353@bugs.debian.org, 686054@bugs.debian.org, Monkeysphere Developers <monkeysphere@lists.riseup.net>

Subject: Re: Bug#682518: Bug#677565: RC bugs in msva-perl

Date: Fri, 08 Feb 2013 00:48:55 -0500

[Message part 1 (text/plain, inline)]

On 02/04/2013 01:28 PM, Dominic Hargreaves wrote:
> On Sat, Feb 02, 2013 at 03:31:33PM +0100, intrigeri wrote:
>> FWIW, I've asked about the same on the Monkeysphere mailing-list last
>> October, see dkg's answer there:
>> https://lists.riseup.net/www/arc/monkeysphere/2012-10/

I've just pushed a proposed upstream msva-perl/0.8.1 targetted bugfix
tag to git://lair.fifthhorseman.net/~dkg/msva-perl, and a "wheezy"
branch that uses that and targets testing-proposed-updates.

The debdiff between 0.8-2 and the proposed 0.8.1-1 is attached here.  It
is smaller than the previously-submitted changeset to 0.9.1-1, but it is
still non-trivial, alas, due to having to accomodate the new Net::Server
and the change to avoid crashing X11 sessions if the agent fails for any
reason we were not able to anticipate.

I've tested 0.8.1-1 on a wheezy system and it works for me.  I plan to
upload it to t-p-u sometime tomorrow or the next day unless i hear from
anyone that it didn't work for them.

Regards,

	--dkg

[msva-perl_0.8-2_0.8.1-1.debdiff (text/plain, attachment)]

[signature.asc (application/pgp-signature, attachment)]

Message #80 received at 677565@bugs.debian.org (full text, mbox, reply):

From: intrigeri <intrigeri@debian.org>

To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Cc: Dominic Hargreaves <dom@earth.li>, 682518@bugs.debian.org, 677565@bugs.debian.org, 682353@bugs.debian.org, 686054@bugs.debian.org, Monkeysphere Developers <monkeysphere@lists.riseup.net>

Subject: Re: [monkeysphere] Bug#682518: Bug#677565: RC bugs in msva-perl

Date: Fri, 08 Feb 2013 10:14:43 +0100

Hi,

Daniel Kahn Gillmor wrote (08 Feb 2013 05:48:55 GMT) :
> I've just pushed a proposed upstream msva-perl/0.8.1 targetted bugfix
> tag to git://lair.fifthhorseman.net/~dkg/msva-perl, and a "wheezy"
> branch that uses that and targets testing-proposed-updates.

Excellent! Thanks a lot.

> I've tested 0.8.1-1 on a wheezy system and it works for me.

I'm going to test it during a few days.

> I plan to upload it to t-p-u sometime tomorrow or the next day
> unless i hear from anyone that it didn't work for them.

Looks like a good plan, but I suggest waiting a bit longer for:

  1. You and someone else (I volunteer) to try the proposed package
     for a few days: given t-p-u uploads have no time to be tested in
     sid, we should be extra careful about them.
  2. A pre-approval from the release team, which is required by the
     current freeze policy before uploading to t-p-u.

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc

Message #85 received at 677565@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: intrigeri <intrigeri@debian.org>

Cc: Dominic Hargreaves <dom@earth.li>, 682518@bugs.debian.org, 677565@bugs.debian.org, 682353@bugs.debian.org, 686054@bugs.debian.org, Monkeysphere Developers <monkeysphere@lists.riseup.net>, debian-release@lists.debian.org

Subject: Re: [monkeysphere] Bug#682518: Bug#677565: RC bugs in msva-perl

Date: Fri, 08 Feb 2013 14:03:48 -0500

[Message part 1 (text/plain, inline)]

On 02/08/2013 04:14 AM, intrigeri wrote:

> I'm going to test it during a few days.

thank you very much, intrigeri!

> Looks like a good plan, but I suggest waiting a bit longer for:
> 
>   1. You and someone else (I volunteer) to try the proposed package
>      for a few days: given t-p-u uploads have no time to be tested in
>      sid, we should be extra careful about them.
>   2. A pre-approval from the release team, which is required by the
>      current freeze policy before uploading to t-p-u.

now that i have a volunteer other than myself to test it, i will wait
until i hear back from you :)

meanwhile, if anyone on the release team (cc'ed here) wants to give a
review of the proposed debdiff, i would be happy to know if msva-perl
0.8.1-1 would be acceptable for t-p-u.

	--dkg

[signature.asc (application/pgp-signature, attachment)]

Message #90 received at 677565@bugs.debian.org (full text, mbox, reply):

From: intrigeri <intrigeri@debian.org>

To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Cc: 686054@bugs.debian.org, Dominic Hargreaves <dom@earth.li>, 682518@bugs.debian.org, 677565@bugs.debian.org, 682353@bugs.debian.org, Monkeysphere Developers <monkeysphere@lists.riseup.net>, debian-release@lists.debian.org

Subject: Re: Bug#686054: [monkeysphere] Bug#682518: Bug#677565: RC bugs in msva-perl

Date: Fri, 15 Feb 2013 13:55:25 +0100

Hi,

Daniel Kahn Gillmor wrote (08 Feb 2013 19:03:48 GMT) :
> now that i have a volunteer other than myself to test it, i will wait
> until i hear back from you :)

I've been using the proposed msva-perl's integration into the SSH
client for a week and have not experienced any regression.

> meanwhile, if anyone on the release team (cc'ed here) wants to give a
> review of the proposed debdiff, i would be happy to know if msva-perl
> 0.8.1-1 would be acceptable for t-p-u.

Most of the cherry-picked changes make sense to me, fix important or
RC bugs, and are obviously fine for t-p-u to me.

Some of the cherry-picked changes (e.g. the one that fixes #614313)
are not explicitly documented in debian/changelog, and don't exactly
match the current freeze policy. However, I think these ones are
trivial and have already had more than six months of exposure
in unstable.

So, I recommend the release team pre-approves this t-p-u upload, and
perhaps Daniel could go through the msva-perl_debian/0.8-2..wheezy
log, and makes sure everything is mentionned in debian/changelog
(while documenting every upstream change in there would not be
necessary if this was a regular upload to sid, I think a t-p-u upload
is a bit different and should document it details every change it
brings in).

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc

Send a report that this bug log contains spam.