Preparation of Debian GNU/Linux 2.2r3

Anthony Fok says: Since multiple users have filed bugs against the NLS problem, it is safe to assume that this problem affects a significant minority of all users,. (PDF files often undisplayable or unprintable without the fix unless they manually set LANG=C or something like that...) So 4.05-3 does indeed: fix an "important" bug that inconvenience quite a few users; or for newbie users, they don't even know how to fix it with LANG=C...

Changelog says:

* Added a line in /usr/lib/mime/packages/acroread to force Netscape use the Acroread PDF plugin. Thanks to Thibaut Cousin for reporting the bug and and to fellow Debian developer Ryan Murray for providing the fix. Closes: Bug#79333

* Acroread has some NLS issues that broke viewing and printing for international users when the decimal separator is not a dot. A patch is applied to the acroread wrapper script to set LC_NUMERIC. Thanks to Mirek, Serge Gavrilov, Sebastien Cabot for their bug reports, and special thanks to Florian Siegesmund for providing a patch ported from the netscape wrapper script written by H. Peter Anvin et al. Closes: Bug#66586, #66593, #76840, #86473.

* Moved /usr/X11R6/bin/acroread back to /usr/bin/acroread. :-)

* Added menu hints="PDF". Thanks, Arthur Korn! Closes: Bug#82321.

* Acroread 4.05 does support type-in fields for fill-in forms. Closes: Bug#36451.

Security Update

Security Update

Get architectures in sync.

This is non-US.

Fix unmet dependency in potato

Security Update

Install, uses an updated kernel and other improvements.

Other architectures are not able to hold the release, since boot-floppies are normally out of sync. There are too few porters around working on it.

m68k: Christian recently relocated to the US, and no one else is willing to do boot-floppies. Jonathan McDowell is working on them.

arm: Peter Naulls or Wookey plan to build them within the next two weeks. Philip Blundell is working on them today (Apr 15th).

Get stable packages in sync

Security Update

Showstopper

Fixed cslatex stops installation (closes: #67214, #69224)

Security upload

Packages compiled for alpha and arm uploaded.

No advisory yet, due to audit in progress

Get stable in sync

Security Update

ACCEPT: 1.4-11 REJECT: 1.4-12

Versions completely out of sync.

I would be convinced to let 1.4-11 go into stable to get architectures in sync again. However, since -12 was uploaded for arm, they are out of sync again. I'm not convinced the changes in -12 justify inclusion into stable.

Changelog for 1.4-11:

* The patch by Topi Miettinen to fix critical bug #74976 broke file recovery, but also the :w command. Re-engineered the patch so that the bug is fixed without any side-effects (closes: #77918)

* Add explanation by the author to clear up copyright notice (closes: #72021)

Changelog for 1.4-12: * Patch by David Douthitt to fix subsitition bug (closes: #73059)

* Patch by David Douthitt to fix range bug (closes: #55407)

* Move elvis-tiny to /bin (closes: #37571)

* Install wrapper in /bin/vi that execs /usr/bin/vi if it is present and /bin/elvis-tiny otherwise (closes: #72889)

* Install alternative for 'editor' (closes: #85318)

Arm compilation ready for upload on auric, requires 1.4-12 to be removed from proposed-updates

Miquel says: 1.4-12 was never meant to go into 'stable', I made a typo in the changelog file. I filed a bug against ftp.debian.org to fix the situation, which was done pretty quickly. Weird that -12 got into the arm port.

Maintainer: Miquel van Smoorenburg <miquels@cistron.nl>

Get stable in sync

Security update, DSA 034

alpha uploaded by me, waiting for dinstall

Security Update

Compiled to sync versions in stable

Security Update

Security Upload, DSA 046

Get architectures back in sync.

Security updates (advisory pending)

* Apply security fix patch from Werner.

* Apply another patch from Werner to fix bogus warning on Rijndael usage.

This is non-US.

Get architectures back in sync.

Get versions in sync

Security Update

Doesn't compile on arm due to no libforms

This looks quite screwed... However, since many of them, if not all, are new packages to stable, they are not likely to hurt. Since there are important security updates to 2.2.18 and above kernels at least most recent kernel versions need to be installed into stable. pcmcia-cs is a convenience package.

Herbert Xu: kernel-image-2.2.19pre* are not needed on i386/alpha.

Get architectures in sync

This is non-US.

Syncing architectures

Security-Update, DSA 044

Bugfix to security-update

Security Update

Security update, DSA 035, DoS

Alpha compiled & uploaded by me

Security update, DSA 036

Security update, DSA 011

Security update, DSA 012

Get architectures in sync

Changelog says

* The following patches are needed to get mtools running on ARM:

- updated config.guess and config.sub

- configure.in: recognize *-*-linux-gnu

- configure.in: add "-mstructure-size-boundary=8" to the CFLAGS on ARM (closes: #79180)

All arch's in sync now.

Explanation from Adrian Bunk:

It was meant to go in potato: All the patches (except the changed maintainer address) are ARM-specific or save (I don't expect bugs with "updated config.guess and config.sub") and shouldn't affect other platforms. Currently, any call to one of the programs on ARM gives the error message:

Mtools has not been correctly compiled Recompile it using a more recent compiler

(Joey) If Netwinders would have a floppy drive I would be convinced.

Acorn and RiscPC have floppies.

Get versions back in sync.

Get versions in sync

Security update, DSA 013, move to main again

Sparc, powerpc and alpha compiled & uploaded by me.

Security update, same as DSA 013

Security Update

* Moved non-free hpcdtoppm util from here to -nonfree package to fix important bug.

The upgrade path is safe now (two build-deps is missing and one too much... though)

Security update, DSA 037

Fixes possible document corruption. Changelog says:

Added Alexandero Viro's patch against possible document corruption. I think this is worth including in the next stable release. This is bug 77978

Get versions in sync

Get architectures in sync

This is non-US.

Get it back in sync

* Upstream fixes (see /usr/share/doc/postfix/RELEASE_NOTES), including: - Postfix must no longer use DB 1.85 compatibility mode, because that mode loses the file lock while building a table, so that table lookups fail and MAIL IS LOST. Closes: #78812. - Confusing site_hog_factor is disabled by default. - As required by RFC822, Postfix now inserts a generic To: header if no destination header is not present. - postfix sendmail command no interprets '.' as end of message, unless the sendmail-compatible -i (or -oi) command line option is specified.

Packages (-25) fixes a problem that can result in data loss, packages (-26) fix some nastyness with the prerm script

* Patch from knok@daionet.gr.jp (NOKUBI Takatsugu) and the PosgreSQL-J Mailing List to cure loss of data (under some circumstances) in vacuum. Closes: 81292

Arch's out of sync: i.e. sparc missing for -26

Security update

Well, I'm not quite amused. I made a diff between the version from stable and proposed-updates. It's 9308 lines large (271kB).

* To the release manager: -11 includes a security fix to the tempfile module, which was vulnerable to a symlink attack. Apart from that, it contains an important fix for a long outstanding obscure bug in the signal handling code, and a few small modifications to fix some other bugs. This revision is a recompile of the unstable package for potato (one minor modification to mpzmodule was necessary to compile). I would think this revision should be included in the next point release of potato.

Removes one error that let's users see how wonderful python barfs.

Security Update

Get versions back in sync

Gregg Berkholtz says: The following text is from the main SETI@Home page (http://setiathome.ssl.berkeley.edu): "... SETI@home version 3.03 is available and mandatory for all supported platforms. Earlier versions are unable to contact our server, so please upgrade to version 3.03..." Also, in potato, the install fails due to the fact that it tries to fetch a now non-existent .tgz file.

Ok, this can be considered as reason for including it in stable. However:

New packages are missing for arm and m68k, they're missing upstream basically. Thus referring packages should probably be removed from stable.

Security update, DSA 038

Security Update

Security update, DSA 040

Security Update

Security Update

Security Update (1:1.2.3-9.2)

Sanity Update (broken conffile fix, non-security issue)

This is non-US.

Security Update

Arm upload from me, installed.

This is non-US.

Security update, DSA 031

Changelog says: Fix a DoS. Also Closes: #84353

I'm not convinced this package should go into stable but Anthony Towns is. Changelog:

* 'locales' now depends on version >= 2.1.3-17 because LC_COLLATE of zh_TW.Big5 was missing in Potato 2.2r2.

* Corrected description of task-chinese-t: changed "Simplified" to "Traditional".

Maintainer: Anthony Wong <ypwong@debian.org>

A *lot* of Chinese users got bitten by the bug in the locales package in 2.2r2: the zh_TW.Big5 LC_COLLATE file was missing due to a packaging bug that finally got fixed (by me) in 2.1.13-17. A *lot* of users complained that Chinese didn't work in Debian 2.2r2, and we saw their complaints on mailing lists and newsgroups. That is why Anthony Wong uploaded this new version of task-chinese-t that depends on a correct locales package to make sure users' locales package get updated properly when they user "apt-get install task-chinese-t".

Security Update

Compiled by me to sync versions in stable

Misplaced upload, Changelog mentions 'stable unstable'. Approved by Anthony Towns.

Maintainer: Anthony Fok <foka@debian.org>

Ryan Murray reported a "serious" bug... postinst would fail unless tetex-bin is already installed. It fixes problems in BOTH stable and unstable, so it is NOT an misplaced upload! (I.e. I know what I was doing!)

Security Update

Get versions back in sync

Get architectures back in sync

Get architectures back in sync.

This upload fixes a security problem, no advisory though, it's old also.

No powerpc or m68k packages of w3m available at all.

w3m-ssl is non-US.

This upload fixes a broken version in potato which may result in the watchdog rebooting the machine during the upgrade.

1. Watchdog daemon is stopped

2. A whole lot of packages are unpacked

3. (sometimes) dpkg stops and prompts you to overwrite /etc/watchdog.conf

4. Watchdog daemon is restarted

Security Update (2.6.0-5.2)

Sanity Update (broken conffile fix, non-security issue)

Security update, DSA 042

m68k: xemacs21 doesn't build

Dunno why this should go into stable. Approved by Anthony Towns. Changelog says:

* Added code in postinst to rmdir /usr/X11R6/lib/X11/fonts/chinese if it is empty or just contains font.dir and fonts.alias (Closes: Bug#54994).

* [debian/control]: Removed an extraneous colon at the end of the Build-Depends line (Closes: #76505).

Maintainer: Changwoo Ryu <cwryu@debian.org>

Changwoo Ryu is not the maintainer of the cmex font; I am. The upload closes a bug that may cause X fail to start after an upgrade. xfonts-cmex-big5p's former life, xfntbig5p-cmex24m, created the /usr/X11R6/lib/X11/fonts/chinese directory, but never removed it in postrm. Apparently, it was causing some problems for users who upgraded from xfntbig5p-cmex24m to xfonts-cmex-big5p. And of course, the second bug that it fixed, the extraneous colon at the end of the Build-Depends line, fix a "cannot build from source" bug.

Long awaited security update

Get architectures back in sync.

Bugfix, security update from stable broke the packages, this is a fix.

xpdf-i is in non-US.

Changelog:

* The Debian source archive xtide_2.2.orig.tar.gz was not pristine and included tidal harmonics data downloaded from the XTide web site. It was recently discovered that some of the data included in the above archive may be in violation of copyright. Therefore, XTide's author removed the data in question from his web site and produced new harmonics files which were included in this 2.2a Debian version.

Convenience update as an exception. This upload adds a couple of more graphic cards to the database so more users will be able to auto-detect their graphic card. Since configuring the graphics card is still a pain, this improvement should go into stable.

This fixes a serious (affecting perhaps 15% of machines on which the powerpc port supports) booting bug.

* Use "MacRISC" instead of the entire list of machine types in <COMPATIBLE>. One line change, should fix booting on all recent machines. (Well, one line change in four places).

Get architectures in sync

PowerPC and sparc missing

This is non-US.

Fix for serial console installs.

Alpha package is missing

Maintainer: Yann Dirson <dirson@debian.org>

Alleged security update.

Changelog says:

* Several security exploits found to icecast. No simple way to patch

* old version, so upgrade to latest stable version from icecast.org

* If questions or assistance needed join #icecast on openprojects.net IRC

Do you have a documentation about said security exploits? That's still pending

Is it something different than this one?

"icecast" is a server used to distribute audio streams to compatible clients such as winamp, mpg123, xmms and many others. Matt Messier (mmessier@prilnari.com) and John Viega (viega@list.org) have identified several buffer overflow and format strings problems in Icecast that could be remotely exploited. Our latest update to this software changes the package to use an unprivileged user ("icecast") for the daemon, so the impact of this vulnerability is not as high. Recent distributions (CL >= 5.1) have this package compiled with StackGuard to make it more difficult to exploit buffer overflows.

It's said to be.

Clarification appreciated.

Security Update

Bdale reports a serious problem with this upload, it broke some functionality. He's going to upload a fixed version, so this will have to wait for 2.2r4 then. Fixed for 2.2.2.2000.01.31-5.

alpha, arm, powerpc missing

Broken sync upload.

If there would be libpaper *and* libpaperg version 1.0.3-13.potato1 for sparc, I'd be convinced to accept the package.

I have prepared an upload for libpaper *and* libpaperg binary packages sitting on auric, waiting for a free path to proposed-updates.

nedit is now Free Software.

sparc missing

Security Update

Roland Bauerschmidt reports "php4-cgi broken". Look at #89431. /usr/lib/cgi-bin/php4 is a symlink to debian/php4-cgi/usr/bin/php4 which of course doesn't exist.

Rebuild for 4.0.3pl1-0potato2 issued. Missing: alpha, sparc

Updated packages should be uploaded soon.

Get architectures back in sync

alpha missing

Get versions back in sync.

PowerPC missing

Get architectures in sync.

m68k missing

This is non-US.

aj: a calendar program getting days of a month wrong seems a decent thing to fix.

m68k missing

Security upload, DSA 043

Zope 2.1.6-7 indeed had two problems with two of the Hotfixes included, so I prepared a new version 2.1.6-8 and uploaded that to Incoming (target 'stable'):

First, Hotfix_2000-10-02 broke some stuff in 2.1.6 (the README said that this Hotfox_2000-10-02 would apply to 2.2.x and later, which is obviously correct). Therefore 2000-10-02 was removed in 2.1.6-8. Obviously, the vulnerability fixed by this Hotfix was only introduced in Zope 2.2.0.

Then, Hotfix_2000-10-11 wouldn't work with 2.1.6 out of the box, but since 2.1.6 was affected by the vulnerability nonetheless, I had to apply a fix to the Hotfix. Included in 2.1.6-8 as well.

This time, 2.1.6-8 has been tested on a potato system to a moderate degree.

Sparc missing.

Priority low, no critical or security fixes.

From the maintainer: I made these packages before I was told that build dependencies were not required. Feel free to reject, there were no other changes.

Maintainer: Ivo Timmermans <ivo@debian.org>

No reason given why it was uploaded for potato. ChangeLog says:

* Uploaded to stable.

Even worse, configuration defaults to spanish.

Maintainer: Nicolás Lichtmaier <nick@debian.org>

No reason to make it into stable, changelog mentions unstable

Maintainer: Chris Rutter <chris@armlinux.org>

Alleged security update. BenC had already fixed it in 1.5.3-6. BSD sent out an advisory recently which confused our maintainer. (he read too much glibc code or something :)

Investigation: It looks like that upload fixes a problem which was already fixed in the stable version of »cfengine«. Thus there is no reason for including this package. Additionally Debian doesn't activate said »cfd« by default, it even won't run without manual interaction (conffile missing).

aj: It's actually non-free, not contrib. The maintainer says that we ought to be doing this in order to be allowed to distribute it at all; I'm inclined to allow that in. (In any event, it's non-free, so it doesn't much matter if it breaks things)

Joe Drew: It's come to my attention that this version of distributed-net has critical bugs, so I've gotten it removed from proposed-updates. I've had complaints that the version in stable is too old, but I think I'll just start pointing them to the unstable version, or make a "stable-ish" version in a private apt-repository. As it is, distributed-net cannot be released in 2.2r3.

Since the client in stable does not work anymore, it cannot be distributed at all, it should probably be removed from it.

No reason why this should go into stable. ChangeLog says:

* Moved /usr/doc/ to /usr/share/doc (Closes: #91430)

* Added Sections: and Priority: fields.

Misplaced upload that ought to be unstable only

* New "upstream" release, downloaded on 4 Jan 2000.

Maintainer: Anthony Wong <ypwong@debian.org>

Misplaced upload that ought to be unstable only.

Maintainer: Ivo Timmermans <ivo@debian.org>