
Bug#689003: unblock: bacula/5.2.6+dfsg-5



On Mon, 08 Oct 2012 14:26:08 +0200
Mehdi Dogguy <mehdi@dogguy.org> wrote:

> On 28/09/2012 07:57, Alexander Golovko wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian.org@packages.debian.org
> > Usertags: unblock
> > 
> > Hi!
> > 
> > Please unblock bacula-* packages, it fixes multiple bugs, including
> > CVE-2012-4430, crashes and debian policy violations:
> > 
> > #687923 - security issue CVE-2012-4430
> > #688732 - bacula-fd save only first xattr on file
> > #682733 - unowned files after purge
> > #680051 - switch between bacula-director-<dbtype>
> > #679958 - incorrect systemd service file
> > Fix unsafe bacula-director passwords.
> > Fix bacula-fd crash on saving xattr on btrfs.
> > 
> 
> Ok, I don't feel comfortable with all these packaging changes. I don't
> think I'm going to unblock this package. Could you prepare an upload
> to t-p-u please? #687923, #682733, #679958, "Fix unsafe
> bacula-director passwords" look okay. For the others, please show
> minimal separate patches if you want to include them.

I can try to remove some patches, but I'm afraid that completely
reworking the changes will be very hard. I list all changes (except
#687923, #682733, #679958, "Fix unsafe bacula-director passwords") with
links to commits and additional description. Please say which of the
changes can be included and which cannot. Sorry for this abuse.



1. Build packages for all database types at the same time, not in a
separate process for sqlite3, mysql and pgsql.

http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=1ca440fc3758a28fdcd17c05aa24f724934dbc5f

This change affects only the package building process. It was
thoroughly checked that the binary packages change no more than on a
rebuild from the same sources.
This change makes the build process much clearer and less different
from standard debhelper. I'm afraid that not accepting this change will
require very hard reworking of some other changes.
Another argument for accepting this change is that it will be one of
the first candidates for post-wheezy, and we will need to support two
different solutions: for stable wheezy and for current.



2. Save all file xattrs, not only first (Closes: #688732),
Fix bacula-fd crash on saving xattr on btrfs.

http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=455622199fb46805cd11f69630279af5987c0bb2
http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=d7bb353b616c6221684ffc81cbfe2c885a1dab81

It is a regression since squeeze. Squeeze shipped with the previous
major version of bacula. These are big commits, but this is only
adding an upstream patch. I think this is an important bugfix.



3. fix daemons user/group on systems with systemd (Closes: #679958).
delegate daemons uid/gid changing to start-stop-daemon or systemd,
thanks to Matija Nalis (Closes: #556207).

These changes are related and intersect. The first commit is reverted
by the last.

http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=d077cd3c71734828b635f8605c8411f6cd86b6f6
http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=cf9eb640182f4adfd83d05954dc35a20b60170c1
http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=694b788e0f82a734ca98bb0930a97432240c7fe8

Upstream has for a long time (at least since October 2010) used
start-stop-daemon to change the daemons' uid/gid in their variant of
the init scripts. Our patch for uid/gid changing by systemd was already
accepted upstream.

The big problem is that without this change the user can't simply get
backtraces on daemon crashes. These backtraces are required for some
bug reports to upstream.



4. fix waiting for real daemon stopping (Closes: #684744).
remove unused code from bacula-director init script.

http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=ef0c7b8b1ee7060decff3b4757bfb512c11bb98a
http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=d4052cfbafbcb1718b687886a7b01198f06fb0a1
http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=037b600ebfec34b6d48adcbfa08580276e188d0b

The first commit is a bug fix, the last only adds info to the
changelog. The second commit is not required, but it is always better
when init scripts perform the same tasks by the same methods.



5. Add build-depends for read-all capability support (Closes: #683080).
capabilities is linux-only feature. disable it for non-linux
platforms, add information, that capabilities is linux-only feature.
Add information about file daemon without root privileges.

http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=c6b51c2c010ae82f73d8cdce2eecbfbe52e6bbec
http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=74198182c2fa9e2567077356e345ff5251e26bf1
http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=6e1fab3c304fa73b9c6801a07290ce48b7cadb24

Yes, this is, of course, a new feature. But maybe the fact that this
change can improve Debian security and will be very useful for the
Debian System Administration Team will be enough to accept this change?



6. don't remove bacula user on package purging (details in bug 621833).

http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=7f9def1fd9ba58d803f496967e249dde51028e68
http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=bc8970c8cba4fd9468df0ed0cf92891b2dca8c91

As was discussed in bug 621833, removing system users is not a good
idea. And bacula definitely creates files with backups, which would not
be automatically removed after package purging. The account already has
shell /bin/false, so there is no need for additional locking.



7. fix files left after packages purge (thanks to piuparts).

http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=85d99ef87085872fbdca7cb098362ebdc2e8cd18

This is a policy violation.



8. make package purging more careful about users files.

http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=cda0a2fe5fb511c04455f2d9c5ab33df7aeaa34e

Before this we could remove files manually created by the user.
Theoretically, there can be files from other packages (none exist yet,
as far as I know). A user may want to manually back up configs, purge
and reinstall packages, but before this fix we could incorrectly remove
his backup.



9. fix bacula log directory (Closes: #684203).

http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=024a68beecdcbe046525408632d098ee38a10e9b

Incorrect path to logfiles. This is a regression since squeeze.



10. force /etc/defaults/bacula-dir reregistration in ucf when
changing bacula-director database type, fix purging after this
(Closes: #680051).

http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=5bb13f060158eb3118c8f3e6fbaf9a2a8942fff8
http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=9b3421a5caba0f406d050d5d7cc4ff99ce97a67d

This bug means that users can't execute "apt-get install
bacula-director-mysql" when bacula-director-sqlite3 or
bacula-director-pgsql is already installed. They should purge the old
package manually.



11. switch to /run directory

There are two commits; the first was missing the correct dependency on
initscripts.
http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=4a4b5a8554f523c89da9608a874ddb6e8bb1dd5e
http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=eaf6744f799c165bc891fde8bf520adb147a4dbb



12. Fix impossibility to run out-of-box scripts make_mysql_tables and
update_mysql_tables scripts, shipped with package (#679855).

http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=5b7963dc0f32390e31dbc26ac9ee9fa0d6b7ae38

The files for manually populating the database (without
dbconfig-common) were incorrect. They need fixes before being used by
the user. We must either document this difference from upstream or ship
correct files. I think it is preferable to ship correct files that can
be used as described by upstream. This patch is already in upstream.



13. switch from usermod to more debian-policy friendly adduser.

http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=0527cba52b28f735cde6b1e499da93991860e37e
http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=562d51910458b777d5e0a5966ac1358c9f498997



14. fix hostname substitution (Closes: #682966).

http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=82737eb31724a617974ba6cd339f543db467fe8b
http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=a10ebee5afbd044d3266bb6d835520b9f8c93060
http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=74e9c2d902371aaa6e7c42e909607a99a1d8d6f3



15. add bacula into cdrom group (Closes: #520508).

http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=ad18bf43f1395f2f522f7e0ed303a09605ada50e
http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=19a9341a532e64014e2a2b41d4b1cf6f4e5c3613



16. Cleanup list of linked libraries.

http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=def8c31909bfef4c1df99d1dbb1029f15a02399c

This change, as I understand it, should not affect the resulting binary
code, only remove unused libraries from linking. So it should be stable
and fix build warnings. It also makes the dependency list cleaner.



17. Add build-depends for LZO support.

http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=c6b51c2c010ae82f73d8cdce2eecbfbe52e6bbec

Yes, this is definitely new functionality, but since it is already
included in Ubuntu, I think this change is stable.



16. Improve the use of English (thanks to debian-l10n-english team).

This is related to the bug about fixing unsafe bacula-director
passwords. Currently the l10n-english team has finished their job and
we are waiting for the i18n team. I'm afraid that if some of the
changes in the current version are unacceptable and need to be reverted
before upload to testing, then I will finish this no earlier than the
i18n team makes the translations.

But if all of the above changes can be uploaded, maybe the best choice
will be to wait for the i18n team and upload to testing the next bacula
package version with consistent debconf templates and their
translations.


> 
> Regards,
> 



-- 
with best regards,
Alexander Golovko
email: alexandro@ankalagon.ru
xmpp: alexandro@ankalagon.ru
