My Debian Activities in April 2018

FTP master

This month I accepted 145 packages and rejected 5 uploads. The overall number of packages that got accepted this month was 260.

Debian LTS

This was my forty-sixth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 16.25h. During that time I did LTS uploads of:

  • [DLA 1353-1] wireshark security update for 12 CVEs
  • [DLA 1364-1] openslp-dfsg security update for one CVE
  • [DLA 1367-1] slurm-llnl security update for one CVE

I also started to work on the next bunch of wireshark CVEs and I intend to upload packages for Jessie and Stretch as well.
Other packages I started are krb5 and cups.

Last but not least I did a week of frontdesk duties, where I check lots of CVEs for their impact on Wheezy.

Other stuff

During April I did uploads of …

  • pescetti to fix a FTBFS with Java 9 due to -source/-target only
  • salliere to fix a FTBFS with Java 9 due to -source/-target only
  • libb64 to fix a FTCBFS
  • chktex to fix a FTBFS with TeX Live 2018

Thanks to all the people who sent patches!

I also finished the libosmocore transition this month by uploading the following osmocom packages to unstable and alongside fixing some bugs that our tireless QA tools detected:

Further I uploaded osmo-fl2k already two days after release. It is a nice piece of software that enables a USB-VGA converter to be used as transmitter for all kinds of signals. Of course just use it in a shielded room!

As Nicolas Mora, the upstream author of the oauth2 server glewlwyd, wanted to be more involved in Debian packaging, I sponsored some of his first packages. They are all new versions of his software:

I also uploaded a new upstream version of dateutils.

Last but not least I worked on some apcupsd bugs and I am down to 16 bugs now.

Fun with puppet — runinterval

Notice to my future self: The default interval between two runs of puppet is 30min or 1800s. In case this is too short you can add something like:

runinterval = 28800

to the [main] section of the puppet client configuration.

If you want to do this automagically, just run the command

puppet config set runinterval 28800

on each client.

Another command you might want to remember:

puppet agent --configprint runinterval

Fun with broken harddisks

Today I needed to replace a faulty harddisk, which had a GPT, in a software RAID1. A GPT is a GUID Partition Table and is normally needed for partitions > 2TB. But wait, my external harddisk has 4TB and it uses an MBR (Master Boot Record)!?

In an MBR the partition size is stored in four bytes, which could have 0xFFFFFFFF as a maximum value. This would be 4294967295 in decimal. But the partition size is not given in bytes but in sectors. On Linux systems the sector size of an attached harddisk can be found in /sys/block/sd[X]/queue/hw_sector_size.

root@server:~ # cat /sys/block/sdd/queue/hw_sector_size
512

This is the normal sector size of a harddisk, so 4294967295 sectors of 512 bytes result in 2TB.

Luckily some external harddisks have a sector size of 4096 bytes.

root@server:~ # cat /sys/block/sda/queue/hw_sector_size
4096

This results in a partition size of 16TB.

Anyway, my disk had a GPT and after installing the new harddisk, it had to get a copy of the GPT of the first one. This can be done with sgdisk, which is part of the gdisk package on Debian systems. So after doing apt-get install gdisk one can:

sgdisk --replicate=/dev/sdb /dev/sda

In this case /dev/sda is the source disk and /dev/sdb is the new one.

You can see the GPT with:

sgdisk -p /dev/sda
sgdisk -p /dev/sdb

Due to the cloning, both disks have the same GUID and to avoid hassle, the new one needs a new GUID. This is done with:

sgdisk -G /dev/sdb

The structure of the software raid can be seen in /proc/mdstat. In my case I have three md devices: md0, md1 and md2. On my system md0 currently has only one active member /dev/sda2. So /dev/sdb2 has to be added:

mdadm /dev/md0 --manage --add /dev/sdb2

As this is just a small partition, it took only a few seconds and syslog showed:

[ 5881.551829] md: bind
[ 5881.581014] RAID1 conf printout:
[ 5881.581020] --- wd:1 rd:2
[ 5881.581026] disk 0, wo:0, o:1, dev:sda2
[ 5881.581030] disk 1, wo:1, o:1, dev:sdb2
[ 5881.581174] md: recovery of RAID array md0
[ 5881.581180] md: minimum _guaranteed_ speed: 1000 KB/sec/disk.
[ 5881.581186] md: using maximum available idle IO bandwidth (but not more than 200000 KB/sec) for recovery.
[ 5881.581195] md: using 128k window, over a total of 499988k.
[ 5889.511049] md: md0: recovery done.
[ 5889.614014] RAID1 conf printout:
[ 5889.614020] --- wd:2 rd:2
[ 5889.614026] disk 0, wo:0, o:1, dev:sda2
[ 5889.614031] disk 1, wo:0, o:1, dev:sdb2

The same needs to be done for the other partitions:

mdadm /dev/md1 --manage --add /dev/sdb3
mdadm /dev/md2 --manage --add /dev/sdb4

They are way bigger and recovery of the RAID lasts a bit longer. But finally everything is done and nagios switches back from red to green. Mission accomplished!
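
To see which arrays still need a member before and after such a replacement, /proc/mdstat can be parsed. The following is an added example, not part of the original post; the sample text is constructed, and the function names are made up for illustration.

```python
import re

# Constructed sample of /proc/mdstat: md0 is already rebuilt, md1 and md2
# are still waiting for their second member.
SAMPLE_MDSTAT = """\
Personalities : [raid1]
md2 : active raid1 sda4[0]
      1943880512 blocks super 1.2 [2/1] [U_]

md1 : active raid1 sda3[0]
      8384448 blocks super 1.2 [2/1] [U_]

md0 : active raid1 sdb2[2] sda2[0]
      499988 blocks super 1.2 [2/2] [UU]

unused devices: <none>
"""

ARRAY_RE = re.compile(r"^(md\d+) : (\S+) (\S+) (.*)$")
STATE_RE = re.compile(r"\[(\d+)/(\d+)\] \[([U_]+)\]")


def parse_mdstat(text):
    """Return {array: {"members": [...], "expected": n, "active": n}}."""
    arrays, current = {}, None
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            # Member tokens look like "sda2[0]"; "(F)" marks a failed member.
            members = [tok.split("[")[0] for tok in m.group(4).split()
                       if "(F)" not in tok]
            current = arrays.setdefault(m.group(1), {"members": members})
            continue
        s = STATE_RE.search(line)
        if s and current is not None and "expected" not in current:
            # "[2/1]" means 2 configured members, 1 currently active.
            current["expected"] = int(s.group(1))
            current["active"] = int(s.group(2))
    return arrays


def degraded(arrays):
    """Names of arrays running with fewer active members than configured."""
    return sorted(name for name, a in arrays.items()
                  if a.get("active", 0) < a.get("expected", 0))


if __name__ == "__main__":
    for name in degraded(parse_mdstat(SAMPLE_MDSTAT)):
        print(name, "is degraded")
```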

bind: rndc addzone and also-notify

Notice to my future self: If you add zones to bind by rndc addzone please remember that those zones will be stored in /var/cache/bind/*.nzf. If you have to change your nameservers, you also need to adapt the also-notify list in all zones. If you forget one zone and there is one unused IP address in that list, all slaves will get the notification, start the transfer but the update won’t happen and the old data remain on the slave.

This sounds really crazy, but think about April 2018, when the challenge for your letsencrypt certificate was added to the master server but never reached the slaves. The log was full of


ERROR: Challenge is invalid! (returned: invalid) (result: {
"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:acme:error:unauthorized",
"detail": "Incorrect TXT record \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\" found at _acme-challenge.xxxxxxxxx",
"status": 403
},
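
One way to catch a forgotten also-notify entry before it bites is to audit the .nzf files against the current list of slaves. This is an added example, not part of the original post; it assumes a one-zone-per-line layout for the .nzf file, and the sample zones, addresses and the CURRENT_SLAVES set are constructed.

```python
import re

# Constructed sample in the one-zone-per-line layout assumed for *.nzf files.
# 192.0.2.x and 198.51.100.x are documentation addresses, not real servers.
SAMPLE_NZF = """\
# New zone file for view: _default
zone "example.org" { type master; file "/etc/bind/db.example.org"; also-notify { 192.0.2.10; 192.0.2.11; }; };
zone "example.net" { type master; file "/etc/bind/db.example.net"; also-notify { 192.0.2.10; 198.51.100.7; }; };
zone "example.com" { type master; file "/etc/bind/db.example.com"; };
"""

CURRENT_SLAVES = {"192.0.2.10", "192.0.2.11"}  # hypothetical current slaves

ZONE_RE = re.compile(r'^\s*zone\s+"?([^"\s{]+)"?')
NOTIFY_RE = re.compile(r"also-notify\s*\{([^}]*)\}")


def parse_also_notify(nzf_text):
    """Map each zone name to the set of addresses in its also-notify list."""
    zones = {}
    for line in nzf_text.splitlines():
        zone = ZONE_RE.match(line)
        if not zone:
            continue  # comments and blank lines
        notify = NOTIFY_RE.search(line)
        entries = notify.group(1).split(";") if notify else []
        # An entry may carry "port N" or "key K"; the address is the first token.
        zones[zone.group(1)] = {e.split()[0] for e in entries if e.strip()}
    return zones


def audit(zones, current):
    """Per zone: listed addresses that are no longer slaves, and slaves not listed."""
    report = {}
    for name, addrs in zones.items():
        if not addrs:
            continue  # no also-notify list in this zone, nothing to adapt
        stale, missing = addrs - current, current - addrs
        if stale or missing:
            report[name] = {"stale": sorted(stale), "missing": sorted(missing)}
    return report


if __name__ == "__main__":
    for zone, diff in audit(parse_also_notify(SAMPLE_NZF), CURRENT_SLAVES).items():
        print(zone, diff)
```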

My Debian Activities in March 2018

FTP master

This month I accepted 252 packages and rejected 23 uploads. The overall number of packages that got accepted this month was 308.

I also took care of #890944.

Debian LTS

This was my forty-fifth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 23.25h. During that time I did LTS uploads of:

  • [DLA 1313-1] isc-dhcp security update for two CVEs
  • [DLA 1312-1] libvorbisidec security update for one CVE
  • [DLA 1333-1] dovecot security update for three CVEs
  • [DLA 1334-1] mosquitto security update for two CVEs
  • [DSA 4152-1] mupdf security update for two Jessie CVEs and two Stretch CVEs

I also prepared a test package for wireshark, fixing 12 CVEs. I am still waiting for feedback :-).

The issues for mupdf did not affect Wheezy, so there has been no DLA. Instead the security team accepted my debdiff for Jessie and Stretch and published a DSA. Thanks to Luciano for doing this.
As it turned out, the patch I found for icu last month had been the correct one. But as it did not affect Wheezy, there has been no DLA as well.

Last but not least I did one week of frontdesk duties.

Other stuff

During March I did uploads of …

  • libctl to fix a FTBFS during binary-indep-only build

I also moved all oauth2 related packages as well as cd5 to salsa.

Last but not least I took care of some old bugs in apcupsd that no longer seem to be relevant.

My Debian Activities in February 2018

FTP master

This month everything came back to normal and I accepted 272 packages and rejected 30 uploads. The overall number of packages that got accepted this month was 423.

Debian LTS

This was my forty-fourth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 23.75h. During that time I did LTS uploads of:

  • [DLA 1279-1] clamav security update for two CVEs
  • [DLA 1286-1] quagga security update for three CVEs
  • [DLA 1290-1] libvpx security update for one CVE
  • [DSA 4125-1] wavpack security update for three Jessie CVEs and three Stretch CVEs

The issues for wavpack did not affect Wheezy, so there has been no DLA. Instead the security team accepted my debdiff for Jessie and Stretch and published a DSA. Thanks to Sebastien for doing this.
I also started to work on a fix for ICU. Unfortunately Moritz did not agree with me on the correct patch for this. As upstream did not respond to my query yet, I did not do an upload.
I also did not finish my work on opencv, I am still searching for the correct C++ template. On the other hand I finished work on 12 of 22 CVEs for wireshark. The rest will be done in March.

Other stuff

During February I uploaded new upstream versions of …

I also moved all alljoyn packages as well as a56 to salsa.

My Debian Activities in January 2018

FTP master

This month I was distracted from NEW by private stuff, so I only accepted 141 packages and rejected 4 uploads. The overall number of packages that got accepted this month was 361.

Almost two years ago Moritz filed #817286. After some time of inactivity, this bug drew CIP’s attention. Civil Infrastructure Platform is a project under the umbrella of the Linux Foundation. Their basic goal is to provide security support for a very long time (10 years for software and 15 years for the kernel).

As this bug meets one of their goals, they would like to support Debian and are going to sponsor my work on this bug. So hopefully in the near future staging repositories will be available in Debian.

Debian LTS

This was my forty-third month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 18.25h. During that time I did LTS uploads of:

  • [DLA 1235-1] opencv security update for two CVEs
  • [DLA 1252-1] couchdb security update for two CVEs
  • [DLA 1255-1] bind9 security update for one CVE
  • [DLA 1258-1] wireshark security update for three CVEs
  • [DSA 4101-1] wireshark security update for three Jessie CVEs and three Stretch CVEs
  • [DLA 1263-1] curl security update for one CVE

Unfortunately my debdiffs for opencv have not yet been processed by the security team. But as I also started to work on another round of CVEs for opencv, there will be another chance …

Last but not least I did one week of frontdesk duties.

Other stuff

During January I uploaded new upstream versions of …

First steps with arm64

As it was Christmas time recently, I wanted to allow myself something special. So I ordered a Macchiatobin from SolidRun. Unfortunately they don’t exaggerate with their delivery times and I had to wait about two months for my device. I couldn’t celebrate Christmas time with it, but fortunately New Year.

Anyway, first I tried to use the included U-Boot to start the Debian installer on a USB stick. Oh boy, that was a bad idea and in retrospect just a waste of time. But there is debian-arm@l.d.o and Steve McIntyre was so kind to help me out of my vale of tears.

First I put the EDK2 flash image from Leif on an SD card, set the jumper on the board to boot from it (for the SD card boot, the rightmost jumper has to be set!) and off we go. Afterwards I put the debian-testing-arm64-netinst.iso on a USB stick and tried to start this. Unfortunately I was hit by #887110 and had to use a mini installer from here. Installation went smoothly and as a last step I had to start the rescue mode and install grub to the removable media path. It is an extra point in the installer, so no need to enter cryptic commands :-).

Voila, rebooted and my Macchiatobin is up and running.

My Debian Activities in December 2017

FTP master

This month I accepted 222 packages and rejected 39 uploads. The overall number of packages that got accepted this month was 348.

According to the statistics I now passed the mark of 12000 accepted packages.

Debian LTS

This was my forty-second month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 14h. During that time I did LTS uploads of:

  • [DLA 1211-1] libxml2 security update for one CVE
  • [DLA 1213-1] openafs security update for one CVE
  • [DLA 1218-1] rsync security update for three CVEs
  • [DLA 1226-1] wireshark security update for four CVEs

I also started to work on opencv.

Last but not least I did one week of frontdesk duties.

Other stuff

During December I uploaded new upstream versions of …

I also did uploads of …

  • libosmocore to reintroduce the correct version of the library
  • gnupg-pkcs11-scd to finally depend on libssl-dev and libgcrypt20-dev
  • openbsc to fix a bug with libdbi
  • libsmpp34 to move the package to debian-mobcom
  • osmo-mgw to introduce the package to Debian
  • osmo-pcu to introduce the package to Debian
  • osmo-hlr to introduce the package to Debian
  • osmo-libasn1c to introduce the package to Debian
  • osmo-ggsn to introduce the package to Debian
  • libmatthew-java to fix a bug with java9 (thanks to Markus Koschany for the patch)

I also sponsored …

  • printrun, which really is a new upstream version!