[00:01] http://www.mozillazine.org/talkback.html?article=26135 [00:03] wtf ... http://paste.ubuntu.com/99899/ [00:04] "stray ‘\305’ in program" ? [00:04] you edited that? [00:05] no [00:05] i hope its not hardware [00:06] scary ... seemed to work on second attempt :( [00:06] my memory is dying ... sigh [00:07] i really feel bad now :/ [00:08] what do you have in dist/include/nspr/prio.h:301 ? [00:09] nothing unusual [00:09] how can i make vi show all whitespace codes? [00:09] /home/asac/mozilla/security/1.8.1/mozilla/nsprpub/pr/include/prio.h: ASCII C program text [00:09] typedef enum PRDescType [00:09] { PR_DESC_FILE = 1, PR_DESC_SOCKET_TCP = 2, PR_DESC_SOCKET_UDP = 3, PR_DESC_LAYERED = 4, PR_DESC_PIPE = 5 [00:09] } PRDescType; [00:09] PR_DESC_SOCKET_TCP = 2 is in that line [00:10] cat -tven prio.h | grep 301 [00:10] so its really memory :( [00:10] cat -tven /home/asac/mozilla/security/1.8.1/mozilla/nsprpub/pr/include/prio.h | grep 301 301 PR_DESC_SOCKET_TCP = 2,$ [00:10] http://paste.ubuntu.com/99903/ [00:11] nada [00:11] i hope its a memory corruption in gcc or some other bug there [00:11] and not my poor system :/ [00:11] https://edge.launchpad.net/+builds/berkelium [00:11] boom [00:12] *** TEST-UNEXPECTED-FAIL | ../../../_tests/xpcshell-simple/test_uriloader_exthandler/unit/test_handlerService.js | true == false [00:12] seems still active ;) [00:12] yeah [00:12] probably your issue again? [00:12] wasnt that the one with the setpref for external handler? [00:13] i don't remember [00:14] JS frame :: ../../../_tests/xpcshell-simple/test_uriloader_exthandler/unit/test_handlerService.js :: run_test :: line 155 [00:15] grr, i should not tar a bunch of symlinks to ../../../../blabla :( [00:15] yeah i think thats it [00:16] 1.8.1 browser build working :) [00:16] finally [00:16] lets see if make check works [00:17] hangs in netwerk ... of coures [00:17] http://paste.ubuntu.com/99909/ [00:18] https://bugzilla.mozilla.org/show_bug.cgi?id=444440#c31 [00:18] Mozilla bug 444440 in File Handling "Unexpected application launched when $HOME/.mailcap contains an entry for the handled mime type" [Normal,Assigned] [00:20] yeah still broken [00:23] @time [00:23] Current time in Etc/UTC: January 05 2009, 00:25:57 - Next meeting: EMEA Membership in 19 hours 34 minutes [00:25] Membership? [02:24] <[reed]> asac / fta: patches accepted! [02:25] on mailcap? [02:59] <[reed]> asac: on anything [02:59] <[reed]> :) [03:18] mozilla bug 461277 [03:18] ^^ [03:18] Mozilla bug 461277 in Embedding: GTK Widget "use G_TYPE instead of deprecated GTK_ macros in gtkmozembed.h" [Normal,New] http://bugzilla.mozilla.org/show_bug.cgi?id=461277 [03:18] not sure if superreview means that its ready [03:19] then approval would make sense [03:25] <[reed]> you don't need approval to land on mozilla-central [03:25] <[reed]> sr is enough... bsmedberg owns embedding [05:28] asac: heads up: jaunty's flashplugin-nonfree for amd64 users causes the same nondeterministic inaudible audio observed in hardy. this is due to ia32-libs and lib32asound2-plugins conflicting. [05:29] so since ia32-libs is a dependency of nspluginwrapper on amd64, lib32asound2-plugins cannot be installed on Ubuntu, so pulseaudio and all audio apps using it need to be restarted after Flash attempts to grab the sound device. [05:32] to resolve this issue, two things need to be done: 1) pulseaudio needs to build 32-bit libs for amd64 (similar to what alsa-lib and alsa-plugins do) so that lib32asound2-plugins can be built correctly, and afterward, 2) ia32-libs needs to be updated not to ship libasound2-plugins and instead depend on lib32asound2-plugins. [07:42] fta asac: the thunderbird tarballs I get with "get-orig-source" have an empty mozilla/mozilla dir, is that intended? [07:48] asac: i am also happy to start testing, in case you got the packages ;) [08:52] white, obviously not [08:53] fta: well, i was just wondering, whether you hit the same problem ;) [09:55] crimsun: thanks for the heads up [10:41] white: finally preparing the tarballs now [10:42] xul + sm + tbird + ffox (for 1.8.0 branch) [10:42] asac: ok, if you don't mind I'll start with icedove :) [10:42] asac: maybe Moritz will take other ice* as well [10:43] white: ok. let me prepare the tbird tarball next then (currently tarring up sm) [10:43] nice, newer nss fails to build on i386 with: error: implicit declaration of function ‘putenv’ [10:43] white: what is "newer"? [10:44] asac: 3.12.1-1 [10:44] we are at 3.12.2~rc1 [10:44] asac: the tarball i was getting with get-orig-source has an empty mozilla/mozilla dir btw :/ [10:45] asac: knewer as in debian new ;) [10:45] hehe [10:45] white: which package? icedove 1.5? [10:45] s/knewer/newer/ [10:45] asac: i am still working on an icedove for experimental [10:46] ah [10:46] white: you need mozilla-devscripts [10:46] installed [10:46] to produce orig [10:46] i have it [10:46] interesting [10:46] it downloads a nice thunderbird orig.tar.gz [10:46] ah ... so the icedovisation fails [10:46] hmm [10:47] for testing here, i used another tarball with all the stuff self packed and then I get the build problem, where PK11_GetAllSlotsForCert is not declared [10:47] white: take a look at the latest tbird 3 packaging branch ... i think fta moved logic from m-devscripts to the packages ... maybe thats the reason [10:49] white: there is a bug in nss version checking code in debian/rules [10:49] a)USE_SYSTEM_NSS := $(shell pkg-config --exists 'nspr >= 3.12'; a=$$?; if test $$a != 1; then echo 1; fi) [10:49] -> that should be nss >= 3.12.1 or something i guess [10:50] at least it should fall back to "in-source nss" if the version is not high enough [10:50] if 3.12 is too low for a lower bound we should fix it [10:50] let me check [10:51] asac: 3.12.0 is too low as it doesn't declare PK11_GetAllSlotsForCert [10:51] so we need 3.12.1 [10:54] so debian didnt care to fix nss on i386? [10:54] strange [10:54] 3.12.1-1: alpha amd64 arm armel hppa ia64 kfreebsd-amd64 m68k mips mipsel powerpc s390 sparc [10:54] 3.12.0-5: hurd-i386 i386 kfreebsd-i386 [10:55] i've emailed Mike about it [10:55] there are different ways to fix it i guess [10:55] i think we need a serious bug ;) [10:55] nothing filed as it seems [10:55] put the declaration of putenv everywhere, set defines or maybe compile without -Werror [10:55] all are ugly ways :) [10:55] I'll file one [10:55] package 3.12.2~rc1 ;) [10:56] thats what is currently used for ffox 3 anyway [10:56] asac: Hi [10:56] asac: do you mind if I try to build it for experimental and maybe upload later today? [10:57] asac: newer nss that is [10:57] white: give it a try. you cannot use ubuntu package unfortunately. we have reverted the soname patch from debian ... mike would hate us if we upload that to debian ;) [10:57] white: yeah. just try the new tarball with debian packaging [10:57] ok, I'll give it a try [10:58] white: take our orig i would suggest [10:58] seems like upstream doesnt release .1, .2 etc. [10:58] will do [11:02] asac: The tar in tar trick you told me yesterday. Someone commented on why I had done it. [11:04] wikz: your package doesnt ship debian/ dir in diff.gz [11:04] thats the current major issue ;) [11:04] you punched that in orig as it seems (i didnt look, but since its not in diff.gz and you say it builds I guess it is) [11:04] yeah [11:04] so where did I goof it up? [11:05] wikz: you tarred up everything [11:05] asac: true [11:05] wikz: the orig.tar.gz must only include tar.bz2 [11:05] ok ok [11:05] so just create a tar.gz archive with .bz2 in it [11:05] yes [11:06] I included the entire spicebird-0.7 [11:06] tar cvzf spicebird_0.7.orig.tar.gz spicebird-0.7/*.tar.bz2 [11:06] for instance [11:06] asac: so how come you guys have a different .orig.tar.gz which doesn't include any bz2 from mozilla. do you repack it [11:07] wikz: don't understand the question ;) [11:08] if you ask why we pack tarball on our own: answer is simply that mozilal doesnt release frequently enough. also we have to strip no free/binary stuff from it [11:08] asac: that explains it [11:08] wikz: you should remove binary only stuff too [11:09] look at the "remove.binonly.sh" in mozilla-devscripts [11:09] asac: ok will do that [11:10] white: http://people.ubuntu.com/~asac/mozilla-security/1.8.1.19/icedove-1.5.0.13+1.5.0.15b+prepatch080614i.tar.bz2 [11:10] its based on http://people.ubuntu.com/~asac/mozilla-security/1.8.1.19/moz_1.8.0.15prepatches080614i.tar.gz [11:11] asac: also I am putting all my files in /usr/lib like fta did but I think debian says that images and resources should be in usr/share. should I change the .install files? [11:12] who is debian? [11:12] e.g. who speaks for them? [11:13] if its "just" lintian feel free to ignore that complained [11:14] asac: yes lintian does for my binary packages [11:16] thats not a problem imo ... some might disagree, but well :) [11:28] asac: ok , so if I just pack tarball like you guys do can I get rid of the watch file? [11:29] and remove all the binary stuff. we don't have any non free stuff [11:31] wikz: you have a bunch of binary stuff in your tarball i guess [11:32] loads of them :) [11:33] then yes. you just need to remove binary only stuff [11:33] (binary stuff if sources are there is ok - though not encouraged) [11:35] how about if I will ask upstream to maintain a debian only source tarball so I can use a watch file too :) [11:35] asac: do you guys have a description base for the mozilla advisories somewhere? [11:35] asac: or did Moritz always search by himself through the mozilla pages? [11:37] wikz: would work [11:37] white: usually i put that info in the changelog [11:38] in previous times i sent the advisory infos to the list and mike ... but since nobody cared for quite some time i stopped dong that [11:38] white: http://www.ubuntu.com/usn/usn-690-3 [11:39] asac: yeah, Moritz complained during the last sec meeting that too few of us did any work on mozilla, thus I'm trying to take at least icedove in this round :) [11:39] those are the issues fixed in the 1.8.0 patchset [11:39] there are no "mailnews" only advisories this time [11:39] but you should also add the MFSAs ... look at the previous changelogs [11:39] to get the mapping look at the icedove changelog in unstable [11:39] will do, thanks for the pointer [11:39] that should be a superset of what is fixed in 1.8.0 [11:40] e.g. take icedove 2.0.0.19 changelog ... filter it by the CVEs from above [11:40] hmm [11:40] for 2.0.0.18 we need to go through them individually [11:40] (this release contains .18 + .19 unfortunately) [11:41] white: the starting point is usually: http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html [11:41] i'll see that i get through them, would be great, if you could give the final version a glance though :) [11:42] white: i will for sure [11:43] white: out of the 2.0.0.18 items listed on that page, mfsa2008-52 doesnt apply for 1.8 branches [11:44] sorry ... the javascript part doesnt apply [11:44] e.g. CVE-2008-5018 is ffox 2 only (e.g. not 1.5) [11:44] but CVE-2008-5017 is valid (also 2008-52) [11:48] white: everything else in the 2.0.0.18 section of current sid icedove applies [11:48] for 2.0.0.19 part use the CVEs in the usn above to filter stuff [11:49] oh mfsa2008-48 doesnt apply either [11:49] so CVE-2008-5018 (mfsa2008-52 part 1) and mfsa2008-48 are not in 1.8.0 branches [11:49] thanks ;) [11:49] asac: you cause me a headache ;) [11:54] white: heh ; [11:54] i will give it to you in a few [11:54] white: in debian/rules you need to update TBIRD_BZ2_ARCHIVE=thunderbird_1.5.0.15pre080614i-source.tar.bz2 [11:55] that line [11:55] to refer to the proper tar.bz2 that is in archive/ [11:55] done already :) [11:56] i am test building (started 30 min ago i think) [11:56] cool [11:57] white: http://paste.ubuntu.com/100263/ [11:58] i added "not affected" to those entries from icedove that are not affected [11:58] i removed CVE 5510 as its not yet fixed on 1.8.0 (patch is a bit more complicated there) ... in case you want to add that to CVE tracker [11:58] http://paste.ubuntu.com/100265/ [11:58] annotated with proper upstream version [12:00] asac: btw would you generally be interested in using the security tracker as the source for security overviews? (public issues only of course) [12:06] asac: older stuff like http://www.mozilla.org/security/announce/2008/mfsa2008-37.html aka CVE-2008-0016 is also fixed in this round? (It was marked as fixed for 2.0.0.17-1) [12:11] btw Mike mailed me and would rather like to fix the nss FTBFS, so i guess no new experimental version :/ [13:07] yeah was expected. not sure why he doesnt like the current nss release though ;) [13:09] white: look at the bugs referenced in mfsa [13:09] http://www.mozilla.org/security/announce/2008/mfsa2008-37.html [13:09] those have approval1.8.0.next ... which means that i landed them in distro patchset [13:10] white: do you have a bugzilla account? [13:18] nope :/ [13:20] asac: good news, icedove builds on etch :) [13:27] white: yay ;) [13:27] does it work? [13:27] also test enigmail ;) [13:28] basic testing would be: imap with ssl/tls, pop with ssl/tls; dragging messages around, checking that all preferences tabs are functional (e.g. not broken); testing a langpack; testing enigmail (sign/enc); testing sending mail through SMTP and SMTP/SSL [13:29] also maybe blog subscription/rss [13:29] but well ;) [13:30] i'm still busy with the advisory, but i'll get to it :) [13:30] http://people.ubuntu.com/~asac/mozilla-security/1.8.1.19/seamonkey_1.5.0.15pre080614i-source.tar.bz2 [13:30] asac: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4070 [13:30] if you are brave you would also look at that ... seamonkey doesnt have embedded tarball [13:31] you can just use that and after that run ./debian/rules source (which will do the iceapisation :)) [13:31] white: again, look at the bug ;) [13:31] also you can see if the patch is in the "patches" directory of the tarball [13:32] it always starts with the bugnumber ;) [13:32] in this case its in the patchset ... yes. [13:32] asac: approval1.8.0.next+ [13:32] mozilla$ ls patches/425152_attachment_334030.patch [13:32] patches/425152_attachment_334030.patch [13:33] (just to clarify: i am happy to dig up everything for you ;) ... just want to teach you how you can find info on your own) [13:34] its http://www.mozilla.org/security/announce/2008/mfsa2008-46.html ... which has https://bugzilla.mozilla.org/show_bug.cgi?id=425152 [13:34] Mozilla bug 425152 in Security "heap overflow when canceling usenet message in nsNNTPProtocol::DoCancel()" [Normal,Resolved: fixed] [13:34] 13:00 < white> asac: btw would you generally be interested in using the security tracker as the source for security overviews? (public issues only of course) [13:34] don't worry, it's good to go through it with you and it helps me a lot. I'll get familiar with the stuff, sometimes i just need a little longer :) [13:34] what do you mean by that exatly ;) [13:35] white: you should really get a bugzilla account ;) ... in future you probably want to be able to see embargoed bugs and i can CC you if you have an account ;) [13:35] not really urgent for this round ... but ;) [13:36] asac: i mean that if you want i could give you access to the tracker and you could track issues there as well, if it helps you (it would of course help us heaps ;) ) [13:38] i will think about it ... what features does it provide? just adding info where what is fixed? [13:38] or can i also add comments (like this is MFSA-2008-XX - javascript part) [13:38] ? [13:38] you can also add NOTEs or TODOs [13:38] it could even be extended to track ubuntu versions [13:38] but that might be a different topic [13:38] i think we have our own tracker here ;) [13:39] (which i dont use ... just push that documentation stuff to sec team) [13:39] i will ask them ... maybe there already is a sync or something? [13:39] jdstrand: ?? [13:39] ^^ [13:40] jdstrand: white is from debian security team ... white: jdstrand is ubuntu security team ;) [13:40] asac: i've discussed the tracker issue with kees. It seems that ubuntu wants to keep their own tracker [13:41] asac: however, it would be great for us to have you using our tracker for mozilla stuff and maybe it can be useful for you in several ways [13:41] yeah most likely launchpad [13:43] white: i would definitly be willing to try that. however, i am really bad at remembering to document stuff ... so better dont rely on me - but i think as soon as i am not alone anymore this tracker thing will just resolve [13:43] asac: what's the best way to find information about issues like http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4068, where there is no bugnumber :/ [13:43] white: if there is a mfsa link then you are lucky [13:43] click on that [13:43] and there you will find the bug [13:44] no bug there [13:44] white: if there is not an mfsa link then its either unfixed or (usually) mitre was on crack and assigned stuff to non-issues [13:44] white: https://bugzilla.mozilla.org/buglist.cgi?bug_id=380994,394075,416318 [13:44] white: there is the link [13:44] asac: there is a mfa link [13:44] its on http://www.mozilla.org/security/announce/2008/mfsa2008-44.html [13:44] ah damn [13:44] above the CVE links [13:44] its just a "multi" bug CVE [13:44] nevermind :) [13:45] white: if you cannot see any of those then its embargoed and i would have to CC you [13:45] but all seem to be opened up [13:45] i'm just checking whether they are fixed or not [13:45] white: yeah ... look in patches/series [13:46] if they are not in there look in bug ... as if they dont apply i usually comment on that in the bug [13:46] asac: only one of the bugnnumbers is mentioned there [13:46] white: yeah. look at the bugs in bugzilla ... the one bug has all the patches [13:46] ah ok [13:46] the other is just testcase/documentation bugs [13:47] its frequent that there are a bunch of bugs (even with patches) and then one wrap up bug which contains the accumulated branch patches [13:47] (sorry, to throw all this at you ... its quite a lot of implicit knowledge there ... feel free to ask if you are uncertain :)) [13:49] no problem, i might have to do something else for a while now, but will try to send the advisory draft to you tonight and test the packages [13:50] white: sure [13:50] thanks so much [14:13] asac: do you know where the "compare" target comes from? icedove-3.0 fails to build for me, because the rule doesn't exist [14:13] i am curious what it does or did [14:17] white: mozilla-devscripts [14:17] white: which version are you using? [14:19] 0.12 [14:19] can i live without the target? [14:20] white: is there no /usr/share/mozilla-devscripts/compare.mk ? [14:20] yes there is [14:21] maybe it's not included for some reason [14:21] nah it's not included [14:21] -include /usr/share/mozilla-devscripts/$(DEB_MOZ_APPLICATION).mk [14:21] my DEB_MOZ_APPLICATION is icedove-3.0 [14:22] bummer [14:22] white: you probably know how to fix that ;) [14:22] we should talk with fta bout that [14:22] asac: i just wanted to remark it :) [14:23] valid [14:24] i think debhelper should get the ability to use debian/control.SOURCEPACKAGE name in preference to debian/control [14:24] in that way we could more easily maintain both in one tree [14:24] assuming that i hate templates for control ;) [14:39] white: i think i refer to the patchset in changelog usually ... the one used for this is: http://people.ubuntu.com/~asac/mozilla-security/1.8.1.19/moz_1.8.0.15prepatches080614i.tar.gz [14:40] maybe also give the tarball location [14:49] white: now i remember why iceape is soooo outdated in etch. its glandium kept calendar, so one cannot even use the upstream tarball directly [14:49] damn [14:49] thats really bad [14:59] asac: you have mail [14:59] i'll be relocating home soon, later i'll produce a nice changelog entry, rebuild and start testing [14:59] please check the draft i sent to you :) [15:01] white: thanks. try to keep the current changelog form if possible ;) [15:03] asac: ignore the formatting issues in the draft, i'll fix them up later, just tell me, if you are satisfied with the rest :) [15:07] white: s/Iceweasel/Icedove/ [15:08] white: did you do the CVE list like i said? [15:08] or are you also naming stuff that is fixed in sid? [15:08] asac: i went through the list from http://security-tracker.debian.net/tracker/status/release/stable [15:09] asac: and i added the MFSAs [15:09] (not all apply in both places) [15:09] asac: well they should apply for etch and all are fixed in sid (it doesn't matter, if some were fixed earlier) [15:10] or am i missing something? [15:11] white: have oyu checked whether those CVEs have been named in the changelog before? [15:11] i think most of them are already mentioned [15:11] so they are not fixed in this upload, but in the ones before [15:12] hmm [15:12] ok [15:13] so 2.0.0.17 never made it to security hmm [15:13] i was quite sure i uploaded that [15:13] but well ... maybe i just did xulrunner considering hits higher impact [15:14] hmm [15:15] i think there is one MFSA missing [15:16] white: * MFSA 2008-59 aka CVE-2008-4582 - Script access to .documentURI and [15:16] .textContent in mail [15:17] that one is also fixed everywhere else ... (its probably not in the tracker because the upstream MFSA doesnt provide the CVE) [15:17] well ... everywhere where the 1.8.1.18 backports have been released to [15:29] asac: have to relocate now, will answer later [16:48] asac: does CVE-2008-4582 affect icedove? I though it's only for the browsers [16:48] asac: apart from that one, any other points? [16:48] i'll write the changelog now [17:02] white: is the patch in there? [17:02] white: it doesnt apply to 1.8.0 branches [17:02] https://bugzilla.mozilla.org/show_bug.cgi?id=455311#c78 [17:03] Mozilla bug 455311 in Networking: File "[FIX]mid-autumn festival vulnerability" [Normal,Resolved: fixed] [17:03] but maybe i took https://bugzilla.mozilla.org/show_bug.cgi?id=455311#c80 anyway [17:03] in case some embedders use .desktop files [17:11] hold on, i am just finishing the changelog [17:16] yeah [17:16] i am still here ;) [17:17] iceape killed me again ... calendar/ has binary files, so no luck with diff ;) [17:17] so now uue tarball ;) [17:18] asac: does that look ok to you? http://paste.debian.net/25288/ [17:18] asac: i am a bit unsure about http://www.mozilla.org/security/announce/2008/mfsa2008-61.html aka CVE-2008-5503 [17:18] i'll check whether there is a patch in the tarball [17:19] white: please point to the tarball/patchset download source [17:19] i think i did that in previous uploads? [17:19] like: [17:19] * backports for thunderbird 2.0.0.17 stability/security update [17:20] i have in dapper: [17:20] * RELEASE security/stability backports for tbird 1.5 as of 2.0.0.19 [17:20] (USN-701-2) [17:20] - http://people.ubuntu.com/~asac/mozilla-security/1.8.1.19/moz_1.8.0.15prepatches080614i.tar.gz [17:20] white: btw, the upload we are looking at is 2.0.0.17 + 18 + 19 [17:21] also mention the tarball maybe: http://people.ubuntu.com/~asac/mozilla-security/1.8.1.19/icedove-1.5.0.13+1.5.0.15b+prepatch080614i.tar.bz2 [17:21] it's quite a nice number of issues :) [17:21] ok, step by step [17:21] white: look at the patches/series file ;) [17:21] so i have the *backports ... lines [17:21] those are all issues we backported since 1.5 went eol [17:21] those commented out are alreawdy committed [17:23] asac: then you want me to add three tarball lines pointing to patchsets? [17:24] white: no ... just to the .19 patchset + tar.bz2 [17:24] they contain the rest [17:26] can you quickly post the URLs plz? [17:33] patchset: calendar-1.0.9.tar.bz2.uue [17:33] tarball: http://people.ubuntu.com/~asac/mozilla-security/1.8.1.19/icedove-1.5.0.13+1.5.0.15b+prepatch080614i.tar.bz2 [17:33] patchset: http://people.ubuntu.com/~asac/mozilla-security/1.8.1.19/moz_1.8.0.15prepatches080614i.tar.gz [17:36] asac: what's calendar-1.0.9.tar.bz2.uue [17:38] white: thats a paste error ;) [17:38] :) [17:38] i am trying to push calendar parts to iceape diff.gz [17:38] so we can use tarballs again [17:38] ok anything else or can i start a nice build in cowbuilder? [17:38] mike apparently shuffled the upstream tarballs without a repro instruction ;) [17:39] white: yes, why do you say "non-maintainer upload"? [17:39] imo its not really unusual that security team does security uploads for packages they dont maintain ;) [17:39] asac: common practise by most sec members [17:40] asac: i don't really maintain many packages anymore and do more uploads of packages i don't maintain ;) [17:40] yeah ... but isnt really informative ;) [17:40] why would anybody want to know that its a NMU? [17:40] it informs that it is a sec upload [17:40] if that info is good to have it shouldnt have the "top" place ;) [17:40] and performed by someone from the sec team (although that doesn't mean much) [17:40] white: thats already said by the other line [17:41] since it's common practise I'd prefer to keep it [17:41] i dont mind ,) [17:41] :) [17:42] oh [17:42] # [17:42] * MFSA 2008-67 aka CVE-2008-5510 - Escaped null characters ignored by CSS [17:42] # [17:42] i think thats the one that isnt fixed [17:42] hmm, it was marked as fixed in - icedove 2.0.0.19-1 [17:42] yeah [17:42] in our tracker, which doesn't have to mean anything :) [17:42] its low severity and patch was too intrusive to take in this round [17:43] ok, i'll take it out then [17:43] white: its fixed in 1.8 (e.g. 2) but not in 1.8.0 [17:43] so not in the upload you are preparing right now [17:45] i've added CVE-2008-5503 to the changelog and advisory, allthough it's pretty low severity IMHO [17:45] white: also CVE-2008-5502 doesnt affect 1.8.0 branch [17:46] just 5501 (layout) [17:46] so it was fixed already in etch? [17:46] white: no it doesnt apply ;) [17:47] in the tracker it reads - icedove 2.0.0.16-1 [17:47] as fixed version [17:47] huh? [17:48] white: CVE-2008-5502 is 1.9 branch only ... so its not fixed in any 2. [17:48] because its not an issue there [17:48] same for 5501 [17:49] http://www.mozilla.org/security/announce/2008/mfsa2008-60.html [17:49] look there [17:49] it says "Firefox 3" only [17:49] which means its 1.9 branch only [17:50] ok, so i'll just mark it as not-affecting the debian versions and take it out of the changelog [17:50] yeah ... but 5500 applies ;) [17:50] (so the MFSA is valid) [17:50] got ya :) [17:51] 18:45 < white> i've added CVE-2008-5503 to the changelog and advisory, allthough it's pretty low severity IMHO [17:51] why wasnt that in there in the first place? [17:51] did i forget that in sid? [17:54] white: i think you also forgot http://www.mozilla.org/security/announce/2008/mfsa2008-46.html ... 2.0.0.17 [17:55] white: you also forgot https://bugzilla.mozilla.org/show_bug.cgi?id=458883 [17:55] hmm i got it in the advisory, but not in the changelog :/ [17:55] Mozilla bug 458883 in Security "Make Document.documentURI and .textContent noAccess in mailnews" [Major,Verified: fixed] [17:55] i already said all this above :/ [17:55] anyway ... let me look further ;) [17:55] i need to compare the advisory with the changelog :/ [17:56] white: no ... dont start with CVEs [17:56] start with MFSAs ;) [17:56] then go through the list [17:56] thats better ;) [17:56] i swear [17:57] laste was http://www.mozilla.org/security/announce/2008/mfsa2008-59.html [17:57] thats what you forgot too [17:57] ;) [17:57] (not the bug) [17:58] also missing http://www.mozilla.org/security/announce/2008/mfsa2008-61.html [17:58] (i think you added that you said) [17:58] yeah that should be it [17:58] thanks [17:59] so missing in changelog (from your paste): [17:59] http://www.mozilla.org/security/announce/2008/mfsa2008-46.html [17:59] MFSA 2008-59 doesn't even have a CVE id? [17:59] http://www.mozilla.org/security/announce/2008/mfsa2008-59.html [17:59] http://www.mozilla.org/security/announce/2008/mfsa2008-61.html [17:59] 16:16 < asac> white: * MFSA 2008-59 aka CVE-2008-4582 - Script access to .documentURI and [17:59] ah right [17:59] you should add that everywhere [18:00] its affecting all 1.8 branch products [18:00] e.g. everything except xulrunner/iceweasel in lenny [18:00] ok cool [18:00] that should be it ;) [18:00] thanks a bunch [18:01] i am still fighting iceape a bit ;) [18:01] maybe i will have something later [18:01] after the whole ice* round is over (or icedove at least), i need to fix some other stuff, like some simple integer overflow or some XSS [18:01] something small, easy and successfull ;0 [18:02] hehe [18:02] well its a huge success if you manage to get icedove out ;) [18:04] and also first time is always hardest ;) [18:05] building now [18:13] i have to ask again regarding CVE-2008-4582 [18:14] it seems to point to http://www.mozilla.org/security/announce/2008/mfsa2008-47.html [18:21] ah CVE-2008-5024 [18:21] nevermind :) [18:35] white: hmmm indeed strange [18:35] not sure whats that about [18:36] thats the CVE for 59 that went over the ticker [18:36] let me double check [18:56] hi [19:00] heh [19:00] iceape-chatzilla to houston ;) [19:00] fun [19:02] * IRCMonkey off [19:07] asac fta: i got an icedove version build now. I'll add a small patch to remove some branding. I've called the version 3.0~b1-1.1 and the packages icedove-3.0 as you requested [19:07] asac fta: Noel wanted to know, whether we could put that to experimental with your permission? [19:07] i think he emailed asac [19:16] asac: i guess i'll give the package to noel and leave it to him :) [19:17] you dont need permission [19:17] just keep th eubuntu mozillateam in Maintainer field ;) [19:17] and give the code back you did to us ;) [19:18] white: ^^ [19:18] feel free to add all of you to Uploaders [19:18] is Mike ok with that as well or isn't he maintaining icedove? [19:19] he isnt [19:19] i already moved Maintainer: to ubuntu team [19:19] it was myself before for ages [19:19] like you can see in the etch package ;) [19:19] ok, i just wanted to make sure everything is sound :) [19:20] so should i just commit my icedove-3.0 branch to bazaar? [19:20] asac: do you have any news from fta about FF3.1 not starting with xmlruner? [19:20] white: if you have a branch then yes [19:20] asac: don't i need some special foo powers? [19:20] BUGabundo: no [19:20] bah [19:21] can't open it for 2 weeks! [19:21] hm [19:21] i need context [19:21] white: push that to your own area for now ... i will shove it over. we can add you to team on next meeting ... which is in 10 days or so ;) [19:21] need to downgrad again [19:21] fta don't you remember me telling you that that it segfault? [19:21] when I had both 3.0 and 3.1 PPA ? [19:21] oh, 2 != versions at the same time [19:21] found that it was related to the PPA version of xlrunner [19:22] 1.9.1 or something [19:22] well, i wanted to find the root cause last week but got busy with something else [19:22] $ firefox-3.1 Could not find compatible GRE between version 1.9.1b3pre and 1.9.1b3pre. [19:22] this is different [19:22] please, show me your /etc/gre.d [19:22] from POV it's the same! [19:22] lol [19:23] 1.9.0.4.system.conf [19:23] 1.9.0.5.system.conf [19:23] 1.9.2a1pre.system.conf [19:24] you don't have xulrunner-1.9.1 installed ? [19:24] I think I have [19:24] apparently not [19:24] xulrunner-1.9.1: [19:24] Installed: 1.9.1~b3~hg20090103r22626+nobinonly-0ubuntu1~fta3 [19:24] Candidate: 1.9.1~b3~hg20090103r22626+nobinonly-0ubuntu1~fta3 [19:24] Version table: [19:24] *** 1.9.1~b3~hg20090103r22626+nobinonly-0ubuntu1~fta3 0 [19:24] 500 http://ppa.launchpad.net jaunty/main Packages [19:24] 100 /var/lib/dpkg/status [19:24] 1.9.1~b2+build1+nobinonly-0ubuntu3 0 [19:24] 500 ftp://darkstar.ist.utl.pt jaunty/universe Packages [19:24] 500 ftp://archive.ubuntu.com jaunty/universe Packages [19:24] I seems I do have it! [19:24] your PPA version [19:25] you should have a /etc/gre.d/1.9.1b3pre.system.conf file then [19:25] strange [19:25] yeah [19:25] fta: yes. i think there is a bug in migration [19:25] --reinstall ? [19:25] fta: i had some more complains that the gre file was gone [19:25] BUGabundo: give it a try [19:25] BUGabundo: --reinstalll xulrunner-1.9 [19:25] (not ffox) [19:25] thanks [19:26] I know ... just looking for the correct package [19:26] dpkg-query -W -f='${Conffiles}' xulrunner-1.9.1 | grep gre.d [19:26] bah... one 'l' too many [19:26] /etc/gre.d/1.9.1b3pre.system.conf 9284295b58639184f779e138babb9ee3 [19:27] do you want the md5sums too? [19:27] FYI I did change gconf to use the latest cul [19:27] is that before or after --reinstall [19:27] *xul [19:27] ? [19:27] before [19:27] reinstall running now [19:27] If you wish to add some of these files, please add them by name. [19:27] Committing to: /etc/ [19:27] modified alternatives/xulrunner [19:27] missing gre.d/1.9.0.4.system.conf [19:27] deleted gre.d/1.9.0.4.system.conf [19:28] LOL [19:28] wooww [19:28] fta: i think it happens when you install 1.9.1 for first time. at lesat the complains couldnt reproduce, after they fixed it [19:28] something changed according to my bzr backup of /etc [19:29] $ firefox-3.1 Could not find compatible GRE between version 1.9.1b3pre and 1.9.1b3pre. [19:29] fta: dont you use rm_conffile? [19:29] no [19:29] why not? [19:29] /etc/gre.d/1.9.1b3pre.system.conf 9284295b58639184f779e138babb9ee3 [19:29] after reinstall [19:29] well, yes [19:29] thats actually quite important ;) [19:29] ah ok [19:29] look the same to me [19:30] BUGabundo: md5sum /etc/gre.d/1.9.1b3pre.system.conf gives you? [19:30] asac, http://paste.ubuntu.com/100515/ [19:30] fta: in preinst? [19:30] $ md5sum /etc/gre.d/1.9.1b3pre.system.conf [19:30] md5sum: /etc/gre.d/1.9.1b3pre.system.conf: No such file or directory [19:30] asac, yes [19:31] 1.9.0.5.system.conf [19:31] 1.9.2a1pre.system.conf [19:31] fta: maybe in preinst everything is obsolete or something ... hmm [19:32] fta: @XULBRANCH@? who cares about 1.9.0? is that supposed to be done by 1.9.0? [19:33] asac, what i experienced a few times is that when you upgrade for v1 to v2, the gre-v1.conf file is not removed, if you upgrade again (ie v2 to v3 or v2 to another v2), it v1 is removed [19:33] -for+from [19:33] well ... in this case the new config is removed right? [19:33] maybe we should take care that we dont remove stuff from the same gre version [19:33] it seems so but i never experienced that [19:33] i'll have a closer look after diner [19:34] conffiles are a real pita [19:34] so now good news for me?» [19:34] sometimes they are not replaced with new files even though they were never touched :( [19:34] BUGabundo: so did you reinstall? [19:34] yep [19:34] which package verison of xulrunner was installed? [19:34] * fta blames dpkg [19:35] Removing obsolete conffile /etc/gre.d/1.9.0.4.system.conf ... [19:35] Unpacking replacement xulrunner-1.9 ... [19:35] Setting up xulrunner-1.9 (1.9.0.5+nobinonly-0ubuntu1) ... [19:35] I have from 1.9.0,1.9.1 and 1.9.2 [19:35] apt-cache madison xulrunner-1.9 xulrunner-1.9.1 xulrunner-1.9.2 | grep -v Source [19:36] xulrunner-1.9 | 1.9.0.5+nobinonly-0ubuntu1 | ftp://darkstar.ist.utl.pt jaunty/main Packages [19:36] xulrunner-1.9 | 1.9.0.5+nobinonly-0ubuntu1 | ftp://archive.ubuntu.com jaunty/main Packages [19:36] xulrunner-1.9.1 | 1.9.1~b3~hg20090103r22626+nobinonly-0ubuntu1~fta3 | http://ppa.launchpad.net jaunty/main Packages [19:36] xulrunner-1.9.1 | 1.9.1~b2+build1+nobinonly-0ubuntu3 | ftp://darkstar.ist.utl.pt jaunty/universe Packages [19:36] xulrunner-1.9.1 | 1.9.1~b2+build1+nobinonly-0ubuntu3 | ftp://archive.ubuntu.com jaunty/universe Packages [19:36] xulrunner-1.9.2 | 1.9.2~a1~hg20090102r23257+nobinonly-0ubuntu1~fta2 | http://ppa.launchpad.net jaunty/main Packages [19:36] ok [19:36] bug in my preinst then [19:36] * BUGabundo blames stable,beta & alpha all together! [19:37] but this is different from running != versions at the same time [19:37] missing gre.d/1.9.0.4.system.conf [19:37] deleted gre.d/1.9.0.4.system.conf [19:37] when did that happen? [19:37] after the reinstall [19:38] its the bzr log [19:38] that is attached to apt [19:38] humm how is it called!!? [19:38] etckeeper [19:39] could you please pastebin me your traces (apt) [19:39] full command please! [19:39] of the reinstall? [19:40] http://paste.ubuntu.com/100527/ [19:40] maybe from /var/log/apt/term.log if your xul upgrades are in there [19:42] http://paste.ubuntu.com/100528/ [19:42] http://paste.ubuntu.com/100527/ <= this is correct, 1.9.0.5 removes the old 1.9.0.4 gre file, but it happened at reinstall not when 1.9.0.5 was first installed, so this is sub-optimal [19:43] asac, do you have a bug # on lp for this bug? [19:45] BUGabundo, what happens when you --reinstall 1.9.1 ? [19:45] again?? [19:45] lol [19:45] have a look at the log above fta [19:45] hmm, you pasted 1.9 several times [19:46] did i mis-read? [19:46] don't know! [19:46] but I can always redo it to be sure [19:46] so its 1.9.1 correct? [19:46] hold on, reading your long log file [19:47] Preparing to replace xulrunner-1.9.1 1.9.1~b2+build1+nobinonly-0ubuntu3 (using .../xulrunner-1.9.1_1.9.1~b3~hg20081227r22500+nobinonly-0ubuntu1~fta1_amd64.deb) ... [19:47] Removing obsolete conffile /etc/gre.d/1.9.1b3pre.system.conf ... [19:47] Unpacking replacement xulrunner-1.9.1 ... [19:47] not good [19:47] fta tail it!! last lines all you need [19:48] yeah so now I have no 1.9.1 on gre.d [19:48] nope, i need history, the cause is just this [19:48] humm [19:48] I did downgrade from FF3.1b3 PPA to 3.1 archive [19:48] and xul too! [19:48] if the clean-up happens one step too late and you keep reverting to b2, bingo, you loose your gre file [19:49] but I enable it again to check if you fixed it and got into this === rzr is now known as rZr [19:51] what i already know: b2-1 -> b2-2 -> b2-3 -> b3-1 (nada, while gre/b2 should be removed) -> b3-2 (gre/b2 removed, all fine) -> b3-3 ... [19:52] you seems to be doing: b2-3 -> b3-1 -> b2-3 -> b3-2 -> b2-3 -> b3-3 (no b3 gre file??) [19:53] is that correct? [19:53] * BUGabundo is confused (and hungry) [19:53] don't :) [19:53] i'm trying to understand your upgrade path [19:53] humm [19:54] ok... ibex -> jaunty pre-alpha1, with PPA always enabled AFAIR [19:54] (bear with me..) [19:54] last week FF3.1 started segfaulting [19:54] so I posted it here [19:54] installed 3.2 and it also failed [19:54] when FF3.0 was opened [19:55] removed PPA and downgrade just FF3.1 to archive [19:55] no go, so I donwgraded xul too! [19:55] it worked ! enabled PPA again and got here today to ask what's up! [19:56] you're mixing 2 issues: a/ gre file disappearing & causing ff-x to fail on startup and b/ concurrent versions no longer running but showing a segfault and opening a window from the other version [19:57] for b/ i know what is causing that, i could revert my changes but i would prefer fix the bug (needs work) [19:57] ok [19:57] about a/? [19:58] for a/ it seems to be caused by my preinstall script but it still not clear to me how you could end up there. yet, i see did it. [19:58] and asac said some other guys filed bugs about that very same thing [19:59] asac: any luck getting the ML moderate pass? mail still in queue [19:59] fta: should I remove it all [19:59] with purge? [19:59] and start again? [19:59] to fix a/ i need to understand the situation, i'll study your logs after dinner, this bug is more critical than b/ [20:00] thanks [20:00] Dinner time [20:00] brbr [20:00] to work-around a/, you can just re-create that file manually, it's easy. [20:01] send me yours [20:01] LOL [20:01] fta@ix:~ $ cat /etc/gre.d/1.9.1b3pre.system.conf [20:01] [1.9.1b3pre] [20:01] GRE_PATH=/usr/lib/xulrunner-1.9.1b3pre [20:01] xulrunner=true [20:01] abi=x86-gcc3 [20:03] if you are on amd64, the last line is "abi=x86_64-gcc3" [20:03] I am [20:03] I'll create it after dinner [20:03] [[]] [20:04] ok, cu then [20:09] i hate that [20:09] that's cocked me up before when buiding .xpi files [20:30] BUGabundo: we have to wait for gnomefreak ;) [20:30] directhex: ? [20:31] asac, ABI stuff being read from the running cpu when compilling plugins, not the compiler arch [20:31] white: CVE-2008-4066 [20:31] i think thats not fixed in our 1.8.0 branches [20:31] can you note that in tracker so i get to it? (its http://www.mozilla.org/security/announce/2008/mfsa2008-43.html part 2 ... if you could add that as comment) [20:32] directhex: ah ok. can be itchy ;) ... i think BUGabundo didnt have any line though ;) [20:39] asac: taken out of the advisory and the changelog [20:39] BUGabundo, sudo zgrep -hE '(xulrunner-1.9.1 |gre.d/1.9.1)' /var/log/apt/term.log.{2,1}.gz /var/log/apt/term.log | grep -vE '^(Setting up|Unpacking)' [20:39] asac: it's fixed in sid though right? === rzr is now known as rZr [20:48] white: not sure right now [20:48] white: sory for confusion. seems i messed up my own iceape tarball by using the wrong patchset version ;) so not all was in there [20:48] let me check [20:49] white: ok what i said was correct. its missing ... its in 2 though [20:55] asac: new icedove package seems to work, at least i can reach my pop/imap accounts and use smtp on my relay host :) [20:57] asac: CVE-2008-4066: - icedove 2.0.0.17-1 (that is the fixed icedove entry) [21:25] white: http://paste.ubuntu.com/100583/ ;) [21:25] white: you know whether i need to build depend on sharutils and bzip2? [21:27] woww, that's a lot of MFSAs [21:27] that was even more work [21:27] i went through all MFSAs and checked that we have it [21:27] i found three bugs that i somehow dont have in the patchsets [21:28] have to investigate now and patch them next time if it turns out to be forgotten [21:28] most likely i just forgot to document in bug why i didnt take it though [21:28] asac: nice work [21:28] asac: but back to icedove, one step at a time ;) [21:29] asac: CVE-2008-4066: - icedove 2.0.0.17-1 [21:29] is that still correct? [21:29] icedove etch packages seem to work by the way as already said :) [21:30] white: good. you hav a mfsa for that?= [21:30] 21:31 < asac> can you note that in tracker so i get to it? (its http://www.mozilla.org/security/announce/2008/mfsa2008-43.html part 2 ... if you could add that as comment) [21:30] yes [21:30] thats fixed in 2.0.0.17 [21:30] asac: i was wondering, if it is fixed in sid and if so, which version it was fixed :) [21:30] ah great :) [21:30] ts just that the second part is not in 1.8.0 [21:31] so is the CVE fixed in sid? (like the second part) [21:31] white: for upstream tarballs you can check whether bugs are fixed by going to the bug and look for the fixed1.8.1.17 (for 2.0.0.17) ;) [21:31] sorry, but i need to get through the CVEs :) [21:31] or verified1.8.1.17 [21:31] which is even saying that QA has verified that its fixed [21:32] white: for outstanding CVEs we discuss at best add the MFSA ;) [21:32] so we dont need to hunt it down ;) [21:32] i'll try my best :) [21:32] sure [21:32] if not ... we wil survive it ;) [21:32] though scratching heads again [21:32] did you guys use m-d ? [21:32] :) [21:33] fta: for what? [21:33] fta: for patchset management? [21:33] i think thats a missing feature as of now ;) [21:33] asac: ok, at the moment, the etch packages are rebuilding without the CVE id in it [21:33] explain [21:33] asac: but with the MFSA included [21:33] would be cool if i could tell it: also add patchset "url-to-patches/tarball" and "url-to-patches/tarball2" [21:33] asac: were there any other objections? [21:33] and apply ;) [21:34] white: post the changelog again ;) ... my brain is out of sync again ;) [21:34] sure [21:35] asac: http://paste.debian.net/25323/ [21:36] * asac just noticed that he is using ffox 1.5 for the last 5 hours ;) [21:36] thought it was broken ;) ... but now i see [21:37] asac: should i resend the advisory draft as well? [21:37] ill just do it anyway :) [21:37] * MFSA 2008-37 aka CVE-2008-0016 - UTF-8 URL stack buffer overflow [21:37] there are two whitespaces [21:37] 16 - UTF-8 URL [21:37] ^^ [21:38] :) [21:39] white: maybe use the same i used for -41 [21:39] [11:47] white: take a look at the latest tbird 3 packaging branch ... i think fta moved logic from m-devscripts to the packages ... maybe thats the reason [21:39] http://paste.ubuntu.com/100583/ [21:39] i'm not done with that yet [21:39] fta: ah [21:39] ok [21:39] jsut a few packages moved [21:39] was just a blind guess [21:39] we found it actually [21:39] its DEB_MOZ_APPLICATION=icedove-3.0 [21:39] which kills the thing [21:39] fta: ^^ [21:40] ? [21:40] probably icedove-3.0 needs to ship a debian/icedove-3.0.mk and include the thunderbirc-3.0.mk? [21:40] fta: compare isnt included [21:40] because $(DEB_MOZ_APPLICATION).mk doesnt exist [21:41] compare is included in $(project).mk usually, but could be included directly [21:41] doesn't matter much for as long as mozilla-devscripts isn't uploaded to debian :) [21:41] but then you need to add your own filters [21:41] white: please take my text for -41, -42 (http://paste.ubuntu.com/100583/) [21:42] asac: you mean http://paste.debian.net/25324/ ? [21:43] yes [21:43] white: * MFSA 2008-45 aka CVE-2008-4069 - [1.8 branch] XBM appears to draw [21:43] ok [21:43] uninitialized memory [21:43] is that not tbird? [21:43] seems like [21:43] ok [21:45] white: same for the other multi advisories: -52, -60 -68 [21:46] i'd say that http://www.mozilla.org/security/announce/2008/mfsa2008-54.html is also in thunderbird [21:46] tbird does http stuff [21:47] e.g. rss feed and so on [21:47] but well [21:47] its ok to not name it [21:47] or name it ;) [21:47] asac: so i guess there are two or three minor issues we don't have in the current round [21:47] but all major ones should be there [21:48] so we could build the final version now :) [21:48] nice ... i forgot -59 in iceape ;) [21:49] asac: should i restart the build for icedove now? :) [21:49] white: yes if you changed the other multi things. [21:49] in changelog ... go ahead [21:50] if you have the builds staged somewhere i can also take a look and test [21:50] asac: i am building them on a sec host, but can make them available after build [22:03] asac fta: I have added a bzr branch to https://code.launchpad.net/~steffen-joeris/+junk/icedove-3.0, which appears to build here. There are some concerning warnings, but it starts and seems to run [22:04] asac fta: i've packed the -source.tar.bz2 into a icedove-3.0_3.0~b1.orig.tar.gz locally (wasn't sure how you wanted it in bzr, if at all) [22:05] hope it helps somehow [22:05] white: why junk? [22:05] you can use the "thunderbird" project [22:06] but doesnt matter [22:06] i can take a look at it as its now [22:06] asac: well, you said somewhere on launchpad ;) [22:06] hehe ;) [22:06] white: oh [22:06] white: you have to start with the thunderbird branch [22:06] and then do the changes on top [22:06] otherwise you cannot merge in future [22:07] and dont add the tar ;) [22:07] just debian/ in bzr [22:07] asac: well i obviously had to rename all the stuff in /debian [22:07] white: thats ok [22:07] you can use bzr mv [22:07] to rename files [22:07] we do most things in debian/rules anyway [22:08] so conflicts should be more or less bearable in future ;) [22:08] fta: what do you think? [22:08] the tarball was kind of important for me as i couldn't get a complete tarball out of mozilla-devscripts :/ [22:09] white: yes. but not in the bzr branch ;) [22:09] asac: either way, I'll send Noel a mail with some information and a remark to contact you for further cooperation, if he continues to work on it :) [22:09] yep [22:10] asac, sure. i do that quite a lot with all the xul 1.9/1.9.1/1.9.2 branches. bzr mv once then bzr merge [22:11] fta: yeah. but i mean the filenames in .install will have a different path ... so conflicts will happen for sure [22:11] debhelper needs more features ;) [22:11] (again) [22:11] bzr seems to remember the mv [22:11] yes the mv is no problem [22:11] but you s/thunderbird/icedove/ in files [22:11] and then next time you touch them in tbird they conflict (rightfully) [22:12] yep, some conflicts are expected but it's usually easy to solve [22:12] do we need debhelper files at all? [22:12] ;) [22:12] i am more and more getting a fan of making all paths generic by punching stuff in debian/rules [22:12] i'm afraid we do need them, too many files [22:12] that would help a bunch in rebranding and being downstream and so on [22:13] yeah ... i think we should do mozhelper though [22:13] especially the splits between several debs [22:13] and add the generic features required to it [22:13] what i want is easy variables in .install/link/dirs [22:13] and also .sourcepackage extensions ;) [22:14] we could also make all those .in and subst filenames and paths [22:14] yeah. its just that i get a bad feeling when thinking about templates ;) [22:14] but true [22:15] fta: ah ... but we definitly would need debian/control.sourcepackage [22:15] its not that easy to replace description and stuff generically [22:15] well maybe not "definitly" :) [22:15] control doesnt change often so branches will have rare conflicts there [22:16] so no mozhelper, but everything .in :) [22:16] changing control is tricky as it's easy to confuse cdbs [22:23] iceape building ... what a mess :) [22:55] mmmmm, tricky. when I upgrade from X to Y, what is run is "preinst(from-X) upgrade X", so the preinst script knows nothing about Y and doesn't have access to any file of Y [22:55] so preinst is not the good candidate [23:03] asac, ^^ [23:06] fta: why do you need to know Y from arguments? [23:07] you have access to the maintainer scripts [23:07] think about X -> Y -> X [23:07] so you probably have to do templating [23:07] if you need the version number [23:07] fta: you mean if Y upgrade is rolled back ? or if you downgrade? [23:08] downgraded, like BUGabundo [23:09] why would there be a problem when downgrading? [23:13] you start from X, stable, providing /etc/greX [23:13] you upgrade to Y, providing /etc/greY [23:13] -> preinst install X [23:13] -> look for gre files => only /etc/greX, not obsolete, do nothing [23:13] -> install /etc/greY => we have 2 gre files [23:13] you downgrade to X, providing /etc/greX [23:13] -> preinst install Y [23:13] -> look for gre files => /etc/greY is obsolete => removed [23:13] => /etc/greX is not obsolete => do nothing [23:13] -> install /etc/greY fails as is has been removed by preinst => BINGO [23:14] eh [23:15] the last 3 lines are reversed X<->Y [23:17] asac, http://paste.ubuntu.com/100643/ [23:17] 00:13 < fta> -> preinst install X [23:17] this means [23:17] 00:13 < fta> -> Y.preinst install X [23:17] no, it's the old preinst [23:17] -> look for gre files => only /etc/greX, not obsolete, do nothing [23:18] thats wrong [23:18] why old preinst? [23:18] that isnt called on upgrade at all [23:18] http://www.debian.org/doc/debian-policy/ch-maintainerscripts.html#s-unpackphase [23:18] 1. [23:18] If the package is being upgraded, call [23:18] old-postrm upgrade new-version [23:18] 2. [23:18] If this fails, dpkg will attempt: [23:18] new-postrm failed-upgrade old-version [23:18] thats postrm ;) [23:18] not preinst [23:18] oops [23:18] so the problem here is that [23:19] -> look for gre files => only /etc/greX, not obsolete, do nothing [23:19] should do: [23:19] at that point, the new gre file is not there yet [23:19] -> look for gre files => remove all not /etc/greY [23:19] hmm [23:19] there's only the old one [23:20] you should just remove /etc/greX and all obsolete ;) [23:20] yes. the new gre file is /etc/greY [23:20] thats not needed at that point [23:20] we remove "previous" + all obsolete [23:20] that should be right [23:21] but pkg version != gre version [23:21] thats for Y.new-preinst upgrade X [23:23] i can add gre-version in the template and rm obsolete iif != (new) gre-version [23:25] asac, who else complain? [23:25] lool [23:25] but that was "just" upgrade/install [23:25] hm [23:26] he couldnt start after upgrade ... gre missing [23:26] we couldnt investigate unfortunately [23:26] which version? 3.0 ? [23:26] not sure [23:27] where was that? here? [23:27] it was before holiday [23:27] i think in #ubuntu-mobile [23:28] Dec 17 15:54:51 Could not find compatible GRE between version 1.9.0.1 and 1.9.0.*. [23:30] did we land anything in 1.9 yet at all? [23:30] Dec 17 15:55:36 I'm doing a jaunty dist-upgrade, and it's been 20 minutes that firefox is broken during the upgrade with this message; I wonder why the dep isn't < 1.9.1 as well? [23:30] Dec 17 16:07:15 asac: Working again now; I wonder what broke it [23:30] so just during the dist-upgrade [23:31] oh ;) [23:31] thanks for being my memory [23:41] asac, http://paste.ubuntu.com/100653/ this should fix the bug, but we still have two gre just after a gre bump [23:44] asac, got a r+ for mozilla bug 460913 \o/ [23:44] Mozilla bug 460913 in Build Config "Installer shouldn't copy xulrunner files into Firefox install directory" [Normal,Assigned] http://bugzilla.mozilla.org/show_bug.cgi?id=460913 [23:46] asac, r- for mozilla bug 412610 [23:46] Mozilla bug 412610 in Startup and Profile System "MAXPATHLEN too small for glibc's realpath()" [Normal,Resolved: fixed] http://bugzilla.mozilla.org/show_bug.cgi?id=412610