| DRX | Anyone know when the glibc security update (2.36-9+deb12u4) will be available? I've seen it already on Debian (some time ago), but still haven't seen it on Devuan. | 03:40 |
|---|---|---|
| gnarface | usually just takes a couple hours for the build process to happen and packages to propagate out, how long has it been? | 04:10 |
| DRX | Well, according to https://lists.debian.org/debian-security-announce/2024/msg00018.html, it looks like it was posted at 18:33 UTC. | 04:12 |
| rustyaxe | ii libc6:amd64 2.37-13 amd64 GNU C Library: Shared libraries | 04:12 |
| DRX | I would guess the update was available then, like it usually is on Debian. | 04:12 |
| gnarface | hmmm.... | 04:12 |
| DRX | Are you on stable or testing, rustyaxe? | 04:12 |
| rustyaxe | testing. I dont have time for years old software :p | 04:13 |
| gnarface | huh, actually wait, not a forked package so there should be no rebuild | 04:13 |
| gnarface | hmmm.... | 04:13 |
| DRX | I'm looking at stable. Yes, I've noticed this happening more lately. | 04:13 |
| DRX | The security updates on Devuan used to be out shortly after Debian. | 04:14 |
| gnarface | let's try to ask fsmithred about it | 04:14 |
| DRX | Did you patch the Jenkins CI (ci.devuan.org) after the CVE-2024-23897 announcement on January 24? | 04:15 |
| DRX | I hope there isn't something wrong with it, though I don't think it would be involved in this. | 04:15 |
| DRX | It looks like the glibc security update is available now. Glad to see it; buffer overflows in syslog() are no joke. | 04:53 |
| gnarface | i can only assume it must have been some sort of mirror propagation delay, maybe actually upstream at debian | 04:53 |
| gnarface | not sure though | 04:54 |
| gnarface | if fsmithred comes back maybe he'll have some insight | 04:54 |
| onefang | Hmmm libc6 in oldstable-security (Beowulf) is 2.31-13+deb11u7 and no update recently. | 09:23 |
| cousin_luigi | Where can I find a list of patched packages for devuan? More specifically, I'm trying to find out what differences in php and modules there might be. | 10:27 |
| |cos| | cousin_luigi: My assumption is that all patched packages have their sources at git.devuan.org and that everything else is stock debian, but I haven't really got a clue. | 10:45 |
| cousin_luigi | Thanks, will look there. | 10:48 |
| fsmithred | cousin_luigi, all forked packages have "devuan" in the version. apt-cache, apt or aptititude search devuan will give you a list. | 17:25 |
| fsmithred | oops! 'aptitude search devuan' does not search the versions, just the package name. | 17:26 |
| cousin_luigi | fsmithred: dpkg -l|awk '$3~/devuan/' is what I want | 17:41 |
| fsmithred | gettin' fancy there | 17:57 |
| fsmithred | bbl | 18:06 |
| rwp | cousin_luigi, You are looking for the https://pkgmaster.devuan.org/bannedpackages.txt listing of packages that are either banned or forked. | 18:06 |
| rwp | AFAIK none of the PHP packages have been forked. All of them are verbatim the same packages as Debian upstream. | 18:06 |
| cousin_luigi | rwp: No, actually I was looking for modifications that might be causing php token problems. Right now I suspect libuuid1 to be the culprit. | 18:10 |
| cousin_luigi | https://git.devuan.org/devuan/util-linux is there a way to see a diff against the debian package? | 18:10 |
| rwp | cousin_luigi, I downloaded both packages and ran debdiff on them: https://paste.debian.net/plain/1305896 | 18:16 |
| rwp | I got the diff reversed due to alphabetical sorting. Sorry. | 18:17 |
| cousin_luigi | rwp: Thanks for the effort, but I think I have to look at the source. | 18:17 |
| cousin_luigi | https://git.devuan.org/devuan/util-linux/src/tag/devuan/2.38.1-5devuan1 maybe make my way through the commits is easier | 18:17 |
| rwp | One could download the source for both and then diff the source directories. | 18:17 |
| rwp | Using debdiff on the packages was easy enough that I was happy to do the easy stuff. :-) | 18:18 |
| cousin_luigi | Indeed. Will try that | 18:18 |
| DRX | That diff is interesting to see. It looks like debian has moved a lot to /usr/bin and /usr/sbin from /bin and /sbin respectively. | 18:19 |
| DRX | I recall reading about that somewhere, but I can't remember why they were doing that. | 18:20 |
| rwp | Debian is moving ALL of their files from /bin to /usr/bin and all of the packages installing anything to /bin are getting uploaded with that change. | 18:20 |
| rwp | That change by itself causes me no problem. But in doing that they have been adding bugs by NOT updating the associated debian-alternatives paths and other associated hard coded paths to match. It's a bug if it does not match. But one that is hidden by the /bin -> /usr/bin symlink. | 18:21 |
| DRX | Do you know why? I don't a lot of difference, other than if those happen to be different mount points. | 18:21 |
| rwp | DRX, Honestly we have been talking about little other than UsrMerge for the last year. I see you have been joyously enjoying avoiding the endless discussions, rants, ravings about it. It's too much to summaries. | 18:22 |
| DRX | LOL, OK, I'm glad I missed it! | 18:22 |
| rwp | Too much to *summarize. Instead just know that it is a very hot and contention topic that is continuing every day here. | 18:22 |
| DRX | I can understand that it will cause bugs when the paths aren't updated, so there is that. | 18:23 |
| rwp | Just FYI but Testing and Unstable are completely broken by UsrMerge unless one takes special care installing them due to this being half way over the fence. We have been forced to step one leg over the vence. The barbed wire is chaffing. | 18:24 |
| DRX | Ouch! That makes me glad for all the work keeping stable working so well. | 18:25 |
| DRX | It will be a few more years until I upgrade all the stable instances after they become oldstable. Hopefully, it will all be worked out by then. | 18:26 |
| rwp | Stable Daedalus is before UsrMerge and not yet affected. But Debian upstream has decided that regardless of the many valid objections to taking the shortcut path that they are taking the shortcut path and barging forward with the plan to symlink /bin -> /usr/bin and /lib -> /usr/lib and damn the torpedoes that are known to exist in the way of it. | 18:26 |
| rwp | So Debian 13 Trixie and Devuan 6 Excalibur are definitely affected. Deeply. And so far Devuan as a project has not made a decision yet as to how it will be handled. Devuan will be forced to do something about it at some point. But debates are still happening on the topic. | 18:27 |
| DRX | What kind of torpedoes do you see? | 18:28 |
| DRX | I.e., what are the biggest problems in your view? | 18:28 |
| rwp | Sigh. Okay. A clean way forward would have been to move all of the files out of /bin,/lib into /usr/bin,/usr/lib package by package first. Then when /bin,/lib was empty then swap them for symlinks. But instead they forced the symlinks first. The dpkg maintainer has been strongly objecting that this breaks the canonical tracking of file locations in the dpkg database by doing this not in the packages. | 18:30 |
| rwp | And then there are things like the Linux kernel loads firmware from /lib NOT /usr/lib and so that migration has happened not coordinated with the kernel. And the entire initramfs build process is broken along with this. | 18:30 |
| DRX | The first point about the packaging must be a pain for maintainers. The second one ... wow. How do they expect that to work? | 18:31 |
| rwp | *I* don't expect that to work. | 18:32 |
| rwp | Start reading here: https://wiki.debian.org/UsrMerge | 18:32 |
| DRX | Thanks. I will read up on that. | 18:34 |
| rwp | I have lost the URL but if you find Helmut's page tracking the issues that is a canonical source of high quality information. | 18:34 |
| rwp | Here is a good summary from a year ago already: https://lwn.net/Articles/890219/ | 18:40 |
| DRX | Reading... | 18:53 |
Generated by irclog2html.py 2.17.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!