Merge ~lucaskanashiro/ubuntu/+source/postfix:update-to-version-3.4.11 into ubuntu/+source/postfix:ubuntu/focal-devel

Proposed by Lucas Kanashiro
Status: Approved
Approved by: Lucas Kanashiro
Approved revision: b4a96e9bbe9b1ceebb75dd0a24ed6b711c98749b
Proposed branch: ~lucaskanashiro/ubuntu/+source/postfix:update-to-version-3.4.11
Merge into: ubuntu/+source/postfix:ubuntu/focal-devel
Diff against target: 212 lines (+38/-58)
10 files modified
HISTORY (+9/-0)
Makefile.in (+1/-1)
debian/changelog (+10/-0)
debian/patches/series (+0/-1)
dev/null (+0/-51)
makedefs (+1/-1)
src/dns/dns.h (+4/-0)
src/dns/dns_lookup.c (+5/-2)
src/dns/dns_str_resflags.c (+6/-0)
src/global/mail_version.h (+2/-2)
Reviewer Review Type Date Requested Status
Lucas Kanashiro (community) Approve
Bryce Harrington (community) Needs Fixing
Canonical Server Core Reviewers Pending
Review via email: mp+385501@code.launchpad.net

Description of the change

This MP updates postfix to version 3.4.11 in Focal to fix this bug:

https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1868955

Scott Kitterman proposed this microrelease update (from 3.4.10 to 3.4.11) since the changes are minimal and it was already approved by the Tech Board in the past.

Here is a PPA with the proposed package:

https://launchpad.net/~lucaskanashiro/+archive/ubuntu/focal-postifx-lp1868955/+packages

autopkgtest is still happy:

autopkgtest [10:53:30]: @@@@@@@@@@@@@@@@@@@@ summary
postfix PASS

Bryce Harrington (bryce) wrote :

* Changelog:
  - [√] old content and logical tag match as expected
  - [√] changelog entry correct version and targeted codename
  - [√] changelog entries correct
  - [x] update-maintainer has been run

* Actual changes:
  - [x] no upstream changes to consider
  - [√] no further upstream version to consider
  - [√] debian changes look safe

* Old Delta:
  - [√] dropped changes are ok to be dropped
  - [√] nothing else to drop
  - [√] changes forwarded upstream/debian (if appropriate)

* New Delta:
  - [-] no new patches added
  - [√] patches match what was proposed upstream
  - [√] patches correctly included in debian/patches/series
  - [√] patches have correct DEP3 metadata

* Build/Test:
  - [√] build is ok
  - [√] verified PPA package installs/uninstalls
  - [√] autopkgtest against the PPA package passes
  - [√] sanity checks test fine

Don't forget to run update-maintainer

I examined the dropped patch. It looks like some of it still should apply, however it looks like the rationale to include it was purely just to fix a build problem, so I agree if it now builds ok then the need for the patch is gone. So dropping it LGTM.

I didn't attempt to rebuild the package, but I did verify it installs from the PPA into lxc, and I ran the test cases for eoan and focal. The behavior is still a bit different but it appears to work:

root@triage-eoan:/home/bryce# posttls-finger -t30 -T180 -c -L verbose,summary -w smtp.sdeziel.info:465
posttls-finger: initializing the client-side TLS engine
posttls-finger: using DANE RR: _465._tcp.smtp.sdeziel.info -> dane-ta.le-authority-x3.sdeziel.info IN TLSA 2 1 1 60:B8:75:75:44:7D:CB:A2:A3:6B:7D:11:AC:09:FB:24:A9:DB:40:6F:EE:12:D2:CC:90:18:05:17:61:6E:8A:18
posttls-finger: setting up TLS connection to smtp.sdeziel.info[24.212.252.42]:465
posttls-finger: smtp.sdeziel.info[24.212.252.42]:465: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"
posttls-finger: smtp.sdeziel.info[24.212.252.42]:465: depth=1 matched trust anchor public-key sha256 digest=60:B8:75:75:44:7D:CB:A2:A3:6B:7D:11:AC:09:FB:24:A9:DB:40:6F:EE:12:D2:CC:90:18:05:17:61:6E:8A:18
posttls-finger: smtp.sdeziel.info[24.212.252.42]:465: depth=0 chain is trust-anchor signed
posttls-finger: smtp.sdeziel.info[24.212.252.42]:465: depth=0 verify=1 subject=/CN=smtp.sdeziel.info
posttls-finger: smtp.sdeziel.info[24.212.252.42]:465: subjectAltName: imap.sdeziel.info
posttls-finger: smtp.sdeziel.info[24.212.252.42]:465: subjectAltName: mail.sdeziel.info
posttls-finger: smtp.sdeziel.info[24.212.252.42]:465: Matched subjectAltName: smtp.sdeziel.info
posttls-finger: smtp.sdeziel.info[24.212.252.42]:465 CommonName smtp.sdeziel.info
posttls-finger: smtp.sdeziel.info[24.212.252.42]:465: subject_CN=smtp.sdeziel.info, issuer_CN=Let's Encrypt Authority X3, fingerprint=C9:7A:27:B3:13:62:4C:ED:5C:C8:CE:6D:9D:E8:E7:3A:F2:73:AE:9D, pkey_fingerprint=59:B1:2C:D2:78:CD:55:A1:11:F5:D5:AA:DB:87:1E:16:00:EC:52:33
posttls-finger: Verified TLS connection established to smtp.sdeziel.info[24.212.252.42]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256

And on focal:

root@triage-f...


review: Needs Fixing
Lucas Kanashiro (lucaskanashiro) wrote :

Many thanks for the review Bryce :)

About the update-maintainer run: I did not execute this script because the previous release targeting Focal already did that (version 3.4.10-1ubuntu1). After this explanation I'll consider the packaging work is fine and mark this MP as approved.

I'll apply the corrections you suggested to the SRU bug description.

review: Approve
Lucas Kanashiro (lucaskanashiro) wrote :

$ git push pkg upload/3.4.11-0ubuntu1
Enumerating objects: 37, done.
Counting objects: 100% (37/37), done.
Delta compression using up to 8 threads
Compressing objects: 100% (21/21), done.
Writing objects: 100% (22/22), 2.74 KiB | 701.00 KiB/s, done.
Total 22 (delta 18), reused 1 (delta 1)
remote: Checking connectivity: 22, done.
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/postfix
 * [new tag] upload/3.4.11-0ubuntu1 -> upload/3.4.11-0ubuntu1

$ dput ubuntu ../postfix_3.4.11-0ubuntu1_source.changes
Checking signature on .changes
gpg: ../postfix_3.4.11-0ubuntu1_source.changes: Valid signature from F823A2729883C97C
Checking signature on .dsc
gpg: ../postfix_3.4.11-0ubuntu1.dsc: Valid signature from F823A2729883C97C
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading postfix_3.4.11-0ubuntu1.dsc: done.
  Uploading postfix_3.4.11.orig.tar.gz: done.
  Uploading postfix_3.4.11.orig.tar.gz.asc: done.
  Uploading postfix_3.4.11-0ubuntu1.debian.tar.xz: done.
  Uploading postfix_3.4.11-0ubuntu1_source.changes: done.
Successfully uploaded packages.

Unmerged commits

b4a96e9... by Lucas Kanashiro

Update changelog

f4dd413... by Lucas Kanashiro

Drop patch 80_glibc2.30-ftbfs.diff

This patch is not needed anymore and it does not cleanly apply to this
new upstream release.

0d8f45d... by Lucas Kanashiro

New upstream release: 3.4.11

Workaround for broken DANE support after an incompatible change in
GLIBC 2.31 (LP: #1868955)

741cc12... by Lucas Kanashiro

Update maintainer

8068d02... by Lucas Kanashiro

Update changelog

c7f13c1... by Lucas Kanashiro

d/configure-instance.sh: fix typo in tls_CApath copying (LP: #1872288)

Cherry-picked from Debian:
https://salsa.debian.org/postfix-team/postfix-dev/-/commit/b8e0b846e34eeaaa2315ead2304824b21b01fe7a

bccb5bd... by Scott Kitterman

Import patches-unapplied version 3.4.10-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 4b98c422dde24cb6b8188cae702049a7cd6aec3d

New changelog entries:
  [Scott Kitterman]
  * Update postfix.postinst text to refer to systemctl vice service
  [Wietse Venema]
  * 3.4.10

4b98c42... by Scott Kitterman

Import patches-unapplied version 3.4.9-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 465789c376eec1adbf704f0ded235313870629c3

New changelog entries:
  [Scott Kitterman]
  * Correct Debian's smtp (8) man page name in d/p/debian-man-name.diff for
    lmtp. Closes: #920356
  * Fix d/init.d running change so it works with multi-instance again
    - Thanks to <email address hidden> for the fix. Closes: #944922
  * Bump standards-version to 4.5.0 without further change
  * Switch from debian/compat to debhelper-compat and bump compat to 12
      - Update debian/rules to use dh_installsystemd instead of
        dh_systemd_enable and dh_systemd_start
      - Update debian/rules for new example install path
  [Wietse Venema]
  * 3.4.9

465789c... by Scott Kitterman

Import patches-unapplied version 3.4.8-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 73174881ac414438b04971c0c3daeaa744971efe

New changelog entries:
  [Scott Kitterman]
  * Stop generating obsolete Upstream substvar
  * Bump standards-version to 4.4.1 without further change
  * Use -l instead of LD_LIBRARY_PATH for dh_shlibdeps
  * Check GPG signature when downloading new versions via uscan
  [Wietse Venema]
  * 3.4.8

7317488... by Scott Kitterman

Import patches-unapplied version 3.4.7-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 83fd26b6906c2f40b2ad485dcaa59924f43e0a10

New changelog entries:
  [Andreas Hasenack]
  * Update autopkgtest to use python3. Closes: #943212 LP: #1845334
  [Scott Kitterman]
  * Update smtp_tls_CApath to /etc/ssl/certs so it actually works.
    Closes: #923083
  * Refactor running status detection in sysv init based on upstream
    postfix-script so it works in docker. Closes: #941293

Preview Diff

1diff --git a/HISTORY b/HISTORY
2index 1ebf42a..73db7c3 100644
3--- a/HISTORY
4+++ b/HISTORY
5@@ -24346,3 +24346,12 @@ Apologies for any names omitted.
6 multi-Milter configuration during MAIL FROM. Milter client
7 state was not properly reset after one of the Milters failed.
8 Reported by WeiYu Wu.
9+
10+20200416
11+
12+ Workaround for broken builds after an incompatible change
13+ in GCC 10. Files: makedefs, Makefile.in.
14+
15+ Workaround for broken DANE support after an incompatible
16+ change in GLIBC 2.31. This avoids the need for new options
17+ in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c.
18diff --git a/Makefile.in b/Makefile.in
19index fa12b04..aaab94d 100644
20--- a/Makefile.in
21+++ b/Makefile.in
22@@ -1,5 +1,5 @@
23 SHELL = /bin/sh
24-WARN = -Wmissing-prototypes -Wformat -Wno-comment
25+WARN = -Wmissing-prototypes -Wformat -Wno-comment -fcommon
26 OPTS = 'WARN=$(WARN)'
27 DIRS = src/util src/global src/dns src/tls src/xsasl src/master src/milter \
28 src/postfix src/fsstone src/smtpstone \
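Review bot: -fcommon on the WARN line is a code-generation option rather than a warning option, and it gets the build through GCC 10 by permitting duplicate tentative definitions instead of removing them. Since it now travels in a variable named for warnings, a later cleanup of warning flags could drop it without anyone noticing why it was there. Suggest a short comment beside WARN pointing at the 20200416 HISTORY entry.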
29diff --git a/debian/changelog b/debian/changelog
30index 86e71a2..fb7f5ad 100644
31--- a/debian/changelog
32+++ b/debian/changelog
33@@ -1,3 +1,13 @@
34+postfix (3.4.11-0ubuntu1) focal; urgency=medium
35+
36+ * New upstream release: 3.4.11
37+ - Workaround for broken DANE support after an incompatible change in
38+ GLIBC 2.31 (LP: #1868955)
39+ * Drop patch 80_glibc2.30-ftbfs.diff. This patch is not needed anymore and
40+ it does not cleanly apply to this new upstream release.
41+
42+ -- Lucas Kanashiro <kanashiro@ubuntu.com> Mon, 08 Jun 2020 18:43:19 -0300
43+
44 postfix (3.4.10-1ubuntu1) focal; urgency=medium
45
46 * d/configure-instance.sh: fix typo in tls_CApath copying (LP: #1872288)
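Review bot: the new 3.4.11-0ubuntu1 entry lists only the DANE workaround under the upstream release, while the HISTORY hunk for the same release also records a build workaround for GCC 10 (the -fcommon change in makedefs and Makefile.in). For an SRU the entry should name every upstream change the upload carries, so add a line for the GCC 10 workaround next to the GLIBC 2.31 one.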
47diff --git a/debian/patches/80_glibc2.30-ftbfs.diff b/debian/patches/80_glibc2.30-ftbfs.diff
48deleted file mode 100644
49index c36baf0..0000000
50--- a/debian/patches/80_glibc2.30-ftbfs.diff
51+++ /dev/null
52@@ -1,51 +0,0 @@
53-Description: fix build with glibc 2.30
54- glibc 2.30 release notes at
55- https://savannah.gnu.org/forum/forum.php?forum_id=9515 states:
56- """
57- Support for the "inet6" option in /etc/resolv.conf and the RES_USE_INET6
58- resolver flag (deprecated in glibc 2.25) have been removed.
59- ...
60- The obsolete RES_INSECURE1 and RES_INSECURE2 option flags for the DNS stub
61- resolver have been removed from <resolv.h>.
62- """
63- And RES_AAONLY and RES_PRIMARY are already flagged as deprecated and are
64- being guarded with the same fix.
65-Origin: upstream, https://github.com/vdukhovni/postfix/commit/3274c3cea9d739f86e84b65664aabb692e37e83f#diff-777bfb681a1cd539ddc8e1e606959ffa
66-Bug: http://postfix.1071664.n5.nabble.com/build-failure-with-glibc-2-30-td102511.html
67-Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1842923
68-Last-Update: 2019-09-05
69----
70-This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
71-diff --git a/postfix/src/dns/dns_str_resflags.c b/postfix/src/dns/dns_str_resflags.c
72-index 5f2cce5e..472394c3 100644
73---- a/src/dns/dns_str_resflags.c
74-+++ b/src/dns/dns_str_resflags.c
75-@@ -52,18 +52,28 @@
76- static const LONG_NAME_MASK resflag_table[] = {
77- "RES_INIT", RES_INIT,
78- "RES_DEBUG", RES_DEBUG,
79-+#ifdef RES_AAONLY
80- "RES_AAONLY", RES_AAONLY,
81-+#endif
82- "RES_USEVC", RES_USEVC,
83-+#ifdef RES_PRIMARY
84- "RES_PRIMARY", RES_PRIMARY,
85-+#endif
86- "RES_IGNTC", RES_IGNTC,
87- "RES_RECURSE", RES_RECURSE,
88- "RES_DEFNAMES", RES_DEFNAMES,
89- "RES_STAYOPEN", RES_STAYOPEN,
90- "RES_DNSRCH", RES_DNSRCH,
91-+#ifdef RES_INSECURE1
92- "RES_INSECURE1", RES_INSECURE1,
93-+#endif
94-+#ifdef RES_INSECURE2
95- "RES_INSECURE2", RES_INSECURE2,
96-+#endif
97- "RES_NOALIASES", RES_NOALIASES,
98-+#ifdef RES_USE_INET6
99- "RES_USE_INET6", RES_USE_INET6,
100-+#endif
101- #ifdef RES_ROTATE
102- "RES_ROTATE", RES_ROTATE,
103- #endif
104diff --git a/debian/patches/series b/debian/patches/series
105index 4976a63..fe67e62 100644
106--- a/debian/patches/series
107+++ b/debian/patches/series
108@@ -14,6 +14,5 @@
109 41_rmail.diff
110 50_LANG.diff
111 70_postfix-check.diff
112-80_glibc2.30-ftbfs.diff
113 tls_version.diff
114 debian-man-name.diff
115diff --git a/makedefs b/makedefs
116index 93731c2..aea15d6 100644
117--- a/makedefs
118+++ b/makedefs
119@@ -1136,7 +1136,7 @@ esac
120 : ${CC=gcc} ${OPT='-O'} ${DEBUG='-g'} ${AWK=awk} \
121 ${WARN='-Wall -Wno-comment -Wformat -Wimplicit -Wmissing-prototypes \
122 -Wparentheses -Wstrict-prototypes -Wswitch -Wuninitialized \
123- -Wunused -Wno-missing-braces'}
124+ -Wunused -Wno-missing-braces -fcommon'}
125
126 # Extract map type names from -DHAS_XXX compiler options. We avoid
127 # problems with tr(1) range syntax by using enumerations instead,
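Review bot: -fcommon is appended inside the ${WARN='...'} default, which takes effect only when WARN is not already set, so any build that supplies its own WARN loses the flag and is back to the GCC 10 failure this release works around. If the packaging passes WARN to makedefs, the flag needs to be added there as well; otherwise a comment stating that -fcommon is required for GCC 10 would help whoever overrides WARN later.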
128diff --git a/src/dns/dns.h b/src/dns/dns.h
129index f758e44..b8c4c4a 100644
130--- a/src/dns/dns.h
131+++ b/src/dns/dns.h
132@@ -59,6 +59,7 @@
133 */
134 #ifdef NO_DNSSEC
135 #undef RES_USE_DNSSEC
136+#undef RES_TRUSTAD
137 #endif
138
139 /*
140@@ -70,6 +71,9 @@
141 #ifndef RES_USE_EDNS0
142 #define RES_USE_EDNS0 0
143 #endif
144+#ifndef RES_TRUSTAD
145+#define RES_TRUSTAD 0
146+#endif
147
148 /*-
149 * TLSA: https://tools.ietf.org/html/rfc6698#section-7.1
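Review bot: the "#ifndef RES_TRUSTAD / #define RES_TRUSTAD 0" fallback decides at compile time from the headers, so a binary built against headers that lack the flag ORs in 0 and keeps the broken DANE behaviour when it later runs on GLIBC 2.31. That is fine for a Focal build against Focal's own glibc, but it is worth a comment above the fallback saying the flag comes from GLIBC 2.31 and that the package must be built against the glibc it will run on.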
150diff --git a/src/dns/dns_lookup.c b/src/dns/dns_lookup.c
151index 1bfeb7e..2ae6483 100644
152--- a/src/dns/dns_lookup.c
153+++ b/src/dns/dns_lookup.c
154@@ -116,6 +116,9 @@
155 /* Request DNSSEC validation. This flag is silently ignored
156 /* when the system stub resolver API, resolver(3), does not
157 /* implement DNSSEC.
158+/* Automatically turns on the RES_TRUSTAD flag on systems that
159+/* support this flag (this behavior will be more configurable
160+/* in a later release).
161 /* .RE
162 /* .IP lflags
163 /* Flags that control the operation of the dns_lookup*()
164@@ -453,10 +456,10 @@ static int dns_query(const char *name, int type, unsigned flags,
165 /*
166 * Set extra options that aren't exposed to the application.
167 */
168-#define XTRA_FLAGS (RES_USE_EDNS0)
169+#define XTRA_FLAGS (RES_USE_EDNS0 | RES_TRUSTAD)
170
171 if (flags & RES_USE_DNSSEC)
172- flags |= RES_USE_EDNS0;
173+ flags |= (RES_USE_EDNS0 | RES_TRUSTAD);
174
175 /*
176 * Save and restore resolver options that we overwrite, to avoid
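Review bot: the line "flags |= (RES_USE_EDNS0 | RES_TRUSTAD);" turns on RES_TRUSTAD for every lookup that requests RES_USE_DNSSEC, with no setting to turn it off, and the HISTORY entry says this replaces an option the administrator would otherwise add to /etc/resolv.conf. The DANE decision then rests on the AD bit reported by whichever resolver the host is configured to use, so the SRU description or release notes should state that this resolver must be a validating one reached over a trusted path. The doc comment's promise that this "will be more configurable in a later release" would be easier to follow up with a bug reference attached.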
177diff --git a/src/dns/dns_str_resflags.c b/src/dns/dns_str_resflags.c
178index 5f2cce5..df32345 100644
179--- a/src/dns/dns_str_resflags.c
180+++ b/src/dns/dns_str_resflags.c
181@@ -60,10 +60,16 @@ static const LONG_NAME_MASK resflag_table[] = {
182 "RES_DEFNAMES", RES_DEFNAMES,
183 "RES_STAYOPEN", RES_STAYOPEN,
184 "RES_DNSRCH", RES_DNSRCH,
185+#ifdef RES_INSECURE1
186 "RES_INSECURE1", RES_INSECURE1,
187+#endif
188+#ifdef RES_INSECURE2
189 "RES_INSECURE2", RES_INSECURE2,
190+#endif
191 "RES_NOALIASES", RES_NOALIASES,
192+#ifdef RES_USE_INET6
193 "RES_USE_INET6", RES_USE_INET6,
194+#endif
195 #ifdef RES_ROTATE
196 "RES_ROTATE", RES_ROTATE,
197 #endif
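Review bot: the guards added here cover RES_INSECURE1, RES_INSECURE2 and RES_USE_INET6, but the dropped debian/patches/80_glibc2.30-ftbfs.diff also wrapped RES_AAONLY and RES_PRIMARY, and this hunk starts at line 60, below those two table entries, so they remain unguarded. The dropped patch's header describes both as already flagged deprecated, which means a later glibc that removes them would break the build again. Suggest either forwarding the two remaining #ifdef guards upstream or stating in debian/changelog that they were dropped on purpose.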
198diff --git a/src/global/mail_version.h b/src/global/mail_version.h
199index 41647d3..1893837 100644
200--- a/src/global/mail_version.h
201+++ b/src/global/mail_version.h
202@@ -20,8 +20,8 @@
203 * Patches change both the patchlevel and the release date. Snapshots have no
204 * patchlevel; they change the release date only.
205 */
206-#define MAIL_RELEASE_DATE "20200312"
207-#define MAIL_VERSION_NUMBER "3.4.10"
208+#define MAIL_RELEASE_DATE "20200418"
209+#define MAIL_VERSION_NUMBER "3.4.11"
210
211 #ifdef SNAPSHOT
212 #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
