Ubuntu
squid3 package

Merge ~racb/ubuntu/+source/squid3:merge into ~usd-import-team/ubuntu/+source/squid3:debian/sid

Git
lp:~racb/ubuntu/+source/squid3
merge
Merge into debian/sid

Proposed by Robie Basak on 2017-02-06

Status:	Merged
Merge reported by:	Robie Basak
Merged at revision:	not available
Proposed branch:	~racb/ubuntu/+source/squid3:merge
Merge into:	~usd-import-team/ubuntu/+source/squid3:debian/sid
Diff against target:	2828 lines (+2552/-30) 19 files modified debian/NEWS.debian (+11/-0) debian/changelog (+678/-1) debian/control (+6/-6) debian/patches/90-cf.data.ubuntu.patch (+12/-0) debian/patches/99-ubuntu-ssl-cert-snakeoil.patch (+22/-0) debian/patches/series (+2/-0) debian/rules (+6/-1) debian/squid.install (+3/-0) debian/squid.preinst (+15/-0) debian/squid.rc (+0/-2) debian/squid3.postinst (+0/-11) debian/squid3.preinst (+0/-8) debian/tests/control (+4/-0) debian/tests/squid (+11/-0) debian/tests/test-squid.py (+221/-0) debian/tests/testlib.py (+1133/-0) debian/tests/testlib_httpd.py (+352/-0) debian/tests/upstream-test-suite (+1/-1) debian/usr.sbin.squid (+75/-0)
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
ChristianEhrhardt		Approve on 2017-02-10
Ubuntu Server Dev import team	2017-02-06	Pending
Review via email: mp+316496@code.launchpad.net

ChristianEhrhardt (paelzer) wrote on 2017-02-09:

Hi Robie,
I reviewed your changes today - just review of commits/branches/tags no build/test was part of it.
First of all thanks for cleaning up so much old Delta!
Other than the few nit picks I'll mention below I already agree.

There are a few things which made me wonder, but turned out to be ok later on when going through the merge and changelogs - never the less listing them just in case my thought would make you reconsider anything:

OK - bbe7f75 "disabled by default AppArmor profile" "init-system-helpers (>> 1.22ubuntu5) to ensure" ...
  - Only trusty would be below that - do we plan for backports here?
  - Otherwise this might be simplified
  OK -> I found 162c407859e9fc78d83b6a9c00e782f45aaabd26 which does that so you effectively did what I wanted to ask

OK - did not find "5a9b76095e325b5018fd865d3ad6a1f5dfb20954" in the changelog
OK -> I found it dropped as "/var/spool/squid3 upgrade path handling"

3.5.12-1 to 3.5.23-1 checking Diff and impacts:
OK - nothing found we would have to adapt for to other than dropping delta

####

Now the remaining bits where I couldn't find the answer myself in changelog / commits:
Lines starting with an "?" should be clarified IMHO.

- There is a new ubuntu 9 with CVEs in Yakkety
  ok - I checked, both patches are in the new upstream
  ok - I wondered if we would need to "drop" that in the changelog, but found a generic "Drop security fixes: all included in 3.5.23 upstream."
  ? - But we might want/need the 3.5.12-1ubuntu9 in the merged version history right?

- Why are you "Robie BAsak @ horsea" in some commits (upper case A and @horsea)
? - Do you want/need to rewrite that?

- 5a9b760 "Include upgrade migration handling" does this no more change the cache format (dropped from news)
  ok -> ok, dropped anyway so old text is valid now
  ok -> well later comes "Note historical migration in d/NEWS.debian" 96d065d
    ? -> with that the text is in place again - I wonder if that is a mistake (to no more mention the format incompatibility)
    ? -> the changelog of this only says "Correct attribution in d/NEWS.debian." but you also change content, need to adapt?

Robie Basak (racb) wrote on 2017-02-09:

Thank you for the review!

On Thu, Feb 09, 2017 at 01:05:04PM -0000, ChristianEhrhardt wrote:
> - There is a new ubuntu 9 with CVEs in Yakkety
> ok - I checked, both patches are in the new upstream
> ok - I wondered if we would need to "drop" that in the changelog, but found a generic "Drop security fixes: all included in 3.5.23 upstream."
> ? - But we might want/need the 3.5.12-1ubuntu9 in the merged version history right?

It's in Zesty, uploaded last week, and I missed this, basing my merge
against 3.5.12-1ubuntu8 since I'd done the work earlier. Thank you for
spotting it!

In terms of process, I suppose there's always a race here. My old/ubuntu
tag is behind (pointing at import/3.5.12-1ubuntu8) so I think my linter
(work in progress) is capable of spotting this/reducing the race.

I will redo my git-merge-changelogs commit to incorporate
3.5.12-1ubuntu9.

> - Why are you "Robie BAsak @ horsea" in some commits (upper case A and @horsea)
> ? - Do you want/need to rewrite that?

Well spotted :)

The commits data back from before we were saving the logical commits, so
I didn't care about the attribution back then and never set git's
user.email on temporary hosts I used to do the work. I rewrote the
attribution for my merge branch going forward, but I didn't do the
logical tag since that would mutate the commit hashes that I had in my
notes. But now that I'm done, I guess I can rewrite this too before
pushing.

> - 5a9b760 "Include upgrade migration handling" does this no more change the cache format (dropped from news)
> ok -> ok, dropped anyway so old text is valid now
> ok -> well later comes "Note historical migration in d/NEWS.debian" 96d065d
> ? -> with that the text is in place again - I wonder if that is a mistake (to no more mention the format incompatibility)
> ? -> the changelog of this only says "Correct attribution in d/NEWS.debian." but you also change content, need to adapt?

I've come across Ubuntu-specific entries in debian/NEWS before, so I put
this change that I'm carrying forward in the same category. Since we
merge debian/changelog without a specific note in debian/changelog, I
have also been merging debian/NEWS without a specific note in
debian/changelog. In squid3 I've been treating debian/NEWS.debian the
same way. So I only noted the change to debian/NEWS.debian, not the
merge of the previous Ubuntu delta in debian/NEWS.debian. Does that make
sense, or have I misunderstood your point?

ChristianEhrhardt (paelzer) wrote on 2017-02-09:

> > ok -> well later comes "Note historical migration in d/NEWS.debian"
> 96d065d
> > ? -> with that the text is in place again - I wonder if that is a
> mistake (to no more mention the format incompatibility)
> > ? -> the changelog of this only says "Correct attribution in
> d/NEWS.debian." but you also change content, need to adapt?
>
> I've come across Ubuntu-specific entries in debian/NEWS before, so I put
> this change that I'm carrying forward in the same category. Since we
> merge debian/changelog without a specific note in debian/changelog, I
> have also been merging debian/NEWS without a specific note in
> debian/changelog. In squid3 I've been treating debian/NEWS.debian the
> same way. So I only noted the change to debian/NEWS.debian, not the
> merge of the previous Ubuntu delta in debian/NEWS.debian. Does that make
> sense, or have I misunderstood your point?

I'm fine for the (not)mentioning in the changelog now.

I still wonder though if this change in NEWS dropped important information.
The following part is effectively gone:
- Please note that cache store format changed from squid 2.x and cannot be reused with squid 3.x

I wonder - since we try to move it automatically - is it:
- actually not incompatible (then all is fine here)?
- do we move stuff that might break as it is actually incompatible?
- should we leave the note that it is incompatible intact in NEWS (even when adding Steves section)?

I understand the comment was squid2 -> squid3 and we now move squid3 -> squid.
But it is confusing at least to me - I'd love to have that in a new NEWS section instead of modifying the old one.

~racb/ubuntu/+source/squid3:merge updated on 2017-02-09

0525413... by Robie Basak on 2017-02-09: git-merge-changelogs

Robie Basak (racb) wrote on 2017-02-09:

I've reworked the merge against 3.5.12-1ubuntu9. old/ubuntu now points to import/3.5.12-1ubuntu9. I've created a new logical/3.5.12-1ubuntu9, with all commits rewritten with corrected attribution. I've rewritten the git-merge-changelogs commit which now includes 3.5.12-1ubuntu9. I updated debian/NEWS.debian to make it clearer as to what is going on there, with correct attribution, and updated the note in debian/changelog.

Robie Basak (racb) wrote on 2017-02-09:

My old merge was merge.v8 (1bc7eb7). This is merge.v9 (43e5b2d). For convenience, here is the diff between the two: http://paste.ubuntu.com/23961353/

ChristianEhrhardt (paelzer) wrote on 2017-02-10:

Thanks for fixing up my minor findings!

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Robie Basak

Ubuntu Server Dev import team

Ubuntu
squid3 package

Merge ~racb/ubuntu/+source/squid3:merge into ~usd-import-team/ubuntu/+source/squid3:debian/sid

Commit Message

Description of the Change

Preview Diff

Subscribers

 diff --git a/debian/NEWS.debian b/debian/NEWS.debian
 index 3987e99..7a738d5 100644
 --- a/debian/NEWS.debian
 +++ b/debian/NEWS.debian
@@ -26,6 +26,17 @@ squid3 (3.5.6-1) unstable; urgency=medium
    that cache store format changed from squid 2.x and cannot be reused with
    squid 3.x
++  [ Robie Basak ]
++  In Ubuntu, data in /var/spool/squid3 *was* moved automatically on upgrade to
++  Xenial (3.5.12-1ubuntu7). Upgrades from before Xenial to after Xenial are not
++  supported; you must upgrade through Xenial. Details of the historic migration
++  path are in Steve's note below.
++
++  [ Steve Langasek ]
++  An attempt will be made to move the data in /var/spool/squid3 automatically.
++  If this is a mountpoint, the move will fail and you will need to migrate
++  your mount configuration by hand.
++
   -- Luigi Gangitano <luigi@debian.org> Wed, 22 Jul 2015 15:48:13 +0200
  squid3 (3.0.STABLE15-1) unstable; urgency=low
 diff --git a/debian/changelog b/debian/changelog
 index 7a90b8d..776ec61 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,52 @@
++squid3 (3.5.23-1ubuntu1) zesty; urgency=medium
++
++  * Merge from Debian (LP: #1644538). Remaining changes:
++    - Add additional dep8 tests.
++    - Use snakeoil certificates.
++    - Add an example refresh pattern for debs.
++    - Add disabled by default AppArmor profile.
++    - Revert "Set pidfile for systemd's sysv-generator" from Debian.
++    - Drop wrong short-circuiting of various invocations; we always want to
++      call the debhelper block.
++    - Add missing Pre-Depends on adduser.
++    - Enable autoreconf. This is no longer required for the security updates,
++      but is needed for the seddery of test-suite/Makefile.am in
++      d/t/upstream-test-suite.
++  * Drop changes (adopted in Debian):
++    - Run sarg-reports if present before rotating logs.
++    - Add lsb-release build dep.
++  * Drop changes that no longer make a functional difference in Ubuntu, but may
++    still be relevant to send to Debian:
++    - d/squid3.postinst: don't try to stop squid3 again.
++    - d/squid3.postrm: don't rm -f conffiles in purge.
++    - Drop squid3 dependencies on ${shlib:Depends} and lsb-base.
++    - Drop creation of /etc/squid.
++  * Drop unnecessary changes:
++    - Add executable bits to d/squid.preinst.
++  * Drop changes relating to the upgrade path from prior to Xenial, so no
++    longer required:
++    - /var/spool/squid3 upgrade path handling.
++    - Conffile upgrade path handling.
++    - Remove redundant version-guarded restart code from squid postinst.
++    - Clean up apparmor links for usr.sbin.squid3 on upgrade.
++    - Attempt to migrate /var/log/squid3 -> /var/log/squid on upgrade.
++    - Add Breaks on older ufw to fix upgrade path.
++    - Use Breaks instead of Conflicts. Instead, drop the Conflicts/Replaces
++      entirely (see below).
++  * Drop security fixes: all included in 3.5.23 upstream.
++  * Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration
++    happened in Xenial, so no upgrade path still requires this code. This
++    reduces upgrade ordering difficulty.
++  * Fix failing autopkgtests:
++    - Adjust Python module dependencies.
++    - Correctly handle the squid3 -> squid rename.
++    - Adjust seddery for upstream test squid binary location.
++  * Drop dependency on init-system-helpers. This was introduced in LP 1432683.
++    Since we no longer ship an upstart job, it is no longer required.
++  * Correct attribution and add explanatory note in d/NEWS.debian.
++
++ -- Robie Basak <robie.basak@ubuntu.com>  Tue, 24 Jan 2017 15:47:44 +0000
++
  squid3 (3.5.23-1) unstable; urgency=high
    [ Amos Jeffries <amosjeffries@squid-cache.org> ]
@@ -119,6 +168,186 @@ squid3 (3.5.14-1) unstable; urgency=medium
   -- Luigi Gangitano <luigi@debian.org>  Tue, 16 Feb 2016 23:14:00 +0100
++squid3 (3.5.12-1ubuntu9) zesty; urgency=medium
++
++  * SECURITY UPDATE: cookie data leak via If-Not-Modified HTTP conditional
++    - debian/patches/CVE-2016-10002.patch: properly handle combination of
++      If-Match and a Cache Hit in src/LogTags.h, src/client_side.cc,
++      src/client_side_reply.cc, src/client_side_reply.h.
++    - CVE-2016-10002
++  * SECURITY UPDATE: incorrect HTTP Request header comparison
++    - debian/patches/CVE-2016-10003.patch: don't share private responses
++      with collapsed client in src/client_side_reply.cc.
++    - CVE-2016-10003
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 03 Feb 2017 13:07:31 -0500
++
++squid3 (3.5.12-1ubuntu8) yakkety; urgency=medium
++
++  * SECURITY UPDATE: denial of service via pinger and ICMPv6 packet
++    - debian/patches/CVE-2016-3947.patch: fix sizes in src/icmp/Icmp6.cc.
++    - CVE-2016-3947
++  * SECURITY UPDATE: denial of service and possible code execution via
++    seeding manager reporter with crafted data
++    - debian/patches/CVE-2016-4051.patch: use dynamic MemBuf for internal
++      content generation in tools/cachemgr.cc, src/tests/stub_cbdata.cc,
++      src/tests/stub_mem.cc, tools/Makefile.am.
++    - CVE-2016-4051
++  * SECURITY UPDATE: denial of service or arbitrary code execution via
++    crafted ESI responses
++    - debian/patches/CVE-2016-4052.patch: perform bounds checking and
++      remove asserts in src/esi/Esi.cc.
++    - CVE-2016-4052
++    - CVE-2016-4053
++    - CVE-2016-4054
++  * SECURITY UPDATE: cache-poisoning attacks via an HTTP request with an
++    absolute-URI
++    - debian/patches/CVE-2016-4553.patch: properly handle condition in
++      src/client_side.cc
++    - CVE-2016-4553
++  * SECURITY UPDATE: same-origin bypass and cache-poisoning attack via
++    crafted HTTP host header
++    - debian/patches/CVE-2016-4554.patch: properly handle whitespace in
++      src/mime_header.cc.
++    - CVE-2016-4554
++  * SECURITY UPDATE: denial of service via ESI responses
++    - debian/patches/CVE-2016-4555.patch: fix segfaults in
++      src/client_side_request.cc, src/esi/Context.h, src/esi/Esi.cc.
++    - CVE-2016-4555
++    - CVE-2016-4556
++  * debian/rules: include autoreconf.mk.
++  * debian/control: add dh-autoreconf to BuildDepends.
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 08 Jun 2016 08:05:32 -0400
++
++squid3 (3.5.12-1ubuntu7.1) xenial; urgency=medium
++
++  * Add Breaks on older ufw to fix upgrade path (LP: #1571174).
++
++ -- Robie Basak <robie.basak@ubuntu.com>  Thu, 12 May 2016 11:03:06 +0000
++
++squid3 (3.5.12-1ubuntu7) xenial; urgency=medium
++
++  * Update apparmor profile to be correct for maas-proxy.
++
++ -- LaMont Jones <lamont@ubuntu.com>  Tue, 12 Apr 2016 13:05:00 -0600
++
++squid3 (3.5.12-1ubuntu6) xenial; urgency=medium
++
++  * Attempt to migrate /var/log/squid3 -> /var/log/squid on upgrade.
++  * Update apparmor profile for s/squid3/squid/ and /dev/shm access.
++
++ -- Adam Conrad <adconrad@ubuntu.com>  Sun, 03 Apr 2016 21:34:50 -0600
++
++squid3 (3.5.12-1ubuntu5) xenial; urgency=medium
++
++  * Use versioned Breaks/Replaces instead of an unversioned Conflicts, to
++    further clean up the upgrade ordering.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 01 Apr 2016 21:05:38 +0000
++
++squid3 (3.5.12-1ubuntu4) xenial; urgency=medium
++
++  * Remove redundant version-guarded restart code from squid postinst, which
++    doesn't do the right thing on Ubuntu upgrades.
++  * Remove duplicated conffile handling from the squid3 dummy package with
++    extreme prejudice.  The conffile moving absolutely *must* be done
++    exclusively in the squid package; trying to do it in the squid3 package
++    causes pristine conffiles to be silently overwritten with any
++    locally-modified version from the squid3 package, with hilarious effect.
++  * Adjust squid.{pre,post}inst to trick dpkg-maintscript-helper into
++    believing we had a previously installed version of this package even if
++    we did not, which appears to be a requirement for mv_conffile to DTRT.
++    This is certainly a dpkg bug that needs to be filed.
++  * Move all Ubuntu-specific dpkg-maintscript-helper delta into
++    debian/squid.maintscript for clarity/sanity.  Among other things,
++    this uncovers a bug where we're trying to call both mv_conffile and
++    rm_conffile for /etc/init.d/squid3.
++  * debian/squid3.{pre,post}inst: drop wrong short-circuiting of various
++    invocations; we always want to call the debhelper block.
++  * debian/squid3.postinst: don't try to stop squid3 again, this is
++    redundant.
++  * debian/squid3.postrm: don't rm -f conffiles in purge when dpkg already
++    handles these.
++  * Add missing pre-depends on adduser
++  * Anchor the Conflicts/Replaces to the version of the package that
++    introduced the name change in Ubuntu, to avoid upgrade ordering problems
++    later.
++  * Include upgrade migration handling for /var/spool/squid3 ->
++    /var/spool/squid.  This won't work if /var/spool/squid3 is a mount point,
++    so fail gracefully, but leaving two full squid cache directories around
++    after upgrade is a nuisance.
++  * Remove empty /etc/squid3 dir on upgrade.
++  * Clean up apparmor links for usr.sbin.squid3 on upgrade.  We don't migrate
++    these apparmor settings over, so at least don't leave stale links behind.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 31 Mar 2016 19:01:47 -0700
++
++squid3 (3.5.12-1ubuntu3) xenial; urgency=medium
++
++  * Revert last postinst change as it's buggy.
++  * Remove /etc/init.d/squid3 from preinst on upgrade.
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Tue, 29 Mar 2016 22:46:16 -0400
++
++squid3 (3.5.12-1ubuntu2) xenial; urgency=medium
++
++  * debian/squid.postinst: Fix dist-upgrade of squid by detecting service
++    name (/etc/init.d/squid vs. squid3).
++
++ -- Ryan Harper <ryan.harper@canonical.com>  Mon, 28 Mar 2016 11:20:35 -0500
++
++squid3 (3.5.12-1ubuntu1) xenial; urgency=medium
++
++  * Merge from Debian (LP: #1473691). Remaining changes:
++    - Add dep8 tests.
++    - Use snakeoil certificates.
++    - Run sarg-reports if present before rotating logs
++    - debian/patches/90-cf.data.ubuntu.dpatch: add an example refresh
++      pattern for debs.
++    - Add disabled by default AppArmor profile. Versioned dependency on
++      init-system-helpers (>> 1.22ubuntu5) to ensure we have the
++      apparmor-profile-load script at boot time.
++  * Drop changes:
++    - No longer needed:
++      + Upstart job.
++      + Dependency package for squid -> squid3: depcrecated; the transitional package now runs the other way.
++      + Fix perl & pod2man config.tests.
++      + fix-logical-not-parentheses-warning.patch.
++      + fix-pod2name-pipe-failure.patch.
++      + --disable-strict-error-checking to fix FTBFS.
++    - NEWS.Debian: no longer relevant.
++    - Hardening options: deprecated.
++    - Add patch to show distribution: fixed in Debian (but see
++      lsb-release B-D).
++    - Enable parallel build: makes no difference to build time.
++    - Force -O2 to work around build failure with -O3: presumed no
++      longer needed.
++    - Fixed upstream:
++      + CVE-2014-3609.patch: confirmed fixed since 3.4.7 from upstream
++        advisory.
++      + Fix various ICMP handling issues in Squid pinger: confirmed
++        fixed since 3.4.7 from upstream advisory.
++      + fix-caching-vary-header.patch.
++      + netfilter_fix.patch.
++  * Drop Testsuite: header from dep8 tests: no longer required since
++    dpkg-source >= 1.17.11 does it.
++  * Revert "Set pidfile for systemd's sysv-generator" from Debian.
++    systemd races the squid daemon for pidfile creation, causing systemd
++    to consider the service start to have failed. Work around for now by
++    not telling systemd to use the pidfile.
++  * Add lsb-release build dep. This is required for the
++    --enable-build-info line in debian/rules to work correctly.
++  * Correctly rename conffiles migrated by Debian from squid3 to squid.
++  * Remove conffile for old upstart job Ubuntu delta.
++  * Rename Apparmor profile conffile.
++  * Drop old transitional Apparmor code no longer required.
++  * Adjust AppArmor profile for squid3->squid rename.
++  * Drop versioned AppArmor dependency (transitional; no longer
++    required).
++
++ -- Robie Basak <robie.basak@ubuntu.com>  Thu, 25 Feb 2016 11:42:03 +0000
++
  squid3 (3.5.12-1) unstable; urgency=medium
    [ Amos Jeffries <amosjeffries@squid-cache.org> ]
@@ -371,6 +600,180 @@ squid3 (3.3.8-1.1) unstable; urgency=low
   -- gregor herrmann <gregoa@debian.org>  Sat, 23 Nov 2013 21:05:10 +0100
++squid3 (3.3.8-1ubuntu17) xenial; urgency=medium
++
++  * --disable-strict-error-checking to fix FTBFS due to auto_ptr defined
++    in unique pointer headers. (LP: #1521234).
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 30 Nov 2015 15:32:14 +0000
++
++squid3 (3.3.8-1ubuntu16) wily; urgency=medium
++
++  [ Tiago Stürmer Daitx ]
++  * d/patches/fix-logical-not-parentheses-warning.patch: Fix warning for
++    logical-not-parentheses which caused squid to FTBFS. (LP: #1496924)
++  * d/patches/netfilter_fix.patch: Backported from Squid Bug #4323.
++    (LP: #1496223)
++  * d/patches/fix-pod2name-pipe-failure.patch: Add --name parameter to
++    pod2man (LP: #1501566)
++  * roll back build-dependency to libecap2-dev, this version of squid3 is not
++    compatible with libecap3 and libecap3 transition has been rolled back for
++    wily.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 09 Oct 2015 00:29:47 +0000
++
++squid3 (3.3.8-1ubuntu15) wily; urgency=medium
++
++  * Build-depend on libecap3-dev instead of libecap2-dev.
++
++ -- Matthias Klose <doko@ubuntu.com>  Wed, 02 Sep 2015 12:16:29 +0200
++
++squid3 (3.3.8-1ubuntu14) vivid; urgency=medium
++
++  * Add versioned dependency on init-system-helpers (>> 1.22ubuntu5) to ensure
++    we have the apparmor-profile-load script at boot time. (LP: #1432683)
++
++ -- Serge Hallyn <serge.hallyn@ubuntu.com>  Thu, 02 Apr 2015 11:12:27 -0500
++
++squid3 (3.3.8-1ubuntu13) vivid; urgency=medium
++
++  * d/squid3.prerm: Removed redundant upstart-only code. Equivalent
++    operations are carried out by debhelper-generated code in a more
++    generic manner. (LP: #1424508)
++
++ -- Oleg Strikov <oleg.strikov@canonical.com>  Thu, 05 Mar 2015 14:24:33 +0300
++
++squid3 (3.3.8-1ubuntu12) vivid; urgency=medium
++
++  * debian/tests/testlib_httpd.py: Use "service" command instead of upstart
++    specific ones, and simplify the logic.
++  * debian/tests/testlib.py, check_exe(): Check /proc/pid/exe symlink instead
++    of parsing cmdline; the latter has "(squid-1)" with the init.d script, and
++    it's not really what we are interested in.
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Fri, 06 Mar 2015 12:10:59 +0100
++
++squid3 (3.3.8-1ubuntu11) vivid; urgency=medium
++
++  * d/patches/fix-caching-vary-header.patch: Added upstream patch
++    for the bug which prevented squid from caching responses with
++    Vary header. (LP: #1336742)
++
++ -- Oleg Strikov <oleg.strikov@canonical.com>  Wed, 04 Mar 2015 15:08:54 +0300
++
++squid3 (3.3.8-1ubuntu10) vivid; urgency=medium
++
++  [Jacek Nykis]
++  * d/usr.sbin.squid3: Apparmor profile has been changed to allow child
++    processes to run execvp(argv[0], [kidname, ...]). (LP: #1416039)
++
++ -- Oleg Strikov <oleg.strikov@canonical.com>  Tue, 03 Mar 2015 18:18:20 +0300
++
++squid3 (3.3.8-1ubuntu9) vivid; urgency=medium
++
++  * Fix various ICMP handling issues in Squid pinger. (LP: #1384943)
++
++ -- Jorge Niedbalski <jorge.niedbalski@canonical.com>  Tue, 18 Nov 2014 14:47:33 -0300
++
++squid3 (3.3.8-1ubuntu8) utopic; urgency=medium
++
++  * SECURITY UPDATE: Ignore Range headers with unidentifiable byte-range
++    values
++    - debian/patches/CVE-2014-3609.patch: adjust src/HttpHdrRange.cc to
++      return an error if unable to determine the byte value for ranges
++    - CVE-2014-3609
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Tue, 26 Aug 2014 13:51:07 -0500
++
++squid3 (3.3.8-1ubuntu7) utopic; urgency=medium
++
++  * Put back the init.d script, for compatibility with insserv. (LP: #1323274)
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Mon, 26 May 2014 23:27:57 +0200
++
++squid3 (3.3.8-1ubuntu6) trusty; urgency=medium
++
++  * debian/rules: Force -O2 to work around build failure with -O3.
++
++ -- Adam Conrad <adconrad@ubuntu.com>  Mon, 17 Feb 2014 20:13:30 -0700
++
++squid3 (3.3.8-1ubuntu5) trusty; urgency=low
++
++  [ Yolanda Robla ]
++  * debian/control: added lsb-release dependency
++  * debian/patches/fix-distribution.patch: added patch to show distribution
++
++  [ Dimitri John Ledkov ]
++  * Enable parallel build
++
++ -- Yolanda Robla <yolanda.robla@canonical.com>  Wed, 11 Dec 2013 10:51:45 +0000
++
++squid3 (3.3.8-1ubuntu4) trusty; urgency=low
++
++  * Fix perl & pod2man config.tests.
++
++ -- Dmitrijs Ledkovs <xnox@ubuntu.com>  Mon, 04 Nov 2013 02:17:30 +0000
++
++squid3 (3.3.8-1ubuntu3) saucy; urgency=low
++
++  * d/tests/squid: Disable seccomp sandboxing in vsftpd until it works
++    reliably (http://pad.lv/1219857), restart vsftpd using service
++    command.
++
++ -- James Page <james.page@ubuntu.com>  Mon, 02 Sep 2013 15:50:41 +0100
++
++squid3 (3.3.8-1ubuntu2) saucy; urgency=low
++
++  * d/usr.sbin.squid3: Update apparmor profile to allow pinger process to
++    create and use ICMP ports for ipv4/ipv6.
++
++ -- James Page <james.page@ubuntu.com>  Mon, 02 Sep 2013 11:06:54 +0100
++
++squid3 (3.3.8-1ubuntu1) saucy; urgency=low
++
++  * Merge from Debian unstable, remaining changes:
++    + debian/control:
++      - Update maintainer.
++      - Suggests apparmor (>= 2.3)
++      - Depends on ssl-cert ((>= 1.0-11ubuntu1), autopkgtests
++    + debian/squid3.upstart
++      - Move ulimit command to script section so that it applies
++        to the started squid daemon. Thanks to Timur Irmatov (LP: 986159)
++      - Work around squid not handling SIGHUP by adding respawn to
++        upstart job. (LP: 978356)
++    + debian/NEWS.Debian: Rename NEWS.debian, add note regarding squid3
++      transition in 12.04 (LP: 924739)
++    + debian/rules
++      - Re-enable all hardening options lost in the squid->squid3
++        transition (LP: 986314)
++    + squid3.resolvconf, debian/squid3.postinst, debian/squid3.postrm,
++      debian/squid3.preinst, debian/squid3.prerm:
++      - Convert init script to upstart
++    + debian/patches/99-ubuntu-ssl-cert-snakeoil:
++      - Use snakeoil certificates.
++    + debian/logrotate
++      - Use sar-reports rather than sarg-maint. (LP: 26616)
++    + debian/patches/90-cf.data.ubuntu.dpatch:
++      - Add an example refresh pattern for debs.
++        (foundations-lucid-local-report spec)
++    + Add disabled by default AppArmor profile (LP: 497790)
++      - debian/squid3.upstart: load profile in pre-start stanza
++      - add debian/usr.sbin.squid3 profile
++      - debian/rules:
++        + install debian/usr.sbin.squid3, etc/apparmor.d/force-complain and
++          etc/apparmor.d/disable into $(INSTALLDIR)
++        + use dh_apparmor
++      - debian/squid3.install: install etc/apparmor.d/disable, force-complain
++        and usr.sbin.squid3
++      - debian/squid3.preinst: disable profile on clean install or upgrades
++        from earlier than when we shipped the profile
++    + debian/tests:
++      - Add autopkgtests.
++  * d/control: Add dependency package for squid -> squid3 (LP: #1211942).
++  * d/control: Add dh-apparmor to BD's.
++
++ -- James Page <james.page@ubuntu.com>  Wed, 14 Aug 2013 09:03:55 +0100
++
  squid3 (3.3.8-1) unstable; urgency=high
    * Urgency high due to security fixes
@@ -391,6 +794,65 @@ squid3 (3.3.8-1) unstable; urgency=high
   -- Luigi Gangitano <luigi@debian.org>  Sun, 21 Jul 2013 18:28:36 +0200
++squid3 (3.3.4-1ubuntu1) saucy; urgency=low
++
++  * Merge from Debian unstable (LP: #1199883).  Remaining changes:
++    + debian/control:
++      - Update maintainer.
++      - Suggests apparmor (>= 2.3)
++      - Depends on ssl-cert ((>= 1.0-11ubuntu1), autopkgtests
++    + debian/squid3.upstart
++      - Move ulimit command to script section so that it applies
++        to the started squid daemon. Thanks to Timur Irmatov (LP: 986159)
++      - Work around squid not handling SIGHUP by adding respawn to
++        upstart job. (LP: 978356)
++    + debian/NEWS.Debian: Rename NEWS.debian, add note regarding squid3
++      transition in 12.04 (LP: 924739)
++    + debian/rules
++      - Re-enable all hardening options lost in the squid->squid3
++        transition (LP: 986314)
++    + squid3.resolvconf, debian/squid3.postinst, debian/squid3.postrm,
++      debian/squid3.preinst, debian/squid3.prerm:
++      - Convert init script to upstart
++    + debian/patches/99-ubuntu-ssl-cert-snakeoil:
++      - Use snakeoil certificates.
++    + debian/logrotate
++      - Use sar-reports rather than sarg-maint. (LP: 26616)
++    + debian/patches/90-cf.data.ubuntu.dpatch:
++      - Add an example refresh pattern for debs.
++        (foundations-lucid-local-report spec)
++    + Add disabled by default AppArmor profile (LP: 497790)
++      - debian/squid3.upstart: load profile in pre-start stanza
++      - add debian/usr.sbin.squid3 profile
++      - debian/rules:
++        + install debian/usr.sbin.squid3, etc/apparmor.d/force-complain and
++          etc/apparmor.d/disable into $(INSTALLDIR)
++        + use dh_apparmor
++      - debian/squid3.install: install etc/apparmor.d/disable, force-complain
++        and usr.sbin.squid3
++      - debian/squid3.preinst: disable profile on clean install or upgrades
++        from earlier than when we shipped the profile
++    + debian/tests:
++      - Add autopkgtests.
++
++  * Dropped:
++    - debian/patches: dropped patches, superseded by new release:
++      + 98-CVE-2012-5643.patch
++      + 99-lp1117517_r12473.patch
++    - debian/rules: fix FTBFS, removed --with-cppunit-basedir flag,
++      included in Debian.
++    - debian/control: Dropped transitional packages from squid, no
++      longer required.
++
++  * Refreshed patches:
++    - 01-cf.data.debian.patch
++    - 02-makefile-defaults.patch
++    - 15-cachemgr-default-config.patch
++
++  * debian/tests/test-squid.py: fixed case problem with ftp test
++
++ -- Yolanda Robla <yolanda.robla@canonical.com>  Wed, 10 Jul 2013 17:12:42 +0200
++
  squid3 (3.3.4-1) unstable; urgency=low
    * New upstream release
@@ -494,6 +956,92 @@ squid3 (3.1.20-2) unstable; urgency=low
   -- Luigi Gangitano <luigi@debian.org>  Thu, 06 Dec 2012 20:02:56 +0100
++squid3 (3.1.20-1ubuntu7) saucy; urgency=low
++
++  * debian/tests: Run ftp tests against local vsftpd instead of ftp.ubuntu.com.
++
++ -- Yolanda Robla <yolanda.robla@canonical.com>  Mon, 17 Jun 2013 11:00:17 +0200
++
++squid3 (3.1.20-1ubuntu6) saucy; urgency=low
++
++  * debian/tests: Fix start/stop of squid3.
++
++ -- Yolanda Robla <yolanda.robla@canonical.com>  Mon, 10 Jun 2013 10:30:33 +0200
++
++squid3 (3.1.20-1ubuntu5) saucy; urgency=low
++
++  * debian/rules: fix FTBFS, removed --with-cppunit-basedir flag
++
++ -- Yolanda Robla <yolanda.robla@canonical.com>  Mon, 27 May 2013 14:50:11 +0200
++
++squid3 (3.1.20-1ubuntu4) saucy; urgency=low
++
++  * debian/tests: Add autopkgtest.
++
++ -- Yolanda <yolanda.robla@canonical.com>  Mon, 27 May 2013 11:24:35 +0200
++
++squid3 (3.1.20-1ubuntu3) raring-proposed; urgency=low
++
++  * fix FTBFS with newer glibc (LP: #1117517)
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Wed, 06 Feb 2013 11:37:29 -0600
++
++squid3 (3.1.20-1ubuntu2) raring-proposed; urgency=low
++
++  [ Seth Arnold ]
++  * SECURITY UPDATE: denial of service via cachemgr.cgi insufficient input
++    validation
++    - debian/patches/98-CVE-2012-5643.patch: modify cachemgr.cc to properly
++      free memory and handle input in chunks
++    - Based on
++      http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID-2012_1.patch
++    - CVE-2012-5643
++    - CVE-2013-0189
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Wed, 06 Feb 2013 09:56:53 -0600
++
++squid3 (3.1.20-1ubuntu1) quantal; urgency=low
++
++  * Merge from Debian testing (LP: #1016560).  Remaining changes:
++    + debian/control:
++      - Update maintainer.
++      - Suggests apparmor (>= 2.3)
++      - Depends on ssl-cert ((>= 1.0-11ubuntu1)
++      - Add transitional dummy packages
++    + debian/squid3.upstart
++      - Move ulimit command to script section so that it applies
++        to the started squid daemon. Thanks to Timur Irmatov (LP: 986159)
++      - Work around squid not handling SIGHUP by adding respawn to
++        upstart job. (LP: 978356)
++    + debian/NEWS.Debian: Rename NEWS.debian, add note regarding squid3
++      transition in 12.04 (LP: 924739)
++    + debian/rules
++      - Re-enable all hardening options lost in the squid->squid3
++        transition (LP: 986314)
++    + squid3.resolvconf, debian/squid3.postinst, debian/squid3.postrm,
++      debian/squid3.preinst, debian/squid3.prerm:
++      - Convert init script to upstart
++    + debian/patches/99-ubuntu-ssl-cert-snakeoil:
++      - Use snakeoil certificates.
++    + debian/logrotate
++      - Use sar-reports rather than sarg-maint. (LP: 26616)
++    + debian/patches/90-cf.data.ubuntu.dpatch:
++      - Add an example refresh pattern for debs.
++        (foundations-lucid-local-report spec)
++    + Add disabled by default AppArmor profile (LP: 497790)
++      - debian/squid3.upstart: load profile in pre-start stanza
++      - add debian/usr.sbin.squid3 profile
++      - debian/rules:
++        + install debian/usr.sbin.squid3, etc/apparmor.d/force-complain and
++          etc/apparmor.d/disable into $(INSTALLDIR)
++        + use dh_apparmor
++      - debian/squid3.install: install etc/apparmor.d/disable, force-complain
++        and usr.sbin.squid3
++      - debian/squid3.preinst: disable profile on clean install or upgrades
++        from earlier than when we shipped the profile
++
++ -- Stefan Bader <stefan.bader@canonical.com>  Fri, 22 Jun 2012 14:18:00 +0200
++
  squid3 (3.1.20-1) unstable; urgency=low
    * New upstream release
@@ -510,6 +1058,66 @@ squid3 (3.1.20-1) unstable; urgency=low
   -- Luigi Gangitano <luigi@debian.org>  Mon, 18 Jun 2012 14:20:53 +0200
++squid3 (3.1.19-1ubuntu5) quantal; urgency=low
++
++  * d/squid3.upstart: Work around squid not handling SIGHUP by
++    adding respawn to upstart job. (LP: #978356)
++
++ -- Clint Byrum <clint@ubuntu.com>  Tue, 19 Jun 2012 15:35:19 -0700
++
++squid3 (3.1.19-1ubuntu4) quantal; urgency=low
++
++  * Add disabled by default AppArmor profile (LP: #497790)
++    - debian/squid3.upstart: load profile in pre-start stanza
++    - add debian/usr.sbin.squid3 profile
++    - debian/rules:
++      + install debian/usr.sbin.squid3, etc/apparmor.d/force-complain and
++        etc/apparmor.d/disable into $(INSTALLDIR)
++      + use dh_apparmor
++    - debian/control: suggests apparmor (>= 2.3)
++    - debian/squid3.install: install etc/apparmor.d/disable, force-complain
++      and usr.sbin.squid3
++    - debian/squid3.preinst: disable profile on clean install or upgrades
++      from earlier than when we shipped the profile
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Wed, 13 Jun 2012 11:32:14 -0500
++
++squid3 (3.1.19-1ubuntu3.1) quantal; urgency=low
++
++  * debian/rules: re-enable all hardening options lost in the
++    squid->squid3 transition (LP: #986314)
++  * debian/squid3.upstart: move ulimit command to script section
++    so that it applies to the started squid daemon. Thanks to Timur
++    Irmatov (LP: #986159)
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Wed, 13 Jun 2012 09:06:51 -0500
++
++squid3 (3.1.19-1ubuntu2) precise; urgency=low
++
++  * debian/NEWS.Debian: Rename NEWS.debian, add note regarding squid3
++    transition in 12.04 (LP: #924739)
++
++ -- Adam Gandelman <adamg@canonical.com>  Thu, 12 Apr 2012 13:46:10 -0700
++
++squid3 (3.1.19-1ubuntu1) precise; urgency=low
++
++  * Merge from Debian testing.  Remaining changes:
++    + debian/control:
++      - Update maintainer.
++    + debian/squid3.upstart, debian/rules, squid3.resolvconf,
++      debian/squid3.postinst, debian/squid3.postrm, debian/squid3.preinst,
++      debian/squid3.prerm: Convert init script to upstart
++    + debian/control, debian/patches/99-ubuntu-ssl-cert-snakeoil: Use
++     snakeoil certificates.
++    + debian/logrotate: Use sar-reports rather than sarg-maint. (LP: 26616)
++    + debian/patches/90-cf.data.ubuntu.dpatch: Add an example refresh pattern
++      for debs. (foundations-lucid-local-report spec)
++    + Add transitional dummy packages
++  * New upstream bugfix release fixes swap.state corruption, so squid will
++    now start after a reboot. (LP: #930252)
++
++ -- Christopher James Halse Rogers <raof@ubuntu.com>  Tue, 21 Feb 2012 18:51:26 +1100
++
  squid3 (3.1.19-1) unstable; urgency=low
    * New upstream release
@@ -521,6 +1129,24 @@ squid3 (3.1.19-1) unstable; urgency=low
   -- Luigi Gangitano <luigi@debian.org>  Tue, 07 Feb 2012 16:19:12 +0100
++squid3 (3.1.18-1ubuntu1) precise; urgency=low
++
++  [ Ubuntu Merge-o-Matic ]
++  * Merge from Debian testing.  Remaining changes:
++    + debian/control:
++      - Update maintainer.
++    + debian/squid3.upstart, debian/rules, squid3.resolvconf,
++      debian/squid3.postinst, debian/squid3.postrm, debian/squid3.preinst,
++      debian/squid3.prerm: Convert init script to upstart
++    + debian/control, debian/patches/99-ubuntu-ssl-cert-snakeoil: Use
++     snakeoil certificates.
++    + debian/logrotate: Use sar-reports rather than sarg-maint. (LP: #26616)
++    + debian/patches/90-cf.data.ubuntu.dpatch: Add an example refresh pattern
++      for debs. (foundations-lucid-local-report spec)
++    + Add transitional dummy packages
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 30 Jan 2012 10:24:33 -0500
++
  squid3 (3.1.18-1) unstable; urgency=low
    * New upstream release
@@ -530,6 +1156,23 @@ squid3 (3.1.18-1) unstable; urgency=low
   -- Luigi Gangitano <luigi@debian.org>  Mon, 26 Dec 2011 22:04:28 +0100
++squid3 (3.1.16-1ubuntu1) precise; urgency=low
++
++  * Merge from Debian testing.  Remaining changes:
++    + debian/control:
++      - Update maintainer.
++    + debian/squid3.upstart, debian/rules, squid3.resolvconf,
++      debian/squid3.postinst, debian/squid3.postrm, debian/squid3.preinst,
++      debian/squid3.prerm: Convert init script to upstart
++    + debian/control, debian/patches/99-ubuntu-ssl-cert-snakeoil: Use
++     snakeoil certificates.
++    + debian/logrotate: Use sar-reports rather than sarg-maint. (LP: #26616)
++    + debian/patches/90-cf.data.ubuntu.dpatch: Add an example refresh pattern
++      for debs. (foundations-lucid-local-report spec)
++    + Add transitional dummy packages
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 19 Dec 2011 21:35:43 +0000
++
  squid3 (3.1.16-1) unstable; urgency=low
    * New upstream release
@@ -542,6 +1185,40 @@ squid3 (3.1.16-1) unstable; urgency=low
   -- Luigi Gangitano <luigi@debian.org>  Thu,  3 Nov 2011 13:37:17 +0100
++squid3 (3.1.15-1ubuntu3) precise; urgency=low
++
++  * debian/squid3.upstart: Properly return 0 from maxfds() if $SQUID_MAXFD is
++    unset, else pre-start will fail as well. Also fix paths to config file.
++    (LP: #891445)
++  * debian/squid3.upstart: Modify to better reflect functionality of Debian's
++    squid3.rc
++  * debian/rules: Fix permissions on upstart job
++
++ -- Adam Gandelman <adamg@canonical.com>  Wed, 16 Nov 2011 18:26:25 -0800
++
++squid3 (3.1.15-1ubuntu2) precise; urgency=low
++
++  * Fix spelling of squid-common transitional package name.
++  * Remove meaningless self-conflicts.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Fri, 11 Nov 2011 10:33:44 +0000
++
++squid3 (3.1.15-1ubuntu1) precise; urgency=low
++
++  * debian/control:
++    + Update maintainer.
++  * debian/squid3.upstart, debian/rules, squid3.resolvconf,
++    debian/squid3.postinst, debian/squid3.postrm, debian/squid3.preinst,
++    debian/squid3.prerm: Convert init script to upstart
++  * debian/control, debian/patches/99-ubuntu-ssl-cert-snakeoil: Use
++    snakeoil certificates.
++  * debian/logrotate: Use sar-reports rather than sarg-maint. (LP: #26616)
++  * debian/patches/90-cf.data.ubuntu.dpatch: Add an example refresh pattern
++    for debs. (foundations-lucid-local-report spec)
++  * Add transitional dummy packages.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Thu, 10 Nov 2011 08:59:31 -0500
++
  squid3 (3.1.15-1) unstable; urgency=high
    * Urgency high due to security fixes
@@ -1287,7 +1964,6 @@ squid3 (3.0.PRE4-1) unstable; urgency=low
   -- Luigi Gangitano <luigi@debian.org>  Mon,  3 Jul 2006 16:47:43 +0200
--
  squid3 (3.0.PRE3.20060422-2) unstable; urgency=low
    * debian/control
@@ -1300,3 +1976,4 @@ squid3 (3.0.PRE3.20060422-1) unstable; urgency=low
    * First package attempt
   -- Luigi Gangitano <luigi@debian.org>  Sat, 22 Apr 2006 01:19:36 +0200
++
 diff --git a/debian/control b/debian/control
 index f6a5a6a..6a6181b 100644
 --- a/debian/control
 +++ b/debian/control
@@ -1,11 +1,12 @@
  Source: squid3
  Section: web
  Priority: optional
--Maintainer: Luigi Gangitano <luigi@debian.org>
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: Luigi Gangitano <luigi@debian.org>
  Homepage: http://www.squid-cache.org
  Standards-Version: 3.9.8
  Vcs-Git: git://anonscm.debian.org/pkg-squid/pkg-squid3.git/
--Build-Depends: libldap2-dev, libpam0g-dev, libdb-dev, cdbs, libsasl2-dev, debhelper (>=10), libcppunit-dev, libkrb5-dev, comerr-dev, libcap2-dev [linux-any], libecap3-dev (>= 1.0.1-2), libexpat1-dev, libxml2-dev, autotools-dev, libltdl-dev, dpkg-dev (>= 1.16.1~), pkg-config, libnetfilter-conntrack-dev [linux-any], nettle-dev, libgnutls28-dev, lsb-release
++Build-Depends: libldap2-dev, libpam0g-dev, libdb-dev, cdbs, libsasl2-dev, debhelper (>=10), libcppunit-dev, libkrb5-dev, comerr-dev, libcap2-dev [linux-any], libecap3-dev (>= 1.0.1-2), libexpat1-dev, libxml2-dev, autotools-dev, libltdl-dev, dpkg-dev (>= 1.16.1~), pkg-config, libnetfilter-conntrack-dev [linux-any], nettle-dev, libgnutls28-dev, lsb-release, dh-apparmor, dh-autoreconf
  XS-Testsuite: autopkgtest
  Package: squid3
@@ -22,11 +23,10 @@ Description: Transitional package
  Package: squid
  Architecture: any
--Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, adduser, logrotate (>= 3.5.4-1), squid-common (= ${source:Version}), lsb-base, libdbi-perl
--Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbindd
++Pre-Depends: adduser
++Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (= ${source:Version}), lsb-base, libdbi-perl, ssl-cert
++Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbindd, apparmor
  Recommends: libcap2-bin [linux-any]
--Conflicts: squid3 (<< ${binary:Version})
--Replaces: squid3
  Description: Full featured Web Proxy cache (HTTP proxy)
   Squid is a high-performance proxy caching server for web clients, supporting
   FTP, gopher, ICY and HTTP data objects.
 diff --git a/debian/patches/90-cf.data.ubuntu.patch b/debian/patches/90-cf.data.ubuntu.patch
 new file mode 100644
 index 0000000..86e412c
 --- /dev/null
 +++ b/debian/patches/90-cf.data.ubuntu.patch
@@ -0,0 +1,12 @@
++--- a/src/cf.data.pre
+++++ b/src/cf.data.pre
++@@ -4545,6 +4545,9 @@ NOCOMMENT_START
++ refresh_pattern ^ftp:		1440	20%	10080
++ refresh_pattern ^gopher:	1440	0%	1440
++ refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
+++refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
+++# example lin deb packages
+++#refresh_pattern (\.deb|\.udeb)$   129600 100% 129600
++ refresh_pattern .		0	20%	4320
++ NOCOMMENT_END
++ DOC_END
 diff --git a/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch
 new file mode 100644
 index 0000000..d9aa380
 --- /dev/null
 +++ b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch
@@ -0,0 +1,22 @@
++--- a/src/cf.data.pre
+++++ b/src/cf.data.pre
++@@ -2728,6 +2728,19 @@ DOC_START
++ 			If 'sslkey' is not specified 'sslcert' is assumed to
++ 			reference a combined file containing both the
++ 			certificate and the key.
+++
+++	Notes:
+++
+++	On Debian/Ubuntu systems a default snakeoil certificate is
+++    available in /etc/ssl and users can set:
+++
+++		cert=/etc/ssl/certs/ssl-cert-snakeoil.pem
+++
+++	and
+++
+++		key=/etc/ssl/private/ssl-cert-snakeoil.key
+++
+++	for testing.
++
++ 	sslversion=1|2|3|4|5|6
++ 			The SSL version to use when connecting to this peer
 diff --git a/debian/patches/series b/debian/patches/series
 index 1c214dd..0b77d79 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -1,2 +1,4 @@
 -Default-configuration-file-for-debian.patch
 -Change-default-file-locations-for-debian.patch
++90-cf.data.ubuntu.patch
++99-ubuntu-ssl-cert-snakeoil.patch
 diff --git a/debian/rules b/debian/rules
 index 7b2322c..943678b 100755
 --- a/debian/rules
 +++ b/debian/rules
@@ -7,7 +7,8 @@ include /usr/share/dpkg/buildflags.mk
  include /usr/share/cdbs/1/rules/debhelper.mk
  include /usr/share/cdbs/1/class/autotools.mk
--
++include /usr/share/cdbs/1/rules/autoreconf.mk
++
  INSTALLDIR := $(CURDIR)/debian/tmp
  datadir=/usr/share/squid
@@ -84,6 +85,10 @@ install/squid::
  	install -m 755 -g root -d $(INSTALLDIR)/usr/share/man/man1
  	mv $(INSTALLDIR)/usr/bin/purge $(INSTALLDIR)/usr/bin/squid-purge
  	install -m 644 -g root debian/squid-purge.8  $(INSTALLDIR)/usr/share/man/man8
++	install -m 755 -g root -d $(INSTALLDIR)/etc/apparmor.d/force-complain
++	install -m 755 -g root -d $(INSTALLDIR)/etc/apparmor.d/disable
++	install -m 644 -g root debian/usr.sbin.squid $(INSTALLDIR)/etc/apparmor.d
++	dh_apparmor --profile-name=usr.sbin.squid -psquid
  clean::
  	# nothing to do
 diff --git a/debian/squid.install b/debian/squid.install
 index 0f21217..003ee23 100644
 --- a/debian/squid.install
 +++ b/debian/squid.install
@@ -26,3 +26,6 @@ usr/share/man/man8/log_db_daemon.8
  usr/share/man/man8/negotiate_kerberos_auth.8
  usr/share/man/man8/storeid_file_rewrite.8
  usr/share/man/man8/squid.8
++etc/apparmor.d/disable
++etc/apparmor.d/force-complain
++etc/apparmor.d/usr.sbin.squid
 diff --git a/debian/squid.preinst b/debian/squid.preinst
 index 4271ad3..dbf175f 100644
 --- a/debian/squid.preinst
 +++ b/debian/squid.preinst
@@ -51,6 +51,21 @@ then
  	chsh -s /bin/sh proxy
  fi
++disable_profile() {
++    APP_CONFFILE="/etc/apparmor.d/usr.sbin.squid"
++    APP_DISABLE="/etc/apparmor.d/disable/usr.sbin.squid"
++    # Create a symlink to the yet-to-be-unpacked profile
++    if [ ! -e "$APP_CONFFILE" ]; then
++        mkdir -p `dirname $APP_DISABLE` 2>/dev/null || true
++        ln -sf $APP_CONFFILE $APP_DISABLE
++    fi
++}
++
++if [ "$1" = "install" ]; then
++    # Disable AppArmor profile on install
++    disable_profile
++fi
++
  # dh_installdeb will replace this with shell code automatically
  # generated by other debhelper scripts.
 diff --git a/debian/squid.rc b/debian/squid.rc
 index a27fd88..204b676 100644
 --- a/debian/squid.rc
 +++ b/debian/squid.rc
@@ -4,8 +4,6 @@
+ #
  # Version:	@(#)squid.rc  1.0  07-Jul-2006  luigi@debian.org
+ #
--# pidfile: /var/run/squid.pid
--#
  ### BEGIN INIT INFO
  # Provides:          squid
  # Required-Start:    $network $remote_fs $syslog
 diff --git a/debian/squid3.postinst b/debian/squid3.postinst
 index bd075d4..bb862d5 100644
 --- a/debian/squid3.postinst
 +++ b/debian/squid3.postinst
@@ -29,17 +29,6 @@ if test -d /etc/squid3 && dpkg --compare-versions "$2" lt '3.5'; then
  	fi
  fi
--case "$1" in
--	abort-upgrade|abort-remove|abort-deconfigure)
--		;;
--	*)
--		#
--		#	Unknown action - do nothing.
--		#
--		exit 0
--		;;
--esac
--
  # dh_installdeb will replace this with shell code automatically
  # generated by other debhelper scripts.
 diff --git a/debian/squid3.preinst b/debian/squid3.preinst
 index 848f286..8ab65e1 100644
 --- a/debian/squid3.preinst
 +++ b/debian/squid3.preinst
@@ -26,14 +26,6 @@ if test -d /etc/squid3 ; then
  		/etc/squid3/errorpage.css /etc/squid/errorpage.css 3.5.4-1~ squid3 -- "$@"
  fi
--case "$1" in
--	upgrade|install-upgrade)
--		;;
--	abort-upgrade)
--		exit 0
--		;;
--esac
--
  # dh_installdeb will replace this with shell code automatically
  # generated by other debhelper scripts.
 diff --git a/debian/tests/control b/debian/tests/control
 index 0b1e313..4e5b715 100644
 --- a/debian/tests/control
 +++ b/debian/tests/control
@@ -1,3 +1,7 @@
  Tests: upstream-test-suite
  Depends: @builddeps@, fakeroot, squid
  Restrictions: allow-stderr
++
++Tests: squid
++Depends: squid, squidclient, elinks, netcat, pygopherd, apparmor-utils, vsftpd
++Restrictions: needs-root
 diff --git a/debian/tests/squid b/debian/tests/squid
 new file mode 100755
 index 0000000..f17feef
 --- /dev/null
 +++ b/debian/tests/squid
@@ -0,0 +1,11 @@
++#!/bin/bash
++#--------------
++# Testing squid
++#--------------
++set -e
++
++# configure vsftpd
++sed -i "s/anonymous_enable[[:blank:]]*=[[:blank:]]*.*/anonymous_enable=YES/g" /etc/vsftpd.conf
++echo "seccomp_sandbox=NO" >> /etc/vsftpd.conf
++service vsftpd restart 2>&1 > /dev/null
++python `dirname $0`/test-squid.py 2>&1
 diff --git a/debian/tests/test-squid.py b/debian/tests/test-squid.py
 new file mode 100644
 index 0000000..943dd9a
 --- /dev/null
 +++ b/debian/tests/test-squid.py
@@ -0,0 +1,221 @@
++#!/usr/bin/python
++#
++#    test-squid.py quality assurance test script
++#    Copyright (C) 2008-2013 Canonical Ltd.
++#    Author: Jamie Strandboge <jamie@canonical.com>
++#
++#    This program is free software: you can redistribute it and/or modify
++#    it under the terms of the GNU General Public License version 2,
++#    as published by the Free Software Foundation.
++#
++#    This program is distributed in the hope that it will be useful,
++#    but WITHOUT ANY WARRANTY; without even the implied warranty of
++#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++#    GNU General Public License for more details.
++#
++#    You should have received a copy of the GNU General Public License
++#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
++#
++
++'''
++  *** IMPORTANT ***
++  DO NOT RUN ON A PRODUCTION SERVER.
++  *** IMPORTANT ***
++
++  How to run:
++    $ sudo apt-get remove --purge squid
++    $ sudo apt-get -y install squid squidclient python-unit elinks netcat
++    $ sudo ./test-squid.py -v
++
++  NOTE:
++    The host running this script needs to have access to the internet
++
++  TODO:
++    acls
++    ident
++    purge (via squidclient)
++    ...
++    squidguard:
++      - test with:
++        $ echo "http://blocked.com 1.2.3.4/- - GET -" | squidGuard -c /etc/squid/squidGuard.conf -d
++        if using a 'redirect', then the redirect URL is displayed, otherwise
++        nothing
++      - test block with the following in default acl in squidGuard.conf:
++        pass     local none
++        redirect http://www.example.com/redirected.html
++      - test pass with the following in default acl in squidGuard.conf:
++        pass     local all
++        redirect http://www.example.com/redirected.html
++      - test domains and urls with something like the following acl:
++        dest bad {
++            domainlist      test/domains
++            urllist         test/urls
++        }
++        acl {
++            default {
++                pass !bad all
++                redirect http://www.example.com/redirected.html
++            }
++        }
++
++        then create /var/lib/squidguard/db/test/domains with:
++        blocked.com
++
++        Test with:
++        $ echo "http://ok.com 1.2.3.4/- - GET -" | squidGuard -c /etc/squid/squidGuard.conf -d
++        $ echo "http://blocked.com 1.2.3.4/- - GET -" | squidGuard -c /etc/squid/squidGuard.conf -d
++'''
++
++# QRT-Packages: squid squidclient python-unit elinks netcat pygopherd apparmor-utils
++# QRT-Depends: testlib_httpd.py private/qrt/squid.py
++
++import unittest, subprocess
++import os
++import sys
++import testlib
++import testlib_httpd
++import time
++import tempfile
++
++try:
++    from private.qrt.squid import PrivateSquidTest
++except ImportError:
++    class PrivateSquidTest(object):
++        '''Empty class'''
++    print >>sys.stdout, "Skipping private tests"
++
++class BasicTest(testlib_httpd.HttpdCommon, PrivateSquidTest):
++    '''Test basic functionality'''
++    def setUp(self):
++        '''Setup mechanisms'''
++
++        # for some reason, squid on maverick is missing the init.d
++        # upstart compatibility symlink
++        if self.lsb_release['Release'] == 10.10 and not os.path.exists("/etc/init.d/squid"):
++            os.symlink("/lib/init/upstart-job", "/etc/init.d/squid")
++
++        self._set_initscript("/etc/init.d/squid")
++        if self.lsb_release['Release'] >= 12.04:
++            self._set_initscript("squid")
++
++        testlib_httpd.HttpdCommon._setUp(self)
++
++        self.gophermap = "/var/gopher/gophermap"
++
++        self.aa_profile = "usr.sbin.squid"
++        self.aa_abs_profile = "/etc/apparmor.d/%s" % self.aa_profile
++        self.version_with_apparmor = 12.10
++        # This hack is only used until we have tests run both confined and
++        # unconfined
++        self.aa_unload_at_teardown = False
++
++    def tearDown(self):
++        '''Shutdown methods'''
++        testlib_httpd.HttpdCommon._tearDown(self)
++        testlib.config_restore(self.gophermap)
++
++    def test_daemons(self):
++        '''Test daemon'''
++        pidfile = "/run/squid.pid"
++        exe = "squid"
++
++        if self.lsb_release['Release'] < 12.04:
++            pidfile = "/var/run/squid.pid"
++            exe = "squid"
++
++        self.assertTrue(testlib.check_pidfile(exe, pidfile))
++
++    def test_http_proxy(self):
++        '''Test http'''
++        self._test_url_proxy("http://www.ubuntu.com/", "Canonical", "http://localhost:3128/")
++
++    def test_https_proxy(self):
++        '''Test https'''
++        self._test_url_proxy("https://wiki.ubuntu.com/", "Community", "http://localhost:3128/")
++
++    def test_ftp_proxy(self):
++        '''Test ftp'''
++        self._test_url_proxy("ftp://anonymous@localhost:21", "irectory", "http://localhost:3128/")
++
++    def test_squidclient(self):
++        '''Test squidclient'''
++        urls = ['http://www.ubuntu.com/', 'https://wiki.ubuntu.com/', \
++            'ftp://anonymous@localhost:21', 'gopher://127.0.0.1']
++
++        for url in urls:
++            rc, report = testlib.cmd(['squidclient', '-h', '127.0.0.1', '-p', '3128', '-r', url])
++            expected = 0
++            result = 'Got exit code %d, expected %d\n' % (rc, expected)
++            self.assertEquals(expected, rc, result + report)
++
++    def test_CVE_2011_3205(self):
++        '''Test parsing lines > 4096 in length (CVE-2011-3205)'''
++
++        longline = "ABCDEF" * 4096
++
++        testlib.config_replace(self.gophermap, """Welcome to Pygopherd!  You can place your documents
++in /var/gopher for future use.  You can remove the gophermap
++file there to get rid of this message, or you can edit it to
++use other things.  (You'll need to do at least one of these
++two things in order to get your own data to show up!)
++
++%s
++
++Some links to get you started:
++
++1Pygopherd Home /devel/gopher/pygopherd gopher.quux.org 70
++1Quux.Org Mega Server   /   gopher.quux.org 70
++1The Gopher Project /Software/Gopher    gopher.quux.org 70
++1Traditional UMN Home Gopher    /   gopher.tc.umn.edu   70
++
++Welcome to the world of Gopher and enjoy!
++""" %(longline), append=False)
++
++        rc, report = testlib.cmd(['squidclient', '-h', '127.0.0.1', '-p', '3128', '-r', "gopher://127.0.0.1"])
++        expected = 0
++        result = 'Got exit code %d, expected %d\n' % (rc, expected)
++        self.assertEquals(expected, rc, result + report)
++
++    # Run this last so if we enable the profile then we don't unload it
++    def test_zz_apparmor(self):
++        '''Test apparmor'''
++        if self.lsb_release['Release'] < 12.10:
++            self._skipped("No profile in 12.04 and under")
++
++        self.aa_unload_at_teardown = True
++
++        # Currently while we have a profile, it is shipped disabled by default.
++        # Verify that.
++        rc, report = testlib.check_apparmor(self.aa_abs_profile, 12.10, is_running=False)
++        expected = 1
++        result = 'Got exit code %d, expected %d\n' % (rc, expected)
++        self.assertEquals(rc, expected, result + report)
++
++        # Verify it is syntactically correct
++        rc, report = testlib.cmd(['apparmor_parser', '-p', self.aa_abs_profile])
++        expected = 0
++        result = 'Got exit code %d, expected %d\n' % (rc, expected)
++        self.assertEquals(rc, expected, result + report)
++
++        # Verify it loads ok
++        rc, report = testlib.cmd(['aa-enforce', self.aa_abs_profile])
++        expected = 0
++        result = 'Got exit code %d, expected %d\n' % (rc, expected)
++        self.assertEquals(rc, expected, result + report)
++
++        self._stop()
++        self._start()
++
++        rc, report = testlib.check_apparmor(self.aa_abs_profile, 12.10, is_running=True)
++        expected = 1
++        result = 'Got exit code %d, expected %d\n' % (rc, expected)
++        self.assertEquals(rc, expected, result + report)
++
++
++if __name__ == '__main__':
++    suite = unittest.TestSuite()
++    suite.addTest(unittest.TestLoader().loadTestsFromTestCase(BasicTest))
++
++    rc = unittest.TextTestRunner(verbosity=2).run(suite)
++    if not rc.wasSuccessful():
++        sys.exit(1)
 diff --git a/debian/tests/testlib.py b/debian/tests/testlib.py
 new file mode 100644
 index 0000000..4e51f3d
 --- /dev/null
 +++ b/debian/tests/testlib.py
@@ -0,0 +1,1133 @@
++#
++#    testlib.py quality assurance test script
++#    Copyright (C) 2008-2011 Canonical Ltd.
++#
++#    This library is free software; you can redistribute it and/or
++#    modify it under the terms of the GNU Library General Public
++#    License as published by the Free Software Foundation; either
++#    version 2 of the License.
++#
++#    This library is distributed in the hope that it will be useful,
++#    but WITHOUT ANY WARRANTY; without even the implied warranty of
++#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++#    Library General Public License for more details.
++#
++#    You should have received a copy of the GNU Library General Public
++#    License along with this program.  If not, see
++#    <http://www.gnu.org/licenses/>.
++#
++
++'''Common classes and functions for package tests.'''
++
++import string, random, crypt, subprocess, pwd, grp,  signal, time, unittest, tempfile, shutil, os, os.path, re, glob
++import sys, socket, gzip
++from stat import *
++from encodings import string_escape
++
++import warnings
++warnings.filterwarnings('ignore', message=r'.*apt_pkg\.TagFile.*', category=DeprecationWarning)
++try:
++    import apt_pkg
++    apt_pkg.InitSystem();
++except:
++    # On non-Debian system, fall back to simple comparison without debianisms
++    class apt_pkg(object):
++        def VersionCompare(one, two):
++            list_one = one.split('.')
++            list_two = two.split('.')
++            while len(list_one)>0 and len(list_two)>0:
++                if list_one[0] > list_two[0]:
++                    return 1
++                if list_one[0] < list_two[0]:
++                    return -1
++                list_one.pop(0)
++                list_two.pop(0)
++            return 0
++
++bogus_nxdomain = "208.69.32.132"
++
++# http://www.chiark.greenend.org.uk/ucgi/~cjwatson/blosxom/2009-07-02-python-sigpipe.html
++# This is needed so that the subprocesses that produce endless output
++# actually quit when the reader goes away.
++import signal
++def subprocess_setup():
++    # Python installs a SIGPIPE handler by default. This is usually not what
++    # non-Python subprocesses expect.
++    signal.signal(signal.SIGPIPE, signal.SIG_DFL)
++
++class TimedOutException(Exception):
++    def __init__(self, value = "Timed Out"):
++        self.value = value
++    def __str__(self):
++        return repr(self.value)
++
++def _restore_backup(path):
++    pathbackup = path + '.autotest'
++    if os.path.exists(pathbackup):
++        shutil.move(pathbackup, path)
++
++def _save_backup(path):
++    pathbackup = path + '.autotest'
++    if os.path.exists(path) and not os.path.exists(pathbackup):
++        shutil.copy2(path, pathbackup)
++        # copy2 does not copy ownership, so do it here.
++        # Reference: http://docs.python.org/library/shutil.html
++        a = os.stat(path)
++        os.chown(pathbackup, a[4], a[5])
++
++def config_copydir(path):
++    if os.path.exists(path) and not os.path.isdir(path):
++        raise OSError, "'%s' is not a directory" % (path)
++    _restore_backup(path)
++
++    pathbackup = path + '.autotest'
++    if os.path.exists(path):
++        shutil.copytree(path, pathbackup, symlinks=True)
++
++def config_replace(path,contents,append=False):
++    '''Replace (or append) to a config file'''
++    _restore_backup(path)
++    if os.path.exists(path):
++        _save_backup(path)
++        if append:
++            contents = file(path).read() + contents
++    open(path, 'w').write(contents)
++
++def config_comment(path, field):
++    _save_backup(path)
++    contents = ""
++    for line in file(path):
++        if re.search("^\s*%s\s*=" % (field), line):
++            line = "#" + line
++        contents += line
++
++    open(path+'.new', 'w').write(contents)
++    os.rename(path+'.new', path)
++
++def config_set(path, field, value, spaces=True):
++    _save_backup(path)
++    contents = ""
++    if spaces==True:
++        setting = '%s = %s\n' % (field, value)
++    else:
++        setting = '%s=%s\n' % (field, value)
++    found = False
++    for line in file(path):
++        if re.search("^\s*%s\s*=" % (field), line):
++            found = True
++            line = setting
++        contents += line
++    if not found:
++        contents += setting
++
++    open(path+'.new', 'w').write(contents)
++    os.rename(path+'.new', path)
++
++def config_patch(path, patch, depth=1):
++    '''Patch a config file'''
++    _restore_backup(path)
++    _save_backup(path)
++
++    handle, name = mkstemp_fill(patch)
++    rc = subprocess.call(['/usr/bin/patch', '-p%s' %(depth), path], stdin=handle, stdout=subprocess.PIPE)
++    os.unlink(name)
++    if rc != 0:
++        raise Exception("Patch failed")
++
++def config_restore(path):
++    '''Rename a replaced config file back to its initial state'''
++    _restore_backup(path)
++
++def timeout(secs, f, *args):
++    def handler(signum, frame):
++        raise TimedOutException()
++
++    old = signal.signal(signal.SIGALRM, handler)
++    result = None
++    signal.alarm(secs)
++    try:
++        result = f(*args)
++    finally:
++        signal.alarm(0)
++        signal.signal(signal.SIGALRM, old)
++
++    return result
++
++def require_nonroot():
++    if os.geteuid() == 0:
++        print >>sys.stderr, "This series of tests should be run as a regular user with sudo access, not as root."
++        sys.exit(1)
++
++def require_root():
++    if os.geteuid() != 0:
++        print >>sys.stderr, "This series of tests should be run with root privileges (e.g. via sudo)."
++        sys.exit(1)
++
++def require_sudo():
++    if os.geteuid() != 0 or os.environ.get('SUDO_USER', None) == None:
++        print >>sys.stderr, "This series of tests must be run under sudo."
++        sys.exit(1)
++    if os.environ['SUDO_USER'] == 'root':
++        print >>sys.stderr, 'Please run this test using sudo from a regular user. (You ran sudo from root.)'
++        sys.exit(1)
++
++def random_string(length,lower=False):
++    '''Return a random string, consisting of ASCII letters, with given
++    length.'''
++
++    s = ''
++    selection = string.letters
++    if lower:
++        selection = string.lowercase
++    maxind = len(selection)-1
++    for l in range(length):
++        s += selection[random.randint(0, maxind)]
++    return s
++
++def mkstemp_fill(contents,suffix='',prefix='testlib-',dir=None):
++    '''As tempfile.mkstemp does, return a (file, name) pair, but with
++    prefilled contents.'''
++
++    handle, name = tempfile.mkstemp(suffix=suffix,prefix=prefix,dir=dir)
++    os.close(handle)
++    handle = file(name,"w+")
++    handle.write(contents)
++    handle.flush()
++    handle.seek(0)
++
++    return handle, name
++
++def create_fill(path, contents, mode=0644):
++    '''Safely create a page'''
++    # make the temp file in the same dir as the destination file so we
++    # don't get invalid cross-device link errors when we rename
++    handle, name = mkstemp_fill(contents, dir=os.path.dirname(path))
++    handle.close()
++    os.rename(name, path)
++    os.chmod(path, mode)
++
++def login_exists(login):
++    '''Checks whether the given login exists on the system.'''
++
++    try:
++        pwd.getpwnam(login)
++        return True
++    except KeyError:
++        return False
++
++def group_exists(group):
++    '''Checks whether the given login exists on the system.'''
++
++    try:
++        grp.getgrnam(group)
++        return True
++    except KeyError:
++        return False
++
++def recursive_rm(dirPath, contents_only=False):
++    '''recursively remove directory'''
++    names = os.listdir(dirPath)
++    for name in names:
++        path = os.path.join(dirPath, name)
++        if os.path.islink(path) or not os.path.isdir(path):
++            os.unlink(path)
++        else:
++            recursive_rm(path)
++    if contents_only == False:
++        os.rmdir(dirPath)
++
++def check_pidfile(exe, pidfile):
++    '''Checks if pid in pidfile is running'''
++    if not os.path.exists(pidfile):
++        return False
++
++    # get the pid
++    try:
++        fd = open(pidfile, 'r')
++        pid = fd.readline().rstrip('\n')
++        fd.close()
++    except:
++        return False
++
++    return check_pid(exe, pid)
++
++def check_pid(exe, pid):
++    '''Checks if pid is running'''
++
++    exelink = "/proc/%s/exe" % (str(pid))
++    if not os.path.exists(exelink):
++        return False
++    pidexe = os.path.basename(os.readlink(exelink))
++    if pidexe == exe:
++        return True
++    sys.stderr.write('check_pid(%s): expected %s, got %s' % (pid, exe, pidexe))
++    return False
++
++def check_port(port, proto, ver=4):
++    '''Check if something is listening on the specified port.
++       WARNING: for some reason this does not work with a bind mounted /proc
++    '''
++    assert (port >= 1)
++    assert (port <= 65535)
++    assert (proto.lower() == "tcp" or proto.lower() == "udp")
++    assert (ver == 4 or ver == 6)
++
++    fn = "/proc/net/%s" % (proto)
++    if ver == 6:
++        fn += str(ver)
++
++    rc, report = cmd(['cat', fn])
++    assert (rc == 0)
++
++    hport = "%0.4x" % port
++
++    if re.search(': [0-9a-f]{8}:%s [0-9a-f]' % str(hport).lower(), report.lower()):
++        return True
++    return False
++
++def get_arch():
++    '''Get the current architecture'''
++    rc, report = cmd(['uname', '-m'])
++    assert (rc == 0)
++    return report.strip()
++
++def get_memory():
++    '''Gets total ram and swap'''
++    meminfo = "/proc/meminfo"
++    memtotal = 0
++    swaptotal = 0
++    if not os.path.exists(meminfo):
++        return (False, False)
++
++    try:
++        fd = open(meminfo, 'r')
++        for line in fd.readlines():
++            splitline = line.split()
++            if splitline[0] == 'MemTotal:':
++                memtotal = int(splitline[1])
++            elif splitline[0] == 'SwapTotal:':
++                swaptotal = int(splitline[1])
++        fd.close()
++    except:
++        return (False, False)
++
++    return (memtotal,swaptotal)
++
++def is_running_in_vm():
++    '''Check if running under a VM'''
++    # add other virtualization environments here
++    for search in ['QEMU Virtual CPU']:
++        rc, report = cmd_pipe(['dmesg'], ['grep', search])
++        if rc == 0:
++            return True
++    return False
++
++def ubuntu_release():
++    '''Get the Ubuntu release'''
++    f = "/etc/lsb-release"
++    try:
++        size = os.stat(f)[ST_SIZE]
++    except:
++        return "UNKNOWN"
++
++    if size > 1024*1024:
++        raise IOError, 'Could not open "%s" (too big)' % f
++
++    try:
++        fh = open("/etc/lsb-release", 'r')
++    except:
++        raise
++
++    lines = fh.readlines()
++    fh.close()
++
++    pat = re.compile(r'DISTRIB_CODENAME')
++    for line in lines:
++        if pat.search(line):
++            return line.split('=')[1].rstrip('\n').rstrip('\r')
++
++    return "UNKNOWN"
++
++def cmd(command, input = None, stderr = subprocess.STDOUT, stdout = subprocess.PIPE, stdin = None, timeout = None):
++    '''Try to execute given command (array) and return its stdout, or return
++    a textual error if it failed.'''
++
++    try:
++        sp = subprocess.Popen(command, stdin=stdin, stdout=stdout, stderr=stderr, close_fds=True, preexec_fn=subprocess_setup)
++    except OSError, e:
++        return [127, str(e)]
++
++    out, outerr = sp.communicate(input)
++    # Handle redirection of stdout
++    if out == None:
++        out = ''
++    # Handle redirection of stderr
++    if outerr == None:
++        outerr = ''
++    return [sp.returncode,out+outerr]
++
++def cmd_pipe(command1, command2, input = None, stderr = subprocess.STDOUT, stdin = None):
++    '''Try to pipe command1 into command2.'''
++    try:
++        sp1 = subprocess.Popen(command1, stdin=stdin, stdout=subprocess.PIPE, stderr=stderr, close_fds=True)
++        sp2 = subprocess.Popen(command2, stdin=sp1.stdout, stdout=subprocess.PIPE, stderr=stderr, close_fds=True)
++    except OSError, e:
++        return [127, str(e)]
++
++    out = sp2.communicate(input)[0]
++    return [sp2.returncode,out]
++
++def cwd_has_enough_space(cdir, total_bytes):
++    '''Determine if the partition of the current working directory has 'bytes'
++       free.'''
++    rc, df_output = cmd(['df'])
++    result = 'Got exit code %d, expected %d\n' % (rc, 0)
++    if rc != 0:
++        return False
++
++    kb = total_bytes / 1024
++
++    mounts = dict()
++    for line in df_output.splitlines():
++        if '/' not in line:
++            continue
++        tmp = line.split()
++        mounts[tmp[5]] = int(tmp[3])
++
++    cdir = os.getcwd()
++    while cdir != '/':
++        if not mounts.has_key(cdir):
++            cdir = os.path.dirname(cdir)
++            continue
++        if kb < mounts[cdir]:
++            return True
++        else:
++            return False
++
++    if kb < mounts['/']:
++        return True
++
++    return False
++
++def get_md5(filename):
++    '''Gets the md5sum of the file specified'''
++
++    (rc, report) = cmd(["/usr/bin/md5sum", "-b", filename])
++    expected = 0
++    assert (expected == rc)
++
++    return report.split(' ')[0]
++
++def dpkg_compare_installed_version(pkg, check, version):
++    '''Gets the version for the installed package, and compares it to the
++       specified version.
++    '''
++    (rc, report) = cmd(["/usr/bin/dpkg", "-s", pkg])
++    assert (rc == 0)
++    assert ("Status: install ok installed" in report)
++    installed_version = ""
++    for line in report.splitlines():
++        if line.startswith("Version: "):
++            installed_version = line.split()[1]
++
++    assert (installed_version != "")
++
++    (rc, report) = cmd(["/usr/bin/dpkg", "--compare-versions", installed_version, check, version])
++    assert (rc == 0 or rc == 1)
++    if rc == 0:
++        return True
++    return False
++
++def prepare_source(source, builder, cached_src, build_src, patch_system):
++    '''Download and unpack source package, installing necessary build depends,
++       adjusting the permissions for the 'builder' user, and returning the
++       directory of the unpacked source. Patch system can be one of:
++       - cdbs
++       - dpatch
++       - quilt
++       - quiltv3
++       - None (not the string)
++
++       This is normally used like this:
++
++       def setUp(self):
++           ...
++           self.topdir = os.getcwd()
++           self.cached_src = os.path.join(os.getcwd(), "source")
++           self.tmpdir = tempfile.mkdtemp(prefix='testlib', dir='/tmp')
++           self.builder = testlib.TestUser()
++           testlib.cmd(['chgrp', self.builder.login, self.tmpdir])
++           os.chmod(self.tmpdir, 0775)
++
++       def tearDown(self):
++           ...
++           self.builder = None
++           self.topdir = os.getcwd()
++           if os.path.exists(self.tmpdir):
++               testlib.recursive_rm(self.tmpdir)
++
++       def test_suite_build(self):
++           ...
++           build_dir = testlib.prepare_source('foo', \
++                                         self.builder, \
++                                         self.cached_src, \
++                                         os.path.join(self.tmpdir, \
++                                           os.path.basename(self.cached_src)),
++                                         "quilt")
++           os.chdir(build_dir)
++
++           # Example for typical build, adjust as necessary
++           print ""
++           print "  make clean"
++           rc, report = testlib.cmd(['sudo', '-u', self.builder.login, 'make', 'clean'])
++
++           print "  configure"
++           rc, report = testlib.cmd(['sudo', '-u', self.builder.login, './configure', '--prefix=%s' % self.tmpdir, '--enable-debug'])
++
++           print "  make (will take a while)"
++           rc, report = testlib.cmd(['sudo', '-u', self.builder.login, 'make'])
++
++           print "  make check (will take a while)",
++           rc, report = testlib.cmd(['sudo', '-u', self.builder.login, 'make', 'check'])
++           expected = 0
++           result = 'Got exit code %d, expected %d\n' % (rc, expected)
++           self.assertEquals(expected, rc, result + report)
++
++        def test_suite_cleanup(self):
++            ...
++            if os.path.exists(self.cached_src):
++                testlib.recursive_rm(self.cached_src)
++
++       It is up to the caller to clean up cached_src and build_src (as in the
++       above example, often the build_src is in a tmpdir that is cleaned in
++       tearDown() and the cached_src is cleaned in a one time clean-up
++       operation (eg 'test_suite_cleanup()) which must be run after the build
++       suite test (obviously).
++       '''
++
++    # Make sure we have a clean slate
++    assert (os.path.exists(os.path.dirname(build_src)))
++    assert (not os.path.exists(build_src))
++
++    cdir = os.getcwd()
++    if os.path.exists(cached_src):
++        shutil.copytree(cached_src, build_src)
++        os.chdir(build_src)
++    else:
++        # Only install the build dependencies on the initial setup
++        rc, report = cmd(['apt-get','-y','--force-yes','build-dep',source])
++        assert (rc == 0)
++
++        os.makedirs(build_src)
++        os.chdir(build_src)
++
++        # These are always needed
++        pkgs = ['build-essential', 'dpkg-dev', 'fakeroot']
++        rc, report = cmd(['apt-get','-y','--force-yes','install'] + pkgs)
++        assert (rc == 0)
++
++        rc, report = cmd(['apt-get','source',source])
++        assert (rc == 0)
++        shutil.copytree(build_src, cached_src)
++
++    unpacked_dir = os.path.join(build_src, glob.glob('%s-*' % source)[0])
++
++    # Now apply the patches. Do it here so that we don't mess up our cached
++    # sources.
++    os.chdir(unpacked_dir)
++    assert (patch_system in ['cdbs', 'dpatch', 'quilt', 'quiltv3', None])
++    if patch_system != None and patch_system != "quiltv3":
++        if patch_system == "quilt":
++            os.environ.setdefault('QUILT_PATCHES','debian/patches')
++            rc, report = cmd(['quilt', 'push', '-a'])
++            assert (rc == 0)
++        elif patch_system == "cdbs":
++            rc, report = cmd(['./debian/rules', 'apply-patches'])
++            assert (rc == 0)
++        elif patch_system == "dpatch":
++            rc, report = cmd(['dpatch', 'apply-all'])
++            assert (rc == 0)
++
++    cmd(['chown', '-R', '%s:%s' % (builder.uid, builder.gid), build_src])
++    os.chdir(cdir)
++
++    return unpacked_dir
++
++def _aa_status():
++    '''Get aa-status output'''
++    exe = "/usr/sbin/aa-status"
++    assert (os.path.exists(exe))
++    if os.geteuid() == 0:
++        return cmd([exe])
++    return cmd(['sudo', exe])
++
++def is_apparmor_loaded(path):
++    '''Check if profile is loaded'''
++    rc, report = _aa_status()
++    if rc != 0:
++        return False
++
++    for line in report.splitlines():
++        if line.endswith(path):
++            return True
++    return False
++
++def is_apparmor_confined(path):
++    '''Check if application is confined'''
++    rc, report = _aa_status()
++    if rc != 0:
++        return False
++
++    for line in report.splitlines():
++        if re.search('%s \(' % path, line):
++            return True
++    return False
++
++def check_apparmor(path, first_ubuntu_release, is_running=True):
++    '''Check if path is loaded and confined for everything higher than the
++       first Ubuntu release specified.
++
++       Usage:
++        rc, report = testlib.check_apparmor('/usr/sbin/foo', 8.04, is_running=True)
++        if rc < 0:
++            return self._skipped(report)
++
++        expected = 0
++        result = 'Got exit code %d, expected %d\n' % (rc, expected)
++        self.assertEquals(expected, rc, result + report)
++     '''
++    global manager
++    rc = -1
++
++    if manager.lsb_release["Release"] < first_ubuntu_release:
++        return (rc, "Skipped apparmor check")
++
++    if not os.path.exists('/sbin/apparmor_parser'):
++        return (rc, "Skipped (couldn't find apparmor_parser)")
++
++    rc = 0
++    msg = ""
++    if not is_apparmor_loaded(path):
++        rc = 1
++        msg = "Profile not loaded for '%s'" % path
++
++    # this check only makes sense it the 'path' is currently executing
++    if is_running and rc == 0 and not is_apparmor_confined(path):
++        rc = 1
++        msg = "'%s' is not running in enforce mode" % path
++
++    return (rc, msg)
++
++def get_gcc_version(gcc, full=True):
++    gcc_version = 'none'
++    if not gcc.startswith('/'):
++        gcc = '/usr/bin/%s' % (gcc)
++    if os.path.exists(gcc):
++        gcc_version = 'unknown'
++        lines = cmd([gcc,'-v'])[1].strip().splitlines()
++        version_lines = [x for x in lines if x.startswith('gcc version')]
++        if len(version_lines) == 1:
++            gcc_version = " ".join(version_lines[0].split()[2:])
++    if not full:
++        return gcc_version.split()[0]
++    return gcc_version
++
++def is_kdeinit_running():
++    '''Test if kdeinit is running'''
++    # applications that use kdeinit will spawn it if it isn't running in the
++    # test. This is a problem because it does not exit. This is a helper to
++    # check for it.
++    rc, report = cmd(['ps', 'x'])
++    if 'kdeinit4 Running' not in report:
++        print >>sys.stderr, ("kdeinit not running (you may start/stop any KDE application then run this script again)")
++        return False
++    return True
++
++def get_pkgconfig_flags(libs=[]):
++    '''Find pkg-config flags for libraries'''
++    assert (len(libs) > 0)
++    rc, pkg_config = cmd(['pkg-config', '--cflags', '--libs'] + libs)
++    expected = 0
++    if rc != expected:
++        print >>sys.stderr, 'Got exit code %d, expected %d\n' % (rc, expected)
++    assert(rc == expected)
++    return pkg_config.split()
++
++class TestDaemon:
++    '''Helper class to manage daemons consistently'''
++    def __init__(self, init):
++        '''Setup daemon attributes'''
++        self.initscript = init
++
++    def start(self):
++        '''Start daemon'''
++        rc, report = cmd([self.initscript, 'start'])
++        expected = 0
++        result = 'Got exit code %d, expected %d\n' % (rc, expected)
++        time.sleep(2)
++        if expected != rc:
++            return (False, result + report)
++
++        if "fail" in report:
++            return (False, "Found 'fail' in report\n" + report)
++
++        return (True, "")
++
++    def stop(self):
++        '''Stop daemon'''
++        rc, report = cmd([self.initscript, 'stop'])
++        expected = 0
++        result = 'Got exit code %d, expected %d\n' % (rc, expected)
++        if expected != rc:
++            return (False, result + report)
++
++        if "fail" in report:
++            return (False, "Found 'fail' in report\n" + report)
++
++        return (True, "")
++
++    def reload(self):
++        '''Reload daemon'''
++        rc, report = cmd([self.initscript, 'force-reload'])
++        expected = 0
++        result = 'Got exit code %d, expected %d\n' % (rc, expected)
++        if expected != rc:
++            return (False, result + report)
++
++        if "fail" in report:
++            return (False, "Found 'fail' in report\n" + report)
++
++        return (True, "")
++
++    def restart(self):
++        '''Restart daemon'''
++        (res, str) = self.stop()
++        if not res:
++            return (res, str)
++
++        (res, str) = self.start()
++        if not res:
++            return (res, str)
++
++        return (True, "")
++
++    def status(self):
++        '''Check daemon status'''
++        rc, report = cmd([self.initscript, 'status'])
++        expected = 0
++        result = 'Got exit code %d, expected %d\n' % (rc, expected)
++        if expected != rc:
++            return (False, result + report)
++
++        if "fail" in report:
++            return (False, "Found 'fail' in report\n" + report)
++
++        return (True, "")
++
++class TestlibManager(object):
++    '''Singleton class used to set up per-test-run information'''
++    def __init__(self):
++        # Set glibc aborts to dump to stderr instead of the tty so test output
++        # is more sane.
++        os.environ.setdefault('LIBC_FATAL_STDERR_','1')
++
++        # check verbosity
++        self.verbosity = False
++        if (len(sys.argv) > 1 and '-v' in sys.argv[1:]):
++            self.verbosity = True
++
++        # Load LSB release file
++        self.lsb_release = dict()
++        if not os.path.exists('/usr/bin/lsb_release') and not os.path.exists('/bin/lsb_release'):
++            raise OSError, "Please install 'lsb-release'"
++        for line in subprocess.Popen(['lsb_release','-a'],stdout=subprocess.PIPE,stderr=subprocess.PIPE).communicate()[0].splitlines():
++            field, value = line.split(':',1)
++            value=value.strip()
++            field=field.strip()
++            # Convert numerics
++            try:
++                value = float(value)
++            except:
++                pass
++            self.lsb_release.setdefault(field,value)
++
++        # FIXME: hack OEM releases into known-Ubuntu versions
++        if self.lsb_release['Distributor ID'] == "HP MIE (Mobile Internet Experience)":
++            if self.lsb_release['Release'] == 1.0:
++                self.lsb_release['Distributor ID'] = "Ubuntu"
++                self.lsb_release['Release'] = 8.04
++            else:
++                raise OSError, "Unknown version of HP MIE"
++
++        # FIXME: hack to assume a most-recent release if we're not
++        # running under Ubuntu.
++        if self.lsb_release['Distributor ID'] not in ["Ubuntu","Linaro"]:
++            self.lsb_release['Release'] = 10000
++        # Adjust Linaro release to pretend to be Ubuntu
++        if self.lsb_release['Distributor ID'] in ["Linaro"]:
++       	    self.lsb_release['Distributor ID'] = "Ubuntu"
++            self.lsb_release['Release'] -= 0.01
++
++        # Load arch
++        if not os.path.exists('/usr/bin/dpkg'):
++            machine = cmd(['uname','-m'])[1].strip()
++            if machine.endswith('86'):
++                self.dpkg_arch = 'i386'
++            elif machine.endswith('_64'):
++                self.dpkg_arch = 'amd64'
++            elif machine.startswith('arm'):
++                self.dpkg_arch = 'armel'
++            else:
++                raise ValueError, "Unknown machine type '%s'" % (machine)
++        else:
++            self.dpkg_arch = cmd(['dpkg','--print-architecture'])[1].strip()
++
++        # Find kernel version
++        self.kernel_is_ubuntu = False
++        self.kernel_version_signature = None
++        self.kernel_version = cmd(["uname","-r"])[1].strip()
++        versig = '/proc/version_signature'
++        if os.path.exists(versig):
++            self.kernel_is_ubuntu = True
++            self.kernel_version_signature = file(versig).read().strip()
++            self.kernel_version_ubuntu = self.kernel_version
++        elif os.path.exists('/usr/bin/dpkg'):
++            # this can easily be inaccurate but is only an issue for Dapper
++            rc, out = cmd(['dpkg','-l','linux-image-%s' % (self.kernel_version)])
++            if rc == 0:
++                self.kernel_version_signature = out.strip().split('\n').pop().split()[2]
++                self.kernel_version_ubuntu = self.kernel_version_signature
++        if self.kernel_version_signature == None:
++            # Attempt to fall back to something for non-Debian-based
++            self.kernel_version_signature = self.kernel_version
++            self.kernel_version_ubuntu = self.kernel_version
++        # Build ubuntu version without hardware suffix
++        try:
++            self.kernel_version_ubuntu = "-".join([x for x in self.kernel_version_signature.split(' ')[1].split('-') if re.search('^[0-9]', x)])
++        except:
++            pass
++
++        # Find gcc version
++        self.gcc_version = get_gcc_version('gcc')
++
++        # Find libc
++        self.path_libc = [x.split()[2] for x in cmd(['ldd','/bin/ls'])[1].splitlines() if x.startswith('\tlibc.so.')][0]
++
++        # Report self
++        if self.verbosity:
++            kernel = self.kernel_version_ubuntu
++            if kernel != self.kernel_version_signature:
++                kernel += " (%s)" % (self.kernel_version_signature)
++            print >>sys.stdout, "Running test: '%s' distro: '%s %.2f' kernel: '%s' arch: '%s' uid: %d/%d SUDO_USER: '%s')" % ( \
++                sys.argv[0],
++                self.lsb_release['Distributor ID'],
++                self.lsb_release['Release'],
++                kernel,
++                self.dpkg_arch,
++                os.geteuid(), os.getuid(),
++                os.environ.get('SUDO_USER', ''))
++            sys.stdout.flush()
++
++        # Additional heuristics
++        #if os.environ.get('SUDO_USER', os.environ.get('USER', '')) in ['mdeslaur']:
++        #    sys.stdout.write("Replying to Marc Deslauriers in http://launchpad.net/bugs/%d: " % random.randint(600000, 980000))
++        #    sys.stdout.flush()
++        #    time.sleep(0.5)
++        #    sys.stdout.write("destroyed\n")
++        #    time.sleep(0.5)
++
++    def hello(self, msg):
++        print >>sys.stderr, "Hello from %s" % (msg)
++# The central instance
++manager = TestlibManager()
++
++class TestlibCase(unittest.TestCase):
++    def __init__(self, *args):
++        '''This is called for each TestCase test instance, which isn't much better
++           than SetUp.'''
++
++        unittest.TestCase.__init__(self, *args)
++
++        # Attach to and duplicate dicts from manager singleton
++        self.manager = manager
++        #self.manager.hello(repr(self) + repr(*args))
++        self.my_verbosity = self.manager.verbosity
++        self.lsb_release = self.manager.lsb_release
++        self.dpkg_arch = self.manager.dpkg_arch
++        self.kernel_version = self.manager.kernel_version
++        self.kernel_version_signature = self.manager.kernel_version_signature
++        self.kernel_version_ubuntu = self.manager.kernel_version_ubuntu
++        self.kernel_is_ubuntu = self.manager.kernel_is_ubuntu
++        self.gcc_version = self.manager.gcc_version
++        self.path_libc = self.manager.path_libc
++
++    def version_compare(self, one, two):
++        return apt_pkg.VersionCompare(one,two)
++
++    def assertFileType(self, filename, filetype):
++        '''Checks the file type of the file specified'''
++
++        (rc, report, out) = self._testlib_shell_cmd(["/usr/bin/file", "-b", filename])
++        out = out.strip()
++        expected = 0
++        # Absolutely no idea why this happens on Hardy
++        if self.lsb_release['Release'] == 8.04 and rc == 255 and len(out) > 0:
++            rc = 0
++        result = 'Got exit code %d, expected %d:\n%s\n' % (rc, expected, report)
++        self.assertEquals(expected, rc, result)
++
++        filetype = '^%s$' % (filetype)
++        result = 'File type reported by file: [%s], expected regex: [%s]\n' % (out, filetype)
++        self.assertNotEquals(None, re.search(filetype, out), result)
++
++    def yank_commonname_from_cert(self, certfile):
++        '''Extract the commonName from a given PEM'''
++        rc, out = cmd(['openssl','asn1parse','-in',certfile])
++        if rc == 0:
++            ready = False
++            for line in out.splitlines():
++                if ready:
++                    return line.split(':')[-1]
++                if ':commonName' in line:
++                    ready = True
++        return socket.getfqdn()
++
++    def announce(self, text):
++        if self.my_verbosity:
++            print >>sys.stdout, "(%s) " % (text),
++            sys.stdout.flush()
++
++    def make_clean(self):
++        rc, output = self.shell_cmd(['make','clean'])
++        self.assertEquals(rc, 0, output)
++
++    def get_makefile_compiler(self):
++        # Find potential compiler name
++        compiler = 'gcc'
++        if os.path.exists('Makefile'):
++            for line in open('Makefile'):
++                if line.startswith('CC') and '=' in line:
++                    items = [x.strip() for x in line.split('=')]
++                    if items[0] == 'CC':
++                        compiler = items[1]
++                        break
++        return compiler
++
++    def make_target(self, target, expected=0):
++        '''Compile a target and report output'''
++
++        compiler = self.get_makefile_compiler()
++        rc, output = self.shell_cmd(['make',target])
++        self.assertEquals(rc, expected, 'rc(%d)!=%d:\n' % (rc, expected) + output)
++        self.assertTrue('%s ' % (compiler) in output, 'Expected "%s":' % (compiler) + output)
++        return output
++
++    # call as   return testlib.skipped()
++    def _skipped(self, reason=""):
++        '''Provide a visible way to indicate that a test was skipped'''
++        if reason != "":
++            reason = ': %s' % (reason)
++        self.announce("skipped%s" % (reason))
++        return False
++
++    def _testlib_shell_cmd(self,args,stdin=None, stdout=subprocess.PIPE, stderr=subprocess.STDOUT):
++        argstr = "'" + "', '".join(args).strip() + "'"
++        rc, out = cmd(args,stdin=stdin,stdout=stdout,stderr=stderr)
++        report = 'Command: ' + argstr + '\nOutput:\n' + out
++        return rc, report, out
++
++    def shell_cmd(self, args, stdin=None):
++        return cmd(args,stdin=stdin)
++
++    def assertShellExitEquals(self, expected, args, stdin=None, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, msg=""):
++        '''Test a shell command matches a specific exit code'''
++        rc, report, out = self._testlib_shell_cmd(args, stdin=stdin, stdout=stdout, stderr=stderr)
++        result = 'Got exit code %d, expected %d\n' % (rc, expected)
++        self.assertEquals(expected, rc, msg + result + report)
++
++    def assertShellExitNotEquals(self, unwanted, args, stdin=None, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, msg=""):
++        '''Test a shell command doesn't match a specific exit code'''
++        rc, report, out = self._testlib_shell_cmd(args, stdin=stdin, stdout=stdout, stderr=stderr)
++        result = 'Got (unwanted) exit code %d\n' % rc
++        self.assertNotEquals(unwanted, rc, msg + result + report)
++
++    def assertShellOutputContains(self, text, args, stdin=None, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, msg="", invert=False):
++        '''Test a shell command contains a specific output'''
++        rc, report, out = self._testlib_shell_cmd(args, stdin=stdin, stdout=stdout, stderr=stderr)
++        result = 'Got exit code %d.  Looking for text "%s"\n' % (rc, text)
++        if not invert:
++            self.assertTrue(text in out, msg + result + report)
++        else:
++            self.assertFalse(text in out, msg + result + report)
++
++    def assertShellOutputEquals(self, text, args, stdin=None, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, msg="", invert=False, expected=None):
++        '''Test a shell command matches a specific output'''
++        rc, report, out = self._testlib_shell_cmd(args, stdin=stdin, stdout=stdout, stderr=stderr)
++        result = 'Got exit code %d. Looking for exact text "%s" (%s)\n' % (rc, text, " ".join(args))
++        if not invert:
++            self.assertEquals(text, out, msg + result + report)
++        else:
++            self.assertNotEquals(text, out, msg + result + report)
++        if expected != None:
++            result = 'Got exit code %d. Expected %d (%s)\n' % (rc, expected, " ".join(args))
++            self.assertEquals(rc, expected, msg + result + report)
++
++    def _word_find(self, report, content, invert=False):
++        '''Check for a specific string'''
++        if invert:
++            warning = 'Found "%s"\n' % content
++            self.assertTrue(content not in report, warning + report)
++        else:
++            warning = 'Could not find "%s"\n' % content
++            self.assertTrue(content in report, warning + report)
++
++    def _test_sysctl_value(self, path, expected, msg=None, exists=True):
++        sysctl = '/proc/sys/%s' % (path)
++        self.assertEquals(exists, os.path.exists(sysctl), sysctl)
++        value = None
++        if exists:
++            value = int(file(sysctl).read())
++            report = "%s is not %d: %d" % (sysctl, expected, value)
++            if msg:
++                report += " (%s)" % (msg)
++            self.assertEquals(value, expected, report)
++        return value
++
++    def set_sysctl_value(self, path, desired):
++        sysctl = '/proc/sys/%s' % (path)
++        self.assertTrue(os.path.exists(sysctl),"%s does not exist" % (sysctl))
++        file(sysctl,'w').write(str(desired))
++        self._test_sysctl_value(path, desired)
++
++    def kernel_at_least(self, introduced):
++        return self.version_compare(self.kernel_version_ubuntu,
++                                    introduced) >= 0
++
++    def kernel_claims_cve_fixed(self, cve):
++        changelog = "/usr/share/doc/linux-image-%s/changelog.Debian.gz" % (self.kernel_version)
++        if os.path.exists(changelog):
++            for line in gzip.open(changelog):
++                if cve in line and not "revert" in line and not "Revert" in line:
++                    return True
++        return False
++
++class TestGroup:
++    '''Create a temporary test group and remove it again in the dtor.'''
++
++    def __init__(self, group=None, lower=False):
++        '''Create a new group'''
++
++        self.group = None
++        if group:
++            if group_exists(group):
++                raise ValueError, 'group name already exists'
++        else:
++            while(True):
++                group = random_string(7,lower=lower)
++                if not group_exists(group):
++                    break
++
++        assert subprocess.call(['groupadd',group]) == 0
++        self.group = group
++        g = grp.getgrnam(self.group)
++        self.gid = g[2]
++
++    def __del__(self):
++        '''Remove the created group.'''
++
++        if self.group:
++            rc, report = cmd(['groupdel', self.group])
++            assert rc == 0
++
++class TestUser:
++    '''Create a temporary test user and remove it again in the dtor.'''
++
++    def __init__(self, login=None, home=True, group=None, uidmin=None, lower=False, shell=None):
++        '''Create a new user account with a random password.
++
++        By default, the login name is random, too, but can be explicitly
++        specified with 'login'. By default, a home directory is created, this
++        can be suppressed with 'home=False'.'''
++
++        self.login = None
++
++        if os.geteuid() != 0:
++            raise ValueError, "You must be root to run this test"
++
++        if login:
++            if login_exists(login):
++                raise ValueError, 'login name already exists'
++        else:
++            while(True):
++                login = 't' + random_string(7,lower=lower)
++                if not login_exists(login):
++                    break
++
++        self.salt = random_string(2)
++        self.password = random_string(8,lower=lower)
++        self.crypted = crypt.crypt(self.password, self.salt)
++
++        creation = ['useradd', '-p', self.crypted]
++        if home:
++            creation += ['-m']
++        if group:
++            creation += ['-G',group]
++        if uidmin:
++            creation += ['-K','UID_MIN=%d'%uidmin]
++        if shell:
++            creation += ['-s',shell]
++        creation += [login]
++        assert subprocess.call(creation) == 0
++        # Set GECOS
++        assert subprocess.call(['usermod','-c','Buddy %s' % (login),login]) == 0
++
++        self.login = login
++        p = pwd.getpwnam(self.login)
++        self.uid   = p[2]
++        self.gid   = p[3]
++        self.gecos = p[4]
++        self.home  = p[5]
++        self.shell = p[6]
++
++    def __del__(self):
++        '''Remove the created user account.'''
++
++        if self.login:
++            # sanity check the login name so we don't accidentally wipe too much
++            if len(self.login)>3 and not '/' in self.login:
++                subprocess.call(['rm','-rf', '/home/'+self.login, '/var/mail/'+self.login])
++            rc, report = cmd(['userdel', '-f', self.login])
++            assert rc == 0
++
++    def add_to_group(self, group):
++        '''Add user to the specified group name'''
++        rc, report = cmd(['usermod', '-G', group, self.login])
++        if rc != 0:
++            print report
++        assert rc == 0
++
++# Timeout handler using alarm() from John P. Speno's Pythonic Avocado
++class TimeoutFunctionException(Exception):
++    """Exception to raise on a timeout"""
++    pass
++class TimeoutFunction:
++    def __init__(self, function, timeout):
++        self.timeout = timeout
++        self.function = function
++
++    def handle_timeout(self, signum, frame):
++        raise TimeoutFunctionException()
++
++    def __call__(self, *args, **kwargs):
++        old = signal.signal(signal.SIGALRM, self.handle_timeout)
++        signal.alarm(self.timeout)
++        try:
++            result = self.function(*args, **kwargs)
++        finally:
++            signal.signal(signal.SIGALRM, old)
++        signal.alarm(0)
++        return result
++
++def main():
++    print "hi"
++    unittest.main()
 diff --git a/debian/tests/testlib_httpd.py b/debian/tests/testlib_httpd.py
 new file mode 100644
 index 0000000..1468398
 --- /dev/null
 +++ b/debian/tests/testlib_httpd.py
@@ -0,0 +1,352 @@
++#!/usr/bin/python
++#
++#    testlib_httpd.py quality assurance test script
++#    Copyright (C) 2008-2013 Canonical Ltd.
++#    Author: Jamie Strandboge <jamie@canonical.com>
++#    Author: Marc Deslauriers <marc.deslauriers@canonical.com>
++#
++#    This program is free software: you can redistribute it and/or modify
++#    it under the terms of the GNU General Public License version 3,
++#    as published by the Free Software Foundation.
++#
++#    This program is distributed in the hope that it will be useful,
++#    but WITHOUT ANY WARRANTY; without even the implied warranty of
++#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++#    GNU General Public License for more details.
++#
++#    You should have received a copy of the GNU General Public License
++#    along with this program.  If not, see <httpd://www.gnu.org/licenses/>.
++#
++
++import unittest, subprocess
++import os
++import sys
++import tempfile
++import testlib
++import time
++import socket
++import shutil
++import cookielib
++import urllib2
++import re
++import base64
++
++class HttpdCommon(testlib.TestlibCase):
++    '''Common functions'''
++    def _setUp(self, clearlogs = False):
++        '''Setup'''
++        self.release = self.lsb_release['Codename']
++        self.html_page = "/var/www/test.html"
++        self.php_page = "/var/www/test.php"
++        self.cgi_page = "/usr/lib/cgi-bin/test-cgi.pl"
++        self.apache2_default = "/etc/default/apache2"
++        self.ssl_key = "/etc/ssl/private/server.key"
++        self.ssl_crt = "/etc/ssl/certs/server.crt"
++        self.ssl_site = "/etc/apache2/sites-enabled/999-testlib"
++        self.ports_file = "/etc/apache2/ports.conf"
++        self.access_log = "/var/log/apache2/access.log"
++        self.error_log = "/var/log/apache2/error.log"
++        if not hasattr(self, 'initscript'):
++            self._set_initscript("apache2")
++
++        # Dapper's apache2 is disabled by default
++        if self.lsb_release['Release'] == 6.06:
++            testlib.config_replace(self.apache2_default, "", append=True)
++            subprocess.call(['sed', '-i', 's/NO_START=1/NO_START=0/', self.apache2_default])
++
++        self._stop()
++        if clearlogs == True:
++            self._clearlogs()
++        self._start()
++
++    def _set_initscript(self, initscript):
++        self.initscript = initscript
++
++    def _tearDown(self):
++        '''Clean up after each test_* function'''
++        self._stop()
++        time.sleep(2)
++        if os.path.exists(self.html_page):
++            os.unlink(self.html_page)
++        if os.path.exists(self.php_page):
++            os.unlink(self.php_page)
++        if os.path.exists(self.cgi_page):
++            os.unlink(self.cgi_page)
++        if os.path.exists(self.ssl_key):
++            os.unlink(self.ssl_key)
++        if os.path.exists(self.ssl_crt):
++            os.unlink(self.ssl_crt)
++        if os.path.exists(self.ssl_site):
++            os.unlink(self.ssl_site)
++        self._disable_mod("ssl")
++        testlib.config_restore(self.ports_file)
++        testlib.config_restore(self.apache2_default)
++
++    def _start(self):
++        '''Start process'''
++        rc, report = testlib.cmd(['service', self.initscript, 'start'])
++        expected = 0
++        result = 'Got exit code %d, expected %d\n' % (rc, expected)
++        self.assertEquals(expected, rc, result + report)
++        time.sleep(2)
++
++    def _stop(self):
++        '''Stop process'''
++        rc, report = testlib.cmd(['service', self.initscript, 'stop'])
++        expected = 0
++        result = 'Got exit code %d, expected %d\n' % (rc, expected)
++        self.assertEquals(expected, rc, result + report)
++
++    def _clearlogs(self):
++        '''Clear httpd logs'''
++        if os.path.exists(self.access_log):
++            os.unlink(self.access_log)
++        if os.path.exists(self.error_log):
++            os.unlink(self.error_log)
++
++    def __disable_mod(self, mod):
++        if not os.path.exists(os.path.join("/etc/apache2/mods-available", mod + \
++                                       ".load")):
++            return
++        if not os.path.exists("/usr/sbin/a2dismod"):
++            return
++        rc, report = testlib.cmd(['a2dismod', mod])
++        expected = 0
++        result = 'Got exit code %d, expected %d\n' % (rc, expected)
++        self.assertEquals(expected, rc, result + report)
++
++    def _disable_mod(self, mod):
++        self.__disable_mod(mod)
++        self._restart()
++        time.sleep(2)
++
++    def _disable_mods(self, mods):
++        '''take a list of modules to disable'''
++        for mod in mods:
++            self.__disable_mod(mod)
++        self._restart()
++        time.sleep(2)
++
++    def __enable_mod(self, mod):
++        rc, report = testlib.cmd(['a2enmod', mod])
++        expected = 0
++        result = 'Got exit code %d, expected %d\n' % (rc, expected)
++        self.assertEquals(expected, rc, result + report)
++
++    def _enable_mod(self, mod):
++        self.__enable_mod(mod)
++        # for some reason, force-reload doesn't work
++        # if self.lsb_release['Release'] >= 8.04:
++        #    self._reload()
++        # else:
++        self._restart()
++        time.sleep(2)
++
++    def _enable_mods(self, mods):
++        '''take a list of modules to enable'''
++        for mod in mods:
++            self.__enable_mod(mod)
++        # for some reason, force-reload doesn't work
++        # if self.lsb_release['Release'] >= 8.04:
++        #    self._reload()
++        # else:
++        self._restart()
++        time.sleep(2)
++
++    def _disable_site(self, sitename):
++        rc, report = testlib.cmd(['a2dissite', sitename])
++        expected = 0
++        result = 'Got exit code %d, expected %d\n' % (rc, expected)
++        self.assertEquals(expected, rc, result + report)
++        self._restart()
++        time.sleep(2)
++
++    def _enable_site(self, sitename):
++        rc, report = testlib.cmd(['a2ensite', sitename])
++        expected = 0
++        result = 'Got exit code %d, expected %d\n' % (rc, expected)
++        self.assertEquals(expected, rc, result + report)
++        # for some reason, force-reload doesn't work
++        # if self.lsb_release['Release'] >= 8.04:
++        #    self._reload()
++        #else:
++        self._restart()
++        time.sleep(2)
++
++    def _reload(self):
++        '''Reload httpd'''
++        rc, report = testlib.cmd([self.initscript, 'force-reload'])
++        expected = 0
++        result = 'Got exit code %d, expected %d\n' % (rc, expected)
++        self.assertEquals(expected, rc, result + report)
++
++    def _restart(self):
++        '''Restart httpd'''
++        self._stop()
++        self._start()
++
++    def _prepare_ssl(self, srvkey, srvcert):
++        '''Prepare Apache for ssl connections'''
++        self._enable_mod("ssl")
++
++        # copy instead of rename so we don't get invalid cross-device link errors
++        shutil.copy(srvkey, self.ssl_key)
++        shutil.copy(srvcert, self.ssl_crt)
++
++        if self.lsb_release['Release'] <= 7.04:
++            testlib.config_replace(self.ports_file, "Listen 443", True)
++
++        # create the conffile entry
++        site_contents = '''
++NameVirtualHost *:443
++<VirtualHost *:443>
++        SSLEngine on
++        SSLOptions +StrictRequire
++        SSLCertificateFile /etc/ssl/certs/server.crt
++        SSLCertificateKeyFile /etc/ssl/private/server.key
++
++        ServerAdmin webmaster@localhost
++
++        DocumentRoot /var/www/
++        ErrorLog /var/log/apache2/error.log
++
++        # Possible values include: debug, info, notice, warn, error, crit,
++        # alert, emerg.
++        LogLevel warn
++
++        CustomLog /var/log/apache2/access.log combined
++        ServerSignature On
++</VirtualHost>
++'''
++        testlib.create_fill(self.ssl_site, site_contents)
++        self._reload()
++
++    def _test_url_proxy(self, url="http://localhost/", content="", proxy="localhost:3128"):
++        '''Test the given url'''
++        rc, report = testlib.cmd(['elinks', '-verbose', '2', '-no-home', '1', '-eval', 'set protocol.ftp.proxy.host = "%s"' %(proxy), '-eval',
++            'set protocol.http.proxy.host = "%s"' %(proxy), '-eval', 'set protocol.https.proxy.host = "%s"' %(proxy), '-dump', url])
++        expected = 0
++        result = 'Got exit code %d, expected %d\n' % (rc, expected)
++        self.assertEquals(expected, rc, result + report)
++
++        if content != "":
++            self._word_find(report, content)
++
++    def _test_url(self, url="http://localhost/", content="", invert=False, source=False):
++        '''Test the given url'''
++        if source:
++            report = self._get_page_source(url)
++        else:
++            report = self._get_page(url)
++
++        if content != "":
++            self._word_find(report, content, invert)
++
++    def _get_page_source(self, url="http://localhost/", data='', headers=None):
++        '''Fetch html source'''
++        cookies = "/tmp/cookies.lwp"
++        testlib.create_fill(cookies, "#LWP-Cookies-2.0")
++
++        if headers == None:
++            headers = {'User-agent' : 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)'}
++
++        clean_url = url
++        if re.search(r'http(|s)://.*:.*@[a-z].*', url):
++            tmp = re.sub(r'^http(|s)://', '', url)
++            username = tmp.split('@')[0].split(':')[0]
++            password = tmp.split('@')[0].split(':')[1]
++            base64_str = base64.encodestring('%s:%s' % (username, password))[:-1]
++            headers['Authorization'] = "Basic %s" % (base64_str)
++            # strip out the username and password from the url
++            clean_url = re.sub(r'%s:%s@' % (username, password), '', url)
++
++        cj = cookielib.LWPCookieJar(filename=cookies)
++        cj.load()
++
++        opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
++        urllib2.install_opener(opener)
++
++        try:
++            if data != '':
++                req = urllib2.Request(clean_url, data, headers)
++            else:
++                req = urllib2.Request(clean_url, headers=headers)
++        except:
++            raise
++
++        tries = 0
++        failed = True
++        while tries < 3:
++            try:
++                handle = urllib2.urlopen(req)
++                failed = False
++                break
++            except urllib2.HTTPError, e:
++                raise
++                if e.code != 503:
++                    # for debugging
++                    #print >>sys.stderr, 'Error retrieving page "url=%s", "data=%s"' % (url, data)
++                    raise
++            tries += 1
++            time.sleep(2)
++
++        self.assertFalse(failed, 'Could not retrieve page "url=%s", "data=%s"' % (url, data))
++        html = handle.read()
++        cj.save()
++
++        return html
++
++    def _get_page(self, url="http://localhost/"):
++        '''Get contents of given url'''
++        rc, report = testlib.cmd(['elinks', '-verbose', '2', '-no-home', '1', '-dump', url])
++        expected = 0
++
++        result = 'Got exit code %d, expected %d\n' % (rc, expected)
++        self.assertEquals(expected, rc, result + report)
++
++        return report
++
++    def _test_raw(self, request="", content="", host="localhost", port=80, invert = False, limit=1024):
++        '''Test the given url with a raw socket to include headers'''
++        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
++        s.connect((host, port))
++        s.send(request)
++        data = s.recv(limit)
++        s.close()
++
++        if content != "":
++            self._word_find(data, content, invert = invert)
++
++def create_php_page(page, php_content=None):
++    '''Create a basic php page'''
++
++    # complexity here is due to maintaining interface compatability when
++    # php_content is not provided
++    if not php_content:
++        str = "php works"
++        php_content = "echo '" + str + "'; "
++    else:
++        str = php_content
++    script = '''<?php
++%s
++?>''' %(php_content)
++    testlib.create_fill(page, script)
++    return str
++
++def create_perl_script(page):
++    '''Create a basic perl script'''
++    str = "perl works"
++    script = '''#!/usr/bin/perl
++print "Content-Type: text/plain\\n\\n";
++print "''' + str + '''\\n";
++
++'''
++    testlib.create_fill(page, script, 0755)
++
++    return str
++
++def create_html_page(page):
++    '''Create html page'''
++    str = "html works"
++    testlib.create_fill(page, "<html><body>" + str + "</body></html>")
++    return str
 diff --git a/debian/tests/upstream-test-suite b/debian/tests/upstream-test-suite
 index 4f6b332..ec3e370 100644
 --- a/debian/tests/upstream-test-suite
 +++ b/debian/tests/upstream-test-suite
@@ -2,7 +2,7 @@
  set -e
  dpkg-source --before-build `pwd`
--sed -i -e 's/\$(top_builddir)\/src\/squid/\/usr\/sbin\/squid/' test-suite/Makefile.am
++sed -i -e 's/\$(top_builddir)\/src\/squid\ /\/usr\/sbin\/squid\ /' test-suite/Makefile.am
  dpkg-buildpackage -rfakeroot --target=pre-build
  dpkg-buildpackage -rfakeroot --target=common-configure-arch 2>/dev/null
  make -C src/base libbase.la
 diff --git a/debian/usr.sbin.squid b/debian/usr.sbin.squid
 new file mode 100644
 index 0000000..2a400e9
 --- /dev/null
 +++ b/debian/usr.sbin.squid
@@ -0,0 +1,75 @@
++# Author: Simon Deziel
++#         Jamie Strandboge
++# vim:syntax=apparmor
++#include <tunables/global>
++
++/usr/sbin/squid {
++  #include <abstractions/base>
++  #include <abstractions/kerberosclient>
++  #include <abstractions/nameservice>
++
++  capability net_raw,
++  capability setuid,
++  capability setgid,
++  capability sys_chroot,
++
++  # allow child processes to run execvp(argv[0], [kidname, ...])
++  /usr/sbin/squid ix,
++
++  # pinger
++  network inet raw,
++  network inet6 raw,
++
++  /etc/mtab r,
++  @{PROC}/[0-9]*/mounts r,
++  @{PROC}/mounts r,
++
++  # squid3 configuration
++  /etc/squid/** r,
++  /{,var/}run/squid.pid rwk,
++  /var/spool/squid/ r,
++  /var/spool/squid/** rwk,
++  /usr/lib/squid{,3}/* rmix,
++  /usr/share/squid/** r,
++  /var/log/squid/* rw,
++
++  # squid-langpack
++  /usr/share/squid-langpack/** r,
++
++  # maas-proxy
++  /var/lib/maas/maas-proxy.conf r,
++  /var/log/maas/proxy/** rw,
++  /var/spool/maas-proxy/ r,
++  /var/spool/maas-proxy/** rwk,
++
++  # squid-deb-proxy
++  /etc/squid-deb-proxy/** r,
++  /{,var/}run/squid-deb-proxy.pid rwk,
++  /var/cache/squid-deb-proxy/ r,
++  /var/cache/squid-deb-proxy/** rwk,
++  /var/log/squid-deb-proxy/* rw,
++  owner /dev/shm/** rmw,
++
++  # squidguard
++  /usr/bin/squidGuard Cx -> squidguard,
++  profile squidguard {
++    #include <abstractions/base>
++
++    /etc/squid/squidGuard.conf r,
++    /var/log/squid{,3}/squidGuard.log w,
++    /var/lib/squidguard/** rw,
++
++    # squidguard by default uses /var/log/squid as its logdir, however, we
++    # don't want it to access squid's logs, only its own. Explicitly deny
++    # access to squid's files but allow all others since the user may specify
++    # anything for the squidGurad 'log' directive.
++    /var/log/squid{,3}/* rw,
++    audit deny /var/log/squid{,3}/{access,cache,store}.log* rw,
++
++    # Site-specific additions and overrides. See local/README for details.
++    #include <local/usr.sbin.squid>
++  }
++
++  # Site-specific additions and overrides. See local/README for details.
++  #include <local/usr.sbin.squid>
++}

Ubuntusquid3 package

Merge ~racb/ubuntu/+source/squid3:merge into ~usd-import-team/ubuntu/+source/squid3:debian/sid

Commit Message

Description of the Change

Preview Diff

Subscribers

Ubuntu
squid3 package