Ubuntu
sssd package

Merge ~sergiodj/ubuntu/+source/sssd:merge-2.5.2-4-jammy into ubuntu/+source/sssd:debian/sid

  1. Git
  2. lp:~sergiodj/ubuntu/+source/sssd
  3. merge-2.5.2-4-jammy
  4. Merge into debian/sid
Proposed by Sergio Durigan Junior
Status: Merged
Merge reported by: Sergio Durigan Junior
Merged at revision: 47b8ad116bb6fb3f0288091350c802165dd52bf9
Proposed branch: ~sergiodj/ubuntu/+source/sssd:merge-2.5.2-4-jammy
Merge into: ubuntu/+source/sssd:debian/sid
Diff against target: 294 lines (+228/-2)
5 files modified
debian/changelog (+139/-0)
debian/control (+3/-2)
debian/patches/fix-python-tests.patch (+83/-0)
debian/patches/series (+1/-0)
debian/rules (+2/-0)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  (community) Approve
Canonical Server Pending
Review via email: mp+410912@code.launchpad.net

Description of the change

This is the merge of sssd 2.5.2-4 from Debian.

This is a relatively straightforward merge. Fortunately we will be able to drop a bunch of delta we've been carrying, because Debian incorporated most of it.

There's one patch that we're still going to have to carry for a bit more which is the d/p/fix-python-tests.patch. This one hasn't been adopted by Debian because it's not a problem there yet, and eventually we will be able to drop it because it's been accepted by upstream and is part of the 2.6.0 release. I'm expecting that Debian will update sssd to this release before the end of jammy's cycle.

Aside from that, there's not much else to say. The package is getting into a better shape with each release, which is good.

There's a PPA with the proposed package here:

https://launchpad.net/~sergiodj/+archive/ubuntu/sssd-merge/+packages

autopkgtest is still happy:

autopkgtest [20:30:44]: @@@@@@@@@@@@@@@@@@@@ summary
ldap-user-group-ldap-auth PASS
ldap-user-group-krb5-auth PASS

To post a comment you must log in.
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Ping :-).

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Putting that on my TODO-List for today ...

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

"The package is getting into a better shape with each release, which is good."
=> That is the right spirit :-)

* Changelog:
  - [+] old content and logical tag match as expected
  - [+] changelog entry correct version and targeted codename
  - [+] changelog entries correct
  - [x] bug references correct
        Keeping the reference to "(LP: #1910611) fully intact will ping the bug on every merge.
        please change that to e.g. LP: 1910611 to leave the bug alone.
  - [+] update-maintainer has been run

* Merge - Indirect Changes:
  - [+] no upstream changes to consider
        At https://github.com/SSSD/sssd/releases there are some removals with 2.5.0 which
        made me think, but the biggest one is the samba change which would not work with
        our recent samba anyway.
  - [+] no further upstream version to consider
        (we know 2.6 will be another step, it is good to go them one by one)
  - [+] debian changes look safe
        I wondered but 994479 didn't skip all testing, so ok

* Merge - Old Delta:
  - [+] dropped changes are ok to be dropped
  - [+] nothing else to drop (yet)
  - [+] changes forwarded upstream/debian

* New Delta:
  - [+] no new patches added

* Git/Maintenance
  - [+] commits are properly split (more important on -dev than on SRUs)

* Build/Test:
  - [+] build is ok
  - [+] verified PPA package installs/uninstalls
  - [+] autopkgtest against the PPA package passes
  - [+] sanity checks test fine

I have only had a trivial sssd install (2.5.2-4ubuntu1~ppa2) that worked fine, I assume you have tested this for real and ran the autopkgtest?

Only found the minimal nitpick in the changelog, up to you to adapt before an upload.

review: Approve
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

On Tuesday, November 02 2021, Christian Ehrhardt  wrote:

> Review: Approve

Thanks for the review, Christian.

> * Changelog:
> - [+] old content and logical tag match as expected
> - [+] changelog entry correct version and targeted codename
> - [+] changelog entries correct
> - [x] bug references correct
> Keeping the reference to "(LP: #1910611) fully intact will ping the bug on every merge.
> please change that to e.g. LP: 1910611 to leave the bug alone.

Huh, that's funny. git-ubuntu should take care of automatically
removing the colon from these bug references, but for some reason it
didn't this time. But yeah, I will remove it by hand, thanks.

> - [+] update-maintainer has been run
>
> * Merge - Indirect Changes:
> - [+] no upstream changes to consider
> At https://github.com/SSSD/sssd/releases there are some removals with 2.5.0 which
> made me think, but the biggest one is the samba change which would not work with
> our recent samba anyway.

+1

> - [+] no further upstream version to consider
> (we know 2.6 will be another step, it is good to go them one by one)

Yeah. I think Debian will merge it before the end of our cycle.

> - [+] debian changes look safe
> I wondered but 994479 didn't skip all testing, so ok
>
> * Merge - Old Delta:
> - [+] dropped changes are ok to be dropped
> - [+] nothing else to drop (yet)
> - [+] changes forwarded upstream/debian
>
> * New Delta:
> - [+] no new patches added
>
> * Git/Maintenance
> - [+] commits are properly split (more important on -dev than on SRUs)
>
> * Build/Test:
> - [+] build is ok
> - [+] verified PPA package installs/uninstalls
> - [+] autopkgtest against the PPA package passes
> - [+] sanity checks test fine
>
> I have only had a trivial sssd install (2.5.2-4ubuntu1~ppa2) that worked fine, I assume you have tested this for real and ran the autopkgtest?

Yeah, I did test it locally and ran autopkgtest as well.

> Only found the minimal nitpick in the changelog, up to you to adapt before an upload.

Thanks, I've adjusted d/changelog to remove the colon and uploaded it:

$ dput sssd_2.5.2-4ubuntu1_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/sssd/sssd_2.5.2-4ubuntu1_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/sssd/sssd_2.5.2-4ubuntu1.dsc: Valid signature from 106DA1C8C3CBBF14
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading sssd_2.5.2-4ubuntu1.dsc: done.
  Uploading sssd_2.5.2.orig.tar.gz: done.
  Uploading sssd_2.5.2.orig.tar.gz.asc: done.
  Uploading sssd_2.5.2-4ubuntu1.debian.tar.xz: done.
  Uploading sssd_2.5.2-4ubuntu1_source.buildinfo: done.
  Uploading sssd_2.5.2-4ubuntu1_source.changes: done.
Successfully uploaded packages.

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

 sssd | 2.5.2-4ubuntu1 | jammy | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x

This is done

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index 5d77edb..8b4a535 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,32 @@
6+sssd (2.5.2-4ubuntu1) jammy; urgency=medium
7+
8+ * Merge with Debian unstable (LP: #1946904). Remaining changes:
9+ - Disable lto, not ready upstream.
10+ - d/control: Drop libgdm-dev Build-Depend on i386.
11+ - d/p/fix-python-tests.patch: Fix Python tests by making them
12+ assert Python module paths by using full pathnames.
13+ * Dropped changes:
14+ - d/apparmor-profile: Update profile. (LP #1910611)
15+ + Extend read permissions to /etc/sssd/** and /etc/gss/**.
16+ + Add read/execute permission to /usr/libexec/sssd/*.
17+ [ Incorporated by Debian. ]
18+ - Fix FTBFS with newer autoconf
19+ + debian/patches/fix_newer_autoconf.patch: do not unset PYTHON_PREFIX
20+ and PYTHON_EXEC_PREFIX in src/external/python.m4.
21+ [ Incorporated by Debian. ]
22+ - SECURITY UPDATE: shell command injection in sssctl comment
23+ + debian/patches/CVE-2021-3621.patch: replace system() with execvp() to
24+ avoid execution of user supplied command in
25+ src/tools/sssctl/sssctl.c, src/tools/sssctl/sssctl.h,
26+ src/tools/sssctl/sssctl_data.c, src/tools/sssctl/sssctl_logs.c.
27+ + CVE-2021-3621
28+ [ Incorporated by Debian. ]
29+ - d/p/disable-fail_over-tests.patch: Disable fail_over-tests,
30+ which is failing when running inside sbuild.
31+ [ Not needed anymore; issue does not reproduce on Jammy. ]
32+
33+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Wed, 27 Oct 2021 20:16:31 -0400
34+
35 sssd (2.5.2-4) unstable; urgency=medium
36
37 * control: Promote libnss-sss and libpam-sss to sssd-common Depends.
38@@ -40,6 +69,63 @@ sssd (2.5.2-1) unstable; urgency=medium
39
40 -- Timo Aaltonen <tjaalton@debian.org> Thu, 16 Sep 2021 14:51:42 +0300
41
42+sssd (2.4.1-2ubuntu4) impish; urgency=medium
43+
44+ * Fix FTBFS with newer autoconf
45+ - debian/patches/fix_newer_autoconf.patch: do not unset PYTHON_PREFIX
46+ and PYTHON_EXEC_PREFIX in src/external/python.m4.
47+
48+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 08 Sep 2021 11:39:53 -0400
49+
50+sssd (2.4.1-2ubuntu3) impish; urgency=medium
51+
52+ * SECURITY UPDATE: shell command injection in sssctl comment
53+ - debian/patches/CVE-2021-3621.patch: replace system() with execvp() to
54+ avoid execution of user supplied command in
55+ src/tools/sssctl/sssctl.c, src/tools/sssctl/sssctl.h,
56+ src/tools/sssctl/sssctl_data.c, src/tools/sssctl/sssctl_logs.c.
57+ - CVE-2021-3621
58+
59+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 18 Aug 2021 08:13:38 -0400
60+
61+sssd (2.4.1-2ubuntu2) impish; urgency=medium
62+
63+ * No-change rebuild due to OpenLDAP soname bump.
64+
65+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 18:09:16 -0400
66+
67+sssd (2.4.1-2ubuntu1) impish; urgency=medium
68+
69+ * Merge with Debian unstable. Remaining changes:
70+ - d/apparmor-profile: Update profile. (LP #1910611)
71+ + Extend read permissions to /etc/sssd/** and /etc/gss/**.
72+ + Add read/execute permission to /usr/libexec/sssd/*.
73+ - Disable lto, not ready upstream.
74+ - d/control: Drop libgdm-dev Build-Depend on i386.
75+ * Dropped changes:
76+ - d/p/condition-path-exists-sssd-conf.patch: Only start
77+ sssd.service if there is a configuration file present.
78+ (LP: #1900642)
79+ [ Included in 2.4.1-2 ]
80+ - d/p/0003-Only-start-sssd.service-if-there-s-a-configuration-f.patch:
81+ Upstream patch to make sssd.service only able to start when there
82+ is a configuration file present. (LP #1900642)
83+ - d/p/condition-path-exists-sssd-conf.patch: Remove.
84+ [ Included in 2.4.1-2 ]
85+ - Avoid sending malformed SYSLOG_IDENTIFIER to journald (LP #1908065):
86+ + d/p/lp-1908065-01-syslog_identifier-format.patch:
87+ Upstream patch to include "sssd[]" identifier in program names.
88+ + d/p/lp-1908065-02-remove-syslog_identifier.patch:
89+ Upstream patch to remove custom SYSLOG_IDENTIFIER from Journald.
90+ [ Included in 2.4.1-2 ]
91+ * Added changes:
92+ - d/p/fix-python-tests.patch: Fix Python tests by making them
93+ assert Python module paths by using full pathnames.
94+ - d/p/disable-fail_over-tests.patch: Disable fail_over-tests,
95+ which is failing when running inside sbuild.
96+
97+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 18 May 2021 17:29:58 -0400
98+
99 sssd (2.4.1-2) unstable; urgency=medium
100
101 [ Marco Trevisan (Treviño) ]
102@@ -65,6 +151,59 @@ sssd (2.4.1-1) unstable; urgency=medium
103
104 -- Timo Aaltonen <tjaalton@debian.org> Wed, 10 Feb 2021 11:32:35 +0200
105
106+sssd (2.4.0-1ubuntu7) impish; urgency=medium
107+
108+ * d/control: Drop libgdm-dev Build-Depend on i386.
109+
110+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 11 May 2021 16:22:31 -0400
111+
112+sssd (2.4.0-1ubuntu6) hirsute; urgency=medium
113+
114+ * Disable lto, not ready upstream.
115+
116+ -- Matthias Klose <doko@ubuntu.com> Tue, 23 Mar 2021 13:18:53 +0100
117+
118+sssd (2.4.0-1ubuntu5) hirsute; urgency=medium
119+
120+ * No change rebuild with fixed ownership.
121+
122+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 16 Feb 2021 15:22:14 +0000
123+
124+sssd (2.4.0-1ubuntu4) hirsute; urgency=medium
125+
126+ * Avoid sending malformed SYSLOG_IDENTIFIER to journald (LP: #1908065):
127+ - d/p/lp-1908065-01-syslog_identifier-format.patch:
128+ Upstream patch to include "sssd[]" identifier in program names.
129+ - d/p/lp-1908065-02-remove-syslog_identifier.patch:
130+ Upstream patch to remove custom SYSLOG_IDENTIFIER from Journald.
131+
132+ -- Valters Jansons <valter.jansons@gmail.com> Fri, 05 Feb 2021 20:51:32 +0000
133+
134+sssd (2.4.0-1ubuntu3) hirsute; urgency=medium
135+
136+ * d/apparmor-profile: Update profile. (LP: #1910611)
137+ - Extend read permissions to /etc/sssd/conf.d/* and /etc/gss/mech.d/*.
138+ - Add read/execute permission to /usr/libexec/sssd/*.
139+
140+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 18 Jan 2021 16:57:21 -0500
141+
142+sssd (2.4.0-1ubuntu2) hirsute; urgency=medium
143+
144+ * d/p/0003-Only-start-sssd.service-if-there-s-a-configuration-f.patch:
145+ Upstream patch to make sssd.service only able to start when there
146+ is a configuration file present. (LP: #1900642)
147+ * d/p/condition-path-exists-sssd-conf.patch: Remove.
148+
149+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 12 Jan 2021 16:17:38 -0500
150+
151+sssd (2.4.0-1ubuntu1) hirsute; urgency=medium
152+
153+ * d/p/condition-path-exists-sssd-conf.patch: Only start
154+ sssd.service if there is a configuration file present.
155+ (LP: #1900642)
156+
157+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Thu, 10 Dec 2020 14:20:24 -0500
158+
159 sssd (2.4.0-1) unstable; urgency=medium
160
161 * New upstream release.
162diff --git a/debian/control b/debian/control
163index e02837d..3fad894 100644
164--- a/debian/control
165+++ b/debian/control
166@@ -1,7 +1,8 @@
167 Source: sssd
168 Section: utils
169 Priority: optional
170-Maintainer: Debian SSSD Team <pkg-sssd-devel@alioth-lists.debian.net>
171+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
172+XSBC-Original-Maintainer: Debian SSSD Team <pkg-sssd-devel@alioth-lists.debian.net>
173 Uploaders: Timo Aaltonen <tjaalton@debian.org>,
174 Dominik George <natureshadow@debian.org>
175 Build-Depends:
176@@ -25,7 +26,7 @@ Build-Depends:
177 libcollection-dev,
178 libdbus-1-dev,
179 libdhash-dev,
180- libgdm-dev [!s390x !kfreebsd-any !hurd-any],
181+ libgdm-dev [!s390x !kfreebsd-any !hurd-any !i386],
182 libglib2.0-dev,
183 libini-config-dev,
184 libjansson-dev,
185diff --git a/debian/patches/fix-python-tests.patch b/debian/patches/fix-python-tests.patch
186new file mode 100644
187index 0000000..5053f8e
188--- /dev/null
189+++ b/debian/patches/fix-python-tests.patch
190@@ -0,0 +1,83 @@
191+From: Sergio Durigan Junior <sergio.durigan@canonical.com>
192+Date: Mon, 17 May 2021 19:09:14 -0400
193+Subject: Improve assertion when verifying paths for Python modules
194+
195+In Ubuntu we're facing a problem where the 3 Python tests under
196+src/tests/*-test.py are failing due to cosmetical differences between
197+what the '.__file__' method returns and what 'MODPATH' ends up being.
198+
199+I have not been able to pinpoint exactly what is causing this issue;
200+it only happens when SSSD is built inside a chroot environment (with
201+sbuild, for example). The logs look like this:
202+
203+F
204+======================================================================
205+FAIL: testImport (__main__.PyHbacImport)
206+Import the module and assert it comes from tree
207+----------------------------------------------------------------------
208+Traceback (most recent call last):
209+ File "/<<PKGBUILDDIR>>/src/tests/pyhbac-test.py", line 91, in testImport
210+ self.assertEqual(pyhbac.__file__, MODPATH + "/pyhbac.so")
211+AssertionError: '/<<PKGBUILDDIR>>/build/./tp_pyhbac_xw2omut2/pyhbac.so' != './tp_pyhbac_xw2omut2/pyhbac.so'
212+- /<<PKGBUILDDIR>>/build/./tp_pyhbac_xw2omut2/pyhbac.so
213++ ./tp_pyhbac_xw2omut2/pyhbac.so
214+
215+Given that the intention of the test is to verify that the two paths
216+are equal, I suggest that we do this slight improvement and call
217+'os.path.realpath' before comparing both paths. This way we guarantee
218+that they're both properly canonicalized.
219+
220+I have verified that the tests still pass with this change.
221+
222+Signed-off-by: Sergio Durigan Junior <sergio.durigan@canonical.com>
223+
224+Forwarded: yes, https://github.com/SSSD/sssd/pull/5636
225+Last-Updated: 2021-05-18
226+---
227+ src/tests/pyhbac-test.py | 3 ++-
228+ src/tests/pysss-test.py | 3 ++-
229+ src/tests/pysss_murmur-test.py | 3 ++-
230+ 3 files changed, 6 insertions(+), 3 deletions(-)
231+
232+diff --git a/src/tests/pyhbac-test.py b/src/tests/pyhbac-test.py
233+index 06163af..c8ce47f 100755
234+--- a/src/tests/pyhbac-test.py
235++++ b/src/tests/pyhbac-test.py
236+@@ -88,7 +88,8 @@ class PyHbacImport(unittest.TestCase):
237+ print("Could not load the pyhbac module. Please check if it is "
238+ "compiled", file=sys.stderr)
239+ raise e
240+- self.assertEqual(pyhbac.__file__, MODPATH + "/pyhbac.so")
241++ self.assertEqual(os.path.realpath(pyhbac.__file__),
242++ os.path.realpath(MODPATH + "/pyhbac.so"))
243+
244+
245+ class PyHbacRuleElementTest(unittest.TestCase):
246+diff --git a/src/tests/pysss-test.py b/src/tests/pysss-test.py
247+index 30bc074..20ef0ab 100755
248+--- a/src/tests/pysss-test.py
249++++ b/src/tests/pysss-test.py
250+@@ -58,7 +58,8 @@ class PysssImport(unittest.TestCase):
251+ print("Could not load the pysss module. Please check if it is "
252+ "compiled", file=sys.stderr)
253+ raise ex
254+- self.assertEqual(pysss.__file__, MODPATH + "/pysss.so")
255++ self.assertEqual(os.path.realpath(pysss.__file__),
256++ os.path.realpath(MODPATH + "/pysss.so"))
257+
258+
259+ class PysssEncryptTest(unittest.TestCase):
260+diff --git a/src/tests/pysss_murmur-test.py b/src/tests/pysss_murmur-test.py
261+index 531f8b5..75b4651 100755
262+--- a/src/tests/pysss_murmur-test.py
263++++ b/src/tests/pysss_murmur-test.py
264+@@ -59,7 +59,8 @@ class PySssMurmurImport(unittest.TestCase):
265+ print("Could not load the pysss_murmur module. "
266+ "Please check if it is compiled", file=sys.stderr)
267+ raise e
268+- self.assertEqual(pysss_murmur.__file__, MODPATH + "/pysss_murmur.so")
269++ self.assertEqual(os.path.realpath(pysss_murmur.__file__),
270++ os.path.realpath(MODPATH + "/pysss_murmur.so"))
271+
272+
273+ class PySssMurmurTestNeg(unittest.TestCase):
274diff --git a/debian/patches/series b/debian/patches/series
275index 66b6f6e..21183b7 100644
276--- a/debian/patches/series
277+++ b/debian/patches/series
278@@ -3,3 +3,4 @@ default-to-socket-activated-services.diff
279 fix_newer_autoconf.patch
280 0001-TOOLS-replace-system-with-execvp-to-avoid-execution-.patch
281 0001-ad-fallback-to-ldap-if-cldap-is-not-available-in-lib.patch
282+fix-python-tests.patch
283diff --git a/debian/rules b/debian/rules
284index 2adb804..c2251b3 100755
285--- a/debian/rules
286+++ b/debian/rules
287@@ -3,6 +3,8 @@
288 dh $@ --with python3 \
289 --builddirectory=build
290
291+export DEB_BUILD_MAINT_OPTIONS = optimize=-lto
292+
293 DPKG_EXPORT_BUILDFLAGS = 1
294 include /usr/share/dpkg/buildflags.mk
295

Subscribers

People subscribed via source and target branches