Merge ~sergiodj/ubuntu/+source/sssd:merge-2.7.1-2-kinetic into ubuntu/+source/sssd:debian/sid

Proposed by Sergio Durigan Junior
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merge reported by: Sergio Durigan Junior
Merged at revision: 35712e4711fbb023a05e53791f2839d478d93b8b
Proposed branch: ~sergiodj/ubuntu/+source/sssd:merge-2.7.1-2-kinetic
Merge into: ubuntu/+source/sssd:debian/sid
Diff against target: 309 lines (+234/-3)
2 files modified
debian/changelog (+230/-0)
debian/control (+4/-3)
Reviewer            Review Type    Date Requested    Status
git-ubuntu bot                                       Approve
Andreas Hasenack                                     Approve
Canonical Server                                     Pending
Review via email: mp+424698@code.launchpad.net

Description of the change

This is the merge of sssd 2.7.1-2 from Debian unstable.

The merge itself was simple, and we're actually able to even drop one of our deltas (the LTO one). The rest of our delta is very Ubuntu-specific and I don't see us getting rid of it anytime soon, but it's also very easy to maintain.

This new upstream release fixes a bunch of bugs, including one that I reported to upstream a while ago and is causing authentication failures (see bug #1934997). I looked at the current list of bugs for the package and couldn't find anything else that may be fixed by this new release.

There was a problem with version 2.7.1-1 (see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012502) but that's been fixed by 2.7.1-2 which backports an upstream patch (https://github.com/SSSD/sssd/pull/6204). This should be part of the next minor release.

There's a PPA with the proposed changes here:

https://launchpad.net/~sergiodj/+archive/ubuntu/sssd-merge/+packages

The builds are still running. Once they finish, I'll trigger autopkgtests and post the results here.

Sergio Durigan Junior (sergiodj) wrote :

Hm, the i386 build has failed due to missing dependencies. sssd unfortunately has this problem... I will check with the AA and see if it's possible to include those deps on i386.

Sergio Durigan Junior (sergiodj) wrote :

Status update: the new sssd introduces a new binary package called sssd-idp, which provides Kerberos plugins that are required to enable authentication against external identity providers. It also provides a helper program to handle the OAuth 2.0 Device Authorization Grant.

This new binary package requires a few more Build-Depends to be built:

- libcurl4-openssl-dev
- libjose-dev
- libkrad-dev

Of those, only libjose-dev isn't available on i386, and that's what's causing the FTBFS right now. I pinged vorlon on IRC and asked him if it's possible to add the jose package to i386, given that jose's build dependencies are all available on i386, and the fact that this is not the first time this i386 conundrum has happened.

I'm waiting on his reply to proceed with this MP.

I also think it's important to mention that this new binary package, once accepted, will land in universe. I talked to Andreas in private and we think that it should be fine to keep sssd-idp in universe for this cycle while we gather more information about its role in the bigger sssd picture. We can certainly revisit this next cycle and consider doing an MIR for it.

Sergio Durigan Junior (sergiodj) wrote :

<vorlon> | sergiodj: I would prefer you do the upload first so we can see via update_excuses what needs to be done and follow through

Therefore, I'm marking this MP as Needs Review again. Bear in mind that the build is currently failing on i386.

Andreas Hasenack (ahasenack) wrote :

I'll grab this

Andreas Hasenack (ahasenack) wrote :

> I talked to Andreas in private and we think that it should be fine to keep sssd-idp in universe
> for this cycle

Just reiterating this. Check out these upstream release notes about sssd-idp[1]:
"""
Added a new krb5 plugin idp and a new binary oidc_child which performs OAuth2 authentication against FreeIPA. This, however, can not be tested yet because this feature is still under development on the FreeIPA server side. Nevertheless, we have decided to include this in the release in order to enable the functionality on the clients immediately when the FreeIPA project delivers this feature without the need to update the clients.
"""

1. https://sssd.io/release-notes/sssd-2.7.0.html

Andreas Hasenack (ahasenack) wrote :

I think you can merge these two commits. Usually in logical, but if you want to do it now on top of debian/sid that's also fine:

commit d36036c652ab62d942eb2a8f8fa800fea6a78e3e
Author: Sergio Durigan Junior <email address hidden>
Date: Mon Feb 14 16:16:18 2022 -0500

        - Remember how architecture lists in debian/control work.

commit 0d33597c0bec4a96959d9a770b7d2681707ab8e9
Author: Sergio Durigan Junior <email address hidden>
Date: Mon Feb 14 16:15:29 2022 -0500

        - d/control: Don't build sssd-tools on i386, now uninstallable due
          to added python3-{click,systemd} dependencies.

DEP8 tests look good as well. I'm unsure what vorlon expects to see after the upload, since i386 won't build, and thus won't migrate.

+1

review: Approve

Sergio Durigan Junior (sergiodj) wrote :

On Monday, June 20 2022, Andreas Hasenack wrote:

> Review: Approve

Thanks for the review, Andreas.

> I think you can merge these two commits. Usually in logical, but if you want to do it now on top of debian/sid that's also fine:
>
> commit d36036c652ab62d942eb2a8f8fa800fea6a78e3e
> Author: Sergio Durigan Junior <email address hidden>
> Date: Mon Feb 14 16:16:18 2022 -0500
>
> - Remember how architecture lists in debian/control work.
>
> commit 0d33597c0bec4a96959d9a770b7d2681707ab8e9
> Author: Sergio Durigan Junior <email address hidden>
> Date: Mon Feb 14 16:15:29 2022 -0500
>
> - d/control: Don't build sssd-tools on i386, now uninstallable due
> to added python3-{click,systemd} dependencies.
>

Done, thanks.

> DEP8 tests look good as well. I'm unsure what vorlon expects to see after the upload, since i386 won't build, and thus won't migrate.

Uploaded:

$ dput sssd_2.7.1-2ubuntu1_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/sssd/sssd_2.7.1-2ubuntu1_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/sssd/sssd_2.7.1-2ubuntu1.dsc: Valid signature from 106DA1C8C3CBBF14
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading sssd_2.7.1-2ubuntu1.dsc: done.
  Uploading sssd_2.7.1.orig.tar.gz: done.
  Uploading sssd_2.7.1.orig.tar.gz.asc: done.
  Uploading sssd_2.7.1-2ubuntu1.debian.tar.xz: done.
  Uploading sssd_2.7.1-2ubuntu1_source.buildinfo: done.
  Uploading sssd_2.7.1-2ubuntu1_source.changes: done.
Successfully uploaded packages.

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: sergiodj, ahasenack
Uploaders: sergiodj, ahasenack
MP auto-approved

review: Approve

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 0aeea88..ea630cd 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,15 @@
6+sssd (2.7.1-2ubuntu1) kinetic; urgency=medium
7+
8+ * Merge with Debian unstable (LP: #1971327, #1934997). Remaining changes:
9+ - d/control: Drop libgdm-dev Build-Depend on i386.
10+ - d/control: Don't build sssd-tools on i386, now uninstallable due
11+ to added python3-{click,systemd} dependencies.
12+ * Dropped changes:
13+ - d/rules: Disable lto, not ready upstream.
14+ [ Incorporated by Debian ]
15+
16+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 14 Jun 2022 16:59:20 -0400
17+
18 sssd (2.7.1-2) unstable; urgency=medium
19
20 * pac-relax-default-for-pac_check-option.diff: Drop pac_present from
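Review bot: the merge bullet of the new 2.7.1-2ubuntu1 entry closes LP: #1971327 and #1934997 together without saying what either bug is, so the changelog alone does not show that #1934997 is the authentication failure the proposal description says this upstream release fixes. Consider giving it its own item, for example "New upstream release fixes authentication failures (LP: #1934997)", and keeping only the merge bug on the merge line.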
21@@ -40,6 +52,31 @@ sssd (2.6.3-2) unstable; urgency=medium
22
23 -- Timo Aaltonen <tjaalton@debian.org> Tue, 29 Mar 2022 10:04:50 +0300
24
25+sssd (2.6.3-1ubuntu3) jammy; urgency=medium
26+
27+ * No-change rebuild with new samba 4.15.5
28+
29+ -- Andreas Hasenack <andreas@canonical.com> Thu, 24 Feb 2022 08:55:08 -0300
30+
31+sssd (2.6.3-1ubuntu2) jammy; urgency=medium
32+
33+ * No-change rebuild with new libnfsidmap from src:nfs-utils
34+
35+ -- Andreas Hasenack <andreas@canonical.com> Thu, 17 Feb 2022 10:57:41 -0300
36+
37+sssd (2.6.3-1ubuntu1) jammy; urgency=medium
38+
39+ * Merge with Debian unstable (LP: #1946904). Remaining changes:
40+ - d/rules: Disable lto, not ready upstream.
41+ - d/control: Drop libgdm-dev Build-Depend on i386.
42+ - d/control: Don't build sssd-tools on i386, now uninstallable due
43+ to added python3-{click,systemd} dependencies.
44+ * Dropped changes, picked by Debian:
45+ - Remove RANDFILE from the config template. It's no longer necessary and
46+ breaks with openssl 3.0.
47+
48+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 14 Feb 2022 16:21:21 -0500
49+
50 sssd (2.6.3-1) unstable; urgency=medium
51
52 * New upstream release.
53@@ -51,6 +88,40 @@ sssd (2.6.3-1) unstable; urgency=medium
54
55 -- Timo Aaltonen <tjaalton@debian.org> Fri, 11 Feb 2022 09:35:43 +0200
56
57+sssd (2.6.1-1ubuntu4) jammy; urgency=medium
58+
59+ * No-change rebuild with Python 3.10 as default version
60+
61+ -- Graham Inggs <ginggs@ubuntu.com> Sun, 16 Jan 2022 15:13:06 +0000
62+
63+sssd (2.6.1-1ubuntu3) jammy; urgency=medium
64+
65+ * Remember how architecture lists in debian/control work.
66+
67+ -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 17 Dec 2021 23:12:51 +0000
68+
69+sssd (2.6.1-1ubuntu2) jammy; urgency=medium
70+
71+ * Don't build sssd-tools on i386, now uninstallable due to added
72+ python3-{click,systemd} dependencies.
73+
74+ -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 17 Dec 2021 21:50:00 +0000
75+
76+sssd (2.6.1-1ubuntu1) jammy; urgency=low
77+
78+ * Merge from Debian unstable. Remaining changes:
79+ - Disable lto, not ready upstream.
80+ - d/control: Drop libgdm-dev Build-Depend on i386.
81+ - Remove RANDFILE from the config template. It's no longer necessary and
82+ breaks with openssl 3.0.
83+ * Dropped changes, included upstream:
84+ - d/p/fix-python-tests.patch: Fix Python tests by making them
85+ assert Python module paths by using full pathnames.
86+ * Dropped changes, included in Debian:
87+ - debian/control: Switch to libsemanage-dev from libsemanage1-dev
88+
89+ -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 10 Dec 2021 10:29:16 -0800
90+
91 sssd (2.6.1-1) unstable; urgency=medium
92
93 * New upstream release.
94@@ -67,6 +138,54 @@ sssd (2.5.2-5) unstable; urgency=medium
95
96 -- Timo Aaltonen <tjaalton@debian.org> Mon, 08 Nov 2021 21:17:29 +0200
97
98+sssd (2.5.2-4ubuntu4) jammy; urgency=medium
99+
100+ * No-change rebuild against libssl3
101+
102+ -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 09 Dec 2021 00:19:23 +0000
103+
104+sssd (2.5.2-4ubuntu3) jammy; urgency=medium
105+
106+ * Remove RANDFILE from the config template. It's no longer necessary and
107+ breaks with openssl 3.0.
108+
109+ -- Rico Tzschichholz <ricotz@ubuntu.com> Tue, 23 Nov 2021 20:19:07 +0100
110+
111+sssd (2.5.2-4ubuntu2) jammy; urgency=medium
112+
113+ * debian/control: Switch to libsemanage-dev from libsemanage1-dev
114+
115+ -- Rico Tzschichholz <ricotz@ubuntu.com> Mon, 22 Nov 2021 20:51:36 +0100
116+
117+sssd (2.5.2-4ubuntu1) jammy; urgency=medium
118+
119+ * Merge with Debian unstable (LP: #1946904). Remaining changes:
120+ - Disable lto, not ready upstream.
121+ - d/control: Drop libgdm-dev Build-Depend on i386.
122+ - d/p/fix-python-tests.patch: Fix Python tests by making them
123+ assert Python module paths by using full pathnames.
124+ * Dropped changes:
125+ - d/apparmor-profile: Update profile. (LP #1910611)
126+ + Extend read permissions to /etc/sssd/** and /etc/gss/**.
127+ + Add read/execute permission to /usr/libexec/sssd/*.
128+ [ Incorporated by Debian. ]
129+ - Fix FTBFS with newer autoconf
130+ + debian/patches/fix_newer_autoconf.patch: do not unset PYTHON_PREFIX
131+ and PYTHON_EXEC_PREFIX in src/external/python.m4.
132+ [ Incorporated by Debian. ]
133+ - SECURITY UPDATE: shell command injection in sssctl comment
134+ + debian/patches/CVE-2021-3621.patch: replace system() with execvp() to
135+ avoid execution of user supplied command in
136+ src/tools/sssctl/sssctl.c, src/tools/sssctl/sssctl.h,
137+ src/tools/sssctl/sssctl_data.c, src/tools/sssctl/sssctl_logs.c.
138+ + CVE-2021-3621
139+ [ Incorporated by Debian. ]
140+ - d/p/disable-fail_over-tests.patch: Disable fail_over-tests,
141+ which is failing when running inside sbuild.
142+ [ Not needed anymore; issue does not reproduce on Jammy. ]
143+
144+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Wed, 27 Oct 2021 20:16:31 -0400
145+
146 sssd (2.5.2-4) unstable; urgency=medium
147
148 * control: Promote libnss-sss and libpam-sss to sssd-common Depends.
149@@ -109,6 +228,63 @@ sssd (2.5.2-1) unstable; urgency=medium
150
151 -- Timo Aaltonen <tjaalton@debian.org> Thu, 16 Sep 2021 14:51:42 +0300
152
153+sssd (2.4.1-2ubuntu4) impish; urgency=medium
154+
155+ * Fix FTBFS with newer autoconf
156+ - debian/patches/fix_newer_autoconf.patch: do not unset PYTHON_PREFIX
157+ and PYTHON_EXEC_PREFIX in src/external/python.m4.
158+
159+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 08 Sep 2021 11:39:53 -0400
160+
161+sssd (2.4.1-2ubuntu3) impish; urgency=medium
162+
163+ * SECURITY UPDATE: shell command injection in sssctl comment
164+ - debian/patches/CVE-2021-3621.patch: replace system() with execvp() to
165+ avoid execution of user supplied command in
166+ src/tools/sssctl/sssctl.c, src/tools/sssctl/sssctl.h,
167+ src/tools/sssctl/sssctl_data.c, src/tools/sssctl/sssctl_logs.c.
168+ - CVE-2021-3621
169+
170+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 18 Aug 2021 08:13:38 -0400
171+
172+sssd (2.4.1-2ubuntu2) impish; urgency=medium
173+
174+ * No-change rebuild due to OpenLDAP soname bump.
175+
176+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 18:09:16 -0400
177+
178+sssd (2.4.1-2ubuntu1) impish; urgency=medium
179+
180+ * Merge with Debian unstable. Remaining changes:
181+ - d/apparmor-profile: Update profile. (LP #1910611)
182+ + Extend read permissions to /etc/sssd/** and /etc/gss/**.
183+ + Add read/execute permission to /usr/libexec/sssd/*.
184+ - Disable lto, not ready upstream.
185+ - d/control: Drop libgdm-dev Build-Depend on i386.
186+ * Dropped changes:
187+ - d/p/condition-path-exists-sssd-conf.patch: Only start
188+ sssd.service if there is a configuration file present.
189+ (LP: #1900642)
190+ [ Included in 2.4.1-2 ]
191+ - d/p/0003-Only-start-sssd.service-if-there-s-a-configuration-f.patch:
192+ Upstream patch to make sssd.service only able to start when there
193+ is a configuration file present. (LP #1900642)
194+ - d/p/condition-path-exists-sssd-conf.patch: Remove.
195+ [ Included in 2.4.1-2 ]
196+ - Avoid sending malformed SYSLOG_IDENTIFIER to journald (LP #1908065):
197+ + d/p/lp-1908065-01-syslog_identifier-format.patch:
198+ Upstream patch to include "sssd[]" identifier in program names.
199+ + d/p/lp-1908065-02-remove-syslog_identifier.patch:
200+ Upstream patch to remove custom SYSLOG_IDENTIFIER from Journald.
201+ [ Included in 2.4.1-2 ]
202+ * Added changes:
203+ - d/p/fix-python-tests.patch: Fix Python tests by making them
204+ assert Python module paths by using full pathnames.
205+ - d/p/disable-fail_over-tests.patch: Disable fail_over-tests,
206+ which is failing when running inside sbuild.
207+
208+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 18 May 2021 17:29:58 -0400
209+
210 sssd (2.4.1-2) unstable; urgency=medium
211
212 [ Marco Trevisan (TreviƱo) ]
213@@ -134,6 +310,59 @@ sssd (2.4.1-1) unstable; urgency=medium
214
215 -- Timo Aaltonen <tjaalton@debian.org> Wed, 10 Feb 2021 11:32:35 +0200
216
217+sssd (2.4.0-1ubuntu7) impish; urgency=medium
218+
219+ * d/control: Drop libgdm-dev Build-Depend on i386.
220+
221+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 11 May 2021 16:22:31 -0400
222+
223+sssd (2.4.0-1ubuntu6) hirsute; urgency=medium
224+
225+ * Disable lto, not ready upstream.
226+
227+ -- Matthias Klose <doko@ubuntu.com> Tue, 23 Mar 2021 13:18:53 +0100
228+
229+sssd (2.4.0-1ubuntu5) hirsute; urgency=medium
230+
231+ * No change rebuild with fixed ownership.
232+
233+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 16 Feb 2021 15:22:14 +0000
234+
235+sssd (2.4.0-1ubuntu4) hirsute; urgency=medium
236+
237+ * Avoid sending malformed SYSLOG_IDENTIFIER to journald (LP: #1908065):
238+ - d/p/lp-1908065-01-syslog_identifier-format.patch:
239+ Upstream patch to include "sssd[]" identifier in program names.
240+ - d/p/lp-1908065-02-remove-syslog_identifier.patch:
241+ Upstream patch to remove custom SYSLOG_IDENTIFIER from Journald.
242+
243+ -- Valters Jansons <valter.jansons@gmail.com> Fri, 05 Feb 2021 20:51:32 +0000
244+
245+sssd (2.4.0-1ubuntu3) hirsute; urgency=medium
246+
247+ * d/apparmor-profile: Update profile. (LP: #1910611)
248+ - Extend read permissions to /etc/sssd/conf.d/* and /etc/gss/mech.d/*.
249+ - Add read/execute permission to /usr/libexec/sssd/*.
250+
251+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 18 Jan 2021 16:57:21 -0500
252+
253+sssd (2.4.0-1ubuntu2) hirsute; urgency=medium
254+
255+ * d/p/0003-Only-start-sssd.service-if-there-s-a-configuration-f.patch:
256+ Upstream patch to make sssd.service only able to start when there
257+ is a configuration file present. (LP: #1900642)
258+ * d/p/condition-path-exists-sssd-conf.patch: Remove.
259+
260+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 12 Jan 2021 16:17:38 -0500
261+
262+sssd (2.4.0-1ubuntu1) hirsute; urgency=medium
263+
264+ * d/p/condition-path-exists-sssd-conf.patch: Only start
265+ sssd.service if there is a configuration file present.
266+ (LP: #1900642)
267+
268+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Thu, 10 Dec 2020 14:20:24 -0500
269+
270 sssd (2.4.0-1) unstable; urgency=medium
271
272 * New upstream release.
273@@ -1203,3 +1432,4 @@ sssd (0.5.0-0ubuntu1) karmic; urgency=low
274 * Initial release.
275
276 -- Mathias Gug <mathiaz@ubuntu.com> Mon, 24 Aug 2009 16:35:11 -0400
277+
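Review bot: the only change in this hunk is an empty "+" line appended after the final "Initial release" entry at the end of debian/changelog. It is a whitespace-only difference from Debian's file that every later merge will have to carry; drop it unless the merge tooling requires it.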
278diff --git a/debian/control b/debian/control
279index 7fdf6ff..4a8fc74 100644
280--- a/debian/control
281+++ b/debian/control
282@@ -1,7 +1,8 @@
283 Source: sssd
284 Section: utils
285 Priority: optional
286-Maintainer: Debian SSSD Team <pkg-sssd-devel@alioth-lists.debian.net>
287+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
288+XSBC-Original-Maintainer: Debian SSSD Team <pkg-sssd-devel@alioth-lists.debian.net>
289 Uploaders: Timo Aaltonen <tjaalton@debian.org>,
290 Dominik George <natureshadow@debian.org>
291 Build-Depends:
292@@ -26,7 +27,7 @@ Build-Depends:
293 libcurl4-openssl-dev,
294 libdbus-1-dev,
295 libdhash-dev,
296- libgdm-dev [!s390x !kfreebsd-any !hurd-any],
297+ libgdm-dev [!s390x !kfreebsd-any !hurd-any !i386],
298 libglib2.0-dev,
299 libini-config-dev,
300 libjansson-dev,
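Review bot: the new !i386 restriction on libgdm-dev has no recorded reason. The changelog item only says "d/control: Drop libgdm-dev Build-Depend on i386", while the sssd-tools item beside it explains why it exists. Add the reason to the changelog item, and confirm that the i386 build configures cleanly without libgdm-dev so that the restriction does not just move the failure from dependency resolution to build time.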
301@@ -228,7 +229,7 @@ Description: System Security Services Daemon -- proxy back end
302 PAM modules to leverage SSSD caching.
303
304 Package: sssd-tools
305-Architecture: any
306+Architecture: amd64 arm64 armhf ppc64el riscv64 s390x
307 Depends:
308 python3,
309 python3-sss,
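Review bot: replacing "Architecture: any" with the fixed list "amd64 arm64 armhf ppc64el riscv64 s390x" for sssd-tools excludes i386 as intended, but it also silently excludes every architecture not named, so a new port gets no sssd-tools until someone edits this line. The reason (python3-{click,systemd} not installable on i386) is recorded only in debian/changelog; a comment line above the field in debian/control would keep it next to the list it justifies. Also check that no binary package still built on i386 depends on sssd-tools, since it would be uninstallable there.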
