libraries and enlightenment 0.17.3 itself.
Upstream changes of Eina (to get an impression):
Eina 1.7.7
Changes since Eina 1.7.6:
-------------------------
No changes, just updating to keep in sync with last release.
Changes since Eina 1.7.5:
-------------------------
Improvements:
* Honor tile size in Eina_Tiler.
Fixes:
* Prevent denial of service on Eina_Hash function.
* Fix map leak in Eina_File infrastructure.
* Fix portability issue on 64bits system for Eina_CList.
* Fix magic failure in eina_value_array_count when array has not been allocated
Changes since Eina 1.7.4:
-------------------------
No changes, just updating to keep in sync with last release.
Changes since Eina 1.7.3:
-------------------------
Fixes:
* Fix EINA_INLIST_FOREACH_SAFE macro
* Add XML output to doc
* Add installation rule for doc
* Fix build for Windows platforms.
Changes since Eina 1.7.2:
-------------------------
* Fix Solaris build.
* Don't leak fd after exec.
Changes since Eina 1.7.1:
-------------------------
No changes, just updating to keep in sync with last release.
(1) clang flags:
dd_rescue.c:1494:22: warning: implicit declaration of function 'basename' is invalid in C99 [-Wimplicit-function-declaration]
const char* ibase = basename(inm);
(3) clang flags:
dd_recue.c:(.text+0x12b4): undefined reference to `mypread'
dd_rescue.c:(.text+0x1374): undefined reference to `mypwrite'
Reported by joerg@ bulkbuild, and discussed on tech-pkg@, thanks.
D-Bus 1.6.12 (2013-06-13)
==
Fixes:
• CVE-2013-2168: Fix misuse of va_list that could be used as a denial
of service for system services. Vulnerability reported by Alexandru Cornea.
(Simon)
• In dbus-daemon, don't crash if a .service file starts with key=value
(fd.o #60853, Chengwei Yang)
• Unix-specific:
· Fix an assertion failure if we try to activate systemd services before
systemd connects to the bus (fd.o #50199, Chengwei Yang)
· Avoid compiler warnings for ignoring the return from write()
(Chengwei Yang)
based on pkgsrc-wip/dbus-sharp.
This is a fork of ndesk-dbus, which is a C# implementation of D-Bus. It's often
referred to as "managed D-Bus" to avoid confusion with existing bindings (which
wrap libdbus).
-------------------------
Version 1.33, released 2013-03-30.
It brings long options, a new double overwrite mode (-2) and
a man page.
Version 1.32
has a new option -x to append to the output file
and you can specify -Y (multiple times if you wish so) to
write the same data to secondary output files.
Version 1.31 (2013-02-03)
brought a few tiny improvements in the output (such as
displaying the total elapsed time in the summary as opposed to
ETA of 0, and the amount of data really written with option
-W). But importantly, it has the new mode of triple
overwriting of data (options -3 and -4), with random numbers,
inverse random numbers, new random numbers (only for -4) and
zeros, this way allowing paranoia-safe deletion of
information.
Version 1.30 (2013-01-25)
brought a fix for outputting data to stdout and a fix for a
possible double free operation (introduced in 1.29). The
message formatting has been streamlined a bit. The PRNG can
now be initialized from a file (e.g. -Z /dev/urandom). The
program now can also avoid writing to a target block if the
target block already has the same data (option -W). Think of
SSDs or other devices where you want to avoid writes.
In Version 1.29 (2013-01-22)
a bug was fixed, where the last bytes were not copied
correctly if hardbs == softbs. 1.29 also brings a number of
new features; the ability to write the same (softbs sized)
block again and again (option -R, automatically set if infile
is /dev/zero), the ability to limit transfer size such that
the outfile won't be enlarged (-M) and the possibility to use
userspace random numbers (libc/frandom) to fill files with
random data (options -z and -Z). Last but not least, OBS also
builds .deb binaries for Ubu12.04 / Deb6 now.
Version 1.28 (released 2012-05-19)
uses better defaults for hard and softblock sizes (4k/64k
for buffered I/O, 512/1M for direct IO), as suggested by Jan
Kara. Also the copying of access times with the option -p
was fixed.
Version 1.27
allowed to do 512b direct IO (which is possible in latest
Linux kernels) -- idea and patch from Jan Kara. Change
posix_memalign() variable assignment. It has a number of
fixes from Valentin Lab; most importantly, when exiting
because of an error, it updates the variables that are
output. dd_rescue now avoids special characters in the
logfile. It handles situations gracefully, where wrong
positions resulted in the progress graph causing
faults. Some come from illegal input (negative offset ...),
which is now detected.
Version 1.25
contains a fix for spurious "Success" messages that resulted
from overwritten (cleared) errno. Bad blocks are formatted
in a way that they are not overwritten on screen and block
numbers are output as unsigned.
Version 1.24
contains a compile fix for Linux versions that contain the
splice syscall but not the other definitions. It also allows
for specifying a directory (such as ".") as output filename
in which case dd_rescue just appends the input file basename
to it, just like cp does. Maybe most importantly, the RPM
now contains the latest version of dd_rhelp (0.1.2).
to address issues with NetBSD-6(and earlier)'s fontconfig not being
new enough for pango.
While doing that, also bump freetype2 dependency to current pkgsrc
version.
Suggested by tron in PR 47882
All:
- Due to an incorrect message from last release, here is corrected
information on when a Linux installation is potentially dangerous:
New autoconf tests for sys/capability.h and cap_*() functions
from Linux -lcap
WARNING: If you do not see this:
checking for sys/capability.h... yes
...
checking for cap_get_proc in -lcap... yes
checking for cap_get_proc... yes
checking for cap_set_proc... yes
checking for cap_set_flag... yes
checking for cap_clear_flag... yes
your Linux installation is insecure in case you ever use the
command "setcap" to set up file capabilities for executable commands.
Note that cdrtools (as any other command) need to be capability aware
in order to avoid security leaks with enhanced privileges. In most
cases, privileges are only needed for a very limited set of operations.
If cdrtools (cdrecord, cdda2wav, readcd) are installed suid-root, the
functions to control privileges are in the basic set of supported
functions and thus there is no problem for any program to control its
privileges - if they have been obtained via suid root, you are on a
secure system.
If you are however on an incomplete installation, that supports to
raise privileges via fcaps but that does not include developer support
for caps, the programs get the privileges without being able to know
about the additional privileges and thus keep them because they cannot
control them.
WARNING: If you are on a Linux system that includes support for
fcaps (this seems to be true for all newer systems with
Linux >= 2.6.24) and there is no development support for capabilities
in the base system, you are on an inherently insecure system that allows
to compile and set up programs with enhanced privileges that cannot
control them.
In such a case, try to educate the security manager for the related
Linux distribution. Note that you may turn your private installation
into a secure installation by installing development support for libcap.
- WARNING: the include structure of include/schily/*.h and several sources
has been restructured to cause less warnings with older OS platforms.
If you see any new problem on your personal platform, please report.
- New includefiles:
  schily/poll.h          Support poll()
  schily/stdarg.h        An alias to schily/varargs.h (but using the std name)
  schily/sunos4_proto.h  Missing prototypes for SunOS-4.x to make gcc quiet
  schily/timeb.h         Needed for users of ftime()
- Many minor bug-fixes for the files include/schily/*.h
- include/schily/archconf.h now defines __SUNOS5 for easier coding
- include/schily/priv.h now defines platform independent fine grained privileges
- Updated README.compile:
Some typo patches from Jan Engelhardt <jengelh@inai.de>
Documented the "LINKMODE=" macro to explain how to create dynamically
linked binaries.
Libschily:
- Added #include <schily/libport.h> to libschily/fnmatch.c
Libedc (Optimized by Jörg Schilling, originated by Heiko Eißfeldt heiko@hexco.de):
- Added #include <schily/libport.h>
Libdeflt:
- Added #include <schily/libport.h>
Libfind:
- dirname -> dir_name to avoid a gcc warning
Libhfs_iso:
- Rename variable "utime" to "uxtime" to avoid a compiler warning
Libscg:
- Repositioned #ifdefs to avoid unused variable definitions in
libscg/scsi-sun.c
- libscg/scsi-linux-ata.c now aborts early if errno == EPERM. This now
makes it behave like libscg/scsi-linux-sg.c
- A new scg flag SCGF_PERM_PRINT tells libscg to print a more verbose error
in case that a SCSI command was aborted with errno == EPERM.
Cdrecord:
- Allow to compile without Linux libcap using "smake COPTX=-DNO_LINUX_CAPS LIB_CAP="
- Cdrecord now checks whether there are sufficient fine grained privileges.
- Cdrecord now uses the new flag SCGF_PERM_PRINT to get better warnings if the
permissions granted by the OS are not sufficient.
Cdda2wav (Maintained/enhanced by Jörg Schilling, originated by Heiko Eißfeldt heiko@hexco.de):
- Include file reordering to avoid warnings on older platforms
- Allow to compile without Linux libcap using "smake COPTX=-DNO_LINUX_CAPS LIB_CAP="
- Repositioned #ifdefs to avoid unused variable definitions in
cdda2wav/sndconfig.c
- Cdda2wav now checks whether there are sufficient fine grained privileges.
- Work around a bug in sys/param.h FreeBSD-9.1, that #define's __FreeBSD_kernel__
instead of #define __FreeBSD_kernel__ 9 that would be needed for Debian
k-FreeBSD compatibility.
The bug affects cdda2wav/mycdrom.h
Readcd:
- Allow to compile without Linux libcap using "smake COPTX=-DNO_LINUX_CAPS LIB_CAP="
- Readcd now checks whether there are sufficient fine grained privileges.
Mkisofs (Maintained/enhanced by Jörg Schilling since 1997, originated by Eric Youngdale):
- Make mkisofs compile without -DUDF and without -DDVD_VIDEO
Thanks to a hint from rmd4work@mail.ru
add: new supported ThinkPad X40
chg: adjusted poll interval to 200ms, which has an acceptable responsiveness
add: support for udev filesystem
and many bug fixes.
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
D-Bus Python Bindings 1.2.0 (2013-05-07)
========================================
The "compile like it's 1998" release.
Dependencies:
• libdbus 1.6 or later is now required.
Enhancements:
• Unicode Corrigendum 9: when used with a suitable version of libdbus
(1.6.10 or later, or 1.7.2 or later), noncharacters in strings are
now accepted
Fixes:
• Support DBusException('something with non—ASCII') under Python 2
(Michael Vogt, smcv; fd.o #55899)
• Correct some misleading wording in COPYING which was written under the
assumption that libdbus could actually be relicensed to MIT/X11
(Thiago Macieira)
• Avoid variable-length arrays, because MSVC++ is still stuck in 1998
(based on patches from Christoph Höger, fd.o #51725)
• Remove unnecessary uses of stdint.h (fd.o #51725)
• Add support for Unix compilers not supporting 'inline', for completeness
• Use GObject.__class__ instead of GObjectMeta, which can no longer be
imported from gi.repository.GObject in pygobject 3.8
• Fix autoreconfiscation on Automake 1.13 (Marko Lindqvist, fd.o #59006)
etckeeper is a collection of tools to let /etc be stored in a git,
mercurial, darcs, or bzr repository. It hooks into apt (and other
package managers including yum and pacman-g2) to automatically commit
changes made to /etc during package upgrades. It tracks file metadata
that revision control systems do not normally support, but that is
important for /etc, such as the permissions of /etc/shadow.
It's quite modular and configurable, while also being simple to use
if you understand the basics of working with revision control.
The GFM is an application allowing to manipulate single/group/tigroup files. It
can:
* create a new file
* open an existing file
* save file
* rename variables
* remove variables
* create folders
* group files into a group/tigroup file
* ungroup a group/tigroup file into single files
D-Bus 1.6.10 (2013-04-24)
==
The “little-known facts about bananas” release.
• Following Unicode Corrigendum #9, the noncharacters U+nFFFE, U+nFFFF,
U+FDD0..U+FDEF are allowed in UTF-8 strings again.
(fd.o #63072, Simon McVittie)
• Diagnose incorrect use of dbus_connection_get_data() with negative slot
(i.e. before allocating the slot) rather than returning junk
(fd.o #63127, Dan Williams)
• In the activation helper, when compiled for tests, do not reset the system
bus address, fixing the regression tests. (fd.o #52202, Simon)
• Fix building with Valgrind 3.8, at the cost of causing harmless warnings
with Valgrind 3.6 on some compilers (fd.o #55932, Arun Raghavan)
• Don't leak temporary fds pointing to /dev/null (fd.o #56927, Michel HERMIER)
• Create session.d, system.d directories under CMake (fd.o #41319,
Ralf Habacker)
• Unix-specific:
· Include alloca.h for alloca() if available, fixing compilation on
Solaris 10 (fd.o #63071, Dagobert Michelsen)
- added to MESSAGE advising of rc.d script changes
- added BASH as a tool
- fixed pygrub install so that it doesn't get overwritten with a symlink
- turned oxenstored.conf into a proper config file
functional for PV domains. Support for HVM domains and grant tables
is still to come. Note that xm/xend is deprecated in this version.
You should switch to using xl (which is tested to be working) if
you can.
----- 4.2.2
Xen 4.2.2 is a maintenance release in the 4.2 series and contains:
We recommend that all users of Xen 4.2.1 upgrade to Xen 4.2.2.
This release fixes the following critical vulnerabilities:
CVE-2012-5634 / XSA-33: VT-d interrupt remapping source
validation flaw
CVE-2013-0151 / XSA-34: nested virtualization on 32-bit
exposes host crash
CVE-2013-0152 / XSA-35: Nested HVM exposes host to being
driven out of memory by guest
CVE-2013-0153 / XSA-36: interrupt remap entries shared and
old ones not cleared on AMD IOMMUs
CVE-2013-0154 / XSA-37: Hypervisor crash due to incorrect
ASSERT (debug build only)
CVE-2013-0215 / XSA-38: oxenstored incorrect handling of
certain Xenbus ring states
CVE-2012-6075 / XSA-41: qemu (e1000 device driver): Buffer
overflow when processing large packets
CVE-2013-1917 / XSA-44: Xen PV DoS vulnerability with SYSENTER
CVE-2013-1919 / XSA-46: Several access permission issues with
IRQs for unprivileged guests
CVE-2013-1920 / XSA-47: Potential use of freed memory in event
channel operations
CVE-2013-1922 / XSA-48: qemu-nbd format-guessing due to missing
format specification
This release contains many bug fixes and improvements (around
100 since Xen 4.2.1). The highlights are:
ACPI APEI/ERST finally working on production systems
Bug fixes for other low level system state handling
Bug fixes and improvements to the libxl tool stack
Bug fixes to nested virtualization
----- 4.2.1
Xen 4.2.1 is a maintenance release in the 4.2 series and contains:
We recommend that all users of Xen 4.2.0 upgrade to Xen 4.2.1.
The release fixes the following critical vulnerabilities:
CVE-2012-4535 / XSA-20: Timer overflow DoS vulnerability
CVE-2012-4537 / XSA-22: Memory mapping failure DoS
vulnerability
CVE-2012-4538 / XSA-23: Unhooking empty PAE entries DoS
vulnerability
CVE-2012-4539 / XSA-24: Grant table hypercall infinite
loop DoS vulnerability
CVE-2012-4544, CVE-2012-2625 / XSA-25: Xen domain builder
Out-of-memory due to malicious kernel/ramdisk
CVE-2012-5510 / XSA-26: Grant table version switch list
corruption vulnerability
CVE-2012-5511 / XSA-27: Several HVM operations do not
validate the range of their inputs
CVE-2012-5513 / XSA-29: XENMEM_exchange may overwrite
hypervisor memory
CVE-2012-5514 / XSA-30: Broken error handling in
guest_physmap_mark_populate_on_demand()
CVE-2012-5515 / XSA-31: Several memory hypercall operations
allow invalid extent order values
CVE-2012-5525 / XSA-32: several hypercalls do not validate
input GFNs
Among many bug fixes and improvements (around 100 since Xen 4.2.0):
A fix for a long standing time management issue
Bug fixes for S3 (suspend to RAM) handling
Bug fixes for other low level system state handling
Bug fixes and improvements to the libxl tool stack
Bug fixes to nested virtualization
----- 4.2.0
The Xen 4.2 release contains a number of important new features
and updates including:
The release incorporates many new features and improvements to
existing features. There are improvements across the board including
to Security, Scalability, Performance and Documentation.
XL is now the default toolstack: Significant effort has gone
in to the XL tool toolstack in this release and it is now feature
complete and robust enough that we have made it the default. This
toolstack can now replace xend in the majority of deployments, see
XL vs Xend Feature Comparison. As well as improving XL the underlying
libxl library has been significantly improved and supports the
majority of the most common toolstack features. In addition the
API has been declared stable which should make it even easier for
external toolstack such as libvirt and XCP's xapi to make full use
of this functionality in the future.
Large Systems: Following on from the improvements made in 4.1
Xen now supports even larger systems, with up to 4095 host CPUs
and up to 512 guest CPUs. In addition toolstack feature like the
ability to automatically create a CPUPOOL per NUMA node and more
intelligent placement of guest VCPUs on NUMA nodes have further
improved the Xen experience on large systems. Other new features,
such as multiple PCI segment support have also made a positive
impact on such systems.
Improved security: The XSM/Flask subsystem has seen several
enhancements, including improved support for disaggregated systems
and a rewritten example policy which is clearer and simpler to
modify to suit local requirements.
Documentation: The Xen documentation has been much improved,
both the in-tree documentation and the wiki. This is in no small
part down to the success of the Xen Document Days so thanks to all
who have taken part.
This release fixes a serious security issue found in the way that RSA keys
were being generated.
It is recommended that existing Salt keys be regenerated once 0.15.1 has been
deployed on the master and all minions.
A 'key_regen' routine has been added to 0.15.1 to make this transition easier.
The following sequence is a convenient way to regenerate all keys in an
environment:
salt-run manage.key_regen
You will be prompted to restart the master. Once completed, all keys in the
environment will have been regenerated and you will need to accept the new
keys using the following command:
salt-key -A
This broke packages that needed a target Python at build-time.
Instead, change it from defined/undefined to yes/no/tool. Most cases
of defined used `yes' anyway; fix the few stragglers to do that instead.
New case `tool' is for TOOL_DEPENDS rather than buildlink3.
pkgsrc changes:
* set LICENSE as gnu-lgpl-v2 from COPYING.
* drop -DG_DISABLE_DEPRECATED in whole build instead of just in a directory
by patch-ah, because many deprecation warnings appear with recent
glib2.
* fix how the samba location is specified to configure.
Major changes in 1.6.7
======================
This is a convenient release for people who want to have old
gnome 2.32 and new glib:
* Do not build app lookup extension if we have glib >= 2.27.1
Other fixes:
* build: Adapt autogen.sh to libtool-2.4
* build: Bump fuse requirement for ATOMIC_O_TRUNC support
Upstream changes:
* Revision 2.36 2013-04-12 11:47:03+02 fred
* Some processes like apache under a recent Linux were listed with UID
* root instead of the correct UID, as they use setuid(). We now read the
* UID from the owner of /proc/PID instead of /proc/PID/stat, as this
* seems to be updated correctly. Thanks to Tom Schmidt
* <tschmidt AT micron.com> for pointing out this bug.
*
* Revision 2.35 2013-02-28 08:33:02+01 fred
* Added Stan Sieler's fix to my adaption of snprintf fix by Stan Sieler :-)
*
* Revision 2.34 2013-02-27 16:57:25+01 fred
* Added snprintf fix by Stan Sieler
From Nils Ratusznik per PR pkg/47800
pkgsrc changes:
---------------
Update MASTER_SITES. Now requires curl to fetch on https mirror.
Upstream changes:
-----------------
3.8.3 -> 3.8.4
- Added --version command line option
- Disable ACL tests if logrotate is not compiled WITH_ACL support or if
ACLs are not supported by the system running tests
- Disable SELinux tests if logrotate is not compiled WITH_SELINUX support
or if SELinux is not supported by the system running tests
- Fixed bug which prevented skipping particular log file config
if the config contained errors.
- Fixed skipping of configs containing firstaction/lastaction scripts
with '}' character in case of error before these scripts.
- Support also 'K' unit for *size directives.
- Added preremove option to let the admin do something with the old logs
before they are removed by logrotate.
- Fixed possible loop in tabooext parsing.
- Move code to set SELinux context before compressLogFile calls to create
compressed log files with the proper context.
- Call prerotate/postrotate script only for really rotated files in
nosharedscripts mode (as stated in man page).
LogRider is my attempt to improve a popular LogCheck/LogSentry utility.
LogCheck uses egrep for periodically scanning system logs for specific
alert/hacking signatures based on set of static filters. LogRider is
rewritten from scratch with a lot of important features added:
1. Strings caught by any filter are excluded from processing by next filters.
2. Actual filters are composed from the set of small sub-filters located
in directories whose name is given as the filter name. Each subfilter
contains messages generated by one service. You can easily put additional
filters for checking additional services without modification of
already existing program and configuration.
3. Configuration is separated from program and moved to standalone file.
This means that LogRider may be easily adapted to a new platform without
modification of program core, and may be easily used for checking multiple
logfiles by different filters.
. Updated salt to version 0.15.0
From SaltStack website:
Salt 0.15.0 comes with many smaller features and a few larger ones.
The Salt Mine
First there was the peer system, allowing for commands to be executed from a
minion to other minions to gather data live. Then there was the external job
cache for storing and accessing long term data. Now the middle ground is being
filled in with the Salt Mine. The Salt Mine is a system used to execute
functions on a regular basis on minions and then store only the most recent
data from the functions on the master, then the data is looked up via targets.
The mine caches data that is public to all minions, so when a minion posts
data to the mine all other minions can see it.
IPV6 Support
0.13.0 saw the addition of initial IPV6 support but errors were encountered
and it needed to be stripped out. This time the code covers more cases and
must be explicitly enabled. But the support is much more extensive than before.
Copy Files From Minions to the Master
Minions have long been able to copy files down from the master file server,
but until now files could not be easily copied from the minion up to the
master.
A new function called cp.push can push files from the minions up to the master
server. The uploaded files are then cached on the master in the master
cachedir for each minion.
Better Template Debugging
Template errors have long been a burden when writing states and pillar. 0.15.0
will now send the compiled template data to the debug log, this makes tracking
down the intermittent stage templates much easier. So running state.sls or
state.highstate with -l debug will now print out the rendered templates in the
debug information.
State Event Firing
The state system is now more closely tied to the master's event bus. Now when
a state fails the failure will be fired on the master event bus so that the
reactor can respond to it.
Major Syndic Updates
The Syndic system has been basically re-written. Now it runs in a completely
asynchronous way and functions primarily as an event broker. This means that
the events fired on the syndic are now pushed up to the higher level master
instead of the old method used which waited for the client libraries to return.
This makes the syndic much more accurate and powerful, it also means that all
events fired on the syndic master make it up the pipe as well making a reactor
on the higher level master able to react to minions further downstream.
Peer System Updates
The Peer System has been updated to run using the client libraries instead of
firing directly over the publish bus. This makes the peer system much more
consistent and reliable.
Minion Key Revocation
In the past when a minion was decommissioned the key needed to be manually
deleted on the master, but now a function on the minion can be used to revoke
the calling minion's key:
salt-call saltutil.revoke_auth
Function Return Codes
Functions can now be assigned numeric return codes to determine if the
function executed successfully. While not all functions have been given return
codes, many have and it is an ongoing effort to fill out all functions that
might return a non-zero return code.
Functions in Overstate
The overstate system was originally created to just manage the execution of
states, but with the addition of return codes to functions, requisite logic
can now be used with respect to the overstate. This means that an overstate
stage can now run single functions instead of just state executions.
Pillar Error Reporting
Previously if errors surfaced in pillar, then the pillar would consist of only
an empty dict. Now all data that was successfully rendered stays in pillar
and the render error is also made available. If errors are found in the
pillar, states will refuse to run.
Using Cached State Data
Sometimes states are executed purely to maintain a specific state rather than
to update states with new configs. This is grounds for the new cached state
system. By adding cache=True to a state call the state will not be generated
fresh from the master but the last state data to be generated will be used.
If no previous state data is available then fresh data will be generated.
Monitoring States
The new monitoring states system has been started. This is very young but
allows for states to be used to configure monitoring routines. So far only one
monitoring state is available, the disk.status state. As more capabilities are
added to Salt UI the monitoring capabilities of Salt will continue to be
expanded.
This integrates fixes for all vulnerabilities which were patched
in pkgsrc before.
Among many bug fixes and improvements (around 50 since Xen 4.1.4):
* ACPI APEI/ERST finally working on production systems
* Bug fixes for other low level system state handling
* Support for xz compressed Dom0 and DomU kernels
systems other than the build host.
- don't install dvd-handler -- DVD support is disabled since version 5.
- install query.sql in client-only package too.
All:
- Fixed a typo in include/schily/stat.h related to nanosecond
handling for NetBSD and OpenBSD
- New autoconf tests for sys/capability.h and cap_*() functions
from Linux -lcap
WARNING: If you do not see this:
checking for cap_get_proc in -lcap... yes
checking for cap_get_proc... yes
checking for cap_set_proc... yes
checking for cap_set_flag... yes
checking for cap_clear_flag... yes
your Linux installation is insecure in case you ever use the
command "setcap" to set up file capabilities for executable commands.
Note that cdrtools (as any other command) need to be capability aware
in order to avoid security leaks with enhanced privileges. In most
cases, privileges are only needed for a very limited set of operations.
If cdrtools (cdrecord, cdda2wav, readcd) are installed suid-root, the
functions to control privileges are in the basic set of supported
functions and thus there is no problem for any program to control its
privileges - if they have been obtained via suid root, you are on a
secure system.
If you are however on an incomplete installation, that supports to
raise privileges via fcaps but that does not include developer support
for caps, the programs get the privileges without being able to know
about the additional privileges and thus keep them because they cannot
control them.
WARNING: If you are on a Linux system that includes support for
fcaps (this seems to be true for all newer systems with
Linux >= 2.6.24) and there is no development support for capabilities
in the base system, you are on an inherently insecure system that allows
to compile and set up programs with enhanced privileges that cannot
control them.
In such a case, try to educate the security manager for the related
Linux distribution. Note that you may turn your private installation
into a secure installation by installing development support for libcap.
- The autoconf tests for broken Linux kernel headers now avoid to
warn for /usr/src/linux/include if this directory is missing.
- include/schily/priv.h now includes sys/capability.h if available.
Libscg:
- Trying to support suid-root-less installation of librscg users on Linux.
librscg now understands that a non-root program may be able to
create sockets for a privileged port.
Cdrecord:
- Trying to support suid-root-less installation of cdrecord on Linux.
NOTE: You need "file caps" support built into your Linux installation.
Call:
setcap cap_sys_resource,cap_dac_override,cap_sys_admin,cap_sys_nice,cap_net_bind_service,cap_ipc_lock,cap_sys_rawio+ep /opt/schily/bin/cdrecord
To set up the capabilities on Linux.
Cdda2wav (Maintained/enhanced by Jörg Schilling, originated by Heiko Eißfeldt heiko@hexco.de):
- Trying to support suid-root-less installation of cdda2wav on Linux.
NOTE: You need "file caps" support built into your Linux installation.
Call:
setcap cap_dac_override,cap_sys_admin,cap_sys_nice,cap_net_bind_service,cap_sys_rawio+ep /opt/schily/bin/cdda2wav
To set up the capabilities on Linux.
Readcd:
- Trying to support suid-root-less installation of readcd on Linux.
NOTE: You need "file caps" support built into your Linux installation.
Call:
setcap cap_dac_override,cap_sys_admin,cap_net_bind_service,cap_sys_rawio+ep /opt/schily/bin/readcd
To set up the capabilities on Linux.
Scgcheck:
- Link now against $(LIB_CAP) also as librscg needs it on Linux
Scgskeleton:
- Link now against $(LIB_CAP) also as librscg needs it on Linux
Btcflash:
- Link now against $(LIB_CAP) also as librscg needs it on Linux
Mkisofs (Maintained/enhanced by Jörg Schilling since 1997, originated by Eric Youngdale):
- -new-dir-mode now just supersedes the effect of -dir-mode on
directories that have been "invented" by mkisofs.
This is a more intuitive behavior.
- Link now against $(LIB_CAP) also as librscg needs it on Linux
Makefile
* xmlto is just required to docbook_docs, move dependency to `doc' option.
* remove buildlinking to gobject-introspection, it is already in option.mk
conditionally.
* gdk_pixbuf2 is really required by this package, drop specification of `build'
dependency.
* exactly specify required glib2 version.
* from NEWS, libnotify>=7.0 use GBus instead of dbus-glib, so drop dependency
on dbus and dbus-glib.
* change dependency on gtk3 to `build', it is just required to test build.
buildlink3.mk
* change ABI_DEPENDS to reasonable version.
* drop `doc' and `introspection' option condition handling , it will not affect
to packages using this file or should be handled packages by themselves.
* drop buildlinking to dbus and dbus-glib and add to gdk-pixbuf2, same reason
as Makefile.
options.mk
* gtk-doc documents are already in release tarball, so gtk-doc is not required
to build, reuse as docbook-docs to match PLIST.doc condition.
* exactly specify required gobject introspection version.
Bump PKGREVISION.
Collection.
Monitoring is an API with a DSL feel to write monitoring daemons in Python.
Monitoring works well for the following tasks:
* to be notified when incidents happen (email, XMPP, ZeroMQ...)
* automatic actions to be taken (restart, rm, git pull...)
* to collect system statistics for further processing e.g. graphs
* tie into existing/third-party Python code
* play along nicely with existing deployment/configuration ecosystem
(fabric/cuisine)
Overview
* monitoring DSL: declarative programming to define monitoring strategy
* wide spectrum: from data collection and incident reporting to taking
automatic actions
* Small, easy to read, a single file API
* Revised BSD License
Use Cases
* ensure service availability: test and start/stop when problems
* collect system statistics/data, log locally and/or remotely
* alert on system/service health, take actions
Fabric is an incredible tool to automate administration of remote machines.
As Fabric's functions are rather low-level, you'll probably quickly see a need
for more high-level functions such as add/remove users and groups,
install/upgrade packages, etc.
Cuisine is a small set of functions that sit on top of Fabric, to abstract
common administration operations such as file/dir operations, user/group
creation, package install/upgrade, making it easier to write portable
administration and deployment scripts.
Cuisine's features are:
* Small, easy to read, a single file API:
<object>_<operation>() e.g. dir_exists(location) tells if there is a
remote directory at the given location.
* Covers file/dir operations, user/group operations, package operations
* Text processing and template functions
* All functions are lazy: they will actually only do things when the change
is required.
1.1 "Mean Street" -- 4/2/2013
Core Features
* added --check option for "dry run" mode
* added --diff option to show how templates or copied files change, or
might change
* --list-tasks for the playbook will list the tasks without running them
* able to set the environment by setting "environment:" as a dictionary
on any task (go proxy support!)
* added ansible_ssh_user and ansible_ssh_pass for per-host/group username
and password
* jinja2 extensions can now be loaded from the config file
* support for complex arguments to modules (within reason)
* can specify ansible_connection=X to define the connection type in
inventory variables
* a new chroot connection type
* module common code now has basic type checking (and casting) capability
* module common now supports a 'no_log' attribute to mark a field as
not to be syslogged
* inventory can now point to a directory containing multiple
scripts/hosts files, if using this, put group_vars/host_vars
directories inside this directory
* added configurable crypt scheme for 'vars_prompt'
* password generating lookup plugin -- $PASSWORD(path/to/save/data/in)
* added --step option to ansible-playbook, works just like Linux
interactive startup!
Modules Added:
* bzr (bazaar version control)
* cloudformation
* django-manage
* gem (ruby gems)
* homebrew
* lvg (logical volume groups)
* lvol (LVM logical volumes)
* macports
* mongodb_user
* netscaler
* okg
* openbsd_pkg
* rabbit_mq_plugin
* rabbit_mq_user
* rabbit_mq_vhost
* rabbit_mq_parameter
* rhn_channel
* s3 -- allows putting file contents in buckets for sharing over s3
* uri module -- can get/put/post/etc
* vagrant -- launching VMs with vagrant, this is different from existing
vagrant plugin
* zfs
changes:
-many fixes
-new option: Generate encrypted backups without revealing the user's
key id via option --hidden-encrypt-key
-translation updates
-cleanup, doc improvement
pkgsrc changes:
-added option to use gnupg2
-drop py-boto dependency -- if we had a dependency for each possible
backend, it would be just too much. add a MESSAGE pointing to
some options and information
-minor cleanup
Version 1.6.0
- Re-org of code into multiple files, split HTML and Unix listdir() into
separate functions, various code cleanups and optimizations.
- Fixed a memory leak in listdir() when memory was allocated early and not
freed before function exit.
- Fixed possible buffer overflow where symbolic links are followed.
- Fixed links printing "argetm" before the name of the link when the LINK
setting for DIR_COLORS is set to target (Markus Schnalke
<meillo@marmaro.de>)
- More fully support dir colors -- added support for su, sg, tw, ow, & st
options (and "do" in theory).
- Use the environment variable "TREE_COLORS" instead of "LS_COLORS" for
color information if it exists.
- Added --si flag to print filesizes in SI (powers of 1000) units (Ulrich
Eckhardt)
- Added -Q to quote filenames in double quotes. Does not override -N or -q.
- Control characters are no longer printed in caret notation, but as
backslashed octal, ala ls, except for codes 7-13 which are printed as
\a, \b, \t, \n, \v, \f and \r respectively. Spaces and backslashes are
also now backslashed as per ls, for better input to scripts unless -Q
is in use (where "'s are backslashed.) (Ujjwal Kumar)
- Added -U for unsorted listings (directory order).
- Added -c for sorting by last status change (ala ls -c).
- --dirsfirst is now a meta-sort and does not override -c, -v, -r or -t, but
is disabled by -U.
- After many requests, added the ability to process the entire tree before
emitting output. Used for the new options --du, which works like the du
command: sums the amount of space under each directory and prints a total
amount used in the report and the --prune option which will prune all empty
directories from the output (makes the -P option output much more readable.)
It should be noted that this will be slow to output when processing large
directory trees and can consume copious amounts of memory, use at your own
peril.
- Added -X option to emit the directory tree in XML format (turns colorization
off always.)
- Added --timefmt option to specify the format of time display (implies -D).
Uses the strftime format.
Version 1.5.3
- Properly quote directories for the system command when tree is relaunched
using the -R option.
- Fixed possible indentation problem if dirs[*] is not properly zeroed
(Martin Nagy).
- Use strcoll() instead of strcmp() to sort files based on locale if set.
- Change "const static" to "static const" to remove some compiler warnings
for Solaris (Kamaraju Kusumanchi).
- Actually use TREE_CHARSET if it's defined.
- Automatically select UTF-8 charset if TREE_CHARSET is not set, and the
locale is set to *UTF-8 (overridden with --charset option.)
Version 1.5.2.2
- Set locale before checking MB_CUR_MAX.
- Added HP-NonStop platform support (Craig McDaniel <craigmcd@gmail.com>)
- Fixed to support 32 bit UID/GIDs.
- Added Solaris build options to Makefile (edit and uncomment to use).
Provided by Wang Quanhong
Version 1.5.2.1
- Added strverscmp.c file for os's without strverscmp. Source file is
attributed to: Jean-François Bignolles <bignolle@ecoledoc.ibp.fr>
- Try different approach to MB_CUR_MAX problem.
- Changed the argument to printit() to be signed char to avoid warnings.
Version 1.5.2
- Added --filelimit X option to not descend directories that have more than
X number of files in them.
- Added -v option for version sorting (also called natural sorting) ala ls.
Version 1.5.1.2
- Fixed compile issues related to MB_CUR_MAX on non-linux machines.
- Removed unnecessary features.h
File too long (should be no more than 24 lines).
Line too long (should be no more than 80 characters).
Trailing empty lines.
Trailing white-space.
Truncated the long files as best as possible while preserving the most info
contained in them.
0.5.1
* Add icon option to notify-send and kdialog
* Allow app_name in Growl notifications
0.5.0
* Fix ruby-growl adapter to work with new Growl protocol
- Fix a possible segfault
- Add a scalable icon
- Support empty sparse file
- Disable the PacMan animation
- Let total size be the sum of total size
- Fix a valgrind warning
COMMENT should not be longer than 70 characters.
COMMENT should not begin with 'A'.
COMMENT should not begin with 'An'.
COMMENT should not begin with 'a'.
COMMENT should not end with a period.
COMMENT should start with a capital letter.
pkglint warnings. Some files also got minor formatting, spelling, and style
corrections.
From http://download.gna.org/py-notify/:
"Releases in 0.1 development branch are still available on a separate page
for historical purposes. There is no reason to use them in production:
current stable 0.2 is both bug-free and faster, and more features can be
found in 0.3 development releases."
Package no longer needs buildlink3.mk file, as there is no shared library
installed. PLIST has many entries in PYSITELIB. Package uses PYDISTUTILS
to handle everything. pkg-config, libtool, and gmake are no longer needed.
HOMEPAGE and MASTER_SITES were updated. Added LICENSE. Passes pkglint.
Aaron J. Grier, with implementation changes by myself:
- rules to add the run-time path correctly when building shared versions
of libraries. Using -dllpath to ocamlmklib for this - ',' would need
to be clumsily escaped from gmake.
(This also needs a patched ocamlmklib - from ocaml 4.00.1nb2 -
that has -elfmode which prevents -L paths being added to the
run-time path).
- Path fixes, but not using fixed paths as originally proposed,
but the SUBST framework.
- Trim whitespace off a numeric string read out of the kernel.
Instead of open coding the function, use String.trim, as the
String library is used, anyway. (available in ocaml >= 4.00.1)
Upgrade to version 2.0:
- Canonicalize x86_64 to amd64.
- Canonicalize i86pc to i386.
- Implement a -format option in favor of the plethora of element selectors.
- Add -group, -release and -relgroup.
- Use lsb_release(1) on systems with Linux kernels to determine operating
system name (use the distribution ID).
- Handle Fedora, Mandriva, RedHat and SuSE.
- Handle Mac OS X.
- Handle Cygwin (at least on XP).
pkgsrc changes:
---------------
- Update dependency to py-paramiko to 1.10.0
upstream changes:
-----------------
2013-03-01: released Fabric 1.6.0
2013-03-01: released Fabric 1.5.4
[Bug] #844: Account for SSH config overhaul in Paramiko 1.10 by e.g.
updating treatment of IdentityFile to handle multiple values.
This and related SSH config parsing changes are backwards
incompatible; we are including them in this release because they do fix
incorrect, off-spec behavior.
[Bug] #843: Ensure string pool_size values get run through int() before
deriving final result (stdlib min() has odd behavior here...).
Thanks to Chris Kastorff for the catch.
[Bug] #839: Fix bug in rsync_project where IPv6 addresses were not always
correctly detected. Thanks to Antonio Barrero for catch & patch.
[Bug] #587: Warn instead of aborting when env.use_ssh_config is True but
the configured SSH conf file doesn't exist. This allows multi-user
fabfiles to enable SSH config without causing hard stops for users lacking
SSH configs. Thanks to Rodrigo Pimentel for the report.
[Feature] #821: Add remote_tunnel to allow reverse SSH tunneling
(exposing locally-visible network ports to the remote end).
Thanks to Giovanni Bajo for the patch.
[Feature] #823: Add env.remote_interrupt which controls whether Ctrl-C is
forwarded to the remote end or is captured locally
(previously, only the latter behavior was implemented).
Thanks to Geert Jansen for the patch.
- new "favorites" plug-in;
- mouse event handling on the desktop set as optional;
- possibility to open browser windows with specific views by default;
- additional minor fixes and improvements.
* let verbose output to stderr, so that such output is mixed to the command
output (for example, using redirect).
* avoid to use `flock', it is not a part of base.
* useradd
* add skel support
* set homedir properly
* avoid to try dropping from "Users" when uid=gid (pseudo group as user).
* also chgrp gid for created homedir.
* userdel
* catch up error correctly when trying to delete Windows users.
PR pkg/47581 by Nils Ratusznik.
3.8.2 -> 3.8.3
- Fixed setting "size" bigger than 4GB on 32bit architectures
- Do not overwrite mode set by "create" option when using ACL. "create"
directive is now not mixed up with ACLs. If you use "create" in config
file and log file has some ACLs set, ACLs are not kept and are
overwritten by the mode set in "create" directive.
- Mode argument in "create" directive can be omitted. Only owner and group
is set in this case. Check man page for more info.
- improvements to icons (emblems, type associations...)
- differentiated directory icons (pictures, videos...)
- fixes to the git and subversion plug-ins (when adding files)
- support for URLs and directories as desktop entries (homescreen)
- additional improvements when handling desktop entries
- some fixes to the user interface (back/forward buttons...)
- additional minor fixes (internal dependencies...)
* Added new option '-K, --skip-size'.
* Added new option '-T, --timeout'.
* Maximum skip size is now limited to 1% of infile size or 1 GiB.
* Set current_pos to end of block when reading backwards.
* The '-E, --max-error-rate' option now checks the rate of actually
failed reads, not the growth of error size.
All:
- include/schily/stat.h now contains macros to set the nanoseconds
in timestamps in a OS independent way
Mkisofs (Maintained/enhanced by Jörg Schilling since 1997, originated by Eric Youngdale):
- mkisofs now identifies itself by default (inside the APPID string)
as being UDF capable.
- mkisofs now sets link count and "unique id" == inode number for files.
Note that this may still not result in useful hardlinked files on all
platforms as e.g. Solaris and Linux ignore the UDF unique ID and rather
use the location of the file_entry as inode number. This will never
return the same number for different filenames that point to the
same file data and thus prevents hard linked files from being visible.
This is however not a Solaris problem, the problem is rather in the
UDF standard that does not require the unique id to be in a 32 bit
range as long as the media size is = 8 TB. Note that 32 bit UNIX
programs cannot access files with an inode number that cannot be
expressed as 32 bit number, so inode numbers that do not fit into
32 bits may cause problems. The only way to work around this problem
would be to enhance the Solaris and Linux UDF filesystem module to
recognize whether a filesystem has been created by mkisofs that grants
useful inode numbers. The same is already done for ISO-9660.
- mkisofs now supports additional file types with UDF:
- named pipes
- sockets
- character devices
- block devices
- mkisofs now supports all three UNIX times with microsecond granularity in UDF
- mkisofs now sets correct user/group/permission for symlinks in UDF
- mkisofs now supports S_ISUID, S_ISGID, S_ISVTX (set uid, set gid, sticky) in UDF
in modules (the files in ${WRKSRC}/library), as they're treated as
data and not scripts - the right thing to do is to set
"ansible_python_interpreter" in the configuration.
Also, install example files in ${PREFIX}/share/examples/ansible.
- install manpages
- replace "etc" with PKG_SYSCONFDIR in a number of locations
- replace "usr/share" with @PREFIX@/share in some places
- do some cleanup so things install with PKG_DEVELOPER set.
Euca2ools are command line tools for interacting with Amazon Web
Services (AWS) and other AWS-compatible web services, such as
Eucalyptus and OpenStack.
Uses Python, no Java.
Ansible is a radically simple model-driven configuration management,
multi-node deployment, and remote task execution system. Ansible works
over SSH and does not require any software or daemons to be installed
on remote nodes. Extension modules can be written in any language and
are transferred to managed machines automatically.