29 Jul
2017
29 Jul
'17
20:49
bsd-mailx (8.1.2-0.20160123cvs-4) unstable; urgency=medium
Since this version MIME headers are added to every outgoing mail
to indicate the correct local charset (from the POSIX locale)
and transfer encoding (always 8bit).
See "Character sets and MIME" in bsd-mailx(1) man page
and Bug#859935 for more information.
-- Robert Luberda <robert(a)debian.org> Sat, 15 Apr 2017 00:11:27 +0200
ca-certificates (20161102) unstable; urgency=medium
Update Mozilla certificate authority bundle to version 2.9.
The following certificate authorities were added (+):
+ "Certplus Root CA G1"
+ "Certplus Root CA G2"
+ "Certum Trusted Network CA 2"
+ "Hellenic Academic and Research Institutions ECC RootCA 2015"
+ "Hellenic Academic and Research Institutions RootCA 2015"
+ "ISRG Root X1"
+ "OpenTrust Root CA G1"
+ "OpenTrust Root CA G2"
+ "OpenTrust Root CA G3"
+ "SZAFIR ROOT CA2"
The following certificate authorities were removed (-):
- "CA Disig"
- "NetLock Business (Class B) Root"
- "NetLock Express (Class C) Root"
- "NetLock Notary (Class A) Root"
- "NetLock Qualified (Class QA) Root"
- "Sonera Class 1 Root CA"
- "Staat der Nederlanden Root CA"
- "Verisign Class 1 Public Primary Certification Authority - G2"
- "Verisign Class 3 Public Primary Certification Authority"
- "Verisign Class 3 Public Primary Certification Authority - G2"
-- Michael Shuler <michael(a)pbandjelly.org> Wed, 02 Nov 2016 21:15:03 -0500
ca-certificates (20151214) unstable; urgency=medium
Removed SPI CA. Closes: #796208
Updated Mozilla certificate authority bundle to version 2.6.
The following certificate authorities were added (+):
+ "CA WoSign ECC Root"
+ "Certification Authority of WoSign G2"
+ "Certinomis - Root CA"
+ "OISTE WISeKey Global Root GB CA"
+ "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
+ "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
The following certificate authorities were removed (-):
- "A-Trust-nQual-03"
- "Buypass Class 3 CA 1"
- "ComSign Secured CA"
- "Digital Signature Trust Co. Global CA 1"
- "Digital Signature Trust Co. Global CA 3"
- "SG TRUST SERVICES RACINE"
- "TC TrustCenter Class 2 CA II"
- "TC TrustCenter Universal CA I"
- "TURKTRUST Certificate Services Provider Root 1"
- "TURKTRUST Certificate Services Provider Root 2"
- "UTN DATACorp SGC Root CA"
- "Verisign Class 4 Public Primary Certification Authority - G3"
-- Michael Shuler <michael(a)pbandjelly.org> Mon, 14 Dec 2015 18:51:50 -0600
ca-certificates (20150426) unstable; urgency=medium
Update Mozilla certificate authority bundle to version 2.4.
The following certificate authorities were added (+):
+ "CFCA EV ROOT"
+ "COMODO RSA Certification Authority"
+ "Entrust Root Certification Authority - EC1"
+ "Entrust Root Certification Authority - G2"
+ "GlobalSign ECC Root CA - R4"
+ "GlobalSign ECC Root CA - R5"
+ "IdenTrust Commercial Root CA 1"
+ "IdenTrust Public Sector Root CA 1"
+ "S-TRUST Universal Root CA"
+ "Staat der Nederlanden EV Root CA"
+ "Staat der Nederlanden Root CA - G3"
+ "USERTrust ECC Certification Authority"
+ "USERTrust RSA Certification Authority" Closes: #762709
The following certificate authorities were removed (-):
- "America Online Root Certification Authority 1"
- "America Online Root Certification Authority 2"
- "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
- "GTE CyberTrust Global Root"
- "Thawte Premium Server CA"
- "Thawte Server CA"
-- Michael Shuler <michael(a)pbandjelly.org> Sun, 26 Apr 2015 10:37:48 -0500
dovecot (1:2.2.21-1) unstable; urgency=medium
This release disables the dovecot.socket systemd unit by default. The unit is
disabled only if the dovecot.service unit is already enabled, making sure
that dovecot will start on system boot. If you are upgrading dovecot and
previously relied on dovecot.socket and dovecot.service being both enabled,
please re-enable dovecot.socket manually using
systemctl enable dovecot.socket
Future package updates will not disable the socket unit again. For details
regarding this decision, please see Debian bugs #803915 and #814999.
-- Apollon Oikonomopoulos <apoikos(a)debian.org> Fri, 19 Feb 2016 16:54:27 +0200
gdb (7.8-1) experimental; urgency=medium
WARNING: gdb now uses Python 3 by default.
Please update your Python scripts to work on both Python 2 and 3 as
soon as possible.
See /usr/share/doc/gdb*/README.python_switch for details.
-- Samuel Bronson <naesten(a)gmail.com> Tue, 26 Aug 2014 14:04:20 -0400
glibc (2.21-2) unstable; urgency=medium
Starting with version 2.21-1, the glibc requires a 3.2 or later Linux
kernel. If you use an older kernel, please upgrade it *before*
installing this glibc version. Failing to do so will end-up with the
following failure:
Preparing to unpack .../libc6_2.21-1_amd64.deb ...
Checking for services that may need to be restarted...
Checking init scripts...
WARNING: this version of the GNU libc requires kernel version
3.2 or later. Please upgrade your kernel before installing
glibc.
Note: This obviously does not apply to non-Linux kernels.
-- Aurelien Jarno <aurel32(a)debian.org> Thu, 03 Dec 2015 22:46:21 +0100
gnupg2 (2.1.11-7+exp1) experimental; urgency=medium
The gnupg package now provides the "modern" version of GnuPG.
Please read /usr/share/doc/gnupg/README.Debian for details about the
transition from "classic" to "modern"
-- Daniel Kahn Gillmor <dkg(a)fifthhorseman.net> Wed, 30 Mar 2016 09:59:35 -0400
ifupdown (0.8.17) unstable; urgency=medium
Ifupdown now also configures VLANs for bridge interfaces. (Previously, the
bridge-utils package integrated with the vlan package to do this via if-up
hooks, however since bridge-utils 1.5-11 this integration has been removed.)
-- Guus Sliepen <guus(a)debian.org> Tue, 10 Jan 2017 17:20:09 +0100
ifupdown (0.8.1) unstable; urgency=medium
The /etc/default/networking file is now read even when systemd is used,
although its use is not recommended.
-- Guus Sliepen <guus(a)debian.org> Wed, 02 Dec 2015 23:25:41 +0100
ifupdown (0.8) unstable; urgency=medium
Ifupdown now comes with a systemd service file. Any options specified in
/etc/default/networking will no longer be used. If you are using
CONFIGURE_INTERFACES=no, then run "systemctl disable networking" instead.
If you are using EXCLUDE_INTERFACES, then edit /etc/network/interfaces and
remove those interfaces from any "auto" keywords.
Ifupdown will now be more strict when errors occur, and will also properly
return a non-zero exit code when (de)configuring an interface fails. Please
ensure your /etc/network/interfaces is correct and that your interfaces can
be brought up and down without errors, especially during system startup.
Ifupdown now has more fine-grained locking, allowing concurrent calls of
ifup and ifdown. It is also allowed to call ifup and ifdown from a (pre-)up
or (post-)down line from /etc/network/interfaces, as long as no recursion
occurs.
You can now use the "inherits" keyword to copy settings from another
interface stanza.
RFC 4361 DDNS support is now enabled by default for inet dhcp interfaces if
isc-dhcp-client is installed.
-- Guus Sliepen <guus(a)debian.org> Sun, 22 Nov 2015 21:19:44 +0100
initramfs-tools (0.129) unstable; urgency=medium
* Some systems that do not support suspend-to-disk (hibernation) will
require a configuration change to explicitly disable this.
From version 0.128, the boot code waits for a suspend/resume device
to appear, rather than checking just once. If the configured or
automatically selected resume device is not available at boot time,
this results in a roughly 30 second delay.
You should set the RESUME variable in
/etc/initramfs-tools/conf.d/resume or
/etc/initramfs-tools/initramfs.conf to one of:
- auto - select the resume device automatically
- none - disable use of a resume device
- UUID=<uuid> - use a specific resume device (by UUID)
- /dev/<name> - use a specific resume device (by kernel name)
-- Ben Hutchings <ben(a)decadent.org.uk> Thu, 20 Apr 2017 23:21:32 +0100
initramfs-tools (0.121~rc1) unstable; urgency=medium
* If initramfs-tools is configured to use busybox but it is not
installed, mkinitramfs will now fail. Previously it would quietly use
klibc instead, sometimes producing a broken initramfs. You may need
to modify /etc/initramfs-tools/initramfs.conf or install busybox when
upgrading.
* Support for loop-aes has been removed. If you use loop-aes encryption
for the root or /usr filesystem, you will need to switch to cryptsetup.
See the 'loop-AES extension' section in cryptsetup(8).
-- Ben Hutchings <ben(a)decadent.org.uk> Tue, 22 Dec 2015 21:56:40 +0000
iputils (3:20150815-1) unstable; urgency=medium
As of 3:20150815-1, the ping and ping6 commands are unified in a single
binary that can communicate with targets of either address family. In
order to force the use of a specific address family, you need to either
pass the argument -4 or -6 on the command line, or call the program via
one of the ping4 or ping6 names.
You will need to be particularly aware of this change if you're invoking ping
via a script as part of a monitoring or other such automated system.
-- Noah Meyerhans <noahm(a)debian.org> Fri, 19 Feb 2016 22:26:30 -0800
libcgi-pm-perl (4.15-1) unstable; urgency=medium
From upstream Changes, 4.15:
- This release removes the AUTOLOAD and compile optimisations from CGI.pm
that were introduced into CGI.pm twenty (20) years ago as a response to
its large size, which meant there was a significant compile time penalty.
[...]
- This essentially deprecates the -compile pragma and ->compile method. The
-compile pragma will no longer do anything, whereas the ->compile method
will raise a deprecation warning. More importantly this also REMOVES the
-any pragma because as per the documentation this pragma needed to be
"used with care or not at all" and allowing arbitrary HTML tags is almost
certainly a bad idea. If you are using the -any pragma and using arbitrary
tags (or have typo's in your code) your code will *BREAK*
- Although this release should be back compatible (with the exception of any
code using the -any pragma) you are encouraged to test it throughly as if
you are doing anything out of the ordinary with CGI.pm (i.e. have bugs
that may have been masked by the AUTOLOAD feature) you may see some issues.
From upstream Changes, 4.13:
- CGI::Pretty is now DEPRECATED and will be removed in a future release.
Please see GH #162 (https://github.com/leejo/CGI.pm/issues/162) for more
information and discussion (also GH #140 for HTML function deprecation
discussion: https://github.com/leejo/CGI.pm/issues/140)
-- gregor herrmann <gregoa(a)debian.org> Sat, 09 May 2015 22:01:44 +0200
linux-latest (76) unstable; urgency=medium
* From Linux 4.8, several changes have been made in the kernel
configuration to 'harden' the system, i.e. to mitigate security bugs.
Some changes may cause legitimate applications to fail, and can be
reverted by run-time configuration:
- On most architectures, the /dev/mem device can no longer be used to
access devices that also have a kernel driver. This breaks dosemu
and some old user-space graphics drivers. To allow this, set the
kernel parameter: iomem=relaxed
- The kernel log is no longer readable by unprivileged users. To
allow this, set the sysctl: kernel.dmesg_restrict=0
-- Ben Hutchings <ben(a)decadent.org.uk> Sat, 29 Oct 2016 02:05:32 +0100
linux-latest (75) unstable; urgency=medium
* From Linux 4.7, the iptables connection tracking system will no longer
automatically load helper modules. If your firewall configuration
depends on connection tracking helpers, you should explicitly load the
required modules. For more information, see
<https://home.regit.org/netfilter-en/secure-use-of-helpers/>.
-- Ben Hutchings <ben(a)decadent.org.uk> Sat, 29 Oct 2016 01:53:18 +0100
net-tools (1.60+git20161116.90da8a0-1) unstable; urgency=medium
After 15 years without upstream development, net-tools is being worked on
again, fixing many long-standing issues.
The bad news is that the output of many commands has changed, and it is sure
to break scripts that relied on parsing it.
If you have customs scripts that use any of these commands, please make sure
they still work after this upgrade:
netstat, ifconfig, ipmaddr, iptunnel, mii-tool, nameif, plipconfig, rarp,
route, slattach, arp.
Apologies in advance for the trouble that this may cause, but maintaining a
separate version of net-tools just to keep the old format is something I am
not able to do.
-- Martín Ferrari <tincho(a)debian.org> Mon, 26 Dec 2016 05:29:25 +0000
ntp (1:4.2.8p4+dfsg-2) unstable; urgency=medium
You now need to use "rlimit memlock -1" to disable locking memory. The
behaviour for ""rlimit memlock 0" changed between 4.2.8p3 and 4.2.8p4 and
it now tries to lock all the memory. But for various people this still
breaks things.
-- Kurt Roeckx <kurt(a)roeckx.be> Thu, 22 Oct 2015 18:58:56 +0200
opendkim (2.11.0~alpha-8) unstable; urgency=medium
On systems using systemd, this version replaces /etc/default/opendkim
with the files /etc/systemd/system/opendkim.service.d/overrride.conf
and /etc/tmpfiles.d/opendkim.conf carrying over non-default settings.
Note: since /etc/default/opendkim is removed if you are using systemd, if
you later switch back to sysvinit, you will have to manually recreate it
if needed.
-- Scott Kitterman <scott(a)kitterman.com> Mon, 07 Nov 2016 12:14:31 -0500
openssh (1:7.4p1-7) unstable; urgency=medium
This version restores the default for AuthorizedKeysFile to search both
~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in
Debian configurations before 1:7.4p1-1. Upstream intends to phase out
searching ~/.ssh/authorized_keys2 by default, so you should ensure that
you are only using ~/.ssh/authorized_keys, at least for critical
administrative access; do not assume that the current default will remain
in place forever.
-- Colin Watson <cjwatson(a)debian.org> Sun, 05 Mar 2017 02:12:42 +0000
openssh (1:7.4p1-1) unstable; urgency=medium
OpenSSH 7.4 includes a number of changes that may affect existing
configurations:
* ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
block ciphers are not safe in 2016 and we don't want to wait until
attacks like SWEET32 are extended to SSH. As 3des-cbc was the only
mandatory cipher in the SSH RFCs, this may cause problems connecting to
older devices using the default configuration, but it's highly likely
that such devices already need explicit configuration for key exchange
and hostkey algorithms already anyway.
* sshd(8): Remove support for pre-authentication compression. Doing
compression early in the protocol probably seemed reasonable in the
1990s, but today it's clearly a bad idea in terms of both cryptography
(cf. multiple compression oracle attacks in TLS) and attack surface.
Pre-auth compression support has been disabled by default for >10
years. Support remains in the client.
* ssh-agent will refuse to load PKCS#11 modules outside a whitelist of
trusted paths by default. The path whitelist may be specified at
run-time.
* sshd(8): When a forced-command appears in both a certificate and an
authorized keys/principals command= restriction, sshd will now refuse
to accept the certificate unless they are identical. The previous
(documented) behaviour of having the certificate forced-command
override the other could be a bit confusing and error-prone.
* sshd(8): Remove the UseLogin configuration directive and support for
having /bin/login manage login sessions.
The unprivileged sshd process that deals with pre-authentication network
traffic is now subject to additional sandboxing restrictions by default:
that is, the default sshd_config now sets UsePrivilegeSeparation to
"sandbox" rather than "yes". This has been the case upstream for a
while,
but until now the Debian configuration diverged unnecessarily.
-- Colin Watson <cjwatson(a)debian.org> Tue, 27 Dec 2016 18:01:46 +0000
openssh (1:7.2p1-1) unstable; urgency=medium
OpenSSH 7.2 disables a number of legacy cryptographic algorithms by
default in ssh:
* Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and the
rijndael-cbc aliases for AES.
* MD5-based and truncated HMAC algorithms.
These algorithms are already disabled by default in sshd.
-- Colin Watson <cjwatson(a)debian.org> Tue, 08 Mar 2016 11:47:20 +0000
openssh (1:7.1p1-2) unstable; urgency=medium
OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe
cryptography.
* Support for the legacy SSH version 1 protocol is disabled by default at
compile time. Note that this also means that the Cipher keyword in
ssh_config(5) is effectively no longer usable; use Ciphers instead for
protocol 2. The openssh-client-ssh1 package includes "ssh1",
"scp1",
and "ssh-keygen1" binaries which you can use if you have no alternative
way to connect to an outdated SSH1-only server; please contact the
server administrator or system vendor in such cases and ask them to
upgrade.
* Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is
disabled by default at run-time. It may be re-enabled using the
instructions at http://www.openssh.com/legacy.html
* Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by
default at run-time. These may be re-enabled using the instructions at
http://www.openssh.com/legacy.html
* Support for the legacy v00 cert format has been removed.
Future releases will retire more legacy cryptography, including:
* Refusing all RSA keys smaller than 1024 bits (the current minimum is
768 bits).
* Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc,
all arcfour variants, and the rijndael-cbc aliases for AES.
* MD5-based HMAC algorithms will be disabled by default.
-- Colin Watson <cjwatson(a)debian.org> Tue, 08 Dec 2015 15:33:08 +0000
openssh (1:6.9p1-1) unstable; urgency=medium
UseDNS now defaults to 'no'. Configurations that match against the client
host name (via sshd_config or authorized_keys) may need to re-enable it or
convert to matching against addresses.
-- Colin Watson <cjwatson(a)debian.org> Thu, 20 Aug 2015 10:38:58 +0100
openssl (1.1.0c-3) unstable; urgency=medium
The openssl enc command changed the default digest (used to create the key
from passphrase) from MD5 to SHA256 since the version 1.1.0. The digest can
be specified with the -md option.
-- Sebastian Andrzej Siewior <sebastian(a)breakpoint.cc> Tue, 27 Dec 2016 23:37:36
+0100
pinentry-gtk2 (0.9.6-3) unstable; urgency=medium
Since pinentry-gtk2 0.9.6, upstream now uses the default GTK text
entry widget instead of a custom text-entry widget. The GTK text
entry widget in password mode may display characters while typed based
on the setting of gtk-entry-password-hint-timeout. This value
defaults to 0 (never display), but may be overridden in
/etc/gtk-2.0/gtkrc or ~/.gtkrc-2.0. If your password entry shows the
last character typed, please ensure that this value is not set in your
system's configuration files.
See
https://developer.gnome.org/gtk2/stable/GtkSettings.html#GtkSettings--gtk-e…
and https://bugs.debian.org/801757 for more details.
-- Daniel Kahn Gillmor <dkg(a)fifthhorseman.net> Mon, 19 Oct 2015 20:39:25 -0400
proftpd-dfsg (1.3.5b-3) unstable; urgency=medium
Starting from this version, proftpd works by default in standalone mode at
its first install. It is still possible to use inetd/xinetd mode, but the
admin has to manage that manually by update-inetd or configuring xinetd.
Some information about that are provided in the accompanying doc
/usr/share/doc/proftpd-basic/README.Debian.
-- Francesco Paolo Lovergine <frankie(a)debian.org> Fri, 27 Jan 2017 14:44:31 +0100
systemd (231-1) unstable; urgency=low
This version drops support for running /etc/rcS.d SysV init scripts.
These are prone to cause dependency loops, and almost all Debian packages
with rcS scripts now ship a native systemd service. If you have custom or
third-party rcS scripts you need to convert them or change them to run
in rc2.d/ - rc5.d/; see this page for details:
<https://wiki.debian.org/Teams/pkg-systemd/rcSMigration>.
-- Martin Pitt <mpitt(a)debian.org> Thu, 14 Jul 2016 12:54:34 +0200
systemd (224-2) unstable; urgency=medium
This version splits out systemd-nspawn, systemd-machined, and machinectl
into the new "systemd-container" package. That now also enables
systemd-importd.
-- Martin Pitt <mpitt(a)debian.org> Sat, 22 Aug 2015 15:58:43 +0200
unbound (1.5.7-2) unstable; urgency=medium
The unbound package no longer ships an /etc/default/unbound conffile.
If modified, it will be renamed to /etc/default/unbound.dpkg-bak after
upgrading.
The /etc/default/unbound file, if it exists, will still be read and the
behavior of the package can be modified, but the defaults have been changed
to make it unnecessary for most users to need an /etc/default/unbound
file.
The following variables are still supported by the /etc/default/unbound
file, if it exists:
DAEMON_OPTS
If set, the value of this variable will be appended to the daemon
command-line.
RESOLVCONF
This variable now must be explicitly set to "false" to disable the
unbound package's resolvconf provider. Otherwise, it defaults to
enabled if unset.
In previous versions, this variable had to be explicitly set to "true"
to enable the resolvconf provider, but the /etc/default/unbound file
shipped with it explicitly enabled.
ROOT_TRUST_ANCHOR_FILE
This variable can be explicitly set to override the path used by the
root trust anchor update mechanism for the root trust anchor. Otherwise,
it defaults to /var/lib/unbound/root.key if unset.
ROOT_TRUST_ANCHOR_UPDATE
This variable now must be explicitly set to "false" to disable the root
trust anchor update mechanism. Otherwise, it defaults to enabled if
unset.
In previous versions, this variable had to be explicitly set to "true"
to enable the update mechanism, but the /etc/default/unbound file
shipped with it explicitly enabled.
The following variables are no longer supported by the /etc/default/unbound
file, but were present in previous versions:
UNBOUND_ENABLE
This variable controlled whether or not the init script would start the
Unbound daemon. Instead, use the standard Debian mechanisms for enabling
or disabling a service started by the init system.
RESOLVCONF_FORWARDERS
This variable controlled whether or not the upstream nameservers
supplied by resolvconf were configured into the running Unbound instance
with the "unbound-control forward" command, via a resolvconf update.d
hook.
This mechanism still exists, but the variable controlling it has been
removed. Instead, add or remove the executable bit from the
/etc/resolvconf/update.d/unbound file to enable or disable the hook.
This release also makes the following changes:
The resolvconf update.d hook can be problematic, especially if the
upstream nameservers do not perform DNSSEC validation, or if a
"forward-zone" declaration for the root zone has been statically
configured by the administrator. In previous versions, the hook was
enabled by default, but it is now disabled by default. It can be
explicitly enabled by running "chmod +x /etc/resolvconf/update.d/unbound".
The unbound package now depends on the dns-root-data package, and the root
trust anchor update mechanism has been enhanced to import the root trust
anchor from /usr/share/dns/root.key on new installations, or if the
/usr/share/dns/root.key file is newer than /var/lib/unbound/root.key.
-- Robert Edmonds <edmonds(a)debian.org> Sun, 21 Feb 2016 16:01:33 -0500
fail2ban (0.9.0+git48-gabcab00-1) experimental; urgency=low
[ Yaroslav Halchenko ]
* This version went through big refactoring which allowed to gain new
features such as multiline matching (see upstream's changelog for more
information).
* Although .local files are still supported, customizations are advised
to be provided under corresponding .d/ directories. E.g. see
/etc/fail2ban/jail.d/defaults-debian.conf which is where now sshd
jail is enabled by default to match previous behavior of Fail2Ban in
Debian.
[ Daniel Schaal ]
* All jails definitions were rewritten to become more concise and uniform.
From this version on log paths are defined in distro specific files,
for Debian this is in /etc/fail2ban/paths-debian.conf.
-- Yaroslav Halchenko <debian(a)onerussian.com> Tue, 25 Mar 2014 08:38:31 -0400
lsb (9.20150826) unstable; urgency=low
This update drops all lsb-* compatibility packages, and is therefore an
abandon of the pursuit of LSB compatibility for Debian. Only lsb-release and
lsb-base are kept as they continue to be used throughout the archive.
-- Didier Raboud <odyx(a)debian.org> Wed, 26 Aug 2015 12:00:00 +0200
make-dfsg (4.1-2) unstable; urgency=low
WARNING: Backward-incompatibility!
The ar program in the binutils package in Debian is now configured
with --enable-deterministic-archives. This change makes the archives
reproducible, by setting the UID, GID, and timestamp to 0. However,
when dealing with archives created with the libxx(*.o) style rules,
make needs the timestamp of the file in order to decide to update it
or not. With the current deterministic behavior of ar, the time stamp
is always 0. This has consequences, since make will fall back to always
adding each member to the archive, whether or not it is required. This
is a change in behaviour, and, for instance, it makes make fail to
build, failing 7 out of 10 archive tests.
.
Since binutils will create archive with time stamps set to 0 when
running in "deterministic" mode, make will always try to update such
members. When this is detected, make will emit a warning.
.
There is some online discussion:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798804
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798913
https://bugzilla.redhat.com/show_bug.cgi?id=1195883
-- Manoj Srivastava <srivasta(a)debian.org> Mon, 18 Jan 2016 16:09:19 -0800