When packaging new backport versions, I diff the old Debian package with the old backport package to extract the changes I did there, and then apply this patch to the new version. There is always a reject in debian/changelog because the topmost bpo entry won't apply cleanly to the new changelog. To fix this, I invoke "vi debian/changelog*" and manually copy the rejected hunk.

Unfortunately, I regularly end up copying it from debian/changelog.rej (buffer 3) into debian/changelog.orig (buffer 2) instead of debian/changelog (buffer 1). Here's the fix in my .vimrc:

" Prevent accidental editing of patch .orig files
autocmd BufRead *.orig set readonly

PostgreSQL's libpq5 package got its symbols file somewhere around version 8.4, so the symbols in there were all marked with version "8.4~" or greater. As I'm working on pgapt.debian.net aiming at providing packages for all upstream-supported PG versions (currently 8.3 and up), this made packages incompatible with 8.3's libpq5.

There didn't seem to be a ready program to feed a series of .deb files which would then run dpkg-gensymbols and build a symbols file, so I wrote this shell script:

#!/bin/sh

set -eu

[ -d tmp ] || mkdir tmp

i=1

for pkg in "$@" ; do
    echo "$pkg"
    test -e "$pkg"
    name=$(dpkg-deb -I "$pkg" | perl -lne 'print $1 if /^ Package: (.+)/')
    version=$(dpkg-deb -I "$pkg" | perl -lne 'print $1 if /^ Version: (.+)/')
    out=$(printf "tmp/%03d_%s" $i "$version")
    dpkg-deb -x "$pkg" "$out"
    dpkg-gensymbols -P"$out" -p"$name" -v"$version" \
        ${oldsymbols:+-I"$oldsymbols"} -O"$out.symbols" | \
        tee "$out.symbols.diff"
    test -s "$out.symbols.diff" || rm "$out.symbols.diff"
    oldsymbols="$out.symbols"
    rm -rf "$out"
    i=$(expr $i + 1)
done

To use it, do the following:

• debsnap -a i386 libpq5
• ls binary-libpq5/*.deb > files
• edit "files" to have proper ordering (~rc versions before releases, remove bpo versions, etc.)
• ./walk-symbols $(cat files)

The highest-numbered *.symbols file in tmp/ will then have symbol information for all packages. I then did some manual post-processing like s/~rc1-1/~/ to get nice (and backportable) version numbers.

Another nice trick (pointed out by jcristau) is to replace the lowest version number of that package (8.2~ here, where libpq changed SONAME) by 0 which will make dpkg-shlibdeps omit the >= version part. (Most packages depending on libpq5 will profit from that.)

I'm still pondering whether this script is non-trivial enough add to devscripts. (The people I asked so far only made comments about the mkdir call...)

My first DNSSEC setups were using OpenDNSSEC, but at some point I prefered to migrate to DNSSEC-Tools.

Here's a hack (howto) to migrate the KSK keys to .krf format. The ZSK keys will be generated by the first zonesigner run.

#!/bin/sh

ZONE="$1"
KEY="$2"
ALGO="$3"

cd keys
sudo softhsm --export $ZONE.zsk --slot 0 --pin 1234 --id $KEY
softhsm-keyconv --tobind --in $ZONE.zsk --name $ZONE. --algorithm $ALGO

BINDKEY=$(ls K$ZONE*key)
sed -i -e 's/256/257/' $BINDKEY
BASEKEY=$(basename $BINDKEY .key)

cd ..

cat > $ZONE.krf <<EOF
zone    "$ZONE"
    serial      "2011112202"
    kskcur      "$ZONE-signset-00001"
    signedzone  "$ZONE.signed"
    kskcount    "1"
    archivedir  "/var/lib/dnssec-tools/archive"
    kskdirectory    "/cb/ns.df7cb.de/keys"
    zskdirectory    "/cb/ns.df7cb.de/keys"
    endtime     "+2592000"
    lastset     "$ZONE-signset-00004"
    zonefile    "$ZONE"
    keyrec_type "zone"
    keyrec_signsecs "1321964086"
    keyrec_signdate "Tue Nov 22 12:14:46 2011"

set "$ZONE-signset-00001"
    keys        "$BASEKEY"
    set_type    "kskcur"
    zonename    "$ZONE"
    keyrec_setsecs  "1321961247"
    keyrec_setdate  "Tue Nov 22 11:27:27 2011"

key "$BASEKEY"
    zonename    "$ZONE"
    keyrec_type "kskcur"
    algorithm   "$ALGO"
    random      "/dev/urandom"
    keypath     "/cb/ns.df7cb.de/keys/$BINDKEY"
    ksklength   "2048"
    ksklife     "15552000"
    revperiod   "3888000"
    keyrec_gensecs  "1321961248"
    keyrec_gendate  "Tue Nov 22 11:27:28 2011"

EOF

zonesigner -keydirectory keys -usensec3 -genzsk -verbose $ZONE

rollinit $ZONE >> all.rollrec

echo "/cb/ns.df7cb.de/$ZONE.signed $ZONE cb@df7cb.de" >> checkzones.txt

(The filenames at the end are those used by http://www.incertum.net/archives/11-DNSSEC-mit-Debiansqueeze-dnssec-tools,-bind9.html)

Vim's habit of completing the full filename of the first match on :e has always annoyed me. Rhonda pointed me to wildmode - thanks!

set wildmode=longest,list:longest,list:full

Transitioning Python modules to dh_python2 is straightforward. I removed LOADS of magic from python-radix. I especially like the complexity reduction in debian/rules, but debian/control also got some fields removed.

Because of some problem with Denic's DNSSEC testbed and bind resolvers, dlv.isc.org has removed all DLV records for *.de domains. WTF.

29. April 2011

I doubt CUPS and I will ever become friends. Every time I try to print something at home, my notebook has new issues. This time the HP color laser had jobs stuck at "pending".

Fix this time: re-run hp-setup to add a new printer definition. In the gimp print dialog a new tab for "color" will appear. Thanks zobel for the suggestion.