Debian Patches

Status for ganeti/3.0.2-3

Patch Description Author Forwarded Bugs Origin Last update
0001-verify-warn-about-weak-certs.patch verify: warn about weak cert keys or signing algos
Extend x509.VerifyX509Certificate() to also check certificates for weak
keys or signing algorithms. Rename _VerifyCertificateInner() to
_VerifyX509CertificateValidity() to better match what it does, and add a
new _VerifyX509CertificateStrength() function that checks:

- whether the public key's length is smaller than
- whether the certificate is signed using a known-weak signature

Apart from cluster verify, VerifyX509Certificate() is also called in a
number of places as a pre-flight check with expiration warnings
disabled, where every non-empty response is treated as a hard error. In
order not to break these uses, we need to change
VerifyX509Certificate()'s API to make strength checks optional. Also we
refactor the error handling logic to return multiple error XOR warning
message that originate from different checks.
Apollon Oikonomopoulos <> no 2018-09-03
0002-remove-hardcoded-libc-linux-constants.patch Do not hardcode arch-dependent libc/linux constants
commit 1abcb876d279f698b0fafe723feac22540d145f9

utils.mlock: do not use hardcoded mlockall(2) flags

Switch to using the build-time detected flags from constants.

Signed-off-by: Apollon Oikonomopoulos <>

commit b273f537019249ce693f8df78640ff5c6c6bdf4c

kvm.netdev: do not use hardcoded ioctl values

Switch to using the build-time detected values from constants.

Signed-off-by: Apollon Oikonomopoulos <>

commit 681b23e163fc7d1fd1c9a88906834c67b9f0bf2e

Derive arch-dependent constant values from libc/linux headers

We are currently hardcoding some C constants in our Python code in two
places: the mlockall(2) flags (used via ctypes), and the TUN/TAP driver
ioctls. These constants are actually architecture-dependent and should
be derived at build time.

Use hsc2py to append these definitions to src/AutoConf.hs, and have them
propagate to Ganeti.Constants (and from there lib/ A
follow-up commit will replace the current constants with the derived

Signed-off-by: Apollon Oikonomopoulos <>
Apollon Oikonomopoulos <> no 2019-01-28
0003-py-tests-Add-compatibility-with-PyYAML-6.0.patch py-tests: Add compatibility with PyYAML 6.0.
PyYAML requires a 'Loader' argument since version 6.0. Explicitly add
FullLoader which was default in previous versions.

(cherry picked from commit 61d775002a5ded15586c58bd0708a16b0fc25536)
Marius Bakke <> no 2022-04-08
0004-py-tests-Use-the-safe-PyYAML-loader.patch py-tests: Use the "safe" PyYAML loader.
There are few reasons to use the "unsafe" FullLoader, none of which
affect the QA suite. Use the "safe" loader to set a precedence for
future uses of PyYAML.

(cherry picked from commit 0d7738656b0bdd3ba1e4ed50bcff0d182d850ce2)
Marius Bakke <> no 2022-04-08
0005-Relax-Haskell-dependencies-to-allow-LTS-19-packages.patch Relax Haskell dependencies to allow LTS-19 packages Apollon Oikonomopoulos <> no 2022-11-11
0006-Template-Haskell-2.17-compatibility.patch Template Haskell 2.17 compatibility
Handle the following changes in a backwards compatible manner:
- TyVarBndr is now annotated with a flag.
- The data constructors DoE and MDoE got a new Maybe ModName argument
to describe the qualifier of do blocks.

(cherry picked from commit a3bef2675e94cab1f6cab411bf319148c769325e)
Apollon Oikonomopoulos <> no 2022-12-04
0007-Allow-building-with-GHC-9-Lens-5.patch Allow building with GHC 9 / Lens 5
It looks like something in the GHC 9 / Lens 5 combination yields
unexpected results when using view on Lens', with GHC complaining that
it's passed a Lens' instead of a Getting (which should be compatible).
Commenting out the singatures of Ganeti.Network.poolLens,
Ganeti.Network.poolArrayLens and Ganeti.Utils.MultiMap.multiMapL makes
Ganeti build again, so I'll keep this ugly hack until I figure out
what's actually wrong.
Apollon Oikonomopoulos <> no 2022-12-07
0008-make-allow-C.utf8-alongside-C.UTF-8.patch make: allow C.utf8 alongside C.UTF-8
Since Debian glibc 2.34-1, the C.UTF-8 locale has been renamed to C.utf8 to
match upstream naming. Update the grep command used to figure out the
locale name to match against both names.
Apollon Oikonomopoulos <> no 2022-12-07
0009-uidpool_unittest-avoid-using-negative-UIDs.patch uidpool_unittest: avoid using negative UIDs
The uidpool unittests long relied on the fact that pgrep would accept
"-1" as a valid uid and in turn would match nothing. As of propcs 4.0.3
however, pgrep will error out when passed a negative uid, thus breaking
the tests.

Work around this by using a valid UID, but one that is unlikely to be
used in real systems: on most systems, SUB_UID_MAX which is the highest
uid expected to be in regular use, is set to 600100000. Picking 2^30 +
42 looks like a reasonably safe choice.

This fixes #1691.
Apollon Oikonomopoulos <> no 2023-03-06

All known versions for source package 'ganeti'