Re: jessie RC bugs in perl packages

gregor herrmann-3
On Wed, 17 May 2017 13:40:51 +0300, Adrian Bunk wrote:

> The following RC bugs in jessie seem easily fixable[1]:
>
> #788008 libcgi-application-plugin-anytemplate-perl: missing dependency on libclone-perl
> #784845 libdevel-gdb-perl: FTBFS: t/expect.t #8 sometimes fails
> #810655 libembperl-perl: postinst fails when libapache2-mod-perl2 is not installed
> #783656 libhtml-microformats-perl: missing dependency on libmodule-pluggable-perl
> #788350 FTBFS - proxy tests
> #824843 libsys-syscall-perl: FTBFS on arm64: test suite failures
> #824936 libsys-syscall-perl: FTBFS on mips*: test failures
> #517472 libxml-libxml-perl: Missing versioned dependency on libxml2 - Causes runtime warnings
> #808454 libdata-faker-perl: FTBFS under some locales (eg. fr_CH.UTF-8)
> #830476 libpoe-component-client-http-perl: accesses the internet during build
> #834961 libvitacilina-perl: FTBFS too much often (configure fails)
> #848060 libx11-protocol-other-perl: FTBFS randomly (failing tests)
> #849777 shutter: CVE-2016-10081: Insecure use of perl exec()
>
> Could you prepare jessie-pu updates for them?
I'm starting to look at them right now at the pkg-perl sprint.
Thanks for providing this list!


Cheers,
gregor

--
 .''`.  https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-  

Re: jessie RC bugs in perl packages

gregor herrmann-3
On Fri, 19 May 2017 12:53:10 +0200, gregor herrmann wrote:

> > Could you prepare jessie-pu updates for them?
> I'm starting to look at them right now at the pkg-perl sprint.
> Thanks for providing this list!


> #788008 libcgi-application-plugin-anytemplate-perl: missing dependency on libclone-perl

Update prepared in git, pu-bug filed.

> #784845 libdevel-gdb-perl: FTBFS: t/expect.t #8 sometimes fails

This is an occasional test failure, and I'm not convinced that applying the
change from testing/unstable (disabling one test) actually helps any user in
stable.

> #810655 libembperl-perl: postinst fails when libapache2-mod-perl2 is not installed

Update prepared in git, pu-bug filed.

> #783656 libhtml-microformats-perl: missing dependency on libmodule-pluggable-perl

Update prepared in git, pu-bug filed.

> #788350 FTBFS - proxy tests

Update prepared in git, pu-bug filed.

> #824843 libsys-syscall-perl: FTBFS on arm64: test suite failures
> #824936 libsys-syscall-perl: FTBFS on mips*: test failures

#826136 as well (bug metadata updated - not RC but when we're there we can
just take all of them, I guess).

Update prepared in git, pu-bug filed.

> #517472 libxml-libxml-perl: Missing versioned dependency on libxml2 - Causes runtime warnings

I think that's not serious for jessie.
Originally this was an annoying warning (which it probably still is in
jessie), and we bumped the severity later when packages failed to build
because of it: #796354 - libimage-info-perl, and #796385 - request-tracker4.
I just rebuilt libimage-info-perl in a jessie chroot without any problems,
therefore I'd rather not update libxml-libxml-perl in jessie.
(Maybe we should lower the severity now? Or tag it stretch+sid)

> #808454 libdata-faker-perl: FTBFS under some locales (eg. fr_CH.UTF-8)

Update prepared in git, pu-bug filed.

> #830476 libpoe-component-client-http-perl: accesses the internet during build

I think there is no clear consensus that pure DNS queries are really a
policy violation. As this change wouldn't provide any practical advantage,
I'd rather ignore it for stable.

> #834961 libvitacilina-perl: FTBFS too much often (configure fails)

As I understand it, this bug doesn't affect stable:
ExtUtils::MakeMaker (see #835988) and Encode (see #835989)

Bug metadata updated.

> #848060 libx11-protocol-other-perl: FTBFS randomly (failing tests)

Update prepared in git, pu-bug filed.

> #849777 shutter: CVE-2016-10081: Insecure use of perl exec()

I'm confused. This should be fixed in 0.92-0.1+deb8u1.
At least that's what https://tracker.debian.org/news/829114 says.
Still, https://bugs.debian.org/849777 doesn't know about it?
(But shows some pending fixes in some pushes?)


Ok, so far for the first round.


Cheers,
gregor

--
 .''`.  https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-  

Re: jessie RC bugs in perl packages

Adrian Bunk-3
I'm adding the release team to the Cc for the 3 bugs that are
candidates for jessie-ignore.

On Fri, May 19, 2017 at 10:24:15PM +0200, gregor herrmann wrote:
> On Fri, 19 May 2017 12:53:10 +0200, gregor herrmann wrote:
>
> > > Could you prepare jessie-pu updates for them?
> > I'm starting to look at them right now at the pkg-perl sprint.
> > Thanks for providing this list!

Thanks a lot for working on them!

Comments on some items:

>...
> > #784845 libdevel-gdb-perl: FTBFS: t/expect.t #8 sometimes fails
>
> This is an occasional test failure, and I'm not convinced that applying the
> change from testing/unstable (disabling one test) actually helps any user in
> stable.
>...

Release team, if appropriate please mark jessie-ignore.

>...
> > #517472 libxml-libxml-perl: Missing versioned dependency on libxml2 - Causes runtime warnings
>
> I think that's not serious for jessie.
> Originally this was an annoying warning (which it probably still is in
> jessie), and we bumped the severity later when packages failed to build
> because of it: #796354 - libimage-info-perl, and #796385 - request-tracker4.
> I just rebuilt libimage-info-perl in a jessie chroot without any problems,
> therefore I'd rather not update libxml-libxml-perl in jessie.
> (Maybe we should lower the severity now? Or tag it stretch+sid)
>...

This shouldn't be a problem in a pure jessie.

It only warns about older versions, so the case it would fix in jessie
would be warnings when using the jessie libxml-libxml-perl with the
wheezy libxml2 (which seems permitted by the dependencies).

The change to libxml-libxml-perl would be small, but if there are no
reported problems during wheezy -> jessie upgrades I agree that this
is not necessary.

Release team, if appropriate please mark jessie-ignore.

>...
> > #830476 libpoe-component-client-http-perl: accesses the internet during build
>
> I think there is no clear consensus that pure DNS queries are really a
> policy violation. As this change wouldn't provide any practical advantage,
> I'd rather ignore it for stable.
>...

Release team, if appropriate please mark jessie-ignore.
 
>...
> > #849777 shutter: CVE-2016-10081: Insecure use of perl exec()
>
> I'm confused. This should be fixed in 0.92-0.1+deb8u1.
> At least that's what https://tracker.debian.org/news/829114 says.
> Still, https://bugs.debian.org/849777 doesn't know about it?
>...

CVE-2015-0854 != CVE-2016-10081

> Cheers,
> gregor

cu
Adrian

--

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Re: jessie RC bugs in perl packages

gregor herrmann-3
On Sat, 20 May 2017 13:21:12 +0300, Adrian Bunk wrote:

> I'm adding the release team to the Cc for the 3 bugs that are
> candidates for jessie-ignore.

Thanks!
 
> > > #849777 shutter: CVE-2016-10081: Insecure use of perl exec()
> >
> > I'm confused. This should be fixed in 0.92-0.1+deb8u1.
> > At least that's what https://tracker.debian.org/news/829114 says.
> > Still, https://bugs.debian.org/849777 doesn't know about it?
> >...
>
> CVE-2015-0854 != CVE-2016-10081

Oops :/
Sorry, I should have stopped yesterday when I realized that I was
getting tired.

Done now: cherrypicked the same commits for stable in git and filed a
pu bug.


Cheers,
gregor

--
 .''`.  https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-  

Re: jessie RC bugs in perl packages

Julien Cristau-6
In reply to this post by Adrian Bunk-3
Control: tag 783610 jessie-ignore
Control: severity 830476 normal

On Sat, May 20, 2017 at 13:21:12 +0300, Adrian Bunk wrote:

> I'm adding the release team to the Cc for the 3 bugs that are
> candidates for jessie-ignore.
>
> On Fri, May 19, 2017 at 10:24:15PM +0200, gregor herrmann wrote:
> > On Fri, 19 May 2017 12:53:10 +0200, gregor herrmann wrote:
> >
> > > > Could you prepare jessie-pu updates for them?
> > > I'm starting to look at them right now at the pkg-perl sprint.
> > > Thanks for providing this list!
>
> Thanks a lot for working on them!
>
> Comments on some items:
>
> >...
> > > #784845 libdevel-gdb-perl: FTBFS: t/expect.t #8 sometimes fails
> >
> > This is an occasional test failure, and I'm not convinced that applying the
> > change from testing/unstable (disabling one test) actually helps any user in
> > stable.
> >...
>
> Release team, if appropriate please mark jessie-ignore.
>
We should fix it if there's ever a reason to update the package in
jessie, so I'll leave this one as-is.

> >...
> > > #517472 libxml-libxml-perl: Missing versioned dependency on libxml2 - Causes runtime warnings
> >
> > I think that's not serious for jessie.
> > Originally this was an annoying warning (which it probably still is in
> > jessie), and we bumped the severity later when packages failed to build
> > because of it: #796354 - libimage-info-perl, and #796385 - request-tracker4.
> > I just rebuilt libimage-info-perl in a jessie chroot without any problems,
> > therefore I'd rather not update libxml-libxml-perl in jessie.
> > (Maybe we should lower the severity now? Or tag it stretch+sid)
> >...
>
> This shouldn't be a problem in a pure jessie.
>
> It only warns about older versions, so the case it would fix in jessie
> would be warnings when using the jessie libxml-libxml-perl with the
> wheezy libxml2 (which seems permitted by the dependencies).
>
> The change to libxml-libxml-perl would be small, but if there are no
> reported problems during wheezy -> jessie upgrades I agree that this
> is not necessary.
>
> Release team, if appropriate please mark jessie-ignore.
>
OK, I guess...

> >...
> > > #830476 libpoe-component-client-http-perl: accesses the internet during build
> >
> > I think there is no clear consensus that pure DNS queries are really a
> > policy violation. As this change wouldn't provide any practical advantage,
> > I'd rather ignore it for stable.
> >...
>
> Release team, if appropriate please mark jessie-ignore.
>  
Downgrading.  I don't believe this should be RC.

Cheers,
Julien
