[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: rails update


On 19/06/2020 20:18, Utkarsh Gupta wrote:
> On Fri, Jun 19, 2020 at 11:28 PM Sylvain Beucler <beuc@beuc.net> wrote:
>> Here's the prepared stretch update:
>> https://www.beuc.net/tmp/debian-lts/rails/
>> https://www.beuc.net/tmp/debian-lts/rails/debdiff.txt
>> Testing was documented at:
>> https://wiki.debian.org/LTS/TestSuites/rails
>> It includes running the DEP-8 tests (which deploys a full app) and
>> running the full upstream testsuite. Test cases for the 2 CVEs were
>> backported.
> Neat!
>>> So assuming you are intersted in preparing the stretch-security one,
>>> would you as well work on the buster-security one? (it has different
>>> set of open CVEs to be addressed).
>> The buster version is different and introduces 3 new vulnerabilities,
>> which strays a bit too far off my current work on rails. I believe the
>> package maintainers (possibly Utkarsh) would be in better position to
>> prepare the buster update.
>> If the rails maintainers are not available though I can step in.
> Honestly, I wouldn't have time and I have a lot of other CVE(s) to take care of.
> I generally prepare security uploads for all suites but at this point, I have
> ruby, ruby-kaminari, apache2, and sympa to take care of.
> And then I am also doing GSoC with Debian, so I would have even lesser time :/
> It'd be great if you can help here this time? <3

Hmm, are you the only active maintainer for rails?

(incidentally, if you're full-time GSoC for the next 3 months, make sure
you set your LTS/ELTS availability accordingly)

>>> Anyway, this was the patch that fixed the regression:
>>> https://salsa.debian.org/ruby-team/rails/-/commit/fe3206768ed30b8eb6a83e74fc813e616d7d0db3
>> As far as I understand, you experienced a regression but it isn't
>> related to the current CVEs, is it?
> It was likely for it to be unrelated. But I found it weird that there were
> no regressions in the previous uploads but this security update broke stuff :/

Which security update broke what, exactly?

>> Is there a depending library/app that you would recommend testing with?
> I think to check with a couple of ruby-rails-assets-* and ruby-jquery-* packages
> in this particular scenario would be good enough.
> In general, they all break together, so even if two or three of them
> build fine, then it's all good! :)


Reply to: