Re: rails update
On 19/06/2020 20:18, Utkarsh Gupta wrote:
> On Fri, Jun 19, 2020 at 11:28 PM Sylvain Beucler <firstname.lastname@example.org> wrote:
>> Here's the prepared stretch update:
>> Testing was documented at:
>> It includes running the DEP-8 tests (which deploys a full app) and
>> running the full upstream testsuite. Test cases for the 2 CVEs were
>>> So assuming you are interested in preparing the stretch-security one,
>>> would you as well work on the buster-security one? (it has a different
>>> set of open CVEs to be addressed).
>> The buster version is different and introduces 3 new vulnerabilities,
>> which strays a bit too far off my current work on rails. I believe the
>> package maintainers (possibly Utkarsh) would be in a better position to
>> prepare the buster update.
>> If the rails maintainers are not available though I can step in.
> Honestly, I wouldn't have time and I have a lot of other CVE(s) to take care of.
> I generally prepare security uploads for all suites but at this point, I have
> ruby, ruby-kaminari, apache2, and sympa to take care of.
> And then I am also doing GSoC with Debian, so I would have even less time :/
> It'd be great if you can help here this time? <3
Hmm, are you the only active maintainer for rails?
(incidentally, if you're full-time GSoC for the next 3 months, make sure
you set your LTS/ELTS availability accordingly)
>>> Anyway, this was the patch that fixed the regression:
>> As far as I understand, you experienced a regression but it isn't
>> related to the current CVEs, is it?
> It was likely for it to be unrelated. But I found it weird that there were
> no regressions in the previous uploads but this security update broke stuff :/
Which security update broke what, exactly?
>> Is there a depending library/app that you would recommend testing with?
> I think checking with a couple of ruby-rails-assets-* and ruby-jquery-* packages
> in this particular scenario would be good enough.
> In general, they all break together, so even if two or three of them
> build fine, then it's all good! :)