
Re: rails update



Hi,

On 19/06/2020 20:18, Utkarsh Gupta wrote:
> On Fri, Jun 19, 2020 at 11:28 PM Sylvain Beucler <beuc@beuc.net> wrote:
>> Here's the prepared stretch update:
>> https://www.beuc.net/tmp/debian-lts/rails/
>> https://www.beuc.net/tmp/debian-lts/rails/debdiff.txt
>>
>> Testing was documented at:
>> https://wiki.debian.org/LTS/TestSuites/rails
>> It includes running the DEP-8 tests (which deploys a full app) and
>> running the full upstream testsuite. Test cases for the 2 CVEs were
>> backported.
> 
> Neat!
> 
>>> So assuming you are interested in preparing the stretch-security one,
>>> would you as well work on the buster-security one? (it has a different
>>> set of open CVEs to be addressed).
>>
>> The buster version is different and introduces 3 new vulnerabilities,
>> which strays a bit too far off my current work on rails. I believe the
>> package maintainers (possibly Utkarsh) would be in better position to
>> prepare the buster update.
>> If the rails maintainers are not available though I can step in.
> 
> Honestly, I wouldn't have time and I have a lot of other CVE(s) to take care of.
> I generally prepare security uploads for all suites but at this point, I have
> ruby, ruby-kaminari, apache2, and sympa to take care of.
> 
> And then I am also doing GSoC with Debian, so I would have even less time :/
> 
> It'd be great if you can help here this time? <3

Hmm, are you the only active maintainer for rails?

(incidentally, if you're full-time GSoC for the next 3 months, make sure
you set your LTS/ELTS availability accordingly)

>>> Anyway, this was the patch that fixed the regression:
>>> https://salsa.debian.org/ruby-team/rails/-/commit/fe3206768ed30b8eb6a83e74fc813e616d7d0db3
>>
>> As far as I understand, you experienced a regression but it isn't
>> related to the current CVEs, is it?
> 
> It was likely for it to be unrelated. But I found it weird that there were
> no regressions in the previous uploads but this security update broke stuff :/

Which security update broke what, exactly?

>> Is there a depending library/app that you would recommend testing with?
> 
> I think checking with a couple of ruby-rails-assets-* and ruby-jquery-* packages
> in this particular scenario would be good enough.
> In general, they all break together, so even if two or three of them
> build fine, then it's all good! :)

OK.

Cheers!
Sylvain