
Re: RFC: ruby-loofah 2.2.3-1+deb10u2



Hi Anton,

thanks for your feedback.

On Tuesday, 14.03.2023 at 06:11 +0100, Anton Gladky wrote:
> Hi Daniel,
> 
> congratulations on your first update!
> 
> Some notes:
> 
> 1) to be consistent with all other updates please do not add the suffix
> in the version number

I'm not quite sure what you mean by that. "gbp dch -S" adds the
~1.[gitrev] ... to snapshots. That will be removed when doing the
finalization and the final version number will be:

2.2.3-1+deb10u2

which I think is exactly what it should be.

> 2) It is not quite a team upload. Better use "dch --lts" which
> converts to "* Non-maintainer upload by the LTS Security Team."

That's a good idea.

> 3) Please check, why piuparts is failing on CI.

I already did yesterday, and I wasn't able to reproduce that (the log
is also not clear about "what is actually happening"). But I will check
once more in the evening.

> 4) Regarding behavioral change... I cannot evaluate without the context.
> Maybe someone else from LTS team or the original maintainer can help.

Well, the context is that uploads to stable (or oldstable for that
matter) should usually not change the behavior. The behavior of version
2.2.3-1+deb10u1 is that it will scrub nested <script> elements
completely, while 2.2.3-1+deb10u2 will basically escape the <script>
HTML elements and treat them as if they were in a CDATA section. It's
not a "big" change, but still.

Regards, Daniel

