
Re: jessie RC bugs in perl packages



I'm adding the release team to the Cc for the 3 bugs that are
candidates for jessie-ignore.

On Fri, May 19, 2017 at 10:24:15PM +0200, gregor herrmann wrote:
> On Fri, 19 May 2017 12:53:10 +0200, gregor herrmann wrote:
> 
> > > Could you prepare jessie-pu updates for them?
> > I'm starting to look at them right now at the pkg-perl sprint.
> > Thanks for providing this list!

Thanks a lot for working on them!

Comments on some items:

>...
> > #784845 libdevel-gdb-perl: FTBFS: t/expect.t #8 sometimes fails
> 
> This is an occasional test failure, and I'm not convinced that applying the
> change from testing/unstable (disabling one test) actually helps any user in
> stable.
>...

Release team, if appropriate please mark jessie-ignore.

>...
> > #517472 libxml-libxml-perl: Missing versioned dependency on libxml2 - Causes runtime warnings
> 
> I think that's not serious for jessie.
> Originally this was an annoying warning (which it probably still is in
> jessie), and we bumped the severity later when packages failed to build
> because of it: #796354 - libimage-info-perl, and #796385 - request-tracker4.
> I just rebuilt libimage-info-perl in a jessie chroot without any problems,
> therefore I'd rather not update libxml-libxml-perl in jessie.
> (Maybe we should lower the severity now? Or tag it stretch+sid)
>...

This shouldn't be a problem in a pure jessie.

It only warns about older versions, so the case it would fix in jessie 
would be warnings when using the jessie libxml-libxml-perl with the
wheezy libxml2 (which seems permitted by the dependencies).

The change to libxml-libxml-perl would be small, but if there are no 
reported problems during wheezy -> jessie upgrades I agree that this
is not necessary.

Release team, if appropriate please mark jessie-ignore.

>...
> > #830476 libpoe-component-client-http-perl: accesses the internet during build
> 
> I think there is no clear consensus that pure DNS queries are really a
> policy violation. As this change wouldn't provide any practical advantage,
> I'd rather ignore it for stable.
>...

Release team, if appropriate please mark jessie-ignore.
 
>...
> > #849777 shutter: CVE-2016-10081: Insecure use of perl exec()
> 
> I'm confused. This should be fixed in 0.92-0.1+deb8u1.
> At least that's what https://tracker.debian.org/news/829114 says.
> Still, https://bugs.debian.org/849777 doesn't know about it?
>...

CVE-2015-0854 != CVE-2016-10081

> Cheers,
> gregor

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

