Audit of the 0-day NMU of libxml2 revert in unstable

To: "Debian XML/SGML Group" <debian-xml-sgml-pkgs@lists.alioth.debian.org>, Raphaël Hertzog <hertzog@debian.org>
Cc: debian-release@lists.debian.org
Subject: Audit of the 0-day NMU of libxml2 revert in unstable
From: Aron Xu <aron@debian.org>
Date: Tue, 22 Sep 2015 17:37:40 +0800
Message-id: <[🔎] CAMr=8w7zqSctGAAVUGM7YCpFeKC128iQWtPD_cAxKd07EccX6A@mail.gmail.com>

Hi,

Since there was a 0-day NMU that reverts libxml2 from 2.9.2 to 2.9.1
uploaded to unstable, which is strongly disagreed in discussion, I'm
providing a brief audit of problems behind this revert and would
kindly ask everyone do not do any 0-day NMU to libxml2 from now on
even if you strongly believe you have good reasons, and please _never_
do version revert even if you strongly believe you have good reasons.

Known regressions lead by revert:

1. Bug #754424: spurious parser error affecting xmllint
2. Bug #781232: xmlSafeURI: Fails to unparse URI with empty host part
    Solved by following NMU of libvirt maintainer
3. libicu dbg package was dropped which makes the debug symbols
dependency broken
4. Not-approved patch in the name of security update.
5. Long list of NULL pointers, dereferences, and missing checks (upstream side)

A new upload of libxml2 has landed in unstable, going to 2.9.2 again
with all mentioned problems resolved, RC bugs closed.

Thanks,
Aron

Reply to:

Prev by Date: Bug#799758: jessie-pu: package apt-dater-host/1.0.0-2
Next by Date: Есть подходящий офис
Previous by thread: Bug#799758: jessie-pu: package apt-dater-host/1.0.0-2
Next by thread: Есть подходящий офис
Index(es):
- Date
- Thread