
Bug#985958: [pre-approval] unblock: spip/3.2.11-2



Control: tags -1 -moreinfo

Hi Paul,

Thank you for your reply.

On 02/04/2021 at 16:41, Paul Gevers wrote:
> On 26-03-2021 20:53, David Prévot wrote:
>> Please unblock package spip
>
> This package does have a bit of a track record for security issues.

Indeed. Since 3.3 will soon be released, the 3.2 branch (as currently in testing) should mostly only receive security updates starting from now (and as you already pointed out, it probably will, rather sooner than later). Updating SPIP to 3.2.11 in Bullseye should make our lives less sad during the Bullseye lifetime, by allowing us to (hopefully) simply cherry-pick further security fixes (rather than backporting them due to changes between 3.2.10 and 3.2.11).

>> [ Reason ]
>> Upstream just released a new minor version to improve PHP 7.4 compat
>> (latest version already improved PHP 7.3 compat). Since Bullseye ships
>> with PHP 7.4, including those fixes should avoid future issues (I had
>> to backport a PHP 7.3 compatibility issue with a buster-security upload
>> already to fix a serious issue with plugins handling).
>
> If I read the upstream CHANGELOG correctly, it seems that this was all
> put together in a short time (days).

Indeed, they finally realized that compatibility with the current PHP version is useful (I’ve tried pushing for a while, but was not very successful).

> Are you aware of any tests in the
> package (I didn't spot them)? Does upstream have any testing infra?

Nothing I’m aware of, unfortunately. On the other hand, this version was released upstream more than two weeks ago and I’m not aware of any reported regression.

> I'm seriously doubting if we'd not introduce more issues than we solve here.

I understand your concern, but SPIP 3.2.10, currently in Bullseye, is known to not be fully compatible with PHP 7.4, also in Bullseye.

>> [ Impact ]
>> On top of fixing possible problems, this update avoids filling the
>> web server error.log due to multiple warnings and deprecation notices.
>
> Ack. Are those fixes cherry-pickable?

That’s the main purpose of all the changes from 3.2.10 to 3.2.11 actually.

>> [ Tests ]
>> I only tested the package manually, but I’m keeping an eye on upstream
>> issues that may arise about this new release.
>
> See above. This doesn't sound great.

I understand, the timing of this release sucks, and I’ll trust the judgment of the release team.

Regards

David
