Bug#985958: [pre-approval] unblock: spip/3.2.11-2
Control: tags -1 -moreinfo
Hi Paul,
Thank you for your reply.
On 02/04/2021 at 16:41, Paul Gevers wrote:
> On 26-03-2021 20:53, David Prévot wrote:
>> Please unblock package spip
> This package does have a bit of a track record for security issues.
Indeed. Since 3.3 will soon be released, the 3.2 branch (as currently in
testing) should mostly only receive security updates starting from now
(and as you already pointed out, it probably will rather sooner than
later). Updating SPIP to 3.2.11 in Bullseye should make our lives less
sad during the Bullseye lifetime, by allowing us to (hopefully) simply
cherry-pick further security fixes (rather than backporting them due to
changes between 3.2.10 and 3.2.11).
>> [ Reason ]
>> Upstream just released a new minor version to improve PHP 7.4 compat
>> (latest version already improved PHP 7.3 compat). Since Bullseye ships
>> with PHP 7.4, including those fixes should avoid future issues (I had
>> to backport a PHP 7.3 compatibility issue with a buster-security upload
>> already to fix a serious issue with plugins handling).
> If I read the upstream CHANGELOG correctly, it seems that this was all
> put together in a short time (days).
Indeed, they finally realized that compatibility with current PHP
version is useful (I’ve tried pushing for a while, but was not very
successful).
> Are you aware of any tests in the
> package (I didn't spot them)? Does upstream have any testing infra?
Nothing I’m aware of, unfortunately. On the other hand, this version has
been released upstream more than two weeks ago and I’m not aware of any
reported regression.
> I'm seriously doubting if we'd not introduce more issues than we solve here.
I understand your concern, but SPIP 3.2.10, currently in Bullseye, is
known to not be fully compatible with PHP 7.4, also in Bullseye.
>> [ Impact ]
>> On top of fixing possible problems, this update avoids filling the
>> web server error.log due to multiple warnings and deprecation notices.
> Ack. Are those fixes cherry-pickable?
That’s the main purpose of all the changes from 3.2.10 to 3.2.11 actually.
>> [ Tests ]
>> I only tested the package manually, but I’m keeping an eye on upstream
>> issues that may arise about this new release.
> See above. This doesn't sound great.
I understand, the timing of this release sucks, and I’ll trust the
judgment of the release team.
Regards
David