
Bug#985958: [pre-approval] unblock: spip/3.2.11-2



Control: tags -1 moreinfo

Hi David,

On Mon, Apr 12, 2021 at 04:46:35PM -0400, David Prévot wrote:
> Le 02/04/2021 à 16:41, Paul Gevers a écrit :
> > On 26-03-2021 20:53, David Prévot wrote:
> > > Please unblock package spip
> > 
> > This package does have a bit of a track record for security issues.
> 
> Indeed. Since 3.3 will soon be released, the 3.2 branch (as currently in
> testing) should mostly only receive security updates starting from now (and
> as you already pointed out, it probably will rather sooner than later).
> Updating SPIP to 3.2.11 in Bullseye should make our lives less sad during
> the Bullseye lifetime, by allowing us to (hopefully) simply cherry-pick
> further security fixes (rather than backporting them due to changes between
> 3.2.10 and 3.2.11).
> 
> > > [ Reason ]
> > > Upstream just released a new minor version to improve PHP 7.4 compat
> > > (latest version already improved PHP 7.3 compat). Since Bullseye ships
> > > with PHP 7.4, including those fixes should avoid future issues (I had
> > > to backport a PHP 7.3 compatibility issue with a buster-security upload
> > > already to fix a serious issue with plugins handling).
> > 
> > If I read the upstream CHANGELOG correctly, it seems that this was all
> > put together in a short time (days).
> 
> Indeed, they finally realized that compatibility with the current PHP
> version is useful (I’ve tried pushing for a while, but was not very successful).
> 
> > Are you aware of any tests in the
> > package (I didn't spot them)? Does upstream have any testing infra?
> 
> Nothing I’m aware of, unfortunately. On the other hand, this version was
> released upstream more than two weeks ago and I’m not aware of any
> reported regression.
> 
> > I'm seriously doubting if we'd not introduce more issues than we solve here.
> 
> I understand your concern, but SPIP 3.2.10, currently in Bullseye, is known
> to not be fully compatible with PHP 7.4, also in Bullseye.
> 
> > > [ Impact ]
> > > On top of fixing possible problems, this update avoids filling the
> > > web server error.log due to multiple warnings and deprecation notices.
> > 
> > Ack. Are those fixes cherry-pickable?
> 
> That’s the main purpose of all the changes from 3.2.10 to 3.2.11 actually.
> 
> > > [ Tests ]
> > > I only tested the package manually, but I’m keeping an eye on upstream
> > > issues that may arise about this new release.
> > 
> > See above. This doesn't sound great.
> 
> I understand, the timing of this release sucks, and I’ll trust the judgment
> of the release team.

Yeah, neither option sounds very good.

I'm leaning towards accepting it. I suggest you upload it to unstable, and
we'll leave it there for a while. If issues show up (either in unstable or
upstream), we can reconsider it.

I'm tagging the bug moreinfo for now. Please remove that when the upload has
been in unstable for a while.


Thanks,

Ivo
