
Bug#986742: unblock: ruby2.7/2.7.3-1



On Sun, 11 Apr 2021 03:04:42 +0530 Utkarsh Gupta <utkarsh@debian.org> wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: debian-ruby@lists.debian.org
> 
> Hello,
> 
> Upstream has recently released a bug-fix only release after a
> vulnerability, CVE-2021-28965, was discovered.
> 
> Upstream release note:
> https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-7-3-released/
> Upstream git logs b/w 2.7.2 and 2.7.3:
> https://github.com/ruby/ruby/compare/v2_7_2...v2_7_3
> 
> This is clearly a bug-fix only release and it'd be *really great* to
> have this included in Bullseye. (I'd be sad not to but..) I understand
> it's your call to make after analyzing so attaching the debdiff for
> your reference and help (snipping ChangeLog entries for noise
> reduction).
> 
> Hopefully, it'd be OK to get this included and have an even nicer
> ruby2.7 for Bullseye. Thanks.

 99 files changed, 39552 insertions(+), 23134 deletions(-)

The Debian diff looks very big because of 3 generated files: ChangeLog,
parse.c, and ext/ripper/ripper.c (the last two being bison/yacc
generated parsers). If you filter those out, the result is a lot more
palatable:

 96 files changed, 3761 insertions(+), 886 deletions(-)

Roughly 1/3 of the insertions are test cases:

 32 files changed, 1150 insertions(+), 97 deletions(-)

I have reviewed the upstream patches and compared the upstream diff with
the debian diff, and indeed all the changes are bug fixes.

There was one marked as a "Feature" in the commit message, but it was
really a follow-up to fix an inconsistency in a feature that was
added in the 2.7 series already. It will cause formerly invalid syntax
to be valid, but won't break any currently working code.

I think the risk with this update is low, and releasing with the latest
available ruby bugfix release will make it easier to provide stable
support in bullseye.

Full disclosure: I am trying to get ruby into new hands, but I'm still a
comaintainer and care a lot about it, so I'm not an uninterested party
here.

Attachment: signature.asc
Description: PGP signature
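The triage above (a raw diffstat, the same diffstat with the generated files filtered out, and the share of insertions that are test cases) is easy to reproduce mechanically. The following is an added example, not code from the bug report, the Debian ruby2.7 package or upstream Ruby: a minimal diffstat over a unified diff that can exclude a list of generated paths and isolate test files. The diff it runs on is constructed inline for the example and does not reproduce the real 2.7.2..2.7.3 changes; the list of generated files is the one named in the reply.

```ruby
# Added example: a small diffstat for triaging a release diff, filtering out
# generated files and isolating test cases. Not part of the bug report or of
# the ruby2.7 package.

# Files the reply identifies as generated and therefore noise for review.
GENERATED = ["ChangeLog", "parse.c", "ext/ripper/ripper.c"].freeze

def generated?(path)
  GENERATED.include?(path)
end

# Ruby's upstream test suite lives under test/; treat that as "test cases".
def test_file?(path)
  path.start_with?("test/")
end

# Parse a unified (git-style) diff into per-file insertion/deletion counts.
# The path comes from the "diff --git a/<old> b/<new>" header. Lines are only
# counted once a "@@" hunk header has been seen, so the "---"/"+++" file
# markers that precede the first hunk are never mistaken for changed lines.
def per_file_stats(diff_text)
  stats = {}
  current = nil
  in_hunk = false
  diff_text.each_line do |line|
    if (m = line.match(%r{\Adiff --git a/(\S+) b/(\S+)}))
      current = m[2]
      in_hunk = false
      stats[current] = { insertions: 0, deletions: 0 }
    elsif line.start_with?("@@")
      in_hunk = true
    elsif current.nil? || !in_hunk
      next
    elsif line.start_with?("+")
      stats[current][:insertions] += 1
    elsif line.start_with?("-")
      stats[current][:deletions] += 1
    end
  end
  stats
end

# Total up the per-file stats, keeping only paths for which the block is true
# (all paths when no block is given), in the "N files changed" shape.
def summarize(stats, &keep)
  selected = stats.select { |path, _| keep.nil? || keep.call(path) }
  {
    files: selected.size,
    insertions: selected.values.sum { |s| s[:insertions] },
    deletions: selected.values.sum { |s| s[:deletions] },
  }
end

# The three views used in the reply: everything, minus generated files, and
# the test-only share of what remains.
def review_summary(diff_text)
  stats = per_file_stats(diff_text)
  {
    everything: summarize(stats),
    without_generated: summarize(stats) { |p| !generated?(p) },
    tests_only: summarize(stats) { |p| !generated?(p) && test_file?(p) },
  }
end

# Constructed sample diff: one generated ChangeLog entry, one regenerated
# parser symbol, one library fix and one new test. Not the real 2.7.3 diff.
SAMPLE_DIFF = <<~DIFF
  diff --git a/ChangeLog b/ChangeLog
  --- a/ChangeLog
  +++ b/ChangeLog
  @@ -1,1 +1,4 @@
  +Mon Apr  5 00:00:00 2021  Constructed Entry  <nobody@example.invalid>
  +
  +    * constructed ChangeLog line for the example
   existing line
  diff --git a/parse.c b/parse.c
  --- a/parse.c
  +++ b/parse.c
  @@ -100,3 +100,3 @@
   /* generated by bison */
  -static const int yy_old = 1;
  +static const int yy_new = 2;
   /* end */
  diff --git a/lib/rdoc/example.rb b/lib/rdoc/example.rb
  --- a/lib/rdoc/example.rb
  +++ b/lib/rdoc/example.rb
  @@ -5,3 +5,4 @@
   module RDoc
  -  def self.old; end
  +  def self.new_behaviour; end
  +  def self.helper; end
   end
  diff --git a/test/rdoc/test_example.rb b/test/rdoc/test_example.rb
  --- a/test/rdoc/test_example.rb
  +++ b/test/rdoc/test_example.rb
  @@ -1,2 +1,6 @@
   require "test/unit"
  +
  +class TestExample < Test::Unit::TestCase
  +  def test_helper; assert RDoc.respond_to?(:helper); end
  +end
   # end of file
DIFF

if __FILE__ == $PROGRAM_NAME
  review_summary(SAMPLE_DIFF).each do |label, s|
    puts format("%-18s %d files changed, %d insertions(+), %d deletions(-)",
                label, s[:files], s[:insertions], s[:deletions])
  end
end
```

Run it against a real diff with `ruby diffstat.rb < <(git diff v2_7_2...v2_7_3)` after replacing SAMPLE_DIFF with `$stdin.read`. A diff that only touches ChangeLog, parse.c and ripper.c should collapse to zero files once the generated set is excluded, which is the quick sanity check that the filter list is complete before reading the remaining hunks by hand.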