--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: pre-approval unblock: appstream/0.14.4-1
- From: Matthias Klumpp <mak@debian.org>
- Date: Wed, 23 Jun 2021 03:08:24 +0200
- Message-id: <CAKNHny-iW6Ed-zP2UsX5vDCCjaNJhHC+mh5U9zByhDVhf8kH=g@mail.gmail.com>
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal
Please unblock package appstream
This is currently a pre-approval request, as the changes - even though
almost all of them are bugfixes - are larger, in a key package, and
we're close to the final release.
[ Reason ]
AppStream has had two bugfix-only releases, and rather than
backporting a lot of interdependent patches, I would much rather like
to upload the 0.14.4 release as-a-whole. There are very few changes in
there that are not bugfixes, and I consider those low-risk.
As maintainer of the AppStream project upstream as well as in Debian,
I have a good overview of what went into the code.
Here's the individual changes made with explanations on why we want
them in Debian for the release. I have stripped out all translation
updates and documentation changes, as those will not change how the
program works.
* compose: Don't loop endlessly if external desktop l10n function is set
This change is only relevant for Ubuntu, without it the Ubuntu
AppStream metadata generator will loop endlessly. We still want this
in Debian in case someone processes an Ubuntu archive on a Debian
host, as it's a rather annoying issue to run into when processing
metadata.
* Never create a predictable dir in /tmp for caching
AppStream in current bullseye may create /tmp/appstream, which
wouldn't be an issue unless the program using it is run as root.
Unfortunately we run `appstreamcli` as roo all the time as part of an
apt update, so this may be a security issue with a predictable folder
being created in /tmp with elevated privileges.
* component: Don't strip ";" from keywords before translating them
Again, only relevant for Ubuntu which translates desktop-entry files
differently than Debian (but also won't affect Debian, only people who
process Ubuntu archives on a Debian host)
* utils: Don't strip modifiers when stripping encoding
Previously we generated invalid YAML by creating multiple entries with
the same value for YAML dicts, when stripping "ca.UTF-8" and
"ca@valencia.UTF-8" both to "ca". This fixes both the issue of
modifiers being ignored by AppStream and the YAML corruption.
* compose: Check optipng is there before we use it
Fix for a rare configuration issue.
* Improve text line wrapping, especially if many newlines are present
We previously wrapped text output from `appstreamcli` on the terminal
incorrectly of lists where contained within it, leading to
weird-looking output. This is a cosmetic fix for human-readable CLI
output (obviously doesn#t affect the tool's structured data output
modes).
* Make word-wrap function unicode-aware
Same, wraps e.g. Japanese text correctly now on the console.
* Make license_is_metadata_license parse more complex expressions
This is a fix for an issue Debian developers reported upstream but
which was actually a fault in appstream-compose. See
https://gitlab.gnome.org/GNOME/evince/-/merge_requests/346 for an
example.
* Improve cache refresh code, don't flag cache as updated if update failed
Kills a race condition, and also prevents AppStream from marking a
cache as valid even though it wasn't. This appears mostly in cases
where 3rd-party repositories are added which have broken data or data
(Debian's archive never triggers this, unless something went wrong).
* Use system cache even if we had to drop some invalid metadata
This ties in with the fix from above and affects cases where 3rd-party
repositories are used. Without this patch, software centers may load
all data twice each run, leading to extreme startup times on slower
devices.
* Assign more string class members safely
This is some API hardening that prevents crashes if an API user does
something like `as_set_string_member (object, as_get_string_member
(object))` where we'd get a segmentation fault. Generally good to
have, even though I am not aware of any client triggering this.
* Fix flashed firmware generating incorrect XML
* Fix YAML having wrong names for the firmware data
"flashed" and "runtime" firmware had wrong metadata in both XML and
YAML, which resulted in them being ignored by some tools. This change
fixes this and makes firmware work as specified.
By uploading the 0.14.4 release, we'll also drag in a few features,
here's an explanation for these:
* qt: Expose setter and getter for pool cache location
Just exposes some more API for Qt users and is otherwise inert.
* utils: Use GLib's gstring_replace if available
Just some cleanup in AppStream's utility code, which was required for
the "ca@valencia" fix series.
* its: Allow to mark release descriptions as non-translatable
Allows upstream projects to mark release descriptions as
non-translatable, but does nothing if not used explicitly (it's a
one-line config change).
* compose: Point people at the specification if metadata license is invalid
This is an explanation string change, that does not have any functional impact.
You can find the whole NEWS file with the documentation changes
included upstream at
https://github.com/ximion/appstream/blob/master/NEWS#L1-L48
All changes (including translation changes) are listed here:
https://github.com/ximion/appstream/compare/v0.14.2...v0.14.4
[ Impact ]
If the change isn't permitted, we ship AppStream with a bunch of known
bugs. I would try to create a release with cherry-picked standalone
fixes for the most severe issues, but fixing all would pretty much be
equivalent to merging the whole release code (minus translations and
doc fixes).
The "ca@valencia" issue would be especially hard to address separately
of the other changes on top of 0.14.2.
[ Tests ]
Some of this code has been tested in other distributions since March
(everything that was part of the 0.14.3 release) without any reported
issues.
All newly added code also came with tests for AppStream's internal
testsuite and works as expected. All of the changes are also already
live on Debian's AppStream infrastructure (important so we don't ship
with broken YAML data), so far with no issues.
Ubuntu will likely also reprocess their data soon, and was using a
version of AppStream with these patches for a while in a Snap for
metadata generation.
[ Risks ]
This is a key package, so any new bugs we pull in will hurt. The
riskiest part of this patchset is the "ca@valencia" bugfix, as that
required some comparatively substantial code changes. It is, however,
also a change that makes a lot of sense to have present in Debian 11,
as it improves localization as well as resolving a YAML data
corruption bug.
All other changes are very limited in scope and very unlikely to cause
any issues.
Since the metadata generation part has received some extensive testing
on our infrastructure, there is a low risk that there are issues with
it. The client part has been autopkg-tested, unit-tested and tested
locally by me, but the package could still be left in unstable for a
longer period before migrating, to be sure everything is fine. Since
AppStream is ubiquitous on desktop-Debian installations, any issues
are usually found very quickly.
[ Other info ]
Packaging for the intended release is at
https://salsa.debian.org/pkgutopia-team/appstream
The package could also be uploaded to experimental for testing, if requested.
I know this is quite a large chunk of stuff late in cycle, and I
apologize for this, especially since many of the issues have been
known for a while (but could only be fixed by us recently due to time
constraints on my side).
Let me know what you think!
Cheers,
Matthias
unblock appstream/0.14.4-1
--- End Message ---