Re: RFS: ruby-hiera / CVE-2014-3248
Hello,
> > > I have a question about this package. Why it is called
> > > ruby-hiera, but not just hiera (like in official puppetlabs
> >
> > because Debian Ruby Policy says every library has a prefix of
> > "ruby-".
>
> I think in this case it would make sense to ship (at least a
> transitional package) it as "hiera" -- for one, it's what upstream
> does, and indeed it includes a directly usable tool.
> This certainly would be consistent with what we do for other tools
> and would confuse our shared users less.
This could be a solution. But I think a single hiera package is not
needed. Upstream has picked a wrong name for it. Because the package
ships the binary usr/bin/hiera, but you don't use it in normal
operation.
The hiera binary is only used for debugging or testing. Puppet and/or
Mcollective are using the library and not the binary.
I've been using hiera + Puppet for years myself and have used the hiera
binary perhaps 2-3 times.
>
> In any case, I'd suggest that this would only happen after the
> security upload.
ack.
If more people tell me we need a hiera package, then I think the
transitional package is the best solution for it.
Greets,
Jonas