
Re: RFS: ruby-hiera / CVE-2014-3248



Hello,

> > > I have a question about this package. Why is it called
> > > ruby-hiera, but not just hiera (like in official puppetlabs
> >
> > because Debian Ruby Policy says every library has a prefix of
> > "ruby-".
> 
> I think in this case it would make sense to ship (at least a
> transitional package) it as "hiera" -- for one, it's what upstream
> does, and indeed it includes a directly usable tool.
> This certainly would be consistent with what we do for other tools
> and would confuse our shared users less.

This could be a solution. But I think a single hiera package is not
needed. Upstream has picked a wrong name for it. Because the package
ships the binary usr/bin/hiera, but you don't use it in normal
operation. 

The hiera binary is only used for debugging or testing. Puppet and/or
Mcollective are using the library and not the binary.

I've been using hiera + Puppet for years myself and have used the hiera
binary 2-3 times perhaps.

> 
> In any case, I'd suggest that this would only happen after the
> security upload.

ack.


If more people tell me we need a hiera package, then I think the
transitional package is the best solution for it.

Greets,
	Jonas

