Debian Bug report logs - #864745
jessie-pu: package perl/5.20.2-3+deb8u8
Reported by: Dominic Hargreaves <dom@earth.li>
Date: Tue, 13 Jun 2017 23:18:01 UTC
Severity: normal
Tags: confirmed, jessie
Fixed in version 8.9
Done: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, debian-perl@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>: Bug#864745; Package release.debian.org. (Tue, 13 Jun 2017 23:18:03 GMT)
Acknowledgement sent to Dominic Hargreaves <dom@earth.li>: New Bug report received and forwarded. Copy sent to debian-perl@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>. (Tue, 13 Jun 2017 23:18:03 GMT)
Message #5 received at submit@bugs.debian.org:
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
In July 2016 we released a security update for perl to fix an optional
module loading related vulnerability:
https://www.debian.org/security/2016/dsa-3628
This update included a change that has been since improved by upstream
for better compatibility with existing code. The original update caused
a few packages to FTBFS:
#864302
#864299
#832862
#832866
#832845
As such we believe that it makes sense to update perl in jessie to
include the improved fix, which is scheduled for inclusion in upstream
maintenance releases soon.
The attached patch implements the aforementioned update, and has been
tested against packages build-depending on build in jessie with no
regressions (and we've confirmed that the above bugs have been fixed).
Please let us know if we can upload to jessie-proposed-updates.
Thanks!
Dominic.
-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
[base.pm.debdiff (text/plain, attachment)]
Changed Bug title to 'jessie-pu: package perl/5.20.2-3+deb8u8' from 'jessie-pu: package perl/5.20.2-3+deb8u6'. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Tue, 13 Jun 2017 23:21:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>: Bug#864745; Package release.debian.org. (Tue, 04 Jul 2017 16:18:02 GMT)
Acknowledgement sent to Dominic Hargreaves <dom@earth.li>: Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 04 Jul 2017 16:18:03 GMT)
Message #12 received at 864745@bugs.debian.org:
Just to confirm that
1) this commit is identical to those now in upstream release candidates.
2) This has now been filed as #867164 (sorry that this was missing before)
3) this particular bug doesn't strictly apply to stretch/sid, but we plan
to fix it in sid at least for consistency and to fix the minor remaining
security bug (see #867170)
Thanks,
Dominic.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>: Bug#864745; Package release.debian.org. (Wed, 05 Jul 2017 05:51:03 GMT)
Acknowledgement sent to Cyril Brulebois <kibi@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Wed, 05 Jul 2017 05:51:03 GMT)
Message #17 received at 864745@bugs.debian.org:
Hi Dominic,
Dominic Hargreaves <dom@earth.li> (2017-07-04):
> 1) this commit is identical to those now in upstream release candidates.
> 2) This has now been filed as #867164 (sorry that this was missing before)
Thanks for the update, much appreciated.
I have to say that giving you a green light to update perl in stable with this
kind of fix makes me a little nervous, sorry. :(
> 3) this particular bug doesn't strictly apply to stretch/sid, but we plan
> to fix it in sid at least for consistency and to fix the minor remaining
> security bug (see #867170)
I'm not sure how we feel about similar-yet-kind-of-different bugs in
other suites (as in: not sure whether fixing those would be considered
a hard requirement before an update in (old)stable).
KiBi.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>: Bug#864745; Package release.debian.org. (Thu, 06 Jul 2017 18:39:03 GMT)
Acknowledgement sent to Dominic Hargreaves <dom@earth.li>: Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 06 Jul 2017 18:39:03 GMT)
Message #22 received at 864745@bugs.debian.org:
+ debian-perl as it possibly affects how we deal with FTBFS module
packages.
On Wed, Jul 05, 2017 at 07:46:39AM +0200, Cyril Brulebois wrote:
> Hi Dominic,
>
> Dominic Hargreaves <dom@earth.li> (2017-07-04):
> > 1) this commit is identical to those now in upstream release candidates.
> > 2) This has now been filed as #867164 (sorry that this was missing before)
>
> Thanks for the update, much appreciated.
>
> I have to say that giving you a green light to update perl in stable with this
> kind of fix makes me a little nervous, sorry. :(
Okay, it would be useful to know in a bit more detail why you think this,
as it doesn't seem any different from other similar fixes to perl we
have requested in the past (and we've learnt our lesson from lack of
mass rebuild testing where that was an issue previously)
But anyway, there are two options:
1) proceed with the update as proposed. This should be fairly low risk
since we have test-rebuilt all packages build-depending on perl and found
no regressions, and the problem it is fixing only affected a handful
of unusual cases. Given the lack of bug reports, I assume the imperfect
base.pm change hasn't actually affected anyone in the real world, but of
course that might be a rash assumption.
2) work around the problem by patching away the issue like we have
for stretch in the half dozen or so affected packages. This would leave
jessie's perl in a slightly awkward state in carrying around for the
rest of its days a patch that was rejected by upstream in favour
of another one. But in practice it may not make all that difference.
And probably the risk in doing this is slightly less in not touching a
core package, though it is a bit more work.
Overall I'm in favour of 1) but happy to defer to you. Does anyone
else in pkg-perl have an opinion on this?
> > 3) this particular bug doesn't strictly apply to stretch/sid, but we plan
> > to fix it in sid at least for consistency and to fix the minor remaining
> > security bug (see #867170)
>
> I'm not sure how we feel about similar-yet-kind-of-different bugs in
> other suites (as in: not sure whether fixing those would be considered
> a hard requirement before an update in (old)stable).
Even if you reject the patch for jessie, I hope you will consider it
in stretch, as it actually fixes a minor security issue (in due
course it will end up in a new upstream point release, and it's quite
likely we'll want a wholesale upgrade to that anyway).
Indeed, if that would also make you uncomfortable we should discuss
that in more detail...
I will aim to get the s-p-u bug for that filed soon.
Thanks,
Dominic.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>: Bug#864745; Package release.debian.org. (Thu, 06 Jul 2017 19:03:05 GMT)
Acknowledgement sent to Cyril Brulebois <kibi@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 06 Jul 2017 19:03:05 GMT)
Message #27 received at 864745@bugs.debian.org:
Dominic Hargreaves <dom@earth.li> (2017-07-06):
> + debian-perl as it possibly affects how we deal with FTBFS module
> packages.
>
> On Wed, Jul 05, 2017 at 07:46:39AM +0200, Cyril Brulebois wrote:
> > Hi Dominic,
> >
> > Dominic Hargreaves <dom@earth.li> (2017-07-04):
> > > 1) this commit is identical to those now in upstream release
> > > candidates.
> > > 2) This has now been filed as #867164 (sorry that this was missing
> > > before)
> >
> > Thanks for the update, much appreciated.
> >
> > I have to say that giving you a green light to update perl in stable
> > with this kind of fix makes me a little nervous, sorry. :(
>
> Okay, it would be useful to know in a bit more detail why you think
> this, as it doesn't seem any different from other similar fixes to
> perl we have requested in the past (and we've learnt our lesson from
> lack of mass rebuild testing where that was an issue previously)
Well, I'm not the one having accepted past proposed-updates, and since
I've been active on quite a number of {jessie,stretch}-pu requests over
the past few weeks, that was mainly a hint for other release team
members that I wasn't going to green or red light this request myself.
> But anyway, there are two options:
>
> 1) proceed with the update as proposed. This should be fairly low risk
> since we have test-rebuilt all packages build-depending on perl and found
> no regressions, and the problem it is fixing only affected a handful
> of unusual cases. Given the lack of bug reports, I assume the imperfect
> base.pm change hasn't actually affected anyone in the real world, but of
> course that might be a rash assumption.
>
> 2) work around the problem by patching away the issue like we have
> for stretch in the half dozen or so affected packages. This would leave
> jessie's perl in a slightly awkward state in carrying around for the
> rest of its days a patch that was rejected by upstream in favour
> of another one. But in practice it may not make all that difference.
> And probably the risk in doing this is slightly less in not touching a
> core package, though it is a bit more work.
>
> Overall I'm in favour of 1) but happy to defer to you. Does anyone
> else in pkg-perl have an opinion on this?
I see a third one:
0) Wait for someone else from the release team to comment on this.
Hope this clarifies.
KiBi.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>: Bug#864745; Package release.debian.org. (Thu, 06 Jul 2017 23:09:03 GMT)
Acknowledgement sent to Dominic Hargreaves <dom@earth.li>: Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 06 Jul 2017 23:09:03 GMT)
Message #32 received at 864745@bugs.debian.org:
On Thu, Jul 06, 2017 at 09:01:21PM +0200, Cyril Brulebois wrote:
> Dominic Hargreaves <dom@earth.li> (2017-07-06):
> > + debian-perl as it possibly affects how we deal with FTBFS module
> > packages.
> >
> > On Wed, Jul 05, 2017 at 07:46:39AM +0200, Cyril Brulebois wrote:
> > > Hi Dominic,
> > >
> > > Dominic Hargreaves <dom@earth.li> (2017-07-04):
> > > > 1) this commit is identical to those now in upstream release
> > > > candidates.
> > > > 2) This has now been filed as #867164 (sorry that this was missing
> > > > before)
> > >
> > > Thanks for the update, much appreciated.
> > >
> > > I have to say that giving you a green light to update perl in stable
> > > with this kind of fix makes me a little nervous, sorry. :(
> >
> > Okay, it would be useful to know in a bit more detail why you think
> > this, as it doesn't seem any different from other similar fixes to
> > perl we have requested in the past (and we've learnt our lesson from
> > lack of mass rebuild testing where that was an issue previously)
>
> Well, I'm not the one having accepted past proposed-updates, and since
> I've been active on quite a number of {jessie,stretch}-pu requests over
> the past few weeks, that was mainly a hint for other release team
> members that I wasn't going to green or red light this request myself.
>
> > But anyway, there are two options:
> >
> > 1) proceed with the update as proposed. This should be fairly low risk
> > since we have test-rebuilt all packages build-depending on perl and found
> > no regressions, and the problem it is fixing only affected a handful
> > of unusual cases. Given the lack of bug reports, I assume the imperfect
> > base.pm change hasn't actually affected anyone in the real world, but of
> > course that might be a rash assumption.
> >
> > 2) work around the problem by patching away the issue like we have
> > for stretch in the half dozen or so affected packages. This would leave
> > jessie's perl in a slightly awkward state in carrying around for the
> > rest of its days a patch that was rejected by upstream in favour
> > of another one. But in practice it may not make all that difference.
> > And probably the risk in doing this is slightly less in not touching a
> > core package, though it is a bit more work.
> >
> > Overall I'm in favour of 1) but happy to defer to you. Does anyone
> > else in pkg-perl have an opinion on this?
>
> I see a third one:
>
> 0) Wait for someone else from the release team to comment on this.
>
>
> Hope this clarifies.
That makes perfect sense, sorry for the misunderstanding!
Dominic.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>: Bug#864745; Package release.debian.org. (Mon, 10 Jul 2017 20:27:05 GMT)
Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>: Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 10 Jul 2017 20:27:05 GMT)
Message #37 received at 864745@bugs.debian.org:
Control; tags -1 + confirmed
On Wed, 2017-06-14 at 00:14 +0100, Dominic Hargreaves wrote:
> In July 2016 we released a security update for perl to fix an optional
> module loading related vulnerability:
>
> https://www.debian.org/security/2016/dsa-3628
>
> This update included a change that has been since improved by upstream
> for better compatibility with existing code. The original update caused
> a few packages to FTBFS:
>
> #864302
> #864299
> #832862
> #832866
> #832845
>
> As such we believe that it makes sense to update perl in jessie to
> include the improved fix, which is scheduled for inclusion in upstream
> maintenance releases soon.
Please go ahead.
Regards,
Adam
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>: Bug#864745; Package release.debian.org. (Tue, 11 Jul 2017 16:48:02 GMT)
Acknowledgement sent to Dominic Hargreaves <dom@earth.li>: Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 11 Jul 2017 16:48:02 GMT)
Message #42 received at 864745@bugs.debian.org:
On Mon, Jul 10, 2017 at 09:24:11PM +0100, Adam D. Barratt wrote:
> Control; tags -1 + confirmed
>
> On Wed, 2017-06-14 at 00:14 +0100, Dominic Hargreaves wrote:
> > In July 2016 we released a security update for perl to fix an optional
> > module loading related vulnerability:
> >
> > https://www.debian.org/security/2016/dsa-3628
> >
> > This update included a change that has been since improved by upstream
> > for better compatibility with existing code. The original update caused
> > a few packages to FTBFS:
> >
> > #864302
> > #864299
> > #832862
> > #832866
> > #832845
> >
> > As such we believe that it makes sense to update perl in jessie to
> > include the improved fix, which is scheduled for inclusion in upstream
> > maintenance releases soon.
>
> Please go ahead.
>
> Regards,
>
> Adam
Thanks, done.
Dominic.
Added tag(s) confirmed. Request was from "Adam D. Barratt" <adsb@coccia.debian.org> to control@bugs.debian.org. (Sat, 15 Jul 2017 10:39:09 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>: Bug#864745; Package release.debian.org. (Sat, 15 Jul 2017 21:51:08 GMT)
Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>: Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 15 Jul 2017 21:51:08 GMT)
Message #49 received at 864745@bugs.debian.org:
Control: tags -1 + pending
On Tue, 2017-07-11 at 17:46 +0100, Dominic Hargreaves wrote:
> On Mon, Jul 10, 2017 at 09:24:11PM +0100, Adam D. Barratt wrote:
> > Control; tags -1 + confirmed
> >
> > On Wed, 2017-06-14 at 00:14 +0100, Dominic Hargreaves wrote:
> > > In July 2016 we released a security update for perl to fix an optional
> > > module loading related vulnerability:
> > >
> > > https://www.debian.org/security/2016/dsa-3628
> > >
> > > This update included a change that has been since improved by upstream
> > > for better compatibility with existing code. The original update caused
> > > a few packages to FTBFS:
> > >
> > > #864302
> > > #864299
> > > #832862
> > > #832866
> > > #832845
> > >
> > > As such we believe that it makes sense to update perl in jessie to
> > > include the improved fix, which is scheduled for inclusion in upstream
> > > maintenance releases soon.
> >
> > Please go ahead.
> >
> > Regards,
> >
> > Adam
>
> Thanks, done.
Flagged for acceptance.
Regards,
Adam
Added tag(s) pending. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to 864745-submit@bugs.debian.org. (Sat, 15 Jul 2017 21:51:08 GMT)
Reply sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>: You have taken responsibility. (Sat, 22 Jul 2017 12:22:12 GMT)
Notification sent to Dominic Hargreaves <dom@earth.li>: Bug acknowledged by developer. (Sat, 22 Jul 2017 12:22:13 GMT)
Message #56 received at 864745-done@bugs.debian.org:
Version: 8.9
Hi,
These bugs all relate to updates which were included in today's jessie
point release.
Regards,
Adam
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 20 Aug 2017 07:32:07 GMT)
Last modified: Wed May 8 21:38:11 2024