Your message dated Thu, 26 Aug 2021 19:18:44 +0000
with message-id <[email protected]>
and subject line Bug#992200: fixed in perl 5.34.0-1
has caused the Debian Bug report #992200,
regarding perl: regen-configure orig tarball file exclusions
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
992200: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992200
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: perl
Version: 5.32.1-5
We're not including the metaconfig (= regen-configure) original tarball
in a consistent way.
We have uscan(1) machinery in debian/watch and debian/copyright
to filter out bin/ and repack to .xz, but it looks like we're not
using that. The filtering was added pretty early in
  commit a42e63561fdfa1ed091cabcfe2b176d1bcac33ff
  Author: Niko Tyni <[email protected]>
  Date: Sat Oct 14 16:06:17 2017 +0300
      Add machinery for generating the regen-configure component tarball
      We filter out bin/* from the upstream repo with Files-Excluded because
      they are generated files from dist sources. The aim is to use the
      Debian packaged dist binaries (mainly metaconfig) together with
      the unit probes that were taken from an earlier dist version
      (possibly 3.5.20).
Later I added the .xz repacking with
  commit 6f5580f38188e6b0c9b12c110058c2db758183c3
  Author: Niko Tyni <[email protected]>
  Date: Thu May 17 21:14:30 2018 +0300
      Use xz compression for component tarball
      This makes the tarball reproducible
AFAICS the machinery was used for the 5.28 series, but all tarballs
after that were imported as .gz without filtering/repacking.
We need to decide what to do going forward.
Other things being equal, using the pristine .gz tarball from GitHub would
seem preferable to me, assuming GitHub serves it in a reproducible way
(which it seems to do in my quick tests.)
The argument about bin/* being generated files from dist sources is still
true. OTOH looking at src:dist the sources seem to be just small shell
extraction wrappers around the scripts. FWIW if this is a DFSG violation,
it's present in bullseye too (but not buster).
Another reason for the filtering was to make sure we use the separately
packaged dist binaries rather than the ones in the tarball. Clearly
things have worked fine without this safeguard. If it still feels
necessary I suppose we could replace it with some mv(1) dance in the
update-configure-stamp target.
Using .gz tarballs for regen-configure and .xz for Perl itself leads
into some trouble around #898026, but we seem to have managed with
the workaround documented in README.source.
I'm somewhat at a loss. While I'd like to drop the repacking, it seems
that keeping it is a safer course to make sure we ship things with their
source.
If we keep the repacking, we should at least add a sanity check to make
sure we don't accidentally import pristine tarballs anymore.
Thoughts?
--
Niko
--- End Message ---
--- Begin Message ---
Source: perl
Source-Version: 5.34.0-1
Done: Niko Tyni <[email protected]>
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Niko Tyni <[email protected]> (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 26 Aug 2021 21:20:41 +0300
Source: perl
Architecture: source
Version: 5.34.0-1
Distribution: experimental
Urgency: medium
Maintainer: Niko Tyni <[email protected]>
Changed-By: Niko Tyni <[email protected]>
Closes: 914128 992200
Changes:
 perl (5.34.0-1) experimental; urgency=medium
 .
   * Update to new upstream version 5.34.0.
   * Add a build time sanity check to make sure we filter away generated
     files from the regen-configure tarball. (Closes: #992200)
   * Fix usrmerge related reproducibility issues. Thanks to Vagrant
     Cascadian. (Closes: #914128)
   * Update cross build support files.
   * Skip io/msg.t on x32 due to broken System V message queues.
     (See #988900)
   * [SECURITY] CVE-2021-36770: Encode loading code from working directory
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
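A sketch of the kind of sanity check proposed in the bug report and listed in the 5.34.0-1 changelog, as an added example and not the check that went into the Debian perl package. It flags a component tarball that is not xz-compressed or that still carries files under bin/; the sample member names are constructed, and it assumes the tarball has a single top-level directory.

```python
import io
import tarfile

XZ_MAGIC = b"\xfd7zXZ\x00"   # first six bytes of every .xz stream
EXCLUDED_DIRS = {"bin"}       # mirrors the bin/* exclusion described in the thread


def check_component_tarball(data):
    """Return a list of problems; an empty list means the tarball passes."""
    problems = []
    # Test the content, not the file name: a renamed .gz would still fail here.
    if not data.startswith(XZ_MAGIC):
        problems.append("not xz-compressed: looks like a pristine import")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            parts = [p for p in member.name.split("/") if p not in ("", ".")]
            rel = parts[1:]  # assumption: one top-level directory to strip
            # Only files *inside* an excluded directory count, so a file
            # that merely happens to be named "bin" elsewhere is not flagged.
            if len(rel) >= 2 and rel[0] in EXCLUDED_DIRS:
                problems.append("excluded file present: " + member.name)
    return problems


def make_sample(names, compression):
    """Build a constructed sample tarball in memory (not real upstream data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:" + compression) as tar:
        for name in names:
            payload = b"# constructed sample content\n"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed inputs: a filtered .xz repack and an unfiltered .gz import.
REPACKED = make_sample(
    ["regen-configure/U/sample.U", "regen-configure/U/bin"], "xz")
PRISTINE = make_sample(
    ["regen-configure/U/sample.U", "regen-configure/bin/metaconfig"], "gz")

if __name__ == "__main__":
    for label, blob in (("repacked", REPACKED), ("pristine", PRISTINE)):
        found = check_component_tarball(blob)
        print(label, "OK" if not found else found)
```

In a package build the same function would read the real orig component tarball and abort the build on a non-empty result.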