On 2013-04-02 21:15, Niko Tyni wrote:
> On Sun, Mar 31, 2013 at 05:46:12PM +0100, Dominic Hargreaves wrote:
>
>> There is a problem with the perl package, as discussed in
>> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224#55>
>> onwards, whereby the application of the security fix in that ticket
>> now causes double-escaping problems where people work around the problem
>> by escaping themselves, when they detect an earlier Locale::Maketext
>> by version number.
>>
>> I am slightly wary about importing the new (1.23) version of
>> Locale::Maketext as I mentioned in that bug already, but my fears may
>> be unfounded. Could you comment about whether you would accept such
>> a change in wheezy at this time? (I can't really decide whether it's
>> RC or not).
>
> FWIW, it looks clear to me that the only functional changes in the patch
> are the $VERSION increments in the .pm files. The rest is documentation
> and test cases, and the only important $VERSION is most probably
> the main one in Locale/Maketext.pm.
>

Indeed.

> While that change itself is trivial, it has action-at-distance effects -
> otherwise this wouldn't be an issue at all. I think the risk potential
> is mostly in breaking something that's trusting Module::CoreList
> (dh-make-perl and lintian come to mind, CPAN.pm and CPANPLUS.pm might
> be affected somehow too?), and that it's not a very big risk but still
> a real one.
>

Lintian uses a precomputed static list. It would at worst lead to
"false negatives" for "package-superseded-by-perl" (i.e. no tag when one
should have been there).

I suspect dh-make-perl will have a similar case with using the "cpan"
variant instead of the "core" variant in dependencies (though I only gave
it a quick scan).

I would suspect that any application code using Module::CoreList would
still have to account for the "cpan" version being present?

> [...]
>
> In this specific case, upgrading Locale::Maketext fully to 1.23 in wheezy
> would probably have been the "right" thing to do if we had anticipated
> these issues. But we didn't, and it seems very late in the release
> process to do it now. Also, I can't really see us applying anything but
> the targeted fix for squeeze.
>

I am tempted to take this fix for Wheezy and be done with it. Can (one of)
you please check up on CPAN.pm/CPANPLUS.pm?

> I see Fedora/RedHat also upgraded their Locale::Maketext modules without
> incrementing $VERSION (I checked the patches in RHEL 6 / Perl 5.10.1 and
> Fedora Core 16 & 17 / Perl 5.14.3). So it looks like even if we do try
> to fix this for wheezy, applications still have to check for features
> rather than versions to stay on the safe side.
>

Okay, sounds like it will be fine with leaving Squeeze as is then.

~Niels