Dear Debian release team,
Please note that, even though I was the person who updated SQLAlchemy to apply the upstream CVE fix, I am not the official maintainer of the package, and that this is probably up to Piotr to do the work. I'm happily replying though. :)

I'm CC-ing Piotr and Mike Bayer (upstream for SQLAlchemy).

On 5/28/19 8:59 PM, Paul Gevers wrote:
> Control: tags -1 moreinfo confirmed
>
> Hi Zigo,
>
> On Tue, 21 May 2019 17:50:28 +0200 Thomas Goirand <z...@debian.org> wrote:
>> Note that it may (or not) break some reverse dependencies, though according
>> to upstream, OpenStack (the biggest SQLAlchemy consumer in Debian) behaves
>> correctly with it. If this happens, then these reverse dependencies will
>> have to be fixed.
>
> Do you already have indications that this may be the case?

For all things OpenStack, I'm pretty sure that everything is ok, because the upstream author of SQLAlchemy has been hired by Red Hat to make sure OpenStack uses SQLAlchemy the proper way. For other dependencies, it's harder to know.

> Have you
> already warned the reverse dependencies to check? I would appreciate it
> if you do such that we can also have those fixed reverse dependencies in
> buster.
>
> Paul

Here's the list of reverse dependencies for python3-sqlalchemy:

* buildbot
* changeme
* db2twitter
* dms-core [amd64 arm64 armel armhf i386 mips mips64el mipsel ppc64el s390x]
* mailman3
* openlp
* python3-agatesql
* python3-geoalchemy2
* python3-osmalchemy
* python3-pybel
* python3-sadisplay
* python3-sqlsoup
* retweet
* sqlacodegen
* yokadi

Here are those for python-sqlalchemy:

* archipel-core
* bauble
* blogofile-converters
* childsplay
* epigrass [amd64 arm64 armel armhf i386 kfreebsd-amd64 mips mips64el mipsel ppc64el s390x]
* gnukhata-core
* gourmet
* griffith
* kamcli
* pegasus-wms
* pycsw-wsgi
* python-elixir
* python-pywps
* python-sprox
* python-sqlkit
* python-sqlsoup
* python-zope.sqlalchemy
* pytrainer
* vistrails
* yhsm-yubikey-ksm

I removed all-things-OpenStack and libraries that are very unlikely to have issues, such as sqlalchemy-utils and others.

I don't know any of the above packages. It would be hard to tell who's affected by a related problem, though the misuse of SQLAlchemy (because that's really what we're talking about here... a misuse that should have been considered a bug to begin with, even without the applied patch to SQLAlchemy) is quite rare. I very much think it's safer to just allow SQLAlchemy to migrate right now, to fix the potential SQL insertion vulnerability, rather than waiting for any (potential, but likely rare) issue in the above reverse dependencies.

I do think a gentle ping to the maintainers of the above packages would be nice, but probably mass-filing of bugs isn't needed. How can I easily gather the list of maintainers? Is there a script somewhere to do this, or should I write it myself (which shouldn't be hard with some apt-cache show in a loop...)?

Piotr, Mike, is what I wrote above accurate?

Cheers,

Thomas Goirand (zigo)
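The "apt-cache show in a loop" idea from the message above, written out as an added example (editor's code, not part of the original e-mail or of any Debian tooling). It assumes a Debian host with apt-cache for the two wrapper functions; the two parsers are exercised against constructed samples of apt-cache output embedded below, so the demo runs without apt. The shape of that sample output (one stanza per available version in `apt-cache show`, a two-line header and a leading `|` on alternative dependencies in `apt-cache rdepends`) is an assumption about those tools' formats.

```sh
#!/bin/sh
# Editor's added example: collect Maintainer fields for a list of reverse
# dependencies. Not part of the original e-mail.

# Parse `apt-cache show` output on stdin into "<package>\t<maintainer>".
# apt-cache prints one stanza per available version, so the same package
# can appear several times; sort -u collapses the duplicates.
extract_maintainers() {
    awk '
        /^Package: /    { pkg = substr($0, 10) }
        /^Maintainer: / { print pkg "\t" substr($0, 13) }
    ' | sort -u
}

# Parse `apt-cache rdepends` output on stdin into bare package names.
# Assumption: the first two lines are the package name and the
# "Reverse Depends:" header, and alternatives carry a leading "|".
extract_rdepends() {
    awk 'NR > 2 { sub(/^[ |]+/, ""); if ($0 != "") print }' | sort -u
}

# Live pipeline (needs apt-cache; not run by the demo functions below):
# for every reverse dependency of the given binary packages, print
# "<package>\t<maintainer>" once.
maintainers_of_rdepends() {
    for pkg in "$@"; do
        apt-cache rdepends "$pkg" | extract_rdepends
    done | sort -u | xargs -r apt-cache show 2>/dev/null | extract_maintainers
}

# Constructed sample of `apt-cache show` output (not real archive data).
SAMPLE_APT_CACHE_SHOW='Package: buildbot
Version: 1.8.0-1
Maintainer: Example Team <team@example.org>
Description: system to automate the compile/test cycle

Package: buildbot
Version: 1.7.0-1
Maintainer: Example Team <team@example.org>
Description: second stanza for an older version of the same package

Package: yokadi
Version: 1.2.0-1
Maintainer: Some One <someone@example.org>
Description: command line todo system'

# Constructed sample of `apt-cache rdepends python3-sqlalchemy` output.
SAMPLE_APT_CACHE_RDEPENDS='python3-sqlalchemy
Reverse Depends:
  buildbot
 |mailman3
  yokadi
  buildbot'

demo_maintainers() {
    printf '%s\n' "$SAMPLE_APT_CACHE_SHOW" | extract_maintainers
}

demo_rdepends() {
    printf '%s\n' "$SAMPLE_APT_CACHE_RDEPENDS" | extract_rdepends
}

demo_rdepends
demo_maintainers
```

On a real system, `maintainers_of_rdepends python3-sqlalchemy python-sqlalchemy` gives the de-duplicated package/maintainer pairs; if a maintainer is a team address, the Uploaders field (not parsed here) names the individuals.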