Bug#1040007: libwww-mechanize-perl: migrate to libhttp-cookiejar-perl?

Fri, 30 Jun 2023 15:15:20 -0700 

lib/WWW/Mechanize.pm currently says:

  You are encouraged to install L<Mozilla::PublicSuffix> and use
  L<HTTP::CookieJar::LWP> as your cookie jar.  L<HTTP::CookieJar::LWP>
  provides a better security model matching that of current Web browsers
  when L<Mozilla::PublicSuffix> is installed.

    use HTTP::CookieJar::LWP ();

    my $jar = HTTP::CookieJar::LWP->new;
    my $agent = WWW::Mechanize->new( cookie_jar => $jar );

So it appears libwww-mechanize-perl already supports the use of
libhttp-cookiejar-perl, but leaves it to the caller; and also, I don't see
anywhere in the library that libhttp-cookie-perl is used, only in mech-dump
which almost seems like an example script, and could easily be converted?

On Fri, Jun 30, 2023 at 02:56:15PM -0700, Steve Langasek wrote:
> Package: libwww-mechanize-perl
> Version: 2.16-1
> Severity: wishlist
> User: ubuntu-de...@lists.ubuntu.com
> Usertags: origin-ubuntu mantic
> 
> Dear maintainers,
> 
> The libwww-perl package has recently switched from depending on
> libhttp-cookies-perl, to depending on libhttp-cookiejar-perl, with the
> upstream rationale that this is "a safer cookie jar".
> 
> Are there any plans for libwww-mechanize-perl to also switch?
> 
> Downstream in Ubuntu, we libwww-perl, libwww-mechanize-perl, and
> libhttp-cookies-perl are all in the "main" component of the archive with
> different security committments than "universe" and we have a preference for
> not having duplicate implementations of functionality where we can avoid it;
> therefore we would prefer to replace libhttp-cookies-perl with
> libhttp-cookiejar-perl in main by having both of the reverse-dependencies
> updated to use the same implementation, rather than having both in main.
> 
> I also see that libwww-mechanize-perl itself depends on libwww-perl, so I
> wonder what the interactions are like there if the two libraries are using
> separate cookie stores?
> 
> Thanks,
> -- 
> Steve Langasek                   Give me a lever long enough and a Free OS
> Debian Developer                   to set it on, and I can move the world.
> Ubuntu Developer                                   https://www.debian.org/
> slanga...@ubuntu.com                                     vor...@debian.org

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org

Attachment: signature.asc
Description: PGP signature

Reply via email to