Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-06-29 Thread Mike Gabriel

On Mo 29 Jun 2020 12:07:31 CEST, Holger Levsen wrote:

> - DLA 2230-1 (reserved by Mike Gabriel)


Ouch. Here it is:
https://salsa.debian.org/webmaster-team/webwml/-/merge_requests/504

Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de





Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-06-29 Thread Utkarsh Gupta
Hi,

On Mon, Jun 29, 2020 at 5:58 PM 'Mike Gabriel' via Extended LTS
Contributors wrote:
> > - DLA 2230-1 (reserved by Mike Gabriel)
> Ouch. Here it is:
> https://salsa.debian.org/webmaster-team/webwml/-/merge_requests/504

Merged! :)


Best,
Utkarsh



Re: rails update

2020-06-29 Thread Sylvain Beucler
Hi,

On 25/06/2020 18:20, Sylvain Beucler wrote:
> On 22/06/2020 13:23, Sylvain Beucler wrote:
>> On 22/06/2020 11:56, Utkarsh Gupta wrote:
>>> On Mon, Jun 22, 2020 at 3:11 PM Sylvain Beucler wrote:
>>>> Hmm, are you the only active maintainer for rails?
>>>
>>> There are 3 maintainers. CC'ed rails@p.d.o.
>>> However, since you have already worked on preparing the fix for
>>> Jessie, it's much easier on your part to do it for Stretch and Buster.
>>> But that's volunteer work :)
>>>
>>> If you don't want to work, don't :)
>>
>> For rails@d.p.o's info, I explained at:
>> https://lists.debian.org/debian-lts/2020/06/msg00063.html
>> that I prepared the jessie (4.1.8) and stretch (4.2.7.1) updates at:
>> https://www.beuc.net/tmp/debian-lts/rails/
>>
>> However the buster version (5.2.2.1) is affected by a different set of
>> vulnerabilities, is much closer to bullseye (5.2.4.3), and apparently
>> the update causes new issues.
>>
>> That's why I think it'd make more sense for the rails maintainers to
>> backport the latest bullseye update.
>>
>> Let me know what you plan to do.
>>
>>>> Which security update broke what, exactly?
>>>
>>> The latest security update from 5.2.4.2 to 5.2.4.3, which contained
>>> fixes for CVE-2020-816{2,4,5,6,7}.
>>> JavaScript bundle generation for Activestorage didn't work w/o that
>>> patch. We had to switch to node-babel7 for that.
>>
>> I updated
>> https://wiki.debian.org/LTS/TestSuites/rails
>> accordingly.
>>
>> The stretch update passes this new test.
>>
>> (Though in this particular case it may have just been due to node-babel
>> changes in unstable since March, e.g. babel7 is pulled through
>> node-regenerator-transform.)
> 
> Status update: jessie and stretch are affected by new important
> CVE-2020-8163.
> buster and above not affected.
> Currently waiting for upstream's feedback on a second regression, then
> I'll prepare an update for jessie & stretch.

https://www.beuc.net/tmp/debian-lts/rails/ is updated.

Upstream showed little care for 4.x and I don't expect further feedback,
so I went ahead and backported:
https://github.com/rails/rails/commit/d9ff835b99ff3c7567ccde9b1379b4deeabee32f
to fix the regression, including tests.

Rationale at:
https://github.com/rails/rails/issues/39301#issuecomment-648885623

Note: redmine/stretch (< 3.4) was not affected by the regression.

Cheers!
Sylvain



(semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-06-29 Thread Holger Levsen
hi,

today there was nothing to be unclaimed for LTS nor ELTS, and no one
had claimed 4 or more packages, hooray!

Two DLAs have been reserved but not yet been published on www.debian.org:

- DLA 2261-1 (reserved by Thorsten Alteholz)
- DLA 2230-1 (reserved by Mike Gabriel)


-- 
tschau,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

