Processed: Re: Bug#985958: [pre-approval] unblock: spip/3.2.11-2
Processing control commands:

> tags -1 moreinfo
Bug #985958 [release.debian.org] [pre-approval] unblock: spip/3.2.11-2
Added tag(s) moreinfo.

-- 
985958: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985958
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#985958: [pre-approval] unblock: spip/3.2.11-2
Control: tags -1 moreinfo

Hi David,

On Mon, Apr 12, 2021 at 04:46:35PM -0400, David Prévot wrote:
> On 02/04/2021 16:41, Paul Gevers wrote:
> > On 26-03-2021 20:53, David Prévot wrote:
> > > Please unblock package spip
> >
> > This package does have a bit of a track record for security issues.
>
> Indeed. Since 3.3 will soon be released, the 3.2 branch (as currently in
> testing) should mostly only receive security updates starting from now (and
> as you already pointed out, it probably will rather sooner than later).
> Updating SPIP to 3.2.11 in Bullseye should make our lives less sad during
> the Bullseye lifetime, by allowing us to (hopefully) simply cherry-pick
> further security fixes (rather than backporting them due to changes between
> 3.2.10 and 3.2.11).
>
> > > [ Reason ]
> > > Upstream just released a new minor version to improve PHP 7.4 compat
> > > (latest version already improved PHP 7.3 compat). Since Bullseye ships
> > > with PHP 7.4, including those fixes should avoid future issues (I had
> > > to backport a PHP 7.3 compatibility issue with a buster-security upload
> > > already to fix a serious issue with plugins handling).
> >
> > If I read the upstream CHANGELOG correctly, it seems that this was all
> > put together in a short time (days).
>
> Indeed, they finally realized that compatibility with the current PHP
> version is useful (I’ve tried pushing for a while, but was not very
> successful).
>
> > Are you aware of any tests in the package (I didn't spot them)? Does
> > upstream have any testing infra?
>
> Nothing I’m aware of, unfortunately. On the other hand, this version was
> released upstream more than two weeks ago and I’m not aware of any
> reported regression.
>
> > I'm seriously doubting if we'd not introduce more issues than we solve here.
>
> I understand your concern, but SPIP 3.2.10, currently in Bullseye, is known
> to not be fully compatible with PHP 7.4, also in Bullseye.
>
> > > [ Impact ]
> > > On top of fixing possible problems, this update avoids filling the
> > > web server error.log due to multiple warnings and deprecation notices.
> >
> > Ack. Are those fixes cherry-pickable?
>
> That’s the main purpose of all the changes from 3.2.10 to 3.2.11 actually.
>
> > > [ Tests ]
> > > I only tested the package manually, but I’m keeping an eye on upstream
> > > issues that may arise about this new release.
> >
> > See above. This doesn't sound great.
>
> I understand, the timing of this release sucks, and I’ll trust the judgment
> of the release team.

Yeah, neither option sounds very good. I'm leaning towards accepting it.

I suggest you upload it to unstable, and we'll leave it there for a while.
If issues show up (either in unstable or upstream), we can reconsider it.
I'm tagging the bug moreinfo for now. Please remove that when the upload has
been in unstable for a while.

Thanks,
Ivo
Bug#985958: [pre-approval] unblock: spip/3.2.11-2
Control: tags -1 -moreinfo

Hi Paul,

Thank you for your reply.

On 02/04/2021 16:41, Paul Gevers wrote:
> On 26-03-2021 20:53, David Prévot wrote:
> > Please unblock package spip
>
> This package does have a bit of a track record for security issues.

Indeed. Since 3.3 will soon be released, the 3.2 branch (as currently in
testing) should mostly only receive security updates starting from now (and
as you already pointed out, it probably will rather sooner than later).
Updating SPIP to 3.2.11 in Bullseye should make our lives less sad during
the Bullseye lifetime, by allowing us to (hopefully) simply cherry-pick
further security fixes (rather than backporting them due to changes between
3.2.10 and 3.2.11).

> > [ Reason ]
> > Upstream just released a new minor version to improve PHP 7.4 compat
> > (latest version already improved PHP 7.3 compat). Since Bullseye ships
> > with PHP 7.4, including those fixes should avoid future issues (I had
> > to backport a PHP 7.3 compatibility issue with a buster-security upload
> > already to fix a serious issue with plugins handling).
>
> If I read the upstream CHANGELOG correctly, it seems that this was all
> put together in a short time (days).

Indeed, they finally realized that compatibility with the current PHP
version is useful (I’ve tried pushing for a while, but was not very
successful).

> Are you aware of any tests in the package (I didn't spot them)? Does
> upstream have any testing infra?

Nothing I’m aware of, unfortunately. On the other hand, this version was
released upstream more than two weeks ago and I’m not aware of any
reported regression.

> I'm seriously doubting if we'd not introduce more issues than we solve here.

I understand your concern, but SPIP 3.2.10, currently in Bullseye, is known
to not be fully compatible with PHP 7.4, also in Bullseye.

> > [ Impact ]
> > On top of fixing possible problems, this update avoids filling the
> > web server error.log due to multiple warnings and deprecation notices.
>
> Ack. Are those fixes cherry-pickable?

That’s the main purpose of all the changes from 3.2.10 to 3.2.11 actually.

> > [ Tests ]
> > I only tested the package manually, but I’m keeping an eye on upstream
> > issues that may arise about this new release.
>
> See above. This doesn't sound great.

I understand, the timing of this release sucks, and I’ll trust the judgment
of the release team.

Regards

David
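The [ Reason ] and [ Impact ] sections above describe the update as PHP 7.4 compatibility work whose visible symptom is a web server error.log filling with deprecation notices, and the thread notes that neither the package nor upstream has tests for it. The script below is an added example, not SPIP code and not something anyone in this thread posted: it takes the classes of construct the attached CHANGELOG names (curly-brace offsets, unparenthesised nested ternaries, swapped implode() argument order, create_function(), each(), array offsets on null), pairs a constructed legacy snippet with its replacement for each, compiles and runs both under a temporary error handler, and reports what PHP 7.4 (the Bullseye version) complains about. All function names and snippets are assumed for the demonstration.

```php
<?php
declare(strict_types=1);

/**
 * Compile and run a PHP snippet under a temporary error handler and return
 * every diagnostic it raises, in order. eval() is used only so that the
 * constructed snippets can live in this file; compile-time deprecations
 * (curly-brace offsets, unparenthesised nested ternaries) are raised while
 * the snippet is compiled and reach the handler like the runtime ones.
 */
function collect_diagnostics(string $code): array
{
    $captured = [];
    $previous = error_reporting(E_ALL);
    set_error_handler(
        function (int $errno, string $errstr) use (&$captured): bool {
            $captured[] = sprintf('%s: %s', error_level_name($errno), $errstr);
            return true; // handled here, so nothing reaches error.log
        },
        E_ALL
    );
    try {
        eval($code);
    } catch (\Throwable $e) {
        // On PHP 8 several legacy forms are parse errors or removed functions.
        $captured[] = get_class($e) . ': ' . $e->getMessage();
    } finally {
        restore_error_handler();
        error_reporting($previous);
    }
    return $captured;
}

function error_level_name(int $errno): string
{
    $names = [
        E_DEPRECATED      => 'Deprecated',
        E_USER_DEPRECATED => 'Deprecated',
        E_NOTICE          => 'Notice',
        E_WARNING         => 'Warning',
    ];
    return $names[$errno] ?? "E_$errno";
}

/* Constructed snippet pairs (assumed, not from SPIP): 'legacy' is the
   pre-7.4 idiom, 'fixed' the replacement used in this kind of port. */
$cases = [
    'curly-brace string offset' => [
        'legacy' => '$s = "abc"; return $s{0};',
        'fixed'  => '$s = "abc"; return $s[0];',
    ],
    'unparenthesised nested ternary' => [
        'legacy' => '$n = 2; return $n > 1 ? "many" : $n == 1 ? "one" : "none";',
        'fixed'  => '$n = 2; return $n > 1 ? "many" : ($n == 1 ? "one" : "none");',
    ],
    'implode() argument order' => [
        'legacy' => 'return implode(["a", "b"], ",");',
        'fixed'  => 'return implode(",", ["a", "b"]);',
    ],
    'create_function()' => [
        'legacy' => '$f = create_function(\'$a\', \'return $a * 2;\'); return $f(21);',
        'fixed'  => '$f = function ($a) { return $a * 2; }; return $f(21);',
    ],
    'each()' => [
        'legacy' => '$a = ["k" => "v"]; $p = each($a); return $p["key"];',
        'fixed'  => '$a = ["k" => "v"]; return key($a);',
    ],
    'array offset on null' => [
        'legacy' => '$row = null; return $row["id"];',
        'fixed'  => '$row = null; return $row["id"] ?? null;',
    ],
];

foreach ($cases as $name => $pair) {
    foreach ($pair as $variant => $code) {
        $diagnostics = collect_diagnostics($code);
        printf("%-32s %-6s %d diagnostic(s)\n", $name, $variant, count($diagnostics));
        foreach ($diagnostics as $line) {
            echo "    $line\n";
        }
    }
}
```

Run with `php check.php` under PHP 7.4: each legacy snippet yields one Deprecated or Notice line and each fixed snippet none. `php -l` only compiles, so it can report the compile-time deprecations (curly-brace offsets, nested ternary) but never the runtime ones, which only show up when the code path is exercised; that is why a production error.log is usually where they are first noticed, and why exercising the actual templates and plugins under error_reporting=E_ALL before an upload is the check worth doing when no test suite exists.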
Processed: Re: Bug#985958: [pre-approval] unblock: spip/3.2.11-2
Processing control commands:

> tags -1 -moreinfo
Bug #985958 [release.debian.org] [pre-approval] unblock: spip/3.2.11-2
Removed tag(s) moreinfo.

-- 
985958: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985958
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#985958: [pre-approval] unblock: spip/3.2.11-2
Control: tags -1 moreinfo

Hi David,

On 26-03-2021 20:53, David Prévot wrote:
> Please unblock package spip

This package does have a bit of a track record for security issues.

> [ Reason ]
> Upstream just released a new minor version to improve PHP 7.4 compat
> (latest version already improved PHP 7.3 compat). Since Bullseye ships
> with PHP 7.4, including those fixes should avoid future issues (I had
> to backport a PHP 7.3 compatibility issue with a buster-security upload
> already to fix a serious issue with plugins handling).

If I read the upstream CHANGELOG correctly, it seems that this was all
put together in a short time (days). Are you aware of any tests in the
package (I didn't spot them)? Does upstream have any testing infra?

I'm seriously doubting if we'd not introduce more issues than we solve here.

> [ Impact ]
> On top of fixing possible problems, this update avoids filling the
> web server error.log due to multiple warnings and deprecation notices.

Ack. Are those fixes cherry-pickable?

> [ Tests ]
> I only tested the package manually, but I’m keeping an eye on upstream
> issues that may arise about this new release.

See above. This doesn't sound great.

Paul
Processed: Re: Bug#985958: [pre-approval] unblock: spip/3.2.11-2
Processing control commands:

> tags -1 moreinfo
Bug #985958 [release.debian.org] [pre-approval] unblock: spip/3.2.11-2
Added tag(s) moreinfo.

-- 
985958: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985958
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#985958: [pre-approval] unblock: spip/3.2.11-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package spip

[ Reason ]
Upstream just released a new minor version to improve PHP 7.4 compat
(latest version already improved PHP 7.3 compat). Since Bullseye ships
with PHP 7.4, including those fixes should avoid future issues (I had
to backport a PHP 7.3 compatibility issue with a buster-security upload
already to fix a serious issue with plugins handling).

[ Impact ]
On top of fixing possible problems, this update avoids filling the
web server error.log due to multiple warnings and deprecation notices.

[ Tests ]
I only tested the package manually, but I’m keeping an eye on upstream
issues that may arise about this new release.

[ Risks ]
It’s a leaf, non-key package. Even if there are various changes, they are
mostly trivial.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
I’ve filtered the debdiff with the following command (excluding getid3
changes because the package depends on an already up to date php-getid3
rather than the version vendored in, and some documentation), but the
result is still big, sorry:

 61 files changed, 647 insertions(+), 334 deletions(-)

git diff debian/3.2.9-1 --ignore-all-space --ignore-blank-lines | \
  filterdiff --exclude=*/plugins-dist/medias/lib/getid3/* \
             --exclude=*NEWS --exclude=*README.md > /tmp/spip_ign_filtered.diff

unblock spip/3.2.11-2

diff --git a/CHANGELOG.TXT b/CHANGELOG.TXT
index d9db953dec..f69be25c84 100644
--- a/CHANGELOG.TXT
+++ b/CHANGELOG.TXT
@@ -1,3 +1,99 @@ +SPIP-Core v3.2.10 -> v3.2.11 (26 March 2021) + + +b52a4a5b3 | cedric | 2021-03-12 | twitterbot est aussi notre ami pour le laisser scraper l'url qu'on veut touitter (fil) +58d5d6190 | cedric | 2021-02-15 | Report de https://git.spip.net/spip-contrib-outils/securite/commit/e7b571681a92eb40edda24b45dc472e113c1 qui fix #4.. +6611fd50b | cedric | 2021-02-15 | Report de https://git.spip.net/spip-contrib-outils/securite/commit/3eccaf41426d4f3c8f28b50d81e12fbe5f8af4c2 +62d33c975 | marcimat | 2021-03-26 | Notice-- : Attribut sans ses quotes... (realet) + + + +SPIP-Core v3.2.9 -> v3.2.10 (26 mars 2021) +--- + +0b1bd0542 | marcimat | 2018-09-05 | Compat PHP 7.x : Scorie résiduelle du passage à mysqli. Mais ces fonctions ne semblent plus utilisées. +7621a660a | marcimat | 2021-03-19 | Retour partiel sur 31df72005 pour compat PHP 5.4 ... +4de4b3c34 | marcimat | 2021-03-19 | Correction deprecated php 7.4 : ordre de join inversé. +0ea620c9a | marcimat | 2018-09-05 | Tickets #4059 et #4138 : meilleure compat PHP 7.2 +f69b39c9e | marcimat | 2021-03-18 | Suppression du fichier .gitattributes inutile. +a54ab9a89 | rastapopoulos | 2021-03-14 | Backport de 2e55e3a60e à la main car plus dans le même fichier en 3.3. +bdc53dcc9 | marcimat | 2021-03-11 | Lorsqu'on déclare un traitement à un champ de rubrique, tel que `$table_des_traitements['DEMO']['rubriques'] = ...`, c.. +510983b09 | cedric| 2021-03-09 | Fix https://core.spip.net/issues/4442 : le vieux parseur xml a la main (qu'il faudrait virer) ne tolerait pas l'utilis.. +31df72005 | marcimat | 2021-03-05 | Suite de e11b28be4 : plus éviter une fatale en PHP 8 si unicode2charset cherche à utiliser un charset inexistant +00c2038da | marcimat | 2021-03-05 | Correction d'une Fatale Suite à 27e4f1bcc. C'est sport mais le commit ajoute des accents dans le squelettes prive/sque.. 
+e380b0afd | cy.altern | 2021-03-04 | report a4cdf3b633 +916b67198 | marcimat | 2021-03-04 | Ticket #4348 : Compat PHP 7.4 (deprecated curly braces array) +910c245ea | marcimat | 2020-03-26 | Compat PHP 7.4 : éviter une notice lorsque la pagination ne trouve aucune entrée. +1b5549e51 | marcimat | 2019-08-26 | Ticket #4348 : Compat PHP 7.4 (notice). +c5492ea3e | marcimat | 2019-08-26 | Ticket #4348 : Compat PHP 7.4 (deprecated curly braces array) +da6dfc068 | marcimat | 2019-08-26 | Ticket #4348 : Compat PHP 7.4, Trying to access array offset on value of type null. +db1814dc5 | marcimat | 2019-08-25 | Compat PHP 7.4, Deprecated: Array and string offset access syntax with curly braces (Francky) +330eb930f | marcimat | 2019-06-17 | Ticket #4348 : Correction pour PHP 7.4 (Left-associative ternary operator deprecation) +130ada180 | marcimat | 2018-02-09 | Compatibilité PHP 7.2 : create_function => function xxx each => key, current, next +8075d79f2 | marcimat | 2017-12-11 | Ticket #4059 : Compat PHP 7.2, remplacer un create_function. +061107f80 | marcimat | 2017-12-11 | Ticket #4059 : Compat PHP 7.2, remplacer des create_function. +af94fa5d9 | marcimat | 2017-12-11 | Ticket #4059 : Compat PHP 7.2, remplacer des
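Review bot: two of the four v3.2.10 -> v3.2.11 entries in this hunk (58d5d6190 and 6611fd50b, both "Report de https://git.spip.net/spip-contrib-outils/securite/commit/...") are backports from the SPIP security plugin repository, not PHP 7.4 compatibility changes, yet the request's [ Reason ] describes the upload as compat work only and the ticket reference in the first of them is cut off ("qui fix #4.."). Since the release team explicitly raised the package's security track record, please state in d/changelog (and in the unblock request) what those two commits fix, with the full ticket or advisory reference, so the change can be assessed now and a later bullseye-security upload can see it is already included. Similarly, 0b1bd0542 ("functions no longer seem used", dated 2018) in the v3.2.10 block is a cleanup rather than a compat fix and is worth calling out as such, given the "mostly trivial" claim under [ Risks ].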