Bug#1102752: bookworm-pu: expat/2.5.0-1+deb12u2
On Sat, 2025-08-30 at 13:46 +0300, Adrian Bunk wrote:
> On Sat, Aug 30, 2025 at 01:04:03PM +0300, Adrian Bunk wrote:
> > ...
> > Regarding node-expat, #1064047 was fixed by RM and I have no idea
> > whether this is more than a test failure.
> > ...
>
> Addendum from bullseye LTS:
> https://salsa.debian.org/js-team/node-expat/-/commit/6c58e776d35318ebd28cf033b014719c45980f7a
>
> Removing it gives me a bullseye FTBFS with the same errors as the
> bookworm autopkgtest.

Thank you for digging that out. Sadly that doesn't actually tell us if
the issues are isolated to the test suite, or the package just has no
users. Arguably either means they have no practical effect, but still.

Regards,

Adam

Bug#1102752: bookworm-pu: expat/2.5.0-1+deb12u2
On Sat, Aug 30, 2025 at 01:04:03PM +0300, Adrian Bunk wrote:
>...
> Regarding node-expat, #1064047 was fixed by RM and I have no idea
> whether this is more than a test failure.
>...

Addendum from bullseye LTS:
https://salsa.debian.org/js-team/node-expat/-/commit/6c58e776d35318ebd28cf033b014719c45980f7a

Removing it gives me a bullseye FTBFS with the same errors as the
bookworm autopkgtest.

cu
Adrian

Bug#1102752: bookworm-pu: expat/2.5.0-1+deb12u2
On Sat, Aug 30, 2025 at 10:11:47AM +0100, Adam D. Barratt wrote:
> Hi,
>
> On Sun, 2025-07-13 at 11:18 +0200, László Böszörményi (GCS) wrote:
> > On Sat, Jul 5, 2025 at 4:39 PM Paul Gevers wrote:
> > > On Thu, 5 Jun 2025 19:57:24 +0200 Paul Gevers wrote:
> > > > The autopkgtests of node-expat and python3.11 fail with the expat
> > > > from proposed-updates. Can you have a look (you may want to
> > > > involve the maintainers of those packages)?
> > [...]
> > > Any news?
> > I've been busy with several things. Tried to reproduce the problems
> > in the background but I was not able to. I'm still working on it, as
> > now I have more time.
>
> The point release is next weekend, and we need to be making a decision
> as to whether to be including this update shortly. What's the status on
> the test failures?

Regarding python3.11, this needs:
https://github.com/python/cpython/commit/3501eca89e27873f6037abcb39e5031dfbce7077

Without the fails_with_expat_2_6_0 due to the CVE-2023-52425 backport
this becomes:
https://salsa.debian.org/lts-team/packages/python3.7/-/commit/abf7997346d1cc2f7b96a5f643efff742a26d91d#77e295c43281825c62439f85ee54902e04eae026

This won't cause build failures since Python3 is one of the toolchain
packages that runs a huge number of buildtime tests but ignores all
test failures:
https://sources.debian.org/src/python3.11/3.11.2-6%2Bdeb12u6/debian/rules#L677
https://sources.debian.org/src/python3.11/3.11.2-6%2Bdeb12u6/debian/rules#L693
https://sources.debian.org/src/python3.11/3.11.2-6%2Bdeb12u6/debian/rules#L708

So this is harmless with a test-only fix, and the autopkgtest can be
fixed in the next python3.11 update.

Regarding node-expat, #1064047 was fixed by RM and I have no idea
whether this is more than a test failure.

> Regards,
>
> Adam

cu
Adrian

Bug#1102752: bookworm-pu: expat/2.5.0-1+deb12u2
Hi,

On Sun, 2025-07-13 at 11:18 +0200, László Böszörményi (GCS) wrote:
> On Sat, Jul 5, 2025 at 4:39 PM Paul Gevers wrote:
> > On Thu, 5 Jun 2025 19:57:24 +0200 Paul Gevers wrote:
> > > The autopkgtests of node-expat and python3.11 fail with the expat
> > > from proposed-updates. Can you have a look (you may want to involve
> > > the maintainers of those packages)?
> [...]
> > Any news?
> I've been busy with several things. Tried to reproduce the problems
> in the background but I was not able to. I'm still working on it, as
> now I have more time.

The point release is next weekend, and we need to be making a decision
as to whether to be including this update shortly. What's the status on
the test failures?

Regards,

Adam

Bug#1102752: bookworm-pu: expat/2.5.0-1+deb12u2
On Sat, Jul 5, 2025 at 4:39 PM Paul Gevers wrote:
> On Thu, 5 Jun 2025 19:57:24 +0200 Paul Gevers wrote:
> > The autopkgtests of node-expat and python3.11 fail with the expat from
> > proposed-updates. Can you have a look (you may want to involve the
> > maintainers of those packages)?
[...]
> Any news?

I've been busy with several things. Tried to reproduce the problems
in the background but I was not able to. I'm still working on it, as
now I have more time.

Laszlo/GCS

Bug#1102752: bookworm-pu: expat/2.5.0-1+deb12u2
Hi László,

On Thu, 5 Jun 2025 19:57:24 +0200 Paul Gevers wrote:
> On Sat, 12 Apr 2025 16:46:52 +0200 László Böszörményi (GCS) wrote:
> > I do not see risks, using it on my machine without problems. The fixes
> > were done by RedHat and they are already using those on their
> > distribution.
>
> The autopkgtests of node-expat and python3.11 fail with the expat from
> proposed-updates. Can you have a look (you may want to involve the
> maintainers of those packages)?
>
> https://ci.debian.net/packages/n/node-expat/stable/amd64/
> https://ci.debian.net/packages/p/python3.11/stable/amd64/

Any news?

Paul

Bug#1102752: bookworm-pu: expat/2.5.0-1+deb12u2
Hi László,

On Sat, 12 Apr 2025 16:46:52 +0200 László Böszörményi (GCS) wrote:
> I do not see risks, using it on my machine without problems. The fixes
> were done by RedHat and they are already using those on their
> distribution.

The autopkgtests of node-expat and python3.11 fail with the expat from
proposed-updates. Can you have a look (you may want to involve the
maintainers of those packages)?

https://ci.debian.net/packages/n/node-expat/stable/amd64/
https://ci.debian.net/packages/p/python3.11/stable/amd64/

Paul

Bug#1102752: bookworm-pu: expat/2.5.0-1+deb12u2
Control: tags -1 + confirmed

On Sat, 2025-04-12 at 16:46 +0200, László Böszörményi (GCS) wrote:
> Expat has three security issues, none of those warrant a DSA. Hence I
> would like to fix those issues with this PU.

As Salvatore noted, the changelog distribution should be "bookworm".
With that updated, please go ahead.

Regards,

Adam

Bug#1102752: bookworm-pu: expat/2.5.0-1+deb12u2
Hi László

On Sat, Apr 12, 2025 at 04:46:52PM +0200, László Böszörményi (GCS) wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: [email protected]
> Usertags: pu
> Control: affects -1 + src:expat
>
> Hi RMs,
>
> [ Reason ]
> Expat has three security issues, none of those warrant a DSA. Hence I
> would like to fix those issues with this PU.
>
> [ Impact ]
> At first, the CVE-2024-50602 fix had a regression which hit one part
> of the self-testing of libxml-parser-perl package. Then it was fixed
> upstream and checked to be working on Bookworm as well.
>
> [ Tests ]
> Installed it on my main machine. Then using browsers, LibreOffice and
> other stuff depending on expat without any problems.
>
> [ Risks ]
> I do not see risks, using it on my machine without problems. The fixes
> were done by RedHat and they are already using those on their
> distribution.
>
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in bookworm
>   [x] the issue is verified as fixed in unstable
>
> Thanks for considering,
> Laszlo/GCS

Thanks a lot for preparing the update for the point release, agreed
that they are no-dsa.

You need to change the target distribution to bookworm in the
debian/changelog.

Regards,
Salvatore

