Bug#695224: Locale::Maketext versioning in perl package

Niko Tyni ntyni at debian.org
Tue Apr 2 19:15:56 UTC 2013


On Sun, Mar 31, 2013 at 05:46:12PM +0100, Dominic Hargreaves wrote:
 
> There is a problem with the perl package, as discussed in 
> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224#55>
> onwards, whereby the application of the security fix in that ticket
> now causes double-escaping problems where people work around the problem
> by escaping themselves, when they detect an earlier Locale::Maketext
> by version number.
> 
> I am slightly wary about importing the new (1.23) version of
> Locale::Maketext as I mentioned in that bug already, but my fears may
> be unfounded. Could you comment about whether you would accept such
> a change in wheezy at this time? (I can't really decide whether it's
> RC or not).

FWIW, it looks clear to me that the only functional changes in the patch
are the $VERSION increments in the .pm files. The rest is documentation
and test cases, and the only important $VERSION is most probably
the main one in Locale/Maketext.pm.

While that change itself is trivial, it has action-at-distance effects -
otherwise this wouldn't be an issue at all. I think the risk potential
is mostly in breaking something that's trusting Module::CoreList
(dh-make-perl and lintian come to mind, CPAN.pm and CPANPLUS.pm might
be affected somehow too?), and that it's not a very big risk but still
a real one.

Thinking about the necessity of this: Paul is IMO right that security
fixes and other backported stuff usually don't change functionality
API-wise, and I'm generally sympathetic to the idea of incrementing
$VERSION when they do. Unfortunately that's hard to do in the general case
(as the versioning scheme doesn't really support downstream branching.)

In this specific case, upgrading Locale::Maketext fully to 1.23 in wheezy
would probably have been the "right" thing to do if we had anticipated
these issues. But we didn't, and it seems very late in the release
process to do it now. Also, I can't really see us applying anything but
the targeted fix for squeeze.

I see Fedora/RedHat also upgraded their Locale::Maketext modules without
incrementing $VERSION (I checked the patches in RHEL 6 / Perl 5.10.1 and
Fedora Core 16 & 17 / Perl 5.14.3). So it looks like even if we do try
to fix this for wheezy, applications still have to check for features
rather than versions to stay on the safe side.
-- 
Niko Tyni   ntyni at debian.org
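Added illustration of the closing point (not code from this thread, from Debian, or from Locale::Maketext itself): a version check versus a feature probe for the bracket-notation fix. The package names My::L10N / My::L10N::en and the method probe_method are made up for the example. The probe relies on one assumption, taken from the CVE description rather than from this thread: the fixed _compile refuses a fully qualified method name (one containing ::) in bracket notation, while the unfixed one calls it. If the backport you are dealing with changes different behaviour, probe that instead; the structure stays the same.

```perl
#!/usr/bin/perl
# Example only: not code from the thread, Debian, or Locale::Maketext.
use strict;
use warnings;
use Locale::Maketext;

# Minimal lexicon class hierarchy (names are assumptions for the example).
# _AUTO => 1 makes maketext() use an unknown key as its own template, so
# the probe needs no real translations.
package My::L10N;
our @ISA = ('Locale::Maketext');
sub probe_method { return 'PROBE-CALLED' }   # target of the probe below

package My::L10N::en;
our @ISA = ('My::L10N');
our %Lexicon = ( _AUTO => 1 );

package main;

# Version check: what the thread says applications do. It is wrong on a
# distro that backported the fix without bumping $VERSION: the module
# reports the old number, the application escapes on its own, and the
# fixed module escapes again on top of that.
sub fix_present_by_version {
    return eval { Locale::Maketext->VERSION(1.23); 1 } ? 1 : 0;
}

# Feature check: ask the installed module what it actually does with the
# construct the fix is meant to refuse. Assumption (from the CVE text, not
# from the thread): the fixed _compile dies on [My::L10N::probe_method],
# the unfixed one calls the method. Computed once and cached.
{
    my $cached;
    sub fix_present_by_feature {
        return $cached if defined $cached;
        my $lh = My::L10N->get_handle('en')
            or die "cannot get a My::L10N handle";
        my $out = eval { $lh->maketext('[My::L10N::probe_method]') };
        # unfixed: the method ran and its return value came back
        # fixed:   maketext() died while compiling the bracket notation
        $cached = (defined $out && $out eq 'PROBE-CALLED') ? 0 : 1;
        return $cached;
    }
}

printf "Locale::Maketext \$VERSION: %s\n", Locale::Maketext->VERSION;
printf "fix present according to version check: %d\n", fix_present_by_version();
printf "fix present according to feature check: %d\n", fix_present_by_feature();

# Only the feature check should decide whether the application applies
# its own escaping; the two answers disagree exactly in the backported-fix
# case this thread is about.
```

Run it against a stock 1.22 and against a distro perl carrying the backported fix: the version check gives 0 on both, the feature check gives 0 only on the genuinely unfixed module. Keep the probe template out of any path that reaches real lexicon data; its only purpose is to be compiled once at startup.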