Bug#695224: Locale::Maketext versioning in perl package
Niels Thykier
niels at thykier.net
Sun Apr 7 12:12:46 UTC 2013
On 2013-04-02 21:15, Niko Tyni wrote:
> On Sun, Mar 31, 2013 at 05:46:12PM +0100, Dominic Hargreaves wrote:
>
>> There is a problem with the perl package, as discussed in
>> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224#55>
>> onwards, whereby the application of the security fix in that ticket
>> now causes double-escaping problems where people work around the problem
>> by escaping themselves, when they detect an earlier Locale::Maketext
>> by version number.
>>
>> I am slightly wary about importing the new (1.23) version of
>> Locale::Maketext as I mentioned in that bug already, but my fears may
>> be unfounded. Could you comment about whether you would accept such
>> a change in wheezy at this time? (I can't really decide whether it's
>> RC or not).
>
> FWIW, it looks clear to me that the only functional changes in the patch
> are the $VERSION increments in the .pm files. The rest is documentation
> and test cases, and the only important $VERSION is most probably
> the main one in Locale/Maketext.pm.
>
Indeed.
> While that change itself is trivial, it has action-at-distance effects -
> otherwise this wouldn't be an issue at all. I think the risk potential
> is mostly in breaking something that's trusting Module::CoreList
> (dh-make-perl and lintian come to mind, CPAN.pm and CPANPLUS.pm might
> be affected somehow too?), and that it's not a very big risk but still
> a real one.
>
Lintian uses a precomputed static list. It would at worst lead to
"false-negatives" for "package-superseded-by-perl" (i.e. no tag when one
should have been there).
I suspect dh-make-perl will have a similar case with using the "cpan"
variant instead of the "core" variant in dependencies (though I only
gave it a quick scan).
I would suspect that any application code using Module::CoreList would
still have to account for the "cpan" version being present?
> [...]
>
> In this specific case, upgrading Locale::Maketext fully to 1.23 in wheezy
> would probably have been the "right" thing to do if we had anticipated
> these issues. But we didn't, and it seems very late in the release
> process to do it now. Also, I can't really see us applying anything but
> the targeted fix for squeeze.
>
I am tempted to take this fix for Wheezy and be done with it. Can (one
of) you please check up on CPAN.pm/CPANPLUS.pm?
> I see Fedora/RedHat also upgraded their Locale::Maketext modules without
> incrementing $VERSION (I checked the patches in RHEL 6 / Perl 5.10.1 and
> Fedora Core 16 & 17 / Perl 5.14.3). So it looks like even if we do try
> to fix this for wheezy, applications still have to check for features
> rather than versions to stay on the safe side.
>
Okay, sounds like it will be fine with leaving Squeeze as is then.
~Niels