Bug#695224: Locale::Maketext versioning in perl package

Niko Tyni ntyni at debian.org
Wed Apr 10 18:44:07 UTC 2013


On Sun, Apr 07, 2013 at 02:12:46PM +0200, Niels Thykier wrote:
> > On Sun, Mar 31, 2013 at 05:46:12PM +0100, Dominic Hargreaves wrote:
> >  
> >> There is a problem with the perl package, as discussed in 
> >> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224#55>
> >> onwards, whereby the application of the security fix in that ticket
> >> now causes double-escaping problems where people work around the problem
> >> by escaping themselves, when they detect an earlier Locale::Maketext
> >> by version number.
> >>
> >> I am slightly wary about importing the new (1.23) version of
> >> Locale::Maketext as I mentioned in that bug already, but my fears may
> >> be unfounded. Could you comment about whether you would accept such
> >> a change in wheezy at this time? (I can't really decide whether it's
> >> RC or not).
 
> I would suspect that any application code using Module::CoreList would
> still have to account for the "cpan" version being present?

Yes, I too think that should be expected.

> I am tempted to take this fix for Wheezy and be done with it.  Can (one
> of) you please check up on CPAN.pm/CPANPLUS.pm ?

Sorry for the delay and thanks for looking at this.

I just tested installing Locale-Maketext-Utils-0.36 from CPAN, as it
requires Locale::Maketext 1.22 or greater. I saw no problems with either
cpan or cpanp: with perl/5.14.2-20 from sid/wheezy a newer Locale-Maketext
gets pulled in from CPAN, but with Dominic's patch the system version
satisfies the requirement as expected. That's good enough for me.

So, can we consider the patch pre-approved?

> > I see Fedora/RedHat also upgraded their Locale::Maketext modules without
> > incrementing $VERSION (I checked the patches in RHEL 6 / Perl 5.10.1 and
> > Fedora Core 16 & 17 / Perl 5.14.3). So it looks like even if we do try
> > to fix this for wheezy, applications still have to check for features
> > rather than versions to stay on the safe side.

> Okay, sounds like it will be fine with leaving Squeeze as is then.

Ack on my part.

Thanks again,
-- 
Niko Tyni   ntyni at debian.org



