Bug#600063: libclass-accessor-grouped-perl: Module susceptible to drastic change of semantics in presence of libclass-xsaccessor-perl

gregor herrmann gregoa at debian.org
Sat Oct 16 16:33:39 UTC 2010


On Wed, 13 Oct 2010 12:35:30 +0200, Peter Rabbitson wrote:

> Package: libclass-accessor-grouped-perl
> Version: 0.09003-1
> Severity: important
> Tags: patch
> 
> 
> A bit over a year ago optional support for Class::XSAccessor was introduced
> to generate lightning-fast 'simple'-group accessors. However recently a
> number of oversights became apparent, all of which were fixed in the latest
> version on CPAN 0.09008. The identified and fixed problems are:
> 
> * Any accessors of type 'simple' (arguably the most used ones) that are
> declared as read-only or write-only, will silently turn into read-write ones
> when Class::XSAccessor is present in @INC
> 
> * If Class::XSAccessor is present in @INC set_simple/get_simple methods will
> no longer be invoked, even if the underlying program defines custom versions
> of these methods
> 
> Note that it doesn't matter whether Class::XSAccessor was installed via dpkg
> or if it has been locally cpan'ed - all it takes is for the perl interpreter
> to find it somehow.
> 
> Please consider upgrading the squeeze version, as the current one (0.09003-1)
> is too vulnerable to spooky action at a distance.

Dear release team,

I'd like to ask for your advice on how to handle this issue.

Some facts:
* Peter Rabbitson is the upstream author and knows best the problem
  and fixes :) He has contacted us via IRC and is happy to help in
  any way in solving the problem. - Please CC him on replies.
* testing has 0.09003-1, unstable unfortunately already has
  0.09006-1, and 0.09008 is the new upstream release which contains
  the fixes.
* The diff between 0.09003 and 0.09008 is not exactly minimal:
  http://search.cpan.org/diff?from=Class-Accessor-Grouped-0.09003&to=Class-Accessor-Grouped-0.09008
  (although the only relevant changes are in lib/Class/Accessor/Grouped.pm,
  the rest is build system (inc/Module/), docs, tests, ...)

The options I see now are:
- Upload 0.09008 to unstable and unblock it; but I guess that doesn't
  conform to the current freeze policy due to the size of the diff.
- Create a patch against 0.09003 that contains only the necessary
  changes (lib/Class/Accessor/Grouped.pm and the test cases?), and
  upload to t-p-u.
- (Create a patch against 0.09006 and upload via unstable.)

Peter has offered to backport the changes and create an
as-minimal-as-possible patch against 0.09003 (or 0.09006), with or
without test cases, but we'd like to clarify the way to proceed
before wasting time :)

Thanks in advance,
gregor

-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    NP: Phil Collins: Inside Out
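
Added example, not part of the original message or of the Class::Accessor::Grouped distribution: a Perl probe for the two behaviours listed in the quoted report, to run on a host and see whether the installed module combination keeps read-only/write-only 'simple' accessors restricted and still calls a custom get_simple. The class My::Probe, its field names and the helper custom_get_calls are hypothetical; the probe assumes the documented behaviour that restricted accessors throw on misuse.

```perl
#!/usr/bin/perl
use strict;
use warnings;

package My::Probe;    # hypothetical class, used only by this probe
use base 'Class::Accessor::Grouped';

__PACKAGE__->mk_group_ro_accessors(simple => 'ro_field');
__PACKAGE__->mk_group_wo_accessors(simple => 'wo_field');
__PACKAGE__->mk_group_accessors(simple => 'rw_field');

# Custom getter: every read of a 'simple' accessor should pass through here.
my $custom_get_calls = 0;
sub get_simple {
    my $self = shift;
    $custom_get_calls++;
    return $self->SUPER::get_simple(@_);
}
sub custom_get_calls { return $custom_get_calls }

package main;

# Constructed sample object; the values are arbitrary.
my $obj = bless { ro_field => 'original', wo_field => 'hidden', rw_field => 'x' },
    'My::Probe';
my @problems;

# Read-only accessor: documented to throw when passed a value (assumption above).
eval { $obj->ro_field('changed'); 1 }
    and push @problems, 'read-only accessor accepted a write';
push @problems, 'read-only field value was modified'
    if $obj->{ro_field} ne 'original';

# Write-only accessor: documented to throw when called without a value.
eval { my $v = $obj->wo_field; 1 }
    and push @problems, 'write-only accessor allowed a read';

# Custom get_simple must be invoked when a 'simple' accessor is read.
my $before = My::Probe->custom_get_calls;
my $value  = $obj->rw_field;
push @problems, 'custom get_simple was bypassed'
    if My::Probe->custom_get_calls == $before;

# Report what the interpreter actually loaded, without loading anything extra.
printf "Class::Accessor::Grouped %s, Class::XSAccessor %s\n",
    Class::Accessor::Grouped->VERSION,
    $INC{'Class/XSAccessor.pm'} ? 'loaded' : 'not loaded';
print "PROBLEM: $_\n" for @problems;
print "OK: accessor restrictions hold\n" unless @problems;
exit(@problems ? 1 : 0);
```

Because the report says the result depends on what the interpreter finds in @INC, run the probe with the same perl binary and library paths as the application being checked.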