Bug#768509: [php-maint] Bug#768509: debian-edu-config: After upgrading a Wheezy main-server to Debian 7.7 the Gosa gui fails to connect to LDAP

Ondřej Surý ondrej at sury.org
Tue Nov 18 16:36:08 UTC 2014


Hi David,

On Tue, Nov 18, 2014, at 03:28, David Prévot wrote:
> [ Adding php maintainers, security team and release team to the loop. ]
> 
> Hi,
> 
> Le 09/11/2014 17:45, Wolfgang Schweer a écrit :
> 
> [ About a severe issue that recently popped up. ]
> 
> > Seems to be that the update from php version 5.4.4 to 5.4.34 (new 
> > upstream release) caused the problem.
> 
> I can confirm being hit by this issue, and downgrading from 5.4.34
> recently introduced by DSA 3064-1 to 5.4.4 still in stable allowed me to
> work around this problem (thanks by the way for the various
> investigations and workarounds provided in this bug report).

I am sorry that this has caused you trouble. The update was carefully
prepared and tested on real-life production sites before we pushed
this update to security-master.

> That makes me wonder: even though we’ve been warned in the DSA that the
> new version “includes additional bug fixes, new features and possibly
> incompatible changes.”, simply “refer[ring] to the upstream
> changelog for more information” sounds a bit like closing one's eyes in the
> hope nothing will break.

Similar breakages of niche configurations (mainly odbc and sybase) have
happened in the past when backporting security patches. We hope that
incrementally this will get better, since the next updates won't be that
big.

> Maybe this upgrade will allow us to spot and fix a severe issue in gosa
> this time, but changing the way to handle (security) updates during the
> lifetime of a stable release may not be the best way to keep it stable.
> 
> I do understand that safely backporting (security) patches may be hard
> sometimes, but that’s part of what (used to) make the quality and
> robustness reputation of Debian, and it would be nice to use such
> upgrades to new (minor) versions only as a last resort. Potentially
> breaking user scripts on security updates is bad, but risking breaking
> packages distributed in stable sounds even worse.

If you check the changelog of stable releases of php5 you will find
something like 137 individual fixes:

$ git log --format=oneline  debian/5.4.4-14..debian/5.4.4-14+deb7u14  |
grep -Ev " (prepare|php5) " | wc -l
137

Most of those are just crash fixes.

Upgrading to the last minor version is not a last resort, but a way to
keep our PHP team's (and my own) sanity (although that has improved much
since upstream switched from svn to git).

Cheers,
-- 
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server