[DRE-maint] Bug#629067: libactionpack-ruby: libactionpack update breaks redmine

Ondřej Surý ondrej at debian.org
Mon Sep 5 15:05:32 UTC 2011


Hmm,

you're right, the reassignment was wrong. I missed that when I was reassigning
the bugs to new packages.

I thought I already sent that to redmine maintainer and the result was that it's
the redmine which needs the update.

On Thu, Jun 9, 2011 at 11:10, Jérémy Lal <kapouer at melix.org> wrote:
> On 09/06/2011 10:18, Ondřej Surý wrote:
>> Hi Jérémy,
>>
>> since my ruby is not very good, the question is if we want to release
>> update for redmine or is there a simple way how to fix the API inside
>> the rails?
>
> the bug report might be misleading: html_safe may have been unavailable
> even before the security update. I remember I had an issue with this at some point.
> I noticed 2.3.5-1.2+squeeze0.1 is not in the git repository, could you fix that?
>
> Jérémy.

and from previous rails maintainer:

On Sat, Jun 11, 2011 at 04:01, Adam Majer <adamm at zombino.com> wrote:
> On Wed, Jun 08, 2011 at 05:02:52PM +0200, Scharon, Daniel wrote:
>> This bug is caused by a regression within rails, which was introduced in
>> the upgrade from 2.3.5-1.2 to 2.3.5-1.2+squeeze0.1
>>
>> See #629067 for the bug report on rails, which is containing a
>> workaround.
>
> I think the proper fix is to remove reference to nonexistent html_safe
> method which doesn't exist in 2.3.5 rails. OpenSUSE has correct fix.
>
> - Adam

Adam, could you please elaborate on this? Do you mean the correct fix for rails
or for redmine?

O.

On Mon, Sep 5, 2011 at 16:34, Faidon Liambotis <paravoid at debian.org> wrote:
> reassign 629067 libactionpack-ruby
> found 629067 rails/2.3.5-1.2+squeeze0.1
> severity 629067 grave
> thanks
>
> On Fri, Jun 03, 2011 at 12:26:27PM +0200, Vincent-Xavier JUMEL wrote:
>> Package: libactionpack-ruby
>> Version: 2.3.5-1.2+squeeze0.1
>> Severity: normal
>>
>> libactionpack update breaks redmine user view if hide_mail is not enabled.
>> Redmine renderer fails on an inexistent html_safe method
>>
>> Workaround : change user preference to hidden mail
>> psql> update user_preference set hide_mail = 't' where hide_mail = 'f' ;
>
> This was reassigned to ruby-actionpack-2.3 (present only in wheezy+) but
> it's not really obvious why — no explanative mail was sent to the BTS
> and the bug report remains unanswered.
>
> If it affects another package in wheezy, then it should probably be
> cloned/reassigned instead.
>
> I'm reassigning it back and changing this severity: this was a security
> update that broke an unrelated package (redmine) *in stable*. This is
> /not/ acceptable according to the security team's guidelines.
>
> You could say that either the fix should be adapted or that the call
> sites (redmine) should be fixed. I'd vote for the first, though, since
> we can't really know what else has been broken by this change (in the
> archive, let alone user-installed applications...)
>
> In any case, I'm adding redmine maintainers & the security team to the
> Cc in case they have something useful to add.
>
> Regards,
> Faidon
>



-- 
Ondřej Surý <ondrej at sury.org>
http://blog.rfc1925.org/




