[DRE-maint] rails update

Mon Jul 6 08:39:09 BST 2020

Hi,

On 30/06/2020 22:38, Salvatore Bonaccorso wrote:
> On Mon, Jun 29, 2020 at 01:06:49PM +0200, Sylvain Beucler wrote:
>> On 25/06/2020 18:20, Sylvain Beucler wrote:
>>> On 22/06/2020 13:23, Sylvain Beucler wrote:
>>>> On 22/06/2020 11:56, Utkarsh Gupta wrote:
>>>>> On Mon, Jun 22, 2020 at 3:11 PM Sylvain Beucler <beuc at beuc.net> wrote:
>>>>>> Hmm, are you the only active maintainer for rails?
>>>>>
>>>>> There are 3 maintainers. CC'ed rails at p.d.o.
>>>>> However, since you have already worked on preparing the fix for
>>>>> Jessie, it's much easier on your part to do it for Stretch and Buster.
>>>>> But that's volunteer work :)
>>>>>
>>>>> If you don't want to work, don't :)
>>>>
>>>> For rails at d.p.o's info, I explained at:
>>>> https://lists.debian.org/debian-lts/2020/06/msg00063.html
>>>> that I prepared the jessie (4.1.8) and stretch (4.2.7.1) updates at:
>>>> https://www.beuc.net/tmp/debian-lts/rails/
>>>>
>>>> However the buster version (5.2.2.1) is affected by a different set of
>>>> vulnerabilities, is much closer to bullseye (5.2.4.3), and apparently
>>>> the update causes new issues.
>>>>
>>>> That's why I think it'd make more sense for the rails maintainers to
>>>> backport the latest bullseye update.
>>>>
>>>> Let me know what you plan to do.
>>>>
>>>>>> Which security update broke what, exactly?
>>>>>
>>>>> The latest security update from 5.2.4.2 to 5.2.4.3, which contained
>>>>> fixes for CVE-2020-816{2,4,5,6,7}.
>>>>> JavaScript bundle generation for Activestorage didn't work w/o that
>>>>> patch. We had to switch to node-babel7 for that.
>>>>
>>>> I updated
>>>> https://wiki.debian.org/LTS/TestSuites/rails
>>>> accordingly.
>>>>
>>>> The stretch updates passes this new test.
>>>>
>>>> (Though in this particular case it may have just been due to node-babel
>>>> changes in unstable since March, e.g. babel7 is pulled through
>>>> node-regenerator-transform.)
>>>
>>> Status update: jessie and stretch are affected by new important
>>> CVE-2020-8163.
>>> buster and above not affected.
>>> Currently waiting for upstream's feedback on a second regression, then
>>> I'll prepare an update for jessie & stretch.
>>
>> https://www.beuc.net/tmp/debian-lts/rails/ is updated.
>>
>> Upstream showed little care for 4.x and I don't expect further feedback,
>> so I went ahead and backported:
>> https://github.com/rails/rails/commit/d9ff835b99ff3c7567ccde9b1379b4deeabee32f
>> to fix the regression, including tests.
>>
>> Rationale at:
>> https://github.com/rails/rails/issues/39301#issuecomment-648885623
>>
>> Note: redmine/stretch (< 3.4) was not affected by the regression.
> 
> Attaching the debdiff for reference. The changes looks good to me, but
> I defintively would like to see a second pair of eyes here from the
> rails maintainers, in particular for CVE-2020-8163, Utkarsh?
> 
> There is no lost work, but if we want to release a rails update for
> stretch (before it moves to LTS), we should try to get as well a rails
> update beeing prepared for buster, Utkarsh you indicated lack of time
> currently, any one other up from the rails maintainers?

@security team: forwarding praveen's message below
@others: including context for that message above

It seems the perception of what is and isn't supported varies.

On 06/07/2020 09:01, Pirate Praveen wrote:
> Hi,
>
> My main motivation for maintaining rails is for gitlab. Since gitlab is
> not in stable, I don't usually do stable updates of rails (I think
> Utkarsh does it usually). I provide rails updates via buster-backports
> or fasttrack.debian.net. I think redmine is also supported via
> buster-backports only. open-build-system and debci are other rails apps
> and may be their uploaders are interested in buster updates.
>
> Thanks
> Praveen, one of the uploaders of rails.
>
> Note: debian-ruby at l.d.o is a better place to discuss these issues.
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.