[DRE-maint] rails update

Pirate Praveen praveen at onenetbeyond.org
Mon Jul 6 08:55:38 BST 2020



On 2020, July 6 1:09:09 PM IST, Sylvain Beucler <beuc at beuc.net> wrote:
>Hi,
>
>On 30/06/2020 22:38, Salvatore Bonaccorso wrote:
>> On Mon, Jun 29, 2020 at 01:06:49PM +0200, Sylvain Beucler wrote:
>>> On 25/06/2020 18:20, Sylvain Beucler wrote:
>>>> On 22/06/2020 13:23, Sylvain Beucler wrote:
>>>>> On 22/06/2020 11:56, Utkarsh Gupta wrote:
>>>>>> On Mon, Jun 22, 2020 at 3:11 PM Sylvain Beucler <beuc at beuc.net> wrote:
>>>>>>> Hmm, are you the only active maintainer for rails?
>>>>>>
>>>>>> There are 3 maintainers. CC'ed rails at p.d.o.
>>>>>> However, since you have already worked on preparing the fix for
>>>>>> Jessie, it's much easier on your part to do it for Stretch and Buster.
>>>>>> But that's volunteer work :)
>>>>>>
>>>>>> If you don't want to work, don't :)
>>>>>
>>>>> For rails at d.p.o's info, I explained at:
>>>>> https://lists.debian.org/debian-lts/2020/06/msg00063.html
>>>>> that I prepared the jessie (4.1.8) and stretch (4.2.7.1) updates at:
>>>>> https://www.beuc.net/tmp/debian-lts/rails/
>>>>>
>>>>> However the buster version (5.2.2.1) is affected by a different set of
>>>>> vulnerabilities, is much closer to bullseye (5.2.4.3), and apparently
>>>>> the update causes new issues.
>>>>>
>>>>> That's why I think it'd make more sense for the rails maintainers to
>>>>> backport the latest bullseye update.
>>>>>
>>>>> Let me know what you plan to do.
>>>>>
>>>>>>> Which security update broke what, exactly?
>>>>>>
>>>>>> The latest security update from 5.2.4.2 to 5.2.4.3, which contained
>>>>>> fixes for CVE-2020-816{2,4,5,6,7}.
>>>>>> JavaScript bundle generation for Activestorage didn't work w/o that
>>>>>> patch. We had to switch to node-babel7 for that.
>>>>>
>>>>> I updated
>>>>> https://wiki.debian.org/LTS/TestSuites/rails
>>>>> accordingly.
>>>>>
>>>>> The stretch update passes this new test.
>>>>>
>>>>> (Though in this particular case it may have just been due to node-babel
>>>>> changes in unstable since March, e.g. babel7 is pulled through
>>>>> node-regenerator-transform.)
>>>>
>>>> Status update: jessie and stretch are affected by new important
>>>> CVE-2020-8163.
>>>> buster and above not affected.
>>>> Currently waiting for upstream's feedback on a second regression, then
>>>> I'll prepare an update for jessie & stretch.
>>>
>>> https://www.beuc.net/tmp/debian-lts/rails/ is updated.
>>>
>>> Upstream showed little care for 4.x and I don't expect further feedback,
>>> so I went ahead and backported:
>>> https://github.com/rails/rails/commit/d9ff835b99ff3c7567ccde9b1379b4deeabee32f
>>> to fix the regression, including tests.
>>>
>>> Rationale at:
>>> https://github.com/rails/rails/issues/39301#issuecomment-648885623
>>>
>>> Note: redmine/stretch (< 3.4) was not affected by the regression.
>> 
>> Attaching the debdiff for reference. The changes look good to me, but
>> I definitely would like to see a second pair of eyes here from the
>> rails maintainers, in particular for CVE-2020-8163, Utkarsh?
>> 
>> There is no lost work, but if we want to release a rails update for
>> stretch (before it moves to LTS), we should try to get as well a rails
>> update being prepared for buster, Utkarsh you indicated lack of time
>> currently, anyone else up for it from the rails maintainers?
>
>@security team: forwarding praveen's message below
>@others: including context for that message above
>
>It seems the perception of what is and isn't supported varies.

Just like gitlab was removed from stable, rails can also get removed from stable if no one steps up to maintain it. I'm happy with rails in just unstable for my use cases. A package can be supported only when people are willing to support it.

>On 06/07/2020 09:01, Pirate Praveen wrote:
>> Hi,
>>
>> My main motivation for maintaining rails is for gitlab. Since gitlab is
>> not in stable, I don't usually do stable updates of rails (I think
>> Utkarsh does it usually). I provide rails updates via buster-backports
>> or fasttrack.debian.net. I think redmine is also supported via
>> buster-backports only. open-build-system and debci are other rails apps
>> and maybe their uploaders are interested in buster updates.
>>
>> Thanks
>> Praveen, one of the uploaders of rails.
>>
>> Note: debian-ruby at l.d.o is a better place to discuss these issues.
>> --
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.