On Wed, May 29, 2019, at 5:28 PM, Thomas Goirand wrote:
>
> Dear Debian release team,
>
> Please note that, even though I was the person who updated SQLAlchemy to
> apply the upstream CVE fix, I am not the official maintainer of the
> package, and that this is probably up to Piotr to do the work. I'm
> happily replying though. :)
>
> I'm CC-ing Piotr and Mike Bayer (upstream for SQLAlchemy).
>
> On 5/28/19 8:59 PM, Paul Gevers wrote:
> > Control: tags -1 moreinfo confirmed
> >
> > Hi Zigo,
> >
> > On Tue, 21 May 2019 17:50:28 +0200 Thomas Goirand <z...@debian.org> wrote:
> >> Note that it may (or not) break some reverse dependencies, though according
> >> to upstream, OpenStack (the biggest SQLAlchemy consumer in Debian) behaves
> >> correctly with it. If this happens, then these reverse dependencies will
> >> have to be fixed.
> >
> > Do you already have indications that this may be the case?
>
> For all things OpenStack, I'm pretty sure that everything is ok, because
> the upstream author of SQLAlchemy has been hired by Red Hat to make sure
> OpenStack uses SQLAlchemy the proper way.
>
> For other dependencies, it's harder to know.
>
> > Have you
> > already warned the reverse dependencies to check? I would appreciate it
> > if you do such that we can also have those fixed reverse dependencies in
> > buster.
> >
> > Paul
>
> Here's the list of reverse dependencies for python3-sqlalchemy:
>
> * buildbot
> * changeme
> * db2twitter
> * dms-core [amd64 arm64 armel armhf i386 mips mips64el mipsel ppc64el s390x]
> * mailman3
> * openlp
> * python3-agatesql
> * python3-geoalchemy2
> * python3-osmalchemy
> * python3-pybel
> * python3-sadisplay
> * python3-sqlsoup
> * retweet
> * sqlacodegen
> * yokadi
>
> Here are those for python-sqlalchemy:
>
> * archipel-core
> * bauble
> * blogofile-converters
> * childsplay
> * epigrass [amd64 arm64 armel armhf i386 kfreebsd-amd64 mips mips64el
>   mipsel ppc64el s390x]
> * gnukhata-core
> * gourmet
> * griffith
> * kamcli
> * pegasus-wms
> * pycsw-wsgi
> * python-elixir
> * python-pywps
> * python-sprox
> * python-sqlkit
> * python-sqlsoup
> * python-zope.sqlalchemy
> * pytrainer
> * vistrails
> * yhsm-yubikey-ksm
>
> I removed all-things-openstack and libraries which are very unlikely to
> have issues, such as sqlalchemy-utils and others.
>
> I don't know any of the above packages. It would be hard to tell who's
> affected by a related problem, though the misuse of SQLAlchemy
> (because that's really what we're talking about here... a misuse that
> should have been considered a bug to begin with, even without the
> applied patch to SQLAlchemy) is quite rare.
>
> I very much think it's safer to just allow SQLAlchemy to migrate right
> now, to fix the potential SQL insertion vulnerability, rather than
> waiting for any (potential, but likely rare) issue in the above reverse
> dependencies.
>
> I do think a gentle ping to the maintainers of the above packages would
> be nice, but probably mass-filing of bugs isn't needed. How can I
> easily gather the list of maintainers? Is there a script somewhere to do
> this, or should I write it myself (which shouldn't be hard with some
> apt-cache show in a loop...)?
>
> Piotr, Mike, is what I wrote above accurate?

I can confirm Openstack is likely OK, most packages are likely OK, and if a package is not OK, it's a trivial fix for them.
>
> Cheers,
>
> Thomas Goirand (zigo)
>
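The "apt-cache show in a loop" that Thomas asks about, written out as an added example; it is not part of this thread and not a Debian tool. It assumes a Debian host with apt-cache and a current package index, and it assumes the layout of `apt-cache rdepends` output (two header lines, then one indented package per line, with alternatives prefixed by `|`). The sample records at the bottom are constructed so the Maintainer: parser can be exercised where apt-cache is unavailable.

```shell
#!/bin/sh
# Added example (not from the thread): gather the maintainers of a package's
# reverse dependencies with apt-cache. Assumes a Debian host with apt-cache
# and an up-to-date index; the "apt-cache rdepends" output layout (two header
# lines, then one indented package per line, alternatives prefixed with "|")
# is an assumption about apt's format.

# Read one or more "apt-cache show" records on stdin and print the
# Maintainer: field of the first record only (apt-cache show prints one
# record per available version, newest first).
maintainer_from_record() {
    awk '/^Maintainer:/ { sub(/^Maintainer:[ \t]*/, ""); print; exit }'
}

# Enumerate the reverse dependencies of $1 and print "package<TAB>maintainer",
# one line per reverse dependency, sorted and de-duplicated.
list_rdep_maintainers() {
    pkg="$1"
    apt-cache rdepends "$pkg" \
        | awk 'NR > 2 { sub(/^[ \t|]+/, ""); if ($0 != "") print }' \
        | sort -u \
        | while read -r rdep; do
            m=$(apt-cache show "$rdep" 2>/dev/null | maintainer_from_record)
            printf '%s\t%s\n' "$rdep" "${m:-<no record>}"
        done
}

# Reduce the per-package listing to the distinct maintainer addresses,
# which is the list one would actually ping.
distinct_maintainers() {
    list_rdep_maintainers "$1" | cut -f 2- | sort -u
}

# Constructed sample shaped like "apt-cache show" output (two versions of
# one package), used to exercise the parser offline.
SAMPLE_RECORDS='Package: example-pkg
Version: 1.0-2
Maintainer: Example Maintainer <maintainer@example.org>
Description: constructed sample record

Package: example-pkg
Version: 1.0-1
Maintainer: Previous Maintainer <old@example.org>
Description: older version of the same constructed record
'

# Parse the constructed sample; returns the maintainer of the newest record.
sample_maintainer() {
    printf '%s' "$SAMPLE_RECORDS" | maintainer_from_record
}

# Usage: sh rdep-maintainers.sh python3-sqlalchemy
if [ "$#" -gt 0 ]; then
    distinct_maintainers "$1"
fi
```

Run it once per binary package (python3-sqlalchemy, then python-sqlalchemy) and merge the two outputs; since apt-cache only sees the architectures and suites in the local index, a list produced this way is a starting point for a ping, not an authoritative archive-wide query.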