Heya,

Not the maintainer either, just joining the fun to see if I can help get stuff to move; my main motivation behind this is trying to get the puppetdb → pantomime-clojure → tika dependency chain in a suitable state for buster (other *-clojure packages need fixing, but FTBFSes have patches/MRs now, and uploads should be happening soon enough; but there's still comidi-clojure's #889125 to keep me busy anyway…)

Salvatore Bonaccorso <car...@debian.org> (2018-01-18):
> The issue is claimed to be fixed in upstream 1.13 (and as Moritz
> pointed out a test was added. Comparing commits between 1.12 and 1.13
> I was unable to isolate the relevant commit(s), but there are some
> touching the code for "OOXML files and XMP in PDF and other file
> formats".

Right, I haven't been able to pinpoint the exact changes, but those could be “hidden” in things like pdfbox version bumps, etc.

Even if a specific fix for 1.5 would be identified, it seems hard to get it to build; I've tried that just to see what was feasible, and it doesn't look good anyway:
  https://bugs.debian.org/850798#12

Not being a Java expert, I've then moved to giving the latest upstream release (1.20) a shot, but there were too many red things, so I've tried to aim at 1.13 “only”, to get this CVE addressed.

My WIP is available there:
  https://salsa.debian.org/kibi/tika
  https://salsa.debian.org/kibi/tika/commits/master

Downloaded and imported 1.13 with uscan, then failed to apply patches, (almost) all of which I've disabled. I've numbered mine 90+ for easy identification.

First failure was missing version for junit dependencies:
| [ERROR] [ERROR] Some problems were encountered while processing the POMs:
| […]
| [ERROR]
| [ERROR] The project org.apache.tika:tika-serialization:1.13 (/home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-serialization/pom.xml) has 1 error
| [ERROR] 'dependencies.dependency.version' for junit:junit:jar is missing. @ org.apache.tika:tika-serialization:[unknown-version], /home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-serialization/pom.xml, line 59, column 17
| [ERROR]
| [ERROR] The project org.apache.tika:tika-batch:1.13 (/home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-batch/pom.xml) has 1 error
| [ERROR] 'dependencies.dependency.version' for junit:junit:jar is missing. @ org.apache.tika:tika-batch:[unknown-version], /home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-batch/pom.xml, line 85, column 17
| [ERROR]
| [ERROR] The project org.apache.tika:tika-translate:1.13 (/home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-translate/pom.xml) has 1 error
| [ERROR] 'dependencies.dependency.version' for junit:junit:jar is missing. @ org.apache.tika:tika-translate:[unknown-version], /home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-translate/pom.xml, line 66, column 17
| [ERROR]
| [ERROR] The project org.apache.tika:tika-langdetect:1.13 (/home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-langdetect/pom.xml) has 1 error
| [ERROR] 'dependencies.dependency.version' for junit:junit:jar is missing. @ org.apache.tika:tika-langdetect:[unknown-version], /home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-langdetect/pom.xml, line 64, column 17
| [ERROR]
| [ERROR] The project org.apache.tika:tika-example:1.13 (/home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-example/pom.xml) has 1 error
| [ERROR] 'dependencies.dependency.version' for junit:junit:jar is missing. @ org.apache.tika:tika-example:[unknown-version], /home/kibi/hack/bsp/puppetdb-builds/tika.git/tika-example/pom.xml, line 114, column 17

Hence debian/patches/90-add-junit-version.patch

Next failure:
| [ERROR] Error resolving version for plugin 'org.apache.maven.plugins:maven-javadoc-plugin' from the repositories [local (/home/kibi/hack/bsp/puppetdb-builds/tika.git/debian/maven-repo), central (https://repo.maven.apache.org/maven2)]: Plugin not found in any plugin repository -> [Help 1]

so I've added libmaven-javadoc-plugin-java to B-D-I.

Next failure, an unknown package:
| [INFO] Reactor Summary for Apache Tika 1.13:
| [INFO]
| [INFO] Apache Tika parent ................................. FAILURE [ 0.011 s]
| [INFO] Apache Tika core ................................... SKIPPED
| [INFO] Apache Tika parsers ................................ SKIPPED
| [INFO] Apache Tika XMP .................................... SKIPPED
| [INFO] Apache Tika serialization .......................... SKIPPED
| [INFO] Apache Tika batch .................................. SKIPPED
| [INFO] Apache Tika language detection ..................... SKIPPED
| [INFO] Apache Tika translate .............................. SKIPPED
| [INFO] Apache Tika examples ............................... SKIPPED
| [INFO] Apache Tika Java-7 Components ...................... SKIPPED
| [INFO] Apache Tika ........................................ SKIPPED
| [INFO] ------------------------------------------------------------------------
| [INFO] BUILD FAILURE
| [INFO] ------------------------------------------------------------------------
| [INFO] Total time: 1.033 s
| [INFO] Finished at: 2018-12-30T23:56:45Z
| [INFO] ------------------------------------------------------------------------
| [ERROR] Plugin de.thetaphi:forbiddenapis:2.0 or one of its dependencies could not be resolved: Cannot access central (https://repo.maven.apache.org/maven2) in offline mode and the artifact de.thetaphi:forbiddenapis:jar:2.0 has not been downloaded from it before. -> [Help 1]

so I've patched it out, esp. given we have these comments:
| <!-- The Tika Bundle has no java code of its own, so no need to do -->
| <!-- any forbidden API checking against it (it gets confused...) -->

and it's marked skip=true, which made it like optional enough…

Hence debian/patches/91-drop-forbiddenapis-dependency.patch

Next issue:
| [INFO] Reactor Summary for Apache Tika 1.13:
| [INFO]
| [INFO] Apache Tika parent ................................. SUCCESS [ 0.004 s]
| [INFO] Apache Tika core ................................... SUCCESS [ 4.768 s]
| [INFO] Apache Tika parsers ................................ FAILURE [ 0.007 s]
| [INFO] Apache Tika XMP .................................... SKIPPED
| [INFO] Apache Tika serialization .......................... SKIPPED
| [INFO] Apache Tika batch .................................. SKIPPED
| [INFO] Apache Tika language detection ..................... SKIPPED
| [INFO] Apache Tika translate .............................. SKIPPED
| [INFO] Apache Tika examples ............................... SKIPPED
| [INFO] Apache Tika Java-7 Components ...................... SKIPPED
| [INFO] Apache Tika ........................................ SKIPPED
| [INFO] ------------------------------------------------------------------------
| [INFO] BUILD FAILURE
| [INFO] ------------------------------------------------------------------------
| [INFO] Total time: 5.829 s
| [INFO] Finished at: 2018-12-31T00:01:51Z
| [INFO] ------------------------------------------------------------------------
| [ERROR] Error resolving version for plugin 'org.codehaus.gmaven:groovy-maven-plugin' from the repositories [local (/home/kibi/hack/bsp/puppetdb-builds/tika.git/debian/maven-repo), central (https://repo.maven.apache.org/maven2)]: Plugin not found in any plugin repository -> [Help 1]

so I've patched it out, as it appears in a profile with the “testSetup” id, which I thought might not be entirely needed.

Hence debian/patches/92-drop-groovy-maven-plugin-dependency.patch

Next issue:
| [INFO] Reactor Summary for Apache Tika 1.13:
| [INFO]
| [INFO] Apache Tika parent ................................. SUCCESS [ 0.002 s]
| [INFO] Apache Tika core ................................... SUCCESS [ 4.163 s]
| [INFO] Apache Tika parsers ................................ FAILURE [ 0.127 s]
| [INFO] Apache Tika XMP .................................... SKIPPED
| [INFO] Apache Tika serialization .......................... SKIPPED
| [INFO] Apache Tika batch .................................. SKIPPED
| [INFO] Apache Tika language detection ..................... SKIPPED
| [INFO] Apache Tika translate .............................. SKIPPED
| [INFO] Apache Tika examples ............................... SKIPPED
| [INFO] Apache Tika Java-7 Components ...................... SKIPPED
| [INFO] Apache Tika ........................................ SKIPPED
| [INFO] ------------------------------------------------------------------------
| [INFO] BUILD FAILURE
| [INFO] ------------------------------------------------------------------------
| [INFO] Total time: 5.366 s
| [INFO] Finished at: 2018-12-31T00:06:02Z
| [INFO] ------------------------------------------------------------------------
| [ERROR] Failed to execute goal on project tika-parsers: Could not resolve dependencies for project org.apache.tika:tika-parsers:jar:1.13: The following artifacts could not be resolved: org.apache.tika:tika-core:jar:tests:debian, org.gagravarr:vorbis-java-tika:jar:debian, com.healthmarketscience.jackcess:jackcess:jar:debian, com.healthmarketscience.jackcess:jackcess-encrypt:jar:debian, net.sourceforge.jmatio:jmatio:jar:debian, org.apache.pdfbox:pdfbox-tools:jar:debian, com.rometools:rome:jar:debian, org.codelibs:jhighlight:jar:debian, com.pff:java-libpst:jar:debian, com.github.junrar:junrar:jar:debian, org.apache.cxf:cxf-rt-rs-client:jar:debian, org.xerial:sqlite-jdbc:jar:debian, org.apache.opennlp:opennlp-tools:jar:debian, org.apache.commons:commons-exec:jar:debian, com.googlecode.json-simple:json-simple:jar:debian, org.json:json:jar:debian, com.google.code.gson:gson:jar:debian, com.github.jai-imageio:jai-imageio-core:jar:debian, edu.ucar:netcdf4:jar:debian, edu.ucar:grib:jar:debian, edu.ucar:cdm:jar:debian, edu.ucar:httpservices:jar:debian, org.apache.commons:commons-csv:jar:debian, org.apache.sis.core:sis-utility:jar:debian, org.apache.sis.storage:sis-netcdf:jar:debian, org.apache.sis.core:sis-metadata:jar:debian, org.opengis:geoapi:jar:debian, org.apache.ctakes:ctakes-core:jar:debian, com.fasterxml.jackson.core:jackson-core:jar:debian: Cannot access central (https://repo.maven.apache.org/maven2) in offline mode and the artifact org.apache.tika:tika-core:jar:tests:debian has not been downloaded from it before. -> [Help 1]

As I've seen other patches marking similar dependencies as optional in tika-parsers/pom.xml, I've tried to mimic that; unfortunately without any changes in the output. Anyway, this is debian/patches/93-mark-parsers-dependencies-as-optional.patch

Some advice on where to go from here would be welcome: does it make sense to try and get the right hammer to get 1.13 in a buildable state? Should one try to package 1.20 instead anyway? Please note I haven't even checked yet what version could work for pantomime-clojure.

(I've cc'ed the Puppet Package Maintainers on this mail for wider reach.)

Cheers,
--
Cyril Brulebois (k...@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant