Hi,

On 19/06/2020 20:18, Utkarsh Gupta wrote:
> On Fri, Jun 19, 2020 at 11:28 PM Sylvain Beucler <b...@beuc.net> wrote:
>> Here's the prepared stretch update:
>> https://www.beuc.net/tmp/debian-lts/rails/
>> https://www.beuc.net/tmp/debian-lts/rails/debdiff.txt
>>
>> Testing was documented at:
>> https://wiki.debian.org/LTS/TestSuites/rails
>> It includes running the DEP-8 tests (which deploys a full app) and
>> running the full upstream testsuite. Test cases for the 2 CVEs were
>> backported.
>
> Neat!
>
>>> So assuming you are interested in preparing the stretch-security one,
>>> would you as well work on the buster-security one? (it has different
>>> set of open CVEs to be addressed).
>>
>> The buster version is different and introduces 3 new vulnerabilities,
>> which strays a bit too far off my current work on rails. I believe the
>> package maintainers (possibly Utkarsh) would be in better position to
>> prepare the buster update.
>> If the rails maintainers are not available though I can step in.
>
> Honestly, I wouldn't have time and I have a lot of other CVE(s) to take care
> of.
> I generally prepare security uploads for all suites but at this point, I have
> ruby, ruby-kaminari, apache2, and sympa to take care of.
>
> And then I am also doing GSoC with Debian, so I would have even less time :/
>
> It'd be great if you can help here this time? <3

Hmm, are you the only active maintainer for rails?

(incidentally, if you're full-time GSoC for the next 3 months, make sure
you set your LTS/ELTS availability accordingly)

>>> Anyway, this was the patch that fixed the regression:
>>> https://salsa.debian.org/ruby-team/rails/-/commit/fe3206768ed30b8eb6a83e74fc813e616d7d0db3
>>
>> As far as I understand, you experienced a regression but it isn't
>> related to the current CVEs, is it?
>
> It was likely for it to be unrelated. But I found it weird that there were
> no regressions in the previous uploads but this security update broke stuff :/

Which security update broke what, exactly?

>> Is there a depending library/app that you would recommend testing with?
>
> I think to check with a couple of ruby-rails-assets-* and ruby-jquery-*
> packages
> in this particular scenario would be good enough.
> In general, they all break together, so even if two or three of them
> build fine, then it's all good! :)

OK.

Cheers!
Sylvain