Control: tags -1 + moreinfo

On 2021-04-15 20:13:34 -0300, Antonio Terceiro wrote:
> On Sun, 11 Apr 2021 03:04:42 +0530 Utkarsh Gupta <utka...@debian.org> wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian....@packages.debian.org
> > Usertags: unblock
> > X-Debbugs-Cc: debian-r...@lists.debian.org
> >
> > Hello,
> >
> > Upstream has recently released a bug-fix only release after a
> > vulnerability, CVE-2021-28965, was discovered.
> >
> > Upstream release note:
> > https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-7-3-released/
> > Upstream git logs b/w 2.7.2 and 2.7.3:
> > https://github.com/ruby/ruby/compare/v2_7_2...v2_7_3
> >
> > This is clearly a bug-fix only release and it'd be *really great* to
> > have this included in Bullseye. (I'd be sad not to but..) I understand
> > it's your call to make after analyzing so attaching the debdiff for
> > your reference and help (snipping ChangeLog entries for noise
> > reduction).
> >
> > Hopefully, it'd be OK to get this included and have an even nicer
> > ruby2.7 for Bullseye. Thanks.
> > 99 files changed, 39552 insertions(+), 23134 deletions(-)
>
> The debian diff looks very big because of 3 generated files: ChangeLog,
> parse.c, and ext/ripper/ripper.c (the last two being bison/yacc
> generated parsers). If you filter those out, the result is a lot more
> palatable:
>
> 96 files changed, 3761 insertions(+), 886 deletions(-)
>
> Roughly 1/3 of the insertions are test cases:
>
> 32 files changed, 1150 insertions(+), 97 deletions(-)
Since the initial bug report didn't reach the list due to the size of the
diff, could you or Utkarsh please prepare a filtered debdiff including
the changes to debian/? This would make it easier for us to reach a
decision. Thanks

Cheers

>
> I have reviewed the upstream patches and compared the upstream diff with
> the debian diff, and indeed all the changes are bug fixes.
>
> There was one marked as a "Feature" in the commit message, but it was
> really a follow-up to fix an inconsistency in a feature that has been
> added in the 2.7 series already. It will cause formerly invalid syntax
> to be valid, but won't break any currently working code.
>
> I think the risk with this update is low, and releasing with the latest
> available ruby bugfix release will make it easier to provide stable
> support in bullseye.
>
> Full disclosure: I am trying to get ruby into new hands, but I'm still a
> comaintainer and care a lot about it, so I'm not an uninterested party
> here.

-- 
Sebastian Ramacher
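The review above boils down to one recurring step when a large upstream bug-fix release has to be assessed for a freeze exception: separate the generated files (ChangeLog, the bison/yacc output parse.c and ext/ripper/ripper.c) from the hand-written changes, and separate test additions from the rest, so that the part a reviewer actually has to read is visible. The script below is an added example and is not part of this bug report or of the ruby2.7 packaging; in practice one would reach for filterdiff -x from patchutils, but doing it in awk shows exactly what is being counted. The exclude patterns for "generated" and "test" paths are assumptions, and the diff it runs on is a small constructed sample in debdiff's -Nru style, not the real ruby2.7 debdiff.

```shell
#!/bin/sh
# Added example, not code from the bug report. Classifies a unified diff
# into "generated", "tests" and "other" and prints a diffstat per bucket,
# and strips generated files so the remaining diff can be reviewed.

# Usage: classify_diff [generated-regex] [test-regex] < patch.diff
# Prints one line per bucket: "<bucket> <files> <insertions> <deletions>".
# Both regexes are assumptions chosen for the ruby2.7 case discussed above.
classify_diff() {
    gen_re=${1:-'(^|/)(ChangeLog|parse[.]c|ext/ripper/ripper[.]c)$'}
    test_re=${2:-'(^|/)(test|spec)/'}
    awk -v gen="$gen_re" -v tst="$test_re" '
        # The old-file header carries the only path for a deleted file.
        /^--- / { old = $2; next }
        # The new-file header starts a new file; "/dev/null" means deleted.
        /^\+\+\+ / {
            path = ($2 == "/dev/null") ? old : $2
            sub("^[^/]*/", "", path)        # drop the a/ or pkg-ver/ prefix
            if (path ~ gen)      bucket = "generated"
            else if (path ~ tst) bucket = "tests"
            else                 bucket = "other"
            files[bucket]++
            next
        }
        /^\+/ { ins[bucket]++ }             # added line (headers handled above)
        /^-/  { del[bucket]++ }             # removed line
        END {
            n = split("generated tests other", order, " ")
            for (i = 1; i <= n; i++) {
                b = order[i]
                printf "%s %d %d %d\n", b, files[b]+0, ins[b]+0, del[b]+0
            }
        }
    '
}

# Usage: strip_generated [generated-regex] < patch.diff
# Copies the diff to stdout minus every file whose path matches the regex,
# which is the "filtered debdiff" asked for in the thread.
strip_generated() {
    gen_re=${1:-'(^|/)(ChangeLog|parse[.]c|ext/ripper/ripper[.]c)$'}
    awk -v gen="$gen_re" '
        /^diff / { hdr = $0; next }                 # hold per-file header
        /^--- /  { old = $0; oldpath = $2; next }   # hold old-file header
        /^\+\+\+ / {
            path = ($2 == "/dev/null") ? oldpath : $2
            sub("^[^/]*/", "", path)
            skip = (path ~ gen)
            if (!skip) { if (hdr != "") print hdr; print old; print $0 }
            hdr = ""
            next
        }
        !skip { print }
    '
}

# Constructed sample in debdiff -Nru style (not the real ruby2.7 diff):
# two generated files, one library change, one new test, one deleted test.
sample_diff() {
    cat <<'EOF'
diff -Nru ruby2.7-2.7.2/ChangeLog ruby2.7-2.7.3/ChangeLog
--- ruby2.7-2.7.2/ChangeLog 2020-10-02 00:00:00.000000000 +0000
+++ ruby2.7-2.7.3/ChangeLog 2021-04-05 00:00:00.000000000 +0000
@@ -1,2 +1,4 @@
+Mon Apr  5 2021  generated entry one
+Mon Apr  5 2021  generated entry two
+
 Fri Oct  2 2020  existing entry
-Thu Oct  1 2020  entry dropped by the generator
diff -Nru ruby2.7-2.7.2/ext/ripper/ripper.c ruby2.7-2.7.3/ext/ripper/ripper.c
--- ruby2.7-2.7.2/ext/ripper/ripper.c
+++ ruby2.7-2.7.3/ext/ripper/ripper.c
@@ -10 +10 @@
-#line 10 "ripper.y"
+#line 11 "ripper.y"
diff -Nru ruby2.7-2.7.2/lib/example.rb ruby2.7-2.7.3/lib/example.rb
--- ruby2.7-2.7.2/lib/example.rb
+++ ruby2.7-2.7.3/lib/example.rb
@@ -1,2 +1,3 @@
 def example(x)
-  unchecked(x)
+  check(x)
+  checked(x)
diff -Nru ruby2.7-2.7.2/test/test_example.rb ruby2.7-2.7.3/test/test_example.rb
--- /dev/null
+++ ruby2.7-2.7.3/test/test_example.rb
@@ -0,0 +1,3 @@
+def test_example
+  assert check(1)
+end
diff -Nru ruby2.7-2.7.2/test/old_test.rb ruby2.7-2.7.3/test/old_test.rb
--- ruby2.7-2.7.2/test/old_test.rb
+++ /dev/null
@@ -1 +0,0 @@
-# obsolete
EOF
}

# Stand-alone demonstration: stats before and after stripping generated files.
sample_diff | classify_diff
sample_diff | strip_generated | classify_diff
```

On the sample this reports "generated 2 4 2", "tests 2 3 1" and "other 1 2 1"; after strip_generated only the tests and the library change remain, which is the slice a reviewer would read line by line. On a real debdiff the same two commands give the "generated / tests / everything else" split that the thread arrives at by hand, and the regexes are the only thing to adapt per package.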