Hi Andy,
On 09/01/2025 09:29, Andy Allan wrote:
> Hi All,
>
> Yesterday I ran into a bug, and it got me wondering about the Debian
> policy on patch-level releases for ruby.
>
> We're using Bookworm, so the ruby3.1 package is currently 3.1.2-7+deb12u1
> https://packages.debian.org/bookworm/ruby3.1
>
> The bug that I ran into was fixed in ruby 3.1.3, namely:
> https://bugs.ruby-lang.org/issues/18673
>
> Ruby 3.1.3 was released in November 2022, so I was surprised that the
> bugfix wasn't included in the Debian ruby3.1 package yet.
>
> So I'm wondering, what's the general policy for handling ruby patch
> releases in Debian? Is it a case of, we would like to be shipping all
> patch releases (3.1.6 is the latest for 3.1) but we haven't done it
> yet? Or is 3.1.2 set in stone for bookworm? Or are some patches (e.g.
> CVEs) backported to 3.1.2 but other patches aren't? Or something else?
>
> I've had a good dig around for any guidance or policy on this topic,
> without any success so far. Before I go any further I thought I should
> ask here first.

Thanks for reaching out to us. In general, we do not update the version
of packages in stable releases (in this case bookworm), even if there
are patch releases advertising bug fixes only. In a stable release, we
do have the security support (fixing relevant CVEs) but we can also fix
important bugs affecting users when the fix is not too disruptive (those
are included in the Debian stable point releases).

I took a look at the upstream fix for this bug and it is a one-liner
(plus some tests):
https://github.com/ruby/ruby/pull/5761/files

I believe we can try to follow up on this and fix it in bookworm. Could
you please file a bug asking to fix this?

Let me know if you have any questions.

--
Lucas Kanashiro