Control: tags -1 moreinfo

Hi David,

On Mon, Apr 12, 2021 at 04:46:35PM -0400, David Prévot wrote:
> On 02/04/2021 at 16:41, Paul Gevers wrote:
> > On 26-03-2021 20:53, David Prévot wrote:
> > > Please unblock package spip
> >
> > This package does have a bit of a track record for security issues.
>
> Indeed. Since 3.3 will soon be released, the 3.2 branch (as currently in
> testing) should mostly only receive security updates starting from now (and
> as you already pointed out, it probably will rather sooner than later).
> Updating SPIP to 3.2.11 in Bullseye should make our lives less sad during
> the Bullseye lifetime, by allowing us to (hopefully) simply cherry-pick
> further security fixes (rather than backporting them due to changes between
> 3.2.10 and 3.2.11).
>
> > > [ Reason ]
> > > Upstream just released a new minor version to improve PHP 7.4 compat
> > > (latest version already improved PHP 7.3 compat). Since Bullseye ships
> > > with PHP 7.4, including those fixes should avoid future issues (I had
> > > to backport a PHP 7.3 compatibility issue with a buster-security upload
> > > already to fix a serious issue with plugins handling).
> >
> > If I read the upstream CHANGELOG correctly, it seems that this was all
> > put together in a short time (days).
>
> Indeed, they finally realized that compatibility with the current PHP version
> is useful (I’ve tried pushing for a while, but was not very successful).
>
> > Are you aware of any tests in the
> > package (I didn't spot them)? Does upstream have any testing infra?
>
> Nothing I’m aware of, unfortunately. On the other hand, this version was
> released upstream more than two weeks ago and I’m not aware of any
> reported regression.
>
> > I'm seriously doubting if we'd not introduce more issues than we solve here.
>
> I understand your concern, but SPIP 3.2.10, currently in Bullseye, is known
> to not be fully compatible with PHP 7.4, also in Bullseye.
>
> > > [ Impact ]
> > > On top of fixing possible problems, this update avoids filling the
> > > web server error.log due to multiple warnings and deprecation notices.
> >
> > Ack. Are those fixes cherry-pickable?
>
> That’s the main purpose of all the changes from 3.2.10 to 3.2.11 actually.
>
> > > [ Tests ]
> > > I only tested the package manually, but I’m keeping an eye on upstream
> > > issues that may arise about this new release.
> >
> > See above. This doesn't sound great.
>
> I understand, the timing of this release sucks, and I’ll trust the judgment
> of the release team.

Yeah, neither option sounds very good. I'm leaning towards accepting it.

I suggest you upload it to unstable, and we'll leave it there for a while. If
issues show up (either in unstable or upstream), we can reconsider it.

I'm tagging the bug moreinfo for now. Please remove that when the upload has
been in unstable for a while.

Thanks,
Ivo