I'm adding the release team to the Cc for the 3 bugs that are candidates for jessie-ignore.

On Fri, May 19, 2017 at 10:24:15PM +0200, gregor herrmann wrote:
> On Fri, 19 May 2017 12:53:10 +0200, gregor herrmann wrote:
>
> > > Could you prepare jessie-pu updates for them?
> > I'm starting to look at them right now at the pkg-perl sprint.
>
> Thanks for providing this list!

Thanks a lot for working on them!

Comments on some items:

>...
> > #784845 libdevel-gdb-perl: FTBFS: t/expect.t #8 sometimes fails
>
> This is an occasional test failure, and I'm not convinced that applying the
> change from testing/unstable (disabling one test) actually helps any user in
> stable.
>...

Release team, if appropriate please mark jessie-ignore.

>...
> > #517472 libxml-libxml-perl: Missing versioned dependency on libxml2 -
> > Causes runtime warnings
>
> I think that's not serious for jessie.
> Originally this was an annoying warning (which it probably still is in
> jessie), and we bumped the severity later when packages failed to build
> because of it: #796354 - libimage-info-perl, and #796385 - request-tracker4.
> I just rebuilt libimage-info-perl in a jessie chroot without any problems,
> therefore I'd rather not update libxml-libxml-perl in jessie.
> (Maybe we should lower the severity now? Or tag it stretch+sid)
>...

This shouldn't be a problem in a pure jessie.

It only warns about older versions, so the case it would fix in jessie
would be warnings when using the jessie libxml-libxml-perl with the
wheezy libxml2 (which seems permitted by the dependencies).

The change to libxml-libxml-perl would be small, but if there are no
reported problems during wheezy -> jessie upgrades I agree that this
is not necessary.

Release team, if appropriate please mark jessie-ignore.

>...
> > #830476 libpoe-component-client-http-perl: accesses the internet during
> > build
>
> I think there is no clear consensus that pure DNS queries are really a
> policy violation. As this change wouldn't provide any practical advantage,
> I'd rather ignore it for stable.
>...

Release team, if appropriate please mark jessie-ignore.

>...
> > #849777 shutter: CVE-2016-10081: Insecure use of perl exec()
>
> I'm confused. This should be fixed in 0.92-0.1+deb8u1.
> At least that's what https://tracker.debian.org/news/829114 says.
> Still, https://bugs.debian.org/849777 doesn't know about it?
>...

CVE-2015-0854 != CVE-2016-10081

> Cheers,
> gregor

cu
Adrian

-- 
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed

