Hi Adam,

On Sun, Oct 12, 2014 at 04:17:04PM +0100, Adam D. Barratt wrote:
> On Fri, 2014-10-10 at 19:45 +0100, Adam D. Barratt wrote:
> > Yes, this appears to be a security release. However, it also represents
> > several upstream releases worth of development, and the changes come to
> >
> >  186 files changed, 7164 insertions(+), 4533 deletions(-)
> >
> > so I'm not currently particularly keen to hurry the changes through as
> > quickly as we ordinarily might for a security update.
> >
> > Even restricting the changes to lib/* still leaves us with
> >
> >  93 files changed, 3981 insertions(+), 3053 deletions(-)
>
> I was rather hoping that the above message would lead to more of a
> discussion about the request.

Sorry, maybe I misunderstood the purpose and the way of these faster
migration requests.
Actually when I read your mail I gave up on my request. I saw no point
in replying.

> That doesn't appear to have happened so far, so some specific questions:
>
> - what is the real-world impact of the security issue?

It looked worse when I first read about it.
There is an API change to force application writers to be conscious that
they may receive a list when asking for url query parameters.

http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/

Most perl web applications/frameworks either updated their
documentation, changed their code or both (e.g. catalyst, plack).

It can be okay if Mojolicious migrates after a 10 day delay.

> - what is the effect of the changes on libmojolicious-perl's several
> reverse-dependencies? (The upstream changelog mentions that the security
> fix necessitated changing the way that existing methods operate.)

That is a good question. I do not know.
(However, if Mojolicious would migrate earlier the maintainers of the
reverse dependencies would have more time before the freeze to handle
the situation if necessary.)

Regards,
Tamas
--
CSILLAG Tamas (cstamas) - http://cstamas.hu/

Archive: https://lists.debian.org/20141012154946.GT8980@rivendell
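The list-versus-scalar behaviour mentioned in the reply above, as an added example that is not part of the original message and is not Mojolicious code: `param` here is a hypothetical accessor written for illustration, and the query string is constructed sample input (URL decoding is left out for brevity).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed query string: "role" is repeated, so an accessor that returns
# all values hands back three items instead of one.
my $query = 'name=alice&role=user&role=is_admin&role=1';

# Hypothetical accessor: every value of a parameter in list context,
# the first value in scalar context.
sub param {
    my ($qs, $key) = @_;
    my @values;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        push @values, $v if defined $k && $k eq $key;
    }
    return wantarray ? @values : $values[0];
}

# Hazard: a hash constructor evaluates param() in list context, so the
# extra values spill into the following key/value slots and override
# the default set by the application.
my %unsafe = (
    is_admin => 0,
    name     => param($query, 'name'),
    role     => param($query, 'role'),
);

# Mitigation: force scalar context so each parameter yields exactly one value.
my %safe = (
    is_admin => 0,
    name     => scalar param($query, 'name'),
    role     => scalar param($query, 'role'),
);

printf "unsafe: role=%s is_admin=%s\n", $unsafe{role}, $unsafe{is_admin};
printf "safe:   role=%s is_admin=%s\n", $safe{role},   $safe{is_admin};
```

When auditing reverse dependencies for this class of issue, the calls to look at are parameter accessors used directly inside hash constructors or function argument lists.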

