On Mon, Jul 25, 2016 at 06:34:01PM +0200, Emilio Pozuelo Monfort wrote: > On 25/07/16 17:20, Dominic Hargreaves wrote: > > Hello, > > > > As you will see from the below DSA, a class of vulnerabilities in > > perl programs has been announced today. We have fixed the worst parts of > > this in Debian, but ultimately we'd like to (in keeping with upstream's > > intentions for 5.26) remove the current directory from the module search > > path altogether. > > > > At the moment, this would cause around 40 packages to FTBFS (that was > > the number of jessie - it will be a bit different for sid). > > The advisory only mentions about a dozen packages. Is that estimate of ~40 > accurate?
The confusion here is that the recent update did two things; it fixed some known vulnerabilities, and also paved the way for being able to remove '.' from @INC in the future (by allowing perl itself to build, and fixing some of the toolchain - ie debhelper, cdbs, libmodule-build-perl). This brought the number of FTBFS packages with '.' removed down from a few hundred to ~ 40. The remaining 40 need individual uploads to fix. I think most of them should be fairly easy to patch. > > In the near term, changing the default is a matter of uncommenting a line > > in a conffile (and can therefore be easily reverted by the user if needed). > > > > I'd like to upload such a change to sid ASAP (probably just after the > > initial sid upload, due any minute now, migrates to testing). If the > > impact of that measured against sid/stretch is manageable, we'd also like > > to consider making the change by default in a future point release, > > although the number of packages that need updates may still be too large; > > we'd obviously discuss that with you in the normal way via a transition > > bug. > > > > Are you happy for us to introduce such a change in sid later this week, > > and start filing RC bugs about problems in other packages caused by > > the change? > > Are these problems to difficult to change? This should be fine, but if you can > give an approximate list of affected packages that would be appreciated. I think they're mostly pretty easy - eg adding -I. to explicit Makefile.PL invocations in old style rules files, and so on. Here is the list from our jessie testing: kdesrc-build_1.15.1-1 kgb-bot_1.33-2 libalgorithm-dependency-perl_1.110-1 libcache-simple-timedexpiry-perl_0.27-2 libclass-c3-perl_0.26-1 libclass-c3-xs-perl_0.13-2 libclass-default-perl_1.51-2 libconfig-record-perl_1.1.2-1 libdevel-declare-parser-perl_0.17-1 libfile-nfslock-perl_1.24-1 libfile-userconfig-perl_0.06-2 libfilter-eof-perl_0.04-2 libgraph-writer-dsm-perl_0.006-1 libhtml-html5-parser-perl_0.301-1 libimage-info-perl_1.28-1 libintl-perl_1.23-1 liblocal-lib-perl_2.000014-1 liblwp-authen-wsse-perl_0.05-2 libmethod-alias-perl_1.03-1 libmp3-info-perl_1.24-1 libnet-ldap-filterbuilder-perl_1.0004-1 libnet-proxy-perl_0.12-6 libpoe-component-client-ident-perl_1.07-2 libpoe-component-server-simplehttp-perl_2.18-1 libtest-file-perl_1.41-1 libtheschwartz-perl_1.07-1 libvalidate-net-perl_0.6-1 makepp_2.0.98.5-1 munin_2.0.25-1 net-telnet-cisco_1.10-5 ocsinventory-agent_2.0.5-1 ooolib-perl_0.1.9-1 pari_2.7.2-1 pdl_2.007-4 rt-extension-calendar_0.17-1 rt-extension-spawnlinkedticketinqueue_0.06-1 slack_0.15.2-6 spamassassin_3.4.0-6 xemacs21-packages_2009.02.17.dfsg.2-2 xmltv_0.5.63-2 The list might of course be shorter for sid as more rules files will have been modernised. Cheers, Dominic.
