On Fri, Aug 11, 2023 at 6:42 AM Randy MacLeod via lists.openembedded.org <[email protected]> wrote:
>
> Narpat,
>
> I don't see this in Steve's test branch:
>
> https://git.openembedded.org/openembedded-core-contrib/log/?h=stable%2Fmickledore-nut&qt=grep&q=pygments

Yes, for the reasons you discuss below. I was intending to reply this morning, but you beat me to it :-)

> which is good since for mickledore, I think that you need to backport only the fix commits
> because 2.15.1 has added features and build related changes. I'm not using pygments
> so I've CCed Tim to ask him to confirm that this is the right approach.
>
> I think that since we've worked on chromium and maybe vim together, and seen me
> suggest an upgrade rather than a commit backport for dmidecode, you are
> under the mistaken impression that it's generally acceptable. It's not.
>
>
> Also you asked about kirkstone privately, so I'll quote that here:
> "the current version of python3-pygments is 2.11.2 in LTS22 and
> have tried back-porting these above fixes but, the source files
> have been changed a lot and I am unable to back-port these.
> So, upgrading this current version 2.11.2 -> 2.15.1 would be acceptable
> or not ? "
>
> Here as well, the answer is no, we need you to backport the fixes. If it's simply not
> practical to fix a CVE, in rare cases, you could tag the CVE with something like:
>
> meta/recipes-devtools/flex/flex_2.6.4.bb:CVE_STATUS[CVE-2019-6293] = "upstream-wontfix:
> or = "backporting-not-sensible"
>
> but that's a last resort and others may rightfully object to that conclusion.

Yes, same issue with a kirkstone upgrade! However your suggestion to consider CVE_STATUS isn't possible for any of the stable branches since we won't be backporting that feature (it is too intrusive). So for mickledore and kirkstone it would be CVE_CHECK_IGNORE and with dunfell CVE_CHECK_WHITELIST. And of course a comment explaining the issue and why this is an appropriate resolution.

Steve

> On 2023-08-08 04:32, Narpat Mali via lists.openembedded.org wrote:
> > From: Narpat Mali <[email protected]> > > * Upstream has dropped setup.py > * Inherit python_setuptools_build_meta instead of setuptools3 > * Add self as maintainer, as this is a dependency for python3-sphinx > > Adds some new lexers, updates a few others. A handful of bug fixes. > > https://github.com/pygments/pygments/blob/2.15.1/CHANGES#L6 > https://github.com/pygments/pygments/blob/2.15.1/CHANGES#L18 > > Have cherry-picked the upgrade commit from upstream/master: > https://git.openembedded.org/openembedded-core/commit/?id=22e2569ae4843071b2b48d026ca4742351baf6d1 > > It's good that you amended the commit log to show where the work > came from. It seems that you dropped these two SOB lines: > > Signed-off-by: Tim Orling <[email protected]> > Signed-off-by: Richard Purdie <[email protected]> > > I'd keep them since it's part of the upstream commit. > > > > Signed-off-by: Narpat Mali <[email protected]> > --- > meta/conf/distro/include/maintainers.inc | 2 +- > ...{python3-pygments_2.14.0.bb => python3-pygments_2.15.1.bb} | 4 ++-- > 2 files changed, 3 insertions(+), 3 deletions(-) > rename meta/recipes-devtools/python/{python3-pygments_2.14.0.bb => > python3-pygments_2.15.1.bb} (76%) > > diff --git a/meta/conf/distro/include/maintainers.inc > b/meta/conf/distro/include/maintainers.inc > index 07498a23a9..c9d790ca32 100644 > --- a/meta/conf/distro/include/maintainers.inc > +++ b/meta/conf/distro/include/maintainers.inc 
> @@ -666,7 +666,7 @@ RECIPE_MAINTAINER:pn-python3-pyasn1 = "Tim Orling > <[email protected]>" > RECIPE_MAINTAINER:pn-python3-pycairo = "Zang Ruochen > <[email protected]>" > RECIPE_MAINTAINER:pn-python3-pycparser = "Tim Orling > <[email protected]>" > RECIPE_MAINTAINER:pn-python3-pyelftools = "Joshua Watt > <[email protected]>" > -RECIPE_MAINTAINER:pn-python3-pygments = "Unassigned > <[email protected]>" > +RECIPE_MAINTAINER:pn-python3-pygments = "Tim Orling > <[email protected]>" > > This came from the cherry-pick but clearly you should CC Tim and probably > email > > him first to see if he agrees on maintainership for the recipe in mickledore. > > > ../Randy > > > RECIPE_MAINTAINER:pn-python3-pygobject = "Zang Ruochen > <[email protected]>" > RECIPE_MAINTAINER:pn-python3-pyopenssl = "Tim Orling > <[email protected]>" > RECIPE_MAINTAINER:pn-python3-pyparsing = "Unassigned > <[email protected]>" > diff --git a/meta/recipes-devtools/python/python3-pygments_2.14.0.bb > b/meta/recipes-devtools/python/python3-pygments_2.15.1.bb > similarity index 76% > rename from meta/recipes-devtools/python/python3-pygments_2.14.0.bb > rename to meta/recipes-devtools/python/python3-pygments_2.15.1.bb > index 16769e9263..e0e477100e 100644 > --- a/meta/recipes-devtools/python/python3-pygments_2.14.0.bb > +++ b/meta/recipes-devtools/python/python3-pygments_2.15.1.bb > @@ -4,8 +4,8 @@ HOMEPAGE = "http://pygments.org/" > LICENSE = "BSD-2-Clause" > LIC_FILES_CHKSUM = "file://LICENSE;md5=36a13c90514e2899f1eba7f41c3ee592" > > -inherit setuptools3 > -SRC_URI[sha256sum] = > "b3ed06a9e8ac9a9aae5a6f5dbe78a8a58655d17b43b93c078f094ddc476ae297" > +inherit python_setuptools_build_meta > +SRC_URI[sha256sum] = > "8ace4d3c1dd481894b2005f560ead0f9f19ee64fe983366be1a21e171d12775c" > > DEPENDS += "\ > ${PYTHON_PN} \ > > > > > -- > # Randy MacLeod > # Wind River Linux > > > >
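Review bot: In the maintainers.inc hunk, the RECIPE_MAINTAINER:pn-python3-pygments change from "Unassigned" to "Tim Orling" is carried over from the cherry-pick, and the commit message's "Add self as maintainer" no longer matches the only Signed-off-by visible in this submission. A maintainer reassignment is unrelated to the version change in the recipe, so drop this hunk from the stable-branch patch, or keep it only with the original author's Signed-off-by line restored and his agreement recorded in the commit message.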
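Review bot: In the python3-pygments recipe hunk, replacing "inherit setuptools3" with "inherit python_setuptools_build_meta" changes how the package is built, which goes beyond what a fix on a stable branch needs, and the commit message ("Adds some new lexers, updates a few others. A handful of bug fixes.") does not name any CVE or upstream fix commit that the upgrade is meant to deliver. State the CVE identifiers and the upstream fix commits in the commit message, and prefer carrying those fixes as patches against 2.14.0 so that the inherit line and SRC_URI[sha256sum] stay unchanged.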
View/Reply Online (#185851): https://lists.openembedded.org/g/openembedded-core/message/185851
