Bug#1013329: razor 2.85 is really 2.84
Hi vagrant, thanks for pushing this to bdo. On 21/06/2022 23:41, Vagrant Cascadian wrote: On 2022-06-20, Malte S. Stretz wrote: TL;DR: It looks like the Debian 2.85 razor package you've been recently working on according to https://salsa.debian.org/debian/razor/-/commits/debian/latest is really 2.84 >> […] The current "upstream" version was uploaded to debian in 2008 currently present in old-old-stable (e.g. two releases prior to the current stable release): https://tracker.debian.org/news/303771/accepted-razor-1285-1-source-amd64/ The best thing might be to actually update to the newest upstream release, if there is indeed one newer than 2.85... and kind of ignore that unfortunate problem... ... though there might be security issues that are not correctly tracked that are fixed in the upstream 2.85, but not in the debian packages because of the version discrepancy; that might be worth confirming and possibly notifying the security team. The good news: There doesn't seem to be any security relevant changes in https://github.com/toddr/Razor2-Client-Agent/compare/v2.84...v2.85 There even don't seem to be many functional changes, most of the changes are cleanup/build related things. v2.86 also was just a build related thing. The bad news: All the current Debian patches won't apply anymore since there was some excessive reformatting applied upstream. OTOH will some of them not be needed anymore since it looks they were partially incorporated upstream. All that said, not sure I have the energy to tackle this kind of tangled problem at the moment... Would you like help with that? My Debian packaging know how is a bit rusty but I could create a PR on Salsa which * Merges the Upstream repo into the current Salsa repo (ie. switching it over to https://wiki.debian.org/PackagingWithGit#Using_the_upstream_repo without losing any history) at upstream v2.84 * Fixes up the Quilt patches and merge that state with upstream v2.85 * Bump the whole stuff to v2.86 What do I get out of that? I'd like to include my IPv6 patch on top of all of this. Regards, Malte
Bug#1013329: razor 2.85 is really 2.84
Source: razor
Version: 1:2.85-4.2
X-Debbugs-Cc: m...@msquadrat.de
Control: submitter -1 m...@msquadrat.de
On 2022-06-20, Malte S. Stretz wrote:
> TL;DR: It looks like the Debian 2.85 razor package you've been recently
> working on according to
> https://salsa.debian.org/debian/razor/-/commits/debian/latest is really 2.84
>
>
> I noticed this when I repackaged it to backport my IPv6 support from my
> GitHub PR at https://github.com/toddr/Razor2-Client-Agent/pull/13 for
> which you can find the quilt patch here
> https://salsa.debian.org/mss/razor/-/blob/ipv6/debian/patches/ipv6.patch
>
> Something was odd because the change applied differently to the Debian
> codebase than to the upstream one. I first assumed this was because
> upstream is already at version 2.86 but there aren't really any relevant
> changes in that version. But in commit
> 9e8186ac058eae55c92ab4ee9e982d24a978e66a the maintainer ran perltidy on
> the codebase which reformatted among others the Makefile.PL. But that
> change was applied already between 2.84 and 2.85.
>
> I compared the salsa and GitHub codebase with `git ls-tree -r HEAD | awk
> '{print $4}' | sort | xargs md5sum` and it is indeed almost the same for
> upstream tag v2.84 whereas for v2.85 a lot of changes are reported.
>
> I finally verified this by installing the package and checked that the
> 'use lib' line in razor-admin is still present in the Debian version
> whereas it is gone on CPAN in 2.85 (ie. CPAN matches the GitHub repo):
>
> *
> https://metacpan.org/release/TODDR/Razor2-Client-Agent-2.84/source/bin/razor-admin#L13
>
> *
> https://metacpan.org/release/TODDR/Razor2-Client-Agent-2.85/source/bin/razor-admin#L13
>
>
> So unless I miss something it looks like this package is actually quite
> messed up.
The current "upstream" version was uploaded to debian in 2008 currently
present in old-old-stable (e.g. two releases prior to the current stable
release):
https://tracker.debian.org/news/303771/accepted-razor-1285-1-source-amd64/
The best thing might be to actually update to the newest upstream
release, if there is indeed one newer than 2.85... and kind of ignore
that unfortunate problem...
... though there might be security issues that are not correctly tracked
that are fixed in the upstream 2.85, but not in the debian packages
because of the version discrepancy; that might be worth confirming and
possibly notifying the security team.
All that said, not sure I have the energy to tackle this kind of tangled
problem at the moment...
live well,
vagrant
signature.asc
Description: PGP signature
