Bug#836110: Remove export of PERL_USE_UNSAFE_INC in the future

2017-08-20 Thread Dominic Hargreaves 
On Sat, Aug 12, 2017 at 08:56:02PM -0400, Dominic Hargreaves wrote:
> On Sun, Aug 06, 2017 at 11:39:23PM -0400, Dominic Hargreaves wrote:
> 
> > I propose to file bugs on affected packages: do you think that the
> > wording below is okay? I'm guessing severity: normal is appropriate
> > for now, since there is no great hurry to remove the export?
> 
> [...]
> 
> For the record, (most of) these bugs are now filed and blocking this
> one, though I am also going to do another run as I forgot to revert
> adding '-I.' too.

Okay, after this run a much larger set of packages fails - around
350 extra. I think that this may be too many to warrant individual
bug filing at this stage.

The vast majority of new failures are Module::Install related, and that
is now deprecated by the maintainer, so in many cases upstream may be
amenable to, or already planning to replace that with another build system.

One route for Debian to take is just wait for the gradual migration to
debhelper compat 11. I note that the pkg-perl team standard at this
point is still 9. Because of the perl-specific change in debhelper
level 11, I would like to propose (regardless of whether we decide to
file bugs) that we switch to using this for new package uploads, as over
time this will mean we will deal with this class of issues.

I note that the 11 compat level is still experimental, but are there
any downsides with making this the default for pkg-perl?

The full list of packages failing because of Module::Install is
attached.

Cheers,
Dominic.
alice_0.19-1
all-knowing-dns_1.7-1
eekboek_2.02.05+dfsg-2
grepmail_5.3033-8kephra_0.4.3.34
libalgorithm-dependency-perl_1.110-1.1
libalgorithm-lbfgs-perl_0.16-2
libanyevent-connection-perl_0.06-5
libanyevent-dbd-pg-perl_0.03-5
libanyevent-i3-perl_0.16-1
libanyevent-memcached-perl_0.08-1
libanyevent-redis-perl_0.24-2
libapache2-authcassimple-perl_0.10-3
libapp-cli-perl_0.313-2
libarray-diff-perl_0.07-2
libasa-perl_1.03-1
libaspect-perl_1.04-1
libaudio-flac-header-perl_2.4-2
libaudio-moosic-perl_0.10-2
libaudio-musepack-perl_1.0.1-1
libaudio-rpld-perl_0.006-1
libaudio-wma-perl_1.3-2
libauthen-cas-client-perl_0.07-1
libauthen-sasl-perl_2.1600-1
libauthen-simple-ldap-perl_0.3-1
libauthen-simple-perl_0.5-1
libbenchmark-progressbar-perl_0.1-1
libbenchmark-timer-perl_0.7107-1
libbest-perl_0.15-1
libb-hooks-op-check-entersubforcv-perl_0.10-1
libb-hooks-op-check-perl_0.19-3
libcache-memcached-libmemcached-perl_0.04001-1
libcache-simple-timedexpiry-perl_0.27-3
libcarp-clan-share-perl_0.013-1
libcatalyst-action-renderview-perl_0.16-2
libcatalyst-actionrole-acl-perl_0.07-1
libcatalyst-actionrole-requiressl-perl_0.07-1
libcatalyst-action-serialize-data-serializer-perl_1.08-2
libcatalyst-authentication-store-dbix-class-perl_0.1506-3
libcatalyst-component-instancepercontext-perl_0.001001-2
libcatalyst-controller-formbuilder-perl_0.06-2
libcatalyst-log-log4perl-perl_1.06-3
libcatalyst-model-adaptor-perl_0.10-2
libcatalyst-model-dbic-schema-perl_0.65-1
libcatalyst-perl_5.90115-1
libcatalyst-plugin-authentication-perl_0.10023-3
libcatalyst-plugin-authorization-roles-perl_0.09-2
libcatalyst-plugin-cache-perl_0.12-2
libcatalyst-plugin-compress-perl_0.5-1
libcatalyst-plugin-configloader-perl_0.34-2
libcatalyst-plugin-i18n-perl_0.10-3
libcatalyst-plugin-scheduler-perl_0.10-1
libcatalyst-plugin-session-perl_0.40-1
libcatalyst-plugin-session-state-cookie-perl_0.17-3
libcatalyst-plugin-session-store-dbi-perl_0.16-2
libcatalyst-plugin-session-store-delegate-perl_0.06-2/
libcatalyst-plugin-session-store-file-perl_0.18-2
libcatalyst-plugin-stacktrace-perl_0.12-2
libcatalyst-plugin-static-simple-perl_0.33-2
libcatalyst-plugin-subrequest-perl_0.21-1
libcatalyst-plugin-unicode-perl_0.93-3
libcatalyst-view-component-subinclude-perl_0.10-3
libcatalyst-view-csv-perl_1.7-1
libcatalyst-view-email-perl_0.36-1
libcatalyst-view-json-perl_0.36-1
libcatalyst-view-mason-perl_0.19-1
libcatalystx-simplelogin-perl_0.19-1
libcgi-application-plugin-viewcode-perl_1.02-4
libcgi-psgi-perl_0.15-2
libcgi-uploader-perl_2.18-2
libchi-driver-redis-perl_0.10-1
libclass-accessor-grouped-perl_0.10012-1
libclass-accessor-lite-perl_0.08-1
libclass-accessor-named-perl_0.008-1
libclass-adapter-perl_1.07-1
libclass-autouse-perl_2.01-1
libclass-c3-componentised-perl_1.001000-1
libclass-data-accessor-perl_0.04004-2
libclass-default-perl_1.51-3
libclass-handle-perl_1.07-2
libclass-returnvalue-perl_0.55-2
libclass-spiffy-perl_0.15-3
libclipboard-perl_0.13-1
libconfig-gitlike-perl_1.16-1
libconfig-pit-perl_0.04-1
libcontext-preserve-perl_0.01-1
libconvert-pem-perl_0.08-2
libcpandb-perl_0.18-1
libcpan-inject-perl_1.14-1
libcpanplus-dist-build-perl_0.80-1
libcpanplus-perl_0.9162-1
libcql-parser-perl_1.12-1
libcrypt-cracklib-perl_1.7-2
libcrypt-dh-gmp-perl_0.00012-1
libcrypt-dh-perl_0.07-1
libcrypt-dsa-perl_1.17-4
libcrypt-openssl-x509-perl_1.8.7-3
libcss-packer-perl_2.02-1
libcurses-ui-perl_0.9609-1
libdaemon-control-perl_0.001008-1
libdata-amf-perl_0.09+dfsg-2
libdat

Bug#836110: Remove export of PERL_USE_UNSAFE_INC in the future

2017-08-12 Thread Dominic Hargreaves 
On Sun, Aug 06, 2017 at 11:39:23PM -0400, Dominic Hargreaves wrote:

> I propose to file bugs on affected packages: do you think that the
> wording below is okay? I'm guessing severity: normal is appropriate
> for now, since there is no great hurry to remove the export?

[...]

For the record, (most of) these bugs are now filed and blocking this
one, though I am also going to do another run as I forgot to revert
adding '-I.' too.

Cheers,
Dominic.

Bug#836110: Remove export of PERL_USE_UNSAFE_INC in the future

2017-08-06 Thread Dominic Hargreaves 
On Fri, Jul 07, 2017 at 12:00:36AM +0100, Dominic Hargreaves wrote:
> On Thu, Jun 29, 2017 at 12:06:21PM +0100, Dominic Hargreaves wrote:

> > Sorry about this. At this stage I think it might be better to wait
> > until perl 5.26 has transitioned, so we can reassess all the various
> > breakages without the local modifications that we introduced for 5.24.
> > 
> > I think a transition bug will be opened soon, so this shouldn't delay
> > by more than another couple of months, which should be acceptable for 
> > the buster release?
> 
> (For the bug record).
> 
> Niels removed this from debhelper compat 11:
> 
> https://anonscm.debian.org/git/debhelper/debhelper.git/tree/debhelper.pod#n683
> 
> but I don't this changes my plan above to push on this after the
> perl 5.26 transition is underway. It means that module maintainers
> can move to debhelper 11 as a way to verify whether their packages
> need properly fixing.

Hi,

I've now started this rebuild, and the results are appearing on gobby:




I propose to file bugs on affected packages: do you think that the
wording below is okay? I'm guessing severity: normal is appropriate
for now, since there is no great hurry to remove the export?

"This package FTBFS when built with a locally-patched version of
debhelper without USE_UNSAFE_INC exported to the build environment.
This export was added in 2016 in order to accommodate the perl security
release to remove '.' in @INC by default.

As well as allowing us to (eventually) remove this temporary
fix from debhelper, fixing this bug will also help upstreams, since
their users using perl 5.26 will also experience this breakage.
Additionally, it's possible that the problem may also exist at runtime
for your package (though from experience this is less likely).

Note that the testing was against a locally-modified version
of debhelper, but you can get the same effect by setting debhelper
compat level 11 in your package, which also removes the same
export.

The relevant build failure logs are below."

Cheers,
Dominic.

Bug#836110: Remove export of PERL_USE_UNSAFE_INC in the future

2017-07-06 Thread Dominic Hargreaves 
On Thu, Jun 29, 2017 at 12:06:21PM +0100, Dominic Hargreaves wrote:
> On Tue, Jun 27, 2017 at 08:55:00AM +, Niels Thykier wrote:
> > On Sat, 3 Dec 2016 14:12:53 + Dominic Hargreaves  wrote:
> > > [...]
> > > 
> > > Hi Niels,
> > > 
> > > (and sorry about the silence).
> > > 
> > > No, not yet. That will need a full rebuild with the debhelper change
> > > reverted, and I'm unlikely to have time to do that until the new year.
> > > 
> > > Cheers,
> > > Dominic.
> > > 
> > > 
> > 
> > Ping. :)
> > 
> > I was reminded of this due to a related chat on #d-perl today. :)
> 
> Hi Niels,
> 
> Sorry about this. At this stage I think it might be better to wait
> until perl 5.26 has transitioned, so we can reassess all the various
> breakages without the local modifications that we introduced for 5.24.
> 
> I think a transition bug will be opened soon, so this shouldn't delay
> by more than another couple of months, which should be acceptable for 
> the buster release?

(For the bug record).

Niels removed this from debhelper compat 11:

https://anonscm.debian.org/git/debhelper/debhelper.git/tree/debhelper.pod#n683

but I don't this changes my plan above to push on this after the
perl 5.26 transition is underway. It means that module maintainers
can move to debhelper 11 as a way to verify whether their packages
need properly fixing.

Thanks Niels!

Dominic.

Bug#836110: Remove export of PERL_USE_UNSAFE_INC in the future

2017-06-29 Thread Dominic Hargreaves 
On Tue, Jun 27, 2017 at 08:55:00AM +, Niels Thykier wrote:
> On Sat, 3 Dec 2016 14:12:53 + Dominic Hargreaves  wrote:
> > [...]
> > 
> > Hi Niels,
> > 
> > (and sorry about the silence).
> > 
> > No, not yet. That will need a full rebuild with the debhelper change
> > reverted, and I'm unlikely to have time to do that until the new year.
> > 
> > Cheers,
> > Dominic.
> > 
> > 
> 
> Ping. :)
> 
> I was reminded of this due to a related chat on #d-perl today. :)

Hi Niels,

Sorry about this. At this stage I think it might be better to wait
until perl 5.26 has transitioned, so we can reassess all the various
breakages without the local modifications that we introduced for 5.24.

I think a transition bug will be opened soon, so this shouldn't delay
by more than another couple of months, which should be acceptable for 
the buster release?

Cheers,
Dominic.

Bug#836110: Remove export of PERL_USE_UNSAFE_INC in the future

2017-06-27 Thread Niels Thykier 
On Sat, 3 Dec 2016 14:12:53 + Dominic Hargreaves  wrote:
> [...]
> 
> Hi Niels,
> 
> (and sorry about the silence).
> 
> No, not yet. That will need a full rebuild with the debhelper change
> reverted, and I'm unlikely to have time to do that until the new year.
> 
> Cheers,
> Dominic.
> 
> 

Ping. :)

I was reminded of this due to a related chat on #d-perl today. :)

Thanks,
~Niels

Bug#836110: Remove export of PERL_USE_UNSAFE_INC in the future

2016-12-03 Thread Dominic Hargreaves 
On Wed, Oct 05, 2016 at 05:58:00AM +, Niels Thykier wrote:
> On Tue, 30 Aug 2016 17:35:41 +0100 Dominic Hargreaves  wrote:
> > Package: debhelper
> > Version: 9.20160814
> > Severity: wishlist
> > X-Debbugs-Cc: p...@packages.debian.org
> > User: debian-p...@lists.debian.org
> > Usertags: perl-cwd-inc-removal
> > 
> > On Tue, Aug 30, 2016 at 03:59:00PM +, Niels Thykier wrote:
> > > Dominic Hargreaves:
> > > > Hi maintainers,
> > > > 
> > > > Thanks very much for applying the patches in #832436 for the
> > > > remove-cwd-in-inc issue in perl. One of these changes, to export
> > > > PERL_USE_UNSAFE_INC, is not a good long-term solution, and I will file
> > > > bugs against packages which would otherwise be broken in due course
> > > > with a view to requesting removal of that export in debhelper at some
> > > > point after stretch's release.
> > > > 
> > > > Would you be happy for me to file a wishlist bug against this to act
> > > > as a reminder, and to block with the bugs I will file against affected
> > > > packages?
> > > > 
> > > > No hurry on this, but I wanted to make sure it didn't get forgotten.
> > > > 
> > > > Cheers,
> > > > Dominic.
> > > > 
> > > > [...]
> > > 
> > [...]
> > 
> 
> Hi Dominic,
> 
> Did you file some of the blockers already?  If so, they don't seem to be
> tagged as blockers of this bug. :)

Hi Niels,

(and sorry about the silence).

No, not yet. That will need a full rebuild with the debhelper change
reverted, and I'm unlikely to have time to do that until the new year.

Cheers,
Dominic.

Bug#836110: Remove export of PERL_USE_UNSAFE_INC in the future

2016-10-04 Thread Niels Thykier 
On Tue, 30 Aug 2016 17:35:41 +0100 Dominic Hargreaves  wrote:
> Package: debhelper
> Version: 9.20160814
> Severity: wishlist
> X-Debbugs-Cc: p...@packages.debian.org
> User: debian-p...@lists.debian.org
> Usertags: perl-cwd-inc-removal
> 
> On Tue, Aug 30, 2016 at 03:59:00PM +, Niels Thykier wrote:
> > Dominic Hargreaves:
> > > Hi maintainers,
> > > 
> > > Thanks very much for applying the patches in #832436 for the
> > > remove-cwd-in-inc issue in perl. One of these changes, to export
> > > PERL_USE_UNSAFE_INC, is not a good long-term solution, and I will file
> > > bugs against packages which would otherwise be broken in due course
> > > with a view to requesting removal of that export in debhelper at some
> > > point after stretch's release.
> > > 
> > > Would you be happy for me to file a wishlist bug against this to act
> > > as a reminder, and to block with the bugs I will file against affected
> > > packages?
> > > 
> > > No hurry on this, but I wanted to make sure it didn't get forgotten.
> > > 
> > > Cheers,
> > > Dominic.
> > > 
> > > [...]
> > 
> [...]
> 

Hi Dominic,

Did you file some of the blockers already?  If so, they don't seem to be
tagged as blockers of this bug. :)

Thanks,
~Niels

Bug#836110: Remove export of PERL_USE_UNSAFE_INC in the future

2016-08-30 Thread Dominic Hargreaves 
Package: debhelper
Version: 9.20160814
Severity: wishlist
X-Debbugs-Cc: p...@packages.debian.org
User: debian-p...@lists.debian.org
Usertags: perl-cwd-inc-removal

On Tue, Aug 30, 2016 at 03:59:00PM +, Niels Thykier wrote:
> Dominic Hargreaves:
> > Hi maintainers,
> > 
> > Thanks very much for applying the patches in #832436 for the
> > remove-cwd-in-inc issue in perl. One of these changes, to export
> > PERL_USE_UNSAFE_INC, is not a good long-term solution, and I will file
> > bugs against packages which would otherwise be broken in due course
> > with a view to requesting removal of that export in debhelper at some
> > point after stretch's release.
> > 
> > Would you be happy for me to file a wishlist bug against this to act
> > as a reminder, and to block with the bugs I will file against affected
> > packages?
> > 
> > No hurry on this, but I wanted to make sure it didn't get forgotten.
> > 
> > Cheers,
> > Dominic.
> > 
> > [...]
> 
> By all means, please go ahead. :)

Thanks, done.

Dominic.