Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: rlaa...@debian.org
[ Reason ]
gbonds is a program to track U.S. Savings Bonds and show their current
redemption value. To do so, it needs updated valuation data from the
U.S. Treasury twice a year. For nearly 30 years, Treasury has
released this data in flat file format. These were recently
discontinued in favor of an HTTP JSON API. The old files were removed
from Treasury's FTP site and I have it on good authority that they are
not coming back.
This is Debian bug #1001610.
[ Impact ]
gbonds cannot provide current redemption values. The version in
bullseye shipped with redemption data through May 2021 and, if its
update code ran before Treasury deleted the files from the FTP site,
could have downloaded one more file with redemption data through
December 2021.
[ Tests ]
The new updater code writes out files in the traditional flat file
format. I downloaded data for the previous period and compared it
to the last official flat file. The results are the same, except:
- The order of the lines in the file differs, which does not
affect the data.
- The API returns "null" (which maps to " ") instead of
"NO PAY". This seems to be a bug, as the API is documented to
return "NO PAY". I reported this to Treasury via their contact
form, but who know if/when this might be fixed. This does not
affect the values calculated, though it does mean bonds will
not properly show as "Not yet eligible for payment".
[ Risks ]
The core of the update code has been completely rewritten (by me, as
gbonds is long dead upstream). It uses libsoup to download data and
json-glib to parse it.
If the new update code is non-functional, it's no worse than the old
code now. Since Treasury has removed the files from its FTP site and
is not publishing new ones in that format, the old update code no
longer does anything useful.
If the new update code produces bad output, users would see incorrect
valuations. The transformation is straightforward, and I did compare
to the old data, as noted above.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
1. I added the last official Treasury data file (sb202106.asc). I
wouldn't normally include one of these in a stable update because
the update code would download them anyway. But in this case, the
file is no longer available from Treasury. It seems correct to ship
the last official file since it's possible to do so.
2. I added a patch (which I wrote) that rewrites the core of the update
code. Instead of downloading flat files from Treasury's FTP site,
it accesses Treasury's HTTP JSON API. It writes out files in the
traditional format, so none of the rest of the application changed.
3. I modified debian/gbp.conf to reference the debian/bullseye branch
I created as part of this update.
4. I updated debian/changelog, of course.
diff -Nru gbonds-2.0.3/debian/changelog gbonds-2.0.3/debian/changelog
--- gbonds-2.0.3/debian/changelog 2021-02-04 02:23:39.0 -0600
+++ gbonds-2.0.3/debian/changelog 2021-12-23 21:24:14.0 -0600
@@ -1,3 +1,10 @@
+gbonds (2.0.3-16+deb11u1) bullseye; urgency=high
+
+ * Add redemption data through 11/2021 (sb202106.asc)
+ * Use Treasury API for redemption data (Closes: 1001610)
+
+ -- Richard Laager Thu, 23 Dec 2021 21:24:14 -0600
+
gbonds (2.0.3-16) unstable; urgency=medium
* Add redemption data through 05/2021 (sb202012.asc)
diff -Nru gbonds-2.0.3/debian/control gbonds-2.0.3/debian/control
--- gbonds-2.0.3/debian/control 2021-02-04 02:22:30.0 -0600
+++ gbonds-2.0.3/debian/control 2021-12-23 21:23:46.0 -0600
@@ -6,6 +6,8 @@
dpkg-dev (>= 1.16.1),
intltool,
libgtk-3-dev,
+ libjson-glib-dev,
+ libsoup2.4-dev,
libtool,
libxml2-dev (>= 2.4.23),
Standards-Version: 4.5.1
diff -Nru gbonds-2.0.3/debian/gbp.conf gbonds-2.0.3/debian/gbp.conf
--- gbonds-2.0.3/debian/gbp.conf2020-02-19 18:18:42.0 -0600
+++ gbonds-2.0.3/debian/gbp.conf2021-12-23 21:24:11.0 -0600
@@ -1,5 +1,5 @@
[DEFAULT]
-debian-branch = debian/unstable
+debian-branch = debian/bullseye
pristine-tar = True
upstream-branch = upstream/latest
diff -Nru gbonds-2.0.3/debian/patches/download-sites
gbonds-2.0.3/debian/patches/download-sites
--- gbonds-2.0.3/debian/patches/download-sites 2020-08-15 17:41:52.0
-0500
+++ gbonds-2.0.3/debian/patches/download-sites 1969-12-31 18:00:00.0
-0600
@@ -1,15 +0,0 @@
-Description: Remove snaught.com from the download list
- It didn't have the latest redemption data. This leaves only the
-