Bug#793630: groovy 1.8.6 and libcommons-cli-java 1.3.1 FTBFS

2015-09-11 Thread Miguel Landaeta
On Tue, Aug 25, 2015 at 11:52:47PM +0200, Markus Koschany wrote:
> 
> I suggest to ask the release team for an exception and to provide the
> security fix via testing-proposed-updates. The CVE-fix appears to be
> straightforward and could be uploaded afterwards to stable-proposed-updates.

Thanks for the suggestion. I'll ask the release team for authorization
to go with this approach.

> 
> We shouldn't invest too much time in groovy 1.x anymore. I think the
> time is better spent on trying to switch all r-deps from groovy 1.x to
> 2.x as soon as possible and getting rid of this package.

I absolutely agree with you on this. All the time that I want to
spend working on groovy 1.x is to migrate r-deps to 2.x.

-- 
Miguel Landaeta, nomadium at debian.org
secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key.
"Faith means not wanting to know what is true." -- Nietzsche


__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers.
Please use debian-j...@lists.debian.org for discussions and questions.

Bug#793630: groovy 1.8.6 and libcommons-cli-java 1.3.1 FTBFS

2015-08-25 Thread Markus Koschany
On Wed, 29 Jul 2015 10:49:12 -0300 Miguel Landaeta nomad...@debian.org wrote:
> On Wed, Jul 29, 2015 at 10:00:16AM +0100, Russel Winder wrote:
> > Emmanuel, Miguel,
>
> Hi Russel,
>
> > Apache Groovy 1.x series is no longer maintained. All effort is now on
> > the Apache Groovy 2.4.x and 2.5-SNAPSHOT versions. If Debian is to
> > remove Commons CLI 1.2 then I suggest removing the groovy package since
> > the groovy2 package is in place already, and is the right version for
> > Debian to go with.
>
> That's right. We are no longer maintaining Groovy 1.x although we have
> several packages depending on it and our latest Debian stable release
> still includes groovy 1.x.
>
> I stumbled upon this bug due to my attempt to fix CVE-2015-3253 in
> unstable for groovy 1.8.6 (the published fix is relevant for all
> groovy versions since 1.7.0).
>
> I expect to remove groovy eventually but in the meantime we are
> applying only security bug fixes. We are working on groovy2 now.

Hi all,

I suggest to ask the release team for an exception and to provide the
security fix via testing-proposed-updates. The CVE-fix appears to be
straightforward and could be uploaded afterwards to stable-proposed-updates.

We shouldn't invest too much time in groovy 1.x anymore. I think the
time is better spent on trying to switch all r-deps from groovy 1.x to
2.x as soon as possible and getting rid of this package.

Regards,

Markus







Bug#793630: groovy 1.8.6 and libcommons-cli-java 1.3.1 FTBFS

2015-07-29 Thread Russel Winder
Emmanuel, Miguel,

On Wed, 2015-07-29 at 09:57 +0200, Emmanuel Bourg wrote:
> On 29/07/2015 03:35, Miguel Landaeta wrote:
>
> > Since you have worked upstream with libcommons-cli-java, I hope
> > not to bother you with this help request.
>
> commons-cli provides several parsers with different behaviors. Up to 1.2
> there was a gnu and a posix parser, and starting with 1.3 I introduced
> a new unified parser (DefaultParser). You may try using it, it's just a
> matter of changing the instantiation and it's likely to work better.

As far as I am aware, the Apache Groovy source explicitly imports and
uses the GnuParser – even now despite it being deprecated – as part of
the CliBuilder class. All other uses of org.apache.commons.cli in the
Apache Groovy source use DefaultParser. If I remember correctly,
DefaultParser, which is PosixParser I believe, enforces bursting of
single hyphen options, which is fine for the Groovy command line, but
not sufficiently flexible for the CliBuilder.

The Java Way is for a version of something, in this case Groovy 1.8.6
to retain its original dependency, in this case Commons CLI 1.2.x,
rather than have the dependencies altered without a new release – most
people get their dependencies from JCenter or Maven Central via Gradle
or Maven.

Apache Groovy 1.x series is no longer maintained. All effort is now on
the Apache Groovy 2.4.x and 2.5-SNAPSHOT versions. If Debian is to
remove Commons CLI 1.2 then I suggest removing the groovy package since
the groovy2 package is in place already, and is the right version for
Debian to go with.

Unless I am missing something.

-- 
Russel.
=
Dr Russel Winder      t: +44 20 7585 2200   voip: sip:russel.win...@ekiga.net
41 Buckmaster Road    m: +44 7770 465 077   xmpp: rus...@winder.org.uk
London SW11 1EN, UK   w: www.russel.org.uk  skype: russel_winder



Bug#793630: groovy 1.8.6 and libcommons-cli-java 1.3.1 FTBFS

2015-07-29 Thread Emmanuel Bourg
On 29/07/2015 03:35, Miguel Landaeta wrote:

> Since you have worked upstream with libcommons-cli-java, I hope
> not to bother you with this help request.

commons-cli provides several parsers with different behaviors. Up to 1.2
there was a gnu and a posix parser, and starting with 1.3 I introduced
a new unified parser (DefaultParser). You may try using it, it's just a
matter of changing the instantiation and it's likely to work better.

Emmanuel Bourg



Bug#793630: groovy 1.8.6 and libcommons-cli-java 1.3.1 FTBFS

2015-07-29 Thread Paul King

On 29/07/2015 8:24 PM, Paul King wrote:

> On 29/07/2015 7:00 PM, Russel Winder wrote:
>
> > Emmanuel, Miguel,

[...snip...]

> The 2.4.x stream is a mostly maintenance stream (i.e. bug fixes
> and only minor functional changes/enhancements). At this stage,
> there aren't any plans for doing a 2.4.x release with Commons CLI 1.3.


793630: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793630

OK, I can see more of the context now. I believe that our 2.4.x stream
should compile against Commons CLI 1.3 (it will just use the deprecated
classes so might have a few warnings).

But now that I understand the context, do let us know if that doesn't
work. If back-porting our CLI 1.3 changes from the 2.5.x stream to the
2.4.x stream (2.4.5 would be our next release) is the only way to get
out a security fixed Debian version of Groovy, then we might consider
bending our only minor enhancements policy in the 2.4.x stream.
We'd need a little bit of time to discuss and then it will take a few
weeks to cut a release - we have a few things on our plates at the
moment and have a new release process through the Apache incubator
at present.





Bug#793630: groovy 1.8.6 and libcommons-cli-java 1.3.1 FTBFS

2015-07-29 Thread Paul King

On 29/07/2015 7:00 PM, Russel Winder wrote:

> Emmanuel, Miguel,
>
> On Wed, 2015-07-29 at 09:57 +0200, Emmanuel Bourg wrote:
> > On 29/07/2015 03:35, Miguel Landaeta wrote:
> >
> > > Since you have worked upstream with libcommons-cli-java, I hope
> > > not to bother you with this help request.
> >
> > commons-cli provides several parsers with different behaviors. Up to 1.2
> > there was a gnu and a posix parser, and starting with 1.3 I introduced
> > a new unified parser (DefaultParser). You may try using it, it's just a
> > matter of changing the instantiation and it's likely to work better.
>
> As far as I am aware, the Apache Groovy source explicitly imports and
> uses the GnuParser – even now despite it being deprecated – as part of
> the CliBuilder class. All other uses of org.apache.commons.cli in the
> Apache Groovy source use DefaultParser. If I remember correctly,
> DefaultParser, which is PosixParser I believe, enforces bursting of
> single hyphen options, which is fine for the Groovy command line, but
> not sufficiently flexible for the CliBuilder.
>
> The Java Way is for a version of something, in this case Groovy 1.8.6
> to retain its original dependency, in this case Commons CLI 1.2.x,
> rather than have the dependencies altered without a new release – most
> people get their dependencies from JCenter or Maven Central via Gradle
> or Maven.
>
> Apache Groovy 1.x series is no longer maintained. All effort is now on
> the Apache Groovy 2.4.x and 2.5-SNAPSHOT versions. If Debian is to
> remove Commons CLI 1.2 then I suggest removing the groovy package since
> the groovy2 package is in place already, and is the right version for
> Debian to go with.
>
> Unless I am missing something.


The 2.4.x stream of Groovy uses Commons CLI 1.2 and defaults to our
own GroovyPosixParser which is a clone of PosixParser with some of
the bug fixes from DefaultParser and some of our own. CliBuilder
has a posix switch which allows the GnuParser or standard PosixParser
to be used instead of our GroovyPosixParser.

The 2.5.x stream of Groovy (yet to release 2.5.0) uses Commons CLI 1.3
and DefaultParser both internally and within CliBuilder. There is an
escape mechanism to use the deprecated GnuParser or (the deprecated in
this stream GroovyPosixParser).

The 2.4.x stream is a mostly maintenance stream (i.e. bug fixes
and only minor functional changes/enhancements). At this stage,
there aren't any plans for doing a 2.4.x release with Commons CLI 1.3.

Groovy2 is certainly the package to go with for Groovy. It currently
relies on Commons CLI 1.2. I missed the earlier part of the
conversation, and it's been too many years since I was last involved
with Debian builds for me to remember all the details, so I won't
make any further recommendations but feel free to ask more questions
if needed.

Cheers, Paul.



Bug#793630: groovy 1.8.6 and libcommons-cli-java 1.3.1 FTBFS

2015-07-29 Thread Miguel Landaeta
On Wed, Jul 29, 2015 at 10:00:16AM +0100, Russel Winder wrote:
> Emmanuel, Miguel,

Hi Russel,

> Apache Groovy 1.x series is no longer maintained. All effort is now on
> the Apache Groovy 2.4.x and 2.5-SNAPSHOT versions. If Debian is to
> remove Commons CLI 1.2 then I suggest removing the groovy package since
> the groovy2 package is in place already, and is the right version for
> Debian to go with.

That's right. We are no longer maintaining Groovy 1.x although we have
several packages depending on it and our latest Debian stable release
still includes groovy 1.x.

I stumbled upon this bug due to my attempt to fix CVE-2015-3253 in
unstable for groovy 1.8.6 (the published fix is relevant for all
groovy versions since 1.7.0).

I expect to remove groovy eventually but in the meantime we are
applying only security bug fixes. We are working on groovy2 now.

Cheers,

-- 
Miguel Landaeta, nomadium at debian.org
secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key.
Faith means not wanting to know what is true. -- Nietzsche



Bug#793630: groovy 1.8.6 and libcommons-cli-java 1.3.1 FTBFS

2015-07-29 Thread Miguel Landaeta
On Wed, Jul 29, 2015 at 09:57:35AM +0200, Emmanuel Bourg wrote:
> On 29/07/2015 03:35, Miguel Landaeta wrote:
>
> > Since you have worked upstream with libcommons-cli-java, I hope
> > not to bother you with this help request.
>
> commons-cli provides several parsers with different behaviors. Up to 1.2
> there was a gnu and a posix parser, and starting with 1.3 I introduced
> a new unified parser (DefaultParser). You may try using it, it's just a
> matter of changing the instantiation and it's likely to work better.

Yes, I already tried that with no luck.

The thing is, commons-cli 1.3 is supposed to be backward compatible
with 1.2 and I believe so. It still provides the PosixParser class
although it is marked as deprecated.

Current groovy version in the archive is 1.8.6-4 and it was compiled
with commons-cli 1.2. When you try to build it today, ant tasks defs
fail when they are run against 1.3. So, I can't even do a test build
to check if DefaultParser works OK or not.

-- 
Miguel Landaeta, nomadium at debian.org
secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key.
Faith means not wanting to know what is true. -- Nietzsche



Bug#793630: groovy 1.8.6 and libcommons-cli-java 1.3.1 FTBFS

2015-07-28 Thread Miguel Landaeta
tags 793630 + help
thanks

Hi Emmanuel, how are you?

I'm writing you due to #793630. It's an FTBFS that I strongly suspect
is caused by libcommons-cli-java 1.3. When I try to build groovy with
libcommons-cli 1.2-3 it builds OK but it fails with 1.3.1-2 due to
groovyc not recognizing a flag.

I tried hard to debug this issue but I'm unable to understand how/why
groovyc ends up being called with --null flag. I stumbled upon this issue
because I need to upload a security fix for groovy but I'm unable to
build groovy in sid due to this issue.

Since you have worked upstream with libcommons-cli-java, I hope
not to bother you with this help request.

Thanks,

-- 
Miguel Landaeta, nomadium at debian.org
secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key.
Faith means not wanting to know what is true. -- Nietzsche

