proposed-migration for ruby-rackup 0.2.2-1, ruby-rack 3.0.0-1

Bug #2023576 reported by Steve Langasek
Affects | Status | Importance | Assigned to | Milestone
ruby-rack (Debian) | Fix Released | Unknown | |
ruby-rack (Ubuntu) | Fix Committed | Undecided | Lucas Kanashiro |
ruby-rack-session (Ubuntu) | Fix Committed | Undecided | Unassigned |
ruby-rackup (Ubuntu) | Fix Committed | Undecided | Unassigned |

Bug Description

ruby-rackup 0.2.2-1 is stuck in -proposed.

It build-depends on ruby-rack (>= 3.0) from Debian experimental. However, ruby-rack itself is FTBFS in mantic.

  1) Error:
Rack::MockResponse#test_0005_provides access to persistent cookies set with max-age:
ArgumentError: invalid domain: ".test.com"
    /usr/lib/ruby/3.1.0/cgi/cookie.rb:128:in `domain='
    /usr/lib/ruby/3.1.0/cgi/cookie.rb:95:in `initialize'

Reproducible with a network-connected system, so it's not an issue with launchpad blocking network access.

Steve Langasek (vorlon)
Changed in ruby-rackup (Ubuntu):
assignee: nobody → Steve Langasek (vorlon)
Steve Langasek (vorlon)
description: updated
Changed in ruby-rackup (Ubuntu):
assignee: Steve Langasek (vorlon) → nobody
Steve Langasek (vorlon)
Changed in ruby-rack (Ubuntu):
assignee: nobody → Steve Langasek (vorlon)
description: updated
Steve Langasek (vorlon) wrote:

https://buildd.debian.org/status/fetch.php?pkg=ruby-rack&arch=all&ver=3.0.0-1&stamp=1668029150&raw=0 shows ruby-rack 3.0.0-1 in experimental building with libruby3.1 amd64 3.1.2-3. We currently have libruby3.1 3.1.2-7. The changelog for libruby3.1 shows:

ruby3.1 (3.1.2-7) unstable; urgency=medium

  * Upload to unstable

 -- Antonio Terceiro <email address hidden> Sat, 25 Mar 2023 14:20:34 -0300

ruby3.1 (3.1.2-7~exp) experimental; urgency=medium

  * Update openssl extension to to 3.0.1 (Closes: #1032070)

 -- Antonio Terceiro <email address hidden> Sun, 05 Mar 2023 17:13:36 -0300

ruby3.1 (3.1.2-6) unstable; urgency=medium

  * Add missing dependencies for pkg-config test

 -- Antonio Terceiro <email address hidden> Thu, 26 Jan 2023 09:34:07 -0300

ruby3.1 (3.1.2-5) unstable; urgency=medium

  * Add autopkgtest to test pkg_config
  * Add build dependency on pkg-config from pkgconf.
    The absence of this build dependency made the check for whether
    pkg-config works fail (because it was not there) at the ./configure
    stage, making RbConfig::CONFIG["PKG_CONFIG"] empty, and therefore broke
    the usage of pkg_config() in extconf.rb scripts.
    This was noticed by Lucas Kanashiro (thanks!) in Ubuntu while rebuilding
    all Ruby packages to add ruby3.1 support, where ruby-augeas and
    ruby-libvirt failed to build.

 -- Antonio Terceiro <email address hidden> Wed, 25 Jan 2023 14:46:18 -0300

ruby3.1 (3.1.2-4) unstable; urgency=medium

  * Replace cross pkg-config patch with patches applied upstream
  * Apply upstream patch to fix TZ tests (Closes: #1028890)
  * Drop exclude for TestTimeTZ, not needed anymore
  * debian/libruby3.1.symbols: fix version of rb_gc_ractor_newobj_cache_clear
  * debian/tests/builtin-extensions: also require libraries
  * Add upstream patch to upgrade CGI extension to 0.3.5.
    This fixes an HTTP response splitting vulnerability in CGI [CVE-2021-33621]
    (Closes: #1024799)

 -- Antonio Terceiro <email address hidden> Sun, 15 Jan 2023 08:27:59 -0300

The same build failure is reproducible in Debian sid.

Also it turns out this is Debian bug #1030442 which has been fixed in the unstable version of ruby-rack but not the experimental version.
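
An added illustration, not part of the bug report and not the cgi library's code: one way a response-splitting guard on the cookie domain can also reject the legacy leading-dot form that the failing test passes in. The two patterns, the helper names and the sample inputs are assumptions made for this example.

```ruby
# Added illustration; these patterns are assumptions, not the cgi gem's source.
# A hostname is dot-separated labels of letters, digits and hyphens, and no
# label may start or end with a hyphen.
LABEL = /(?!-)[-A-Za-z0-9]+(?<!-)/
STRICT_DOMAIN  = /\A#{LABEL}(?:\.#{LABEL})*\z/     # leading dot not allowed
RELAXED_DOMAIN = /\A\.?#{LABEL}(?:\.#{LABEL})*\z/  # legacy ".example" form allowed

# Build a Set-Cookie header value, refusing any domain the pattern rejects.
# \A and \z anchor the whole string, so a trailing newline is not tolerated.
def set_cookie(name, value, domain, pattern)
  unless domain.match?(pattern)
    raise ArgumentError, "invalid domain: #{domain.inspect}"
  end
  "#{name}=#{value}; domain=#{domain}"
end

# Returns :accepted or :rejected for one domain under one pattern.
def verdict(domain, pattern)
  set_cookie("session", "abc", domain, pattern)
  :accepted
rescue ArgumentError
  :rejected
end

# Constructed sample inputs.
SAMPLES = [
  "test.com",                            # plain hostname
  ".test.com",                           # leading-dot form from the failing test
  "test.com\r\nSet-Cookie: injected=1"   # CR/LF that would split the response
].freeze

# One row per sample: [domain, strict verdict, relaxed verdict].
def report
  SAMPLES.map { |d| [d, verdict(d, STRICT_DOMAIN), verdict(d, RELAXED_DOMAIN)] }
end

if __FILE__ == $PROGRAM_NAME
  report.each do |domain, strict, relaxed|
    puts "#{domain.inspect}: strict=#{strict} relaxed=#{relaxed}"
  end
end
```

Both patterns stop the CR/LF input; only the strict one turns a test fixture such as ".test.com" into an ArgumentError.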

Steve Langasek (vorlon)
Changed in ruby-rack (Ubuntu):
status: New → Fix Committed
summary: - proposed-migration for ruby-rackup 0.2.2-1
+ proposed-migration for ruby-rackup 0.2.2-1, ruby-rack 3.0.0-1
Changed in ruby-rackup (Ubuntu):
status: New → Fix Committed
Changed in ruby-rack-session (Ubuntu):
status: New → Fix Committed
Changed in ruby-rack (Debian):
status: Unknown → Fix Released
Lucas Kanashiro (lucaskanashiro) wrote:

Last time I checked the status of ruby-rack version 3, there were some reverse dependencies that are not yet ready to move to version 3. I want to make sure everything is fine to let it migrate to the release pocket.

tags: added: block-proposed
Steve Langasek (vorlon)
Changed in ruby-rack (Ubuntu):
assignee: Steve Langasek (vorlon) → Lucas Kanashiro (lucaskanashiro)
Lucas Kanashiro (lucaskanashiro) wrote:

After checking the reverse dependencies, some of them still do not support ruby-rack version 3 upstream, and the ones that do require some major version bumps. Since there is nothing not tracked in the excuses page entry, and it will not migrate without fixing the issues, I am removing the block-proposed tag.

tags: removed: block-proposed