On Sun, 11 Apr 2021 03:04:42 +0530 Utkarsh Gupta <utka...@debian.org> wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: debian-r...@lists.debian.org
>
> Hello,
>
> Upstream has recently released a bug-fix only release after a
> vulnerability, CVE-2021-28965, was discovered.
>
> Upstream release note:
> https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-7-3-released/
> Upstream git logs b/w 2.7.2 and 2.7.3:
> https://github.com/ruby/ruby/compare/v2_7_2...v2_7_3
>
> This is clearly a bug-fix only release and it'd be *really great* to
> have this included in Bullseye. (I'd be sad not to but..) I understand
> it's your call to make after analyzing so attaching the debdiff for
> your reference and help (snipping ChangeLog entries for noise
> reduction).
>
> Hopefully, it'd be OK to get this included and have an even nicer
> ruby2.7 for Bullseye. Thanks.
 99 files changed, 39552 insertions(+), 23134 deletions(-)

The debian diff looks very big because of 3 generated files: ChangeLog,
parse.c, and ext/ripper/ripper.c (the last two being bison/yacc
generated parsers). If you filter those out, the result is a lot more
palatable:

 96 files changed, 3761 insertions(+), 886 deletions(-)

Roughly 1/3 of the insertions are test cases:

 32 files changed, 1150 insertions(+), 97 deletions(-)

I have reviewed the upstream patches and compared the upstream diff
with the debian diff, and indeed all the changes are bug fixes. There
was one marked as a "Feature" in the commit message, but it was really
a followup to fix an inconsistency in a feature that has been added in
the 2.7 series already. It will cause formerly invalid syntax to be
valid, but won't break any currently working code.

I think the risk with this update is low, and releasing with the latest
available ruby bugfix release will make it easier to provide stable
support in bullseye.

Full disclosure: I am trying to get ruby into new hands, but I'm still
a comaintainer and care a lot about it, so I'm not an uninterested
party here.