On Wed, 19 May 2021 22:12:59 +0200 Paul Gevers <elb...@debian.org> wrote:
> Hi,
>
> On Sat, 15 May 2021 11:18:31 +0000 Debian FTP Masters
> <ftpmas...@ftp-master.debian.org> wrote:
> >  rails (2:6.0.3.7+dfsg-1) unstable; urgency=high
> >  .
> >    * Upload to unstable directly.
> >    * New upstream version 6.0.3.7+dfsg. (Closes: #988214)
> >      - Prevent slow regex when parsing host authorization header.
> >        (Fixed: CVE-2021-22904)
> >      - Prevent catastrophic backtracking during mime parsing.
> >        (Fixes: CVE-2021-22902)
> >      - Prevent string polymorphic route arguments.
> >        (Fixes: CVE-2021-22885)
>
> This new rails version renewed its versioned dependency on ruby-marcel.
> The new ruby-marcel version doesn't look like a targeted fix, so it
> doesn't fit the freeze policy. If I read the changelog correctly, this
> dependency is there to give rails a more relaxed license. I think such a
> change is not really needed at this stage of the freeze, does rails
> still work with the old version of ruby-marcel and can the version bump
> be reverted?
>
> Paul
>

The only reverse dependency on ruby-marcel is rails.

pravi@ilvala2:~$ reverse-depends ruby-marcel
Reverse-Depends
* ruby-activestorage

Packages without architectures listed are reverse-dependencies in: all, amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x
pravi@ilvala2:~$ reverse-depends -b ruby-marcel
Reverse-Build-Depends
* rails

So I think the possible impact of this bump is limited to rails itself, and going back to the older version is more work and long-term maintenance diverging from upstream. Would it be possible to give an exception for ruby-marcel?
