Package: release.debian.org User: release.debian....@packages.debian.org Usertags: unblock Severity: normal
Please unblock package appstream This is currently a pre-approval request, as the changes - even though almost all of them are bugfixes - are larger, in a key package, and we're close to the final release. [ Reason ] AppStream has had two bugfix-only releases, and rather than backporting a lot of interdependent patches, I would much rather like to upload the 0.14.4 release as-a-whole. There are very few changes in there that are not bugfixes, and I consider those low-risk. As maintainer of the AppStream project upstream as well as in Debian, I have a good overview of what went into the code. Here's the individual changes made with explanations on why we want them in Debian for the release. I have stripped out all translation updates and documentation changes, as those will not change how the program works. * compose: Don't loop endlessly if external desktop l10n function is set This change is only relevant for Ubuntu, without it the Ubuntu AppStream metadata generator will loop endlessly. We still want this in Debian in case someone processes an Ubuntu archive on a Debian host, as it's a rather annoying issue to run into when processing metadata. * Never create a predictable dir in /tmp for caching AppStream in current bullseye may create /tmp/appstream, which wouldn't be an issue unless the program using it is run as root. Unfortunately we run `appstreamcli` as roo all the time as part of an apt update, so this may be a security issue with a predictable folder being created in /tmp with elevated privileges. * component: Don't strip ";" from keywords before translating them Again, only relevant for Ubuntu which translates desktop-entry files differently than Debian (but also won't affect Debian, only people who process Ubuntu archives on a Debian host) * utils: Don't strip modifiers when stripping encoding Previously we generated invalid YAML by creating multiple entries with the same value for YAML dicts, when stripping "ca.UTF-8" and "c...@valencia.utf-8" both to "ca". This fixes both the issue of modifiers being ignored by AppStream and the YAML corruption. * compose: Check optipng is there before we use it Fix for a rare configuration issue. * Improve text line wrapping, especially if many newlines are present We previously wrapped text output from `appstreamcli` on the terminal incorrectly of lists where contained within it, leading to weird-looking output. This is a cosmetic fix for human-readable CLI output (obviously doesn#t affect the tool's structured data output modes). * Make word-wrap function unicode-aware Same, wraps e.g. Japanese text correctly now on the console. * Make license_is_metadata_license parse more complex expressions This is a fix for an issue Debian developers reported upstream but which was actually a fault in appstream-compose. See https://gitlab.gnome.org/GNOME/evince/-/merge_requests/346 for an example. * Improve cache refresh code, don't flag cache as updated if update failed Kills a race condition, and also prevents AppStream from marking a cache as valid even though it wasn't. This appears mostly in cases where 3rd-party repositories are added which have broken data or data (Debian's archive never triggers this, unless something went wrong). * Use system cache even if we had to drop some invalid metadata This ties in with the fix from above and affects cases where 3rd-party repositories are used. Without this patch, software centers may load all data twice each run, leading to extreme startup times on slower devices. * Assign more string class members safely This is some API hardening that prevents crashes if an API user does something like `as_set_string_member (object, as_get_string_member (object))` where we'd get a segmentation fault. Generally good to have, even though I am not aware of any client triggering this. * Fix flashed firmware generating incorrect XML * Fix YAML having wrong names for the firmware data "flashed" and "runtime" firmware had wrong metadata in both XML and YAML, which resulted in them being ignored by some tools. This change fixes this and makes firmware work as specified. By uploading the 0.14.4 release, we'll also drag in a few features, here's an explanation for these: * qt: Expose setter and getter for pool cache location Just exposes some more API for Qt users and is otherwise inert. * utils: Use GLib's gstring_replace if available Just some cleanup in AppStream's utility code, which was required for the "ca@valencia" fix series. * its: Allow to mark release descriptions as non-translatable Allows upstream projects to mark release descriptions as non-translatable, but does nothing if not used explicitly (it's a one-line config change). * compose: Point people at the specification if metadata license is invalid This is an explanation string change, that does not have any functional impact. You can find the whole NEWS file with the documentation changes included upstream at https://github.com/ximion/appstream/blob/master/NEWS#L1-L48 All changes (including translation changes) are listed here: https://github.com/ximion/appstream/compare/v0.14.2...v0.14.4 [ Impact ] If the change isn't permitted, we ship AppStream with a bunch of known bugs. I would try to create a release with cherry-picked standalone fixes for the most severe issues, but fixing all would pretty much be equivalent to merging the whole release code (minus translations and doc fixes). The "ca@valencia" issue would be especially hard to address separately of the other changes on top of 0.14.2. [ Tests ] Some of this code has been tested in other distributions since March (everything that was part of the 0.14.3 release) without any reported issues. All newly added code also came with tests for AppStream's internal testsuite and works as expected. All of the changes are also already live on Debian's AppStream infrastructure (important so we don't ship with broken YAML data), so far with no issues. Ubuntu will likely also reprocess their data soon, and was using a version of AppStream with these patches for a while in a Snap for metadata generation. [ Risks ] This is a key package, so any new bugs we pull in will hurt. The riskiest part of this patchset is the "ca@valencia" bugfix, as that required some comparatively substantial code changes. It is, however, also a change that makes a lot of sense to have present in Debian 11, as it improves localization as well as resolving a YAML data corruption bug. All other changes are very limited in scope and very unlikely to cause any issues. Since the metadata generation part has received some extensive testing on our infrastructure, there is a low risk that there are issues with it. The client part has been autopkg-tested, unit-tested and tested locally by me, but the package could still be left in unstable for a longer period before migrating, to be sure everything is fine. Since AppStream is ubiquitous on desktop-Debian installations, any issues are usually found very quickly. [ Other info ] Packaging for the intended release is at https://salsa.debian.org/pkgutopia-team/appstream The package could also be uploaded to experimental for testing, if requested. I know this is quite a large chunk of stuff late in cycle, and I apologize for this, especially since many of the issues have been known for a while (but could only be fixed by us recently due to time constraints on my side). Let me know what you think! Cheers, Matthias unblock appstream/0.14.4-1
