Package: release.debian.org
Severity: normal
X-Debbugs-Cc: request-track...@packages.debian.org
Control: affects -1 + src:request-tracker5
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package request-tracker5

[ Reason ]
In previous major upgrades we have customised the UPGRADE instructions provided by upstream to refer to the paths we used in Debian. I realised yesterday that this hadn't been done for the 4.4 or the 5.0 instructions.

I have tailored the instructions for Debian now, and believe we should provide this to our users in trixie. While we also missed this for bookworm, it will be more important in trixie. We are dropping request-tracker4, so will be forcing our users to make the major upgrade to request-tracker5 in trixie.

[ Impact ]
The UPGRADE instructions will be more confusing as they may look for commands to run, or files to modify which aren't where the instructions tell them.

[ Tests ]
There are no code changes.

[ Risks ]
There are no code changes.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
I have made a couple of minor corrections to d/changelog and adjusted d/watch to ignore the upcoming RT 6 release.

unblock request-tracker5/5.0.7+dfsg-4
diff -Nru request-tracker5-5.0.7+dfsg/debian/changelog request-tracker5-5.0.7+dfsg/debian/changelog --- request-tracker5-5.0.7+dfsg/debian/changelog 2025-05-04 17:51:52.000000000 +1200 +++ request-tracker5-5.0.7+dfsg/debian/changelog 2025-05-21 20:43:14.000000000 +1200 @@ -1,9 +1,19 @@ +request-tracker5 (5.0.7+dfsg-4) unstable; urgency=high + + * Update d/watch to only look for versions that match 5.x.y as version 6 will + be handled by request-tracker6. + * Debianize the UPGRADING-4.4 and UPGRADING-5.0 instructions to use paths + etc that are used on Debian. + + -- Andrew Ruthven <and...@etc.gen.nz> Wed, 21 May 2025 20:43:14 +1200 + request-tracker5 (5.0.7+dfsg-3) unstable; urgency=high * Update Standards-Version to 4.7.2 (no changes). * Refresh d/copyright. * Add Catalan translation, thank you Carles Pina i Estany! - * Apply upstream patches which fix several security vulnerabilities. + * Apply upstream patches which fix several security vulnerabilities + (Closes: #1104422). - [CVE-2025-30087] Vulnerable to Cross Site Scripting via injection of malicious parameters in a search URL. - [CVE-2025-2545] RT uses the default OpenSSL cipher, 3DES (des3), for @@ -14,7 +24,7 @@ - [CVE-2025-31501] Vulnerable to Cross Site Scripting via JavaScript injection in an Asset name. - [CVE-2025-31500] Vulnerable to Cross Site Scripting via JavaScript - injection in an RT permalink. + injection in an RT permalink. -- Andrew Ruthven <and...@etc.gen.nz> Sun, 04 May 2025 17:51:52 +1200 diff -Nru request-tracker5-5.0.7+dfsg/debian/.git-dpm request-tracker5-5.0.7+dfsg/debian/.git-dpm --- request-tracker5-5.0.7+dfsg/debian/.git-dpm 2025-05-04 17:27:29.000000000 +1200 +++ request-tracker5-5.0.7+dfsg/debian/.git-dpm 2025-05-21 20:41:00.000000000 +1200 
@@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -9ae6226d9cede5339c007fac69da5c7c516d09c9 -9ae6226d9cede5339c007fac69da5c7c516d09c9 +dd4e7d0f705ba5173a61c7a674b3184a063b9c61 +dd4e7d0f705ba5173a61c7a674b3184a063b9c61 7ffdc76a3d7dde5bc3954f1c874ec200bdc3310a 7ffdc76a3d7dde5bc3954f1c874ec200bdc3310a request-tracker5_5.0.7+dfsg.orig.tar.gz diff -Nru request-tracker5-5.0.7+dfsg/debian/patches/debianize_UPGRADING-4.4.diff request-tracker5-5.0.7+dfsg/debian/patches/debianize_UPGRADING-4.4.diff --- request-tracker5-5.0.7+dfsg/debian/patches/debianize_UPGRADING-4.4.diff 1970-01-01 12:00:00.000000000 +1200 +++ request-tracker5-5.0.7+dfsg/debian/patches/debianize_UPGRADING-4.4.diff 2025-05-21 20:41:00.000000000 +1200 
@@ -0,0 +1,140 @@ +From dd4e7d0f705ba5173a61c7a674b3184a063b9c61 Mon Sep 17 00:00:00 2001 +From: Andrew Ruthven <and...@etc.gen.nz> +Date: Wed, 21 May 2025 20:38:16 +1200 +Subject: Debianize UPGRADING-4.4 + +Forwarded: not-needed +Patch-Name: debianize_UPGRADING-4.4.diff +--- + docs/UPGRADING-4.4 | 36 +++++++++++++++++++----------------- + 1 file changed, 19 insertions(+), 17 deletions(-) + +diff --git a/docs/UPGRADING-4.4 b/docs/UPGRADING-4.4 +index 575d4543..a3e26c8c 100644 +--- a/docs/UPGRADING-4.4 ++++ b/docs/UPGRADING-4.4 +@@ -22,7 +22,7 @@ L<RT::Authen::ExternalAuth::DBI> documentation. + Users of the existing + L<RT::Authen::ExternalAuth|https://metacpan.org/pod/RT::Authen::ExternalAuth> + extension should remove C<RT::Authen::ExternalAuth> from the plugins list. +-Please also remove F<local/plugins/RT-Authen-ExternalAuth> from your RT ++Please also remove F<RT-Authen-ExternalAuth> from your RT + installation. + + =item * +@@ -33,9 +33,9 @@ has been moved into core RT. + Users of the existing LDAPImport extension should remove + C<RT::Extension::LDAPImport> from the plugins list. Please adjust any + cronjobs or external scripts which invoke +-F<local/plugins/RT-Extension-LDAPImport/bin/rtldapimport> to instead +-invoke F<sbin/rt-ldapimport>. Please also remove +-F<local/plugins/RT-Extension-LDAPImport> from your RT installation. ++F<rtldapimport> to instead ++invoke F</usr/sbin/rt-ldapimport-5>. Please also remove ++F<RT-Extension-LDAPImport> from your RT installation. + + =item * + +@@ -54,9 +54,9 @@ visible. + Users who are currently using the + L<RT::Extension::Assets|https://bestpractical.com/assets/> extension + should remove C<RT::Extension::Assets> from the plugin list and run the +-F<etc/upgrade/upgrade-assets> utility after completing all the other ++F</usr/share/request-tracker5/etc/upgrade/upgrade-assets> utility after completing all the other + upgrade steps from the F<README>. 
Please also remove +-F<local/plugins/RT-Extension-Assets> from your RT installation. ++F<RT-Extension-Assets> from your RT installation. + + =item * + +@@ -74,7 +74,7 @@ the main RT code and database upgrade steps successfully: + + =item * Remove C<RT::Extension::SLA> from your plugin list in C<RT_SiteConfig.pm> + +-=item * Run the upgrade script F<etc/upgrade/upgrade-sla> ++=item * Run the upgrade script F</usr/share/request-tracker5/etc/upgrade/upgrade-sla> + + =item * Update the format of your C<%ServiceAgreements> configuration + +@@ -89,7 +89,7 @@ If you have a Business Hours configuration, update your configuration + in C<RT_SiteConfig.pm> with the same changes as described above for + C<%ServiceAgreements>. + +-=item * (Optional) Remove the directory F<local/plugins/RT-Extension-SLA> ++=item * (Optional) Remove the directory F<RT-Extension-SLA> + + You can remove this directory and all of its contents from your RT + installation to uninstall the previous extension code +@@ -112,8 +112,8 @@ L<RT::Extension::ExternalStorage|https://metacpan.org/pod/RT::Extension::Externa + should remove it from the plugin list. Please adjust any cronjobs or external + scripts which invoke + F<local/plugins/RT-Extension-ExternalStorage/bin/extract-attachments> +-to instead invoke F<sbin/rt-externalize-attachments>. Please also remove +-F<local/plugins/RT-Extension-ExternalStorage> from your RT installation. ++to instead invoke F</usr/sbin/rt-externalize-attachments-5>. Please also remove ++F<RT-Extension-ExternalStorage> from your RT installation. + + =item * + +@@ -137,7 +137,7 @@ introduced in 4.4.2. + Users who are currently using + L<RT::Extension::ParentTimeWorked|https://metacpan.org/pod/RT::Extension::ParentTimeWorked> + should remove it from the plugin list. Please also remove +-F<local/plugins/RT-Extension-ParentTimeWorked> from your RT installation. ++F<RT-Extension-ParentTimeWorked> from your RT installation. 
+ + =item * + +@@ -147,7 +147,7 @@ removed in favor of a built-in solution. + =item * + + You can now split settings from F<RT_SiteConfig.pm> into separate files under +-an F<etc/RT_SiteConfig.d/> directory. All files ending in C<.pm> will be ++an F</etc/request-tracker5/RT_SiteConfig.d/> directory. All files ending in C<.pm> will be + parsed, in alphabetical order, after the main F<RT_SiteConfig.pm> is loaded. + + You also no longer need the C<1;> at the end of site config files. +@@ -507,6 +507,8 @@ We now explicitly depend on the Pod::Select Perl module since it was removed + from the Perl core starting in 5.18. If you're on a recent version of Perl + you will most likely need to install this dependency. + ++This is installed on Debian when installing the request-tracker5 package. ++ + =item * + + We now automatically enable ExternalAuth when the ExternalSettings config is +@@ -599,7 +601,7 @@ RT now has the functionality from + L<RT::Extension::AdminConditionsAndActions> built in. Users who are + currently using this extension should remove it from the plugin list. + Please also remove +-F<local/plugins/RT-Extension-AdminConditionsAndActions> from your RT ++F<RT-Extension-AdminConditionsAndActions> from your RT + installation. + + =back +@@ -660,7 +662,7 @@ If you use groups in ticket roles, it's likely your CachedGroupMembers table + has a large number of now unnecessary records and these can hurt performance. + To delete these extra records run the following script: + +- /opt/rt4/etc/upgrade/shrink-cgm-table ++ /usr/share/request-tracker5/etc/upgrade/shrink-cgm-table + + Depending on how many records your system has, this may take a while to run. + After you run this, you may have significantly reduced the number of records +@@ -735,13 +737,13 @@ RT 4.4.6 and earlier use the Perl GraphViz module for interfacing with the graph + library for generating ticket link graphs. That module has been deprecated so + we have replaced it with the GraphViz2 module. 
+ +-Systems using C<--enable-graphviz> will be prompted to install the Perl +-GraphViz2 module when upgrading. ++This is installed on Debian when installing the request-tracker5 package. + + =item * MySQL 8 now supported + + Starting with RT 4.4.7, RT now supports MySQL 8. Note that as part of this upgrade +-you also need to update the module L<DBIx::SearchBuilder>. ++you also need to update the module L<DBIx::SearchBuilder>, which is provided by ++libdbix-searchbuilder-perl on Debian. + + =back + diff -Nru request-tracker5-5.0.7+dfsg/debian/patches/debianize_UPGRADING-5.0.diff request-tracker5-5.0.7+dfsg/debian/patches/debianize_UPGRADING-5.0.diff --- request-tracker5-5.0.7+dfsg/debian/patches/debianize_UPGRADING-5.0.diff 1970-01-01 12:00:00.000000000 +1200 +++ request-tracker5-5.0.7+dfsg/debian/patches/debianize_UPGRADING-5.0.diff 2025-05-21 20:41:00.000000000 +1200 
@@ -0,0 +1,114 @@ +From f5de3aebd09b261a65e913c94db557dc565a2745 Mon Sep 17 00:00:00 2001 +From: Andrew Ruthven <and...@etc.gen.nz> +Date: Wed, 21 May 2025 20:29:22 +1200 +Subject: Debianize UPGRADING-5.0 + +Forwarded: not-needed +Patch-Name: debianize_UPGRADING-5.0.diff +--- + docs/UPGRADING-5.0 | 44 +++++++++++++++++++++----------------------- + 1 file changed, 21 insertions(+), 23 deletions(-) + +diff --git a/docs/UPGRADING-5.0 b/docs/UPGRADING-5.0 +index a97eb7b3..041bfa1d 100644 +--- a/docs/UPGRADING-5.0 ++++ b/docs/UPGRADING-5.0 +@@ -12,23 +12,26 @@ extension writers, including deprecated code. + + =head2 Upgrading Recommendations + +-RT now defaults to a database name of rt5 and an installation root of +-/opt/rt5. ++RT now defaults to a database name of rt5. + + If you are upgrading, you will likely want to specify that your database is + still named rt4 or even rt3. Alternatively, you could import a backup of your + database as rt5 to conform to the new default, although this isn't required. + +-Upgrading to RT 5 over an existing RT 4 installation (/opt/rt4) is not +-recommended and will almost certainly cause issues. Instead, do a fresh +-install into /opt/rt5 (or your custom location) for the code portion of the +-upgrade. Then import your existing database and run the database upgrade +-steps using make upgrade-database. ++Upgrading to RT 5 over an existing RT 4 installation is not recommended and ++will almost certainly cause issues. In Debian installing RT 5 will install to ++new locations. + +-We recommend this approach because of the large number of changes to the code +-base for this major release. We moved some things to new locations and old +-files are not removed as part of the upgrade process. These old files will +-still be detected by RT in some cases and will cause issues. ++If you aren't using dbconfig to manage your database, refer to ++/usr/share/doc/request-tracker5/NEWS.Debian.gz for details on how to upgrade ++your database. 
You may want to copy it to a new database first. ++ ++We take the approach of installing to new locations to allow running RT 4 and ++RT 5 side-by-side on Debian and also because of the large number of changes to ++the code base for this major release. We moved some things to new locations and ++old files are not removed as part of the upgrade process. If RT 5 was installed ++over the top of RT 4 then these old files will still be detected by RT in some ++cases and will cause issues. + + Installing a fresh code base will also allow you to evaluate your local + modifications and configuration changes as you migrate to 5.0. If you have +@@ -123,11 +126,7 @@ the previous behavior. + + =item * + +-RT can now run with GnuPG 2.2. On install or upgrade, it requires the updated +-version of L<GnuPG::Interface>. C<make testdeps> will test for the correct version. +-RT should also still run with GnuPG 1.4.x. It is not supported for GnuPG versions +-2.0 or 2.1. On some Linux systems, you may need to add a new repo to get an +-updated GnuPG package with some version of 2.2. ++RT can now run with GnuPG 2.2 or 2.4. + + =item * + +@@ -175,7 +174,7 @@ are described below. + =item RT::Extension::ConfigInDatabase + + If you previously used L<RT::Extension::ConfigInDatabase> +-as an extension, run the F<etc/upgrade/upgrade-configurations> utility ++as an extension, run the F</usr/share/request-tracker5/etc/upgrade/upgrade-configurations> utility + after completing all the other upgrade steps from the F<README>. This + will migrate your existing configuration to the new core RT tables. + +@@ -226,7 +225,7 @@ options added for AssetSQL and the new asset query builder. 
+ =item RT::Authen::Token + + If you previously used L<RT::Authen::Token|https://metacpan.org/pod/RT::Authen::Token> +-as an extension, run the F<etc/upgrade/upgrade-authtokens> utility ++as an extension, run the F</usr/share/request-tracker5/etc/upgrade/upgrade-authtokens> utility + after completing all the other upgrade steps from the F<README>. This + will migrate your existing tokens to the new core RT tables. + +@@ -388,7 +387,7 @@ If you use groups in ticket roles, it's likely your CachedGroupMembers table + has a large number of now unnecessary records and these can hurt performance. + To delete these extra records run the following script: + +- /opt/rt5/etc/upgrade/shrink-cgm-table ++ /usr/share/request-tracker5/etc/upgrade/shrink-cgm-table + + Depending on how many records your system has, this may take a while to run. + After you run this, you may have significantly reduced the number of records +@@ -498,8 +497,7 @@ RT 4.4.6 and earlier use the Perl GraphViz module for interfacing with the graph + library for generating ticket link graphs. That module has been deprecated so + we have replaced it with the GraphViz2 module. + +-Systems using C<--enable-graphviz> will be prompted to install the Perl +-GraphViz2 module when upgrading. ++This is installed on Debian when installing the request-tracker5 package. + + =item * New C<$EmailDashboardInlineCSS> option for dashboard email + +@@ -511,8 +509,8 @@ CSS. We have found this reduces the size of the dashboard emails + significantly and can help with rendering in some email clients. + + To use this new feature, you must install the optional Perl module +-L<CSS::Inliner>, version 4018 or later, then enable the feature in +-your RT configuration. ++L<CSS::Inliner>, available on Debian as the libcss-inliner-perl package, then ++enable the feature in your RT configuration. 
+ + =item * ModifyLoginRedirect callback in Logout.html moved + diff -Nru request-tracker5-5.0.7+dfsg/debian/patches/series request-tracker5-5.0.7+dfsg/debian/patches/series --- request-tracker5-5.0.7+dfsg/debian/patches/series 2025-05-04 17:27:29.000000000 +1200 +++ request-tracker5-5.0.7+dfsg/debian/patches/series 2025-05-21 20:41:00.000000000 +1200 @@ -28,3 +28,5 @@ upstream_5.0.7_cve:_patchset_2025-04-08.diff upstream_5.0.7_cve:_patchset_2025-04-11.diff upstream_5.0.8_test_web:_patchset_2025-04-08.diff +debianize_UPGRADING-5.0.diff +debianize_UPGRADING-4.4.diff diff -Nru request-tracker5-5.0.7+dfsg/debian/watch request-tracker5-5.0.7+dfsg/debian/watch --- request-tracker5-5.0.7+dfsg/debian/watch 2025-05-04 17:27:28.000000000 +1200 +++ request-tracker5-5.0.7+dfsg/debian/watch 2025-05-21 20:40:59.000000000 +1200 @@ -1,9 +1,9 @@ version=4 opts="dversionmangle=s/\+dfsg//, pgpsigurlmangle=s/$/.asc/" \ - https://bestpractical.com/download-page .*/rt-(\d+\.\d+\.\d+)\.tar\.gz + https://bestpractical.com/download-page .*/rt-(5\.\d+\.\d+)\.tar\.gz # It seems that uscan gets confused and detects the parent directory, which # is why I had to use downloadurlmangle. opts="dversionmangle=s/\+dfsg//, pgpsigurlmangle=s/$/.asc/, component=third-party-source, \ downloadurlmangle=s%.*(/rt-*)%https://download.bestpractical.com/pub/rt/release/third-party-source$1%" \ - https://download.bestpractical.com/pub/rt/release/third-party-source .*/rt-(\d+\.\d+\.\d+)-third-party-source\.tar\.gz + https://download.bestpractical.com/pub/rt/release/third-party-source .*/rt-(5\.\d+\.\d+)-third-party-source\.tar\.gz
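Review bot: In debian/changelog, first hunk, "(Closes: #1104422)" is added to the already-dated 5.0.7+dfsg-3 entry, not to the new 5.0.7+dfsg-4 entry. The bug tracker only acts on Closes: tags in the changelog entries that end up in the upload's .changes file, which is normally just the newest entry unless the build passes -v to include older ones, so the bug may need closing by hand. The new entry also does not mention that the -3 entry was edited, and it carries urgency=high although the request states there are no code changes; consider adding a line such as "Correct the previous changelog entry" and checking whether high urgency is intended.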
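Review bot: In debianize_UPGRADING-4.4.diff, the hunks at -22, -33, -54, -89, -137 and -599 replace F<local/plugins/RT-Extension-...> with a bare F<RT-Extension-...>, which leaves sentences like "Please also remove F<RT-Extension-LDAPImport> from your RT installation" without any location to look in. The -33 hunk likewise turns the old script path into plain F<rtldapimport>, so a reader grepping cron jobs no longer sees what the old invocation looked like. Suggest naming the directory where locally installed plugins live on Debian instead of dropping the path, or saying explicitly that the directory name is relative to wherever the extension was installed.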
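Review bot: In debianize_UPGRADING-4.4.diff, hunk -112, the unchanged context line F<local/plugins/RT-Extension-ExternalStorage/bin/extract-attachments> still carries the upstream path while the two lines after it are debianized. That is inconsistent with the -33 hunk, where the equivalent LDAPImport script path was rewritten. Either treat both old script paths the same way or leave both as upstream wrote them, since they describe the pre-upgrade layout.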
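Review bot: In debianize_UPGRADING-4.4.diff, hunk -507, the added line "This is installed on Debian when installing the request-tracker5 package." directly follows the unchanged sentence "you will most likely need to install this dependency", so the paragraph now tells the reader both that they need to install Pod::Select and that it is already installed. Suggest replacing the upstream sentence rather than appending to it, and naming the module in the new sentence so "This" has a clear referent (the same applies to the GraphViz2 replacement in the -735 hunk and in UPGRADING-5.0 at -498).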
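Review bot: In debianize_UPGRADING-5.0.diff, hunk -12, the rewritten paragraph only covers the case "If you aren't using dbconfig to manage your database" and removes the upstream sentence about importing the database and running the upgrade steps, so a reader whose database is managed by dbconfig is not told what happens on upgrade. Suggest one sentence for the dbconfig case next to the NEWS.Debian.gz pointer. The retained paragraph above it still says "you will likely want to specify that your database is still named rt4 or even rt3" without saying where that is set on Debian, which may deserve the same treatment.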
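Review bot: In debianize_UPGRADING-5.0.diff, hunk -123, the replacement "RT can now run with GnuPG 2.2 or 2.4." introduces a 2.4 support statement that is not in the removed upstream text, and the patch header gives no source for it. It also drops the note that GnuPG 2.0 and 2.1 are not supported and that an updated L<GnuPG::Interface> is required. Suggest recording in the patch description where the 2.4 claim comes from (for example, testing in Debian) and stating that the packaged GnuPG::Interface satisfies the requirement, rather than removing the requirement silently.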
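Review bot: In debianize_UPGRADING-5.0.diff, hunk -511, the minimum version "version 4018 or later" for L<CSS::Inliner> is removed when the sentence is pointed at libcss-inliner-perl. A reader who has the module from another source, or a backporter, loses the constraint. Suggest keeping the version requirement and adding the package name alongside it, e.g. "L<CSS::Inliner>, version 4018 or later (libcss-inliner-perl on Debian)".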