| Field | Value |
|---|---|
| Summary | www/py-bleach: Update to 2.1.3 |
| Product | Ports & Packages |
| Reporter | Mikhail Teterin <mi> |
| Component | Individual Port(s) |
| Assignee | Kubilay Kocak <koobs> |
| Status | Closed FIXED |
| Severity | Affects Some People |
| CC | decke, ports-secteam, ports, swills |
| Priority | --- |
| Keywords | security |
| Version | Latest |
| Flags | koobs: maintainer-feedback+; koobs: merge-quarterly? |
| Hardware | Any |
| OS | Any |
| Attachments | 191740: Update the bleach version |
(In reply to Mikhail Teterin from comment #0)

Yep, TEST_DEPENDS should reflect test requirements. Any python packages required by the test target (via setup.py:tests_require) that aren't satisfied by the system site-packages are downloaded and installed by setuptools, into WRKDIR, for use by the package's test harness/framework/suite.

In most cases TEST_DEPENDS are all in the ports tree. If they're not they can/should be added. It's 'OK' *for now* if they're not in the tree, but this will eventually become an issue with automated test runs by poudriere/package builders not being able to run them and automate QA, so it's better if we get them running without requiring remote downloads before that time comes.

Regarding this change, dependent ports should be checked for version compatibility (requiring < 2.* in particular in their setup.py requirements), otherwise they will fail at run time only (not be identified in build/package QA).

Besides the above checks, I'm happy to accept this change for commit if the test suite passes, along with standard (poudriere/portlint) QA checks passing.

P.S. This is why I recommend explicit and exact *_DEPENDS versioning (matching setup.py) as good as we can get it given the syntax we have to use. It makes dependency QA/assessment much easier than searching for requirements files/lines in python sources.

Is there any way I can help to speed this process along? The current version of matrix/synapse depends on this port (synapse uses this package when sending email notifications), but this version is completely broken as the html5lib version in ports has removed features required by the package. Without an upgraded version of this package, synapse can't send notifications. :/

Sorry Mikhail, this port just requires a little more thorough testing, in particular reverse dependencies. I'm on it.

It turns out pluggy, attrs et al test requirements were due to upstream switching from nose to pytest (which installs these packages).

Looking at existing reverse dependencies, py-tensorflow is currently marked BROKEN, and py-nbconvert uses an unqualified (without version specification) 'bleach' dependency and passes QA (poudriere, build/pkg only, not runtime) after the bleach update.

The bleach changelog doesn't appear to introduce backwards incompatible changes that haven't (or don't) already create dependency issues due to the html5lib port already being > 0.99*

bleach passes its test suite: 250 passed, 2 xfailed in 1.20 seconds

There are additionally at least two security related bugfixes in 2.x: https://github.com/mozilla/bleach/blob/v2.1.3/CHANGES

This will need to be MFH'd

A commit references this bug:

Author: koobs
Date: Tue May 15 06:48:19 UTC 2018
New revision: 469993
URL: https://svnweb.freebsd.org/changeset/ports/469993

Log:
  www/py-bleach: Update to 2.1.3 [1]

  - Update TEST_DEPENDS (upstream switched from nose -> pytest)

  This version also fixes notifications in the existing version of net-im/py-matrix-synapse. [2]

  Changelog: https://github.com/mozilla/bleach/blob/v2.1.3/CHANGES

  PR: 226851 [1][2]
  Submitted by: mi
  MFH: 2018Q2

Changes:
  head/www/py-bleach/Makefile
  head/www/py-bleach/distinfo

A commit references this bug:

Author: swills
Date: Fri Jul 27 13:37:28 UTC 2018
New revision: 475440
URL: https://svnweb.freebsd.org/changeset/ports/475440

Log:
  security/vuxml: document py-bleach issue

  PR: 226851

Changes:
  head/security/vuxml/vuln.xml

VuXML entry created, no merge needed since new quarterly branch was created in the meantime. Closing.
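The reverse-dependency check described in the reply above (a consumer whose setup.py pins `bleach<2.*` passes build/package QA but breaks at run time after the update) can be automated. The script below is an added example written for this page; it is not part of the PR, the bleach project, or the FreeBSD ports framework. The consumer names and their requirement strings are constructed sample input, and the version matcher handles only the plain comparison operators (`==`, `!=`, `<`, `<=`, `>`, `>=`) on dotted numeric releases, not the full PEP 440 grammar; for real ports you would feed it the `install_requires` lines of the actual reverse dependencies.

```python
import re

# Version of bleach proposed in this PR (from the page).
CANDIDATE_VERSION = "2.1.3"

# Constructed sample: requirement strings as they would appear in the
# install_requires of ports that depend on bleach. The consumer names are
# hypothetical placeholders, not real ports.
SAMPLE_REQUIREMENTS = {
    "consumer-unqualified": "bleach",
    "consumer-needs-1x": "bleach<2.0",
    "consumer-range": "bleach>=1.4,<3",
    "consumer-exact": "bleach==1.5.0",
}

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$")
_SPEC_RE = re.compile(r"(==|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)")


def parse_version(text):
    """Turn '2.1.3' into (2, 1, 3). Only dotted numeric releases are handled;
    pre-release tags and other PEP 440 forms are out of scope here."""
    return tuple(int(part) for part in text.split("."))


def _compare(a, b):
    """Three-way compare two version tuples, padding the shorter one with
    zeros so that 1.5 == 1.5.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


_OPS = {
    "==": lambda c: c == 0,
    "!=": lambda c: c != 0,
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
}


def parse_requirement(line):
    """Split 'bleach>=1.4,<3' into ('bleach', [('>=', (1, 4)), ('<', (3,))])."""
    match = _REQ_RE.match(line)
    if not match:
        raise ValueError("unparseable requirement: %r" % line)
    name, spec_text = match.group(1), match.group(2)
    specs = [(op, parse_version(ver)) for op, ver in _SPEC_RE.findall(spec_text)]
    return name, specs


def satisfies(candidate, specs):
    """True if candidate meets every (operator, version) clause; an empty
    clause list (an unqualified dependency) accepts anything."""
    cand = parse_version(candidate)
    return all(_OPS[op](_compare(cand, ver)) for op, ver in specs)


def check_reverse_deps(candidate, requirements, package="bleach"):
    """Map each consumer to True (still satisfied) or False (would fail at
    run time after the update). Requirements on other packages are skipped."""
    result = {}
    for consumer, line in requirements.items():
        name, specs = parse_requirement(line)
        if name.lower() != package:
            continue
        result[consumer] = satisfies(candidate, specs)
    return result


if __name__ == "__main__":
    report = check_reverse_deps(CANDIDATE_VERSION, SAMPLE_REQUIREMENTS)
    for consumer, ok in sorted(report.items()):
        status = "ok" if ok else "INCOMPATIBLE with %s" % CANDIDATE_VERSION
        print("%-22s %s" % (consumer, status))
```

Run on the sample input it flags `consumer-needs-1x` and `consumer-exact` as incompatible with 2.1.3 while the unqualified and the ranged consumer pass, which is exactly the class of breakage that build-only QA (poudriere) cannot see.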
Created attachment 191740: Update the bleach version

The latest available version is 2.1.3 at this time... The patch itself is trivial, but I'm confused about additional packages -- like "pluggy" and "attrs" -- downloaded (using pip) by the test-target. Does this mean these need to be added to BUILD_ or TEST_DEPENDS?