Bug 226851 - www/py-bleach: Update to 2.1.3
Summary: www/py-bleach: Update to 2.1.3
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
--- Affects Some People
Assignee: Kubilay Kocak
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2018-03-22 16:38 UTC by Mikhail Teterin
Modified: 2018-07-27 13:38 UTC (History)
4 users

See Also:
koobs: maintainer-feedback+
koobs: merge-quarterly?


Attachments
Update the bleach version (771 bytes, patch)
2018-03-22 16:38 UTC, Mikhail Teterin
koobs: maintainer-approval? (ports-secteam)

Description Mikhail Teterin freebsd_committer 2018-03-22 16:38:11 UTC
Created attachment 191740
Update the bleach version

The latest available version is 2.1.3 at this time...

The patch itself is trivial, but I'm confused about additional packages -- like "pluggy" and "attrs" -- downloaded (using pip) by the test-target.

Does this mean, these need to be added to BUILD_ or TEST_DEPENDS?
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2018-03-28 03:49:13 UTC
(In reply to Mikhail Teterin from comment #0)

Yep, TEST_DEPENDS should reflect test requirements.

Any python packages required by the test target (via setup.py:tests_require) that aren't satisfied by the system site-packages are downloaded and installed by setuptools, into WRKDIR, for use by the package's test harness/framework/suite.

In most cases TEST_DEPENDS are all in the ports tree. If they're not they can/should be added.

It's 'OK' *for now* if they're not in the tree, but this will eventually become an issue with automated test runs by poudriere/package builders not being able to run them and automate QA, so it's better if we get them running without requiring remote downloads before that time comes.

Regarding this change, dependent ports should be checked for version compatibility (requiring < 2.* in particular in their setup.py requirements), otherwise they will fail at run time only (not be identified in build/package QA).

Beside the above checks, I'm happy to accept this change for commit if the test suite passes, along with standard (poudriere/portlint) QA checks passing.

P.S. This is why I recommend explicit and exact *_DEPENDS versioning (matching setup.py) as good as we can get it given the syntax we have to use. It makes dependency QA/assessment much easier than searching for requirements files/lines in python sources.
Comment 2 Sascha Biberhofer 2018-05-11 19:20:36 UTC
Is there any way I can help to speed this process along? The current version of matrix/synapse depends on this port (synapse uses this package when sending email notifications), but this version is completely broken as the html5lib version in ports has removed features required by the package.

Without an upgraded version of this package, synapse can't send notifications. :/
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2018-05-12 07:52:37 UTC
Sorry Mikhail, this port just requires a little more thorough testing, in particular reverse dependencies. I'm on it
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2018-05-15 06:28:36 UTC
It turns out the pluggy, attrs et al. test requirements were due to upstream switching from nose to pytest (which installs these packages).

Looking at existing reverse dependencies, py-tensorflow is currently marked BROKEN, and py-nbconvert uses an unqualified (without version specification) 'bleach' dependency and passes QA (poudriere, build/pkg only, not runtime) after the bleach update.

The bleach changelog doesn't appear to introduce backwards incompatible changes that haven't (or don't) already create dependency issues due to the html5lib port already being > 0.99*

bleach passes its test suite: 250 passed, 2 xfailed in 1.20 seconds
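A reverse-dependency version check along the lines described in comments 1 and 4, as an added example that is not part of this bug, the commit or the ports tree: a stdlib-only script that tests each dependent port's setup.py requirement clause for bleach against the candidate version, flagging unqualified requirements (which build/package QA cannot catch) and requirements such as `<2` that would only fail at run time. The requirement strings are constructed sample data, not the real setup.py contents of the named ports, and only plain release versions (no pre-release suffixes) are handled.

```python
import re
# Constructed sample data (not the real setup.py of the named ports): reverse
# dependency port -> the bleach requirement line it declares in install_requires.
REVERSE_DEPS = {
    "py-nbconvert": "bleach",               # unqualified: build QA cannot catch a break
    "py-example-pinned": "bleach<2",        # would fail only at run time after the bump
    "py-example-ranged": "bleach>=1.4,<3",  # compatible with 2.1.3
}

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(.*)$")
_CLAUSE_RE = re.compile(r"^(==|!=|<=|>=|<|>)\s*([0-9][0-9.]*(?:\.\*)?)$")

def _release(version):
    """Plain release version ('2.1.3') -> tuple of ints; pre-releases are out of scope."""
    return tuple(int(p) for p in version.split("."))

def clause_allows(clause, version):
    """Does one specifier clause such as '<2' or '==2.*' accept `version`?"""
    m = _CLAUSE_RE.match(clause.strip())
    if not m:
        raise ValueError("unsupported specifier clause: %r" % clause)
    op, spec = m.groups()
    v = _release(version)
    if spec.endswith(".*"):  # prefix match; PEP 440 allows it only with == and !=
        if op not in ("==", "!="):
            raise ValueError("wildcard is only valid with == or !=: %r" % clause)
        prefix = _release(spec[:-2])
        return (v[:len(prefix)] == prefix) == (op == "==")
    s = _release(spec)
    n = max(len(v), len(s))  # zero-pad so that 2 compares equal to 2.0.0
    v, s = v + (0,) * (n - len(v)), s + (0,) * (n - len(s))
    return {"==": v == s, "!=": v != s, "<": v < s, "<=": v <= s,
            ">": v > s, ">=": v >= s}[op]

def check_requirement(req, new_version):
    """Classify one requirement line: 'unqualified', 'ok' or 'broken' for new_version."""
    name, specs = _REQ_RE.match(req).groups()
    specs = specs.strip()
    if not specs:
        return name, "unqualified"
    ok = all(clause_allows(c, new_version) for c in specs.split(","))
    return name, "ok" if ok else "broken"

def audit(reverse_deps, new_version):
    """Map each reverse dependency port to its verdict for the candidate version."""
    return {port: check_requirement(req, new_version)[1]
            for port, req in reverse_deps.items()}
```

Running `audit(REVERSE_DEPS, "2.1.3")` gives the ports to test by hand (unqualified) and the ones that need a version bump of their own (broken) before the update is committed.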
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2018-05-15 06:31:14 UTC
There are additionally at least two security-related bugfixes in 2.x:

https://github.com/mozilla/bleach/blob/v2.1.3/CHANGES

This will need to be MFH'd
Comment 6 commit-hook freebsd_committer 2018-05-15 06:48:41 UTC
A commit references this bug:

Author: koobs
Date: Tue May 15 06:48:19 UTC 2018
New revision: 469993
URL: https://svnweb.freebsd.org/changeset/ports/469993

Log:
  www/py-bleach: Update to 2.1.3 [1]

  - Update TEST_DEPENDS (upstream switched from nose -> pytest)

  This version also fixes notifications in the existing version of
  net-im/py-matrix-synapse. [2]

  Changelog:

    https://github.com/mozilla/bleach/blob/v2.1.3/CHANGES

  PR:		226851 [1][2]
  Submitted by:	mi
  MFH:		2018Q2

Changes:
  head/www/py-bleach/Makefile
  head/www/py-bleach/distinfo
Comment 7 commit-hook freebsd_committer 2018-07-27 13:37:31 UTC
A commit references this bug:

Author: swills
Date: Fri Jul 27 13:37:28 UTC 2018
New revision: 475440
URL: https://svnweb.freebsd.org/changeset/ports/475440

Log:
  security/vuxml: document py-bleach issue

  PR:		226851

Changes:
  head/security/vuxml/vuln.xml
Comment 8 Steve Wills freebsd_committer 2018-07-27 13:38:20 UTC
VuXML entry created, no merge needed since a new quarterly branch was created in the meantime. Closing.