Bug 256387 - lang/tauthon: Update to 2.8.3
Summary: lang/tauthon: Update to 2.8.3
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Fernando Apesteguía
URL: https://github.com/naftaliharris/taut...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-06-02 17:24 UTC by Olivier Certner
Modified: 2021-06-04 14:04 UTC (History)

See Also:
fernape: merge-quarterly+


Attachments
Patch (by git format-patch) against the ports tree (11.85 KB, patch)
2021-06-02 17:24 UTC, Olivier Certner
no flags
Changes since 2.8.2 (4.53 KB, text/plain)
2021-06-04 08:03 UTC, Olivier Certner
olivier.freebsd: maintainer-approval+

Description Olivier Certner 2021-06-02 17:24:09 UTC
Created attachment 225502
Patch (by git format-patch) against the ports tree

Patch attached, please use `git am` to apply.
Comment 1 Bugzilla Automation freebsd_committer 2021-06-02 17:24:09 UTC
Maintainer informed via mail
Comment 2 Fernando Apesteguía freebsd_committer 2021-06-03 06:32:41 UTC
Hi Olivier,

This port has an expiration date that is due in 20 days. Are there any plans to prevent it from dying?
Comment 3 Olivier Certner 2021-06-03 16:11:51 UTC
Hi Fernando,

On my side, yes, I never considered Tauthon dead, and I've even contributed to it upstream.

On portmgr's side, I don't know at all. The last information I have is portmgr's public mail announcing deprecation ("Python 2.7 removal outline"). I'll just point out that python27 has an expiration date of 2020/12/31 but is still in the tree. Sure, no ports depend on Tauthon, since this was forbidden, so it's indeed technically trivial to remove it, whereas removing Python 2.7 would imply removing Chromium et al.

But I think this is irrelevant to the matter at hand. This new version of Tauthon fixes lots of security problems reported to Python 3.x, and as such should be imported before expiration, just for the fact that some people that want to use it will resurrect the port locally, so it's better they have the most recent version.

And yes, this also means that Tauthon is now more secure than Python 2.7, and even has fixes not yet in 3.x.
Comment 4 Mark Linimon freebsd_committer freebsd_triage 2021-06-03 18:38:21 UTC
(In reply to Olivier Certner from comment #3)
> I'll just point out that python27 has an expiration date of 2020/12/31 but is still in the tree.

My understanding was that this is because the FreeBSD.org infrastructure still has some dependencies on python27.

In part, this is what stirred the mailing list migration -- to get rid of (one of the?) last dependencies.
Comment 5 Fernando Apesteguía freebsd_committer 2021-06-04 07:52:36 UTC
Any ChangeLog we can use as a reference? I could not find one in GH.

Cheers
Comment 6 Olivier Certner 2021-06-04 08:03:23 UTC
Created attachment 225537
Changes since 2.8.2

Yes, the file Misc/NEWS.d/2.8.3.rst in the repo, which I'm attaching here. It contains the list of security fixes, and an incomplete list of new module aliases (3.x compat).
Comment 7 commit-hook freebsd_committer 2021-06-04 09:45:42 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a64c3e0ebe0c6b62e95e07d28eea2d0fad4525b8

commit a64c3e0ebe0c6b62e95e07d28eea2d0fad4525b8
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2021-06-04 09:38:47 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2021-06-04 09:38:47 +0000

    security/vuxml: Add CVE-2020-8492 for lang/tauthon

    PR: 256387
    Reported by:    olivier.freebsd@free.fr

 security/vuxml/vuln.xml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
Comment 8 commit-hook freebsd_committer 2021-06-04 09:46:44 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7d98dad380fae35c1a1f64e1b86c3488aef24d0f

commit 7d98dad380fae35c1a1f64e1b86c3488aef24d0f
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2021-06-04 07:47:40 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2021-06-04 09:42:15 +0000

    lang/tauthon: Update to 2.8.3

    ChangeLog: https://github.com/naftaliharris/tauthon/blob/master/Misc/NEWS.d/2.8.3.rst

    PR:     256387
    Reported by:    olivier.freebsd@free.fr (maintainer)
    Security:       CVE-2020-8492
    MFH:    2021Q2

 lang/tauthon/Makefile                             | 20 ++++----
 lang/tauthon/distinfo                             |  6 +--
 lang/tauthon/files/patch-setup.py                 |  2 +-
 lang/tauthon/files/patch-setup_metadata.py (gone) | 29 ------------
 lang/tauthon/pkg-plist                            | 58 +++++++++++++++++++----
 5 files changed, 64 insertions(+), 51 deletions(-)
Comment 9 commit-hook freebsd_committer 2021-06-04 10:13:52 UTC
A commit in branch 2021Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=96419941bedafbce043e6a9a834f575812187652

commit 96419941bedafbce043e6a9a834f575812187652
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2021-06-04 07:47:40 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2021-06-04 10:05:35 +0000

    lang/tauthon: Update to 2.8.3

    ChangeLog: https://github.com/naftaliharris/tauthon/blob/master/Misc/NEWS.d/2.8.3.rst

    PR:     256387
    Reported by:    olivier.freebsd@free.fr (maintainer)
    Security:       CVE-2020-8492
    MFH:    2021Q2

    (cherry picked from commit 7d98dad380fae35c1a1f64e1b86c3488aef24d0f)

 lang/tauthon/Makefile                             | 20 ++++----
 lang/tauthon/distinfo                             |  6 +--
 lang/tauthon/files/patch-setup.py                 |  2 +-
 lang/tauthon/files/patch-setup_metadata.py (gone) | 29 ------------
 lang/tauthon/pkg-plist                            | 58 +++++++++++++++++++----
 5 files changed, 64 insertions(+), 51 deletions(-)
Comment 10 Fernando Apesteguía freebsd_committer 2021-06-04 10:15:17 UTC
^Triage: Maintainer-feedback flag (+) not required unless requested (?) first

Committed,

Thanks!
Comment 11 Olivier Certner 2021-06-04 14:04:06 UTC
Thanks!