From: bugzilla-noreply@freebsd.org
To: python@FreeBSD.org
Subject: [Bug 275167] security/py-service-identity: merge duplicate of security/py-service_identity
Date: Wed, 07 Feb 2024 14:12:10 +0000
List-Id: FreeBSD-specific Python issues

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275167

--- Comment #22 from John Hein ---
I think this can be closed now. The old port was deprecated and is now gone.
Dependent ports have been updated to point to the new port.

Note that comment 20 has not been addressed - separate bug.

(In reply to Palle Girgensohn from comment #17)
First let me say that I understand the position to force ports to use a newer
version in some cases and started thinking along the same lines in this case
at first.

I came down on the side of deprecating the older version mainly for the
following reasons:

(1) I don't know the ramifications of moving to a new update for all the
affected ports. I took a look, but I realized I don't know enough. For
example, for some of the ports that specify service-identity as a dependency,
I don't see a direct dependency. Maybe the service-identity dependency should
just be removed for some of these ports. If so, that's more correct - even
better than globally updating their dependency to a newer version.

(2) There is ('was' now) indeed a run-time conflict between some of these
ports. But, to be honest, most of these ports are not critical ports for the
global ports tree. I'm sure they are important to some, but I'm saying they
are not globally critical. To me, this indicates that we don't have to act
without having a full understanding of the ramifications. py-twisted is pretty
important, and after some analysis, it seems that it can be updated to
service-identity 23.1.0. But I don't have the time to analyze all the affected
ports - at least not to a confidence level where I am comfortable with forcing
them all to a new dependency version.

(3) The maintainers of the affected ports should be able to evaluate and have
time to weigh in on updates for their port.
Doing global updates to ports without maintainer feedback should be done
sparingly unless the changes are obviously correct and necessary for the
greater good.

I fully understand why one would want to do the sweeping patch. But this
didn't seem to rise to that level of emergency. Allowing maintainers some time
to review seems reasonable. Build failures are much less problematic than
run-time failures - the latter is harder to debug. At the very least the
maintainers of the affected ports should be explicitly invited to review and
given time to evaluate.

Generally, regardless whether we go the "deprecate" route or the "update all
affected ports now" route, we should invite all the affected maintainers to
evaluate how changes will affect their port (including whether the port really
does need a direct dependency on service-identity).