Thus wrote Thomas Klausner (wiz%NetBSD.org@localhost):
> On Wed, Jul 13, 2011 at 09:59:55PM +0200, S.P.Zeidler wrote:
> > 5.837 is the last '5' version, the '6' versions have a bunch of modules
> > split out. I recently packaged these new modules, so that all dependencies
> > for p5-libwww-6.02 are already present.
> Are there conflicts between the separate packages and p5-libwww-5?
Good point, I added the respective lines to Makefiles.
> > Formally, p5-libwww-6.02 does not depend on p5-LWP-Protocol-https,
> > but p5-libwww-5.837 contained https capability. That's the reason it
> > reports as vulnerable in fact:
> > p5-libwww-5.837 wasn't too picky about the certs it got, i.e. it did
> > encryption but not really verification. p5-LWP-Protocol-https by default
> > checks the certificate, or fails if it can't when e.g. there is no CA cert
> > for the certificate in question. One can tell it to not verify by setting
> > the environment variable PERL_LWP_SSL_VERIFY_HOSTNAME to 0.
> > So, update p5-libwww? with or without p5-LWP-Protocol-https as package
> > dependency?
> I think we should not make it depend on p5-LWP-Protocol-https.
> If packages need the functionality, we can add the dependency there.
It's less a question of whether an entire package needs it than whether a user
of a package has configured their web services in a way that makes https
necessary, e.g. devel/rt3 does not need https, but rt.NetBSD.org does.
As such, you get a disruptive change, and adding an update message will
likely not catch problems like these since hardly anyone will be
installing p5-libwww on its own; it'll likely be a well-buried dependency.
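The verification behaviour discussed above can be pinned down in the application itself rather than left to the PERL_LWP_SSL_VERIFY_HOSTNAME environment variable. The script below is an added example for this archive, not code from the thread or from the libwww-perl project: it builds an LWP 6 user agent with verification switched on explicitly (ssl_opts is the LWP 6 API; the CA bundle path is a placeholder to be adjusted for the system), reports the effective setting, and shows how a missing CA certificate or hostname mismatch surfaces to the caller.

```perl
#!/usr/bin/perl
# Added example (not from the thread): make certificate verification in
# LWP 6 explicit instead of relying on PERL_LWP_SSL_VERIFY_HOSTNAME.
use strict;
use warnings;
use LWP::UserAgent;

# Placeholder path for the CA bundle; point it at the bundle your system
# actually installs (assumption: the file exists and is readable).
my $ca_file = '/etc/openssl/certs/ca-certificates.crt';

# Build a user agent. With $verify true, LWP checks both the certificate
# chain against $ca_file and that the hostname matches the certificate;
# with $verify false it behaves like p5-libwww-5.837 did: encryption only.
sub make_agent {
    my ($verify) = @_;
    my %opts = ( verify_hostname => $verify ? 1 : 0 );
    $opts{SSL_ca_file} = $ca_file if $verify;
    return LWP::UserAgent->new( ssl_opts => \%opts, timeout => 10 );
}

# Report the effective setting. LWP 6 consults PERL_LWP_SSL_VERIFY_HOSTNAME
# only when verify_hostname is not set in ssl_opts, so passing it explicitly
# above means an environment override of 0 no longer silently disables checks.
sub verification_status {
    my ($ua) = @_;
    my $v = $ua->ssl_opts('verify_hostname');
    return ( defined $v && $v )
        ? 'verifies certificate chain and hostname'
        : 'does NOT verify (encryption without authentication)';
}

my $url = shift @ARGV || 'https://example.org/';
my $ua  = make_agent(1);
print "agent $url: ", verification_status($ua), "\n";

my $res = $ua->get($url);
if ( $res->is_success ) {
    print "OK: ", $res->status_line, "\n";
}
else {
    # A certificate that cannot be verified (no CA cert for it, or a name
    # mismatch) does not raise an exception: LWP returns an internal 500
    # response whose status line carries the SSL error text, so callers
    # that only test is_success see it as a failed request.
    print "FAILED: ", $res->status_line, "\n";
}
```

Run as `perl check-https.pl https://rt.NetBSD.org/` to see what a service behind p5-libwww-6 plus p5-LWP-Protocol-https will experience: a server whose issuer is not in the CA bundle fails closed here, which is exactly the disruptive change the message above is worried about for well-buried dependencies. Leaving `verify_hostname` unset keeps the environment variable as the knob; setting it to 0 in code reproduces the old 5.837 behaviour and should be a deliberate, visible choice.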