Merge git 1:2.15.1-3 (main) from Debian unstable (main)

Bug #1729075 reported by Jonathan Nieder
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
git (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

Ubuntu's git package is unnecessarily forked from Debian. As a result, the package is out of date. Please merge with Debian.

Jonathan Nieder (jrnieder) wrote :

Ubuntu changelog:

> * Build against pcre v3 only, as that is the only one in
> main. Non-deterministic builds w.r.t. library ABI dependencies are
> bad.

Please feel free to file a bug at https://bugs.debian.org/src:git with more details. Library ABI dependencies depending on the development packages built against is completely normal: it is what happens whenever a library has a soname bump.

> * debian/rules: s390x libpcre3 library has JIT disabled, set
> NO_LIBPCRE1_JIT on that arch to stop the build from failing.

Where can I read more about this bug? Has it been reported upstream?

> * debian/patches/git-branch-fix-regressions.patch: Fix branch renaming
> not updating HEADs correctly. Thanks to Nguyễn Thái Ngọc Duy
> <email address hidden>. Closes LP: #1712694.

Fixed by v2.15.0-rc0~104^2 (branch: fix branch renaming not updating HEADs correctly, 2017-08-24), which is part of 1:2.15.0-1.

> * SECURITY UPDATE: Git cvsserver OS Command Injection (LP: #1719740)
> - shell-drop-git-cvsserver-support-by-default.diff
> - cvsserver-use-safe_pipe_capture.diff
> - cvsimport-shell-quote-variable-used-in-backticks.diff
> - archimport-use-safe_pipe_capture-for-user-input.diff
> - CVE-2017-14867

Fixed by v2.10.5~3 (Merge branch 'jc/cvsserver', 2017-09-22), which is part of 1:2.15.0-1.

Anders Kaseorg (andersk) wrote :

I believe the issue that caused the fork is that pcre3 is in main, while the (newer*) pcre2 is only in universe. Since git is in main, it’s only allowed to depend on libraries in main. The next thing that needs to happen, then, is https://wiki.ubuntu.com/MainInclusionProcess for pcre2.

(* As you are aware, pcre3 is misnamed: it’s actually the original version of pcre that preceded pcre2.)

Jonathan Nieder (jrnieder) wrote :

Thanks. https://bugs.launchpad.net/ubuntu/+source/pcre2/+bug/1636666 is open for that.

Is there e.g. a build log illustrating why the

 libpcre2-dev | libpcre3-dev,

in Build-Depends is not working? Would using build profiles to select the pcre version help Ubuntu to avoid having to fork?

Anders Kaseorg (andersk) wrote :

My understanding is that dependency resolution on the build server is unaware of the universe vs. main distinction. 2.14.0-1 was successfully built in artful-proposed (https://launchpad.net/ubuntu/+source/git/1:2.14.0-1), but was then blocked upon migration to artful by some separate check. I’m not really clear on the details.

Jonathan Nieder (jrnieder) wrote :

> My understanding is that dependency resolution on the build server is unaware of the universe vs.
> main distinction. 2.14.0-1 was successfully built in artful-proposed
> (https://launchpad.net/ubuntu/+source/git/1:2.14.0-1), but was then blocked upon migration to
> artful by some separate check. I’m not really clear on the details.

Thanks. That makes sense.

That means (until https://bugs.launchpad.net/ubuntu/+source/pcre2/+bug/1636666 is fixed) that this comes down to wanting a way to request different Build-Depends for Ubuntu versus Debian. I'd be happy to do that using build profiles if there is a profile that Ubuntu builds with, for example.

tags: added: upgrade-software-version
Jeremy Bícha (jbicha)
Changed in git (Ubuntu):
status: New → Invalid
status: Invalid → Triaged
summary: - Sync git 1:2.15.0-1 (main) from Debian unstable (main)
+ Merge git 1:2.15.0-1 (main) from Debian unstable (main)
description: updated
Jeremy Bícha (jbicha) wrote : Re: Merge git 1:2.15.0-1 (main) from Debian unstable (main)

Ubuntu doesn't use a build profile like that. If you think that's important, you could try filing a bug against Launchpad and it will get triaged or reassigned as needed.

I'm renaming this bug since a sync is not appropriate. Some other comments:

1. Please consider using 'requestsync' from the ubuntu-dev-tools package to make filing the appropriate bug easier next time.

2. Ubuntu 18.04 development only opened a few days ago and autosyncs only started a few hours ago (and the autopkgtest queue is backed up for a few days). So there really isn't much of a delay caused by there being an Ubuntu-specific delta yet.

Jonathan Nieder (jrnieder) wrote :

Ping. Any changes you're waiting for in the Debian package before merging?

Dimitri John Ledkov (xnox) wrote :

> Is there e.g. a build log illustrating why the
>
> libpcre2-dev | libpcre3-dev,

Since archive reorg, both are available in Ubuntu during build, and the first one that is available is picked, as in currently Ubuntu would prefer reverse ordering of these "libpcre3-dev | libpcre2-dev".

However, none of this matters much long term. In Ubuntu we simply do not want to ship both pcre libraries in main. Have all of the below transitioned to the new pcre?

$ reverse-depends -b -c main src:pcre3
Reverse-Build-Depends
=====================
* aide (for libpcre3-dev)
* android-tools (for libpcre3-dev)
* apache2 (for libpcre3-dev)
* apr-util (for libpcre3-dev)
* clamav (for libpcre3-dev)
* exim4 (for libpcre3-dev)
* freeradius (for libpcre3-dev)
* git (for libpcre3-dev)
* glib2.0 (for libpcre3-dev)
* grep (for libpcre3-dev)
* haproxy (for libpcre3-dev)
* libpam-mount (for libpcre3-dev)
* libselinux (for libpcre3-dev)
* nginx (for libpcre3-dev)
* nmap (for libpcre3-dev)
* php7.1 (for libpcre3-dev)
* postfix (for libpcre3-dev)
* python-pyscss (for libpcre3-dev)
* qtbase-opensource-src (for libpcre3-dev)
* quagga (for libpcre3-dev)
* rasqal (for libpcre3-dev)
* slang2 (for libpcre3-dev)
* sssd (for libpcre3-dev)
* wget (for libpcre3-dev)
* zsh (for libpcre3-dev)

If yes, we can promote pcre2 to main; do transition; and demote pcre3 to universe.
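
Added example (not part of any comment in this thread, and not Launchpad or Debian code): a small model of the behaviour described above, where the builder picks the first available Build-Depends alternative regardless of component and a separate check then rejects a main package that used a universe library. The `COMPONENT` map and all function names are hypothetical; the component assignments follow the thread's statement that pcre3 is in main and pcre2 in universe.

```python
import re

# Constructed archive snapshot (assumption): component of each binary package,
# following the thread's statement that pcre3 is in main and pcre2 in universe.
COMPONENT = {
    "libpcre3-dev": "main",
    "libpcre2-dev": "universe",
    "zlib1g-dev": "main",
}

def parse_build_depends(field):
    """Split a Build-Depends value into clauses; each clause is a list of
    alternative package names with version/arch/profile qualifiers removed."""
    clauses = []
    for clause in field.split(","):
        alts = []
        for alt in clause.split("|"):
            name = re.sub(r"\(.*?\)|\[.*?\]|<.*?>", "", alt).strip()
            name = name.split(":")[0]  # drop ":any" / ":native"
            if name:
                alts.append(name)
        if alts:
            clauses.append(alts)
    return clauses

def resolve(clauses, available):
    """Builder model from the thread: take the first available alternative,
    with no regard to archive component."""
    chosen = []
    for alts in clauses:
        pick = next((p for p in alts if p in available), None)
        if pick is None:
            raise LookupError("unsatisfiable: " + " | ".join(alts))
        chosen.append(pick)
    return chosen

def component_mismatches(source_component, chosen, component=COMPONENT):
    """Separate check: a package in main may only use packages in main."""
    if source_component != "main":
        return []
    return [p for p in chosen if component.get(p) != "main"]

def audit(field, source_component="main"):
    chosen = resolve(parse_build_depends(field), set(COMPONENT))
    return chosen, component_mismatches(source_component, chosen)

if __name__ == "__main__":
    for bd in ("zlib1g-dev, libpcre2-dev | libpcre3-dev",
               "zlib1g-dev, libpcre3-dev | libpcre2-dev"):
        print(bd, "->", audit(bd))
```

With Debian's ordering the build succeeds but the mismatch list names libpcre2-dev; with the reversed ordering the list is empty.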

Jonathan Nieder (jrnieder) wrote :

@xnox: your comment is probably a better fit for https://bugs.launchpad.net/ubuntu/+source/pcre2/+bug/1636666. This bug is about git being out of date in bionic and appears to be fixed by https://bugs.launchpad.net/ubuntu/+source/git/1:2.15.1-1ubuntu1.

summary: - Merge git 1:2.15.0-1 (main) from Debian unstable (main)
+ Merge git 1:2.15.1-2 (main) from Debian unstable (main)
summary: - Merge git 1:2.15.1-2 (main) from Debian unstable (main)
+ Merge git 1:2.15.1-3 (main) from Debian unstable (main)
Jonathan Nieder (jrnieder) wrote :

Ping. Is there anything blocking this merge?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package git - 1:2.15.1-1ubuntu2

---------------
git (1:2.15.1-1ubuntu2) bionic; urgency=medium

  * debian/gitweb.apache2: use lynx instead of the deprecated transitional
    lynx-cur package.

 -- Łukasz 'sil2100' Zemczak <email address hidden> Thu, 14 Dec 2017 19:51:49 +0100

Changed in git (Ubuntu):
status: Triaged → Fix Released