[Bug 2024245] Re: [MIR] libhttp-cookiejar-perl
Steve Langasek
2024245 at bugs.launchpad.net
Thu Jul 20 20:25:02 UTC 2023
After closer review, I've noticed that libwww-perl itself still depends
on both libhttp-cookiejar-perl and libhttp-cookies-perl; and by default
it only uses libhttp-cookies-perl. And libhttp-cookiejar-perl is not
"safer" unless coupled with another perl module not currently packaged.
And it doesn't provide the same interfaces. So it is redundant and
should not be a runtime dependency of libwww-perl; uploaded to remove
the dep.
** Changed in: libhttp-cookiejar-perl (Ubuntu)
Status: Incomplete => Won't Fix
** Changed in: libwww-perl (Ubuntu)
Status: New => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is a bug assignee.
https://bugs.launchpad.net/bugs/2024245
Title:
[MIR] libhttp-cookiejar-perl
Status in libhttp-cookiejar-perl package in Ubuntu:
Won't Fix
Status in libwww-perl package in Ubuntu:
Fix Committed
Status in libwww-mechanize-perl package in Debian:
New
Bug description:
[Availability]
Architecture-all perl package present in Ubuntu since 2014. https://launchpad.net/ubuntu/+source/libhttp-cookiejar-perl
[Rationale]
Required by current libwww-perl in Debian. This duplicates / supersedes functionality already present in libhttp-cookies-perl, however libwww-perl describes libhttp-cookiejar-perl as "a safer cookie jar", "providing a better security model matching that of current Web browsers when Mozilla::PublicSuffix is installed".
libwww-mechanize-perl is also a reverse-dependency of libhttp-cookies-
perl in main and has not migrated to libhttp-cookiejar-perl yet in
Debian, so it doesn't appear we can do a straight swap of one source
package for the other at present.
[Security]
- No results on https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=HTTP%3A%3ACookiejar or https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=http-cookiejar
- only false positives on unrelated packages when searching site:www.openwall.com/lists/oss-security
- 0 results on https://ubuntu.com/security/cves?package=libhttp-cookiejar-perl
- 0 security issues on https://security-tracker.debian.org/tracker/source-package/libhttp-cookiejar-perl
Package does not ship any executables, it's a perl module; but by
definition it will be used to handle untrusted input from the
Internet.
[Quality assurance - maintenance]
No open bugs at https://bugs.launchpad.net/ubuntu/+source/libhttp-cookiejar-perl or https://bugs.debian.org/src:libhttp-cookiejar-perl.
Single wishlist bug open at https://github.com/dagolden/HTTP-CookieJar/issues.
[Quality assurance - testing]
upstream tests are run via autodep8 and at package build time and pass on all archs https://autopkgtest.ubuntu.com/packages/libhttp-cookiejar-perl/mantic/amd64
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- The package will be installed by default, but does not ask debconf
questions
- Packaging and build is easy; trivial dh debian/rules
[UI standards]
- n/a, perl module only
[Dependencies]
- No further depends or recommends dependencies that are not yet in main
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be foundations-bugs and will subscribe to the package before promotion
[Background information]
The Package description explains the package well
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libhttp-cookiejar-perl/+bug/2024245/+subscriptions
More information about the foundations-bugs
mailing list