Debian Perl Sprint 2017

Introduction

4 members of the Debian Perl Group met in Lloret de Mar over the weekend from May 18 to May 21 2017 as part of the Debian Sun Camp to kick off the development around perl for Buster and to work on QA tasks across our 3000+ packages. The preparation details can be found on the sprint wiki.

The participants would like to thank the Debian Sun Camp organizers for providing the framework for our sprint, and all donors to the Debian project who helped to cover a large part of our expenses.

Bugs and Packages

Overview

Bugs tagged with:

A total of 23 bugs were filed/worked on. These include:

Some details

Perl 5.26

src:perl

perl 5.26.0-RC1 was packaged and uploaded to experimental. Some notable details include:

Versioned Provides

Deploying versioned provides in src:perl would simplify numerous dependencies. For instance, perl could Provides: libtest-simple-perl (= 1.xxxxxx) and other packages could then only (Build-)Depends: libtest-simple-perl (>= 1.xxxxxx) without needing an alternative dependency on perl. See debian-policy bug (#761219).

This was expected to work in toolchain and infrastructure since dose3 has a fix in stretch (#786671) and britney support has been in place for a year (#786803), but there were vague worries about remaining wanna-build (which uses dose3) issues.

Versioned provides were deployed in a src:perl upload to experimental (#758100), and some TODO items were identified for uploading to unstable:

More recently, wanna-build issues indeed surfaced shortly after perl 5.24 upload to unstable with versioned Provides enabled (#867104 - fixed on 2017-07-19). Additionally, an autopkgtest problem was spotted (#867081). The change was then (hopefully temporarily) reverted so that these issues can be fixed and the fixes can be deployed in the infrastructure.

Insecure loading of YAML data

Bug #861958 reported lintian: insecure YAML validation in early May, which also was tracked later in CVE-2017-8829. A review of all YAML loaders available in Debian was finished during the sprint (details can be found in YAML unsafe).

Several approaches were tested in order to find whether they would break any packages in Debian:

The switch to control the behaviour should be an environment variable since several packages have been written to use any of the available loaders. Ideally, there should be just one switch that works for all implementations.

autopkgtest

After a short discussion, recursively run of smoke tests in pkg-perl-autopkgtest was enabled in order to remove the burden of manually adding the list of test to be run for packages that do not run t/*.t only.

The libfile-sharedir-par-perl issues in autopkgtest were fixed by using the smoke-setup file instead of smoke-files to build blib contents needed by tests.

A walk through the pkg-perl-autopkgtest setup was performed with Tincho in order to help setting autopkgtest up for the pkg-golang team. The wording of directory chroot type in autopkgtest was improved (thanks to Tincho for noticing!) and the details on how to speed up builds with eatmydata in schroot were added too. On the other hand, it is also worth noting that the number of indirection levels is probably needlessly high since autodep8 came along.

Open question: Is there any difference nowadays between Testsuite: autopkgtest and Testsuite: autopkgtest-pkg-perl?

Team Web Pages

The pkg-perl handbook (still a proof of concept) was updated and locally rebuilt with sphinx and rsynced later to alioth (the idea of building it on alioth was discarded). The details can be found in README.sphinx.

A cleanup of wiki.d.o Perl pages was performed:

And some other ideas came up for the future:

Other tasks

Future ideas

Paul Wise suggested using Perl::Critic (and maybe other linters like all the things) to find issues in Perl modules code that could also be reported upstream. The details were added to Nice things to have section in OpenTasks.

We might want to go through bugs tagged rm-candidate and/or add bugs there to continue removing packages. Also, we might look into orphaned packages with O: in WNPP list (those mentioned by the MIA team were already there).