libxml2: add 2.11.9, 2.12.9 and remove unused versions #25364

Merged
merged 2 commits into from
Sep 24, 2024

Nekto89
Contributor

@Nekto89 Nekto89 commented Sep 23, 2024

Summary

Changes to recipe: libxml2/*

Motivation

2.11.9 and 2.12.9 contain a fix for [CVE-2024-40896] Fix XXE protection in downstream code
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.9
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.9

Details

I've also removed bugfix versions that aren't present in current master


@Nekto89
Contributor Author

Nekto89 commented Sep 23, 2024

I don't know how to safely choose versions that can be removed. I just used text search but maybe it's not enough? There are multiple recipes with version ranges "libxml2/[>=2.12.5 <3]"

@conan-center-bot
Collaborator

Conan v1 pipeline ✔️

All green in build 1 (e90af836419d8d3a67d37e72afcd5c8716eb69bb):

  • libxml2/2.12.9:
    Built 20 packages out of 22 (All logs)

  • libxml2/2.11.9:
    Built 20 packages out of 22 (All logs)


Conan v2 pipeline ✔️

Note: Conan v2 builds are now mandatory. Please read our discussion about it.

All green in build 1 (e90af836419d8d3a67d37e72afcd5c8716eb69bb):

  • libxml2/2.11.9:
    All packages built successfully! (All logs)

  • libxml2/2.12.9:
    All packages built successfully! (All logs)

@gsantner
Contributor

Related to this, there is also my PR #25322 open that adds the 2.13 series

@AbrilRBS
Member

We'll also merge this PR this Wednesday alongside the linked PR, thanks a lot for taking the time to add the new patch versions, we appreciate it :)

@jcar87
Contributor

jcar87 commented Sep 23, 2024

> I don't know how to safely choose versions that can be removed. I just used text search but maybe it's not enough? There are multiple recipes with version ranges "libxml2/[>=2.12.5 <3]"

Generally, if they are not used by any other recipe in the same revision of the repository, it may be safe to delete if there are newer versions available and in use (or via a version range). However, on the other hand, for when there are many major.minor.patch - we would always keep the most recent .patch.

As an aside, we'd like to update the language used when "removing" versions - the Conan Center remote will always serve all versions ever published, there is no removal process (IIRC the only actual removal we've had was xz-utils due to the malicious nature of the release). Dropping a version from the git repository has an effect of: "stop publishing new recipe revisions or packages for older versions" - which is a bit longer than 'remove', but a tad less misleading :P
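Added example, not code from this pull request or from Conan: a sketch of the rule described in the comment above, which keeps exact pins and the newest patch of each major.minor line and checks that every version range still resolves. The version list, the pinned requirement, and the function names are constructed for illustration, and only space-separated comparison conditions such as the quoted `[>=2.12.5 <3]` are handled.

```python
import re
# Constructed sample data, not taken from conan-center-index.
AVAILABLE = ["2.11.6", "2.11.9", "2.12.5", "2.12.7", "2.12.9"]
REQUIRES = [
    "libxml2/[>=2.12.5 <3]",  # range form quoted in the thread
    "libxml2/2.11.6",         # hypothetical exact pin in another recipe
    "zlib/[>=1.2.11 <2]",     # other package, ignored
]
OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b,
       "=": lambda a, b: a == b}

def vkey(v):
    """'2.12.9' -> (2, 12, 9) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def in_range(version, expr):
    """True if version meets every space-separated condition (AND)."""
    for cond in expr.split():
        m = re.fullmatch(r"(>=|<=|>|<|=)?(\d+(?:\.\d+)*)", cond)
        if not m:
            raise ValueError(f"unsupported condition: {cond}")
        if not OPS[m.group(1) or "="](vkey(version), vkey(m.group(2))):
            return False
    return True

def droppable(package, available, requires):
    """Versions that are neither pinned nor the newest patch of their line."""
    pins, ranges = set(), []
    for req in requires:
        name, _, spec = req.partition("/")
        if name != package:
            continue
        if spec.startswith("["):
            ranges.append(spec.strip("[]"))
        else:
            pins.add(spec)
    newest = {}  # (major, minor) -> highest patch version seen
    for v in available:
        line = vkey(v)[:2]
        if line not in newest or vkey(v) > vkey(newest[line]):
            newest[line] = v
    keep = pins | set(newest.values())
    for expr in ranges:  # every range must still resolve after the drop
        if not any(in_range(v, expr) for v in keep):
            raise ValueError(f"no kept version satisfies [{expr}]")
    return sorted((v for v in available if v not in keep), key=vkey)

print(droppable("libxml2", AVAILABLE, REQUIRES))
```
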

Member

@uilianries uilianries left a comment

LGTM. I didn't find a removed version that is affecting CCI.

@conan-center-bot conan-center-bot merged commit b49379f into conan-io:master Sep 24, 2024
14 checks passed