Notes:
- Does not have a known CVE yet but will: https://github.com/mozilla/bleach/issues/527
- The fix seems to be part of commit https://github.com/mozilla/bleach/commit/d6018f2539d271963c3e7f54f36ef11900363c69
- That fix has backwards-incompatible effects to my best knowledge
How should we continue?
Thanks for chasing it upstream. I guess let's proceed like normal -- if you like, some ewarn could be added for a bit when people upgrade rather than a fresh install. So, are you ready for stabilisation (you may ofc call yourself too)?
(In reply to Sam James (sam_c) (security padawan) from comment #1)
> So, are you ready for stabilisation (you may ofc call yourself too)?
There are known failing tests for all versions of bleach (bug #710148) and we're stabilizing bleach 3.1.3 in bug #714596 right now. I don't want to advise against making 3.1.4 stable but I'm at least reluctant to advise for it.
(In reply to Sebastian Pipping from comment #2)
> (In reply to Sam James (sam_c) (security padawan) from comment #1)
> > So, are you ready for stabilisation (you may ofc call yourself too)?
>
> There are known failing tests for all versions of bleach (bug #710148) and
> we're stabilizing bleach 3.1.3 in bug #714596 right now. I don't want to
> advise against making 3.1.4 stable but I'm at least reluctant to advise for
> it.
Let's wait until Python 3.7.7 is stable (bug 715124).
(In reply to Sam James (sam_c) (security padawan) from comment #3)
> (In reply to Sebastian Pipping from comment #2)
> > (In reply to Sam James (sam_c) (security padawan) from comment #1)
> > > So, are you ready for stabilisation (you may ofc call yourself too)?
> >
> > There are known failing tests for all versions of bleach (bug #710148) and
> > we're stabilizing bleach 3.1.3 in bug #714596 right now. I don't want to
> > advise against making 3.1.4 stable but I'm at least reluctant to advise for
> > it.
>
> Let's wait until Python 3.7.7 is stable (bug 715124).
Actually, on second thought: this is an issue which will affect users of bleach too on buggy Python versions. It's unrelated to the stabilisation of a newer bleach, right?
The test failure bug has now been closed because it was due to the Python version. Are we alright to stabilise now, given it was independent of bleach? Thanks!
(In reply to Sam James (sam_c) (security padawan) from comment #5)
> The test failure bug has now been closed because it was due to the Python
> version.
>
> Are we alright to stabilise now, given it was independent of bleach? Thanks!
Given https://bugs.gentoo.org/714596#h4 and the fact that we still have 3.1.3 around I think it's fair to continue. Adding arches now…
arm64 stable; amd64 arm ia64 ppc ppc64 x86 hppa s390 sparc ALLARCHES stable
Cleanup done. GLSA vote: No.