[mickledore,1/1] python3-pygments: upgrade 2.14.0 -> 2.15.1

From: Narpat Mali <narpat.mali@windriver.com>

* Upstream has dropped setup.py
* Inherit python_setuptools_build_meta instead of setuptools3
* Add self as maintainer, as this is a dependency for python3-sphinx

Adds some new lexers, updates a few others. A handful of bug fixes.

https://github.com/pygments/pygments/blob/2.15.1/CHANGES#L6
https://github.com/pygments/pygments/blob/2.15.1/CHANGES#L18

Have cherry-picked the upgrade commit from upstream/master:
https://git.openembedded.org/openembedded-core/commit/?id=22e2569ae4843071b2b48d026ca4742351baf6d1

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
---
 meta/conf/distro/include/maintainers.inc                      | 2 +-
 ...{python3-pygments_2.14.0.bb => python3-pygments_2.15.1.bb} | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
 rename meta/recipes-devtools/python/{python3-pygments_2.14.0.bb => python3-pygments_2.15.1.bb} (76%)

Narpat,

I don't see this in Steve's test branch:
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable%2Fmickledore-nut&qt=grep&q=pygments

which is good since for mickledore, I think that you need backport only 
the fix commits
because 2.15.1  has added features and build related changes. I'm not 
using pygments
so I've CCed Tim to ask him to confirm that this is the right approach.

I think that since we've worked on chromium and maybe vim together, and 
seen my
suggest an upgrade rather than a commit backport for dmidecode, you are
under the mistaken impression that it's generally acceptable. It's not.


Also you asked about kirkstone privately, so I'll quote that here:
    "the current version of python3-pygments is 2.11.2 in LTS22 and
     have tried back-porting these above fixes but, the source files
     have been changed a lot and I am unable to back-port these.
     So, upgrading this current version 2.11.2 -> 2.15.1 would be 
acceptable or not ? "

Here as well, the answer is no, we need you to backport the fixes. If 
it's simply not
practical to fix a CVE, in rare cases, you could tag the CVE with 
something like:

meta/recipes-devtools/flex/flex_2.6.4.bb:CVE_STATUS[CVE-2019-6293] = 
"upstream-wontfix:
or = "backporting-not-sensible"

but that's a last resort and others may rightfully object to that 
conclusion.




On 2023-08-08 04:32, Narpat Mali via lists.openembedded.org wrote:
> From: Narpat Mali<narpat.mali@windriver.com>
>
> * Upstream has dropped setup.py
> * Inherit python_setuptools_build_meta instead of setuptools3
> * Add self as maintainer, as this is a dependency for python3-sphinx
>
> Adds some new lexers, updates a few others. A handful of bug fixes.
>
> https://github.com/pygments/pygments/blob/2.15.1/CHANGES#L6
> https://github.com/pygments/pygments/blob/2.15.1/CHANGES#L18
>
> Have cherry-picked the upgrade commit from upstream/master:
> https://git.openembedded.org/openembedded-core/commit/?id=22e2569ae4843071b2b48d026ca4742351baf6d1
It's good that you amended the commit log to show where the work
came from. It seems that you dropped these two SOB lines:

     Signed-off-by: Tim Orling <tim.orling@konsulko.com>
     Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

I'd keep them since it's part of the upstream commit.


>
> Signed-off-by: Narpat Mali<narpat.mali@windriver.com>
> ---
>   meta/conf/distro/include/maintainers.inc                      | 2 +-
>   ...{python3-pygments_2.14.0.bb => python3-pygments_2.15.1.bb} | 4 ++--
>   2 files changed, 3 insertions(+), 3 deletions(-)
>   rename meta/recipes-devtools/python/{python3-pygments_2.14.0.bb => python3-pygments_2.15.1.bb} (76%)
>
> diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
> index 07498a23a9..c9d790ca32 100644
> --- a/meta/conf/distro/include/maintainers.inc
> +++ b/meta/conf/distro/include/maintainers.inc
> @@ -666,7 +666,7 @@ RECIPE_MAINTAINER:pn-python3-pyasn1 = "Tim Orling<tim.orling@konsulko.com>"
>   RECIPE_MAINTAINER:pn-python3-pycairo = "Zang Ruochen<zangruochen@loongson.cn>"
>   RECIPE_MAINTAINER:pn-python3-pycparser = "Tim Orling<tim.orling@konsulko.com>"
>   RECIPE_MAINTAINER:pn-python3-pyelftools = "Joshua Watt<JPEWhacker@gmail.com>"
> -RECIPE_MAINTAINER:pn-python3-pygments = "Unassigned<unassigned@yoctoproject.org>"
> +RECIPE_MAINTAINER:pn-python3-pygments = "Tim Orling<tim.orling@konsulko.com>"
This came from the cherry-pick but clearly you should CC Tim and 
probably email

him first to see if he agrees on maintainership for the recipe in 
mickledore.


../Randy


>   RECIPE_MAINTAINER:pn-python3-pygobject = "Zang Ruochen<zangruochen@loongson.cn>"
>   RECIPE_MAINTAINER:pn-python3-pyopenssl = "Tim Orling<tim.orling@konsulko.com>"
>   RECIPE_MAINTAINER:pn-python3-pyparsing = "Unassigned<unassigned@yoctoproject.org>"
> diff --git a/meta/recipes-devtools/python/python3-pygments_2.14.0.bb b/meta/recipes-devtools/python/python3-pygments_2.15.1.bb
> similarity index 76%
> rename from meta/recipes-devtools/python/python3-pygments_2.14.0.bb
> rename to meta/recipes-devtools/python/python3-pygments_2.15.1.bb
> index 16769e9263..e0e477100e 100644
> --- a/meta/recipes-devtools/python/python3-pygments_2.14.0.bb
> +++ b/meta/recipes-devtools/python/python3-pygments_2.15.1.bb
> @@ -4,8 +4,8 @@ HOMEPAGE ="http://pygments.org/"
>   LICENSE = "BSD-2-Clause"
>   LIC_FILES_CHKSUM ="file://LICENSE;md5=36a13c90514e2899f1eba7f41c3ee592"
>   
> -inherit setuptools3
> -SRC_URI[sha256sum] = "b3ed06a9e8ac9a9aae5a6f5dbe78a8a58655d17b43b93c078f094ddc476ae297"
> +inherit python_setuptools_build_meta
> +SRC_URI[sha256sum] = "8ace4d3c1dd481894b2005f560ead0f9f19ee64fe983366be1a21e171d12775c"
>   
>   DEPENDS += "\
>               ${PYTHON_PN} \
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#185652):https://lists.openembedded.org/g/openembedded-core/message/185652
> Mute This Topic:https://lists.openembedded.org/mt/100618182/3616765
> Group Owner:openembedded-core+owner@lists.openembedded.org
> Unsubscribe:https://lists.openembedded.org/g/openembedded-core/unsub  [randy.macleod@windriver.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

On Fri, Aug 11, 2023 at 6:42 AM Randy MacLeod via
lists.openembedded.org
<randy.macleod=windriver.com@lists.openembedded.org> wrote:
>
> Narpat,
>
> I don't see this in Steve's test branch:
>    https://git.openembedded.org/openembedded-core-contrib/log/?h=stable%2Fmickledore-nut&qt=grep&q=pygments

Yes, for the reasons you discuss below.  I was intending to reply this
morning, but you beat me to it :-)

> which is good since for mickledore, I think that you need backport only the fix commits
> because 2.15.1  has added features and build related changes. I'm not using pygments
> so I've CCed Tim to ask him to confirm that this is the right approach.
>
> I think that since we've worked on chromium and maybe vim together, and seen my
> suggest an upgrade rather than a commit backport for dmidecode, you are
> under the mistaken impression that it's generally acceptable. It's not.
>
>
> Also you asked about kirkstone privately, so I'll quote that here:
>    "the current version of python3-pygments is 2.11.2 in LTS22 and
>     have tried back-porting these above fixes but, the source files
>     have been changed a lot and I am unable to back-port these.
>     So, upgrading this current version 2.11.2 -> 2.15.1 would be acceptable or not ? "
>
> Here as well, the answer is no, we need you to backport the fixes. If it's simply not
> practical to fix a CVE, in rare cases, you could tag the CVE with something like:
>
> meta/recipes-devtools/flex/flex_2.6.4.bb:CVE_STATUS[CVE-2019-6293] = "upstream-wontfix:
> or = "backporting-not-sensible"
>
> but that's a last resort and others may rightfully object to that conclusion.

Yes, same issue with a kirkstone upgrade!  However your suggestion to
consider CVE_STATUS isn't possible for any of the stable branches
since we won't be backporting that feature (it is too intrusive)

So for mickledore and kirkstone it would be CVE_CHECK_IGNORE and with
dunfell CVE_CHECK_WHITELIST. And of course comment explaining the
issue and why this is an appropriate resolution.

Steve

> On 2023-08-08 04:32, Narpat Mali via lists.openembedded.org wrote:
>
> From: Narpat Mali <narpat.mali@windriver.com>
>
> * Upstream has dropped setup.py
> * Inherit python_setuptools_build_meta instead of setuptools3
> * Add self as maintainer, as this is a dependency for python3-sphinx
>
> Adds some new lexers, updates a few others. A handful of bug fixes.
>
> https://github.com/pygments/pygments/blob/2.15.1/CHANGES#L6
> https://github.com/pygments/pygments/blob/2.15.1/CHANGES#L18
>
> Have cherry-picked the upgrade commit from upstream/master:
> https://git.openembedded.org/openembedded-core/commit/?id=22e2569ae4843071b2b48d026ca4742351baf6d1
>
> It's good that you amended the commit log to show where the work
> came from. It seems that you dropped these two SOB lines:
>
>     Signed-off-by: Tim Orling <tim.orling@konsulko.com>
>     Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
>
> I'd keep them since it's part of the upstream commit.
>
>
>
> Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
> ---
>  meta/conf/distro/include/maintainers.inc                      | 2 +-
>  ...{python3-pygments_2.14.0.bb => python3-pygments_2.15.1.bb} | 4 ++--
>  2 files changed, 3 insertions(+), 3 deletions(-)
>  rename meta/recipes-devtools/python/{python3-pygments_2.14.0.bb => python3-pygments_2.15.1.bb} (76%)
>
> diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
> index 07498a23a9..c9d790ca32 100644
> --- a/meta/conf/distro/include/maintainers.inc
> +++ b/meta/conf/distro/include/maintainers.inc
> @@ -666,7 +666,7 @@ RECIPE_MAINTAINER:pn-python3-pyasn1 = "Tim Orling <tim.orling@konsulko.com>"
>  RECIPE_MAINTAINER:pn-python3-pycairo = "Zang Ruochen <zangruochen@loongson.cn>"
>  RECIPE_MAINTAINER:pn-python3-pycparser = "Tim Orling <tim.orling@konsulko.com>"
>  RECIPE_MAINTAINER:pn-python3-pyelftools = "Joshua Watt <JPEWhacker@gmail.com>"
> -RECIPE_MAINTAINER:pn-python3-pygments = "Unassigned <unassigned@yoctoproject.org>"
> +RECIPE_MAINTAINER:pn-python3-pygments = "Tim Orling <tim.orling@konsulko.com>"
>
> This came from the cherry-pick but clearly you should CC Tim and probably email
>
> him first to see if he agrees on maintainership for the recipe in mickledore.
>
>
> ../Randy
>
>
>  RECIPE_MAINTAINER:pn-python3-pygobject = "Zang Ruochen <zangruochen@loongson.cn>"
>  RECIPE_MAINTAINER:pn-python3-pyopenssl = "Tim Orling <tim.orling@konsulko.com>"
>  RECIPE_MAINTAINER:pn-python3-pyparsing = "Unassigned <unassigned@yoctoproject.org>"
> diff --git a/meta/recipes-devtools/python/python3-pygments_2.14.0.bb b/meta/recipes-devtools/python/python3-pygments_2.15.1.bb
> similarity index 76%
> rename from meta/recipes-devtools/python/python3-pygments_2.14.0.bb
> rename to meta/recipes-devtools/python/python3-pygments_2.15.1.bb
> index 16769e9263..e0e477100e 100644
> --- a/meta/recipes-devtools/python/python3-pygments_2.14.0.bb
> +++ b/meta/recipes-devtools/python/python3-pygments_2.15.1.bb
> @@ -4,8 +4,8 @@ HOMEPAGE = "http://pygments.org/"
>  LICENSE = "BSD-2-Clause"
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=36a13c90514e2899f1eba7f41c3ee592"
>
> -inherit setuptools3
> -SRC_URI[sha256sum] = "b3ed06a9e8ac9a9aae5a6f5dbe78a8a58655d17b43b93c078f094ddc476ae297"
> +inherit python_setuptools_build_meta
> +SRC_URI[sha256sum] = "8ace4d3c1dd481894b2005f560ead0f9f19ee64fe983366be1a21e171d12775c"
>
>  DEPENDS += "\
>              ${PYTHON_PN} \
>
>
>
>
> --
> # Randy MacLeod
> # Wind River Linux
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#185850): https://lists.openembedded.org/g/openembedded-core/message/185850
> Mute This Topic: https://lists.openembedded.org/mt/100618182/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>