[Koha-devel] Koha packaging problems (Deb10/Buster)

Thu Mar 12 23:36:20 CET 2020

Wait a minute... why do we need to pin libmojolicious-perl? 

Thanks to Ere's work on https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22522, Koha should be able to work with Mojolicious 8 now (and Mojolicious::Plugin::OpenAPI 2.21 and JSON::Validator 3.18). Admittedly it's only in master right now, but I'm using his patches on 18.11 and 19.11 already with Mojolicious 8, and they're working well so far. So hopefully people start pushing that code to stable branches ASAP. 

David Cook
Systems Librarian
Prosentient Systems
72/330 Wattle St
Ultimo, NSW 2007
Australia

Office: 02 9212 0899
Direct: 02 8005 0595

-----Original Message-----
From: Koha-devel <koha-devel-bounces at lists.koha-community.org> On Behalf Of Mason James
Sent: Thursday, 12 March 2020 8:20 PM
To: Koha Devel <koha-devel at lists.koha-community.org>
Subject: Re: [Koha-devel] Koha packaging problems (Deb10/Buster)

On 12/03/20 12:43 am, Mason James wrote:
> On 10/03/20 8:08 pm, Mason James wrote:
>> Hi Koha devs
>>
>> We have a dependency problem with the release of debian-10 and the 
>> following packages. (debian-11 is ok)
>>
>>  libmojolicious-perl
>>  libmojolicious-plugin-openapi-perl
>>  libyaml-libyaml-perl
>> Two other options...
>>  1/ use kc.org debian packages, with cpanminus (or similar) providing 
>> the distro specific packages (extra installation steps and 
>> complexity)
>>  2/ ignore the problem for now, and accept that older koha/distro 
>> combinations will be forced to break
> some other points i didnt mention...
>
> koha on buster has a security bug. the solution requires some packages 
> to be updated
>
> i can push the packages to the koha repo to fix this problem, but... 
> (there's always a but) the new packages will break jessie :/ when 
> jessie-lts support officially finishes on 30th june 2020, i can 
> happily push these packages - but between now and 30th june we need to 
> decide on a fix for the security bug on buster
>  https://wiki.debian.org/LTS
>
> some other options...
>  3/ do nothing and tell people to not use buster, until june
>  4/ provide buster packages in an separate repo, until june
>  5/ provide instructions to add buster packages using cpanm, until 
> june
>  6/ update koha repo to fix buster, and provide jessie packages in an 
> separate repo
>  7/ update koha repo to fix buster, and provide instructions to add 
> jessie packages using cpanm
>  8/ submit required buster packages to debian buster-backports repo 
> (not sure how difficult this is)
>
> i prefer option 4/, as its the least disruptive for users, and only 
> requires an extra sources.list line to implement
>
> also... i think we should hold off on redesigning the koha apt 
> repository until *after* this buster security issue is fixed
>
> cheers, Mason

hmm, i had forgotten another...
its possible to tell apt to prefer koha's older mojo v7 package, rather than the newer debian/buster mojo v8 package

running the following command before 'apt install koha-common' makes it possible to run the various koha releases on debian 10

$ sudo cat << EOF > /etc/apt/preferences.d/koha-1001
Package: libjson-validator-perl
Pin-Priority: 1001
Pin: release o=Koha

Package: libmojolicious-perl
Pin-Priority: 1001
Pin: release o=Koha
EOF

for me, this option is probably the easiest workaround for koha on debian 10

if nobody objects? - i am happy to update the koha wiki with this workaround

cheers, Mason

_______________________________________________
Koha-devel mailing list
Koha-devel at lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 484 bytes
Desc: not available
URL: <http://lists.koha-community.org/pipermail/koha-devel/attachments/20200313/a2bac725/attachment-0001.sig>