[MIR] libdigest-md5-file-perl & libswitch-perl (dependency of devscripts)

Bug #2007279 reported by Lukas Märdian
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
devscripts (Ubuntu) | Fix Released | Undecided | Canonical Foundations Team |
libdigest-md5-file-perl (Ubuntu) | Won't Fix | Undecided | Unassigned |
libswitch-perl (Ubuntu) | Won't Fix | Undecided | Unassigned |

Bug Description

[Availability]
- The package libdigest-md5-file-perl is already in Ubuntu universe.
- The package libdigest-md5-file-perl builds for the architectures it is designed to work on.
- It currently builds and works for architectures: all
- Link to package [[https://launchpad.net/ubuntu/+source/libdigest-md5-file-perl]]

[Rationale]
- The package libdigest-md5-file-perl is required in Ubuntu main for devscripts
- The package libdigest-md5-file-perl will not generally be useful for a large part of
  our user base, but is important/helpful still because it is needed by devscripts, a
  package very commonly used by Debian and Ubuntu developers, and also some power users
  who wish to build their own packages.
- It would be great and useful to community/processes to have the
  package libdigest-md5-file-perl in Ubuntu main, but there is no definitive deadline.

[Security]
- No CVEs/security issues in this software in the past
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does not contain extensions to security-sensitive software
  (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does
  not have too many, long-term & critical, open bugs
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libdigest-md5-file-perl/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libdigest-md5-file-perl
  - Upstream's bug tracker: https://rt.cpan.org/Public/Dist/Display.html?Name=Digest-MD5-File

[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
  it makes the build fail, link to build log
  https://launchpadlibrarian.net/514920504/buildlog_ubuntu-hirsute-amd64.libdigest-md5-file-perl_0.08-1.1_BUILDING.txt.gz

- The package does not run an autopkgtest because it is not implemented

[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package
  https://launchpadlibrarian.net/652669289/buildlog_ubuntu-lunar-amd64.libdigest-md5-file-perl_0.08-1.1ubuntu1_BUILDING.txt.gz
- Please attach the full output you have got from
  `lintian --pedantic` as an extra post to this bug:
  See the attachment libdigest-md5-file-perl.lintian.log
- Lintian overrides are present, but ok because there is a false-positive
  with first-person pronoun used in the description where it is actually
  the `my` syntax in Perl.
- This package does not rely on obsolete or about to be demoted packages.
- The package will not be installed by default
- Packaging and build is easy, link to d/rules
  https://git.launchpad.net/ubuntu/+source/libdigest-md5-file-perl/tree/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- Owning Team will be Foundations Team
- Team is not yet, but will subscribe to the package before promotion

- This does not use static builds
- This does not use vendored code
- This package is not rust based

- The package was test rebuilt in PPA or sbuild recently:
  https://launchpadlibrarian.net/652669289/buildlog_ubuntu-lunar-amd64.libdigest-md5-file-perl_0.08-1.1ubuntu1_BUILDING.txt.gz

[Background information]
The Package description explains the package well
Upstream Name is Digest-MD5-File
Link to upstream project https://metacpan.org/dist/Digest-MD5-File

--- --- --- --- ---

[Availability]
The package libswitch-perl is already in Ubuntu universe.
The package libswitch-perl builds for the architectures it is designed to work on.
It currently builds and works for architectures: all
Link to package [[https://launchpad.net/ubuntu/+source/libswitch-perl]]

[Rationale]
- The package libswitch-perl is required in Ubuntu main for devscripts
- The package libswitch-perl will not generally be useful for a large part of
  our user base, but is important/helpful still because it is needed by devscripts, a
  package very commonly used by Debian and Ubuntu developers, and also some power users
  who wish to build their own packages.

- It would be great and useful to community/processes to have the
  package libswitch-perl in Ubuntu main, but there is no definitive deadline.

[Security]
- No CVEs/security issues in this software in the past
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does not contain extensions to security-sensitive software
  (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package has important open bugs:
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480106
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656545
  - https://rt.cpan.org/Ticket/Display.html?id=142923

[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
  it makes the build fail, link to build log
  https://launchpadlibrarian.net/607630437/buildlog_ubuntu-kinetic-amd64.libswitch-perl_2.17-3_BUILDING.txt.gz

- The package runs an autopkgtest, and is currently passing on
  amd64 arm64 armhf ppc64el s390x, link to test logs
  https://autopkgtest.ubuntu.com/packages/libswitch-perl
  (i386 failed due to unmet dependencies)

[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package:
  https://launchpadlibrarian.net/652670389/buildlog_ubuntu-lunar-amd64.libswitch-perl_2.17-3ubuntu1_BUILDING.txt.gz
- Please attach the full output you have got from
  `lintian --pedantic` as an extra post to this bug:
  See attachment libswitch-perl.lintian.log
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- The package will not be installed by default
- Packaging and build is easy, link to d/rules
  https://git.launchpad.net/ubuntu/+source/libswitch-perl/tree/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- Owning Team will be Foundations Team
- Team is not yet, but will subscribe to the package before promotion

- This does not use static builds
- This does not use vendored code
- This package is not rust based

- The package was test rebuilt in PPA or sbuild recently:
  https://launchpadlibrarian.net/652670389/buildlog_ubuntu-lunar-amd64.libswitch-perl_2.17-3ubuntu1_BUILDING.txt.gz

[Background information]
The Package description explains the package well
Upstream Name is Switch
Link to upstream project https://metacpan.org/dist/Switch

Lukas Märdian (slyon)
tags: added: update-excuse
Changed in devscripts (Ubuntu):
status: New → Triaged
assignee: nobody → Canonical Foundations Team (canonical-foundations)
tags: added: rls-ll-incoming
Lukas Märdian (slyon)
Changed in libswitch-perl (Ubuntu):
status: New → Incomplete
description: updated
summary: - [MIR] libdigest-md5-file-perl (dependency of devscripts)
+ [MIR] libdigest-md5-file-perl & libswitch-perl (dependency of
+ devscripts)
Lukas Märdian (slyon)
Changed in libdigest-md5-file-perl (Ubuntu):
assignee: nobody → Liu Shuyu (liushuyu-011)
Changed in libswitch-perl (Ubuntu):
assignee: nobody → Liu Shuyu (liushuyu-011)
tags: removed: rls-ll-incoming
tags: added: foundations-todo
Zixing Liu (liushuyu-011) wrote :

[Availability]
- The package libdigest-md5-file-perl is already in Ubuntu universe.
- The package libdigest-md5-file-perl builds for the architectures it is designed to work on.
- It currently builds and works for architectures: all
- Link to package [[https://launchpad.net/ubuntu/+source/libdigest-md5-file-perl]]

[Rationale]
- The package libdigest-md5-file-perl is required in Ubuntu main for devscripts
- The package libdigest-md5-file-perl will not generally be useful for a large part of
  our user base, but is important/helpful still because it is needed by devscripts, a
  package very commonly used by Debian and Ubuntu developers, and also some power users
  who wish to build their own packages.
- It would be great and useful to community/processes to have the
  package libdigest-md5-file-perl in Ubuntu main, but there is no definitive deadline.

[Security]
- No CVEs/security issues in this software in the past
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does not contain extensions to security-sensitive software
  (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does
  not have too many, long-term & critical, open bugs
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libdigest-md5-file-perl/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libdigest-md5-file-perl
  - Upstream's bug tracker: https://rt.cpan.org/Public/Dist/Display.html?Name=Digest-MD5-File

[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
  it makes the build fail, link to build log
  https://launchpadlibrarian.net/514920504/buildlog_ubuntu-hirsute-amd64.libdigest-md5-file-perl_0.08-1.1_BUILDING.txt.gz

- The package does not run an autopkgtest because it is not implemented

[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package
  https://launchpadlibrarian.net/652669289/buildlog_ubuntu-lunar-amd64.libdigest-md5-file-perl_0.08-1.1ubuntu1_BUILDING.txt.gz
- Please attach the full output you have got from
  `lintian --pedantic` as an extra post to this bug:
  See the attachment libdigest-md5-file-perl.lintian.log
- Lintian overrides are present, but ok because there is a false-positive
  with first-person pronoun used in the description where it is actually
  the `my` syntax in Perl.
- This package does not rely on obsolete or about to be demoted packages.
- The package will not be installed by default
- Packaging and build is easy, link to d/rules
  https://git.launchpad.net/ubuntu/+source/libdigest-md5-file-perl/tree/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main

[Standards ...

Changed in libdigest-md5-file-perl (Ubuntu):
status: Incomplete → In Progress
Changed in libswitch-perl (Ubuntu):
status: Incomplete → In Progress
Zixing Liu (liushuyu-011) wrote :

[Availability]
The package libswitch-perl is already in Ubuntu universe.
The package libswitch-perl builds for the architectures it is designed to work on.
It currently builds and works for architectures: all
Link to package [[https://launchpad.net/ubuntu/+source/libswitch-perl]]

[Rationale]
- The package libswitch-perl is required in Ubuntu main for devscripts
- The package libswitch-perl will not generally be useful for a large part of
  our user base, but is important/helpful still because it is needed by devscripts, a
  package very commonly used by Debian and Ubuntu developers, and also some power users
  who wish to build their own packages.

- It would be great and useful to community/processes to have the
  package libswitch-perl in Ubuntu main, but there is no definitive deadline.

[Security]
- No CVEs/security issues in this software in the past
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does not contain extensions to security-sensitive software
  (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package has important open bugs:
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480106
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656545
  - https://rt.cpan.org/Ticket/Display.html?id=142923

[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
  it makes the build fail, link to build log
  https://launchpadlibrarian.net/607630437/buildlog_ubuntu-kinetic-amd64.libswitch-perl_2.17-3_BUILDING.txt.gz

- The package does not run an autopkgtest because it is not implemented

[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package:
  https://launchpadlibrarian.net/652670389/buildlog_ubuntu-lunar-amd64.libswitch-perl_2.17-3ubuntu1_BUILDING.txt.gz
- Please attach the full output you have got from
  `lintian --pedantic` as an extra post to this bug:
  See attachment libswitch-perl.lintian.log
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- The package will not be installed by default
- Packaging and build is easy, link to d/rules
  https://git.launchpad.net/ubuntu/+source/libswitch-perl/tree/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- Owning Team will be Foundations Team
- Team is not yet, but will subscribe to the package before promotion

- This does not use static builds
- This does not use vendored code
- This package is not rust based

- The package was test rebuilt in PPA or sbuild recently:
  https://launchpadlibrarian.net/652670389/buildlog...

Zixing Liu (liushuyu-011) wrote :

It seems like libswitch-perl does have autopkgtest. Sorry for the mistake. Launchpad does not allow me to edit the long post, so I will list the changes to the MIR report below:

Replace the "- The package does not run an autopkgtest because it is not implemented" sentence in the section "[Quality assurance - testing]" with:

- The package runs an autopkgtest, and is currently passing on
  amd64 arm64 armhf ppc64el s390x, link to test logs
  https://autopkgtest.ubuntu.com/packages/libswitch-perl
  (i386 failed due to unmet dependencies)

description: updated
Lukas Märdian (slyon) wrote :

Thanks for preparing the MIRs, I've set the status to "New" in order to apply the MIR teams process states: https://github.com/canonical/ubuntu-mir#process-states

Changed in libdigest-md5-file-perl (Ubuntu):
status: In Progress → New
Changed in libswitch-perl (Ubuntu):
status: In Progress → New
Lukas Märdian (slyon)
Changed in libdigest-md5-file-perl (Ubuntu):
assignee: Liu Shuyu (liushuyu-011) → nobody
Changed in libswitch-perl (Ubuntu):
assignee: Liu Shuyu (liushuyu-011) → nobody
Changed in libdigest-md5-file-perl (Ubuntu):
assignee: nobody → Christian Ehrhardt  (paelzer)
Changed in libswitch-perl (Ubuntu):
assignee: nobody → Christian Ehrhardt  (paelzer)
Christian Ehrhardt  (paelzer) wrote :

Review for Package: libswitch-perl

[Summary]
MIR team NACK

There seem to be better, more modern ways to do this without adding a very
old dependency to main. This would need a very good explanation why it would
be impossible to use perl builtins of this decade to solve the same.

[Duplication]
This looks wrong to be added to main in 2023. I mean this package clearly
states "This is an obsolete module provided for compatibility since it is being
removed from the core. For perl 5.10 and above the "given/when" builtins
are much preferred."
Perl 5.10 was in Ubuntu since intrepid, that is 13 years ago.
New code should just use [1]
So if this is only for compat with very very old code, why is it suddenly
needed in devscripts? I have found [2] to be the reason which on a glance
does look wrong to force the use of this perl module.

First I thought it might be due to the use of regex, but even that seems to
be known strange bugs in switch and working fine with given/when [3].

Looking forward to 24.04 as the next LTS it feels wrong to add this for
another decade. Did I mention there was no update since 2014?

Instead please consider to recode this new code, propose it to Debian and
get rid of the dependency.

[1]: https://www.geeksforgeeks.org/perl-given-when-statement/
[2]: https://salsa.debian.org/debian/devscripts/-/commit/3ebcb3f5748aa758cdf701d413a99b21ef10aab2
[3]: https://stackoverflow.com/questions/1181685/why-doesnt-my-regular-expression-work-with-perls-switch-module

Changed in libswitch-perl (Ubuntu):
status: New → Incomplete
assignee: Christian Ehrhardt  (paelzer) → nobody
Christian Ehrhardt  (paelzer) wrote :

Review for Package: libdigest-md5-file-perl

Hmm, another package not touched in ages, so one can think it is stable
or neglected?
In any case this isn't much code, but just being 400 lines it has
plenty of code duplication (all _, _hex, _base64 could be unified)
and plenty of whitespace damage which does not increase confidence.

This is again used for a rather small change which might be resolved with less
dependencies [1].

[1]: https://salsa.debian.org/debian/devscripts/-/commit/f50644205a5fdd1d9ca91bdf01c98ba364a80d15

MIR team NACK
Please have a look at implementing this without perl-dependency-proliferation
and propose it to devscripts on Salsa.

[Duplication]
What does it provide?:
1. md5 of files, but Digest::file can deal with that just fine
     https://perldoc.perl.org/Digest::file
   This can be just one line without this module
     https://stackoverflow.com/a/53016159/6361589
   This is part of base perl and thereby preferred
2. md5 for url, doing that directly would be just one line more
     https://stackoverflow.com/questions/13679914/perl-get-md5-hash-of-a-fetched-file
   libwww-perl already is in the dependencies of devscripts and in main.
   Using that is only a minor change but saves many people one more perl
   module on disk used for something that would easily work without.

... stopping evaluation here.
I might be convinced to re-consider it if there is a strong argument for
it that I have missed, but without that it really looks like a minor change in
src:devscripts that will help to:
  a) keep developer system free of more perl lib sprawl on disk
  b) keep the more actively supported set of libs in main under control

Changed in libdigest-md5-file-perl (Ubuntu):
assignee: Christian Ehrhardt  (paelzer) → nobody
status: New → Incomplete
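
The replacement the review above describes, written out as an added example (not part of the original thread and not code from devscripts). The wrapper names `core_file_md5*` and `core_url_md5_hex` and the sample data are hypothetical; it assumes only core `Digest::file` / `Digest::MD5`, plus libwww-perl for the URL case.

```perl
#!/usr/bin/perl
# Added example: MD5 of a file or a fetched URL without Digest::MD5::File.
use strict;
use warnings;
use Digest::MD5  qw(md5_hex);
use Digest::file qw(digest_file digest_file_hex digest_file_base64);
use File::Temp   qw(tempfile);

# Hypothetical wrappers covering the raw, hex and base64 variants.
# Digest::file opens the file itself, sets binmode, and croaks when the
# file cannot be opened, so callers get an exception instead of a silent
# empty digest.
sub core_file_md5        { return digest_file($_[0], 'MD5') }
sub core_file_md5_hex    { return digest_file_hex($_[0], 'MD5') }
sub core_file_md5_base64 { return digest_file_base64($_[0], 'MD5') }

# URL variant built on libwww-perl. The module is loaded lazily so the
# file-only path below runs offline and without LWP installed.
sub core_url_md5_hex {
    my ($url) = @_;
    require LWP::UserAgent;
    my $ua  = LWP::UserAgent->new(timeout => 30);
    my $res = $ua->get($url);
    die "GET $url failed: " . $res->status_line . "\n"
        unless $res->is_success;
    # Hash the bytes as received: content(), not decoded_content(),
    # so no charset decoding changes the data before it is digested.
    return md5_hex($res->content);
}

# Constructed sample: CRLF, NUL and a high byte, to show that the file
# is read in binary mode and no line-ending translation takes place.
my $data = "line one\r\nline two\n\x00\xff binary tail";
my ($fh, $path) = tempfile(UNLINK => 1);
binmode $fh;
print {$fh} $data;
close $fh or die "close $path: $!";

# The digest of the file must equal the digest of the same bytes in memory.
my $expected = md5_hex($data);
my $hex      = core_file_md5_hex($path);
die "hex digest mismatch\n" unless $hex eq $expected;

# The raw form is the same 16 bytes; base64 is the unpadded 22-char form.
die "raw digest mismatch\n"
    unless unpack('H*', core_file_md5($path)) eq $expected;
die "unexpected base64 length\n"
    unless length(core_file_md5_base64($path)) == 22;

print "$hex  $path\n";

# A missing file raises an exception that the caller has to handle.
my $ok = eval { core_file_md5_hex("$path.missing"); 1 };
print "missing file: ", ($ok ? "no error" : "error raised"), "\n";
```
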
Christian Ehrhardt  (paelzer) wrote :

@Zixing - please do not get me wrong, your requests were nicely prepared and processed.
But they missed a hard check on step #1 which is "do I really need that or are there better ways". And if you (or anyone else) believe I have missed an important point here feel free to speak up and the MIR team will reconsider the situation.

I re-read the ruling and it might not be clear enough there until checked by a MIR team member.
I've opened [1] to clarify. Feel free to chime in there if this would not have helped you in the first place and you'd need/expect something else.

[1]: https://github.com/canonical/ubuntu-mir/pull/10

gregor herrmann (gregoa) wrote : Re: [Pkg-perl-maintainers] [Bug 2007279] Re: [MIR] libdigest-md5-file-perl & libswitch-perl (dependency of devscripts)

On Wed, 01 Mar 2023 09:04:15 -0000, Christian Ehrhardt  wrote:

> This looks wrong to be added to main in 2023. I mean this package clearly
> states "This is an obsolete module provided for compatibility since it is being
> removed from the core. For perl 5.10 and above the "given/when" builtins
> are much preferred."
> Perl 5.10 was in Ubuntu since intrepid, that is 13 years ago.
> New code should just use [1]

> [1]: https://www.geeksforgeeks.org/perl-given-when-statement/

Quick additional info:

I agree that using the old Switch module has a bad smell; but what
the old documentation of the old Switch module doesn't know is that
recommending given/when is also problematic, as this (and more
importantly the underlying smartmatch feature) are deprecated and
will be removed from perl.

Timeline:
- After years of discussions, the deprecation has landed in git
  recently:
  https://github.com/Perl/perl5/commit/ac8ba642ae7dadc7f3491e13148b8d1c45b84649
  and the commits around it
- This most probably will show up as new warnings in 5.37.10 (March
  2023, dev release) and 5.38.0 (May 2023, next release).
- Removal is currently planned for 5.42.0 (May 2025).

So starting to use given/when now is not really future-proof …

Currently there's no good way to write switch/case statements in Perl
(although there's hope that something will appear in perl core in the
future, maybe built on the experimental
https://metacpan.org/pod/Syntax::Keyword::Match ) … The safest way is
probably to go back to if/elsif/else …

Some more links:
https://blogs.perl.org/mt/mt-search.cgi?limit=20&search=smartmatch
https://www.nntp.perl.org/group/perl.perl5.porters/2022/12/msg265180.html
https://leonerds-code.blogspot.com/2022/06/a-troubling-thought-smartmatch.html

Cheers,
gregor, Debian Perl Group

--
 .''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
 `. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-

Mattia Rizzolo (mapreri) wrote :

Hi people,

I mentioned this thread in salsa in the MRs that added those dependencies.

https://salsa.debian.org/debian/devscripts/-/merge_requests/299
https://salsa.debian.org/debian/devscripts/-/merge_requests/311

I'd totally welcome somebody to propose changes that drop these modules.

Zixing Liu (liushuyu-011) wrote :

Hi all,

I have prepared a series of patches to remove the dependencies from devscripts.

Unfortunately, I don't have an account on the Debian Salsa GitLab instance, and it seems like the instance restricted new account creation, so I have to post the patches here.

Lukas Märdian (slyon) wrote :

Thanks to Zixing! We now have a merge-request pending in Debian salsa, to get these deprecated dependencies replaced: https://salsa.debian.org/debian/devscripts/-/merge_requests/336

Lukas Märdian (slyon)
Changed in libdigest-md5-file-perl (Ubuntu):
status: Incomplete → Won't Fix
Changed in libswitch-perl (Ubuntu):
status: Incomplete → Won't Fix
Changed in devscripts (Ubuntu):
status: Triaged → In Progress
Benjamin Drung (bdrung)
Changed in devscripts (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package devscripts - 2.23.3ubuntu2

---------------
devscripts (2.23.3ubuntu2) lunar; urgency=medium

  * Drop debpkg to make devscripts architecture all. Instead of debpkg please
    use sudo for debi (or, highly dangerous, make dpkg setuid root).
  * Revert special handling for i386

 -- Benjamin Drung <email address hidden> Mon, 20 Mar 2023 13:05:08 +0100

Changed in devscripts (Ubuntu):
status: Fix Committed → Fix Released
Benjamin Drung (bdrung)
tags: removed: foundations-todo