From: Jonathan Corbet
To: Linus Torvalds
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, Akira Yokosawa
Subject: Re: [GIT PULL] Documentation for 6.8
References: <87sf37vegj.fsf@meer.lwn.net>
Date: Fri, 12 Jan 2024 07:43:39 -0700
Message-ID: <87v87yk3xg.fsf@meer.lwn.net>
X-Mailing-List: linux-kernel@vger.kernel.org

[Adding Akira]

Linus Torvalds writes:

> On Mon, 8 Jan 2024 at 10:59, Jonathan Corbet wrote:
>>
>> - The minimum Sphinx requirement has been raised to 2.4.4, following a
>>   warning that was added in 6.2.
>
> Well, speaking of warnings, github now has this "dependabot" thing
> that warns about bad minimum requirements due to tooling that has
> security issues.
>
> And it warns about our "jinja2 < 3.1" requirement, because apparently
> that can cause issues:
>
>   "The xmlattr filter in affected versions of Jinja accepts keys
>   containing spaces. XML/HTML attributes cannot contain spaces, as each
>   would then be interpreted as a separate attribute. If an application
>   accepts keys (as opposed to only values) as user input, and renders
>   these in pages that other users see as well, an attacker could use
>   this to inject other attributes and perform XSS. Note that accepting
>   keys as user input is not common or a particularly intended use case
>   of the xmlattr filter, and an application doing so should already be
>   verifying what keys are provided regardless of this fix"
>
> with affected versions being marked as < 3.1.3 and fixed in Jinja2 3.1.3
>
> I'm ignoring this github dependabot warning since the issue seems to
> be rather irrelevant for our doc use, but I thought I'd mention it.

I suppose it is worth looking into this, just in case a hostile docs
patch that nobody catches might somehow cause an exploit to show up on
docs.kernel.org.  Seems unlikely but it would be good to be sure.

Akira (CC'd) noted, in adding that requirement, that newer jinja2 breaks
Sphinx prior to 4.8.  I've been thinking that supporting 2.x is going to
prove increasingly unsustainable, but raising our minimum to 4.8 would
surely make some people unhappy.

I like the Python ecosystem for a lot of things, but its approach to API
compatibility is ... not great.

jon
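As an added illustration of the advisory's point (my own code, not Jinja's implementation and not part of the kernel docs build): a wrapper that builds an attribute string the way the xmlattr filter does but refuses any key that could be parsed as more than one attribute, plus an audit helper that lists such keys. Rejecting whitespace is what the advisory calls for; also rejecting `/`, `>`, `=` and quote characters is my assumption about what a conservative guard should do.

```python
import html
import re
from typing import Mapping, List, Optional

# A key containing any of these could terminate the attribute early or be
# read as a second attribute. Whitespace is the case from the advisory; the
# remaining characters are an assumption about a conservative guard.
_BAD_KEY_CHARS = re.compile(r"[\s/>=\"']")


def check_attr_key(key: str) -> None:
    """Raise ValueError unless `key` is a single, well-formed attribute name."""
    if not isinstance(key, str) or not key or _BAD_KEY_CHARS.search(key):
        raise ValueError(f"invalid XML/HTML attribute name: {key!r}")


def safe_xmlattr(attrs: Mapping[str, Optional[object]]) -> str:
    """Build ' k="v" k2="v2"' as xmlattr does, but validate every key.

    Values are HTML-escaped; None values are skipped. Keys are checked
    before anything is emitted, so a bad key aborts the whole render
    instead of producing a partially built string.
    """
    parts: List[str] = []
    for key, value in attrs.items():
        if value is None:
            continue
        check_attr_key(key)
        parts.append(f'{key}="{html.escape(str(value), quote=True)}"')
    return (" " + " ".join(parts)) if parts else ""


def find_bad_keys(attrs: Mapping[str, object]) -> List[str]:
    """Return the keys safe_xmlattr would reject (for logging or auditing)."""
    bad: List[str] = []
    for key in attrs:
        try:
            check_attr_key(key)
        except ValueError:
            bad.append(key)
    return bad
```

Running `find_bad_keys` over template contexts in a review step is a cheap way to confirm that no key reaching xmlattr ever comes from user input, which is the condition the advisory says must already hold.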