From: Pjotr Prins <pjotr.public12@thebird.nl>
To: "Thompson, David" <dthompson2@worcester.edu>
Cc: guix-devel <guix-devel@gnu.org>
Subject: Re: Ruby security updates
Date: Sat, 9 Jan 2016 05:40:56 +0100 [thread overview]
Message-ID: <20160109044056.GA18179@thebird.nl> (raw)
In-Reply-To: <CAJ=RwfYp4zjZBFJRLxjUh7Us5+svOTF_PA2O919N=93GKbPCyA@mail.gmail.com>
Ruby 1.8.7 is still being used. For me one of the selling points of
GNU Guix is that we can retain older packages when they are still
useful. The switch from Ruby 1.8 to 1.9 was quite intrusive and not
all software made the switch (similar to the python 2 to 3
switch). Some people argue that the software should be updated, but it
sometimes proves to be (too) hard or not worth the effort. Ruby 1.8 is
still a nice interpreter (it was the original Ruby by Matz).
If you run Ruby 1.8 in user space the security concerns are not really
relevant. There is no magic, Ruby can not circumvent the Linux
kernel's permissions.
So, the question here is not about security per se, it is more about
what packages do we retain in Guix. I think in this case, because
there are users, Ruby 1.8 belongs in Guix. Guix' versioning and
isolation allows for using different versions of software and
retaining Ruby 1.8's incompatibility with later Ruby's makes it a
distinct selling point for Guix.
Of course I can do without. But now I can point to others at the incompatiple
versions of Ruby we support, as well as Python, Perl and samtools, for example.
If you ditch 1.8.7 I won't be upset, but I hope you see my point. There is no
real cost attached and plenty upside :)
Pj.
On Fri, Jan 08, 2016 at 07:15:53PM -0500, Thompson, David wrote:
> On Fri, Jan 8, 2016 at 6:48 PM, Mark H Weaver <mhw@netris.org> wrote:
> > Some of our ruby versions may need security updates.
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1248935
> >
> > Can someone who cares about ruby please investigate?
>
> This particular issue is definitely fixed in Ruby 2.2.4 or later,
> which we upgraded very recently in response to this.
>
> Now, I suspect Pjotr will find issue with this, but I think we really
> should drop the Ruby 1.8.7 package because it is end-of-life and will
> *not* receive bug fixes or security updates.
>
> Thoughts?
>
> - Dave
>
--
next prev parent reply other threads:[~2016-01-09 4:41 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-08 23:48 Ruby security updates Mark H Weaver
2016-01-09 0:15 ` Thompson, David
2016-01-09 4:40 ` Pjotr Prins [this message]
2016-01-10 3:05 ` Mark H Weaver
2016-01-09 5:15 ` Ben Woodcroft
2016-01-09 9:04 ` Pjotr Prins
2016-01-09 9:53 ` Andreas Enge
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160109044056.GA18179@thebird.nl \
--to=pjotr.public12@thebird.nl \
--cc=dthompson2@worcester.edu \
--cc=guix-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).