From mboxrd@z Thu Jan  1 00:00:00 1970
From: Pjotr Prins <pjotr.public12@thebird.nl>
Subject: Re: Ruby security updates
Date: Sat, 9 Jan 2016 05:40:56 +0100
Message-ID: <20160109044056.GA18179@thebird.nl>
References: <87si271vks.fsf@netris.org>
	<CAJ=RwfYp4zjZBFJRLxjUh7Us5+svOTF_PA2O919N=93GKbPCyA@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:49342)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pjotr2016@thebird.nl>) id 1aHlLK-0000XD-Q4
	for guix-devel@gnu.org; Fri, 08 Jan 2016 23:41:35 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <pjotr2016@thebird.nl>) id 1aHlLF-0000rd-Qa
	for guix-devel@gnu.org; Fri, 08 Jan 2016 23:41:34 -0500
Received: from mail.thebird.nl ([95.154.246.10]:40284)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pjotr2016@thebird.nl>) id 1aHlLF-0000qa-KV
	for guix-devel@gnu.org; Fri, 08 Jan 2016 23:41:29 -0500
Content-Disposition: inline
In-Reply-To: <CAJ=RwfYp4zjZBFJRLxjUh7Us5+svOTF_PA2O919N=93GKbPCyA@mail.gmail.com>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: "Thompson, David" <dthompson2@worcester.edu>
Cc: guix-devel <guix-devel@gnu.org>

Ruby 1.8.7 is still being used.  For me one of the selling points of
GNU Guix is that we can retain older packages when they are still
useful. The switch from Ruby 1.8 to 1.9 was quite intrusive and not
all software made the switch (similar to the python 2 to 3
switch). Some people argue that the software should be updated, but it
sometimes proves to be (too) hard or not worth the effort. Ruby 1.8 is
still a nice interpreter (it was the original Ruby by Matz).

If you run Ruby 1.8 in user space the security concerns are not really
relevant. There is no magic, Ruby can not circumvent the Linux
kernel's permissions.

So, the question here is not about security per se, it is more about
what packages do we retain in Guix. I think in this case, because
there are users, Ruby 1.8 belongs in Guix. Guix' versioning and
isolation allows for using different versions of software and
retaining Ruby 1.8's incompatibility with later Ruby's makes it a
distinct selling point for Guix.

Of course I can do without. But now I can point to others at the incompatiple
versions of Ruby we support, as well as Python, Perl and samtools, for example.
If you ditch 1.8.7 I won't be upset, but I hope you see my point. There is no
real cost attached and plenty upside :)

Pj.

On Fri, Jan 08, 2016 at 07:15:53PM -0500, Thompson, David wrote:
> On Fri, Jan 8, 2016 at 6:48 PM, Mark H Weaver <mhw@netris.org> wrote:
> > Some of our ruby versions may need security updates.
> >
> >   https://bugzilla.redhat.com/show_bug.cgi?id=1248935
> >
> > Can someone who cares about ruby please investigate?
> 
> This particular issue is definitely fixed in Ruby 2.2.4 or later,
> which we upgraded very recently in response to this.
> 
> Now, I suspect Pjotr will find issue with this, but I think we really
> should drop the Ruby 1.8.7 package because it is end-of-life and will
> *not* receive bug fixes or security updates.
> 
> Thoughts?
> 
> - Dave
> 

--