unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* Ruby security updates
@ 2016-01-08 23:48 Mark H Weaver
  2016-01-09  0:15 ` Thompson, David
  0 siblings, 1 reply; 7+ messages in thread
From: Mark H Weaver @ 2016-01-08 23:48 UTC (permalink / raw)
  To: guix-devel

Some of our ruby versions may need security updates.

  https://bugzilla.redhat.com/show_bug.cgi?id=1248935

Can someone who cares about ruby please investigate?

      Mark

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Ruby security updates
  2016-01-08 23:48 Ruby security updates Mark H Weaver
@ 2016-01-09  0:15 ` Thompson, David
  2016-01-09  4:40   ` Pjotr Prins
  2016-01-09  5:15   ` Ben Woodcroft
  0 siblings, 2 replies; 7+ messages in thread
From: Thompson, David @ 2016-01-09  0:15 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: guix-devel

On Fri, Jan 8, 2016 at 6:48 PM, Mark H Weaver <mhw@netris.org> wrote:
> Some of our ruby versions may need security updates.
>
>   https://bugzilla.redhat.com/show_bug.cgi?id=1248935
>
> Can someone who cares about ruby please investigate?

This particular issue is definitely fixed in Ruby 2.2.4 or later,
which we upgraded very recently in response to this.

Now, I suspect Pjotr will find issue with this, but I think we really
should drop the Ruby 1.8.7 package because it is end-of-life and will
*not* receive bug fixes or security updates.

Thoughts?

- Dave

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Ruby security updates
  2016-01-09  0:15 ` Thompson, David
@ 2016-01-09  4:40   ` Pjotr Prins
  2016-01-10  3:05     ` Mark H Weaver
  2016-01-09  5:15   ` Ben Woodcroft
  1 sibling, 1 reply; 7+ messages in thread
From: Pjotr Prins @ 2016-01-09  4:40 UTC (permalink / raw)
  To: Thompson, David; +Cc: guix-devel

Ruby 1.8.7 is still being used.  For me one of the selling points of
GNU Guix is that we can retain older packages when they are still
useful. The switch from Ruby 1.8 to 1.9 was quite intrusive and not
all software made the switch (similar to the python 2 to 3
switch). Some people argue that the software should be updated, but it
sometimes proves to be (too) hard or not worth the effort. Ruby 1.8 is
still a nice interpreter (it was the original Ruby by Matz).

If you run Ruby 1.8 in user space the security concerns are not really
relevant. There is no magic, Ruby can not circumvent the Linux
kernel's permissions.

So, the question here is not about security per se, it is more about
what packages do we retain in Guix. I think in this case, because
there are users, Ruby 1.8 belongs in Guix. Guix' versioning and
isolation allows for using different versions of software and
retaining Ruby 1.8's incompatibility with later Ruby's makes it a
distinct selling point for Guix.

Of course I can do without. But now I can point to others at the incompatiple
versions of Ruby we support, as well as Python, Perl and samtools, for example.
If you ditch 1.8.7 I won't be upset, but I hope you see my point. There is no
real cost attached and plenty upside :)

Pj.

On Fri, Jan 08, 2016 at 07:15:53PM -0500, Thompson, David wrote:
> On Fri, Jan 8, 2016 at 6:48 PM, Mark H Weaver <mhw@netris.org> wrote:
> > Some of our ruby versions may need security updates.
> >
> >   https://bugzilla.redhat.com/show_bug.cgi?id=1248935
> >
> > Can someone who cares about ruby please investigate?
> 
> This particular issue is definitely fixed in Ruby 2.2.4 or later,
> which we upgraded very recently in response to this.
> 
> Now, I suspect Pjotr will find issue with this, but I think we really
> should drop the Ruby 1.8.7 package because it is end-of-life and will
> *not* receive bug fixes or security updates.
> 
> Thoughts?
> 
> - Dave
> 

-- 

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Ruby security updates
  2016-01-09  0:15 ` Thompson, David
  2016-01-09  4:40   ` Pjotr Prins
@ 2016-01-09  5:15   ` Ben Woodcroft
  2016-01-09  9:04     ` Pjotr Prins
  2016-01-09  9:53     ` Andreas Enge
  1 sibling, 2 replies; 7+ messages in thread
From: Ben Woodcroft @ 2016-01-09  5:15 UTC (permalink / raw)
  To: Thompson, David, Mark H Weaver; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 976 bytes --]



On 09/01/16 10:15, Thompson, David wrote:
> On Fri, Jan 8, 2016 at 6:48 PM, Mark H Weaver <mhw@netris.org> wrote:
>> Some of our ruby versions may need security updates.
>>
>>    https://bugzilla.redhat.com/show_bug.cgi?id=1248935
>>
>> Can someone who cares about ruby please investigate?
> This particular issue is definitely fixed in Ruby 2.2.4 or later,
> which we upgraded very recently in response to this.
Indeed, but seems it also affects 2.1 < 2.1.8, where we have 2.1.6. I've 
attached a trivial patch that updates it - ok to push?
> Now, I suspect Pjotr will find issue with this, but I think we really
> should drop the Ruby 1.8.7 package because it is end-of-life and will
> *not* receive bug fixes or security updates.

In general though it is a shame to remove old packages, Guix seems well 
suited to keeping old software usable. Is there a more useful place for 
removed packages to go other than the trash? A collection of exported 
profiles perhaps?

ben

[-- Attachment #2: 0001-gnu-ruby-2.1-Update-to-2.1.8.patch --]
[-- Type: text/x-patch, Size: 1077 bytes --]

From 4c40fa0229dc2cb479227c16f23abad703101b70 Mon Sep 17 00:00:00 2001
From: Ben Woodcroft <donttrustben@gmail.com>
Date: Sat, 9 Jan 2016 14:53:58 +1000
Subject: [PATCH] gnu: ruby-2.1: Update to 2.1.8.

* gnu/packages/ruby.scm (ruby-2.1): Update to 2.1.8.
---
 gnu/packages/ruby.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 4ac3385..577be18 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -97,7 +97,7 @@ a focus on simplicity and productivity.")
 
 (define-public ruby-2.1
   (package (inherit ruby)
-    (version "2.1.6")
+    (version "2.1.8")
     (source
      (origin
        (method url-fetch)
@@ -106,7 +106,7 @@ a focus on simplicity and productivity.")
                            "/ruby-" version ".tar.bz2"))
        (sha256
         (base32
-         "1sbcmbhadcxk0509svwxbm2vvgmpf3xjxr1397bgp9x46nz36lkv"))))
+         "11rkbfc90cg9p9mzg32475alf3ddcn9q8a3ar3fwm5xskic0n395"))))
     (arguments
      `(#:test-target "test"
        #:parallel-tests? #f
-- 
2.6.3


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: Ruby security updates
  2016-01-09  5:15   ` Ben Woodcroft
@ 2016-01-09  9:04     ` Pjotr Prins
  2016-01-09  9:53     ` Andreas Enge
  1 sibling, 0 replies; 7+ messages in thread
From: Pjotr Prins @ 2016-01-09  9:04 UTC (permalink / raw)
  To: Ben Woodcroft; +Cc: guix-devel

On Sat, Jan 09, 2016 at 03:15:04PM +1000, Ben Woodcroft wrote:
> In general though it is a shame to remove old packages, Guix seems
> well suited to keeping old software usable. Is there a more useful
> place for removed packages to go other than the trash? A collection
> of exported profiles perhaps?
> 
> ben

Cool idea. Can we do that in the context of the Guix project? We could
maintain a git repo for that purpose. I would do it anyway, and this
way we could share.

Pj.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Ruby security updates
  2016-01-09  5:15   ` Ben Woodcroft
  2016-01-09  9:04     ` Pjotr Prins
@ 2016-01-09  9:53     ` Andreas Enge
  1 sibling, 0 replies; 7+ messages in thread
From: Andreas Enge @ 2016-01-09  9:53 UTC (permalink / raw)
  To: Ben Woodcroft; +Cc: guix-devel

On Sat, Jan 09, 2016 at 03:15:04PM +1000, Ben Woodcroft wrote:
> Indeed, but seems it also affects 2.1 < 2.1.8, where we have 2.1.6. I've
> attached a trivial patch that updates it - ok to push?

Definitely.

Andreas

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Ruby security updates
  2016-01-09  4:40   ` Pjotr Prins
@ 2016-01-10  3:05     ` Mark H Weaver
  0 siblings, 0 replies; 7+ messages in thread
From: Mark H Weaver @ 2016-01-10  3:05 UTC (permalink / raw)
  To: Pjotr Prins; +Cc: guix-devel

Pjotr Prins <pjotr.public12@thebird.nl> writes:

> Ruby 1.8.7 is still being used.  For me one of the selling points of
> GNU Guix is that we can retain older packages when they are still
> useful. The switch from Ruby 1.8 to 1.9 was quite intrusive and not
> all software made the switch (similar to the python 2 to 3
> switch). Some people argue that the software should be updated, but it
> sometimes proves to be (too) hard or not worth the effort. Ruby 1.8 is
> still a nice interpreter (it was the original Ruby by Matz).

Given this, there's a good chance that someone will backport the
security fix to Ruby 1.8.  Maybe it has already been done.  Would you
like to look?

      Mark

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2016-01-10  3:05 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-01-08 23:48 Ruby security updates Mark H Weaver
2016-01-09  0:15 ` Thompson, David
2016-01-09  4:40   ` Pjotr Prins
2016-01-10  3:05     ` Mark H Weaver
2016-01-09  5:15   ` Ben Woodcroft
2016-01-09  9:04     ` Pjotr Prins
2016-01-09  9:53     ` Andreas Enge

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).