unofficial mirror of guix-devel@gnu.org 
* [PATCH 0/1]: Replace ruby with ruby-2.3.2.
@ 2016-11-18 23:32 Ben Woodcroft
  2016-11-18 23:32 ` [PATCH] gnu: ruby: Replace with 2.3.2 [fixes CVE-2015-3900] Ben Woodcroft
  0 siblings, 1 reply; 5+ messages in thread
From: Ben Woodcroft @ 2016-11-18 23:32 UTC (permalink / raw)
  To: guix-devel

Hi there,

Ruby 2.3.2 was just released, and since it entails >300 rebuilds it is a good
candidate for staging I think.

I do not know of an easy way to check exactly which security fixes have been
applied beyond text searching the CHANGELOG, which isn't optimal so I believe
there are other fixes that have been applied beyond the one mentioned in the
commit message.

In pushing the update to staging, to avoid problems during the merge, is it
best to push this patch and then a second doing the actual update to staging?

Thanks,
ben
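The cover letter above notes that the only way to see which security fixes a release carries is to text-search the changelog. The script below is an added example, not code from the thread or from Guix: it scans a release-notes file for CVE identifiers per version section, so the set of advisories between the graft's old and new versions can be listed and each mention reviewed. The "Version X.Y.Z" header format and the sample changelog are assumptions constructed for the example; CVE-2015-3900 is the identifier named in the thread, and CVE-0000-0001 is a placeholder, not a real advisory.

```python
"""Scan a release changelog for CVE identifiers, grouped by version section.

Added example for the guix-devel thread, not part of it. The changelog
layout is an assumption: a section starts with a line "Version X.Y.Z" and
is followed by entry lines. Other release-notes layouts need their own
header regex.
"""
import re

# A CVE id is CVE-<4-digit year>-<4 or more digits>; word boundaries keep
# "CVE-2015-39001" from being reported as "CVE-2015-3900".
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
VERSION_HEADER_RE = re.compile(r"^Version\s+(\d+(?:\.\d+)+)\s*$")

# Constructed sample input in the assumed format. CVE-2015-3900 is the id
# named in the thread; CVE-0000-0001 is a placeholder, not a real advisory.
SAMPLE_CHANGELOG = """\
Version 2.3.2
  * rubygems: security update, fixes CVE-2015-3900.
  * net/http: hardening, referenced as CVE-0000-0001 (placeholder id).
  * ext/fiddle: drop bundled libffi sources.
  * Fix a crash in String#encode; see CVE-2015-3900 for the related report.

Version 2.3.1
  * Bug fixes only; no security advisories referenced.

Version 2.3.0
  * Initial 2.3 release.
"""


def parse_version(version):
    """'2.10.0' -> (2, 10, 0), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def split_sections(text):
    """Return [(version, [entry lines])] in file order.

    Lines before the first "Version" header belong to no section and are
    ignored; continuation lines stay with their section so a CVE id on a
    wrapped line is still attributed to the right release.
    """
    sections = []
    current = None
    for line in text.splitlines():
        match = VERSION_HEADER_RE.match(line)
        if match:
            current = (match.group(1), [])
            sections.append(current)
        elif current is not None:
            current[1].append(line)
    return sections


def cves_by_version(text):
    """Map each version section to the set of CVE ids its entries mention."""
    return {
        version: {cve for line in lines for cve in CVE_RE.findall(line)}
        for version, lines in split_sections(text)
    }


def cves_between(text, old_version, new_version):
    """CVE ids in sections newer than old_version and up to new_version.

    Deduplicated and sorted, so an advisory cited in two entries appears once.
    For a graft this is the range between the grafted and replacement versions.
    """
    low, high = parse_version(old_version), parse_version(new_version)
    found = set()
    for version, cves in cves_by_version(text).items():
        if low < parse_version(version) <= high:
            found |= cves
    return sorted(found)


def mention_lines(text, cve_id):
    """Every entry line naming cve_id, with its version, for manual review."""
    return [
        (version, line.strip())
        for version, lines in split_sections(text)
        for line in lines
        if cve_id in line
    ]


if __name__ == "__main__":
    # Report what the 2.3.1 -> 2.3.2 bump in the sample changelog addresses.
    for cve in cves_between(SAMPLE_CHANGELOG, "2.3.1", "2.3.2"):
        print(cve)
        for version, line in mention_lines(SAMPLE_CHANGELOG, cve):
            print(f"  [{version}] {line}")
```

The result is only as complete as the changelog: a fix that was never annotated with a CVE id is invisible to this scan, which is why the output is a list of mentions to review rather than a verdict that the graft covers every advisory.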


* [PATCH] gnu: ruby: Replace with 2.3.2 [fixes CVE-2015-3900].
  2016-11-18 23:32 [PATCH 0/1]: Replace ruby with ruby-2.3.2 Ben Woodcroft
@ 2016-11-18 23:32 ` Ben Woodcroft
  2016-11-19 15:28   ` Leo Famulari
  0 siblings, 1 reply; 5+ messages in thread
From: Ben Woodcroft @ 2016-11-18 23:32 UTC (permalink / raw)
  To: guix-devel

* gnu/packages/ruby.scm (ruby)[replacement]: New field.
(ruby-2.3.2): New variable.
---
 gnu/packages/ruby.scm | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index e4c1ef0..f2b5de9 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -47,6 +47,7 @@
 (define-public ruby
   (package
     (name "ruby")
+    (replacement ruby-2.3.2)
     (version "2.3.1")
     (source
      (origin
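Review bot: the `(replacement ruby-2.3.2)` field on the fourth line of this hunk makes this a graft, so every package built against ruby 2.3.1 gets 2.3.2 substituted at use time without being rebuilt; that is only sound if 2.3.2 is ABI-compatible with 2.3.1 (same shared-library soname and exported symbols, same outputs). Referencing `ruby-2.3.2` before its definition further down the file is fine because `replacement` is a thunked field, but the commit message should record how ABI compatibility was checked and list the advisories the bump addresses, since the cover letter says the full set of security fixes in 2.3.2 was not verified beyond the one CVE in the subject.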
@@ -101,6 +102,25 @@ a focus on simplicity and productivity.")
     (home-page "https://ruby-lang.org")
     (license license:ruby)))
 
+(define ruby-2.3.2
+  (package
+    (inherit ruby)
+    (version "2.3.2")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "http://cache.ruby-lang.org/pub/ruby/"
+                           (version-major+minor version)
+                           "/ruby-" version ".tar.xz"))
+       (sha256
+        (base32
+         "031g76zxb2wp6988dmrpbqd98i17xi6l8q1115h83r2w0h8z6y2w"))
+       (modules '((guix build utils)))
+       (snippet `(begin
+                   ;; Remove bundled libffi
+                   (delete-file-recursively "ext/fiddle/libffi-3.2.1")
+                   #t))))))
+
 (define-public ruby-2.2
   (package (inherit ruby)
     (version "2.2.6")
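Review bot: the replacement uses plain `define` rather than `define-public`, which matches the convention for graft-only variables, but two details in the hunk need checking. The `uri` fetches from `http://cache.ruby-lang.org/`; the pinned sha256 protects the tarball's integrity, yet an https URL should be preferred if the mirror serves it, so the download cannot be tampered with in transit before the hash is compared. The snippet hard-codes `ext/fiddle/libffi-3.2.1`; confirm that directory name against the 2.3.2 tarball, since `delete-file-recursively` on a path that is not there would fail the source unpack rather than silently skip it.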
-- 
2.10.0


* Re: [PATCH] gnu: ruby: Replace with 2.3.2 [fixes CVE-2015-3900].
  2016-11-18 23:32 ` [PATCH] gnu: ruby: Replace with 2.3.2 [fixes CVE-2015-3900] Ben Woodcroft
@ 2016-11-19 15:28   ` Leo Famulari
  2016-11-20  7:00     ` Ben Woodcroft
  0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2016-11-19 15:28 UTC (permalink / raw)
  To: Ben Woodcroft; +Cc: guix-devel

On Sat, Nov 19, 2016 at 09:32:09AM +1000, Ben Woodcroft wrote:
> * gnu/packages/ruby.scm (ruby)[replacement]: New field.
> (ruby-2.3.2): New variable.
> ---
>  gnu/packages/ruby.scm | 20 ++++++++++++++++++++
>  1 file changed, 20 insertions(+)
> 
> diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
> index e4c1ef0..f2b5de9 100644
> --- a/gnu/packages/ruby.scm
> +++ b/gnu/packages/ruby.scm
> @@ -47,6 +47,7 @@
>  (define-public ruby
>    (package
>      (name "ruby")
> +    (replacement ruby-2.3.2)

Remember that grafted replacements should have a compatible ABI.

This is the first result I found when searching for "Ruby ABI compatible":

https://www.ruby-lang.org/en/news/2013/12/21/ruby-version-policy-changes-with-2-1-0/

So, if they've kept that policy, this should be fine.

Thanks for taking care of this!


* Re: [PATCH] gnu: ruby: Replace with 2.3.2 [fixes CVE-2015-3900].
  2016-11-19 15:28   ` Leo Famulari
@ 2016-11-20  7:00     ` Ben Woodcroft
  2016-11-20 15:28       ` Leo Famulari
  0 siblings, 1 reply; 5+ messages in thread
From: Ben Woodcroft @ 2016-11-20  7:00 UTC (permalink / raw)
  To: Leo Famulari, Ben Woodcroft; +Cc: guix-devel

On 20/11/16 01:28, Leo Famulari wrote:
> On Sat, Nov 19, 2016 at 09:32:09AM +1000, Ben Woodcroft wrote:
>> * gnu/packages/ruby.scm (ruby)[replacement]: New field.
>> (ruby-2.3.2): New variable.
>> ---
>>   gnu/packages/ruby.scm | 20 ++++++++++++++++++++
>>   1 file changed, 20 insertions(+)
>>
>> diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
>> index e4c1ef0..f2b5de9 100644
>> --- a/gnu/packages/ruby.scm
>> +++ b/gnu/packages/ruby.scm
>> @@ -47,6 +47,7 @@
>>   (define-public ruby
>>     (package
>>       (name "ruby")
>> +    (replacement ruby-2.3.2)
> Remember that grafted replacements should have a compatible ABI.
>
> This is the first result I found when searching for "Ruby ABI compatible"
>
> https://www.ruby-lang.org/en/news/2013/12/21/ruby-version-policy-changes-with-2-1-0/
>
> So, if they've kept that policy, this should be fine.
I can't see any evidence to the contrary. I also ran a compatibility 
checker and it seemed to work out (while 2.3.2 vs 2.2.6 did not, as a 
negative control).
https://lvc.github.io/abi-compliance-checker/

I'm not quite finished packaging it up to standard just yet, but I 
pushed what I have here, in case it is useful in the meantime.
https://github.com/wwood/guix_mine/blob/master/ben/packages/local.scm

I pushed the graft to master and updated it directly on staging.

ben


* Re: [PATCH] gnu: ruby: Replace with 2.3.2 [fixes CVE-2015-3900].
  2016-11-20  7:00     ` Ben Woodcroft
@ 2016-11-20 15:28       ` Leo Famulari
  0 siblings, 0 replies; 5+ messages in thread
From: Leo Famulari @ 2016-11-20 15:28 UTC (permalink / raw)
  To: Ben Woodcroft; +Cc: guix-devel

On Sun, Nov 20, 2016 at 05:00:58PM +1000, Ben Woodcroft wrote:
> I can't see any evidence to the contrary. I also ran a compatibility checker
> and it seemed to work out (while 2.3.2 vs 2.2.6 did not, as a negative
> control).
> https://lvc.github.io/abi-compliance-checker/
> 
> I'm not quite finished packaging it up to standard just yet, but I
> pushed what I have here, in case it is useful in the meantime.
> https://github.com/wwood/guix_mine/blob/master/ben/packages/local.scm
> 
> I pushed the graft to master and updated it directly on staging.

Thanks!

