* [PATCH 0/1]: Replace ruby with ruby-2.3.2.
@ 2016-11-18 23:32 Ben Woodcroft
2016-11-18 23:32 ` [PATCH] gnu: ruby: Replace with 2.3.2 [fixes CVE-2015-3900] Ben Woodcroft
0 siblings, 1 reply; 5+ messages in thread
From: Ben Woodcroft @ 2016-11-18 23:32 UTC (permalink / raw)
To: guix-devel
Hi there,
Ruby 2.3.2 was just released, and since it entails >300 rebuilds it is a good
candidate for staging I think.
I do not know of an easy way to check exactly which security fixes have been
applied beyond text searching the CHANGELOG, which isn't optimal so I believe
there are other fixes that have been applied beyond the one mentioned in the
commit message.
In pushing the update to staging, to avoid problems during the merge, is it
best to push this patch and then a second doing the actual update to staging?
Thanks,
ben
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH] gnu: ruby: Replace with 2.3.2 [fixes CVE-2015-3900].
2016-11-18 23:32 [PATCH 0/1]: Replace ruby with ruby-2.3.2 Ben Woodcroft
@ 2016-11-18 23:32 ` Ben Woodcroft
2016-11-19 15:28 ` Leo Famulari
0 siblings, 1 reply; 5+ messages in thread
From: Ben Woodcroft @ 2016-11-18 23:32 UTC (permalink / raw)
To: guix-devel
* gnu/packages/ruby.scm (ruby)[replacement]: New field.
(ruby-2.3.2): New variable.
---
gnu/packages/ruby.scm | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index e4c1ef0..f2b5de9 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -47,6 +47,7 @@
(define-public ruby
(package
(name "ruby")
+ (replacement ruby-2.3.2)
(version "2.3.1")
(source
(origin
@@ -101,6 +102,25 @@ a focus on simplicity and productivity.")
(home-page "https://ruby-lang.org")
(license license:ruby)))
+(define ruby-2.3.2
+ (package
+ (inherit ruby)
+ (version "2.3.2")
+ (source
+ (origin
+ (method url-fetch)
+ (uri (string-append "http://cache.ruby-lang.org/pub/ruby/"
+ (version-major+minor version)
+ "/ruby-" version ".tar.xz"))
+ (sha256
+ (base32
+ "031g76zxb2wp6988dmrpbqd98i17xi6l8q1115h83r2w0h8z6y2w"))
+ (modules '((guix build utils)))
+ (snippet `(begin
+ ;; Remove bundled libffi
+ (delete-file-recursively "ext/fiddle/libffi-3.2.1")
+ #t))))))
+
(define-public ruby-2.2
(package (inherit ruby)
(version "2.2.6")
--
2.10.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] gnu: ruby: Replace with 2.3.2 [fixes CVE-2015-3900].
2016-11-18 23:32 ` [PATCH] gnu: ruby: Replace with 2.3.2 [fixes CVE-2015-3900] Ben Woodcroft
@ 2016-11-19 15:28 ` Leo Famulari
2016-11-20 7:00 ` Ben Woodcroft
0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2016-11-19 15:28 UTC (permalink / raw)
To: Ben Woodcroft; +Cc: guix-devel
On Sat, Nov 19, 2016 at 09:32:09AM +1000, Ben Woodcroft wrote:
> * gnu/packages/ruby.scm (ruby)[replacement]: New field.
> (ruby-2.3.2): New variable.
> ---
> gnu/packages/ruby.scm | 20 ++++++++++++++++++++
> 1 file changed, 20 insertions(+)
>
> diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
> index e4c1ef0..f2b5de9 100644
> --- a/gnu/packages/ruby.scm
> +++ b/gnu/packages/ruby.scm
> @@ -47,6 +47,7 @@
> (define-public ruby
> (package
> (name "ruby")
> + (replacement ruby-2.3.2)
Remember that grafted replacements should have a compatible ABI.
This is the first result I found when searching for "Ruby ABI compatible"
https://www.ruby-lang.org/en/news/2013/12/21/ruby-version-policy-changes-with-2-1-0/
So, if they've kept that policy, this should be fine.
Thanks for taking care of this!
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] gnu: ruby: Replace with 2.3.2 [fixes CVE-2015-3900].
2016-11-19 15:28 ` Leo Famulari
@ 2016-11-20 7:00 ` Ben Woodcroft
2016-11-20 15:28 ` Leo Famulari
0 siblings, 1 reply; 5+ messages in thread
From: Ben Woodcroft @ 2016-11-20 7:00 UTC (permalink / raw)
To: Leo Famulari, Ben Woodcroft; +Cc: guix-devel
On 20/11/16 01:28, Leo Famulari wrote:
> On Sat, Nov 19, 2016 at 09:32:09AM +1000, Ben Woodcroft wrote:
>> * gnu/packages/ruby.scm (ruby)[replacement]: New field.
>> (ruby-2.3.2): New variable.
>> ---
>> gnu/packages/ruby.scm | 20 ++++++++++++++++++++
>> 1 file changed, 20 insertions(+)
>>
>> diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
>> index e4c1ef0..f2b5de9 100644
>> --- a/gnu/packages/ruby.scm
>> +++ b/gnu/packages/ruby.scm
>> @@ -47,6 +47,7 @@
>> (define-public ruby
>> (package
>> (name "ruby")
>> + (replacement ruby-2.3.2)
> Remember that grafted replacements should have a compatible ABI.
>
> This is the first result I found when searching for "Ruby ABI compatible"
>
> https://www.ruby-lang.org/en/news/2013/12/21/ruby-version-policy-changes-with-2-1-0/
>
> So, if they've kept that policy, this should be fine.
I can't see any evidence to the contrary. I also ran a compatibility
checker and it seemed to work out (while 2.3.2 vs 2.2.6 did not, as a
negative control).
https://lvc.github.io/abi-compliance-checker/
I'm not quite finished packaging it yet up to standard just yet, but I
pushed what I have here, in case it is useful in the meantime.
https://github.com/wwood/guix_mine/blob/master/ben/packages/local.scm
I pushed the graft to master and updated it directly on staging.
ben
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] gnu: ruby: Replace with 2.3.2 [fixes CVE-2015-3900].
2016-11-20 7:00 ` Ben Woodcroft
@ 2016-11-20 15:28 ` Leo Famulari
0 siblings, 0 replies; 5+ messages in thread
From: Leo Famulari @ 2016-11-20 15:28 UTC (permalink / raw)
To: Ben Woodcroft; +Cc: guix-devel
On Sun, Nov 20, 2016 at 05:00:58PM +1000, Ben Woodcroft wrote:
> I can't see any evidence to the contrary. I also ran a compatibility checker
> and it seemed to work out (while 2.3.2 vs 2.2.6 did not, as a negative
> control).
> https://lvc.github.io/abi-compliance-checker/
>
> I'm not quite finished packaging it yet up to standard just yet, but I
> pushed what I have here, in case it is useful in the meantime.
> https://github.com/wwood/guix_mine/blob/master/ben/packages/local.scm
>
> I pushed the graft to master and updated it directly on staging.
Thanks!
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-11-21 16:06 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-11-18 23:32 [PATCH 0/1]: Replace ruby with ruby-2.3.2 Ben Woodcroft
2016-11-18 23:32 ` [PATCH] gnu: ruby: Replace with 2.3.2 [fixes CVE-2015-3900] Ben Woodcroft
2016-11-19 15:28 ` Leo Famulari
2016-11-20 7:00 ` Ben Woodcroft
2016-11-20 15:28 ` Leo Famulari
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).