Ruby security updates

Ruby security updates

[Mark H Weaver]

Some of our ruby versions may need security updates.

  https://bugzilla.redhat.com/show_bug.cgi?id=1248935

Can someone who cares about ruby please investigate?

      Mark

Re: Ruby security updates

[Thompson, David]

On Fri, Jan 8, 2016 at 6:48 PM, Mark H Weaver <mhw@netris.org> wrote:
> Some of our ruby versions may need security updates.
>
>   https://bugzilla.redhat.com/show_bug.cgi?id=1248935
>
> Can someone who cares about ruby please investigate?

This particular issue is definitely fixed in Ruby 2.2.4 or later,
which we upgraded very recently in response to this.

Now, I suspect Pjotr will find issue with this, but I think we really
should drop the Ruby 1.8.7 package because it is end-of-life and will
*not* receive bug fixes or security updates.

Thoughts?

- Dave

Re: Ruby security updates

[Pjotr Prins]

Ruby 1.8.7 is still being used.  For me one of the selling points of
GNU Guix is that we can retain older packages when they are still
useful. The switch from Ruby 1.8 to 1.9 was quite intrusive and not
all software made the switch (similar to the python 2 to 3
switch). Some people argue that the software should be updated, but it
sometimes proves to be (too) hard or not worth the effort. Ruby 1.8 is
still a nice interpreter (it was the original Ruby by Matz).

If you run Ruby 1.8 in user space the security concerns are not really
relevant. There is no magic, Ruby can not circumvent the Linux
kernel's permissions.

So, the question here is not about security per se, it is more about
what packages do we retain in Guix. I think in this case, because
there are users, Ruby 1.8 belongs in Guix. Guix' versioning and
isolation allows for using different versions of software and
retaining Ruby 1.8's incompatibility with later Ruby's makes it a
distinct selling point for Guix.

Of course I can do without. But now I can point to others at the incompatiple
versions of Ruby we support, as well as Python, Perl and samtools, for example.
If you ditch 1.8.7 I won't be upset, but I hope you see my point. There is no
real cost attached and plenty upside :)

Pj.

On Fri, Jan 08, 2016 at 07:15:53PM -0500, Thompson, David wrote:
> On Fri, Jan 8, 2016 at 6:48 PM, Mark H Weaver <mhw@netris.org> wrote:
> > Some of our ruby versions may need security updates.
> >
> >   https://bugzilla.redhat.com/show_bug.cgi?id=1248935
> >
> > Can someone who cares about ruby please investigate?
> 
> This particular issue is definitely fixed in Ruby 2.2.4 or later,
> which we upgraded very recently in response to this.
> 
> Now, I suspect Pjotr will find issue with this, but I think we really
> should drop the Ruby 1.8.7 package because it is end-of-life and will
> *not* receive bug fixes or security updates.
> 
> Thoughts?
> 
> - Dave
> 

-- 

Re: Ruby security updates

[Ben Woodcroft]

[-- Attachment #1: Type: text/plain, Size: 976 bytes --]



On 09/01/16 10:15, Thompson, David wrote:
> On Fri, Jan 8, 2016 at 6:48 PM, Mark H Weaver <mhw@netris.org> wrote:
>> Some of our ruby versions may need security updates.
>>
>>    https://bugzilla.redhat.com/show_bug.cgi?id=1248935
>>
>> Can someone who cares about ruby please investigate?
> This particular issue is definitely fixed in Ruby 2.2.4 or later,
> which we upgraded very recently in response to this.
Indeed, but seems it also affects 2.1 < 2.1.8, where we have 2.1.6. I've 
attached a trivial patch that updates it - ok to push?
> Now, I suspect Pjotr will find issue with this, but I think we really
> should drop the Ruby 1.8.7 package because it is end-of-life and will
> *not* receive bug fixes or security updates.

In general though it is a shame to remove old packages, Guix seems well 
suited to keeping old software usable. Is there a more useful place for 
removed packages to go other than the trash? A collection of exported 
profiles perhaps?

ben

[-- Attachment #2: 0001-gnu-ruby-2.1-Update-to-2.1.8.patch --]
[-- Type: text/x-patch, Size: 1077 bytes --]

From 4c40fa0229dc2cb479227c16f23abad703101b70 Mon Sep 17 00:00:00 2001
From: Ben Woodcroft <donttrustben@gmail.com>
Date: Sat, 9 Jan 2016 14:53:58 +1000
Subject: [PATCH] gnu: ruby-2.1: Update to 2.1.8.

* gnu/packages/ruby.scm (ruby-2.1): Update to 2.1.8.
---
 gnu/packages/ruby.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 4ac3385..577be18 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -97,7 +97,7 @@ a focus on simplicity and productivity.")
 
 (define-public ruby-2.1
   (package (inherit ruby)
-    (version "2.1.6")
+    (version "2.1.8")
     (source
      (origin
        (method url-fetch)
@@ -106,7 +106,7 @@ a focus on simplicity and productivity.")
                            "/ruby-" version ".tar.bz2"))
        (sha256
         (base32
-         "1sbcmbhadcxk0509svwxbm2vvgmpf3xjxr1397bgp9x46nz36lkv"))))
+         "11rkbfc90cg9p9mzg32475alf3ddcn9q8a3ar3fwm5xskic0n395"))))
     (arguments
      `(#:test-target "test"
        #:parallel-tests? #f
-- 
2.6.3

Re: Ruby security updates

[Pjotr Prins]

On Sat, Jan 09, 2016 at 03:15:04PM +1000, Ben Woodcroft wrote:
> In general though it is a shame to remove old packages, Guix seems
> well suited to keeping old software usable. Is there a more useful
> place for removed packages to go other than the trash? A collection
> of exported profiles perhaps?
> 
> ben

Cool idea. Can we do that in the context of the Guix project? We could
maintain a git repo for that purpose. I would do it anyway, and this
way we could share.

Pj.

Re: Ruby security updates

[Andreas Enge]

On Sat, Jan 09, 2016 at 03:15:04PM +1000, Ben Woodcroft wrote:
> Indeed, but seems it also affects 2.1 < 2.1.8, where we have 2.1.6. I've
> attached a trivial patch that updates it - ok to push?

Definitely.

Andreas

Re: Ruby security updates

[Mark H Weaver]

Pjotr Prins <pjotr.public12@thebird.nl> writes:

> Ruby 1.8.7 is still being used.  For me one of the selling points of
> GNU Guix is that we can retain older packages when they are still
> useful. The switch from Ruby 1.8 to 1.9 was quite intrusive and not
> all software made the switch (similar to the python 2 to 3
> switch). Some people argue that the software should be updated, but it
> sometimes proves to be (too) hard or not worth the effort. Ruby 1.8 is
> still a nice interpreter (it was the original Ruby by Matz).

Given this, there's a good chance that someone will backport the
security fix to Ruby 1.8.  Maybe it has already been done.  Would you
like to look?

      Mark