* [PATCH 0/1] Perl 5.24.0 update
@ 2016-08-16 22:43 Leo Famulari
2016-08-16 22:43 ` [PATCH 1/1] gnu: perl: Update to 5.24.0 Leo Famulari
2016-08-16 22:49 ` [PATCH 0/1] Perl 5.24.0 update Leo Famulari
0 siblings, 2 replies; 4+ messages in thread
From: Leo Famulari @ 2016-08-16 22:43 UTC (permalink / raw)
To: guix-devel
This updates Perl to 5.24.0.
I tested it by creating perl-next on master, and building that. I also
made perl-boot0 use perl-next and built that perl-boot0 successfully.
The patches for CVE-2015-8607 and CVE-2016-2381 are removed, since those
issues have been fixed in this release, in Perl commits 0b6f93036 and
ae37b791a7, respectively.
The perl-source-date-epoch patch was meant to prevent the encoding of
timestamps in man pages by the Pod::Man module. Podlators, which is the
source of Pod::Man, has been updated to 4.07 in this release of Perl
[0], and Pod::Man was made to respect the SOURCE_DATE_EPOCH environment
variable in 4.03 [1]. So this patch is removed.
And the perl-no-build-time patch deactivated the code that embedded the
compilation timestamp that is normally printed by `perl -V`. Perl 5.24.0
can take this value from the macro PERL_BUILD_DATE [2], so I removed the
old patch and added perl-reproducible-build-date.patch.
I don't love this patch... we could instead do something like what
happens in the Erlang package. There we instead get SOURCE_DATE_EPOCH
from the environment and do some format string transformations to make a
pretty date string.
Thoughts?
[0] https://metacpan.org/pod/distribution/perl/pod/perldelta.pod
[1] https://metacpan.org/pod/Pod::Man#date
[2] https://metacpan.org/pod/distribution/perl/pod/perldelta.pod#Configuration-and-Compilation
Leo Famulari (1):
gnu: perl: Update to 5.24.0.
gnu/local.mk | 5 +-
gnu/packages/patches/perl-CVE-2015-8607.patch | 68 ------------
gnu/packages/patches/perl-CVE-2016-2381.patch | 116 ---------------------
gnu/packages/patches/perl-no-build-time.patch | 26 -----
.../patches/perl-reproducible-build-date.patch | 17 +++
gnu/packages/patches/perl-source-date-epoch.patch | 19 ----
gnu/packages/perl.scm | 9 +-
7 files changed, 21 insertions(+), 239 deletions(-)
delete mode 100644 gnu/packages/patches/perl-CVE-2015-8607.patch
delete mode 100644 gnu/packages/patches/perl-CVE-2016-2381.patch
delete mode 100644 gnu/packages/patches/perl-no-build-time.patch
create mode 100644 gnu/packages/patches/perl-reproducible-build-date.patch
delete mode 100644 gnu/packages/patches/perl-source-date-epoch.patch
--
2.9.3
* [PATCH 1/1] gnu: perl: Update to 5.24.0.
2016-08-16 22:43 [PATCH 0/1] Perl 5.24.0 update Leo Famulari
@ 2016-08-16 22:43 ` Leo Famulari
2016-08-16 22:49 ` [PATCH 0/1] Perl 5.24.0 update Leo Famulari
1 sibling, 0 replies; 4+ messages in thread
From: Leo Famulari @ 2016-08-16 22:43 UTC (permalink / raw)
To: guix-devel
* gnu/packages/perl.scm: Update to 5.24.0.
[source]: Add and remove patches.
* gnu/packages/patches/perl-reproducible-build-date.patch: New file.
* gnu/packages/patches/perl-CVE-2015-8607.patch,
gnu/packages/patches/perl-CVE-2016-2381.patch,
gnu/packages/patches/perl-no-build-time.patch,
gnu/packages/patches/perl-source-date-epoch.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Add and remove patches.
---
gnu/local.mk | 5 +-
gnu/packages/patches/perl-CVE-2015-8607.patch | 68 ------------
gnu/packages/patches/perl-CVE-2016-2381.patch | 116 ---------------------
gnu/packages/patches/perl-no-build-time.patch | 26 -----
.../patches/perl-reproducible-build-date.patch | 17 +++
gnu/packages/patches/perl-source-date-epoch.patch | 19 ----
gnu/packages/perl.scm | 9 +-
7 files changed, 21 insertions(+), 239 deletions(-)
delete mode 100644 gnu/packages/patches/perl-CVE-2015-8607.patch
delete mode 100644 gnu/packages/patches/perl-CVE-2016-2381.patch
delete mode 100644 gnu/packages/patches/perl-no-build-time.patch
create mode 100644 gnu/packages/patches/perl-reproducible-build-date.patch
delete mode 100644 gnu/packages/patches/perl-source-date-epoch.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 314f40b..9fc5067 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -695,8 +695,6 @@ dist_patch_DATA = \
%D%/packages/patches/patch-hurd-path-max.patch \
%D%/packages/patches/pcre-CVE-2016-3191.patch \
%D%/packages/patches/pcre2-CVE-2016-3191.patch \
- %D%/packages/patches/perl-CVE-2015-8607.patch \
- %D%/packages/patches/perl-CVE-2016-2381.patch \
%D%/packages/patches/perl-autosplit-default-time.patch \
%D%/packages/patches/perl-deterministic-ordering.patch \
%D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \
@@ -705,10 +703,9 @@ dist_patch_DATA = \
%D%/packages/patches/perl-net-amazon-s3-moose-warning.patch \
%D%/packages/patches/perl-net-ssleay-disable-ede-test.patch \
%D%/packages/patches/perl-net-dns-resolver-programmable-Fix-broken-interface.patch \
- %D%/packages/patches/perl-no-build-time.patch \
%D%/packages/patches/perl-no-sys-dirs.patch \
%D%/packages/patches/perl-module-pluggable-search.patch \
- %D%/packages/patches/perl-source-date-epoch.patch \
+ %D%/packages/patches/perl-reproducible-build-date.patch \
%D%/packages/patches/pidgin-add-search-path.patch \
%D%/packages/patches/pinball-const-fix.patch \
%D%/packages/patches/pinball-cstddef.patch \
diff --git a/gnu/packages/patches/perl-CVE-2015-8607.patch b/gnu/packages/patches/perl-CVE-2015-8607.patch
deleted file mode 100644
index 4c25d41..0000000
--- a/gnu/packages/patches/perl-CVE-2015-8607.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 3a629609084d147838368262171b923f0770e564 Mon Sep 17 00:00:00 2001
-From: Tony Cook <tony@develop-help.com>
-Date: Tue, 15 Dec 2015 10:56:54 +1100
-Subject: ensure File::Spec::canonpath() preserves taint
-
-Previously the unix specific XS implementation of canonpath() would
-return an untainted path when supplied a tainted path.
-
-For the empty string case, newSVpvs() already sets taint as needed on
-its result.
-
-This issue was assigned CVE-2015-8607.
-
-Bug: https://rt.perl.org/Ticket/Display.html?id=126862
-Bug-Debian: https://bugs.debian.org/810719
-Origin: upstream
-Patch-Name: fixes/CVE-2015-8607_file_spec_taint_fix.diff
----
- dist/PathTools/Cwd.xs | 1 +
- dist/PathTools/t/taint.t | 19 ++++++++++++++++++-
- 2 files changed, 19 insertions(+), 1 deletion(-)
-
-diff --git a/dist/PathTools/Cwd.xs b/dist/PathTools/Cwd.xs
-index 9d4dcf0..3d018dc 100644
---- a/dist/PathTools/Cwd.xs
-+++ b/dist/PathTools/Cwd.xs
-@@ -535,6 +535,7 @@ THX_unix_canonpath(pTHX_ SV *path)
- *o = 0;
- SvPOK_on(retval);
- SvCUR_set(retval, o - SvPVX(retval));
-+ SvTAINT(retval);
- return retval;
- }
-
-diff --git a/dist/PathTools/t/taint.t b/dist/PathTools/t/taint.t
-index 309b3e5..48f8c5b 100644
---- a/dist/PathTools/t/taint.t
-+++ b/dist/PathTools/t/taint.t
-@@ -12,7 +12,7 @@ use Test::More;
- BEGIN {
- plan(
- ${^TAINT}
-- ? (tests => 17)
-+ ? (tests => 21)
- : (skip_all => "A perl without taint support")
- );
- }
-@@ -34,3 +34,20 @@ foreach my $func (@Functions) {
-
- # Previous versions of Cwd tainted $^O
- is !tainted($^O), 1, "\$^O should not be tainted";
-+
-+{
-+ # [perl #126862] canonpath() loses taint
-+ my $tainted = substr($ENV{PATH}, 0, 0);
-+ # yes, getcwd()'s result should be tainted, and is tested above
-+ # but be sure
-+ ok tainted(File::Spec->canonpath($tainted . Cwd::getcwd)),
-+ "canonpath() keeps taint on non-empty string";
-+ ok tainted(File::Spec->canonpath($tainted)),
-+ "canonpath() keeps taint on empty string";
-+
-+ (Cwd::getcwd() =~ /^(.*)/);
-+ my $untainted = $1;
-+ ok !tainted($untainted), "make sure our untainted value is untainted";
-+ ok !tainted(File::Spec->canonpath($untainted)),
-+ "canonpath() doesn't add taint to untainted string";
-+}
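Review bot: the header of this deleted file carries commit 3a629609084d147838368262171b923f0770e564 and no link to an upstream commit, while the cover letter justifies the removal with Perl commit 0b6f93036, so the equivalence cannot be checked from the patch itself. Before dropping it, confirm that dist/PathTools/Cwd.xs in the 5.24.0 tarball has `SvTAINT(retval);` ahead of `return retval;` in THX_unix_canonpath, and state that in the commit log.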
diff --git a/gnu/packages/patches/perl-CVE-2016-2381.patch b/gnu/packages/patches/perl-CVE-2016-2381.patch
deleted file mode 100644
index 99d1944..0000000
--- a/gnu/packages/patches/perl-CVE-2016-2381.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-Fix CVE-2016-2381 (ambiguous handling of duplicated environment variables).
-
-Copied from upstream:
-http://perl5.git.perl.org/perl.git/commit/ae37b791a73a9e78dedb89fb2429d2628cf58076
-
-References:
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381
-http://www.nntp.perl.org/group/perl.perl5.porters/2016/03/msg234747.html
-https://security-tracker.debian.org/tracker/CVE-2016-2381
-
----
-
-From 1237ea93fb2475a5ae576d5ee1358a5bb4ebe426 Mon Sep 17 00:00:00 2001
-From: Tony Cook <tony@develop-help.com>
-Date: Wed, 27 Jan 2016 11:52:15 +1100
-Subject: remove duplicate environment variables from environ
-
-If we see duplicate environment variables while iterating over
-environ[]:
-
-a) make sure we use the same value in %ENV that getenv() returns.
-
-Previously on a duplicate, %ENV would have the last entry for the name
-from environ[], but a typical getenv() would return the first entry.
-
-Rather than assuming all getenv() implementations return the first entry
-explicitly call getenv() to ensure they agree.
-
-b) remove duplicate entries from environ
-
-Previously if there was a duplicate definition for a name in environ[]
-setting that name in %ENV could result in an unsafe value being passed
-to a child process, so ensure environ[] has no duplicates.
-
-Patch-Name: fixes/CVE-2016-2381_duplicate_env.diff
----
- perl.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 49 insertions(+), 2 deletions(-)
-
-diff --git a/perl.c b/perl.c
-index 67d32ce..26aeb91 100644
---- a/perl.c
-+++ b/perl.c
-@@ -4277,23 +4277,70 @@ S_init_postdump_symbols(pTHX_ int argc, char **argv, char **env)
- }
- if (env) {
- char *s, *old_var;
-+ STRLEN nlen;
- SV *sv;
-+ HV *dups = newHV();
-+
- for (; *env; env++) {
- old_var = *env;
-
- if (!(s = strchr(old_var,'=')) || s == old_var)
- continue;
-+ nlen = s - old_var;
-
- #if defined(MSDOS) && !defined(DJGPP)
- *s = '\0';
- (void)strupr(old_var);
- *s = '=';
- #endif
-- sv = newSVpv(s+1, 0);
-- (void)hv_store(hv, old_var, s - old_var, sv, 0);
-+ if (hv_exists(hv, old_var, nlen)) {
-+ const char *name = savepvn(old_var, nlen);
-+
-+ /* make sure we use the same value as getenv(), otherwise code that
-+ uses getenv() (like setlocale()) might see a different value to %ENV
-+ */
-+ sv = newSVpv(PerlEnv_getenv(name), 0);
-+
-+ /* keep a count of the dups of this name so we can de-dup environ later */
-+ if (hv_exists(dups, name, nlen))
-+ ++SvIVX(*hv_fetch(dups, name, nlen, 0));
-+ else
-+ (void)hv_store(dups, name, nlen, newSViv(1), 0);
-+
-+ Safefree(name);
-+ }
-+ else {
-+ sv = newSVpv(s+1, 0);
-+ }
-+ (void)hv_store(hv, old_var, nlen, sv, 0);
- if (env_is_not_environ)
- mg_set(sv);
- }
-+ if (HvKEYS(dups)) {
-+ /* environ has some duplicate definitions, remove them */
-+ HE *entry;
-+ hv_iterinit(dups);
-+ while ((entry = hv_iternext_flags(dups, 0))) {
-+ STRLEN nlen;
-+ const char *name = HePV(entry, nlen);
-+ IV count = SvIV(HeVAL(entry));
-+ IV i;
-+ SV **valp = hv_fetch(hv, name, nlen, 0);
-+
-+ assert(valp);
-+
-+ /* try to remove any duplicate names, depending on the
-+ * implementation used in my_setenv() the iteration might
-+ * not be necessary, but let's be safe.
-+ */
-+ for (i = 0; i < count; ++i)
-+ my_setenv(name, 0);
-+
-+ /* and set it back to the value we set $ENV{name} to */
-+ my_setenv(name, SvPV_nolen(*valp));
-+ }
-+ }
-+ SvREFCNT_dec_NN(dups);
- }
- #endif /* USE_ENVIRON_ARRAY */
- #endif /* !PERL_MICRO */
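Review bot: the reason for dropping this fix is recorded only in the cover letter, which does not end up in the git history; the commit log for these files says just "Delete files". The header here cites upstream commit ae37b791a73a9e78dedb89fb2429d2628cf58076, which matches the ae37b791a7 named in the cover letter, so a line in the commit log saying that CVE-2016-2381 is fixed upstream in 5.24.0 by that commit would keep the trail for anyone auditing why a security patch disappeared.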
diff --git a/gnu/packages/patches/perl-no-build-time.patch b/gnu/packages/patches/perl-no-build-time.patch
deleted file mode 100644
index 5d78e8f..0000000
--- a/gnu/packages/patches/perl-no-build-time.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Do not record the configuration and build time so that builds can be
-reproduced bit-for-bit.
-
---- perl-5.22.0/Configure 1970-01-01 01:00:00.000000000 +0100
-+++ perl-5.22.0/Configure 2015-12-13 00:14:43.148165080 +0100
-@@ -3834,6 +3817,7 @@ esac
-
- : who configured the system
- cf_time=`LC_ALL=C; LANGUAGE=C; export LC_ALL; export LANGUAGE; $date 2>&1`
-+cf_time='Thu Jan 1 00:00:01 UTC 1970'
- case "$cf_by" in
- "")
- cf_by=`(logname) 2>/dev/null`
-
---- perl-5.22.0/perl.c 2015-12-13 00:25:30.269156627 +0100
-+++ perl-5.22.0/perl.c 2015-12-13 00:25:38.265218175 +0100
-@@ -1795,7 +1795,7 @@ S_Internals_V(pTHX_ CV *cv)
- PUSHs(Perl_newSVpvn_flags(aTHX_ non_bincompat_options,
- sizeof(non_bincompat_options) - 1, SVs_TEMP));
-
--#ifdef __DATE__
-+#if 0
- # ifdef __TIME__
- PUSHs(Perl_newSVpvn_flags(aTHX_
- STR_WITH_LEN("Compiled at " __DATE__ " " __TIME__),
-
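Review bot: the Configure part of this deleted patch, which pinned `cf_time='Thu Jan 1 00:00:01 UTC 1970'`, has no counterpart in perl-reproducible-build-date.patch, which only touches perl.c. Unless Configure in 5.24.0 no longer records the configuration time, cf_time goes back to the output of `$date` and the build stops being reproducible bit-for-bit; either keep that hunk as a separate patch or show that two builds of the new package come out identical.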
diff --git a/gnu/packages/patches/perl-reproducible-build-date.patch b/gnu/packages/patches/perl-reproducible-build-date.patch
new file mode 100644
index 0000000..d5bd25d
--- /dev/null
+++ b/gnu/packages/patches/perl-reproducible-build-date.patch
@@ -0,0 +1,17 @@
+Don't encode the current timestamp.
+
+This affects the output of `perl -V`, specifically the message "Compiled
+at [...]".
+
+diff --git a/perl.c b/perl.c
+index 228a0d8..ed38313 100644
+--- a/perl.c
++++ b/perl.c
+@@ -1825,6 +1825,7 @@ S_Internals_V(pTHX_ CV *cv)
+ PUSHs(Perl_newSVpvn_flags(aTHX_ non_bincompat_options,
+ sizeof(non_bincompat_options) - 1, SVs_TEMP));
+
++#define PERL_BUILD_DATE "Jan 1 1970 00:00:00"
+ #ifndef PERL_BUILD_DATE
+ # ifdef __DATE__
+ # ifdef __TIME__
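Review bot: the added `#define PERL_BUILD_DATE` sits unconditionally right above `#ifndef PERL_BUILD_DATE`, so the `__DATE__`/`__TIME__` branch below it can never be compiled and a PERL_BUILD_DATE supplied by the builder would collide with this definition. Since the macro exists so that the value can come from outside the source, consider passing it as a compiler define from the package definition and dropping this patch, or at least wrap the new line in its own `#ifndef PERL_BUILD_DATE` guard.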
diff --git a/gnu/packages/patches/perl-source-date-epoch.patch b/gnu/packages/patches/perl-source-date-epoch.patch
deleted file mode 100644
index 37330c9..0000000
--- a/gnu/packages/patches/perl-source-date-epoch.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Adapted from <https://bugs.debian.org/801621>.
-Make Pod::Man honor the SOURCE_DATE_EPOCH environment variable.
-
---- perl-5.22.0/cpan/podlators/lib/Pod/Man.pm 2015-12-12 22:33:03.321787590 +0100
-+++ perl-5.22.0/cpan/podlators/lib/Pod/Man.pm 2015-12-12 22:36:33.367361338 +0100
-@@ -884,7 +884,12 @@ sub devise_date {
- my ($self) = @_;
- my $input = $self->source_filename;
- my $time;
-- if ($input) {
-+
-+ if (defined($ENV{SOURCE_DATE_EPOCH}) &&
-+ $ENV{SOURCE_DATE_EPOCH} !~ /\D/) {
-+ $time = $ENV{SOURCE_DATE_EPOCH};
-+ }
-+ elsif ($input) {
- $time = (stat $input)[9] || time;
- } else {
- $time = time;
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index aef92f4..0a26e51 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -44,22 +44,19 @@
;; Yeah, Perl... It is required early in the bootstrap process by Linux.
(package
(name "perl")
- (version "5.22.1")
+ (version "5.24.0")
(source (origin
(method url-fetch)
(uri (string-append "http://www.cpan.org/src/5.0/perl-"
version ".tar.gz"))
(sha256
(base32
- "09wg24w5syyafyv87l6z8pxwz4bjgcdj996bx5844k6m9445sirb"))
+ "00jj8zr8fnihrxxhl8h936ssczv5x86qb618yz1ig40d1rp0qhvy"))
(patches (search-patches
"perl-no-sys-dirs.patch"
"perl-autosplit-default-time.patch"
- "perl-source-date-epoch.patch"
"perl-deterministic-ordering.patch"
- "perl-no-build-time.patch"
- "perl-CVE-2015-8607.patch"
- "perl-CVE-2016-2381.patch"))))
+ "perl-reproducible-build-date.patch"))))
(build-system gnu-build-system)
(arguments
'(#:tests? #f
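Review bot: `#:tests? #f` stays in the context below the patch list, so the build does not run Perl's test suite, including the taint.t cases that the dropped perl-CVE-2015-8607.patch added. With "perl-CVE-2015-8607.patch" and "perl-CVE-2016-2381.patch" gone from `search-patches`, nothing in this package checks that 5.24.0 really contains both fixes; run those tests once by hand against the new build and mention the result in the submission.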
--
2.9.3
* Re: [PATCH 0/1] Perl 5.24.0 update
2016-08-16 22:43 [PATCH 0/1] Perl 5.24.0 update Leo Famulari
2016-08-16 22:43 ` [PATCH 1/1] gnu: perl: Update to 5.24.0 Leo Famulari
@ 2016-08-16 22:49 ` Leo Famulari
2016-08-17 7:01 ` Ricardo Wurmus
1 sibling, 1 reply; 4+ messages in thread
From: Leo Famulari @ 2016-08-16 22:49 UTC (permalink / raw)
To: guix-devel
On Tue, Aug 16, 2016 at 06:43:57PM -0400, Leo Famulari wrote:
> And the perl-no-build-time patch deactivated the code that embedded the
> compilation timestamp that is normally printed by `perl -V`. Perl 5.24.0
> can take this value from the macro PERL_BUILD_DATE [2], so I removed the
> old patch and added perl-reproducible-build-date.patch.
>
> I don't love this patch... we could instead do something like what
> happens in the Erlang package. There we instead get SOURCE_DATE_EPOCH
> from the environment and do some format string transformations to make a
> pretty date string.
We could also just keep the perl-no-build-time patch in place. There is
not much point in doing work just to make `perl -V` print a nonsense
date (Unix epoch) IMO.
* Re: [PATCH 0/1] Perl 5.24.0 update
2016-08-16 22:49 ` [PATCH 0/1] Perl 5.24.0 update Leo Famulari
@ 2016-08-17 7:01 ` Ricardo Wurmus
0 siblings, 0 replies; 4+ messages in thread
From: Ricardo Wurmus @ 2016-08-17 7:01 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Leo Famulari <leo@famulari.name> writes:
> On Tue, Aug 16, 2016 at 06:43:57PM -0400, Leo Famulari wrote:
>> And the perl-no-build-time patch deactivated the code that embedded the
>> compilation timestamp that is normally printed by `perl -V`. Perl 5.24.0
>> can take this value from the macro PERL_BUILD_DATE [2], so I removed the
>> old patch and added perl-reproducible-build-date.patch.
>>
>> I don't love this patch... we could instead do something like what
>> happens in the Erlang package. There we instead get SOURCE_DATE_EPOCH
>> from the environment and do some format string transformations to make a
>> pretty date string.
>
> We could also just keep the perl-no-build-time patch in place. There is
> not much point in doing work just to make `perl -V` print a nonsense
> date (Unix epoch) IMO.
What you sent looks good. It is important to let “perl -V” print a date
(even if it is useless) to avoid breaking third-party software that
expects a date to be printed.
Your patch to just define the date as the epoch seems fine to me.
~~ Ricardo