[PATCH 0/1]: Replace ruby with ruby-2.3.2.

all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed

* [PATCH 0/1]: Replace ruby with ruby-2.3.2.
@ 2016-11-18 23:32 Ben Woodcroft
  2016-11-18 23:32 ` [PATCH] gnu: ruby: Replace with 2.3.2 [fixes CVE-2015-3900] Ben Woodcroft
  0 siblings, 1 reply; 5+ messages in thread
From: Ben Woodcroft @ 2016-11-18 23:32 UTC (permalink / raw)
  To: guix-devel

Hi there,

Ruby 2.3.2 was just released, and since it entails >300 rebuilds it is a good
candidate for staging I think.

I do not know of an easy way to check exactly which security fixes have been
applied beyond text searching the CHANGELOG, which isn't optimal so I believe
there are other fixes that have been applied beyond the one mentioned in the
commit message.

In pushing the update to staging, to avoid problems during the merge, is it
best to push this patch and then a second doing the actual update to staging?

Thanks,
ben

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH] gnu: ruby: Replace with 2.3.2 [fixes CVE-2015-3900].
  2016-11-18 23:32 [PATCH 0/1]: Replace ruby with ruby-2.3.2 Ben Woodcroft
@ 2016-11-18 23:32 ` Ben Woodcroft
  2016-11-19 15:28   ` Leo Famulari
  0 siblings, 1 reply; 5+ messages in thread
From: Ben Woodcroft @ 2016-11-18 23:32 UTC (permalink / raw)
  To: guix-devel

* gnu/packages/ruby.scm (ruby)[replacement]: New field.
(ruby-2.3.2): New variable.
---
 gnu/packages/ruby.scm | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index e4c1ef0..f2b5de9 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -47,6 +47,7 @@
 (define-public ruby
   (package
     (name "ruby")
+    (replacement ruby-2.3.2)
     (version "2.3.1")
     (source
      (origin
@@ -101,6 +102,25 @@ a focus on simplicity and productivity.")
     (home-page "https://ruby-lang.org")
     (license license:ruby)))
 
+(define ruby-2.3.2
+  (package
+    (inherit ruby)
+    (version "2.3.2")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "http://cache.ruby-lang.org/pub/ruby/"
+                           (version-major+minor version)
+                           "/ruby-" version ".tar.xz"))
+       (sha256
+        (base32
+         "031g76zxb2wp6988dmrpbqd98i17xi6l8q1115h83r2w0h8z6y2w"))
+       (modules '((guix build utils)))
+       (snippet `(begin
+                   ;; Remove bundled libffi
+                   (delete-file-recursively "ext/fiddle/libffi-3.2.1")
+                   #t))))))
+
 (define-public ruby-2.2
   (package (inherit ruby)
     (version "2.2.6")
-- 
2.10.0

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] gnu: ruby: Replace with 2.3.2 [fixes CVE-2015-3900].
  2016-11-18 23:32 ` [PATCH] gnu: ruby: Replace with 2.3.2 [fixes CVE-2015-3900] Ben Woodcroft
@ 2016-11-19 15:28   ` Leo Famulari
  2016-11-20  7:00     ` Ben Woodcroft
  0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2016-11-19 15:28 UTC (permalink / raw)
  To: Ben Woodcroft; +Cc: guix-devel

On Sat, Nov 19, 2016 at 09:32:09AM +1000, Ben Woodcroft wrote:
> * gnu/packages/ruby.scm (ruby)[replacement]: New field.
> (ruby-2.3.2): New variable.
> ---
>  gnu/packages/ruby.scm | 20 ++++++++++++++++++++
>  1 file changed, 20 insertions(+)
> 
> diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
> index e4c1ef0..f2b5de9 100644
> --- a/gnu/packages/ruby.scm
> +++ b/gnu/packages/ruby.scm
> @@ -47,6 +47,7 @@
>  (define-public ruby
>    (package
>      (name "ruby")
> +    (replacement ruby-2.3.2)

Remember that grafted replacements should have a compatible ABI.

This is the first result I found when searching for "Ruby ABI compatible"

https://www.ruby-lang.org/en/news/2013/12/21/ruby-version-policy-changes-with-2-1-0/

So, if they've kept that policy, this should be fine.

Thanks for taking care of this!

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] gnu: ruby: Replace with 2.3.2 [fixes CVE-2015-3900].
  2016-11-19 15:28   ` Leo Famulari
@ 2016-11-20  7:00     ` Ben Woodcroft
  2016-11-20 15:28       ` Leo Famulari
  0 siblings, 1 reply; 5+ messages in thread
From: Ben Woodcroft @ 2016-11-20  7:00 UTC (permalink / raw)
  To: Leo Famulari, Ben Woodcroft; +Cc: guix-devel

On 20/11/16 01:28, Leo Famulari wrote:
> On Sat, Nov 19, 2016 at 09:32:09AM +1000, Ben Woodcroft wrote:
>> * gnu/packages/ruby.scm (ruby)[replacement]: New field.
>> (ruby-2.3.2): New variable.
>> ---
>>   gnu/packages/ruby.scm | 20 ++++++++++++++++++++
>>   1 file changed, 20 insertions(+)
>>
>> diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
>> index e4c1ef0..f2b5de9 100644
>> --- a/gnu/packages/ruby.scm
>> +++ b/gnu/packages/ruby.scm
>> @@ -47,6 +47,7 @@
>>   (define-public ruby
>>     (package
>>       (name "ruby")
>> +    (replacement ruby-2.3.2)
> Remember that grafted replacements should have a compatible ABI.
>
> This is the first result I found when searching for "Ruby ABI compatible"
>
> https://www.ruby-lang.org/en/news/2013/12/21/ruby-version-policy-changes-with-2-1-0/
>
> So, if they've kept that policy, this should be fine.
I can't see any evidence to the contrary. I also ran a compatibility 
checker and it seemed to work out (while 2.3.2 vs 2.2.6 did not, as a 
negative control).
https://lvc.github.io/abi-compliance-checker/

I'm not quite finished packaging it yet up to standard just yet, but I 
pushed what I have here, in case it is useful in the meantime.
https://github.com/wwood/guix_mine/blob/master/ben/packages/local.scm

I pushed the graft to master and updated it directly on staging.

ben

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] gnu: ruby: Replace with 2.3.2 [fixes CVE-2015-3900].
  2016-11-20  7:00     ` Ben Woodcroft
@ 2016-11-20 15:28       ` Leo Famulari
  0 siblings, 0 replies; 5+ messages in thread
From: Leo Famulari @ 2016-11-20 15:28 UTC (permalink / raw)
  To: Ben Woodcroft; +Cc: guix-devel

On Sun, Nov 20, 2016 at 05:00:58PM +1000, Ben Woodcroft wrote:
> I can't see any evidence to the contrary. I also ran a compatibility checker
> and it seemed to work out (while 2.3.2 vs 2.2.6 did not, as a negative
> control).
> https://lvc.github.io/abi-compliance-checker/
> 
> I'm not quite finished packaging it yet up to standard just yet, but I
> pushed what I have here, in case it is useful in the meantime.
> https://github.com/wwood/guix_mine/blob/master/ben/packages/local.scm
> 
> I pushed the graft to master and updated it directly on staging.

Thanks!

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2016-11-21 16:06 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-11-18 23:32 [PATCH 0/1]: Replace ruby with ruby-2.3.2 Ben Woodcroft
2016-11-18 23:32 ` [PATCH] gnu: ruby: Replace with 2.3.2 [fixes CVE-2015-3900] Ben Woodcroft
2016-11-19 15:28   ` Leo Famulari
2016-11-20  7:00     ` Ben Woodcroft
2016-11-20 15:28       ` Leo Famulari

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.