Re: Ruby security updates
Pjotr Prins writes: > Ruby 1.8.7 is still being used. For me one of the selling points of > GNU Guix is that we can retain older packages when they are still > useful. The switch from Ruby 1.8 to 1.9 was quite intrusive and not > all software made the switch (similar to the python 2 to 3 > switch). Some people argue that the software should be updated, but it > sometimes proves to be (too) hard or not worth the effort. Ruby 1.8 is > still a nice interpreter (it was the original Ruby by Matz). Given this, there's a good chance that someone will backport the security fix to Ruby 1.8. Maybe it has already been done. Would you like to look? Mark
Re: Ruby security updates
On Sat, Jan 09, 2016 at 03:15:04PM +1000, Ben Woodcroft wrote: > Indeed, but seems it also affects 2.1 < 2.1.8, where we have 2.1.6. I've > attached a trivial patch that updates it - ok to push? Definitely. Andreas
Re: Ruby security updates
On Sat, Jan 09, 2016 at 03:15:04PM +1000, Ben Woodcroft wrote: > In general though it is a shame to remove old packages, Guix seems > well suited to keeping old software usable. Is there a more useful > place for removed packages to go other than the trash? A collection > of exported profiles perhaps? > > ben Cool idea. Can we do that in the context of the Guix project? We could maintain a git repo for that purpose. I would do it anyway, and this way we could share. Pj.
Re: Ruby security updates
On 09/01/16 10:15, Thompson, David wrote: On Fri, Jan 8, 2016 at 6:48 PM, Mark H Weaver wrote: Some of our ruby versions may need security updates. https://bugzilla.redhat.com/show_bug.cgi?id=1248935 Can someone who cares about ruby please investigate? This particular issue is definitely fixed in Ruby 2.2.4 or later, which we upgraded very recently in response to this. Indeed, but seems it also affects 2.1 < 2.1.8, where we have 2.1.6. I've attached a trivial patch that updates it - ok to push? Now, I suspect Pjotr will find issue with this, but I think we really should drop the Ruby 1.8.7 package because it is end-of-life and will *not* receive bug fixes or security updates. In general though it is a shame to remove old packages, Guix seems well suited to keeping old software usable. Is there a more useful place for removed packages to go other than the trash? A collection of exported profiles perhaps? ben >From 4c40fa0229dc2cb479227c16f23abad703101b70 Mon Sep 17 00:00:00 2001 From: Ben Woodcroft Date: Sat, 9 Jan 2016 14:53:58 +1000 Subject: [PATCH] gnu: ruby-2.1: Update to 2.1.8. * gnu/packages/ruby.scm (ruby-2.1): Update to 2.1.8. --- gnu/packages/ruby.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm index 4ac3385..577be18 100644 --- a/gnu/packages/ruby.scm +++ b/gnu/packages/ruby.scm @@ -97,7 +97,7 @@ a focus on simplicity and productivity.") (define-public ruby-2.1 (package (inherit ruby) -(version "2.1.6") +(version "2.1.8") (source (origin (method url-fetch) @@ -106,7 +106,7 @@ a focus on simplicity and productivity.") "/ruby-" version ".tar.bz2")) (sha256 (base32 - "1sbcmbhadcxk0509svwxbm2vvgmpf3xjxr1397bgp9x46nz36lkv" + "11rkbfc90cg9p9mzg32475alf3ddcn9q8a3ar3fwm5xskic0n395" (arguments `(#:test-target "test" #:parallel-tests? #f -- 2.6.3
Re: Ruby security updates
Ruby 1.8.7 is still being used. For me one of the selling points of GNU Guix is that we can retain older packages when they are still useful. The switch from Ruby 1.8 to 1.9 was quite intrusive and not all software made the switch (similar to the python 2 to 3 switch). Some people argue that the software should be updated, but it sometimes proves to be (too) hard or not worth the effort. Ruby 1.8 is still a nice interpreter (it was the original Ruby by Matz). If you run Ruby 1.8 in user space the security concerns are not really relevant. There is no magic, Ruby can not circumvent the Linux kernel's permissions. So, the question here is not about security per se, it is more about what packages do we retain in Guix. I think in this case, because there are users, Ruby 1.8 belongs in Guix. Guix' versioning and isolation allows for using different versions of software and retaining Ruby 1.8's incompatibility with later Ruby's makes it a distinct selling point for Guix. Of course I can do without. But now I can point to others at the incompatiple versions of Ruby we support, as well as Python, Perl and samtools, for example. If you ditch 1.8.7 I won't be upset, but I hope you see my point. There is no real cost attached and plenty upside :) Pj. On Fri, Jan 08, 2016 at 07:15:53PM -0500, Thompson, David wrote: > On Fri, Jan 8, 2016 at 6:48 PM, Mark H Weaver wrote: > > Some of our ruby versions may need security updates. > > > > https://bugzilla.redhat.com/show_bug.cgi?id=1248935 > > > > Can someone who cares about ruby please investigate? > > This particular issue is definitely fixed in Ruby 2.2.4 or later, > which we upgraded very recently in response to this. > > Now, I suspect Pjotr will find issue with this, but I think we really > should drop the Ruby 1.8.7 package because it is end-of-life and will > *not* receive bug fixes or security updates. > > Thoughts? > > - Dave > --
Re: Ruby security updates
On Fri, Jan 8, 2016 at 6:48 PM, Mark H Weaver wrote: > Some of our ruby versions may need security updates. > > https://bugzilla.redhat.com/show_bug.cgi?id=1248935 > > Can someone who cares about ruby please investigate? This particular issue is definitely fixed in Ruby 2.2.4 or later, which we upgraded very recently in response to this. Now, I suspect Pjotr will find issue with this, but I think we really should drop the Ruby 1.8.7 package because it is end-of-life and will *not* receive bug fixes or security updates. Thoughts? - Dave