Date: Sat, 17 May 2014 23:52:37 +0900 From: "Akinori MUSHA" <knu@iDaemons.org> To: Steve Wills <swills@freebsd.org> Cc: svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org Subject: Re: svn commit: r354025 - in head/textproc/rubygem-nokogiri: . files Message-ID: <86ppjcsbii.knu@iDaemons.org> In-Reply-To: <20140516154153.GA59733@mouf.net> References: <201405140650.s4E6oOMw059963@svn.freebsd.org> <20140516154153.GA59733@mouf.net>
next in thread | previous in thread | raw e-mail | index | archive | help
--pgp-sign-Multipart_Sat_May_17_23:52:33_2014-1 Content-Type: text/plain; charset=US-ASCII At Fri, 16 May 2014 15:41:57 +0000, Steve Wills wrote: > This is not the correct fix. Please see attached. Please use this fix and > remove rubygem-mini_portile from ports. The mini_portile gem does it's own > installing of libraries and other things and this is not how we want ports to > work, IMHO, so we really should avoid having it in port if possible. Our libxml2 was updated to 2.9.x after the recent security incidents, but nokogiri does not fully support that version, i.e. some features do not function properly. Using textproc/libxml2 worked only by chance, that is, it was staying still at 2.8.0 while other OS/distributions had migrated to 2.9.x a long time ago. I have to point out that libxml2 is notorious for not releasing a new version even if a critical bug is found, so it's all up to each distributor as to which set of patches they merge to their package, investing their time to track the uptream git repository. Team Nokogiri has suffered so much with this, and concluded that there is no way but to maintain its own version to avoid dealing with every single platform dependent arbitrarily patched libxml2 installation. Nokogiri uses a wide range of libxml2's features, and is thus subject to be affected by a tiny incompatibility or bug/bug-fix in libxml2. Starting from 1.6.2, nokogiri explicitly suggests using bundled libxml2/libxslt that are properly patched for the gem including security problems instead of using some unknown version provided by the platform. Above is all I can tell you on behalf of Team Nokogiri, and if you still believe it's not correct, not the way FreeBSD ports should take, that's fine, you can "fix" it on your own, but please do not expect me to do that against my will. Hopefully, when nokogiri is finally updated to support libxml2 2.9.1, and if libxml2 stops neglecting their new releases, then the situation may change, but I just can't recommend that at the moment. -- Akinori MUSHA / https://akinori.org/ --pgp-sign-Multipart_Sat_May_17_23:52:33_2014-1 Content-Type: application/pgp-signature Content-Transfer-Encoding: 7bit Content-Description: OpenPGP Digital Signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEABECAAYFAlN3d7EACgkQkgvvx5/Z4e5HnACgqjLxveqBsFqPe/Oy3K+0tAU2 swAAmwTuEj58tXUyY07RWDfYlGKtlwrX =yxLV -----END PGP SIGNATURE----- --pgp-sign-Multipart_Sat_May_17_23:52:33_2014-1--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86ppjcsbii.knu>