From owner-svn-ports-head@FreeBSD.ORG Mon May 19 03:29:25 2014 Return-Path: Delivered-To: svn-ports-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5F68A949; Mon, 19 May 2014 03:29:25 +0000 (UTC) Received: from mail.musha.org (v055125.ppp.asahi-net.or.jp [124.155.55.125]) by mx1.freebsd.org (Postfix) with ESMTP id F25F72758; Mon, 19 May 2014 03:29:24 +0000 (UTC) Received: by mail.musha.org (Postfix, from userid 58) id 3gX5LN3d6tzZ40T; Mon, 19 May 2014 12:29:16 +0900 (JST) X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on daemon.musha.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=13.0 tests=BAYES_00, CONTENT_TYPE_PRESENT,FAKEDWORD_ONE,FAKEDWORD_VERTICALLINE,ONLY1HOPDIRECT, RP_MATCHES_RCVD,SPF_HELO_FAIL,SPF_SOFTFAIL autolearn=no autolearn_force=no version=3.4.0 Received: from daemon.musha.org (daemon.local.idaemons.org [192.168.11.11]) by mail.musha.org (Postfix) with ESMTP id 3gX5LM68zQzZ40R; Mon, 19 May 2014 12:29:15 +0900 (JST) Date: Mon, 19 May 2014 12:29:15 +0900 Message-ID: <86k39itpis.knu@iDaemons.org> From: "Akinori MUSHA" To: Steve Wills Subject: Re: svn commit: r354025 - in head/textproc/rubygem-nokogiri: . files In-Reply-To: <20140519013952.GB12777@mouf.net> References: <201405140650.s4E6oOMw059963@svn.freebsd.org> <20140516154153.GA59733@mouf.net> <86ppjcsbii.knu@iDaemons.org> <20140519013952.GB12777@mouf.net> Organization: Associated I. Daemons X-PGP-Public-Key: finger knu@FreeBSD.org X-PGP-Fingerprint: 081D 099C 1705 861D 4B70 B04A 920B EFC7 9FD9 E1EE MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue") Content-Type: multipart/signed; boundary="pgp-sign-Multipart_Mon_May_19_12:29:10_2014-1"; micalg=pgp-sha1; protocol="application/pgp-signature" Content-Transfer-Encoding: 7bit Cc: svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 May 2014 03:29:25 -0000 --pgp-sign-Multipart_Mon_May_19_12:29:10_2014-1 Content-Type: text/plain; charset=US-ASCII At Mon, 19 May 2014 01:39:52 +0000, Steve Wills wrote: > > Starting from 1.6.2, nokogiri explicitly suggests using bundled > > libxml2/libxslt that are properly patched for the gem including > > security problems instead of using some unknown version provided by > > the platform. > > Thanks for the info, I wasn't aware of that. > > Wouldn't it be better to get the libxml2 from ports updated with the bug fixes > instead of having one buggy version in ports and one non-buggy version bundled > with nokogiri? Libxml2 2.9.x, having had no release for one year and a half, finally rolled out a new release at the timing we (the Team Nokogiri) didn't expect while we were working on long-term release engineering for nokogiri 1.6.2 targetted for a patched libxml2 2.8.0. We do want to take the time to tackle the new release of libxml2. but we currently have to deal with issues reported after 2.9.2, and then 2.9.2.1, so it may take at least a couple of weeks before we can start working on it. > Can you please send me the fixes that libxml2 needs? So far, libxml2 2.9.1 looks like a decent release as it should be, because it includes all it had exclusively in their repository, including bug fixes and security fixes. However, it is confirmed that some test cases in nokogiri's test suite fail, which we are yet to figure out if it's libxml2 that introduced bugs, or nokogiri that had incorrect assumptions about some features of libxml2 or XML specifications. In any case, the ball is now on nokogiri's side. One thing for sure is that nokogiri does not currently have a known security issue at the moment, and all features covered by the test suite should work fine when built with the bundled version of libxml2. > > Hopefully, when nokogiri is finally updated to support libxml2 2.9.1, > > and if libxml2 stops neglecting their new releases, then the situation > > may change, but I just can't recommend that at the moment. > > So are you saying nokogiri doesn't build with libxml2 2.9.1? Or doesn't work at > all with libxml2 2.9.1? Or partially broken? Or is it not supported due to > missing fixes, which we could easily add in ports? It builds with libxml2 2.9.1, but will be partially broken. It is not certain if it's a bug of libxml2's side, or if there are other pieces of software affected by the incompatibilities introduced by an upgrade to 2.9.1. So, until nokogiri rolls out a new release that claims full support for libxml2 2.9.1, I'd recommend using the bundled libraries for the moment. I'll let you posted. -- Akinori MUSHA / https://akinori.org/ --pgp-sign-Multipart_Mon_May_19_12:29:10_2014-1 Content-Type: application/pgp-signature Content-Transfer-Encoding: 7bit Content-Description: OpenPGP Digital Signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEABECAAYFAlN5eoYACgkQkgvvx5/Z4e4HwgCfaxzH/Cr+th6+AvjOgeo1OXUZ QNMAn0dd6efthn5vS9D0e8PILHxpSyhg =yPeY -----END PGP SIGNATURE----- --pgp-sign-Multipart_Mon_May_19_12:29:10_2014-1--