Date: Mon, 19 May 2014 12:29:15 +0900 From: "Akinori MUSHA" <knu@iDaemons.org> To: Steve Wills <swills@freebsd.org> Cc: svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org Subject: Re: svn commit: r354025 - in head/textproc/rubygem-nokogiri: . files Message-ID: <86k39itpis.knu@iDaemons.org> In-Reply-To: <20140519013952.GB12777@mouf.net> References: <201405140650.s4E6oOMw059963@svn.freebsd.org> <20140516154153.GA59733@mouf.net> <86ppjcsbii.knu@iDaemons.org> <20140519013952.GB12777@mouf.net>
next in thread | previous in thread | raw e-mail | index | archive | help
--pgp-sign-Multipart_Mon_May_19_12:29:10_2014-1 Content-Type: text/plain; charset=US-ASCII At Mon, 19 May 2014 01:39:52 +0000, Steve Wills wrote: > > Starting from 1.6.2, nokogiri explicitly suggests using bundled > > libxml2/libxslt that are properly patched for the gem including > > security problems instead of using some unknown version provided by > > the platform. > > Thanks for the info, I wasn't aware of that. > > Wouldn't it be better to get the libxml2 from ports updated with the bug fixes > instead of having one buggy version in ports and one non-buggy version bundled > with nokogiri? Libxml2 2.9.x, having had no release for one year and a half, finally rolled out a new release at the timing we (the Team Nokogiri) didn't expect while we were working on long-term release engineering for nokogiri 1.6.2 targetted for a patched libxml2 2.8.0. We do want to take the time to tackle the new release of libxml2. but we currently have to deal with issues reported after 2.9.2, and then 2.9.2.1, so it may take at least a couple of weeks before we can start working on it. > Can you please send me the fixes that libxml2 needs? So far, libxml2 2.9.1 looks like a decent release as it should be, because it includes all it had exclusively in their repository, including bug fixes and security fixes. However, it is confirmed that some test cases in nokogiri's test suite fail, which we are yet to figure out if it's libxml2 that introduced bugs, or nokogiri that had incorrect assumptions about some features of libxml2 or XML specifications. In any case, the ball is now on nokogiri's side. One thing for sure is that nokogiri does not currently have a known security issue at the moment, and all features covered by the test suite should work fine when built with the bundled version of libxml2. > > Hopefully, when nokogiri is finally updated to support libxml2 2.9.1, > > and if libxml2 stops neglecting their new releases, then the situation > > may change, but I just can't recommend that at the moment. > > So are you saying nokogiri doesn't build with libxml2 2.9.1? Or doesn't work at > all with libxml2 2.9.1? Or partially broken? Or is it not supported due to > missing fixes, which we could easily add in ports? It builds with libxml2 2.9.1, but will be partially broken. It is not certain if it's a bug of libxml2's side, or if there are other pieces of software affected by the incompatibilities introduced by an upgrade to 2.9.1. So, until nokogiri rolls out a new release that claims full support for libxml2 2.9.1, I'd recommend using the bundled libraries for the moment. I'll let you posted. -- Akinori MUSHA / https://akinori.org/ --pgp-sign-Multipart_Mon_May_19_12:29:10_2014-1 Content-Type: application/pgp-signature Content-Transfer-Encoding: 7bit Content-Description: OpenPGP Digital Signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEABECAAYFAlN5eoYACgkQkgvvx5/Z4e4HwgCfaxzH/Cr+th6+AvjOgeo1OXUZ QNMAn0dd6efthn5vS9D0e8PILHxpSyhg =yPeY -----END PGP SIGNATURE----- --pgp-sign-Multipart_Mon_May_19_12:29:10_2014-1--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86k39itpis.knu>