RFC: News item: Perl 5.26 update

Andreas K. Huettel
See plaintext below and identical attached file.


=======================================
Title: Perl 5.26 update: possible breakage
Author: Andreas K. Hüttel <[hidden email]>
Posted: xxxxxxx
Revision: 1
News-Item-Format: 2.0
Display-If-Installed: >=dev-lang/perl-5.26.0

You have just upgraded to Perl 5.26. This release brings several
incompatible changes, also as a consequence of fixing a security
problem [1]. While we have made sure that all resulting build
failures within Gentoo are fixed, this may not be the case for
runtime issues, and certainly can affect third-party code (e.g.,
"hand-installed" server applications).

Typical errors are
   "Can't locate inc/... in @INC (you may need to install the inc::...
module)"
   "error: ... has no member named ‘op_sibling’"
   "Unescaped left brace in regex is illegal in ..."

Please see the pages [2,3] for details and report bugs if you run
into problems during or after the Perl update.

[1] https://rt.perl.org/Ticket/Display.html?id=127834
    https://bugs.gentoo.org/show_bug.cgi?id=589680
[2] https://wiki.gentoo.org/wiki/Project:Perl/Dot-In-INC-Removal
[3] https://wiki.gentoo.org/wiki/Project:Perl/5.26_Known_Issues
=======================================


--
Andreas K. Hüttel
[hidden email]
Gentoo Linux developer (council, perl, libreoffice)

Re: RFC: News item: Perl 5.26 update

Kent Fredric-2
On Sat, 07 Oct 2017 17:03:44 +0200
"Andreas K. Huettel" <[hidden email]> wrote:

> See plaintext below and identical attached file.
>
>
> =======================================
> Title: Perl 5.26 update: possible breakage
> Author: Andreas K. Hüttel <[hidden email]>
> Posted: xxxxxxx
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: >=dev-lang/perl-5.26.0
>
> You have just upgraded to Perl 5.26. This release brings several
> incompatible changes, also as a consequence of fixing a security
> problem [1]. While we have made sure that all resulting build
> failures within Gentoo are fixed, this may not be the case for
> runtime issues, and certainly can affect third-party code (e.g.,
> "hand-installed" server applications).
>
> Typical errors are
>    "Can't locate inc/... in @INC (you may need to install the inc::...
> module)"
>    "error: ... has no member named ‘op_sibling’"
>    "Unescaped left brace in regex is illegal in ..."
>
> Please see the pages [2,3] for details and report bugs if you run
> into problems during or after the Perl update.
>
> [1] https://rt.perl.org/Ticket/Display.html?id=127834
>     https://bugs.gentoo.org/show_bug.cgi?id=589680
> [2] https://wiki.gentoo.org/wiki/Project:Perl/Dot-In-INC-Removal
> [3] https://wiki.gentoo.org/wiki/Project:Perl/5.26_Known_Issues
> =======================================
>
>

Somewhere in here it's probably useful to link to
https://wiki.gentoo.org/wiki/Perl under the guise of "general update
advice", as it seems many people *still* don't know about this page and
will predictably come to #gentoo asking for help having not seen it.

So ....

> Please see the pages [2,3] for details and report bugs if you run
> into problems during or after the Perl update.
>
> General purpose advice on updating Perl can be found on page [4]

?

Re: RFC: News item: Perl 5.26 update

Andreas K. Huettel
On Saturday, 7 October 2017, 17:21:13 CEST, Kent Fredric wrote:

> >
> > General purpose advice on updating Perl can be found on page [4]
>

Sounds good, added.


--
Andreas K. Hüttel
[hidden email]
Gentoo Linux developer (council, perl, libreoffice)

Re: RFC: News item: Perl 5.26 update

Aaron W. Swenson-2
In reply to this post by Andreas K. Huettel
On 2017-10-07 17:03, Andreas K. Huettel wrote:
> …
> This release brings several incompatible changes, also as a
> consequence of fixing a security problem [1].

This reads kind of awkwardly. Maybe something along the lines of:

    This release brings several incompatible changes as a result of
    deprecations coming to term [#] and mitigating a potential security
    issue [#].

I wouldn’t really consider the security risk eliminated, but
mitigated, as the vector of attack remains if a program or module adds the
current working directory to @INC on its own. The interpreter just isn’t
adding it to @INC.

> Typical errors are
>    "Can't locate inc/... in @INC (you may need to install the inc::... module)"
>    "error: ... has no member named ‘op_sibling’"
>    "Unescaped left brace in regex is illegal in ..."

I would make this look more like a proper list.

    Typical errors are:
      * Can't locate inc/... in @INC (you may need to install the
        inc::... module)
      * error: ... has no member named ‘op_sibling’
      * Unescaped left brace in regex is illegal in ...
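
Aaron's point above, that the vector remains when a program or module adds the current working directory to @INC itself, can be checked for in hand-installed code. The Perl script below is an added example, not part of this thread or of Gentoo's tooling; the `scan_source` name, the patterns and the sample source are constructed for illustration, and the patterns are heuristics rather than a complete audit.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Heuristic patterns (chosen for this example, not exhaustive) for code that
# re-adds the current working directory to @INC after the 5.26 default change.
my $DOT = qr/['"]\.\/?['"]/;    # a quoted "." or "./"
my @CHECKS = (
    [ 'use lib on "."',             qr/^\s*use\s+lib\b.*$DOT/ ],
    [ 'push/unshift "." onto @INC', qr/\b(?:push|unshift)\b\s*\(?\s*\@INC\b.*$DOT/ ],
    [ 'cwd pushed onto @INC',       qr/\b(?:push|unshift)\b\s*\(?\s*\@INC\b.*\b(?:getcwd|cwd)\b/ ],
    [ '-I. on the shebang line',    qr/^#!.*\bperl\b.*\s-I\s*\.\/?(?!\S)/ ],
    [ 'PERL_USE_UNSAFE_INC set',    qr/\bPERL_USE_UNSAFE_INC\b/ ],
);

# Return a list of [line number, finding, source line] for every match.
sub scan_source {
    my ($text) = @_;
    my @hits;
    my $n = 0;
    for my $line (split /\n/, $text) {
        $n++;
        next if $line =~ /^\s*#(?!!)/;    # skip comment lines, keep the shebang
        for my $check (@CHECKS) {
            my ($label, $re) = @$check;
            push @hits, [ $n, $label, $line ] if $line =~ $re;
        }
    }
    return @hits;
}

# Constructed sample source: lines 1, 3, 5 and 8 re-enable the old behaviour.
my $sample = <<'SAMPLE';
#!/usr/bin/perl -I.
use strict;
use lib '.';
use lib '/opt/app/lib';
BEGIN { unshift @INC, "./" }
# push @INC, '.';   (commented out, ignored)
use FindBin; use lib "$FindBin::Bin/lib";
local $ENV{PERL_USE_UNSAFE_INC} = 1;
SAMPLE

# Report on the running interpreter, then on the sample source.
printf "interpreter has '.' in \@INC: %s\n",
    (grep { $_ eq '.' } @INC) ? 'yes' : 'no';
printf "line %d: %-30s %s\n", @$_ for scan_source($sample);
```

The `FindBin` line is deliberately not flagged: it resolves to the script's own directory, not to whatever directory the process happens to be started from.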

Re: RFC: News item: Perl 5.26 update

Kent Fredric-2
On Sat, 7 Oct 2017 12:15:14 -0400
"Aaron W. Swenson" <[hidden email]> wrote:

> This reads kind of awkwardly. Maybe something along the lines of:
>
>     This release brings several incompatible changes as a result of
>     deprecations coming to term [#] and mitigating a potential security
>     issue [#].
>
> I wouldn’t really consider the security risk eliminated, but
> mitigated, as the vector of attack remains if a program or module adds the
> current working directory to @INC on its own. The interpreter just isn’t
> adding it to @INC.

It's probably more accurate to consider this a form of security theatre
than a real security mitigation.

Just phrasing that succinctly is not easy.

Maybe instead of calling it "a security issue", it's "a change in
defaults due to potential security concerns"


Re: RFC v2: News item: Perl 5.26 update

Andreas K. Huettel
In reply to this post by Andreas K. Huettel
OK so here's the updated version:

=================================
Title: Perl 5.26 update: possible breakage
Author: Andreas K. Hüttel <[hidden email]>
Posted: xxxxxxx
Revision: 1
News-Item-Format: 2.0
Display-If-Installed: >=dev-lang/perl-5.26.0

You have just upgraded to Perl 5.26. This release brings several
incompatible changes, as a result of deprecations coming to term
and of changes in default settings to mitigate a potential
security issue [1].

While we have made sure that all resulting build failures within
Gentoo are fixed, this may not be the case for runtime issues,
and certainly can affect third-party code (e.g., "hand-installed"
server applications).

Typical errors are
* Can't locate inc/... in @INC (you may need to install the inc::... module)
* error: ... has no member named ‘op_sibling’
* Unescaped left brace in regex is illegal in ...

Please see the pages [2,3] for details and report bugs if you run
into problems during or after the Perl update.

General purpose advice on updating Perl can be found on page [4].

[1] https://rt.perl.org/Ticket/Display.html?id=127834
    https://bugs.gentoo.org/show_bug.cgi?id=589680
[2] https://wiki.gentoo.org/wiki/Project:Perl/Dot-In-INC-Removal
[3] https://wiki.gentoo.org/wiki/Project:Perl/5.26_Known_Issues
[4] https://wiki.gentoo.org/wiki/Perl
=================================


--
Andreas K. Hüttel
[hidden email]
Gentoo Linux developer (council, perl, libreoffice)

Re: RFC v2: News item: Perl 5.26 update

Aaron W. Swenson-2
On 2017-10-08 14:01, Andreas K. Huettel wrote:
> OK so here's the updated version:
> …
> Typical errors are

Needs a colon.

    Typical errors are:

But the rest looks good to me.

I don’t know how to write “good job” without it sounding
patronizing. But here it is anyway: Good job!
