gnu: ruby: Replace with 2.3.2 [fixes CVE-2015-3900].

Message ID 20161118233209.28746-2-donttrustben@gmail.com
State New

Commit Message

Ben Woodcroft Nov. 18, 2016, 11:32 p.m. UTC
* gnu/packages/ruby.scm (ruby)[replacement]: New field.
(ruby-2.3.2): New variable.
---
 gnu/packages/ruby.scm | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

Comments

Leo Famulari Nov. 19, 2016, 3:28 p.m. UTC | #1
On Sat, Nov 19, 2016 at 09:32:09AM +1000, Ben Woodcroft wrote:
> * gnu/packages/ruby.scm (ruby)[replacement]: New field.
> (ruby-2.3.2): New variable.
> ---
>  gnu/packages/ruby.scm | 20 ++++++++++++++++++++
>  1 file changed, 20 insertions(+)
> 
> diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
> index e4c1ef0..f2b5de9 100644
> --- a/gnu/packages/ruby.scm
> +++ b/gnu/packages/ruby.scm
> @@ -47,6 +47,7 @@
>  (define-public ruby
>    (package
>      (name "ruby")
> +    (replacement ruby-2.3.2)

Remember that grafted replacements should have a compatible ABI.

This is the first result I found when searching for "Ruby ABI compatible"

https://www.ruby-lang.org/en/news/2013/12/21/ruby-version-policy-changes-with-2-1-0/

So, if they've kept that policy, this should be fine.

Thanks for taking care of this!
Ben Woodcroft Nov. 20, 2016, 7 a.m. UTC | #2
On 20/11/16 01:28, Leo Famulari wrote:
> On Sat, Nov 19, 2016 at 09:32:09AM +1000, Ben Woodcroft wrote:
>> * gnu/packages/ruby.scm (ruby)[replacement]: New field.
>> (ruby-2.3.2): New variable.
>> ---
>>   gnu/packages/ruby.scm | 20 ++++++++++++++++++++
>>   1 file changed, 20 insertions(+)
>>
>> diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
>> index e4c1ef0..f2b5de9 100644
>> --- a/gnu/packages/ruby.scm
>> +++ b/gnu/packages/ruby.scm
>> @@ -47,6 +47,7 @@
>>   (define-public ruby
>>     (package
>>       (name "ruby")
>> +    (replacement ruby-2.3.2)
> Remember that grafted replacements should have a compatible ABI.
>
> This is the first result I found when searching for "Ruby ABI compatible"
>
> https://www.ruby-lang.org/en/news/2013/12/21/ruby-version-policy-changes-with-2-1-0/
>
> So, if they've kept that policy, this should be fine.
I can't see any evidence to the contrary. I also ran a compatibility 
checker and it seemed to work out (while 2.3.2 vs 2.2.6 did not, as a 
negative control).
https://lvc.github.io/abi-compliance-checker/

I'm not quite finished packaging it yet up to standard just yet, but I 
pushed what I have here, in case it is useful in the meantime.
https://github.com/wwood/guix_mine/blob/master/ben/packages/local.scm

I pushed the graft to master and updated it directly on staging.

ben
Leo Famulari Nov. 20, 2016, 3:28 p.m. UTC | #3
On Sun, Nov 20, 2016 at 05:00:58PM +1000, Ben Woodcroft wrote:
> I can't see any evidence to the contrary. I also ran a compatibility checker
> and it seemed to work out (while 2.3.2 vs 2.2.6 did not, as a negative
> control).
> https://lvc.github.io/abi-compliance-checker/
> 
> I'm not quite finished packaging it yet up to standard just yet, but I
> pushed what I have here, in case it is useful in the meantime.
> https://github.com/wwood/guix_mine/blob/master/ben/packages/local.scm
> 
> I pushed the graft to master and updated it directly on staging.

Thanks!
Patch

diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index e4c1ef0..f2b5de9 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -47,6 +47,7 @@ 
 (define-public ruby
   (package
     (name "ruby")
+    (replacement ruby-2.3.2)
     (version "2.3.1")
     (source
      (origin
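Review bot: the added `(replacement ruby-2.3.2)` line has no comment saying why the graft exists. The subject line names CVE-2015-3900, but nothing in the package definition does, so a later reader of ruby.scm cannot tell that this is a security graft or when it can be dropped. Suggest a one-line comment above the field that names the CVE and notes that the replacement must stay ABI-compatible with the 2.3.1 package it is grafted onto.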
@@ -101,6 +102,25 @@  a focus on simplicity and productivity.")
     (home-page "https://ruby-lang.org")
     (license license:ruby)))
 
+(define ruby-2.3.2
+  (package
+    (inherit ruby)
+    (version "2.3.2")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "http://cache.ruby-lang.org/pub/ruby/"
+                           (version-major+minor version)
+                           "/ruby-" version ".tar.xz"))
+       (sha256
+        (base32
+         "031g76zxb2wp6988dmrpbqd98i17xi6l8q1115h83r2w0h8z6y2w"))
+       (modules '((guix build utils)))
+       (snippet `(begin
+                   ;; Remove bundled libffi
+                   (delete-file-recursively "ext/fiddle/libffi-3.2.1")
+                   #t))))))
+
 (define-public ruby-2.2
   (package (inherit ruby)
     (version "2.2.6")
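Review bot: `ruby-2.3.2` uses `(inherit ruby)` and does not override `replacement`, so it inherits the `(replacement ruby-2.3.2)` field added in the first hunk and names itself as its own replacement. Adding `(replacement #f)` to the new package makes the intent explicit. Separately, the source URI is fetched over plain `http://cache.ruby-lang.org/pub/ruby/`. The `sha256` pins the tarball contents, but an `https://` URI would match the `home-page` field and avoid exposing the download to on-path tampering that then surfaces only as a hash mismatch.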