public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
@ 2017-06-05  7:11 Hans de Graaff
  2017-06-05 11:06 ` Kent Fredric
  0 siblings, 1 reply; 13+ messages in thread
From: Hans de Graaff @ 2017-06-05  7:11 UTC (permalink / raw)
  To: gentoo-dev-announce; +Cc: gentoo-dev

# Hans de Graaff <graaff@gentoo.org> (05 Jun 2017)
# Bundles obsolete and vulnerable webkit version.
# Upstream has stopped development and recommends using
# headless mode in >=www-client/chromium-59.
# Masked for removal in 30 days. Bug #589994.
www-client/phantomjs
dev-ruby/poltergeist

* Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
  2017-06-05  7:11 [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist Hans de Graaff
@ 2017-06-05 11:06 ` Kent Fredric
  2017-06-05 11:38   ` Vadim A. Misbakh-Soloviov
                     ` (2 more replies)
  0 siblings, 3 replies; 13+ messages in thread
From: Kent Fredric @ 2017-06-05 11:06 UTC (permalink / raw)
  To: gentoo-dev

On Mon, 05 Jun 2017 09:11:27 +0200
Hans de Graaff <graaff@gentoo.org> wrote:

> # Hans de Graaff <graaff@gentoo.org> (05 Jun 2017)
> # Bundles obsolete and vulnerable webkit version.
> # Upstream has stopped development and recommends using
> # headless mode in >=www-client/chromium-59.
> # Masked for removal in 30 days. Bug #589994.
> www-client/phantomjs

Can phantomjs be simply masked for a longer period until the development
world has had an opportunity to catch up?

There are still respectable amounts of JS-based testing code dependent on phantomjs
and all removing this means is "people who want to do this have to work this out
themselves".

1.5 months from "We're not working on this" to "it's dead, Jim, kill it from orbit"
is a bit fast for anything entrenched.

Chromium 59 is also, similarly, quite new.

* Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
  2017-06-05 11:06 ` Kent Fredric
@ 2017-06-05 11:38   ` Vadim A. Misbakh-Soloviov
  2017-06-06  5:31     ` Hans de Graaff
  2017-06-05 17:42   ` Michael Orlitzky
  2017-06-06  5:28   ` Hans de Graaff
  2 siblings, 1 reply; 13+ messages in thread
From: Vadim A. Misbakh-Soloviov @ 2017-06-05 11:38 UTC (permalink / raw)
  To: gentoo-dev

> Can phantomjs be simply masked for a longer period until the development
> world has had an opportunity to catch up?

Just exactly what I thought.

Although the in-tree version is obsolete anyway, and upstream made the next few
releases with a brain-exploding build system, so I just pushed a 9999 version to my
"public sandbox" overlay, and am happy with it on the projects that depend on
phantomjs.

By the way, headless chrome, well, works a bit differently in comparison with
"analogs" (including wkhtmlto{img,pdf}), so it needs much more time than a
month to get full analogs.

So, I disagree with monthly dropping in this context too (well, I disagree
with the idea. As I just said, I myself am safe from being affected by
it).


* Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
  2017-06-05 11:06 ` Kent Fredric
  2017-06-05 11:38   ` Vadim A. Misbakh-Soloviov
@ 2017-06-05 17:42   ` Michael Orlitzky
  2017-06-05 17:49     ` Kent Fredric
  2017-06-06  8:30     ` Pacho Ramos
  2017-06-06  5:28   ` Hans de Graaff
  2 siblings, 2 replies; 13+ messages in thread
From: Michael Orlitzky @ 2017-06-05 17:42 UTC (permalink / raw)
  To: gentoo-dev

On 06/05/2017 07:06 AM, Kent Fredric wrote:
> On Mon, 05 Jun 2017 09:11:27 +0200
> Hans de Graaff <graaff@gentoo.org> wrote:
> 
>> # Hans de Graaff <graaff@gentoo.org> (05 Jun 2017)
>> # Bundles obsolete and vulnerable webkit version.
>> # Upstream has stopped development and recommends using
>> # headless mode in >=www-client/chromium-59.
>> # Masked for removal in 30 days. Bug #589994.
>> www-client/phantomjs
> 
> Can phantomjs be simply masked for a longer period until the development
> world has had an opportunity to catch up?
> 

The real reason for the mask is that it bundles an ancient version of
qtwebkit with a ton of known security vulnerabilities. Hans was
attempting to fix it, but now that upstream is dead, it will remain
insecure forever.



* Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
  2017-06-05 17:42   ` Michael Orlitzky
@ 2017-06-05 17:49     ` Kent Fredric
  2017-06-06  8:30     ` Pacho Ramos
  1 sibling, 0 replies; 13+ messages in thread
From: Kent Fredric @ 2017-06-05 17:49 UTC (permalink / raw)
  To: gentoo-dev

On Mon, 5 Jun 2017 13:42:50 -0400
Michael Orlitzky <mjo@gentoo.org> wrote:

> Hans was
> attempting to fix it, but now that upstream is dead, it will remain
> insecure forever.

IME, as long as that's clear from the pmask, and it's clear what those
security vectors are, as long as an end user makes sure those vectors
can't happen, having an insecure-in-theory-but-not-in-practice
phantomjs is better than having no phantomjs.

* Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
  2017-06-05 11:06 ` Kent Fredric
  2017-06-05 11:38   ` Vadim A. Misbakh-Soloviov
  2017-06-05 17:42   ` Michael Orlitzky
@ 2017-06-06  5:28   ` Hans de Graaff
  2017-06-06  9:11     ` Kent Fredric
  2 siblings, 1 reply; 13+ messages in thread
From: Hans de Graaff @ 2017-06-06  5:28 UTC (permalink / raw)
  To: gentoo-dev

On Mon, 2017-06-05 at 23:06 +1200, Kent Fredric wrote:
> 
> Can phantomjs be simply masked for a longer period until the
> development
> world has had an opportunity to catch up?

What kind of timeframe do you propose?

> 1.5 months from "We're not working on this" to "it's dead, Jim, kill it
> from orbit"
> is a bit fast for anything entrenched.

The problems were there a lot longer so for me at least it still feels
slow. The fact that Chromium is now an alternative finally made it
easier to mask this, but really we should have masked this months ago.
If not for security reasons then for all the QA violations such as tons
of bundled code.

> Chromium 59 is also, similarly, quite new.

It has hit stable upstream so we should see stable versions in Gentoo
soon, I expect.

Hans

* Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
  2017-06-05 11:38   ` Vadim A. Misbakh-Soloviov
@ 2017-06-06  5:31     ` Hans de Graaff
  0 siblings, 0 replies; 13+ messages in thread
From: Hans de Graaff @ 2017-06-06  5:31 UTC (permalink / raw)
  To: gentoo-dev

On Mon, 2017-06-05 at 18:38 +0700, Vadim A. Misbakh-Soloviov wrote:
> > 
> Although the in-tree version is obsolete anyway, and upstream made the
> next few releases with a brain-exploding build system, so I just pushed
> a 9999 version to my "public sandbox" overlay, and am happy with it on
> the projects that depend on phantomjs.

I have been tracking the upstream git repository for some time. It was
going in the right direction by dropping all bundled code and using
system qtwebkit. Unfortunately it either did not build correctly or if
it did it would crash on 80% of the included test suite. Otherwise I
would have added a snapshot.

Hans

* Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
  2017-06-05 17:42   ` Michael Orlitzky
  2017-06-05 17:49     ` Kent Fredric
@ 2017-06-06  8:30     ` Pacho Ramos
  1 sibling, 0 replies; 13+ messages in thread
From: Pacho Ramos @ 2017-06-06  8:30 UTC (permalink / raw)
  To: gentoo-dev

On Mon, 05-06-2017 at 13:42 -0400, Michael Orlitzky wrote:
> On 06/05/2017 07:06 AM, Kent Fredric wrote:
> > On Mon, 05 Jun 2017 09:11:27 +0200
> > Hans de Graaff <graaff@gentoo.org> wrote:
> > 
> > > # Hans de Graaff <graaff@gentoo.org> (05 Jun 2017)
> > > # Bundles obsolete and vulnerable webkit version.
> > > # Upstream has stopped development and recommends using
> > > # headless mode in >=www-client/chromium-59.
> > > # Masked for removal in 30 days. Bug #589994.
> > > www-client/phantomjs
> > 
> > Can phantomjs be simply masked for a longer period until the development
> > world has had an opportunity to catch up?
> > 
> 
> The real reason for the mask is that it bundles an ancient version of
> qtwebkit with a ton of known security vulnerabilities. Hans was
> attempting to fix it, but now that upstream is dead, it will remain
> insecure forever.
> 

Also, the current stable version cannot be built with stable gcc, and the latest
version also has lots of unresolved bugs (some building bugs) apart from the
security issues affecting all versions.


* Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
  2017-06-06  5:28   ` Hans de Graaff
@ 2017-06-06  9:11     ` Kent Fredric
  2017-06-11  6:38       ` Hans de Graaff
  2017-09-19 13:44       ` Tony Vroon
  0 siblings, 2 replies; 13+ messages in thread
From: Kent Fredric @ 2017-06-06  9:11 UTC (permalink / raw)
  To: gentoo-dev

On Tue, 06 Jun 2017 07:28:00 +0200
Hans de Graaff <graaff@gentoo.org> wrote:

> What kind of timeframe do you propose?
> 
> > 1.5 months from "We're not working on this" to "it's dead, Jim, kill
> > it from orbit"
> > is a bit fast for anything entrenched.
> 
> The problems were there a lot longer so for me at least it still feels
> slow. The fact that Chromium is now an alternative finally made it
> easier to mask this, but really we should have masked this months ago.
> If not for security reasons then for all the QA violations such as
> tons of bundled code.
> 
> > Chromium 59 is also, similarly, quite new.  
> 
> It has hit stable upstream so we should see stable versions in Gentoo
> soon, I expect.

I'm sort of hoping that we can delay at least until it becomes viable
to use newer stuff on travis.

That way when all the underlying ecosystem things are updated to work
with chromium-headless, and it becomes viable to actually test this in
a consistent way the same way on every target, the need to maintain
phantomjs goes away.

But at this time, the context that matters is:

Seeing the last-riting was the *first* indication I received that any
changes were being done that I needed to pay attention to.

So making sure everything is up-to-scratch on top of all the other
stuff I have to do Gentoo side ( *cough* bug 613764 ) just means I
haven't had any of the sort of time I need to respond to this that
quickly.

I'm fine with it living in pmask as long as it's "insecure, but usable".

Just 30 days to overhaul things on top of other work is a serious
problem for anyone with time issues already.

But as to how long is a reasonable time frame before tree-cleaning, I
hope other responders can give a better depiction of this.

( I only consider my own use of this "amateur" at best right now, and
even with such a low usage I have a hard time working out what I need
to do to stay current, I'd hate to know what it's like for people
relying on this in their production testing toolchain :/ )


* Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
  2017-06-06  9:11     ` Kent Fredric
@ 2017-06-11  6:38       ` Hans de Graaff
  2017-06-11 17:41         ` Kent Fredric
  2017-09-19 13:44       ` Tony Vroon
  1 sibling, 1 reply; 13+ messages in thread
From: Hans de Graaff @ 2017-06-11  6:38 UTC (permalink / raw)
  To: gentoo-dev

On Tue, 2017-06-06 at 21:11 +1200, Kent Fredric wrote:
> 
> Just 30 days to overhaul things on top of other work is a serious
> problem for anyone with time issues already.

I've updated the proposed timeframe in the mask to 90 days.

> ( I only consider my own use of this "amateur" at best right now, and
> even with such a low usage I have a hard time working out what I need
> to do to stay current, I'd hate to know what it's like for people
> relying on this in their production testing toolchain :/ )

As someone who used this in production we were already aware for some
time that this was an issue. E.g. not getting updates when all other
webkit packages did get updates was a clear indicator of future
trouble.

Hans

* Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
  2017-06-11  6:38       ` Hans de Graaff
@ 2017-06-11 17:41         ` Kent Fredric
  0 siblings, 0 replies; 13+ messages in thread
From: Kent Fredric @ 2017-06-11 17:41 UTC (permalink / raw)
  To: gentoo-dev

On Sun, 11 Jun 2017 08:38:26 +0200
Hans de Graaff <graaff@gentoo.org> wrote:

> I've updated the proposed timeframe in the mask to 90 days.

That's reasonable.

Thanks :)

* Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
  2017-06-06  9:11     ` Kent Fredric
  2017-06-11  6:38       ` Hans de Graaff
@ 2017-09-19 13:44       ` Tony Vroon
  2017-09-21  4:57         ` Kent Fredric
  1 sibling, 1 reply; 13+ messages in thread
From: Tony Vroon @ 2017-09-19 13:44 UTC (permalink / raw)
  To: gentoo-dev


On 06/06/17 10:11, Kent Fredric wrote:
> I'm sort of hoping that we can delay at least until it becomes viable
> to use newer stuff on travis.

Good afternoon Kent,

We have similar workflow issues with this, and as a consequence our
software team has asked me to step up. I can present an at least vaguely
maintainable ebuild on:
https://bugs.gentoo.org/572824

I am aware that some of the patches are rather large, so I will pack
them up into an Asterisk-style patchset that is downloaded from the mirrors.
For the avoidance of doubt, I am not proposing to remove the
package.mask entry but I am looking to prevent package removal.

Regards,
Tony V.


* Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
  2017-09-19 13:44       ` Tony Vroon
@ 2017-09-21  4:57         ` Kent Fredric
  0 siblings, 0 replies; 13+ messages in thread
From: Kent Fredric @ 2017-09-21  4:57 UTC (permalink / raw)
  To: gentoo-dev

On Tue, 19 Sep 2017 14:44:44 +0100
Tony Vroon <chainsaw@gentoo.org> wrote:

> We have similar workflow issues with this, and as a consequence our
> software team has asked me to step up. I can present an at least vaguely
> maintainable ebuild on:
> https://bugs.gentoo.org/572824
> 
> I am aware that some of the patches are rather large, so I will pack
> them up into an Asterisk-style patchset that is downloaded from the mirrors.
> For the avoidance of doubt, I am not proposing to remove the
> package.mask entry but I am looking to prevent package removal.

Most excellent :)

>>> www-client/phantomjs-2.1.1 merged

:D
