* [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
From: Hans de Graaff @ 2017-06-05 7:11 UTC
To: gentoo-dev-announce; +Cc: gentoo-dev

# Hans de Graaff <graaff@gentoo.org> (05 Jun 2017)
# Bundles obsolete and vulnerable webkit version.
# Upstream has stopped development and recommends using
# headless mode in >=www-client/chromium-59.
# Masked for removal in 30 days. Bug #589994.
www-client/phantomjs
dev-ruby/poltergeist

* Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
From: Kent Fredric @ 2017-06-05 11:06 UTC
To: gentoo-dev

On Mon, 05 Jun 2017 09:11:27 +0200
Hans de Graaff <graaff@gentoo.org> wrote:

> # Hans de Graaff <graaff@gentoo.org> (05 Jun 2017)
> # Bundles obsolete and vulnerable webkit version.
> # Upstream has stopped development and recommends using
> # headless mode in >=www-client/chromium-59.
> # Masked for removal in 30 days. Bug #589994.
> www-client/phantomjs

Can phantomjs be simply masked for a longer period until the development
world has had an opportunity to catch up?

There's still respectable amounts of JS based testing code dependent on
phantomjs and all removing this means is "people who want to do this have
to work this out themselves"

1.5 Months from "We're not working on this" to "it's dead jim, kill it
from orbit" is a bit fast for anything entrenched.

Chromium 59 is also, similarly, quite new.

* Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
From: Vadim A. Misbakh-Soloviov @ 2017-06-05 11:38 UTC
To: gentoo-dev

> Can phantomjs be simply masked for a longer period until the development
> world has had an opportunity to catch up?

Just exactly what I thought.

Although the in-tree version is obsolete anyway, and upstream made the
next few releases with a brain-exploding build system, so I just pushed a
9999 version to my "public sandbox" overlay, and am happy with it on the
projects that depend on phantomjs.

By the way, headless chrome, well, works a bit differently in comparison
with "analogs" (including wkhtmlto{img,pdf}), so it needs much more time
than a month to get full analogs.

So, I disagree with monthly dropping in this context too (well, I disagree
with the idea. As I just said, I myself am safe from being affected by it).

* Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
From: Hans de Graaff @ 2017-06-06 5:31 UTC
To: gentoo-dev

On Mon, 2017-06-05 at 18:38 +0700, Vadim A. Misbakh-Soloviov wrote:
> Although the in-tree version is obsolete anyway, and upstream made the
> next few releases with a brain-exploding build system, so I just pushed
> a 9999 version to my "public sandbox" overlay, and am happy with it on
> the projects that depend on phantomjs.

I have been tracking the upstream git repository for some time. It was
going in the right direction by dropping all bundled code and using
system qtwebkit. Unfortunately it either did not build correctly or if it
did it would crash on 80% of the included test suite. Otherwise I would
have added a snapshot.

Hans

* Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
From: Michael Orlitzky @ 2017-06-05 17:42 UTC
To: gentoo-dev

On 06/05/2017 07:06 AM, Kent Fredric wrote:
> On Mon, 05 Jun 2017 09:11:27 +0200
> Hans de Graaff <graaff@gentoo.org> wrote:
>
>> # Hans de Graaff <graaff@gentoo.org> (05 Jun 2017)
>> # Bundles obsolete and vulnerable webkit version.
>> # Upstream has stopped development and recommends using
>> # headless mode in >=www-client/chromium-59.
>> # Masked for removal in 30 days. Bug #589994.
>> www-client/phantomjs
>
> Can phantomjs be simply masked for a longer period until the development
> world has had an opportunity to catch up?
>

The real reason for the mask is that it bundles an ancient version of
qtwebkit with a ton of known security vulnerabilities. Hans was
attempting to fix it, but now that upstream is dead, it will remain
insecure forever.

* Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
From: Kent Fredric @ 2017-06-05 17:49 UTC
To: gentoo-dev

On Mon, 5 Jun 2017 13:42:50 -0400
Michael Orlitzky <mjo@gentoo.org> wrote:

> Hans was
> attempting to fix it, but now that upstream is dead, it will remain
> insecure forever.

IME, as long as that's clear from the pmask, and it's clear what those
security vectors are, as long as an end user makes sure those vectors
can't happen, having an insecure-in-theory-but-not-in-practice phantomjs
is better than having no phantomjs.

* Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
From: Pacho Ramos @ 2017-06-06 8:30 UTC
To: gentoo-dev

On Mon, 05-06-2017 at 13:42 -0400, Michael Orlitzky wrote:
> On 06/05/2017 07:06 AM, Kent Fredric wrote:
> > On Mon, 05 Jun 2017 09:11:27 +0200
> > Hans de Graaff <graaff@gentoo.org> wrote:
> >
> > > # Hans de Graaff <graaff@gentoo.org> (05 Jun 2017)
> > > # Bundles obsolete and vulnerable webkit version.
> > > # Upstream has stopped development and recommends using
> > > # headless mode in >=www-client/chromium-59.
> > > # Masked for removal in 30 days. Bug #589994.
> > > www-client/phantomjs
> >
> > Can phantomjs be simply masked for a longer period until the development
> > world has had an opportunity to catch up?
> >
>
> The real reason for the mask is that it bundles an ancient version of
> qtwebkit with a ton of known security vulnerabilities. Hans was
> attempting to fix it, but now that upstream is dead, it will remain
> insecure forever.
>

Also, the current stable version cannot be built with stable gcc, and the
latest version also has lots of unresolved bugs (some building bugs) apart
from the security issues affecting all versions.

* Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
From: Hans de Graaff @ 2017-06-06 5:28 UTC
To: gentoo-dev

On Mon, 2017-06-05 at 23:06 +1200, Kent Fredric wrote:
> Can phantomjs be simply masked for a longer period until the
> development world has had an opportunity to catch up?

What kind of timeframe do you propose?

> 1.5 Months from "We're not working on this" to "it's dead jim, kill it
> from orbit" is a bit fast for anything entrenched.

The problems were there a lot longer so for me at least it still feels
slow. The fact that Chromium is now an alternative finally made it easier
to mask this, but really we should have masked this months ago. If not for
security reasons then for all the QA violations such as tons of bundled
code.

> Chromium 59 is also, similarly, quite new.

It has hit stable upstream so we should see stable versions in Gentoo
soon, I expect.

Hans

* Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
From: Kent Fredric @ 2017-06-06 9:11 UTC
To: gentoo-dev

On Tue, 06 Jun 2017 07:28:00 +0200
Hans de Graaff <graaff@gentoo.org> wrote:

> What kind of timeframe do you propose?
>
> > 1.5 Months from "We're not working on this" to "it's dead jim, kill
> > it from orbit" is a bit fast for anything entrenched.
>
> The problems were there a lot longer so for me at least it still feels
> slow. The fact that Chromium is now an alternative finally made it
> easier to mask this, but really we should have masked this months ago.
> If not for security reasons then for all the QA violations such as
> tons of bundled code.
>
> > Chromium 59 is also, similarly, quite new.
>
> It has hit stable upstream so we should see stable versions in Gentoo
> soon, I expect.

I'm sort of hoping that we can delay at least until it becomes viable
to use newer stuff on travis.

That way when all the underlying ecosystem things are updated to work
with chromium-headless, and it becomes viable to actually test this in
a consistent way the same way on every target, the need to maintain
phantomjs goes away.

But at this time, the context that matters is:

Seeing the last-riting was the *first* indication I received that any
changes were being done that I needed to pay attention to.

So making sure everything is up-to-scratch on top of all the other stuff
I have to do Gentoo side ( *cough* bug 613764 ) just means I haven't had
any of the sort of time I need to respond to this that quickly.

I'm fine with it living in pmask as long as it's "insecure, but usable".

Just 30 days to overhaul things on top of other work is a serious
problem for anyone with time issues already.

But as to how long is a reasonable time frame before tree-cleaning, I
hope other responders can give a better depiction of this.

( I only consider my own use of this "amateur" at best right now, and
even with such a low usage I have a hard time working out what I need to
do to stay current, I'd hate to know what it's like for people relying on
this in their production testing toolchain :/ )

* Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
From: Hans de Graaff @ 2017-06-11 6:38 UTC
To: gentoo-dev

On Tue, 2017-06-06 at 21:11 +1200, Kent Fredric wrote:
> Just 30 days to overhaul things on top of other work is a serious
> problem for anyone with time issues already.

I've updated the proposed timeframe in the mask to 90 days.

> ( I only consider my own use of this "amateur" at best right now, and
> even with such a low usage I have a hard time working out what I need
> to do to stay current, I'd hate to know what it's like for people
> relying on this in their production testing toolchain :/ )

As someone who used this in production we were already aware for some
time that this was an issue. E.g. not getting updates when all other
webkit packages did get updates was a clear indicator of future trouble.

Hans

* Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
From: Kent Fredric @ 2017-06-11 17:41 UTC
To: gentoo-dev

On Sun, 11 Jun 2017 08:38:26 +0200
Hans de Graaff <graaff@gentoo.org> wrote:

> I've updated the proposed timeframe in the mask to 90 days.

That's reasonable. Thanks :)

* Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
From: Tony Vroon @ 2017-09-19 13:44 UTC
To: gentoo-dev

On 06/06/17 10:11, Kent Fredric wrote:
> I'm sort of hoping that we can delay at least until it becomes viable
> to use newer stuff on travis.

Good afternoon Kent,

We have similar workflow issues with this, and as a consequence our
software team has asked me to step up. I can present an at least vaguely
maintainable ebuild on:
https://bugs.gentoo.org/572824

I am aware that some of the patches are rather large, so I will pack
them up into an Asterisk-style patchset that is downloaded from the mirrors.
For the avoidance of doubt, I am not proposing to remove the
package.mask entry but I am looking to prevent package removal.

Regards,
Tony V.

* Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
From: Kent Fredric @ 2017-09-21 4:57 UTC
To: gentoo-dev

On Tue, 19 Sep 2017 14:44:44 +0100
Tony Vroon <chainsaw@gentoo.org> wrote:

> We have similar workflow issues with this, and as a consequence our
> software team has asked me to step up. I can present an at least vaguely
> maintainable ebuild on:
> https://bugs.gentoo.org/572824
>
> I am aware that some of the patches are rather large, so I will pack
> them up into an Asterisk-style patchset that is downloaded from the mirrors.
> For the avoidance of doubt, I am not proposing to remove the
> package.mask entry but I am looking to prevent package removal.

Most excellent :)

>>> www-client/phantomjs-2.1.1 merged

:D
