[gentoo-dev] RFC: News item: Perl 5.26 update

[gentoo-dev] RFC: News item: Perl 5.26 update

[Andreas K. Huettel]

[-- Attachment #1.1: Type: text/plain, Size: 1373 bytes --]

See plaintext below and identical attached file.


=======================================
Title: Perl 5.26 update: possible breakage
Author: Andreas K. Hüttel <dilfridge@gentoo.org>
Posted: xxxxxxx
Revision: 1
News-Item-Format: 2.0
Display-If-Installed: >=dev-lang/perl-5.26.0

You have just upgraded to Perl 5.26. This release brings several 
incompatible changes, also as a consequence of fixing a security 
problem [1]. While we have made sure that all resulting build 
failures within Gentoo are fixed, this may not be the case for
runtime issues, and certainly can affect third-party code (e.g.,
"hand-installed" server applications).

Typical errors are 
   "Can't locate inc/... in @INC (you may need to install the inc::... 
module)"
   "error: ... has no member named ‘op_sibling’"
   "Unescaped left brace in regex is illegal in ..."

Please see the pages [2,3] for details and report bugs if you run
into problems during or after the Perl update.

[1] https://rt.perl.org/Ticket/Display.html?id=127834
    https://bugs.gentoo.org/show_bug.cgi?id=589680
[2] https://wiki.gentoo.org/wiki/Project:Perl/Dot-In-INC-Removal
[3] https://wiki.gentoo.org/wiki/Project:Perl/5.26_Known_Issues
=======================================


-- 
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer (council, perl, libreoffice)

[-- Attachment #1.2: 2017-10-xx-perl-526-update.en.txt --]
[-- Type: text/plain, Size: 1133 bytes --]

Title: Perl 5.26 update: possible breakage
Author: Andreas K. Hüttel <dilfridge@gentoo.org>
Posted: xxxxxxx
Revision: 1
News-Item-Format: 2.0
Display-If-Installed: >=dev-lang/perl-5.26.0

You have just upgraded to Perl 5.26. This release brings several 
incompatible changes, also as a consequence of fixing a security 
problem [1]. While we have made sure that all resulting build 
failures within Gentoo are fixed, this may not be the case for
runtime issues, and certainly can affect third-party code (e.g.,
"hand-installed" server applications).

Typical errors are 
   "Can't locate inc/... in @INC (you may need to install the inc::... module)"
   "error: ... has no member named ‘op_sibling’"
   "Unescaped left brace in regex is illegal in ..."

Please see the pages [2,3] for details and report bugs if you run
into problems during or after the Perl update.

[1] https://rt.perl.org/Ticket/Display.html?id=127834
    https://bugs.gentoo.org/show_bug.cgi?id=589680
[2] https://wiki.gentoo.org/wiki/Project:Perl/Dot-In-INC-Removal
[3] https://wiki.gentoo.org/wiki/Project:Perl/5.26_Known_Issues

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-dev] RFC: News item: Perl 5.26 update

[Kent Fredric]

[-- Attachment #1: Type: text/plain, Size: 1908 bytes --]

On Sat, 07 Oct 2017 17:03:44 +0200
"Andreas K. Huettel" <dilfridge@gentoo.org> wrote:

> See plaintext below and identical attached file.
> 
> 
> =======================================
> Title: Perl 5.26 update: possible breakage
> Author: Andreas K. Hüttel <dilfridge@gentoo.org>
> Posted: xxxxxxx
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: >=dev-lang/perl-5.26.0
> 
> You have just upgraded to Perl 5.26. This release brings several 
> incompatible changes, also as a consequence of fixing a security 
> problem [1]. While we have made sure that all resulting build 
> failures within Gentoo are fixed, this may not be the case for
> runtime issues, and certainly can affect third-party code (e.g.,
> "hand-installed" server applications).
> 
> Typical errors are 
>    "Can't locate inc/... in @INC (you may need to install the inc::... 
> module)"
>    "error: ... has no member named ‘op_sibling’"
>    "Unescaped left brace in regex is illegal in ..."
> 
> Please see the pages [2,3] for details and report bugs if you run
> into problems during or after the Perl update.
> 
> [1] https://rt.perl.org/Ticket/Display.html?id=127834
>     https://bugs.gentoo.org/show_bug.cgi?id=589680
> [2] https://wiki.gentoo.org/wiki/Project:Perl/Dot-In-INC-Removal
> [3] https://wiki.gentoo.org/wiki/Project:Perl/5.26_Known_Issues
> =======================================
> 
> 


Somewhere in here its probably useful to link to
https://wiki.gentoo.org/wiki/Perl under the guise of "general update
advice", as it seems many people *still* don't know about this page and
will predictably come to #gentoo asking for help having not seen it.

So ....

> Please see the pages [2,3] for details and report bugs if you run
> into problems during or after the Perl update.
>
> General purpose advice on updating Perl can be found on page [4]

?

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-dev] RFC: News item: Perl 5.26 update

[Andreas K. Huettel]

[-- Attachment #1: Type: text/plain, Size: 272 bytes --]

Am Samstag, 7. Oktober 2017, 17:21:13 CEST schrieb Kent Fredric:

> > 
> > General purpose advice on updating Perl can be found on page [4]
> 

Sounds good, added.


-- 
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer (council, perl, libreoffice)

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-dev] RFC: News item: Perl 5.26 update

[Aaron W. Swenson]

[-- Attachment #1: Type: text/plain, Size: 1137 bytes --]

On 2017-10-07 17:03, Andreas K. Huettel wrote:
> …
> This release brings several incompatible changes, also as a
> consequence of fixing a security problem [1].

This reads kind of awkwardly. Maybe something along this lines of:

    This release brings several incompatible changes as a result of
    deprecations coming to term [#] and mitigating a potential security
    issue [#].

I wouldn’t really consider the security risk eliminated, but
mitigated as the vector of attack remains if program or module adds the
current working directory to @INC on its own. The interpreter just isn’t
adding it to @INC.

> Typical errors are 
>    "Can't locate inc/... in @INC (you may need to install the inc::... module)"
>    "error: ... has no member named ‘op_sibling’"
>    "Unescaped left brace in regex is illegal in ..."

I would make this look more like a proper list.

    Typical errors are:
      * Can't locate inc/... in @INC (you may need to install the
        inc::... module)
      * error: ... has no member named ‘op_sibling’
      * Unescaped left brace in regex is illegal in ...

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 376 bytes --]

Re: [gentoo-dev] RFC: News item: Perl 5.26 update

[Kent Fredric]

[-- Attachment #1: Type: text/plain, Size: 841 bytes --]

On Sat, 7 Oct 2017 12:15:14 -0400
"Aaron W. Swenson" <titanofold@gentoo.org> wrote:

> This reads kind of awkwardly. Maybe something along this lines of:
> 
>     This release brings several incompatible changes as a result of
>     deprecations coming to term [#] and mitigating a potential security
>     issue [#].
> 
> I wouldn’t really consider the security risk eliminated, but
> mitigated as the vector of attack remains if program or module adds the
> current working directory to @INC on its own. The interpreter just isn’t
> adding it to @INC.

Its probably more accurate to consider this a form of security theatre
than a real security mitigation.

Just phrasing that succinctly is not easy.

Maybe instead of calling it "a security issue", its "a change in
defaults due to potential security concerns"


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-dev] RFC v2: News item: Perl 5.26 update

[Andreas K. Huettel]

[-- Attachment #1: Type: text/plain, Size: 1512 bytes --]

OK so here's the updated version:

=================================
Title: Perl 5.26 update: possible breakage
Author: Andreas K. Hüttel <dilfridge@gentoo.org>
Posted: xxxxxxx
Revision: 1
News-Item-Format: 2.0
Display-If-Installed: >=dev-lang/perl-5.26.0

You have just upgraded to Perl 5.26. This release brings several 
incompatible changes, as a result of deprecations coming to term
and of changes in default settings to mitigate a potential
security issue [1].

While we have made sure that all resulting build failures within 
Gentoo are fixed, this may not be the case for runtime issues, 
and certainly can affect third-party code (e.g., "hand-installed" 
server applications).

Typical errors are 
* Can't locate inc/... in @INC (you may need to install the inc::... module)
* error: ... has no member named ‘op_sibling’
* Unescaped left brace in regex is illegal in ...

Please see the pages [2,3] for details and report bugs if you run
into problems during or after the Perl update.

General purpose advice on updating Perl can be found on page [4].

[1] https://rt.perl.org/Ticket/Display.html?id=127834
    https://bugs.gentoo.org/show_bug.cgi?id=589680
[2] https://wiki.gentoo.org/wiki/Project:Perl/Dot-In-INC-Removal
[3] https://wiki.gentoo.org/wiki/Project:Perl/5.26_Known_Issues
[4] https://wiki.gentoo.org/wiki/Perl
=================================


-- 
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer (council, perl, libreoffice)

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 981 bytes --]

Re: [gentoo-dev] RFC v2: News item: Perl 5.26 update

[Aaron W. Swenson]

[-- Attachment #1: Type: text/plain, Size: 307 bytes --]

On 2017-10-08 14:01, Andreas K. Huettel wrote:
> OK so here's the updated version:
> …
> Typical errors are 

Needs a colon.

    Typical errors are:

But the rest looks good to me.

I don’t know how to write “good job” without it sounding
patronizing. But here it is anyway: Good job!

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 376 bytes --]