svn commit: r354025 - in head/textproc/rubygem-nokogiri: . files

Steve Wills swills at freebsd.org
Mon May 19 17:19:30 UTC 2014


On Mon, May 19, 2014 at 01:39:52AM +0000, Steve Wills wrote:
> On Sat, May 17, 2014 at 11:52:37PM +0900, Akinori MUSHA wrote:
> > At Fri, 16 May 2014 15:41:57 +0000,
> > Steve Wills wrote:
> > > This is not the correct fix. Please see attached. Please use this fix and
> > > remove rubygem-mini_portile from ports. The mini_portile gem does its own
> > > installing of libraries and other things and this is not how we want ports to
> > > work, IMHO, so we really should avoid having it in port if possible.
> > 
> > Our libxml2 was updated to 2.9.x after the recent security incidents,
> > but nokogiri does not fully support that version, i.e. some features
> > do not function properly.  Using textproc/libxml2 worked only by
> > chance, that is, it was staying still at 2.8.0 while other
> > OS/distributions had migrated to 2.9.x a long time ago.
> > 
> > I have to point out that libxml2 is notorious for not releasing a new
> > version even if a critical bug is found, so it's all up to each
> > distributor as to which set of patches they merge to their package,
> > investing their time to track the upstream git repository.
> > 
> > Team Nokogiri has suffered so much with this, and concluded that there
> > is no way but to maintain its own version to avoid dealing with every
> > single platform dependent arbitrarily patched libxml2 installation.
> > Nokogiri uses a wide range of libxml2's features, and is thus subject
> > to be affected by a tiny incompatibility or bug/bug-fix in libxml2.
> > 
> > Starting from 1.6.2, nokogiri explicitly suggests using bundled
> > libxml2/libxslt that are properly patched for the gem including
> > security problems instead of using some unknown version provided by
> > the platform.
> 
> Thanks for the info, I wasn't aware of that.
> 
> Wouldn't it be better to get the libxml2 from ports updated with the bug fixes
> instead of having one buggy version in ports and one non-buggy version bundled
> with nokogiri?
> 
> Can you please send me the fixes that libxml2 needs?
> 
> > Above is all I can tell you on behalf of Team Nokogiri, and if you
> > still believe it's not correct, not the way FreeBSD ports should take,
> > that's fine, you can "fix" it on your own, but please do not expect me
> > to do that against my will.
> > 
> > Hopefully, when nokogiri is finally updated to support libxml2 2.9.1,
> > and if libxml2 stops neglecting their new releases, then the situation
> > may change, but I just can't recommend that at the moment.
> 
> So are you saying nokogiri doesn't build with libxml2 2.9.1? Or doesn't work at
> all with libxml2 2.9.1? Or partially broken? Or is it not supported due to
> missing fixes, which we could easily add in ports?

Didn't hear from you, but saw some fixes to libxml2 go in. Do you know if those
completely address the issue? If so, can you confirm that nokogiri works
properly? And if so, can we remove rubygem-mini_portile?

Thanks,
Steve


More information about the svn-ports-all mailing list