svn commit: r354025 - in head/textproc/rubygem-nokogiri: . files

Steve Wills swills at freebsd.org
Mon May 19 19:48:27 UTC 2014


Hi,

On Mon, May 19, 2014 at 12:29:15PM +0900, Akinori MUSHA wrote:
> At Mon, 19 May 2014 01:39:52 +0000,
> Steve Wills wrote:
> > > Starting from 1.6.2, nokogiri explicitly suggests using bundled
> > > libxml2/libxslt that are properly patched for the gem including
> > > security problems instead of using some unknown version provided by
> > > the platform.
> >
> > Thanks for the info, I wasn't aware of that.
> >
> > Wouldn't it be better to get the libxml2 from ports updated with the bug fixes
> > instead of having one buggy version in ports and one non-buggy version bundled
> > with nokogiri?
> 
> Libxml2 2.9.x, having had no release for one year and a half, finally
> rolled out a new release at the timing we (the Team Nokogiri) didn't
> expect while we were working on long-term release engineering for
> nokogiri 1.6.2 targeted for a patched libxml2 2.8.0.
> 
> We do want to take the time to tackle the new release of libxml2, but
> we currently have to deal with issues reported after 2.9.2, and then
> 2.9.2.1, so it may take at least a couple of weeks before we can start
> working on it.
> 
> > Can you please send me the fixes that libxml2 needs?
> 
> So far, libxml2 2.9.1 looks like a decent release as it should be,
> because it includes all it had exclusively in their repository,
> including bug fixes and security fixes.
> 
> However, it is confirmed that some test cases in nokogiri's test suite
> fail, which we are yet to figure out if it's libxml2 that introduced
> bugs, or nokogiri that had incorrect assumptions about some features
> of libxml2 or XML specifications.  In any case, the ball is now on
> nokogiri's side.
> 
> One thing for sure is that nokogiri does not currently have a known
> security issue at the moment, and all features covered by the test
> suite should work fine when built with the bundled version of libxml2.
> 
> > > Hopefully, when nokogiri is finally updated to support libxml2 2.9.1,
> > > and if libxml2 stops neglecting their new releases, then the situation
> > > may change, but I just can't recommend that at the moment.
> >
> > So are you saying nokogiri doesn't build with libxml2 2.9.1? Or doesn't work at
> > all with libxml2 2.9.1? Or partially broken? Or is it not supported due to
> > missing fixes, which we could easily add in ports?
> 
> It builds with libxml2 2.9.1, but will be partially broken.  It is not
> certain if it's a bug on libxml2's side, or if there are other pieces
> of software affected by the incompatibilities introduced by an upgrade
> to 2.9.1.
> 
> So, until nokogiri rolls out a new release that claims full support
> for libxml2 2.9.1, I'd recommend using the bundled libraries for the
> moment.  I'll keep you posted.

Sorry, missed this mail in my mailer. Thanks for the update. Perhaps we should
create a libxml28 port for use until nokogiri supports libxml 2.9?

Steve

