svn commit: r354025 - in head/textproc/rubygem-nokogiri: . files

Akinori MUSHA knu at iDaemons.org
Mon May 19 03:29:25 UTC 2014


At Mon, 19 May 2014 01:39:52 +0000,
Steve Wills wrote:
> > Starting from 1.6.2, nokogiri explicitly suggests using bundled
> > libxml2/libxslt that are properly patched for the gem including
> > security problems instead of using some unknown version provided by
> > the platform.
>
> Thanks for the info, I wasn't aware of that.
>
> Wouldn't it be better to get the libxml2 from ports updated with the bug fixes
> instead of having one buggy version in ports and one non-buggy version bundled
> with nokogiri?

Libxml2 2.9.x, having had no release for one year and a half, finally
rolled out a new release at the timing we (the Team Nokogiri) didn't
expect while we were working on long-term release engineering for
nokogiri 1.6.2 targeted for a patched libxml2 2.8.0.

We do want to take the time to tackle the new release of libxml2, but
we currently have to deal with issues reported after 2.9.2, and then
2.9.2.1, so it may take at least a couple of weeks before we can start
working on it.

> Can you please send me the fixes that libxml2 needs?

So far, libxml2 2.9.1 looks like a decent release as it should be,
because it includes all it had exclusively in their repository,
including bug fixes and security fixes.

However, it is confirmed that some test cases in nokogiri's test suite
fail, which we are yet to figure out if it's libxml2 that introduced
bugs, or nokogiri that had incorrect assumptions about some features
of libxml2 or XML specifications.  In any case, the ball is now on
nokogiri's side.

One thing for sure is that nokogiri does not currently have a known
security issue at the moment, and all features covered by the test
suite should work fine when built with the bundled version of libxml2.

> > Hopefully, when nokogiri is finally updated to support libxml2 2.9.1,
> > and if libxml2 stops neglecting their new releases, then the situation
> > may change, but I just can't recommend that at the moment.
>
> So are you saying nokogiri doesn't build with libxml2 2.9.1? Or doesn't work at
> all with libxml2 2.9.1? Or partially broken? Or is it not supported due to
> missing fixes, which we could easily add in ports?

It builds with libxml2 2.9.1, but will be partially broken.  It is not
certain if it's a bug of libxml2's side, or if there are other pieces
of software affected by the incompatibilities introduced by an upgrade
to 2.9.1.

So, until nokogiri rolls out a new release that claims full support
for libxml2 2.9.1, I'd recommend using the bundled libraries for the
moment.  I'll keep you posted.

--
Akinori MUSHA / https://akinori.org/