What on earth happened with Perl?


What on earth happened with Perl?

Dave Horsfall
As the subject sez...

After being bitten by Perl 5.26 apparently being surreptitiously installed
last week and breaking modules[*] in the process (@INC no longer includes
"."), my regular Monday "port upgrade outdated" seemed to deactivate Perl
5.24 (and refusing to break some dependencies) and installed 5.26, which I
thought it already did...

Before I post logs etc, could I please have a short summary as to what the
hell is happening?  I can't be the only one being done over like this...

I note that FreeBSD is still conservatively staying with 5.24, and my
Penguin box seems to be araldited onto 5.20, so why the rush for 5.26 that
is known to be backwards-incompatible?

[*]
At least mine still works after "-I." whilst I'm developing it...

--
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."
If you are a Gmail/Yahoo/etc user please see http://www.horsfall.org/spam.html

Re: What on earth happened with Perl?

Ken Cunningham
Looks like it is a security issue, and has been backported into at least some perl 5.24 versions.


<https://metacpan.org/pod/perl5260delta#Removal-of-the-current-directory-%28%22.%22%29-from-@INC>


<https://nvd.nist.gov/vuln/detail/CVE-2016-1238>

<https://stackoverflow.com/questions/46549671/doesnt-perl-include-current-directory-in-inc-by-default>


You can override this on your own system by setting an environment variable, amongst other methods.

<https://metacpan.org/pod/perl5260delta#Removal-of-the-current-directory-%28%22.%22%29-from-@INC>

Hope this helps at least a bit,

Ken




On 2018-03-11, at 5:52 PM, Dave Horsfall wrote:

> As the subject sez...
>
> After being bitten by Perl 5.26 apparently being surreptitiously installed last week and breaking modules[*] in the process (@INC no longer includes "."), my regular Monday "port upgrade outdated" seemed to deactivate Perl 5.24 (and refusing to break some dependencies) and installed 5.26, which I thought it already did...
>
> Before I post logs etc, could I please have a short summary as to what the hell is happening?  I can't be the only one being done over like this...
>
> I note that FreeBSD is still conservatively staying with 5.24, and my Penguin box seems to be araldited onto 5.20, so why the rush for 5.26 that is known to be backwards-incompatible?
>
> [*]
> At least mine still works after "-I." whilst I'm developing it...
>
> --
> Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."
> If you are a Gmail/Yahoo/etc user please see http://www.horsfall.org/spam.html


Re: What on earth happened with Perl?

Mojca Miklavec-2
In reply to this post by Dave Horsfall
On 12 March 2018 at 00:52, Dave Horsfall wrote:
> As the subject sez...
>
> After being bitten by Perl 5.26 apparently being surreptitiously installed
> last week and breaking modules[*] in the process (@INC no longer includes
> "."), my regular Monday "port upgrade outdated" seemed to deactivate Perl
> 5.24 (and refusing to break some dependencies) and installed 5.26, which I
> thought it already did...

perl5.24 should not be deactivated per se, but all its modules have
indeed been sent to graveyard.

It is true though that perl5 would be reinstalled to depend on
perl5.26 in case you had it set at 5.24 from before (it was already
set to default months ago, but if you only ran "port upgrade
outdated", it would stick with the old default until recently. If you
installed it on a clean machine or ran "sudo port install perl", you
would get the latest one.)

> Before I post logs etc, could I please have a short summary as to what the
> hell is happening?  I can't be the only one being done over like this...

perl5.26 has been available for nearly a year already and ports
could have switched to using perl5.26 immediately after that, but many
maintainers did not do the upgrade (and many ports have no maintainer
at all).

This ticket has been open for months: https://trac.macports.org/ticket/55208

What happened recently is that we removed all modules for perl5.24 and
made perl5.26 default.

If that broke any ports for you, please file tickets for those
individual ports (and maybe post links in this thread as well). If it
broke your own module that resides just on your machine, you will
probably need to adapt the code to become compatible with the latest
version. I did check some failures, but not all of them.

> I note that FreeBSD is still conservatively staying with 5.24, and my
> Penguin box seems to be araldited onto 5.20, so why the rush for 5.26 that
> is known to be backwards-incompatible?

Your Penguin box is shipping software that is no longer supported
upstream. Perl5.20 reached end-of-life some time in May 2017. They are
probably not doing it on purpose, but the release cycles are usually
pretty long and perl developers stop supporting it just two years
after releasing a particular version. I'm not aware of any
(non-rolling) distribution that would simply upgrade to a newer
version of perl. You get that with a new release.

We've been providing perl5.26 for nearly a year already. Two months
from now perl5.24 will no longer be supported. And there have indeed
been no complaints before yours about this issue, neither in Trac nor
on the mailing list. We could probably do the hard switch a few months
later, but I'm assuming that this would just postpone the time by
which you would notice the problem and would not buy you any time in
any case.

Perl is hardly ever backwards incompatible in any serious way, but
there are always minor hiccups at each update (some of the thousands
of packages that we package would break, but developers get bug
reports and eventually release new versions). David has been updating
modules on a regular basis and he fixed basically all problems in those
modules that were introduced with 5.26. We were not aware of other
major issues that would block full transition to 5.26.

Mojca
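
Added example, not part of any message in this thread: one way to adapt a local script to the @INC change discussed above without putting "." back. It loads private modules from the script's own directory and reports any @INC entry that still depends on the current directory or is world-writable, which is the exposure behind CVE-2016-1238. The "lib" subdirectory, the sub name audit_inc and the sample list are assumptions made for illustration; PERL_USE_UNSAFE_INC is the variable documented in perl5260delta.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use FindBin qw($RealBin);

# Anchor private modules to the script's own location instead of the
# current directory. The "lib" subdirectory name is an assumption.
use lib "$RealBin/lib";

# Return [entry, reason] pairs for @INC entries that an untrusted local
# user could influence.
sub audit_inc {
    my @findings;
    for my $dir (@_) {
        next if ref $dir;    # @INC hooks (code refs, objects) are not paths
        if (!File::Spec->file_name_is_absolute($dir)) {
            push @findings, [$dir, 'relative: resolved against the cwd'];
            next;
        }
        my @st = stat $dir or next;    # skip entries that do not exist
        push @findings, [$dir, 'world-writable directory'] if $st[2] & 0002;
    }
    return @findings;
}

# perl 5.26 only re-adds "." when the variable is exactly "1".
warn "PERL_USE_UNSAFE_INC=1 is set, so perl adds '.' to \@INC\n"
    if ($ENV{PERL_USE_UNSAFE_INC} // '') eq '1';

my @findings = audit_inc(@INC);
printf "%-40s %s\n", @$_ for @findings;
print "no cwd-dependent or world-writable \@INC entries\n" unless @findings;

# Constructed sample list: the first two entries are the pre-5.26 style
# paths that get flagged; the last one does not exist and is skipped.
printf "sample: %-32s %s\n", @$_
    for audit_inc('.', 'lib', '/nonexistent/perl5');
```

Running it with "-I." on the command line, as in the first message, makes "." show up in the first report, since -I entries are added to @INC before the script runs.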