On 2016/08/17 12:14, Theo de Raadt wrote:
> > I'm CC'ing the port maintainer and adding my local patch. Should we mark the
> > binaries as wxneeded and if yes how do we handle configure failing in
> > default
> > pobj location setup?
>
> I suspect ports folk will need to recipe/reconfigure their machines to
> have wxallowed on /usr/pobj.
Yes, this is required for builds of various ports already, nothing new here.
On 2016/08/17 11:35, Jeremy Evans wrote:
> I'm on the fence about this. Basically, you are asking all users of ruby to
> accept additional insecurity, because you want to use an extension that most
> users of ruby are not using.
>
> As an occasional user of therubyracer, I can understand your frustration.
> I think a better solution would be to allow users that want to allow W|X
> to mark such executables themselves, instead of forcing all users to
> accept insecurity for the convenience of a few. However, I'm not
> qualified to determine if that is a feasible idea.
>
> Now, ruby is not a special flower. This issue affects similar software
> such as python, and we made a similar change for python a few days ago.
> For consistency purposes, it would make sense to make this change for
> ruby if we are making it for python. Because of that, if another
> developer OKs it, I will commit it (after testing of course).
There are various ways we can go.
One is as awolk@ has done in his diff, making all W|X-needing ruby
modules work.
The other is to mark therubyracer broken with an explanation, so
people who need it can build a special version of ruby themselves.
This is extra hassle for users but does have an upside, we are more
likely to find out about other extensions that require W|X if they crash
when they fail. (Referring back to python, I never would have guessed
that py-cryptography would be hit by this, so in a way it's good that
it was failing..) So as a result of that, there is some chance we might
find other modules that could be fixed.
(I don't know how to test them but x11/kde4/ruby-qt's qtwebkit.so
might also be affected; but if that's the case then x11/kde4/p5-qt's
QtWebKit4.so might *also* be affected, and there's not much we can do
about that..)
I think at the moment I'm leaning towards having working packages
(i.e. awolk's diff).
> > Index: Makefile.inc
> > ===================================================================
> > RCS file: /cvs/ports/lang/ruby/Makefile.inc,v
> > retrieving revision 1.15
> > diff -u -p -r1.15 Makefile.inc
> > --- Makefile.inc 16 Mar 2016 20:02:11 -0000 1.15
> > +++ Makefile.inc 17 Aug 2016 18:03:26 -0000
> > @@ -19,7 +19,7 @@ CONFIGURE_STYLE ?= gnu
> > CONFIGURE_ARGS += --enable-shared
> > CONFIGURE_ENV += PREFIX="${PREFIX}" \
> > CPPFLAGS="-DOPENSSL_NO_STATIC_ENGINE
> > -I${LOCALBASE}/include" \
> > - LDFLAGS="-L${LOCALBASE}/lib"
> > + LDFLAGS="-L${LOCALBASE}/lib -Wl,-z,wxneeded"
Like with the python diff, I think this should have a comment
explaining that it's for specific extensions and not ruby itself.
Other than that it's OK with me; I'm not 100% happy with it,
but on balance I think it's the most sensible option for the moment.
