Mailing List Archive

Updates on recent Perl security releases
Hi all,

At the weekend I attempted three simultaneous maint releases of Perl
5.34.2, 5.36.2 and 5.38.1. Due to the complexity and rarity of the work
involved, I did make a number of mistakes along the way, leading to the
current situation whereby the versions on CPAN fail an installation
test (t/porting/regen.t) for various reasons. Undetected by tests,
there are also mistakes in the copy of Module::CoreList that is shipped
in these.

I have been working on fixes for all these issues, and I now have a set of
tarballs for each release that includes all the security updates, and
is correct in regard to the issues mentioned above. Currently lacking a
way to get them to be the actual releases visible on CPAN, I do at
least have them visible on my own personal server, if anyone wishes to
test them out here or download them for a *limited* purpose.

As I said, this is my own personal server so I don't want them to live
here for a long time; they're just here for some folks to test it out
and confirm it's all correct ahead of attempting to get them uploaded
properly onto PAUSE/CPAN for real. I don't guarantee any particular
amount of uptime/availability or long-term storage here after it's been
put in the right place on CPAN.


For now at least, they are available at

Perl 5.34.2:
https://www.leonerd.org.uk/perl-releases/perl-5.34.2.tar.gz
57804616ac48d50b8e986316fac6f6aea6263d3c perl-5.34.2.tar.gz
6c1147e5be3d3153eb0ed754a3a5705846994b97527ed0a5f16e1b33fdf24644 perl-5.34.2.tar.gz

https://www.leonerd.org.uk/perl-releases/perl-5.34.2.tar.xz
b12e40fab12384a3cef304c1775c71eb1aabe4ae perl-5.34.2.tar.xz
9f84edb119f417c4c1f8438aa88290d856d01c73e3e3db1196c587a5c540839b perl-5.34.2.tar.xz

Perl 5.36.2:
https://www.leonerd.org.uk/perl-releases/perl-5.36.2.tar.gz
a15ad31226e2b6859cdbe2f7ea304e03ba4e4826585992faa84c2de6b7836fad perl-5.36.2.tar.gz

https://www.leonerd.org.uk/perl-releases/perl-5.36.2.tar.xz
44666788262e33ffda1c68a32d1683aea0bbee0efefb2d564f327e369fb92adb perl-5.36.2.tar.xz

Perl 5.38.1:
https://www.leonerd.org.uk/perl-releases/perl-5.38.1.tar.gz
f65fbb71c5b3edd5e3fdf54f1d2de09e997db98dc96fe9806790d32b7f48d1f1 perl-5.38.1.tar.gz

https://www.leonerd.org.uk/perl-releases/perl-5.38.1.tar.xz
fadfb07a02473f25a7ef9cf2df1a35cd7454eec368fbed5c550d415ed5676857 perl-5.38.1.tar.xz

I have also confirmed these install correctly via perlbrew; e.g.

$ perlbrew install -j 2 https://www.leonerd.org.uk/perl-releases/perl-5.36.2.tar.gz


My next steps now will be working out how to get these onto CPAN
properly, following up with some replies to the original release
announcements when they're all sorted, and finally a post-mortem look
at what went wrong and some things we can do to try to avoid it in
future.

Thanks all, and sorry for the trouble...

--
Paul "LeoNerd" Evans

leonerd@leonerd.org.uk | https://metacpan.org/author/PEVANS
http://www.leonerd.org.uk/ | https://www.tindie.com/stores/leonerd/
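Before building one of these test tarballs a practitioner would check the downloaded file against the digests published in the message above, and would also want to notice if the same filename ever turns up listed with two different digests, which is the ambiguity the thread goes on to discuss. The Python below is an added example for this page, not code from the Perl project or from anyone in the thread. It parses "digest filename" lines in the form used in the announcement (40 hex characters read as SHA-1, 64 as SHA-256, URL and heading lines skipped, so the announcement text can be pasted in as-is), hashes the local file, compares in constant time and reports a per-file verdict. The sample filename, the sample bytes and the demo() manifests are constructed for the example; the real digests above are what you would paste in.

```python
"""Verify downloaded release tarballs against published checksum lines.

Added example for this thread; it is not code from the Perl project or from
any poster. Input is the "digest filename" form used in the announcement
(40 hex chars = SHA-1, 64 hex chars = SHA-256). All sample data here is
constructed; point it at real perl-5.xx.y.tar.gz files and the real lines.
"""
import hashlib
import hmac
import os
import tempfile

DIGEST_ALGOS = {40: "sha1", 64: "sha256"}
HEX = set("0123456789abcdef")
# Worst verdict wins when one file has several lines (e.g. SHA-1 and SHA-256).
RANK = {"ok": 0, "missing": 1, "mismatch": 2, "conflict": 3}

SAMPLE_NAME = "perl-5.38.2.tar.gz"  # constructed stand-in, not a real tarball
SAMPLE_BYTES = b"constructed sample bytes standing in for a release tarball\n"


def parse_manifest(text):
    """Map (filename, algo) -> digest; also return keys listed with differing digests.

    URLs, headings and blank lines are skipped, so the announcement text can be
    pasted in unchanged. A key that appears twice with different digests is the
    ambiguity that arises when a version number is reused for a new tarball.
    """
    entries, conflicts = {}, []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1]
        algo = DIGEST_ALGOS.get(len(digest))
        if algo is None or not set(digest) <= HEX:
            continue
        key = (name, algo)
        if key in entries and entries[key] != digest and key not in conflicts:
            conflicts.append(key)
        entries[key] = digest
    return entries, conflicts


def digest_file(path, algo):
    """Hash a file in 1 MiB chunks so a full tarball never sits in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(manifest_text, directory):
    """Return {filename: 'ok' | 'missing' | 'mismatch' | 'conflict'}."""
    entries, conflicts = parse_manifest(manifest_text)
    verdicts = {}
    for (name, algo), expected in entries.items():
        if (name, algo) in conflicts:
            verdict = "conflict"
        else:
            path = os.path.join(directory, name)
            if not os.path.isfile(path):
                verdict = "missing"
            elif hmac.compare_digest(digest_file(path, algo), expected):
                verdict = "ok"
            else:
                verdict = "mismatch"
        prev = verdicts.get(name, "ok")
        verdicts[name] = verdict if RANK[verdict] >= RANK[prev] else prev
    return verdicts


def write_sample(directory):
    """Write the constructed sample file; returns its path."""
    path = os.path.join(directory, SAMPLE_NAME)
    with open(path, "wb") as fh:
        fh.write(SAMPLE_BYTES)
    return path


def demo():
    """Run verify() over four constructed manifests; returns their verdict dicts."""
    with tempfile.TemporaryDirectory() as tmp:
        path = write_sample(tmp)
        sha1, sha256 = digest_file(path, "sha1"), digest_file(path, "sha256")
        good = f"{sha1} {SAMPLE_NAME}\n{sha256} {SAMPLE_NAME}\n"
        # SHA-1 still matches but SHA-256 does not: the file is not what was published.
        tampered = f"{sha1} {SAMPLE_NAME}\n{'0' * 64} {SAMPLE_NAME}\n"
        # Same filename published twice with different SHA-256 digests.
        reused = good + f"{'f' * 64} {SAMPLE_NAME}\n"
        # A listed file that was never downloaded.
        missing = f"{'a' * 64} perl-5.36.3.tar.gz\n"
        return (verify(good, tmp), verify(tampered, tmp),
                verify(reused, tmp), verify(missing, tmp))


if __name__ == "__main__":
    for label, result in zip(("good", "tampered", "reused", "missing"), demo()):
        print(f"{label:9s} {result}")
```

The worst verdict for a file wins, so a matching SHA-1 line never hides a failing SHA-256 line for the same tarball, and a filename that the manifest lists with two different digests is reported as a conflict rather than silently accepted on whichever line happened to match.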
Re: Updates on recent Perl security releases
On Mon, Nov 27, 2023 at 02:05:44PM +0000, Paul "LeoNerd" Evans wrote:
> https://www.leonerd.org.uk/perl-releases/perl-5.38.1.tar.xz
> fadfb07a02473f25a7ef9cf2df1a35cd7454eec368fbed5c550d415ed5676857 perl-5.38.1.tar.xz

I tested the above and I can confirm that all tests pass.


Thank you.

--
+-------------------------------------------+
| Marcel Telka e-mail: marcel@telka.sk |
| homepage: http://telka.sk/ |
+-------------------------------------------+
Re: Updates on recent Perl security releases
On 11/27/23 09:05, Paul "LeoNerd" Evans wrote:
> Hi all,
>
> [snip]


> My next steps now will be working out how to get these onto CPAN
> properly, following up with some replies to the original release
> announcements when they're all sorted, and finally a post-mortem look
> at what went wrong and some things we can do to try to avoid it in
> future.
>

I successfully tested and built from all three *.tar.gz tarballs on
FreeBSD-13 with my usual configuration switches.

However, I think you may encounter problems trying to upload these
tarballs to CPAN with the same *.*.* version numbers as are already up
there. Whenever I have tried to upload a tarball without incrementing
$VERSION, CPAN has rejected the upload. It may be simpler and less
confusing in the long run to do the work needed to issue, say,
perl-5.38.2 rather than trying to replace perl-5.38.1.

Andreas, Steve, Rik -- do you have any advice here?
Re: Updates on recent Perl security releases
On Mon, Nov 27, 2023 at 01:20:06PM -0500, James E Keenan wrote:
> On 11/27/23 09:05, Paul "LeoNerd" Evans wrote:
> > Hi all,

> > My next steps now will be working out how to get these onto CPAN
> > properly, following up with some replies to the original release
> > announcements when they're all sorted, and finally a post-mortem look
> > at what went wrong and some things we can do to try to avoid it in
> > future.

> However, I think you may encounter problems trying to upload these tarballs
> to CPAN with the same *.*.* version numbers as are already up there.
> Whenever I have tried to upload a tarball without incrementing $VERSION,
> CPAN has rejected the upload. It may be simpler and less confusing in the
> long run to do the work needed to issue, say, perl-5.38.2 rather than trying
> to replace perl-5.38.1.

I think Jim is exactly correct here. Especially for a security release, there
should be no possibility of ambiguity. We won't run out of integers.

--
Andy Dougherty doughera@lafayette.edu
Re: Updates on recent Perl security releases
On Mon, Nov 27, 2023 at 11:50 PM James E Keenan <jkeenan@pobox.com> wrote:

> On 11/27/23 09:05, Paul "LeoNerd" Evans wrote:
> > Hi all,
> >
> > [snip]
>
>
> > My next steps now will be working out how to get these onto CPAN
> > properly, following up with some replies to the original release
> > announcements when they're all sorted, and finally a post-mortem look
> > at what went wrong and some things we can do to try to avoid it in
> > future.
> >
>
> I successfully tested and built from all three *.tar.gz tarballs on
> FreeBSD-13 with my usual configuration switches.
>
> However, I think you may encounter problems trying to upload these
> tarballs to CPAN with the same *.*.* version numbers as are already up
> there. Whenever I have tried to upload a tarball without incrementing
> $VERSION, CPAN has rejected the upload. It may be simpler and less
> confusing in the long run to do the work needed to issue, say,
> perl-5.38.2 rather than trying to replace perl-5.38.1.
>
> Andreas, Steve, Rik -- do you have any advice here?
>

Rereleasing with the same version numbers can also lead to confusion
because checksums have been published.

Leon
Re: Updates on recent Perl security releases
On Mon, Nov 27, 2023, at 13:34, Andy Dougherty wrote:
> I think Jim is exactly correct here. Especially for a security release, there
> should be no possibility of ambiguity. We won't run out of integers.

Agreed. The value of a version number is that it uniquely identifies a release. If a release is bad, then that version should be stamped with a big *DO NOT USE*, but the version number should not be made to refer to two things. The confusion of a reused version number will vastly outstrip that of a quickly-superseded version.

--
rjbs
Re: Updates on recent Perl security releases
"Paul \"LeoNerd\" Evans" writes:
> My next steps now will be working out how to get these onto CPAN
> properly, following up with some replies to the original release
> announcements when they're all sorted, and finally a post-mortem look
> at what went wrong and some things we can do to try to avoid it in
> future.

To get these out properly, bump the minor numbers please and just
re-release.


Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptation for Waldorf microQ V2.22R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
Re: Updates on recent Perl security releases
On Mon, 27 Nov 2023 14:06:40 -0500
"Ricardo Signes" <perl.p5p@rjbs.manxome.org> wrote:

> On Mon, Nov 27, 2023, at 13:34, Andy Dougherty wrote:
> > I think Jim is exactly correct here. Especially for a security
> > release, there should be no possibility of ambiguity. We won't run
> > out of integers.
>
> Agreed. The value of a version number is that it uniquely identifies
> a release. If a release is bad, then that version should be stamped
> with a big *DO NOT USE*, but the version number should not be made to
> refer to two things. The confusion of a reused version number will
> vastly outstrip that of a quickly-superseded version.

Yes; I think you're right there. The cat is unfortunately out of the
bag now on those three releases, so it's best not to confuse things
further.

Looks like I'll have all the fun of redoing *all* the release steps
again to come up with a whole new set of 5.34.3, 5.36.3 and 5.38.2.

Prepare for much testing all round... I also may call on more
assistance in checking all the steps are done right. Especially with
that pesky Module::CoreList, ensuring it contains the right information.

--
Paul "LeoNerd" Evans

leonerd@leonerd.org.uk | https://metacpan.org/author/PEVANS
http://www.leonerd.org.uk/ | https://www.tindie.com/stores/leonerd/
Re: Updates on recent Perl security releases
On Mon, 27 Nov 2023 21:09:51 +0000
"Paul \"LeoNerd\" Evans" <leonerd@leonerd.org.uk> wrote:

> Looks like I'll have all the fun of redoing *all* the release steps
> again to come up with a whole new set of 5.34.3, 5.36.3 and 5.38.2.
>
> Prepare for much testing all round... I also may call on more
> assistance in checking all the steps are done right. Especially with
> that pesky Module::CoreList, ensuring it contains the right
> information.

I now have three possible sets of tarballs for what will become these
new releases. I've not put them on PAUSE yet because I now realise how
much of a one-shot that action actually is. They are all built from
latest code in the maint-5.$V branches in the main perl5 repo, so they
should be reproducible by anyone else. They're living on my test
server, at these URLs:

https://www.leonerd.org.uk/tmp/perl-5.34.3.tar.gz

https://www.leonerd.org.uk/tmp/perl-5.36.3.tar.gz

https://www.leonerd.org.uk/tmp/perl-5.38.2.tar.gz

Please again take note - the filenames and the builds within them do
*look* like official releases but THEY ARE NOT OFFICIAL YET. I took a
calculated risk in *not* marking these as "RC1" internally, because of
how fiddly I found it last time to swap back out of that and messed
them up because of it. If these files are found to be satisfactory,
then these exactly will be the ones that go up on PAUSE, so I don't
have to rebuild them and risk messing it up yet again.

As before - please use them for a limited amount of personal testing,
and let me know if you spot any problems, or if not. I've confirmed at
least on a few simple build options on Linux, that I can install them
just fine with e.g.

$ perlbrew install -j4 https://www.leonerd.org.uk/tmp/perl-5.34.3.tar.gz

The release date built into these claims tomorrow; Nov 29th. So I
definitely won't be uploading them today. But if these all look good by
tomorrow that's when they'll be on PAUSE. And hopefully that will be
the end to this rather long-running saga...

--
Paul "LeoNerd" Evans

leonerd@leonerd.org.uk | https://metacpan.org/author/PEVANS
http://www.leonerd.org.uk/ | https://www.tindie.com/stores/leonerd/
Re: Updates on recent Perl security releases
On Tue, Nov 28, 2023 at 03:46:38PM +0000, Paul "LeoNerd" Evans wrote:
> https://www.leonerd.org.uk/tmp/perl-5.34.3.tar.gz
>
> https://www.leonerd.org.uk/tmp/perl-5.36.3.tar.gz
>
> https://www.leonerd.org.uk/tmp/perl-5.38.2.tar.gz

Would you mind sharing xz tarballs too, please?


Thank you.

--
+-------------------------------------------+
| Marcel Telka e-mail: marcel@telka.sk |
| homepage: http://telka.sk/ |
+-------------------------------------------+
Re: Updates on recent Perl security releases
On Tue, 28 Nov 2023 17:12:15 +0100
Marcel Telka <marcel@telka.sk> wrote:

> On Tue, Nov 28, 2023 at 03:46:38PM +0000, Paul "LeoNerd" Evans wrote:
> > https://www.leonerd.org.uk/tmp/perl-5.34.3.tar.gz
> >
> > https://www.leonerd.org.uk/tmp/perl-5.36.3.tar.gz
> >
> > https://www.leonerd.org.uk/tmp/perl-5.38.2.tar.gz
>
> Would you mind to share xz tarballs too please?

Oh; yes, they're at the same places, just with different extensions:

https://www.leonerd.org.uk/tmp/perl-5.34.3.tar.xz

https://www.leonerd.org.uk/tmp/perl-5.36.3.tar.xz

https://www.leonerd.org.uk/tmp/perl-5.38.2.tar.xz

--
Paul "LeoNerd" Evans

leonerd@leonerd.org.uk | https://metacpan.org/author/PEVANS
http://www.leonerd.org.uk/ | https://www.tindie.com/stores/leonerd/
Re: Updates on recent Perl security releases
"Paul \"LeoNerd\" Evans" writes:
> https://www.leonerd.org.uk/tmp/perl-5.36.3.tar.gz

Just built without a hitch on Cygwin. Thanks!


Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptations for KORG EX-800 and Poly-800MkII V0.9:
http://Synth.Stromeko.net/Downloads.html#KorgSDada
Re: Updates on recent Perl security releases
On 11/28/23 10:46, Paul "LeoNerd" Evans wrote:
> On Mon, 27 Nov 2023 21:09:51 +0000
> "Paul \"LeoNerd\" Evans" <leonerd@leonerd.org.uk> wrote:
>
>> Looks like I'll have all the fun of redoing *all* the release steps
>> again to come up with a whole new set of 5.34.3, 5.36.3 and 5.38.2.
>>
>> Prepare for much testing all round... I also may call on more
>> assistance in checking all the steps are done right. Especially with
>> that pesky Module::CoreList, ensuring it contains the right
>> information.
>
> I now have three possible sets of tarballs for what will become these
> new releases. I've not put them on PAUSE yet because I now realise how
> much of a one-shot that action actually is. They are all built from
> latest code in the maint-5.$V branches in the main perl5 repo, so they
> should be reproducible by anyone else. They're living on my test
> server, at these URLs:
>
> https://www.leonerd.org.uk/tmp/perl-5.34.3.tar.gz
>
> https://www.leonerd.org.uk/tmp/perl-5.36.3.tar.gz
>
> https://www.leonerd.org.uk/tmp/perl-5.38.2.tar.gz

I have successfully built and tested each of these three tarballs on
FreeBSD-13 with my usual config options. Thanks.
Re: Updates on recent Perl security releases
On Tue, Nov 28, 2023 at 05:43:13PM +0000, Paul "LeoNerd" Evans wrote:
> https://www.leonerd.org.uk/tmp/perl-5.38.2.tar.xz

I ran tests for the above and all of them passed.


Thank you.

--
+-------------------------------------------+
| Marcel Telka e-mail: marcel@telka.sk |
| homepage: http://telka.sk/ |
+-------------------------------------------+
Re: Updates on recent Perl security releases
On Tue, Nov 28, 2023 at 09:26:05PM +0100, Marcel Telka wrote:
> On Tue, Nov 28, 2023 at 05:43:13PM +0000, Paul "LeoNerd" Evans wrote:
> > https://www.leonerd.org.uk/tmp/perl-5.38.2.tar.xz
>
> I ran tests for the above and all of them passed.

Just for the record: tested on OpenIndiana.

--
+-------------------------------------------+
| Marcel Telka e-mail: marcel@telka.sk |
| homepage: http://telka.sk/ |
+-------------------------------------------+