Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
On Tue, 19 Sep 2017 14:44:44 +0100 Tony Vroon wrote:

> We have similar workflow issues with this, and as a consequence our
> software team has asked me to step up. I can present an at least vaguely
> maintainable ebuild on:
> https://bugs.gentoo.org/572824
>
> I am aware that some of the patches are rather large, so I will pack
> them up into an Asterisk-style patchset that is downloaded from the mirrors.
> For the avoidance of doubt, I am not proposing to remove the
> package.mask entry but I am looking to prevent package removal.

Most excellent :)

>>> www-client/phantomjs-2.1.1 merged

:D
Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
On 06/06/17 10:11, Kent Fredric wrote:

> I'm sort of hoping that we can delay at least until it becomes viable
> to use newer stuff on travis.

Good afternoon Kent,

We have similar workflow issues with this, and as a consequence our software team has asked me to step up. I can present an at least vaguely maintainable ebuild on:
https://bugs.gentoo.org/572824

I am aware that some of the patches are rather large, so I will pack them up into an Asterisk-style patchset that is downloaded from the mirrors.
For the avoidance of doubt, I am not proposing to remove the package.mask entry but I am looking to prevent package removal.

Regards,
Tony V.
Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
On Sun, 11 Jun 2017 08:38:26 +0200 Hans de Graaff wrote:

> I've updated the proposed timeframe in the mask to 90 days.

That's reasonable. Thanks :)
Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
On Tue, 2017-06-06 at 21:11 +1200, Kent Fredric wrote:

> Just 30 days to overhaul things on top of other work is a serious
> problem for anyone with time issues already.

I've updated the proposed timeframe in the mask to 90 days.

> ( I only consider my own use of this "amateur" at best right now, and
> even with such a low usage I have a hard time working out what I need
> to do to stay current, I'd hate to know what it's like for people
> relying on this in their production testing toolchain :/ )

As someone who used this in production we were already aware for some time that this was an issue. E.g. not getting updates when all other webkit packages did get updates was a clear indicator of future trouble.

Hans
Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
On Tue, 06 Jun 2017 07:28:00 +0200 Hans de Graaff wrote:

> What kind of timeframe do you propose?
>
> > 1.5 Months from "We're not working on this" to "it's dead jim, kill
> > it from orbit"
> > is a bit fast for anything entrenched.
>
> The problems were there a lot longer so for me at least it still feels
> slow. The fact that Chromium is now an alternative finally made it
> easier to mask this, but really we should have masked this months ago.
> If not for security reasons then for all the QA violations such as
> tons of bundled code.
>
> > Chromium 59 is also, similarly, quite new.
>
> It has hit stable upstream so we should see stable versions in Gentoo
> soon, I expect.

I'm sort of hoping that we can delay at least until it becomes viable to use newer stuff on travis.

That way when all the underlying ecosystem things are updated to work with chromium-headless, and it becomes viable to actually test this in a consistent way the same way on every target, the need to maintain phantomjs goes away.

But at this time, the context that matters is:

Seeing the last-riting was the *first* indication I received that any changes were being done that I needed to pay attention to.

So making sure everything is up-to-scratch on top of all the other stuff I have to do Gentoo side ( *cough* bug 613764 ) just means I haven't had any of the sort of time I need to respond to this that quickly.

I'm fine with it living in pmask as long as it's "insecure, but usable".

Just 30 days to overhaul things on top of other work is a serious problem for anyone with time issues already.

But as to how long is a reasonable time frame before tree-cleaning, I hope other responders can give a better depiction of this.

( I only consider my own use of this "amateur" at best right now, and even with such a low usage I have a hard time working out what I need to do to stay current, I'd hate to know what it's like for people relying on this in their production testing toolchain :/ )
Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
On Mon, 05-06-2017 at 13:42 -0400, Michael Orlitzky wrote:

> On 06/05/2017 07:06 AM, Kent Fredric wrote:
> > On Mon, 05 Jun 2017 09:11:27 +0200
> > Hans de Graaff wrote:
> >
> > > # Hans de Graaff (05 Jun 2017)
> > > # Bundles obsolete and vulnerable webkit version.
> > > # Upstream has stopped development and recommends using
> > > # headless mode in >=www-client/chromium-59.
> > > # Masked for removal in 30 days. Bug #589994.
> > > www-client/phantomjs
> >
> > Can phantomjs be simply masked for a longer period until the development
> > world has had an opportunity to catch up?
> >
>
> The real reason for the mask is that it bundles an ancient version of
> qtwebkit with a ton of known security vulnerabilities. Hans was
> attempting to fix it, but now that upstream is dead, it will remain
> insecure forever.
>

Also, the current stable version cannot be built with stable gcc, and the latest version also has lots of unresolved bugs (some building bugs) apart from the security issues affecting all versions
Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
On Mon, 2017-06-05 at 18:38 +0700, Vadim A. Misbakh-Soloviov wrote:

> Although, in-tree version is obsolete anyway, and upstream made few next
> releases with brain-exploding buildsystem, so I just pushed version to my
> "public sandbox" overlay, and happy with it on the projects that depends on
> phantomjs.

I have been tracking the upstream git repository for some time. It was going in the right direction by dropping all bundled code and using system qtwebkit. Unfortunately it either did not build correctly or if it did it would crash on 80% of the included test suite. Otherwise I would have added a snapshot.

Hans
Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
On Mon, 2017-06-05 at 23:06 +1200, Kent Fredric wrote:

> Can phantomjs be simply masked for a longer period until the development
> world has had an opportunity to catch up?

What kind of timeframe do you propose?

> 1.5 Months from "We're not working on this" to "it's dead jim, kill it
> from orbit"
> is a bit fast for anything entrenched.

The problems were there a lot longer so for me at least it still feels slow. The fact that Chromium is now an alternative finally made it easier to mask this, but really we should have masked this months ago. If not for security reasons then for all the QA violations such as tons of bundled code.

> Chromium 59 is also, similarly, quite new.

It has hit stable upstream so we should see stable versions in Gentoo soon, I expect.

Hans
Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
On Mon, 5 Jun 2017 13:42:50 -0400 Michael Orlitzky wrote:

> Hans was
> attempting to fix it, but now that upstream is dead, it will remain
> insecure forever.

IME, as long as that's clear from the pmask, and it's clear what those security vectors are, as long as an end user makes sure those vectors can't happen, having an insecure-in-theory-but-not-in-practice phantomjs is better than having no phantomjs.
Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
On 06/05/2017 07:06 AM, Kent Fredric wrote:

> On Mon, 05 Jun 2017 09:11:27 +0200
> Hans de Graaff wrote:
>
>> # Hans de Graaff (05 Jun 2017)
>> # Bundles obsolete and vulnerable webkit version.
>> # Upstream has stopped development and recommends using
>> # headless mode in >=www-client/chromium-59.
>> # Masked for removal in 30 days. Bug #589994.
>> www-client/phantomjs
>
> Can phantomjs be simply masked for a longer period until the development
> world has had an opportunity to catch up?
>

The real reason for the mask is that it bundles an ancient version of qtwebkit with a ton of known security vulnerabilities. Hans was attempting to fix it, but now that upstream is dead, it will remain insecure forever.
Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
> Can phantomjs be simply masked for a longer period until the development
> world has had an opportunity to catch up?

Just exactly what I thought.

Although, in-tree version is obsolete anyway, and upstream made few next releases with brain-exploding buildsystem, so I just pushed version to my "public sandbox" overlay, and happy with it on the projects that depend on phantomjs.

By the way, headless chrome, well, works a bit differently in comparison with "analogs" (including wkhtmlto{img,pdf}), so, it needs much more time than a month to get full analogs.

So, I disagree with monthly dropping in this context too (well, I disagree with the idea. As I just said, I myself am safe from being affected by it).
Re: [gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
On Mon, 05 Jun 2017 09:11:27 +0200 Hans de Graaff wrote:

> # Hans de Graaff (05 Jun 2017)
> # Bundles obsolete and vulnerable webkit version.
> # Upstream has stopped development and recommends using
> # headless mode in >=www-client/chromium-59.
> # Masked for removal in 30 days. Bug #589994.
> www-client/phantomjs

Can phantomjs be simply masked for a longer period until the development world has had an opportunity to catch up?

There's still respectable amounts of JS based testing code dependent on phantomjs and all removing this means is "people who want to do this have to work this out themselves"

1.5 Months from "We're not working on this" to "it's dead jim, kill it from orbit" is a bit fast for anything entrenched.

Chromium 59 is also, similarly, quite new.
[gentoo-dev] Last rites: www-client/phantomjs and dev-ruby/poltergeist
# Hans de Graaff (05 Jun 2017)
# Bundles obsolete and vulnerable webkit version.
# Upstream has stopped development and recommends using
# headless mode in >=www-client/chromium-59.
# Masked for removal in 30 days. Bug #589994.
www-client/phantomjs
dev-ruby/poltergeist