GNU bug report logs - #56302
[PATCH] gnu: ruby: Update to 2.7.6 [security fixes].

Previous Next

Package: guix-patches;

Reported by: Remco van 't Veer <remco <at> remworks.net>

Date: Wed, 29 Jun 2022 15:56:02 UTC

Severity: normal

Tags: patch

Done: Marius Bakke <marius <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

Message #40 received at 56302 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <marius <at> gnu.org>
To: Maxime Devos <maximedevos <at> telenet.be>, Remco van 't Veer
 <remco <at> remworks.net>, 56302 <at> debbugs.gnu.org
Subject: Re: [bug#56302] [PATCH] gnu: ruby: Update to 2.7.6 [security fixes].
Date: Mon, 29 Aug 2022 16:51:47 +0200

[Message part 1 (text/plain, inline)]
Maxime Devos <maximedevos <at> telenet.be> skriver:

> Maxime Devos schreef op wo 29-06-2022 om 20:29 [+0200]:
>> Remco van 't Veer schreef op wo 29-06-2022 om 17:55 [+0200]:
>> > +        
>> "042xrdk7hsv4072bayz3f8ffqh61i8zlhvck10nfshllq063n877"))))
>> 
>> This matches with a local
>> 
>> $ guix download
>> https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.6.tar.gz’
>> 
>> and with all the hashes from
>> <https://www.ruby-lang.org/en/news/2022/04/12/ruby-2-7-6-released/>.
>> 
>> I'll try diffing (*) it with the old tarball for ‘suspiciousness’
>> (e.g.: obvious malware, new bundling, ???).
>
> When scrolling through the diff, nothing looked ‘suspect’ at first
> glance.  However, I did notice something else: some parts are not 
> under the Ruby License, but under 2-clause BSD:
>
> │ ├── +++ ruby-2.7.4/gems/xmlrpc-0.3.0/LICENSE.txt
> │ │┄ Files 26% similar despite different names
> │ │ @@ -1,13 +1,10 @@
> │ │ -test-unit is copyrighted free software by Kouhei Sutou
> │ │ -<kou <at> cozmixng.org>, Ryan Davis <ryand-ruby <at> zenspider.com>
> │ │ -and Nathaniel Talbott <nathaniel <at> talbott.ws>.
> │ │ -
> │ │ -You can redistribute it and/or modify it under either the terms of
> the GPL
> │ │ -version 2 (see the file GPL), or the conditions below:
> │ │ +Ruby is copyrighted free software by Yukihiro Matsumoto
> <matz <at> netlab.jp>.
> │ │ +You can redistribute it and/or modify it under either the terms of
> the
> │ │ +2-clause BSDL (see the file BSDL), or the conditions below:
>
> so it maybe be good to add ‘2-clause BSDL’ to the license field as well
> (though given that it's an old issue, bringing the new version of ruby
> in Guix has priority).

It would be good to do a proper license audit of the bundled gems in
Ruby.  I see the previous version was not the Ruby license either, but
GPL, and it's not listed among the licenses.

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 2 years and 268 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.