Bug 253276

Summary: dev-lang/ruby bundles a copy of syck
Product: Gentoo Linux
Reporter: Diego Elio Pettenò (RETIRED) <flameeyes>
Component: New packages
Assignee: Gentoo Ruby Team <ruby>
Severity: normal
CC: esigra
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 251464

Description Diego Elio Pettenò (RETIRED) gentoo-dev 2008-12-31 17:55:43 UTC
When dev-libs/syck is installed, dev-lang/ruby will build the YAML parser based on syck as /usr/lib/ruby/1.8/i686-linux/ .

The bad part is that the extension does not link against it dynamically but instead statically (and thus will require an explicit rebuild after a security issue).

Not only should we look for a way to link to the shared object, but it should also be tied to a USE flag, or always be depended upon, since automagic is bad.
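One way to audit an installed extension for exactly the problem described above (syck code compiled into the Ruby extension versus a DT_NEEDED dependency on libsyck), as an added example that is not part of this bug report or of the ruby ebuild: it parses the text output of `readelf -d` and `nm -D` from binutils, and the sample tool output below is constructed, not captured from a real build.

```python
import re
import subprocess
import sys

NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")
# nm -D prints "<addr> <type> <name>"; undefined symbols have a blank address.
SYMBOL_RE = re.compile(r"^\s*(?:[0-9a-fA-F]+\s+)?([A-Za-z])\s+(\S+)\s*$")

# Constructed sample tool output for an extension with syck compiled in (not real).
SAMPLE_READELF = """\
Dynamic section at offset 0x1de28 contains 24 entries:
 0x0000000000000001 (NEEDED)             Shared library: [libruby18.so.1.8]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
"""
SAMPLE_NM = """\
0000000000005a40 T syck_parse
0000000000006120 T syck_new_parser
                 U malloc@GLIBC_2.2.5
                 U rb_define_module
"""

def needed_libraries(readelf_dynamic):
    """DT_NEEDED entries listed in `readelf -d` output."""
    return NEEDED_RE.findall(readelf_dynamic)

def syck_symbols(nm_dynamic):
    """syck_* symbols from `nm -D` output, split into defined and undefined."""
    found = {"defined": [], "undefined": []}
    for line in nm_dynamic.splitlines():
        m = SYMBOL_RE.match(line)
        if m and m.group(2).startswith("syck_"):
            found["undefined" if m.group(1) == "U" else "defined"].append(m.group(2))
    return found

def classify_syck_linkage(readelf_dynamic, nm_dynamic):
    """'dynamic': syck comes from a shared object, so fixing libsyck fixes the extension.
    'bundled': syck code is inside the extension, which must be rebuilt as well."""
    if any(lib.startswith("libsyck.so") for lib in needed_libraries(readelf_dynamic)):
        return "dynamic"
    syms = syck_symbols(nm_dynamic)
    if syms["defined"]:
        return "bundled"
    return "dynamic" if syms["undefined"] else "none"

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) == 2 else None  # a real extension .so, or sample data
    tool = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    rd = tool("readelf", "-d", path) if path else SAMPLE_READELF
    nm = tool("nm", "-D", path) if path else SAMPLE_NM
    print(classify_syck_linkage(rd, nm))  # sample data -> bundled
```

Pass the path of the installed extension's shared object as the only argument to inspect a real file; with no argument it classifies the constructed sample.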
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2008-12-31 17:58:01 UTC
No, silly me, no automagic dep; it just couldn't hit on my system since syck is not installed.

Still bad.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-01-16 21:45:03 UTC
Upstream has planned to remove syck in the future and replace it with another yaml library as the original maintainer (why) has vanished.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-02-18 16:28:41 UTC
From: Aaron Patterson <>
Subject: [ruby-core:28215] Removing Syck from ruby
Date: Thu, 18 Feb 2010 16:22:06 +0900

I would like to move my replacement (Psych[1]) in to ruby's svn so that
people can start migrating to the new API.

Psych has a *mostly* compatible API with Syck.  Since Psych uses
libyaml, that means it follows the YAML spec more closely than Syck
does.  This means that switching from Syck to Psych /will/ break things.

I would like to remove Syck from ruby, and release it as a gem that I
will maintain.  That way people depending on the legacy behaviors of
Syck will not be let down, though they will be highly encouraged to
Comment 4 Hans de Graaff gentoo-dev Security 2012-04-30 06:29:58 UTC
Ruby 1.9 uses psych (and thus libyaml), but we still have this situation for ruby 1.8, and I'm pretty sure upstream is not going to make these changes.
Comment 5 Vít Ondruch 2012-11-17 18:19:13 UTC
I am afraid that you will have similar issues with Ruby 2.0 soon:
Comment 6 Hans de Graaff gentoo-dev Security 2015-07-07 06:59:50 UTC
All versions of ruby that use syck for YAML support have been removed from the tree.