cygwin perl updated from 5.10 to 5.14
I switched perl and all its dependencies on cygwin from 5.10 to 5.14 today.
Thanks to all involved maintainers and authors!
This was my announcement mail:
perl has now been updated from 5.10.1-5 to 5.14.2-3.
Most of the dependant official cygwin perl packages containing XS code
have also been updated.
All other packages containing or referencing perl code should just
work, except ming and postgresql.
See below for updating your self-compiled XS modules.
I've got practical and conceptual problems with perl 5.16,
so 5.14 it will be stable for the time being, at least until 5.16.1
will come out.
But it looks like only 5.18 will have inherent security problems with binary
names in 5.16 fixed. I consider using 5.16 too risky. (not only on windows).
No CVE's yet.
Changes
------------
I added a new optional subpackage perl_vendor which includes all formerly
shipped vendor_perl modules, which are mainly required to build and
test and report test results of other CPAN modules. So maintaining
hundreds of cygwin perl packages is not required.
I also added a new subpackage perl_debuginfo which includes stripped
debug symbols as in fedora and cygports. They might come handy if you
want to debug into perl or perl XS modules.
The archname and some minor internals changed.
mymalloc is gone.
threads are still unstable.
cc is gcc-4.
There is a new Cygwin::sync_winenv function.
The old 5.10 and 5.8 non-arch module paths are kept in @INC, so there
is less need to update.
rebase errors still happen, but are much less common than with 5.10.
Please continue to use perlrebase on problems with self-compiled XS modules.
There's special code in the EUMM (ExtUtils::MakeMaker) installer to
re-use previous
image base addresses on cpan updated dll's. For Module::Build not.
With a full cpan re-install I usually get only 1-2 rebase problems,
which is 100 times
better than with 5.10. TIP: Try to close bigger dll hogs such the MS
Internet Explorer or
SQL Server when doing cpan updates. BTW: Also with python and ruby.
Support for Achim Gratz new rebase -O flag will be added later.
Updated packages:
----------------------------
perl
perl_vendor (new)
perl_debuginfo (new)
perl_manpages
perl-Win32-GUI
perl-libwin32
perl-Locale-gettext
perl-DBD-mysql
perl-DBI (with an outstanding security problem not yet fixed upstream)
perl-Tk
Broken = Outstanding, will be updated ASAP:
perl-ming (Volker is on holidays)
postgresql-perl (Reini was busy with other stuff)
Update recommendations from 5.10:
--------------------------------------------------
Since 5.14 is not installed in parallel to 5.10, all your old 5.10 binary XS
modules will need to be reinstalled for 5.14.
BEFORE INSTALLATION of this 5.14
# get the list of your installed 5.10 modules
$ perl -MExtUtils::Installed \
-e'print join("\n", new ExtUtils::Installed->modules)' > module.list
AFTER INSTALLATION of 5.14
# install all previous modules for 5.10 and older
$ cpan `cat module.list`
Parallel installation with 5.10:
-----------------------------------------
There are only 2 clashes for a parallel perl-5.10 and perl-5.14 installation,
/usr/bin/a2p.exe and /usr/bin/perl.exe
You can simply untar the old perl-5.10.1-5 package into -C / and
reinstall perl-5.14.
To be on the safe side use perl5.14.2 or perl5.10.1.
Using /usr/bin/perl as shebang works fine.
Call the other perl scripts in /usr/bin or your own in /usr/local/bin
with the perl "-S" flag, e.g. "perl5.10.1 -S cpan" to get the 5.10 version.
$ cd
$ tar xfj release/perl/perl-5.10.1-5.tar.bz2 -C /
or
$ tar xfj release/perl/perl-5.14.2-3.tar.bz2 -C /
There is a new postinstall script, but it only initializes ~/.cpan and ask's
for your metabase-profile to be created to be able to upload CPAN test reports
automatically. CPAN authors are very happy about those automatic installation
reports, which help in cygwin support.
New CPAN::Reporter initialization for perl_vendor (optional)
-------------------------------------------------------------------------------------
$ metabase-profile
Enter full name: John Doe
Enter email address: jdoe at example.com
Enter password/secret: zqxjkh
Writing profile to 'metabase_id.json'
$ mkdir ~/.cpanreporter
$ cp metabase_id.json ~/.cpanreporter/
$ chmod 400 ~/.cpanreporter/metabase_id.json
$ vi ~/.cpanreporter/config.ini
email_from = John Doe
transport = Metabase uri https://metabase.cpantesters.org/api/v1/
id_file ~/.cpanreporter/metabase_id.json
Known Problems:
-------------------------
threads became more unstable than with 5.10 due to some perl internal changes,
which are not yet understood, resp. only fixed lately.
Automatic rebase got much better in EUMM, and will get even better
with rebase-4.3.0 which is not yet added to the new EUMM logic. Module::Build is not yet
supported for automatic rebasing.
libtool has an artificial problem to link a static library together
with shared libs.
perl comes with Win32CORE.a as static extension. Extensions which use
libtool must patch the linker line to add /usr/lib/perl5/5.14/i686-cygwin-threads-64int/auto/Win32CORE/Win32CORE.a seperately. (Sorry Yaakov)
Working at cPanel on cperl, B::C (the perl-compiler), parrot, B::Generate, cygwin perl and more guts, keeping the system alive.
Can you say any more about the security problems you see in 5.16? Or point to where you might have already said?
More importantly, WHO did you talk to about your security concern?
perldoc perlsec
SECURITY VULNERABILITY CONTACT INFORMATION
If you believe you have found a security vulnerability in Perl, please email
perl5-security-report@perl.org with details. This points to a closed subscription, unarchived mailing list. Please only use this address for security issues in the Perl core, not for modules independently distributed on CPAN.
It's no matter for the general public. I haven't had time to write actual exploits, I only described in detail how to exploit it and what holes still exists in 5.16. There are more important things for me than to write exploits, and I haven't have time to file CVE's. I hoped that the most holes would have been fixed in the meantime. Lot of them have been fixed already. Most of the authors are cooperative.
I also had to explain the decision in public now, because people were expecting a cygwin 5.16 release from me, not 5.14.
He did talk to the right people about it, but he didn't convince them there's an actual issue.
Yeah. The security folks were a bit handicapped understanding any issue, nevertheless the authors and me fixed most issues in between. I gave up explaining the obvious twice to this group.
Seems that JSON.pm is missing now, and there is nothing to install from cygwin.
I don't want to install gcc,.... on all machines running my scripts so: Are there any plans to re-introduce the JSON module - either bundled or as an extra cygwin download?
In the meantime I reinstalled 5.10 :-(
Reini: "When you can keep your head while all those around you are losing theirs, you obviously do not understand the situation." But: This also applies in the inverse.
Your "security problem" is as real as Russell's tea set orbiting the sun out there, somewhere. We can't disprove it exists, but sane people must assume it does not.
Reini: have you gotten perlbrew to work on cygwin? With the latest install of cygwin (with perl5.14.2), trying to install perl-5.14.2 with the latest perlbrew, I get a hang after ../dist/threads-shared/t/shared_attr.t. This is on WinXP Pro 2002 SP3. BTW, thanks for your work on perl in cygwin -- I use it constantly.