nirvdrum has quit [Ping timeout: 256 seconds]
Antiarc_ has joined #jruby
Antiarc has quit [Ping timeout: 258 seconds]
Antiarc has joined #jruby
Antiarc_ has quit [Ping timeout: 264 seconds]
pedran[m] has quit [Quit: killed]
walter[m] has quit [Quit: killed]
nikolaos[m] has quit [Quit: killed]
patrice[m] has quit [Quit: killed]
annette[m]1 has quit [Quit: killed]
kai[m] has quit [Quit: killed]
wau[m] has quit [Quit: killed]
alfred[m] has quit [Quit: killed]
jean[m]2 has quit [Quit: killed]
ludolf[m] has quit [Quit: killed]
RomainManni-Buca has quit [Quit: killed]
ChrisSeatonGitte has quit [Quit: killed]
OlleJonssonGitte has quit [Quit: killed]
TimGitter[m]1 has quit [Quit: killed]
UweKuboschGitter has quit [Quit: killed]
rdubya[m] has quit [Quit: killed]
olleolleolle[m] has quit [Quit: killed]
headius[m] has quit [Quit: killed]
rebelwarrior[m] has quit [Quit: killed]
MarcinMielyskiGi has quit [Quit: killed]
eregon[m] has quit [Quit: killed]
FlorianDoubletGi has quit [Quit: killed]
TimGitter[m] has quit [Quit: killed]
daveg[m] has quit [Quit: killed]
pcarlisle[m] has quit [Quit: killed]
rg[m] has quit [Quit: killed]
JesseChavezGitte has quit [Quit: killed]
xipho[m] has quit [Quit: killed]
elisabeth[m] has quit [Quit: killed]
simi[m] has quit [Quit: killed]
CharlesOliverNut has quit [Quit: killed]
chrisseaton[m] has quit [Quit: killed]
afront[m] has quit [Quit: killed]
thomas[m]4 has quit [Quit: killed]
JulesIvanicGitte has quit [Quit: killed]
aoeuiiueoa[m] has quit [Quit: killed]
newalexandria[m] has quit [Quit: killed]
fzakaria[m] has quit [Quit: killed]
christian[m] has quit [Quit: killed]
johnphillips3141 has quit [Quit: killed]
kalenp[m] has quit [Quit: killed]
XavierNoriaGitte has quit [Quit: killed]
lopex[m] has quit [Quit: killed]
alexej[m] has quit [Quit: killed]
carla[m] has quit [Quit: killed]
gisela[m] has quit [Quit: killed]
lc-thp[m] has quit [Quit: killed]
yahonda[m] has quit [Quit: killed]
kares[m] has quit [Quit: killed]
KarolBucekGitter has quit [Quit: killed]
ahorek[m] has quit [Quit: killed]
i8her8oat[m] has quit [Quit: killed]
enebo[m] has quit [Quit: killed]
liamwhiteGitter[ has quit [Quit: killed]
BlaneDabneyGitte has quit [Quit: killed]
JasonRogers[m] has quit [Quit: killed]
MattPattersonGit has quit [Quit: killed]
chrisseaton[m] has joined #jruby
ur5us has quit [Ping timeout: 244 seconds]
lopex[m] has joined #jruby
annette[m] has joined #jruby
jean[m] has joined #jruby
nikolaos[m] has joined #jruby
aoeuiiueoa[m] has joined #jruby
walter[m] has joined #jruby
ludolf[m] has joined #jruby
christian[m] has joined #jruby
alexej[m] has joined #jruby
pedran[m] has joined #jruby
newalexandria[m] has joined #jruby
gisela[m] has joined #jruby
carla[m] has joined #jruby
patrice[m] has joined #jruby
simi[m] has joined #jruby
robert[m]1 has joined #jruby
thomas[m] has joined #jruby
wau[m] has joined #jruby
alfred[m]1 has joined #jruby
kai[m] has joined #jruby
elisabeth[m] has joined #jruby
kares[m] has joined #jruby
rebelwarrior[m] has joined #jruby
olleolleolle[m] has joined #jruby
RomainManni-Buca has joined #jruby
OlleJonssonGitte has joined #jruby
headius[m] has joined #jruby
TimGitter[m] has joined #jruby
JesseChavezGitte has joined #jruby
xipho[m] has joined #jruby
KarolBucekGitter has joined #jruby
kalenp[m] has joined #jruby
BlaneDabneyGitte has joined #jruby
eregon[m] has joined #jruby
FlorianDoubletGi has joined #jruby
MarcinMielyskiGi has joined #jruby
XavierNoriaGitte has joined #jruby
pcarlisle[m] has joined #jruby
enebo[m] has joined #jruby
MattPattersonGit has joined #jruby
johnphillips3141 has joined #jruby
TimGitter[m]1 has joined #jruby
ahorek[m] has joined #jruby
rg[m] has joined #jruby
afront[m] has joined #jruby
JasonRogers[m] has joined #jruby
i8her8oat[m] has joined #jruby
liamwhiteGitter[ has joined #jruby
fzakaria[m] has joined #jruby
ChrisSeatonGitte has joined #jruby
daveg[m] has joined #jruby
lc-thp[m] has joined #jruby
CharlesOliverNut has joined #jruby
yahonda[m] has joined #jruby
JulesIvanicGitte has joined #jruby
UweKuboschGitter has joined #jruby
rdubya[m] has joined #jruby
nirvdrum has joined #jruby
robert[m]1 has quit [Quit: Idle for 30+ days]
nieve[m] has joined #jruby
nirvdrum has quit [Ping timeout: 264 seconds]
nirvdrum has joined #jruby
Antiarc has quit [Ping timeout: 240 seconds]
<headius[m]> enebo: hey so 9.2.12
<headius[m]> so there's two security-related PRs, the cherry-picked URLClassLoader workaround, and RubyGems update outstanding right now I believe
Antiarc has joined #jruby
<headius[m]> the webrick security issue is out there too but I am not sure how to proceed... CRuby's shipping webrick doesn't match any released version
<enebo[m]> yeah I saw that above
<enebo[m]> My first comment is: Does anyone use webrick in production?
<enebo[m]> Which is formed as a question but the statement part is clear :)
<headius[m]> well, that's a really good point
<headius[m]> I think that means either leaving it or just bumping all branches to 1.6.0 would both be pretty mundane changes
<enebo[m]> My long term response is once we get clarification we can do a security release if we feel we should but I do not think we are being too unsafe since I do not think anyone uses webrick over puma
<enebo[m]> We could opt to do simple workaround fixes as well but it is just propagating the original issue
<enebo[m]> but it is also an option
<enebo[m]> I did not really see all of the CVE errors other than numeric hashing and tainting / size limits of Pack
<enebo[m]> All of those are in though so I don't know which ones are not
<enebo[m]> Actually the taint one is not right?
<headius[m]> the main webrick issue was that you could embed a newline into a request and cause webrick to split the response and send something back from client
<headius[m]> something like that
<enebo[m]> from another client?
<headius[m]> something like that
<headius[m]> let me dig it up
<enebo[m]> ok
<headius[m]> and here's the ruby-lang description of the issue: https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
<enebo[m]> Thanks Aaron
<enebo[m]> well there must be a commit for this locally in MRI whether it is in the official gem or not
<headius[m]> so I guess the case would be that client A submits some content with the newline hack in it and if webrick serves that to client B it can trick B into receiving this split header
<enebo[m]> Is there even a fix in the official gem?
<headius[m]> the 1.6.0 gem differs only slightly from Ruby master's webrick
<enebo[m]> This seems as though a commit for header processing probably just keys not containing bad stuff like a newline
<enebo[m]> but no doubt the unofficial fix for this is only a few lines
<enebo[m]> we could apply it manially if it is not clean and then push on them to fix their syncing or lack thereof later so 2.3 has a real version
<enebo[m]> Is it the only remaining fix?
<headius[m]> that's all that differs from CRuby master webrick to WEBrick 1.6.0 release
<headius[m]> so my argument against just applying the relevant patches is that CRuby 2.5's webrick also differs greatly from what we ship
<enebo[m]> haha but how did they fix these in 2.5?
<headius[m]> we thought we were installing the same one but they have continued to report 1.4.2 while backporting many patches
<enebo[m]> well I guess I also wonder if it is actually fixed in 2.6
<enebo[m]> yeah I get that we have to accept both are not the same set of files
<enebo[m]> but at some level I assume both versions have something which fixed this CVE
<headius[m]> for 9.2.12 we could just copy what's in the 2.5 branch but it would be a change to how we build
<enebo[m]> 9.2.12 will use 2.5 version of 1.4.2 webrick and 9.3 will use whatever that is
<headius[m]> we build from the gems
<enebo[m]> ah yeah we could do a post process step perhaps and apply it
<headius[m]> we have not versioned our own webrick since 2018
<enebo[m]> I knew them continuing to have the same code in two repos would cause this problem
<headius[m]> of course
<headius[m]> which is part of why I don't want to fall into the same trap and have yet another webrick that doesn't match any release
<headius[m]> I had hoped they'd move quickly to fix this but nobody seems to care so far
<enebo[m]> ok procedurally apply a simple fix whatever that is means doing a but of build work which makes me think fuck it
<enebo[m]> but only because it is webrick
<headius[m]> updating the gem would be trivial, patching after installing is all new logic
<enebo[m]> If this was puma I would say we have to fix it
<enebo[m]> do either of us have commit rights to webrick? :)
<headius[m]> I probably do
<enebo[m]> I have something in ruby's org but I do not know for what
<headius[m]> I'll check the diff from 2.5.x to the webrick gems quick
<enebo[m]> If 2.6 webrick copy solves the issue we could just ship that
<enebo[m]> I mean we should verify they did not add some syntax that is 2.6-only but it is the same version after all :P
<enebo[m]> That diff you showed me did not look like it was a fix for it
<enebo[m]> Feels like the gem source must have it
<headius[m]> it's not huge
<headius[m]> the diff I showed you was the difference between ruby master and webrick 1.6.0
<headius[m]> this diff is from ruby 2.5 HEAD to webrick 1.6.0
<enebo[m]> so far some 2.7 checks and require_relative
<enebo[m]> err quite a bit more
<enebo[m]> bleh
<enebo[m]> Do you actually see that fix in that diff?
<headius[m]> no, this is not the diff for that
<headius[m]> if you want to see that I can show you from our 1.4.2 to webrick's 1.6.0, but it's big
<enebo[m]> no thanks
<headius[m]> well our 1.4.2 and webrick's 1.4.2 are the same
<headius[m]> I believe we would need to go to 1.6.0 to get all the cve fixes
<headius[m]> it's hard to tell where they are because the one I mentioned above never appears in the commit logs
<enebo[m]> webrick-jruby gem for a release? but that messes with default gems
<headius[m]> yes, can't upgrade it then
<enebo[m]> hehe but who does that
<headius[m]> for it to remain a default gem we either need to cheat in the same way CRuby does, or upgrade to 1.6.0
<enebo[m]> I am not saying we should not honor it
<enebo[m]> but it is funny
<enebo[m]> people gem updating webrick and using it in production...HAHAHA
<enebo[m]> ok that is not helpful
<headius[m]> I don't get why it's such a problem for them to leave webrick sources in webrick
<enebo[m]> yeah I really don't get it
<headius[m]> I'd vote to either leave it as is or just update to 1.6.0 for this release
<enebo[m]> Maybe the svn only guy would stop not committing to it
<enebo[m]> yeah I think 1.6.0 would tick all the boxes but potential risk
<enebo[m]> We can test webrick on 9.2 though and at least tell if it works
<headius[m]> so that diff above is from CRuby 2.5 HEAD to webrick 1.6.0
<headius[m]> the diff from us to CRuby 2.5 HEAD is extensive
<headius[m]> so I lean toward just using 1.6.0
<enebo[m]> ok lets examine that diff a little more to see if there is anything weird there
<enebo[m]> yeah I do atm as well
<chrisseaton[m]> This generally represents lack of buy-in on the idea of standard and default gems - which I think we're all supposed to be switching to at some point.
<enebo[m]> If nothing pops out we will try using it and use a little faith
<headius[m]> chrisseaton: funny that JRuby seems to be the only one doing it
<enebo[m]> chrisseaton: when this idea was originally proposed not all the Japenese hackers liked the idea of the source being thrown out into many different repos
<chrisseaton[m]> Yes TruffleRuby just copies whatever bits are in MRI
<headius[m]> enebo: I can do a 1.6.0 update PR
<enebo[m]> I think most were on board
<enebo[m]> headius: sure
<enebo[m]> I feel like any project has personalities where some times you make a compromise vs hurting their feelings
<enebo[m]> The MRI not moving fully to git is one major example
<enebo[m]> it loses support for wasm
<enebo[m]> :)
<headius[m]> they're fully git now though, so that finally happened
Antiarc has quit [Ping timeout: 258 seconds]
<enebo[m]> yeah it happened but took about 5 years over mostly a single personality objecting
<headius[m]> but they host their own canonical repo
<enebo[m]> That is an interesting line
<enebo[m]> It is not for keys but values
<headius[m]> hmmm yes
<enebo[m]> I see nothing obvious which will not work though
<enebo[m]> I see they also process body directly instead of saving to a temp file
<enebo[m]> They removed some readpartial check but the comment implies it happens still
<enebo[m]> I am not reading this so closely as much as making sure nothing from a new Ruby is needed
<enebo[m]> Mostly just looks like clean up too...like leaning on a block API
<headius[m]> yeah there's a lot of that
<headius[m]> I can confirm that 1.6.0 does resolve the security spec failures, fwiw
<enebo[m]> headius: So once ci complete we should just merge that
<headius[m]> I'm good with that
<headius[m]> there's a chance this will fail since the tests are not exactly the same as the 1.6.0 tests but I can update those manually if necessary
<headius[m]> we don't usually run stdlib tests for pure-Ruby gems
Antiarc has joined #jruby
<headius[m]> ok so the other items...
<headius[m]> this updates hash calculation for three core numeric types, incorporating a random seed
<headius[m]> that solves all of the security #hash failures
<headius[m]> I think I should make this something you can opt out of with the same option we added for predictable hashing
<enebo[m]> yeah seems fine not sure if you checked on any obvious perf issues
<headius[m]> not really, no
<headius[m]> the main overhead is getting the random seed, which we might consider making process-global instead of runtime
<headius[m]> but not in 9.2
<enebo[m]> yeah
<enebo[m]> and is this off by default?
<headius[m]> predictable hashes is off by default, yeah
<headius[m]> so I'll make that change and this PR should be good
<headius[m]> it will merge to master also
<headius[m]> this one is trivial and I'll just merge it: https://github.com/jruby/jruby/pull/6306
<enebo[m]> nice
<headius[m]> this one is maybe a bit more of a risk: https://github.com/jruby/jruby/pull/6307
<headius[m]> this is the fix for URLClassLoader closing jar files while they're still in use
<enebo[m]> oh yeah this one worried me a bit
<headius[m]> it's already merged to master and fixes https://github.com/jruby/jruby/issues/6218
<enebo[m]> yeah
<headius[m]> so it's a an active user report
<headius[m]> this is the minimal fix
<enebo[m]> This is a confirmed user problem but I am still concerned
<headius[m]> agree
<enebo[m]> could we option it on 9.1.12 and only tell them
<enebo[m]> hehe 9.2.12
<enebo[m]> toggle it as enabled on 9.3 by default
<enebo[m]> which hopefully we can determine is safe
<headius[m]> hmm perhaps, it's not an easy thing to put behind an option
<enebo[m]> hmm
<headius[m]> avoiding the call to URLClassLoader.close altogether would also fix it but would leak open temp jar files
<headius[m]> this is a compromise... it closes the temp jar files but nothing else
<headius[m]> I think we need something in 9.2.12
<enebo[m]> I am looking at this again
<enebo[m]> What happens when the same jar is requested at the same time here?
<headius[m]> URL is not an open connection, so they should be identical
<headius[m]> it's just a mapping to know what the URL is for a given file path
<headius[m]> that URL is then used to get the JarUrlConnection below and close it
<headius[m]> so basically we put the full URLClassLoader close behind an option (off by default) and only manually close the known temp jar files
<headius[m]> which happens at runtime teardown
<enebo[m]> ah ok so they will both still end up pointing to the same thing
<headius[m]> yeah
<headius[m]> it was good to know this wasn't our bug, but since it's an OpenJDK bug it will take a long time to fix, if it's ever fixed
<enebo[m]> This is not part of your PR but we write out the jar file to a temp location
<headius[m]> yes, this is only for nested jars
<enebo[m]> Your PR will not close it but ignore that for the moment
<headius[m]> any jars normally on the filesystem just go through the normal URLClassLoader logic, and now will not be closed to avoid the bug
<enebo[m]> I wonder if we have ever had issues at this point on windows
<headius[m]> could be yes
<enebo[m]> Will we unconditionally be the only source accessing that file
<enebo[m]> AHA we do have this problem
<headius[m]> it's unpacked to a tempfile so it should be unique
<enebo[m]> HAHA
<headius[m]> closing it as in the PR or before using URLClassLoader should allow it to be deleted
<enebo[m]> I forgot about this. People used to report about how our unpacked I think jffi jars would just collect endlessly in whever that temp dir is on Windows
<enebo[m]> we do nothing on Exception
<enebo[m]> anyways it is not in your PR but it stuck out
<enebo[m]> atavistic memory from maybe forgetting we had some temp jar removal problem in the past (or still) on windows if you run it millions of times
<enebo[m]> Now I am dredging up more memories....Wayne did not want a known location in case the machine was targetted and someone replaces the jar between runs
<enebo[m]> Perhaps we do always have it actually closed now and it will remove...I need to pop over to my windows box...be back in a few
<headius[m]> hmm
<headius[m]> looking at 9.2 I don't see where we close the classloader at all now
<headius[m]> aha right
<headius[m]> this is only used for embedding
<headius[m]> ScriptingContainer calls releaseClassLoader
<enebo[m]> yeah so I was just going to mention this fact
<headius[m]> because it more directly controls the lifecycle of the runtime
<enebo[m]> this will only effect embedding
<headius[m]> so this does not affect normal dist usage at all
<enebo[m]> and those users can toggle off the close/no-close if there is a problem
<enebo[m]> so we have no problems I think
<enebo[m]> It is really about the default value for them but for normal non-embedders there is no issue
<headius[m]> right... so this will basically make the no-close behavior default, but still close temp file jars
<headius[m]> so that will avoid two runtimes stepping on each other for shared jar file references
<enebo[m]> but we will be changing the default for .12?
<headius[m]> enabling the close will return it to previous behavior of closing everything
<enebo[m]> We could not change it and then tell them it will be on default for 9.3 and use this option to not close
<headius[m]> well for .12 it would close everything, which breaks multiple embedded runtimes
<headius[m]> I mean for .11 that's what it does, we're still deciding .12
<headius[m]> the change in .12 would be that it does not close jar files that are likely shared across embedded runtimes, avoiding the bug
<headius[m]> if we merge this
<enebo[m]> yeah we are talking about flipping a switch for one point release vs providing the switch (which is fine)
<enebo[m]> 2 users I hope are not all embedding users but perhaps they all have noticed this
<headius[m]> are you saying we should have it on for 12 to reduce behavior change then?
<headius[m]> on = close like in 11, which would hit the bug
<enebo[m]> we should do what .11 and earlier does but let the users who have the issue know they can fix it by making it not close option
<headius[m]> but with option to turn off to avoid the bug
<headius[m]> so we add option but leave default as .11
<headius[m]> right ok
<headius[m]> I'm fine with that
<enebo[m]> we will tell them it will do this by default in 9.3
<headius[m]> right
<enebo[m]> So it is a workaround for 9.2.12
<enebo[m]> ok
<headius[m]> yes
<enebo[m]> Honestly all the folks are probably not affected but I am leery. I assume emebdders are two cases: 1) lots of ruby runtime evals 2) a single one which maybe jrebels or something some times
<enebo[m]> for 2 probably not evne that
<enebo[m]> s/not/now
<enebo[m]> our reporters are #1 right?
<headius[m]> it would only affect people that are churning through and tearing down embed runtimes
<headius[m]> yeah the reporter is in that group
<headius[m]> they use and throw away runtimes enough that they triggered this
<enebo[m]> so default for #2 will not be noticed but for #1 it seems only some of those people ever notice?
<enebo[m]> Maybe a lot of people just do not do full isolation and use pools of runtimes
<headius[m]> well the reporter actually said they worked around it somehow but it's fairly hard to trigger
<headius[m]> his test case burns through thousands of runtimes very fast and only fails about 50% of the time
<enebo[m]> heh ok well we have a solution for .12
<enebo[m]> and a carrot for 9.3 I guess
<headius[m]> ok
<headius[m]> updating issues
<headius[m]> webrick PR appears to be fine in CI
<headius[m]> so the remaining item is from kares update of RubyGems but that's still in flux
<headius[m]> and it occurs to me now... if someone's running into the issues he wants to fix, they can still update rubygems in JRuby
<headius[m]> so maybe we punt on that after all
<enebo[m]> assume default gems work properly yeah
<headius[m]> kares: I don't suppose you're around right now but maybe you could explain why you think we need to ship updated RG rather than just letting users update
<enebo[m]> I would prefer that to the risk of shipping it without any bake
<headius[m]> RG isn't a default gem, the updater actually overwrites stdlib
<headius[m]> Ruby installers may even be doing this already as part of the install process
<enebo[m]> system-update thing? I guess it is a chicken-egg thing?
<headius[m]> yeah `gem update --system`
<enebo[m]> yeah I forgot about rg being special (which makes sense)
<headius[m]> so let's defer on that for another day and see what kares has to say
<headius[m]> I don't like updating under duress and I like shipping a patched RG even less
<enebo[m]> yeah kares speak up by my time tomorrow morning (I am 7 hours behind you) if it is something important otherwise I will test bits in the morning and hopefully just get it out
<headius[m]> I will proceed to merge in the security fixes, webrick 1.6.0, and URLClassLoader fix with .11 behavior
<headius[m]> ahh, and put the random seed behind the same option
<headius[m]> ok I see the option actually changes how the random seed is acquired so that part's done
<headius[m]> when it's off it uses static values
<headius[m]> it will still use the new hash calculation logic, which might improve distributione
<chrisseaton[m]> Why did all those people just leave?
<headius[m]> IRC bridge may have gone down
<chrisseaton[m]> They must really not like hash calculation logic
<headius[m]> or that
den_d has quit [Ping timeout: 256 seconds]
Iambchop has quit [Read error: Connection reset by peer]
Iambchop has joined #jruby
den_d has joined #jruby
travis-ci has joined #jruby
<travis-ci> jruby/jruby (jruby-9.2:3b4766d by Charles Oliver Nutter): The build passed. https://travis-ci.org/jruby/jruby/builds/703682147 [176 min 20 sec]
travis-ci has left #jruby [#jruby]
ur5us has joined #jruby
nirvdrum has quit [Ping timeout: 246 seconds]
<headius[m]> enebo: everything of mine is merged and 9.2 is merged to master (with URLClassLoader close turned OFF)
<headius[m]> I also removed the defunct mac build from azure so that should stop showing up as a failure on 9.2 branch
<headius[m]> we still have windows builds running there but probably should consider dropping azure
travis-ci has joined #jruby
travis-ci has left #jruby [#jruby]
<travis-ci> jruby/jruby (master:d15e24b by Charles Oliver Nutter): The build was broken. https://travis-ci.org/jruby/jruby/builds/703698225 [197 min 5 sec]
travis-ci has joined #jruby
<travis-ci> jruby/jruby (master:01e8efe by Charles Oliver Nutter): The build is still failing. https://travis-ci.org/jruby/jruby/builds/703715891 [196 min 40 sec]
travis-ci has left #jruby [#jruby]
<headius[m]> hmm
<headius[m]> bleh, sonatype error
ur5us has quit [Ping timeout: 244 seconds]
ur5us has joined #jruby