Urabe Shyouhei wrote:
> Igal Koshevoy wrote:
>   
>> For the sake of protecting Ruby's good image, I believe it's necessary
>> to ship an *official* version that's compatible and addresses these
>> vulnerabilities as soon as possible. After that's shipped, resolving
>> the matter with the API changes in the current code will likely be a
>> priority. If there's anything that we in the Ruby community can help
>> you with, please ask. :)
>>     
>
> Yes.  Please write a patch :)
>   
I'll try to help with the Ruby patches, but I don't know C well enough 
to offer assistance.

>  I know you all need a stable Ruby, rather than a beautifully working Ruby.
I love Ruby because it's beautiful. But the people that pay me don't 
care about beauty, only stability. :/

> But honestly I'm doubtful about the urgency of the current situation.  If things
> are that dangerous someone might be writing patches, like some people
> did for p230.  I think p230 was dangerous enough.  But now that fixes
> are made, it seems it's less urgent.
Please release an official fix and soon. The urgency is that it's now 
been 9 days and there's no official solution to the vulnerabilities 
reported and the segmentation faults in p230.

Ruby users' options for resolving this currently are very problematic. 
They must scour websites and mailing lists for patches, and 
personally decide which of these complex unofficial patches to use, 
which is far beyond most people's ability. Meanwhile, many OS vendors 
have lost patience and are now beginning to ship patched versions, but 
they're also making guesses about how to patch this.

The Ruby community and distros are waiting for an *official* release 
that provides a solution to these problems.

Although p238 breaks some things, it's better than the 
officially-released p230 version. This p238 may be worth releasing 
because it addresses the immediate problems with that failed release and 
passes the Rails and RSpec test suites just as well as the Ubuntu 
patched p111 version that I was comparing it to. But please note that I 
can't evaluate the C code, so I'm entirely depending on your judgment 
about whether it's ready.

Depending on how long it takes to address the compatibility issues 
uncovered by RubySpec, it may make sense to ship p238 now and ship 
another release with the compatibility fixes as soon as they're ready.

-igal