If the gems in question have updates available via RubyGems, I would
recommend that the major versions on these be bumped so that restrictions
can be handled better for applications. I _never_ hard-drop a Ruby version
without changing the major on any of the gems that I support.

-a

On Thu, Oct 17, 2019 at 11:52 AM <merch-redmine / jeremyevans.net> wrote:

> Issue #16131 has been updated by jeremyevans0 (Jeremy Evans).
>
>
> The blocker on merging the pull request is that test-bundled-gems is
> failing due to the `rake` test failure.
> https://github.com/ruby/rake/pull/329 needs to be merged (and I don't
> have permissions to merge it), and a new rake released and bundled with
> Ruby.
>
> I checked and Bundler and Rubygems are the only libraries affected that
> use external upstreams.  All other affected libraries (default gems) are
> under the ruby organization on GitHub.  We need to decide how we want to
> handle these:
>
> Default gems without extensions
>
> ```
> fileutils
> irb
> reline
> rexml
> rss
> webrick
> ```
>
> Default gems with extensions:
>
> ```
> bigdecimal
> date
> dbm
> etc
> fiddle
> gdbm
> io-console
> openssl
> psych
> stringio
> strscan
> zlib
> ```
>
> Are we OK with just removing the calls to taint/untaint?  I'm not sure,
> but I believe that may cause issues when using previous versions of Ruby.
> The simplest fix here is to set the required ruby version in the related
> gemspecs to 2.6.99 to allow 2.7.0 preview/beta versions and above to work.
> That will mean older versions of Ruby cannot install newer versions of the
> gems. Is that acceptable?
>
> ----------------------------------------
> Feature #16131: Remove $SAFE, taint and trust
> https://bugs.ruby-lang.org/issues/16131#change-82110
>
> * Author: naruse (Yui NARUSE)
> * Status: Open
> * Priority: Normal
> * Assignee:
> * Target version:
> ----------------------------------------
> Ruby had Taint checking which is originally introduced in Perl.
> https://en.wikipedia.org/wiki/Taint_checking
>
> It was intended to provide a useful tool for handle objects which are come
> from outside.
> Input data is set as tainted by default and call untaint if you checked or
> filtered the value.
> Some people used this feature in the age of CGI.
>
> But these days, no one use the mechanism and input libraries usually
> doesn't support it.
> For example rack, as following shows its input is not tainted and the
> mechanism is unusable.
>
> ```
> % cat foo.ru
> run ->(env) do
>   ['200', {'Content-Type' => 'text/plain'}, ["Is QUERY_STRING tainted?:
> #{env["QUERY_STRING"].tainted?}"]]
> end
> % rackup foo.ru
> [51724] Puma starting in cluster mode...
> [51724] * Version 3.12.1 (ruby 2.6.3-p62), codename: Llamas in Pajamas
> [51724] * Min threads: 3, max threads: 3
> [51724] * Environment: development
> [51724] * Process workers: 1
> [51724] * Preloading application
> [51724] * Listening on tcp://localhost:9292
> [51724] Use Ctrl-C to stop
> [51737] + Gemfile in context: /Users/naruse/work/td-cdp-api/Gemfile
> [51724] - Worker 0 (pid: 51737) booted, phase: 0
> ```
>
> ```
> % curl http://localhost:9292/\?foo=1
> Is QUERY_STRING tainted?: false
> ```
>
> Therefore I think Taint checking mechanism is unusable on the current Ruby
> ecosystem.
>
> On the other hand we experienced multiple vulnerability around $SAFE and
> taint mechanism.
>
> https://cse.google.com/cse?q=taint&cx=008288045305770251182%3Afvruzsaknew&ie=UTF-8
> The cost of maintaining it is expensive.
>
> In conclusion, I think the taint mechanism is too expensive to maintain
> for the merit of it.
> I suggest to remove it.
>
>
>
> --
> https://bugs.ruby-lang.org/
>
> Unsubscribe: <mailto:ruby-core-request / ruby-lang.org?subject=unsubscribe>
> <http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>
>


-- 
Austin Ziegler  halostatue / gmail.com  austin / halostatue.ca
http://www.halostatue.ca/  http://twitter.com/halostatue
(supressed text/html)
Unsubscribe: <mailto:ruby-core-request / ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>