Support for Perl 5.8.x is now deprecated!


Sebastian Riedel

May 3, 2011, 8:16:11 AM
to mojol...@googlegroups.com
We've finally reached the point where supporting Perl 5.8.x has become more of a risk than a useful feature.
Mojolicious depends a lot on regular expressions, and sadly it is far too easy to get the old regex engine (pre 5.10) to segfault, which in turn opens the door for extremely effective denial of service attacks.

And therefore we've now officially deprecated support for Perl 5.8.x in Mojolicious.

https://github.com/kraih/mojo/commit/51145e47b26f15998f199050655c65a7fac888b1

--
Sebastian Riedel
http://mojolicio.us
http://twitter.com/kraih
http://blog.kraih.com


jay m

May 3, 2011, 9:52:27 AM
to Mojolicious
i remember that this has been discussed before, but...

this is a pretty big deal for some of us (maybe most of us?) who are
running a lot of sites in "standard" production hosting environments
on centos 5.5/5.6 (or whatever) that have perl 5.8.8.

my servers are already packed full of CGI::Application (or worse)
legacy apps that are chugging along just fine on 5.8.8, and i don't
want to risk regressing them by upgrading my whole perl environment.
so this means that if i want to keep supporting Mojolicious in the
future, i'll need separate-but-equal production AND development
environments... unless someone can convince me that upgrading from
distro-supplied 5.8.8 to cpan-supplied 5.10 would be completely
regression-free (ha!)

frankly, before the advent of virtualization running separate
environments just to support Mojolicious would have been out of the
question. these days i'll "only" need some new Xen guests and some
more memory (hello Crucial? it's me again...) and disk space and
sysadmin setup time and the ongoing sysadmin cost of monitoring and
maintaining these environments.

one of the selling points for getting people started with perl (and
probably mojolicious) is "you already have perl". to a fairly large
extent, you're giving that up when you require 5.10 (yes, i know
ubuntu has 5.10, i have that on my desktop, but not on my servers)

jay

Ben van Staveren

May 3, 2011, 10:00:05 AM
to mojol...@googlegroups.com
You can do a 5.8/distro to 5.10/cpan release just fine, as far as I remember
there isn't much regression in there. One way or the other it's going to cost
you sysadmin time; either to do the upgrade and fix any regressions in old
code, or to set up a new VM for 5.10.

Or, of course, the option of not upgrading, at which point you doom things to
remain "legacy" forever. In my opinion that is :)

--
Ben van Staveren
phone: +62 81 70777529
email: benvans...@gmail.com

Jason Dixon

May 3, 2011, 10:01:52 AM
to mojol...@googlegroups.com
Or use perlbrew.

-J.


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/

Ben van Staveren

May 3, 2011, 10:04:39 AM
to mojol...@googlegroups.com
Good point! Forgot about that altogether..

Pedro Melo

May 3, 2011, 10:08:30 AM
to mojol...@googlegroups.com
Hi,

On Tue, May 3, 2011 at 3:01 PM, Jason Dixon <ja...@dixongroup.net> wrote:
> Or use perlbrew.

+1.

My recommendation is always to use a different UNIX uid per app, each
one with its own perlbrew-powered perl installation.

Strong recommendation.

Bye,
--
Pedro Melo
http://www.simplicidade.org/
xmpp:me...@simplicidade.org
mailto:me...@simplicidade.org

Abhijit Menon-Sen

May 3, 2011, 10:13:12 AM
to mojol...@googlegroups.com
At 2011-05-03 06:52:27 -0700, purple...@gmail.com wrote:
>
> this is a pretty big deal for some of us (maybe most of us?) who are
> running a lot of sites in "standard" production hosting environments
> on centos 5.5/5.6 (or whatever) that have perl 5.8.8.

If it's absolutely necessary for you to deploy the latest Mojolicious
features to an ancient environment, you can keep a private branch of
Mojolicious started just before the 5.8.x deprecation, and cherry-pick
only those new patches that you want. As time passes, you will need to
do more and more fixups to eliminate 5.10.x features, but that's just in
the nature of what you're asking for. *Someone* has to do the work.

Either it's you, or it's the Mojolicious developers. The latter have to
draw a line somewhere in order to make progress, and no matter where the
line is actually drawn, someone will probably be inconvenienced.

I don't mean to sound unsympathetic or to trivialise your concerns, by
the way. I have also had to maintain branches of some software for use
on older unsupported platforms, and it was a pain. The point I'm trying
to make is that supporting old (obsolete, really) platforms is a lot of
work, and the more time passes, the less likely it is that other people
will care as much about it as you do or do the work for you.

-- ams

Roland Lammel

May 3, 2011, 1:44:28 PM
to mojol...@googlegroups.com

Or consider using staticperl to deploy a precompiled perl binary with all required libs compiled in. Or make a real application binary for deployment on your server.

All you need is one dev/build server that will have staticperl installed. There you can build and package these binaries to rpm. Just requires some of your sysadmin time. Btw. I'm facing a very similar problem with CentOS 5...

+rl

Roland Lammel
Sent from an Android mobile.

jay m

May 3, 2011, 3:08:33 PM
to Mojolicious

ancient? obsolete? i guess that depends on your point of view.

centos 5.6 came out less than a month ago, and it's the latest RHEL-
like os supported by popular hosting solutions including linode,
slicehost, rackspace cloud servers, etc.

i appreciate the concerns of the developers. this ain't my first
rodeo. i know they need to draw the line somewhere, but i'd opt for
drawing it somewhere that doesn't exclude a big chunk of today's
current, popular, standard environments.

jay

On May 3, 10:13 am, Abhijit Menon-Sen <a...@toroid.org> wrote:

> If it's absolutely necessary for you to deploy the latest Mojolicious
> features to an ancient environment...

[snip...]

Jason Dixon

May 3, 2011, 3:18:29 PM
to mojol...@googlegroups.com
Stop beating a dead horse. If you read sri's original announcement you'd
understand this has nothing to do with *inconveniencing* users. Stop
bitching and use something like perlbrew already.

-J.

On Tue, May 03, 2011 at 12:08:33PM -0700, jay m wrote:
>
> ancient? obsolete? i guess that depends on your point of view.
>
> centos 5.6 came out less than a month ago, and it's the latest RHEL-
> like os supported by popular hosting solutions including linode,
> slicehost, rackspace cloud servers, etc.
>
> i appreciate the concerns of the developers. this ain't my first
> rodeo. i know they need to draw the line somewhere, but i'd opt for
> drawing it somewhere that doesn't exclude a big chunk of today's
> current, popular, standard environments.
>
> jay
>

> On May 3, 10:13 am, Abhijit Menon-Sen <a...@toroid.org> wrote:
>
> > If it's absolutely necessary for you to deploy the latest Mojolicious
> > features to an ancient environment...
>
> [snip...]
>
> > The point I'm trying to make is that supporting old (obsolete, really) platforms is a lot of work,
>


sri

May 3, 2011, 4:07:07 PM
to Mojolicious
Maybe i need to post some more details to show you that we are really
not doing this just for fun.
Take this oneliner for example, deep recursion in the regular
expression will cause a segfault, depending on the length of the input
string. (A similar regex happens to be in Mojo::JSON for example)

perl5.8.9 -e'("a" x 15000) =~ /(((\w|\w(?:\d)))*)/ and print $1'

These values are small enough to fit into HTTP headers, get through
most common web servers and reach just about any regular expression in
Mojolicious.
A small mistake and you are handing your users a remote kill switch
for your application.

Perl 5.8 is no longer supported by the community, RedHat will keep it
compiling on their platform but nothing more, these bugs will never
get fixed in the 5.8 family.
(http://rt.perl.org/rt3//Public/Bug/Display.html?id=49956)

Therefore Perl 5.8 needs to die and we have to move on.

--
sebastian
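
A deployment self-check for the crash described in this message, as an added example that is not part of the original post or of Mojolicious: it runs the post's pattern in a forked child so a crash cannot take down the caller, and pairs it with a length cap applied before matching. The 8192-character cap and the names `probe_regex_engine` and `header_value_allowed` are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();

$| = 1;    # flush output before forking so the child inherits no buffered text

# Match the post's pattern against "a" x $len in a forked child, so a crash
# in the regex engine kills only the child. Returns 'ok', 'crashed' or 'unknown'.
sub probe_regex_engine {
    my ($len) = @_;
    my $pid = fork();
    return 'unknown' unless defined $pid;      # fork failed
    if ($pid == 0) {
        my $matched = ("a" x $len) =~ /(((\w|\w(?:\d)))*)/;
        POSIX::_exit($matched ? 0 : 1);        # skip END blocks in the child
    }
    waitpid($pid, 0);
    return ($? & 127) ? 'crashed' : 'ok';      # low 7 bits: terminating signal
}

# Hypothetical guard: refuse over-long values before any regex sees them.
sub header_value_allowed {
    my ($value, $max_len) = @_;
    return (defined $value && length($value) <= $max_len) ? 1 : 0;
}

my $MAX_HEADER_LEN = 8192;    # assumed cap, validated by the probe below
my $old_engine     = $] < 5.010 ? 'yes' : 'no';
printf "perl %vd, pre-5.10 regex engine: %s\n", $^V, $old_engine;

# 15000 is the length used in the post; the cap itself is probed as well.
for my $len (15000, $MAX_HEADER_LEN) {
    my $result = probe_regex_engine($len);
    printf "probe with %5d chars: %s\n", $len, $result;
    warn "regex engine crashed at $len chars: upgrade perl or lower the cap\n"
        if $result eq 'crashed';
}

# Constructed sample header values.
for my $value ("text/html", "a" x 15000) {
    printf "%5d chars -> %s\n", length($value),
        header_value_allowed($value, $MAX_HEADER_LEN) ? 'accept' : 'reject';
}
```

A passing probe covers only this one pattern on this one build; other patterns may recurse deeper for the same input length.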

Yuki Kimoto

May 4, 2011, 2:50:07 AM
to mojol...@googlegroups.com
sri

Are you going to use new features, for example the // operator, in the
next major release, or will you try not to use those features so that
Mojolicious still works on 5.8.x at the user's own responsibility?

I think it is good for Mojolicious newbies to be able to try Mojolicious
on the many rental servers with perl 5.8.x.
One great feature of Mojolicious is that it is easy to install.
If you use new features, the chance that many people will use Mojolicious
will be lost.



Sebastian Riedel

May 4, 2011, 5:22:31 AM
to mojol...@googlegroups.com
Not during the deprecation period, which can take quite some time.

sri

May 7, 2011, 6:22:51 AM
to Mojolicious
Just to make it absolutely clear, i have no intention to give other
Perl web frameworks a competitive advantage.
We will keep Mojolicious "working" on Perl 5.8.x as long as we have
to, but there will be serious warnings because it puts your
applications at risk.

https://github.com/kraih/mojo/blob/master/lib/Mojo/Base.pm#L9

--
sebastian

sri

May 8, 2011, 12:51:34 PM
to Mojolicious
It sadly looks like the deprecation of Perl 5.8 support itself has now
become a competitive disadvantage, therefore we are reverting it in
Mojolicious 1.31.

https://github.com/kraih/mojo/commit/47c4a95d91569fb9b32c8dc54cde8d8bb757f504

See also the FAQ entry for more details.

http://mojolicio.us/perldoc?Mojolicious/Guides/FAQ#Why_is_using_Perl_52E82Ex_such_a_bad_idea3F

--
sebastian