Mail Archives: cygwin/2023/10/13/05:16:19

Date: Fri, 13 Oct 2023 10:15:21 +0100
To: Eric Hendrickson <ericdavidhendrickson AT gmail DOT com>
Subject: Re: Ruby EOL in Cygwin 3.4.9?
Message-ID: <20231013091521.lgar5ry6rbxqhtxe@lucy.dinwoodie.org>
In-Reply-To: <CH0P223MB0316CF982B3E50079E19B363F8D3A@CH0P223MB0316.NAMP223.PROD.OUTLOOK.COM>
From: Adam Dinwoodie via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Adam Dinwoodie <adam AT dinwoodie DOT org>
Cc: "Hendrickson, Eric D" <edh AT optum DOT com>, cygwin AT cygwin DOT com

On Thu, 12 Oct 2023, 22:46 Eric Hendrickson wrote:
> The comparison to Debian Stable - I hear you but I don’t think that is a
> fair comparison. Debian Stable is not shipping EOL packages at the time it
> was released.

To pick a fairly high-profile example, Debian Bullseye was released as
Debian Stable on 14 August 2021.  It included Python 2.7, which by that
time had been EOL for more than 18 months, with the EOL date having been
announced over seven years earlier.

https://www.debian.org/releases/bullseye/
https://packages.debian.org/bullseye/python2
https://peps.python.org/pep-0373/

More generally, lots of OSS projects don't provide support for anything
other than their most recent release, and Debian Stable includes lots of
that software at releases other than the most recent release.  If Debian
had the policy you're asserting it has, the concept of Debian Stable
would be impossible.

> And your point about the effort involved and no known bugs is well taken
> of course, but Cygwin is still distributing EOL software.  This is why I
> asked, would it make sense to just not release new non-emergency versions
> of Cygwin with EOL packages, until that can be remedied.

Here, the comparison with Debian Stable *is* unhelpful.  The concept of
"versions of Cygwin" that you're using doesn't make sense: unlike
Debian, Cygwin doesn't have an overarching version scheme.  There's no
such thing as "a version of Cygwin" that we could stop releasing because
of problems with a particular package.

We could implement a block on releasing any packages while one package
has a problem.  That seems like a terrible idea to me; I'd be happy to
discuss it -- I might be wrong! -- but I'm much more interested in
having that discussion with people who have been actively contributing
to Cygwin for some time, as they're the folk who are most likely to
understand what the advantages and disadvantages might be, and who I
trust to be willing to provide practical contributions towards the
additional work they're proposing.  At the very least, I'd want that
discussion to be based on something more significant than a nebulous
concept of the project's reputation.

> Security scans are only increasing in scrutiny and frequency - this came
> to my attention because in my environment we are running Cygwin 3.1.6 -
> which admittedly is 3+ years old - and the version of Ruby packaged in it
> got identified in a security scan as EOL.
>
> My first thought was to update the internal Cygwin package to the latest,
> but I checked and that too is provisioned with an EOL version of Ruby
> (2.6.4).

What do you mean by "provisioned"? What do you mean by "the Cygwin
package"?

If you download the Cygwin installer from the Cygwin website, and ask it
to install Ruby, it will install 3.2.2. You *can* install 2.6.4, but
you'd have to deliberately select that version.

If you are seeing the Cygwin installer trying to install Ruby 2.6.4 by
default, that sounds like an installer bug.  If that's what's happening,
please give us a useful bug report so we can work out what's going
wrong.

However, if your concern is merely that it's *possible* to install EOL
software, I don't think that concern will be widely shared.  If someone
wants to install old software, or configure an SSH server with a root
password of "password1", or otherwise go out of their way to do
something that's not ideal from a security perspective, I don't think we
have a responsibility to stop them.

You might have better luck petitioning the Ruby project to remove the
download links for out-of-support software from their releases page,
which offers versions of Ruby that have been out of support for over a
decade.

https://www.ruby-lang.org/en/downloads/releases/

Thankfully, as you say, security scans are only increasing in frequency
and scrutiny, and they are evidently capable of catching scenarios where
someone has deliberately installed out-of-date software.

> Anyway, just wanted to bring this to your attention and ask if there is
> anything that can or should be done about this, again toward the reputation
> of Cygwin.

I say this because I think your concern is genuine: you are coming
across as concern trolling.

Some of your logic is demonstrably false, as with your claims about
Debian project policies.  Some of your problems are unclear, as with
your explanation of "the Cygwin package" being "provisioned with an EOL
version of Ruby".  I understand that you've not found many of the
replies to you to be kind, but that's largely because you haven't shown
us the kindness of clearly explaining your issue or showing you've done
any research into the issue yourself.

If you are concerned about the reputation of Cygwin, I'd suggest you
follow Glenn's excellent advice from earlier in this thread: provide
specific offers to help improve Cygwin, rather than merely expressing
concerns and asserting we should eject people who have spent years
actively contributing to improve Cygwin's reputation.  There have been
several suggestions of ways you can support the project throughout this
email chain.

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
