06:14 slyphon has joined #jruby
07:02 KeyJoo has joined #jruby
07:55 KeyJoo has quit [Ping timeout: 246 seconds]
08:09 KeyJoo has joined #jruby
08:18 KeyJoo has quit [Ping timeout: 246 seconds]
08:20 KeyJoo has joined #jruby
08:31 shellac has joined #jruby
08:57 shellac has quit [Quit: Computer has gone to sleep.]
09:23 KeyJoo has quit [Ping timeout: 250 seconds]
09:30 shellac has joined #jruby
09:49 KeyJoo has joined #jruby
09:52 Puffball has quit [Remote host closed the connection]
09:54 Puffball has joined #jruby
09:56 jmalves has joined #jruby
10:06 shellac_ has joined #jruby
10:09 shellac has quit [Ping timeout: 250 seconds]
10:17 drbobbeaty has quit [Ping timeout: 268 seconds]
11:18 KeyJoo has quit [Ping timeout: 272 seconds]
11:44 KeyJoo has joined #jruby
11:53 drbobbeaty has joined #jruby
12:18 shellac_ has quit [Quit: Computer has gone to sleep.]
12:38 KeyJoo has quit [Ping timeout: 250 seconds]
12:40 KeyJoo has joined #jruby
13:13 shellac has joined #jruby
14:05 shellac has quit [Quit: Computer has gone to sleep.]
14:24 KeyJoo has quit [Ping timeout: 268 seconds]
14:37 KeyJoo has joined #jruby
14:37 shellac has joined #jruby
15:14 travis-ci has joined #jruby
15:14 travis-ci has left #jruby [#jruby]
16:03 xardion has quit [Remote host closed the connection]
16:03 xardion has joined #jruby
16:34 Puffball has quit [Remote host closed the connection]
16:59 kitallis has joined #jruby
17:04 shellac has quit [Ping timeout: 252 seconds]
17:16 kitallis has quit [Quit: going, bye]
17:37 shellac has joined #jruby
18:10 shellac has quit [Quit: Computer has gone to sleep.]
18:15 <headius> so I'm going to get stdlib updated for 9.2.6
18:16 <headius> trying to decide if I should pull HEAD from the MRI 2.5 branch or just align with current release 2.5.3
18:17 travis-ci has joined #jruby
18:17 travis-ci has left #jruby [#jruby]
18:26 <headius> oh good, no stdlib updates for 2.5.4 yet anyway
18:26 <headius> no worries
18:28 shellac has joined #jruby
18:31 travis-ci has joined #jruby
18:31 travis-ci has left #jruby [#jruby]
18:38 KeyJoo has quit [Ping timeout: 250 seconds]
19:05 travis-ci has joined #jruby
19:05 travis-ci has left #jruby [#jruby]
19:37 subbu is now known as subbu|lunch
19:53 shellac has quit [Quit: Computer has gone to sleep.]
19:55 <headius> enebo: hey
19:55 <headius> so one of the failures is testing that ARGV values are tainted
19:55 <headius> apparently MRI wasn't doing it on windows so they fixed that and added this test
19:55 <headius> we don't do it at all, so we fail now
19:56 <headius> it's an easy fix either way, but I'm unsure whether to just fix ARGV or to fix all "external" strings
19:56 <headius> in MRI this method they use to turn a C string into a Ruby string always taints
19:56 subbu|lunch is now known as subbu
19:56 <headius> that's roughly equivalent to the logic we use here for ARGV, newInternalFromJavaExternal
19:56 <headius> so I'm on the fence about whether to make all Java strings coming through that method get tainted
19:59 <enebo> ARGV is less risky
19:59 <enebo> but you may fix more the other way
20:00 <enebo> I guess audit existing callers and see if we have obvious calls which do not expect taint
20:00 <enebo> ./lib/ruby/gems/shared/gems/activerecord-jdbc-adapter-51.1-java/src/java/arjdbc/jdbc/RubyJdbcConnection.java: return RubyString.newInternalFromJavaExternal(runtime, xml.getString());
20:01 <enebo> headius: so that may make you a little more nervous
20:01 <enebo> of course we can stop using that method and push a new point but any audit maybe should include a github check
20:01 <headius> well maybe it does
20:01 <headius> but if the native AR adapters are calling this function they're getting tainting too
20:01 <enebo> "we ... stop" == arjdbc
20:02 <headius> you know we really don't do anything at all with taint so it probably doesn't matter either way
20:02 <enebo> I have not looked at what this string is for... "xml.getString()"
20:02 <enebo> we mark taint but I am not sure how complete we are
20:02 <headius> complete enough to pass tests and no more complete
20:05 <headius> yeah I'll just go with argv fix for now
20:05 travis-ci has joined #jruby
20:05 travis-ci has left #jruby [#jruby]
20:05 <headius> if someone wants to raise an issue about a specific case of java to Ruby string that ought to be tainted, they can file it
20:05 <headius> I thought we had IRC notifications set up to only come from our repo
20:06 <headius> I guess kares results have been showing up too
20:11 <enebo> headius: interesting discussion on taint if we actually cared about taint...we cannot really know from a Java call if we got the string from a trusted source
20:11 <headius> it's the C of JRuby so in theory we should be tainting
20:11 <enebo> We may be able to say for certain in limited ways we directly call some apis but generically they should all be tainted since we cannot know
20:12 <headius> but many of the reasons MRI taints don't apply to us (buffer overruns etc)
20:12 <enebo> a large part of me believes no one uses JRuby + tainting other than not wanting to see non-green runs on random gems they consume
20:12 <headius> what are the other reasons for tainting?
20:12 <headius> I mean I've never understood the concept, it seems comically stupid
20:12 <headius> so you're going to tell me that this string is evil...riiiiiight
20:12 <enebo> yeah it is such a fragile concept from end use and implementation
20:13 <headius> MRI basically doesn't do anything with it now either since they don't have safe levels
20:13 <headius> so I dunno
20:13 <headius> I assume there's some checks for using taint to launch subprocesses or whatever
20:14 <enebo> taint is so easy to get wrong I feel like it gives people an improper sense of security
20:14 <enebo> but my experience with taint was all with Perl so you know that was a long time ago
20:39 travis-ci has joined #jruby
20:39 travis-ci has left #jruby [#jruby]
21:24 <headius> enebo: I don't think anyone else has tried to use tainting as a security mechanism since then
21:51 drbobbeaty has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
22:16 <headius> kares: lopex: if you guys want something small to work on there's new failures from updating MRI tests
22:17 <headius> enebo is also working on fixes
22:17 <lopex> new new failures or new specs ?
22:18 <lopex> er, I thought it's something new from stdlib update
23:39 shellac has joined #jruby
23:47 <headius> lopex: there were a couple stdlib things but I fixed those...the rest of these are just from updating the tests to 2.5 HEAD
23:47 <headius> so they're actual bugs that were fixed in core