[ic] [interchange] Fix potential "use of uninitialized value" if called during startup
jon at endpoint.com
Mon Jun 26 22:18:27 UTC 2017
On Fri, 23 Jun 2017, Mike Heins wrote:
>> David makes a good point: Because TLS 1.2 is required for PCI DSS, and
>> because older Perl systems are built on older OS/distros with old
>> OpenSSL, and because almost all Interchange usage is for ecommerce, it
>> is probably a good time for us to consider raising the minimum Perl
>> version. We have not done this for many years, so it's a good time
>> anyway. We should increase the Interchange release to 5.12 to indicate
>> the break in backward compatibility.
>> RHEL/CentOS 6 is the oldest supported in that family, and include TLS
>> 1.2 and Perl 5.14.1. RHEL/CentOS 7 comes with Perl 5.16.3.
>> Debian 7 is the oldest supported in its family, in its LTS phase. It
>> came with Perl 5.14.2. Debian 8 comes with Perl 5.20.2, and 9 with
>> Ubuntu 14.04 is the oldest supported, with Perl 5.18.2. Ubuntu 16.04
>> has 5.22.1.
>> Based on the lowest common denominator of the above, I propose we
>> increase the minimum Perl version to 5.14.1. That's still 6 years old,
>> from 2011!
> I am against this unless there is significant feature content added by
> increasing the minimum version. Allowing // in one or two places doesn't
> meet that bar to me.
I certainly understand the desire to avoid change for change's sake. It's
tedious dealing with upgrades anyway, without adding unnecessary pain.
There's a balance to be struck between bleeding-edge and dead.
This is a lot bigger than // - that's just one example of an over
decade-old basic Perl operator that we still can't use in core
Interchange. Even without making a big list of desired newer Perl features
we want to use, it's tiresome to be stuck on such ancient perls and have
to keep track of what syntax worked in the old days and what didn't.
The only supported versions of Perl right now are 5.24 and 5.26.
Everything else is end of life. The reason we can sanely support back to
5.14 is the long-term support Linux distros maintain their old versions
with backported patches, so at least serious security and bug fixes are
covered there. Anyone building their own perl should be watching those
Linux perl maintainers' release notes to see if there are important things
that should be backported to their own perl.
By way of comparison:
Perl 5.6.0 was released in March 2000, and less than 3 years later in
early 2003 Interchange began requiring 5.6 or later.
Perl 5.8.5 was released in July 2004, and about 4 years later in late 2008
Interchange began requiring it.
If we bump our minimum version requirement only up to 5.14.1, that will be
the most tolerant we've ever been upon requiring a newer version: a full 6
years old. We can't use OpenSSL that old. Web servers that old won't
support HTTP/2. OpenSSH that old doesn't work with newer key types. Etc.
Imagine if, in the year 2008, we had still been trying to support a
13-year-old Perl version. That would mean Perl 5.002. Anyone who was
around back then can imagine what a pain that would be. To those who are
used to more recent Perl versions now, it's the same feeling. Lots of
little annoyances that add up.
> If you go above 5.8, you are basically consiging yourself to using
> global Perl, as you will have myriad runtime require problems introduced
> by 5.10 and above.
That is true, and it is highly annoying. Since it's clearly not a
temporary blip, I think we need to cope with it and completely make the
move as a group. Most of us have already had to do that during upgrades,
and we're not doing the rest of the userbase any favors by not having
Interchange work comfortably with current Perl.
The old OS versions are dead. Moving to a new supported OS version should
mean getting a more current Perl build. Most people on an old Perl would
also have an end of life distro, Perl, and CPAN modules. If that's what
someone wants, they're of course free to do that, and can just as well use
an unsupported older version of Interchange. And even backport later fixes
if they want.
I didn't think I cared that much about this but apparently I do, based on
how long this is getting. I feel it is becoming urgent for Interchange to
get with the times on the Perl front.
Interchange is nothing without Perl. If everything has to be global to
work with newer Perl versions, then we should just accept that's the way
things have gone with Perl and deal with it. We should do what we can to
make working with a current OS, Perl, CPAN modules, as easy as possible,
since most people on ancient versions aren't upgrading their Interchange
So everyone please speak up on this: Who is still using Interchange with
Perl older than 5.14.1 and why?
If the only reason is that it's running on an end-of-life server OS that
you need to migrate away from anyway: Have you tried to keep using the
outdated, unsupported Perl on a newer server OS? Have you gotten the old
CPAN modules to work with newer glibc and other libraries?
End Point Corporation
More information about the interchange-users