From Gentoo Wiki
Jump to:navigation Jump to:search

Perl v5.24




Perl v5.26



  • Added to tree 2017-09-23 03:23:47
  • CVE Fixes bug #630610 for CVE-2017-12883, CVE-2017-12837
  • Upstreams release notes:
  • Adds auto-discovery of all "OLDVERS" in ABI-independent paths. This aims to help smooth over the transition from older perl versions, especially during portage needing to execute Perl based code without properly satisfying the bdeps path. It should still be relied upon that perl-cleaner and portage clean up the mess, but now, a temporary case where old code has a chance of working exists.


  • Added to tree 2017-11-01 21:04:39
  • Added fixes for Glibc w/ xlocale.h changes bug #636206


  • Added to tree 2018-02-22 23:47:52
  • Added fixes to avoid linking to libnsl



This is the "development" ebuild where snap-shots of yet-to-be-released-officially versions of the 5.26.x series get their wings.

Around -RC time, initial changes happen in this ebuild and then get rolled out to a version.

This may also one day fetch directly from git, but that's currently very complicated, and has a really annoying failure mode that triggers immediately after a final release, and lives until somebody fixes it.

If you want to use this version, its recommended you maintain your own virtuals or abuse package.provided.

Known Issues in Perl v5.26


Perl 5.26 brings several incompatible changes, also as a consequence of fixing a security problem (bug #589680. While we have made sure that all resulting build failures within Gentoo are fixed, this may not be the case for runtime issues, and certainly can affect third-party code (e.g., "hand-installed" server applications).

If you use Gentoo as a production server, this will be a good time to set aside a seperate box for testing the side effects of this release on your platform, and you should assume this release will affect you in some way.

Global Deprecations / Breakages

No current directory in library loading path anymore

buildtime and runtime Library path loading (@INC) changes break many (bug #612408) things, see in detail the separate Project:Perl/Dot-In-INC-Removal page.

Typical error messages are

Can't locate inc:: ... in @INC (you may need to install the ... module)
Can't locate t:: ... in @INC (you may need to install the ... module)
do "" failed, '.' is no longer in @INC; did you mean do "./"?

Unescaped { in Regexp

buildtime and runtime Unescaped left braces { in regular expressions have been deprecated already for some time and now cause compilation to fail.

Typical error messages are:

Unescaped left brace in regex is illegal in ...

OP_SIBLING/OP_PARENT internal changes

buildtime Changes in Perl internals breaks code around OP_SIBLING/OP_PARENT (changed in Perl 5.22 via option, default in 5.26).

Typical error messages are:

error: ... has no member named ‘op_sibling'

Removal of POSIX::tmpnam

runtime Removal of tmpname from POSIX causes some issues.

Typical error messages are:

Unimplemented: POSIX::tmpnam()

Encoding support

runtime Lexical encoding support has been removed

Further advice

More information on how to deal with Perl in Gentoo can be found on this wiki's Perl page.

Perl v5.28




This is the development ebuild for the future release of Perl 5.28

Internally, this tracks releases of Perls with versions 5.27.*, and may one day be git based and track blead.

When 5.28.0 ships, 5.28.0 will be peeled out of this ebuild and this ebuild will begin tracking the 5.28 maint series.

If you want to use this version, its recommended you maintain your own virtuals or abuse package.provided.

Known Issues in Perl v5.28

Global Deprecations / Breakages

CV-in-stash optimization breakages

runtime Perl-RT132252

exit 0 in INIT breaks Module::Install::DSL

build bug #645278 Perl-RT2754

In-Place sort weak-ref strengthening breakages

runtime Perl-RT132142 P5P "Patch for AnyEvent::HTTP" -- November 19, 2017 14:08

2016 fiasco

Following CVE-2016-1238 ( Gentoo bug ), Perl upstream deployed a lot of patches to protect code from unintended side effects of accidentally including libraries from paths relative to $CWD.

Most of these took the form of limiting shipped scripts which had no inherent need for this behaviour, and could be safely removed without consequences to end users.

However, one change that was not strictly necessary, ( or mentioned in the CVE ), was the modification of a very commonly used module, who's implementation means that it is mostly a proxy for a core language feature that has been present ( and depended upon ) for the last 20 years.

Upstream saw it fit that they must break any and all user code that intentionally relied on this effect, while not actually fixing the underlying problem, Perl's require implementation, which is still subject to this risk, and will be until at least Perl 5.26.

And then upstream got stuck in a 6 month long conflict, while upstream tried to work out how to break this aspect of while limiting the number of side effects that broke API, insistent that breaking API in a stable, bugfix point release was the way to proceed.

Meanwhile, the nature of the security hole was the internets worst kept secret, and all the identified and quantifiable risks were sitting there in the repo, fixed, but not distributed.

And 6 months on sitting on your hands when the CVE warrants a reaction in under a week is not good.

Subsequently, 5.22.3_rc4 was shipped to Gentoo, with Gentoo stripping out upstreams changes so we could actually deploy the security fixes that mattered.

And 5.24.1_rc4 was shipped to Gentoo with preserved, in order to use it as a testing target to smoke out anything that broke.

Later, upstream came around, and themselves reverted the changes so they could get the security release out.

As a side effect, this means that Gentoo's 5.22.3_rc4 was essentially upstreams 5.22.3, modulo some cosmetic changes

And there is subsequently no real need to ship a 5.22.3, though we could just to reduce confusion.

However, 5.24.1_rc4 should continue to ship as-is, with the " might break your tools" fixes, as upstream are tempted to replicate the same mistake in 5.24.2 ( and maybe 5.22.4 ), as shipping upstreams 5.24.1 final would revert this change ( just like they did for 5.22.3 ), which would reduce our ability to test for this bug before we got around to stabilizing it.

In short

Don't read too much in the _rc suffix when it comes to tracking perl stuff, they're mostly used for tracking downstream-vs-upstream versions, and your impressions of stability should be based on Gentoo Keywording, not upstream versioning, as the Perl Project apparently care more about not breaking your stuff than upstream do.

5.22.3_rc4 is just as safe as 5.22.3

Historical Versions


  • 5.22.3_rc4 added to tree at 9a8385af1b345197d7da96a147c1f5e60735f628: Tue Dec 6 18:37:40 2016
  • First stable: alpha at 3e6ed60cddd0e6643ebdcfa9eeb5bca4e30b6c92: Mon Dec 12 13:33:24 2016
  • Released to Gentoo early to get security issues resolved, but with changes reverted.
  • Logically equivalent to upstreams 5.22.3 final.



  • 5.24.1_rc4 added to tree at dd93ffde2df55a6d990cc05dcefe5ac83e96d961: Wed Nov 23 10:31:12 2016
  • Released to Gentoo early to get security issues resolved, and to get API breakage into testing.
  • Not equivalent to upstreams 5.24.1 final as upstream reverted changes.



  • Upgrade patchset to latest for testing
  • Fix compilation with GCC6 and -fltobug #583532
  • Properly fix compilation against newer zlibs bug #606374 by backporting changes to ZLib.xs from Compress-Raw-Zlib 2.074
  • Fix related to bug bug #608966 under crossdev where "touch" on a path would fail because the parent path did not exist
  • Fix patching failure under crossdev due to SHA1Sums changing
  • Upgrade perl-cross to 1.1.4
  • Fix makefile ordering issue when compiling unicore/ parts before has been compiled
  • Ensure miniperl is built with the right target arch for bootstrap


  • Update PDEPEND to pull newer File::Path for CVE-2017-6512 bug #620304



  • 5.26.0 added to tree at 8269609a0ae39382be5d7e0f666951e02e5a9d29: Tue May 30 21:11:52 2017