# upgraded perl from perl5.18 to perl5.24 having issues



## tony33 (Aug 15, 2016)

Hi, I upgraded perl and now p5-Net-SSLeay is not installing. I had this working under perl5.18 and perl5.16 which I had before and it was working perfectly. I had p5-Net-SSLeay installed before but it stopped working after the upgrade to v 24. I deleted it and tried to reinstall it but I get errors. The error message says that  file SSLeay.so doesn't exist. How can I have the installation create this file?


----------



## youngunix (Aug 15, 2016)

security/p5-Net-SSLeay is compatible with lang/perl5.20. So try using the latter first.


----------



## tony33 (Aug 15, 2016)

youngunix said:


> security/p5-Net-SSLeay is compatible with lang/perl5.20. So try using the latter first.


 I did delete perl5.24 and tried to install perl5.20 etc. I still get the same issue. Even if going back to perl5.18 it's a pain in the ass. I need this for webmin. In order for webmin to support ssl logins. How come it doesn't work with the latest version?


----------



## youngunix (Aug 15, 2016)

If that didn't work, now we need some more information such as the output of `uname -a` and the port build error(s).
This might or might not work, but try removing the ports and install the packages using pkg(7).


----------



## Murph (Aug 15, 2016)

Both 5.22 and 5.24 killed off some important old Perl 5 behaviour, so many old scripts and modules will fail when upgrading, if they have not been appropriately modified to use newer behaviour.  See the perldelta for each release for details, there's a long list of incompatibilities and deprecations for 5.22.0 and 5.24.0.  5.20 also had similar, but it's been out for long enough that most modules caught up with it a while ago.

5.24 is very recent, and not something I would particularly recommend for production use at this point in time, simply because it is very rare for a Perl installation to exist without a large number of extra modules, and it takes time for the modules to become stable on a new stable release of the core.  5.22 is somewhere between the two, as you would expect, not quite "so old that everything now works, if the module hasn't been completely abandoned", but no longer "bleeding edge, with lots of broken stuff".  All of the most popular stuff should now generally be good on 5.22, but you could easily run into the odd module which is still in need of an update.

Either 5.20 or 5.22 are the safer options, but be aware that they (inappropriately and unnecessarily, in my opinion) euthanised CGI.pm in 5.22, which may cause significant problems for many web-related scripts.

5.20 is still the FreeBSD default version (defined in Mk/bsd.default-versions.mk).  5.20 in ports is patched for the latest (not actually all that important, or urgent, for many use cases, in my opinion) CVE.

You are correct in wanting to migrate forwards from 5.18, as it's really getting to be "too old" now.


----------



## tony33 (Aug 15, 2016)

Murph said:


> Both 5.22 and 5.24 killed off some important old Perl 5 behaviour, so many old scripts and modules will fail when upgrading, if they have not been appropriately modified to use newer behaviour.  See the perldelta for each release for details, there's a long list of incompatibilities and deprecations for 5.22.0 and 5.24.0.  5.20 also had similar, but it's been out for long enough that most modules caught up with it a while ago.
> 
> 5.24 is very recent, and not something I would particularly recommend for production use at this point in time, simply because it is very rare for a Perl installation to exist without a large number of extra modules, and it takes time for the modules to become stable on a new stable release of the core.  5.22 is somewhere between the two, as you would expect, not quite "so old that everything now works, if the module hasn't been completely abandoned", but no longer "bleeding edge, with lots of broken stuff".  All of the most popular stuff should now generally be good on 5.22, but you could easily run into the odd module which is still in need of an update.
> 
> ...


The only reason I want to use perl5.24 is just to avoid having to keep updating stuff every month. I recently upgraded freebsd 10.2 to 10.3 in May 2016. There's a Freebsd 11 coming out in Sep. Again I own a couple websites and use freebsd on a server and really want to just focus on working on my website rather than keep worrying about security issues with software and doing upgrades or updates for the server.

So, I want to update everything and get it done now and be able to wait a couple of years to do an update or upgrade again.


----------



## Murph (Aug 15, 2016)

tony33 said:


> The only reason I want to use perl5.24 is just to avoid having to keep updating stuff every month. I recently upgraded freebsd 10.2 to 10.3 in May 2016. There's a Freebsd 11 coming out in Sep. Again I own a couple websites and use freebsd on a server and really want to just focus on working on my website rather than keep worrying about security issues with software and doing upgrades or updates for the server.
> 
> So, I want to update everything and get it done now and be able to wait a couple of years to do an update or upgrade again.



11.0 and Perl 5.24 will not experience security issues and receive updates any slower than 10.3 and Perl 5.20 or 5.22.  If anything, there may be more frequent important updates for the newer versions, until they properly mature.

It would most certainly be a very bad idea to plan on running 11.0 and Perl 5.24 for "a couple of years" without updates.  Both of them are almost certain to have published security vulnerabilities long before that time.

As far as FreeBSD versions go, you are good through to April 2018 with 10.3, although there will be the usual steady stream of security and errata updates to react to discovered issues.  11.0 will probably be end-of-life before then.


----------



## tony33 (Aug 15, 2016)

I fixed it by running  cpan -u  and using cpan to install the module.


----------



## youngunix (Aug 16, 2016)

Murph said:


> Either 5.20 or 5.22 are the safer options, but be aware that they (inappropriately and unnecessarily, in my opinion) euthanised CGI.pm in 5.22, which may cause significant problems for many web-related scripts.
> 
> 5.20 is still the FreeBSD default version (defined in Mk/bsd.default-versions.mk).  5.20 in ports is patched for the latest (not actually all that important, or urgent, for many use cases, in my opinion) CVE.



I wouldn't recommend you recommending those perl versions, please see this thread.


----------



## Murph (Aug 16, 2016)

youngunix said:


> I wouldn't recommend you recommending those perl versions, please see this thread.



I stand by everything I have said here.  There's nothing at all in that thread to suggest that 5.22 should not be used.  As for 5.20, it is still the default version for FreeBSD ports, and still very much a valid choice today.


----------



## SirDice (Aug 16, 2016)

Some confusion perhaps, 


> We "officially" support the two most recent stable release series. 5.20.x and earlier are now out of support. As of the release of 5.26.0, we will "officially" end support for Perl 5.22.x, other than providing security updates as described below.


Perl 5.26 however hasn't been released yet. Which means 5.22 is still supported.

With or without the release of 5.26, there's still:


> To the best of our ability, we will provide "critical" security patches / releases for any major version of Perl whose 5.x.0 release was within the past three years. We can only commit to providing these for the most recent .y release in any 5.x.y series.


Perl 5.20 was released in May 2014. Which means they'll provide security updates at least until May 2017 or the release of 5.26 (which ever comes first).


----------



## youngunix (Aug 16, 2016)

SirDice said:


> Some confusion perhaps,
> 
> Perl 5.26 however hasn't been released yet. Which means 5.22 is still supported.
> 
> ...


Perl 5.20 still has a lingering vulnerability and I don't think it's a good idea to add the worry of a problematic version to the development cycle. However, everyone is free to use whatever they like as long as they know what they are doing. For instance, I've seen a lot of threads (here and else where) where users are complaining about their -RELEASE having issues with packages, configuration, etc. But it turns out they were unaware that the -RELEASE has already reached the EOL.
Security patches won't always come in time, because the devs are busy working on the next release(s).


----------



## Murph (Aug 16, 2016)

youngunix said:


> Perl 5.20 still has a lingering vulnerability…


If you mean CVE-2016-1238 or CVE-2016-6185, FreeBSD's lang/perl5.18 and lang/perl5.20 include fixes for both of those, and the vulnerabilities were essentially a non-issue for a great many use cases.

In the commercial world, ActiveState provide support all the way back to Perl 5.8.  Apple still support 5.18 on OS X 10.10.  I don't feel like digging out all of the other examples, but I'm confident that you will find plenty of cases of 5.20 and older being supported by various commercial Unix and Linux vendors.


----------

