From: mame@ruby-lang.org
Date: Sun, 12 Apr 2020 03:29:15 +0000 (UTC)
To: ruby-core@ruby-lang.org
Subject: [ruby-core:97844] [Ruby master Misc#16778] Should we stop vendoring default gems code?

Issue #16778 has been updated by mame (Yusuke Endoh).

As a committer who is involved in security releases, I'm about the maintenance policy of default gems.

Consider a recent vulnerability issue of the JSON gem (CVE-2020-10663). It looks like the JSON gem maintains only its latest version (2.3). Actually, they released only JSON gem 2.3 against the vulnerability.

However, Ruby 2.5 bundles JSON 2.1. Per Ruby's branch maintenance policy, new features are not backported to released branches. So, even if a vulnerability is found in the JSON gem, Ruby 2.5 cannot bundle JSON 2.3 as-is. Ruby 2.5 has a copy of the JSON source code, so we could fix the issue directly. But if there had been no copy, we couldn't have addressed the issue in Ruby 2.5.

----------------------------------------
Misc #16778: Should we stop vendoring default gems code?
https://bugs.ruby-lang.org/issues/16778#change-85067

* Author: deivid (David Rodríguez)
* Status: Assigned
* Priority: Normal
* Assignee: hsbt (Hiroshi SHIBATA)
----------------------------------------
Currently ruby-core vendors all the code in default gems, and runs the tests for each of them.

Also, ruby-core continuously updates the vendored code of default gems to sync with the upstream repos. That's overhead work, not only from synchronizing the code itself, but it also requires perfect synchronization of releases to avoid including versions of default gems that are different from released versions.

Also, this causes confusion for contributors because the code lives "duplicated" in two different places. Sometimes contributors will open a PR in the ruby-core repo, only to find out that they need to go to the upstream repo and contribute it there. And this rule is not even always followed, and sometimes ruby-core contributors apply patches to the vendored code directly (many times to fix test-only issues inherent to the different structure of the core repository). These patches then need to be contributed back to the upstream repo.

I believe that all of that kind of defeats the point of "gemification" of the standard library.

Once some Ruby code is gemified, it should be the new upstream's responsibility to make sure the code works and is properly tested, and ruby-core should be freed from that responsibility.

Maybe ruby-core could do something along the following lines:

* Remove all the vendored code from default gems.
* When this code is needed for internal tests, manage it as a development dependency, clone it as necessary into non-source-controlled locations, and use it from there.
* Maybe a file similar to `gems/bundled_gems` can be added for default gems indicating their versions and upstream repos, to ease things.
* Upon `make install`, clone the proper version of each default library and get it installed in the default $LOAD_PATH.
* Maybe add some bare high-level CI checks to ensure that all default libraries can be properly required after `make install`, and that their executables (if they include any) can also be run.

This should bring several benefits to the development process:

* No more duplicated code.
* No more synchronization from upstream to ruby-core.
* No more synchronization from ruby-core to upstream.
* No more confusion around the canonical place to contribute.
* No more complexities derived from the different organization of the code depending on whether it lives in ruby-core or outside.

I believe JRuby already does something like this, so it'd be interesting to get some input from them.

If this is a direction the ruby-core team would like to take, I'm happy to help @hsbt with small steps towards slowly approaching this high-level goal.

-- 
https://bugs.ruby-lang.org/