[ruby-core:97957] [Ruby master Misc#16778] Should we stop vendoring default gems code?

[hsbt@ruby-lang.org]

Issue #16778 has been updated by hsbt (Hiroshi SHIBATA).


This issues is too complex and complicated. I and mame and the maintainers of default gems already considered these topics.


1. Removing the default gems from ruby core repository, It's too hard to maintain with the changes of ruby interpreter. Because the ruby commiter should fix it immediately, not accepted after a few days. 

2. There is no plan to use git submodule for this issues. The ruby commiter can't push the master branch of the part of default gems contained rubygems. We need to push them for fixing CI of ruby interpreter. In fact, rubygems and bundler stop to use git submodule for similar issues.

3. There is no plan to use `.patch` management.

>In any case, I believe this issue could be workarounded in different ways so that the final ruby installation includes the security fix. For example, include a ".patch" file in source control and apply it after downloading the default copy of the gem and before installing it. 

We already try it. The release team that is about 5 people spend a lot of time. The release works are always in midnight for fixing confilicts with daily changes. It's not for the real works.

I and the maintainer of the default gems will extract the default gems to the bundled gems. After that, We dont't need to care the duplicated code.

I already added the `test-bundled-gems` and `test-bundler` and other tasks for the default gems/bundled gems. Does anyone improve them? For example, the name of `test-default-gems` pull the master branch of default gems, fix conflict, and test. I want the code of these issues, not ideas. 

----------------------------------------
Misc #16778: Should we stop vendoring default gems code?
https://bugs.ruby-lang.org/issues/16778#change-85186

* Author: deivid (David Rodríguez)
* Status: Assigned
* Priority: Normal
* Assignee: hsbt (Hiroshi SHIBATA)
----------------------------------------
Currently ruby-core vendors all the code in default gems, and runs the tests for each of them.

Also, ruby-core continuously updates the vendored code of default gems to sync with the upstream repos. That's overhead work, not only from syncronizing the code itself, but it also requires perfect syncronization of releases to avoid including versions of default gems that are different from released versions.

Also, this causes confusion for contributors because the code lives "duplicated" in two different places. Some times contributors will open a PR in the ruby-core repo, only to find out that they need to go to the upstream repo and contribute it in there. And this rule is not even always followed and sometimes ruby-core contributors apply patches to the vendored code directly (many times to fix test-only issues inherent to the different structure of the core repository). These patches then need to be contributed back to the upstream repo.

I believe that all of that kind of defeats the point of "gemification" of the standard library.

Once some ruby code its gemified, it should be the new upstream's responsability to make sure the code works and it's properly tested, and ruby-core should be free'd from that responsability.

Maybe ruby-core could do something along the following lines:

* Remove all the vendored code from default gems.
* When this code is needed for internal tests, manage it as a development dependency, clone it as necessary on non source controlled locations, and use it from there.
* Maybe a file similar to `gems/bundled_gems` can be added for default gems indicating their versions and upstream repos, to ease things.
* Upon `make install`, clone the proper version of each default library and get it installed in the default $LOAD_PATH.
* Maybe add some bare high level CI checks to ensure that all default libraries can be properly required after `make install`, and that their executables (if they include any) can also be run.

This should bring several benefits to the development process:

* No more duplicated code.
* No more syncronization from upstream to ruby-core.
* No more syncronization from ruby-core to upstream.
* No more confusion around the canonical place to contribute.
* No more complexities derived from the different organization of the code depending on whether it lives in ruby-core or outside.  

I believe jruby already does something like this so it'd be interesting to get some input from them.

If this is a direction the ruby-core team would like to take, I'm happy to help @hsbt with small steps towards slowly approaching to this high level goal.



-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>