From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: AS4713 221.184.0.0/13 X-Spam-Status: No, score=-3.8 required=3.0 tests=AWL,BAYES_00, MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS, UNPARSEABLE_RELAY shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2 Received: from neon.ruby-lang.org (neon.ruby-lang.org [221.186.184.75]) by dcvr.yhbt.net (Postfix) with ESMTP id 149211F45A for ; Sun, 19 Apr 2020 01:42:19 +0000 (UTC) Received: from neon.ruby-lang.org (localhost [IPv6:::1]) by neon.ruby-lang.org (Postfix) with ESMTP id D1C5E1209CD; Sun, 19 Apr 2020 10:41:56 +0900 (JST) Received: from xtrwkhkc.outbound-mail.sendgrid.net (xtrwkhkc.outbound-mail.sendgrid.net [167.89.16.28]) by neon.ruby-lang.org (Postfix) with ESMTPS id CCCC81209C9 for ; Sun, 19 Apr 2020 10:41:54 +0900 (JST) Received: by filterdrecv-p3mdw1-6dbfd75bfd-t2sth with SMTP id filterdrecv-p3mdw1-6dbfd75bfd-t2sth-19-5E9BAC70-28 2020-04-19 01:42:08.542762489 +0000 UTC m=+2075682.632458369 Received: from herokuapp.com (unknown) by geopod-ismtpd-6-0 (SG) with ESMTP id 2fqSHU8CQ8aY4TbGHDtYug for ; Sun, 19 Apr 2020 01:42:08.498 +0000 (UTC) Date: Sun, 19 Apr 2020 01:42:08 +0000 (UTC) From: hsbt@ruby-lang.org Message-ID: References: Mime-Version: 1.0 X-Redmine-MailingListIntegration-Message-Ids: 73718 X-Redmine-Project: ruby-master X-Redmine-Issue-Tracker: Misc X-Redmine-Issue-Id: 16778 X-Redmine-Issue-Author: deivid X-Redmine-Issue-Assignee: hsbt X-Redmine-Sender: hsbt X-Mailer: Redmine X-Redmine-Host: bugs.ruby-lang.org X-Redmine-Site: Ruby Issue Tracking System X-Auto-Response-Suppress: All Auto-Submitted: auto-generated X-SG-EID: =?us-ascii?Q?9+ToIm+BmphpEzrVEr2fqVDpB0VofQNbgfqsVvtPdY1aWThijohXtxZxnMwjSj?= =?us-ascii?Q?7R4hcd82bgGbklQX3QHMKnW73MGhT=2F1IJDQCtV=2F?= =?us-ascii?Q?FjdQM4VzwuhMkN=2Fqt=2FfzNMbp6oZb8xafwKKrSjR?= =?us-ascii?Q?5aLmGnaCXLID6fz+scvUCD6aIVYyUCYoraP9zNW?= =?us-ascii?Q?MpZSvZMtcmeEoNU3uQKCkVjG5kymNunIlqZtpEm?= =?us-ascii?Q?UVdnXNq2fIVLJXN1k=3D?= To: ruby-core@ruby-lang.org X-ML-Name: ruby-core X-Mail-Count: 97957 Subject: [ruby-core:97957] [Ruby master Misc#16778] Should we stop vendoring default gems code? X-BeenThere: ruby-core@ruby-lang.org X-Mailman-Version: 2.1.15 Precedence: list Reply-To: Ruby developers List-Id: Ruby developers List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Errors-To: ruby-core-bounces@ruby-lang.org Sender: "ruby-core" Issue #16778 has been updated by hsbt (Hiroshi SHIBATA). This issues is too complex and complicated. I and mame and the maintainers = of default gems already considered these topics. 1. Removing the default gems from ruby core repository, It's too hard to ma= intain with the changes of ruby interpreter. Because the ruby commiter shou= ld fix it immediately, not accepted after a few days. = 2. There is no plan to use git submodule for this issues. The ruby commiter= can't push the master branch of the part of default gems contained rubygem= s. We need to push them for fixing CI of ruby interpreter. In fact, rubygem= s and bundler stop to use git submodule for similar issues. 3. There is no plan to use `.patch` management. >In any case, I believe this issue could be workarounded in different ways = so that the final ruby installation includes the security fix. For example,= include a ".patch" file in source control and apply it after downloading t= he default copy of the gem and before installing it. = We already try it. The release team that is about 5 people spend a lot of t= ime. The release works are always in midnight for fixing confilicts with da= ily changes. It's not for the real works. I and the maintainer of the default gems will extract the default gems to t= he bundled gems. After that, We dont't need to care the duplicated code. I already added the `test-bundled-gems` and `test-bundler` and other tasks = for the default gems/bundled gems. Does anyone improve them? For example, t= he name of `test-default-gems` pull the master branch of default gems, fix = conflict, and test. I want the code of these issues, not ideas. = ---------------------------------------- Misc #16778: Should we stop vendoring default gems code? https://bugs.ruby-lang.org/issues/16778#change-85186 * Author: deivid (David Rodr=EDguez) * Status: Assigned * Priority: Normal * Assignee: hsbt (Hiroshi SHIBATA) ---------------------------------------- Currently ruby-core vendors all the code in default gems, and runs the test= s for each of them. Also, ruby-core continuously updates the vendored code of default gems to s= ync with the upstream repos. That's overhead work, not only from syncronizi= ng the code itself, but it also requires perfect syncronization of releases= to avoid including versions of default gems that are different from releas= ed versions. Also, this causes confusion for contributors because the code lives "duplic= ated" in two different places. Some times contributors will open a PR in th= e ruby-core repo, only to find out that they need to go to the upstream rep= o and contribute it in there. And this rule is not even always followed and= sometimes ruby-core contributors apply patches to the vendored code direct= ly (many times to fix test-only issues inherent to the different structure = of the core repository). These patches then need to be contributed back to = the upstream repo. I believe that all of that kind of defeats the point of "gemification" of t= he standard library. Once some ruby code its gemified, it should be the new upstream's responsab= ility to make sure the code works and it's properly tested, and ruby-core s= hould be free'd from that responsability. Maybe ruby-core could do something along the following lines: * Remove all the vendored code from default gems. * When this code is needed for internal tests, manage it as a development d= ependency, clone it as necessary on non source controlled locations, and us= e it from there. * Maybe a file similar to `gems/bundled_gems` can be added for default gems= indicating their versions and upstream repos, to ease things. * Upon `make install`, clone the proper version of each default library and= get it installed in the default $LOAD_PATH. * Maybe add some bare high level CI checks to ensure that all default libra= ries can be properly required after `make install`, and that their executab= les (if they include any) can also be run. This should bring several benefits to the development process: * No more duplicated code. * No more syncronization from upstream to ruby-core. * No more syncronization from ruby-core to upstream. * No more confusion around the canonical place to contribute. * No more complexities derived from the different organization of the code = depending on whether it lives in ruby-core or outside. = I believe jruby already does something like this so it'd be interesting to = get some input from them. If this is a direction the ruby-core team would like to take, I'm happy to = help @hsbt with small steps towards slowly approaching to this high level g= oal. -- = https://bugs.ruby-lang.org/ Unsubscribe: