Quoting Josef Reidinger
On Thu, 31 Jan 2013 18:57:34 +0100 Jordi Massaguer Pla
wrote: Quoting Josef Reidinger
: On Thu, 31 Jan 2013 17:41:15 +0100 Cornelius Schumacher
wrote: On Thursday 31 January 2013 15:13:12 Stephan Kulow wrote:
Using bundler/gem just dropped from that list:
http://blog.newrelic.com/2013/01/30/new-relic-and-rubygems-security/
How is this related to the question how gems are packaged? In the end they are all coming from rubygems in any case.
Well, there is one big difference. We control it. So e.g. if OBS is extended to provide also difs for gems, you can review changes from last submit and review it. If you use directly rubygems.org, then you depend on external service, where is no guaranty and as last case show no review. Of course own gem server is different case, but there is other problems like that we must maintain it. It must be public so also we must secure it etc.
"must be public" ?? I do not see why.
Well, maybe my fault. I think that this disqualify solution that zypper can work with rubygems. Because in this case all customer should be able to download from rubygems org or from our gemserver. It is also valid for any solution that do not pack all required gems during build on internal server ( because OBS is in public network, so only IBS can do it ). Josef
Josef, I understand your point. I just want to clarify that we do package gems in an RPM. The difference between my approach and yours is the amount of RPMs. You have one RPM per gem and I have all gems into one RPM, with all the advantages and disadvantages we have discussed.
Josef -- To unsubscribe, e-mail: opensuse-ruby+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-ruby+owner@opensuse.org
-- To unsubscribe, e-mail: opensuse-ruby+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-ruby+owner@opensuse.org
-- To unsubscribe, e-mail: opensuse-ruby+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-ruby+owner@opensuse.org