Marcus Rückert email@example.com wrote:
> On Fri, 21 Aug 2015 11:15:07 +0200 Jordi Massaguer Pla firstname.lastname@example.org wrote:
>> On 08/21/2015 10:18 AM, Andreas Stieger wrote:
>>> the SUSE Security team would like to improve tracking of ruby gems bundled into packages

An explanation of exactly what you mean by "gems bundled into packages" would have been helpful. I guess you mean
but the devil is in the details.

>>> so that these appear in the metadata of binary packages. I am proposing https://build.opensuse.org/request/show/324759 This automatically generates "Provides: bundled(rubygem-foo)" without additional package maintainer action.

Based on that, I see

So it seems you are talking about using Bundler to install multiple gems into vendor/bundle/ at package build-time. Is that right? As Jordi already noted elsewhere in this thread, it's not safe to assume the presence of the packed .gem files.

>> I like it a lot :) . It is very simple (which is great) and provides what is needed.
>> I'd like to hear Darix's opinion :-)

> we have 4 options of packages using gems
> - the good way: just requiring system gems and having nothing intree

By "system" gems, I guess you mean the packages from d:l:r:e which provide one gem per package? And "intree" means a package containing multiple vendor/bundle/ gems? In other words:

> - the bad way: Buildrequires for the gems and then copying them into their tree.

Blegh :) Why would anyone do that?

> - the ugly: having all gems locally in the package as sources

By "as sources" you mean unpacked gems? Is there any other way to have them "in tree"?

> - the bad and ugly: a mix of 2 and 3
> So let's look at the options:
> - so the first option is what we actually want.
> - if you really find a valid reason to bundle (and so far none of the packages doing it had that!) we can solve this by maintaining a list of packages which bundle and then tracking their _expanded_ buildrequires list (osc buildinfo)

Not sure I understand fully but this sounds nasty to me.

> UGH. I guess you could just do "ls" on the source package and have a list of packages doing it.
> as it is a mix of 2 and 3 you have to use 2 and 3 to solve it.
> another option might be to look at all the binary rpms and see if you find any gems outside of the system gem dir (gem env gemdir). also keep an eye out for packages which have multiple gem files in their binary rpms. those are probably bundling too. but bundling into the gemdir.

I guess I am maybe missing some context so I'm not sure I can contribute more to the discussion immediately, other than to make a plea:

Whichever way this discussion goes, please can everyone take collective responsibility to ensure that
is properly maintained with correct and up-to-date info. Thanks!
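The two heuristics Marcus sketches (gems installed outside `gem env gemdir`, and more than one gem inside it) can be checked over a binary rpm's file list, and the result mapped onto the `Provides: bundled(rubygem-foo)` tags Andreas' request generates. The following is an added example written for this page, not code from the thread or from the OBS request; the file lists and the gemdir path are constructed, and the `= version` suffix on the Provides line is an assumption (the thread only shows the unversioned form). Real file lists come from `rpm -qlp <package>.rpm`.

```python
"""Heuristic bundled-gem scan over a binary RPM's file list (added example)."""
import re
from typing import Dict, List, Tuple

# Installed gem directory: .../gems/<name>-<version>/...
GEM_DIR_RE = re.compile(r"/gems/(?P<name>[A-Za-z0-9_.-]+?)-(?P<ver>\d[^/]*)/")
# Packed gem file: .../<name>-<version>.gem  (usually under cache/)
GEM_FILE_RE = re.compile(r"/(?P<name>[A-Za-z0-9_.-]+?)-(?P<ver>\d[^/]*)\.gem$")

Gem = Tuple[str, str]  # (name, version)


def find_bundled_gems(files: List[str], gemdir: str) -> Dict[str, List[Gem]]:
    """Classify gems found in a file list.

    outside_gemdir:     gems living anywhere but the system gemdir
                        (vendor/bundle/ style bundling)
    multiple_in_gemdir: every gem in gemdir when there is more than one,
                        which a one-gem-per-package build should never have
    """
    prefix = gemdir.rstrip("/") + "/"
    outside, inside = set(), set()
    for path in files:
        m = GEM_DIR_RE.search(path) or GEM_FILE_RE.search(path)
        if m is None:
            continue  # not a gem directory or packed gem, e.g. a .gemspec
        bucket = inside if path.startswith(prefix) else outside
        bucket.add((m["name"], m["ver"]))
    return {
        "outside_gemdir": sorted(outside),
        "multiple_in_gemdir": sorted(inside) if len(inside) > 1 else [],
    }


def bundled_provides(files: List[str], gemdir: str) -> List[str]:
    """Provides tags for gems bundled outside gemdir.

    Gems bundled *into* gemdir are only flagged for review, since the file
    list alone cannot tell which one is the package's own gem.
    Versioned form is an assumption; the thread shows bundled(rubygem-foo).
    """
    found = find_bundled_gems(files, gemdir)
    return [f"Provides: bundled(rubygem-{name}) = {ver}"
            for name, ver in found["outside_gemdir"]]


# Constructed sample data; GEMDIR stands in for what `gem env gemdir` prints.
GEMDIR = "/usr/lib64/ruby/gems/2.1.0"

# Constructed: a package that ships gems under vendor/bundle/ (options 3/4)
BUNDLING_PKG = [
    "/usr/share/foo/bin/foo",
    "/usr/share/foo/vendor/bundle/ruby/2.1.0/gems/rack-1.5.2/lib/rack.rb",
    "/usr/share/foo/vendor/bundle/ruby/2.1.0/gems/i18n-0.7.0/lib/i18n.rb",
    "/usr/share/foo/vendor/bundle/ruby/2.1.0/cache/rack-1.5.2.gem",
]
# Constructed: a clean d:l:r:e style package with exactly one gem
CLEAN_PKG = [
    "/usr/lib64/ruby/gems/2.1.0/gems/rack-1.5.2/lib/rack.rb",
    "/usr/lib64/ruby/gems/2.1.0/cache/rack-1.5.2.gem",
    "/usr/lib64/ruby/gems/2.1.0/specifications/rack-1.5.2.gemspec",
]
# Constructed: bundling a second gem into the system gemdir itself
GEMDIR_BUNDLING_PKG = CLEAN_PKG + [
    "/usr/lib64/ruby/gems/2.1.0/gems/i18n-0.7.0/lib/i18n.rb",
    "/usr/lib64/ruby/gems/2.1.0/cache/i18n-0.7.0.gem",
]

if __name__ == "__main__":
    for label, files in [("bundling", BUNDLING_PKG), ("clean", CLEAN_PKG),
                         ("gemdir-bundling", GEMDIR_BUNDLING_PKG)]:
        print(label, find_bundled_gems(files, GEMDIR))
    print("\n".join(bundled_provides(BUNDLING_PKG, GEMDIR)))
```

The scan is a review aid, not a replacement for the build-time generator in the OBS request: it only sees what ended up in the rpm, so a package that bundles at build time but ships nothing recognisable as a gem directory will not be caught.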