On Fri, 21 Aug 2015 11:15:07 +0200 Jordi Massaguer Pla <jmassaguerpla@suse.de> wrote:
On 08/21/2015 10:18 AM, Andreas Stieger wrote:
Hello,
the SUSE Security team would like to improve tracking of ruby gems bundled into packages, so that these appear in the metadata of binary packages. I am proposing https://build.opensuse.org/request/show/324759 This automatically generates "Provides: bundled(rubygem-foo)" without additional package maintainer action.
Please comment.
I like it a lot :) . It is very simple (which is great) and provides what it is needed.
I'd like to hear Darix opinion :-)
we have 4 options of packages using gems 1. the good way: just requiring system gems and having nothing intree 2. the bad way: Buildrequires for the gems and then copying them into their tree. 3. the ugly: having all gems locally in the package as sources 4. the bad and ugly: a mix of 2 and 3 So let's looks at the options: 1. so the first option is what we actually want. 2. if you really find a valid reason to bundle (and so far none of the packages doing it had that!) we can solve this by maintaining a list of packages which bundle and then tracking their _expanded_ buildrequires list (osc buildinfo) 3. UGH. i guess you could just do "ls" on the source package and have a list of packages doing it. 4. as it is a mix of 2 and 3 you have to use 2 and 3 to solve it. another option might be to look at all the binary rpms and see if you find any gems outside of the system gem dir (gem env gemdir). also keep an eye out for packages which have multiple gem files in their binary rpms. those are probably bundling too. but bundling into the gemdir. HTH darix -- openSUSE - SUSE Linux is my linux openSUSE is good for you www.opensuse.org -- To unsubscribe, e-mail: opensuse-ruby+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-ruby+owner@opensuse.org