Hi,

2010/9/9 Ryan Davis <ryand-ruby / zenspider.com>:
>>  3) advantage for the core team: they do not have to do a security
>>     release if stdlib has a security issue, because "gem update"
>>     can be used.
>
> I think FreeBSD + ports is a good model here. I see it as
>
>    ruby + core libs : ruby stdlib :: freebsd distro : freebsd ports
>
> When a security announcement is released for freebsd itself, they usually
> provide a workaround + patch that you can apply immediately and then you
> can follow up with an official update. When a security announcement is
> released for a port, you can update the ports tree and update that port
> independent of a freebsd release.

Interesting.  The two announcements for freebsd itself and a port
are released at once, right?  Otherwise it leads to a zero-day
attack.

The release manager must not only do a full release but also
push new gems, at once.  This is "Cons 1" I said.


>> cons:
>>  1) disadvantage for the core team: developing style will get
>>     complex.  The core team must care about multiple entities: the Ruby
>>     package and stdlib gems.
>
> I can see that if ruby is viewed (using the analogy above) as the whole
> freebsd distro, but I don't think that view is necessarily valid. For
> example, why must webrick require a full release cycle (and version
> number--we still have that problem) when it can be addressed with an
> announcement saying "security problem. run gem update webrick to fix it"?
>
> Certainly we'd want future releases of ruby to update the supplied webrick,
> but I don't think it necessitates a full release, esp if the user is
> immediately encouraged to update rubygems + installed gems at ruby install
> time.

I insisted on the very same thing to committers.
If we don't have to do a full release when a security issue is reported,
it is definitely an advantage for the core team.
But, Urabe san said, a full release is needed even if "gem update"
can be used.

I said, Linux distributions do not update the whole new install
CDs even if some software packages have security issues.
Urabe san said, some Linux distributions (such as Debian) actually
do so.  I didn't confirm if it is true or not, though.

-- 
Yusuke Endoh <mame / tsg.ne.jp>