On 15.2.2013 2:49, Luis Lavena wrote:
> On Thu, Feb 14, 2013 at 6:06 AM, Vít Ondruch <v.ondruch / gmail.com> wrote:
>> Hi,
>>
>> Could you please avoid bumping versions of bundled gems when fixing security
>> issues? The version bump breaks the promise of a point release not to break
>> anything and to update safely.
>>
> The bump is because RDoc is actually 3.9.5, as it was released to rubygems.org:
>
> http://rubygems.org/gems/rdoc/versions/3.9.5
>
> If no bump was produced, how will you differentiate between the broken
> 3.9.4 and the patched 3.9.4?
>

It is typical in Linux distributions that patches are applied. For 
that, speaking of Fedora, the version of the package is extended by a 
release number. You trust your distribution in two ways: (1) it cares 
about security and applies security fixes for you; (2) it does not break 
existing functionality. For RDoc it means that the patch should be applied 
to RDoc in Ruby and the version must stay. It is typical for example for 
Rails: there are plenty of security fixes applied and they are secure on 
Fedora, although there is Rails 3.0.11 for example in Fedora 17. It is 
even more visible in RHEL, where it is simply not possible to update the 
version like this, since it would break the applications of our customers; 
therefore, if a Ruby patch release should be updated, we would be forced 
to patch/avoid this version bump and therefore create even more confusion!

Sadly, RubyGems does not support the notion of a release. Even more sadly, 
Bundler does not respect even ~> version specifications in Gemfile.lock, 
therefore it encourages every user to stay with a vulnerable version. 
Actually this was never an issue before Bundler started to be widespread.

So now, there is no better solution than that 3.9.5 was released to 
RubyGems and everybody who doesn't want to update Ruby, but cares about 
security, can update immediately. And as much as I hate it, it is fine 
that it would be the same as the 3.9.4 distributed with Ruby. As long as 
such simple security fixes break users' applications, there will be low 
will to update, therefore users will prefer to stay with vulnerable 
versions. Please don't allow that, ever!

BTW you should understand that not everybody who is running some 
application written in Ruby is a Ruby developer who understands what 
Bundler is, etc.


Vít
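As an added illustration of the Gemfile.lock pinning behaviour discussed in the message above (example code written for this page, not part of the thread, of Bundler or of RubyGems): the snippet parses a constructed Gemfile.lock excerpt for a hypothetical project, compares each locked version against a constructed advisory table (the rdoc 3.9.4 to 3.9.5 case from the thread, with a placeholder advisory id), and reports whether the Gemfile's own requirement would already accept the fixed version (so only the lock holds the application back) or whether the requirement itself excludes it. Only `Gem::Version` and `Gem::Requirement` from RubyGems are used; `parse_lock`, `audit_lock` and the lock/advisory samples are assumptions made for this example.

```ruby
require 'rubygems' # Gem::Version / Gem::Requirement come with RubyGems itself

# Constructed sample Gemfile.lock excerpt (hypothetical project, not a real lock file).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (3.0.11)
      rdoc (3.9.4)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (~> 3.0.11)
    rdoc (~> 3.9.4)
LOCK

# Constructed advisory table: gem name => first version carrying the fix.
# The rdoc entry mirrors the 3.9.4 -> 3.9.5 case from the thread; the id is a
# placeholder, not a real advisory identifier.
ADVISORIES = {
  "rdoc" => { id: "ADVISORY-ID-PLACEHOLDER", fixed_in: "3.9.5" },
}.freeze

# Parses the two parts of a Gemfile.lock that matter here:
#   GEM/specs     -> the exact versions Bundler will install (the pin)
#   DEPENDENCIES  -> the requirements copied from the Gemfile (e.g. "~> 3.9.4")
# Returns { "locked" => {name => Gem::Version}, "constraints" => {name => Gem::Requirement} }.
def parse_lock(text)
  locked = {}
  constraints = {}
  section = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if line !~ /\A\s/ # unindented line: section header such as GEM or DEPENDENCIES
      section = line.strip
      next
    end
    case section
    when "GEM"
      # Locked specs sit at exactly four spaces; their own dependencies at six.
      if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
        locked[m[1]] = Gem::Version.new(m[2])
      end
    when "DEPENDENCIES"
      # "name (requirement)" at two spaces; a bare name means any version.
      if (m = line.match(/\A {2}(\S+)(?: \(([^)]+)\))?!?\z/))
        constraints[m[1]] = Gem::Requirement.new(m[2] || ">= 0")
      end
    end
  end
  { "locked" => locked, "constraints" => constraints }
end

# For each advisory, reports whether the locked version is :ok (at or above the
# fix), :pinned_but_allowed (the Gemfile requirement would accept the fixed
# version, only the lock file holds it back) or :blocked (the Gemfile requirement
# itself excludes the fixed version, so the Gemfile must change).
def audit_lock(text, advisories = ADVISORIES)
  lock = parse_lock(text)
  advisories.each_with_object({}) do |(name, adv), report|
    current = lock["locked"][name]
    next if current.nil? # gem not present in this lock file
    fixed = Gem::Version.new(adv[:fixed_in])
    req = lock["constraints"].fetch(name) { Gem::Requirement.default }
    report[name] =
      if current >= fixed
        :ok
      elsif req.satisfied_by?(fixed)
        :pinned_but_allowed
      else
        :blocked
      end
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_lock(SAMPLE_LOCK).each do |name, status|
    puts "#{name}: #{status}" # rdoc: pinned_but_allowed
  end
end
```

The point the check makes visible is the one the message complains about: `~> 3.9.4` in the Gemfile already permits 3.9.5, yet the lock keeps every deployment on 3.9.4 until someone explicitly re-resolves that gem, so a fix published only as a new version reaches nobody who never runs an update. Distinguishing `:pinned_but_allowed` from `:blocked` tells an operator whether a re-resolve of that one gem is enough or whether the Gemfile constraint itself has to be relaxed first.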