Dne 17.2.2013 1:44, Jeremy Evans napsal(a):
> On 02/14 06:06, Vít Ondruch wrote:
>> Hi,
>>
>> Could you please avoid bumping versions of bundled gems when fixing
>> security issues? The version bump breaks the promise of a point release
>> not to break anything and to update safely.
>>
>> Consider the following simple case:
>>
>> $ ruby -v
>> ruby 1.9.3p374 (2013-01-15 revision 38858) [x86_64-linux]
>>
>> $ rdoc --version
>> rdoc 3.9.4
>>
>> $ cat Gemfile
>> gem 'rdoc'
>>
>> $ cat testrdoc.rb
>> require 'rdoc/rdoc'
>>
>> options = RDoc::Options.new
>> options.parse ARGV
>>
>> rdoc = RDoc::RDoc.new
>> rdoc.document options
>>
>> $ bundle install
>> Using rdoc (3.9.4)
>> Using bundler (1.1.4)
>> Your bundle is complete! Use `bundle show [gemname]` to see where a bundled
>> gem is installed.
>>
>> $ bundle exec ruby testrdoc.rb -- testrdoc.rb
>> Parsing sources...
>> 100% [ 1/ 1]
>> testrdoc.rb
>>
>> Generating Darkfish format into /tmp/test374/doc...
>>
>> Files:      1
>>
>> Classes:    0 (0 undocumented)
>> Modules:    0 (0 undocumented)
>> Constants:  0 (0 undocumented)
>> Attributes: 0 (0 undocumented)
>> Methods:    0 (0 undocumented)
>>
>> Total:      0 (0 undocumented)
>>    0.00% documented
>>
>> Elapsed: 0.0s
>>
>> $ bundle exec ruby testrdoc.rb -- testrdoc.rb
>> Could not find rdoc-3.9.4 in any of the sources
>> Run `bundle install` to install missing gems.
>>
>> $ sudo yum update 'ruby*' # Or just install somehow new point release of
>> Ruby
>>
>> $ ruby -v
>> ruby 1.9.3p385 (2013-02-06 revision 39114) [x86_64-linux]
>>
>> $ rdoc --version
>> rdoc 3.9.5
>>
>> $ bundle exec ruby testrdoc.rb -- testrdoc.rb
>> Could not find rdoc-3.9.4 in any of the sources
>> Run `bundle install` to install missing gems.
>>
>> So what worked before the update does not work now. This issue was introduced
>> by rev39101 and there is another similar breakage, rev39218, in the queue for
>> release. Yes, this might be a wrong design of Bundler, but considering how
>> wide the adoption of Bundler is, Ruby releases should respect it.
> I'm the packager of ruby for OpenBSD, and I disagree with this. The
> included gems that ship with Ruby releases (including patch releases)
> should have versions that match the versions of the external gems with
> the same content.

Actually I agree with you on this. But even more important is to not 
break existing applications. Breaking applications will result in loss of 
trust and therefore in not updating, keeping security issues unfixed.

> Ruby releases should not violate common sense just to work around
> design flaws in ruby libraries, no matter how popular those libraries
> are.

I agree even with this, that is why I am adding the Bundler ML on CC. As an 
interim solution, until Bundler gets fixed, I hope that #7869 will get 
accepted.

Vít
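The breakage shown in the quoted session comes down to a Gemfile.lock that pins rdoc at 3.9.4 while the updated Ruby now ships rdoc 3.9.5 as its bundled copy, so Bundler can no longer find the pinned version in any source. The following added example (not code from this thread or from Bundler) is a small preflight check an operator could run before rolling out a Ruby point release: it parses the `specs:` section of a Gemfile.lock and reports every pin that differs from the bundled-gem versions of the target Ruby. The lockfile text, the `sample_dep` entry, and the per-release version hashes are constructed inputs mirroring the versions mentioned in the thread; in practice the bundled-gem versions would come from the target Ruby's own gem listing.

```ruby
# Added example, not part of the original thread or of Bundler.
# Preflight check: flag Gemfile.lock pins that a given Ruby release no longer
# satisfies with its bundled gems, i.e. the pins Bundler would fail on with
# "Could not find <gem>-<version> in any of the sources" after an update.

# Parse the "specs:" entries of a Gemfile.lock into { name => version }.
# Only the top-level lines (four spaces of indentation) carry a resolved
# version; deeper-indented lines are dependency constraints and are skipped.
def parse_lockfile_specs(lockfile_text)
  specs = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true
      next
    end
    # A non-indented line ("PLATFORMS", "DEPENDENCIES", ...) ends the section.
    if in_specs && line =~ /\A\S/
      in_specs = false
      next
    end
    next unless in_specs
    if line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/
      specs[$1] = $2
    end
  end
  specs
end

# Compare lockfile pins against the gem versions a Ruby release bundles.
# Returns [gem, locked_version, bundled_version] triples for every pin whose
# version differs from the bundled one; gems the Ruby does not bundle at all
# are left to the configured gem sources and are not reported here.
def lockfile_conflicts(lockfile_text, bundled_versions)
  parse_lockfile_specs(lockfile_text).each_with_object([]) do |(name, locked), out|
    bundled = bundled_versions[name]
    next if bundled.nil? || bundled == locked
    out << [name, locked, bundled]
  end
end

# Constructed lockfile in Bundler's layout; "sample_dep" is a made-up gem
# included only to exercise the indentation handling of the parser.
SAMPLE_LOCKFILE = <<-LOCK
GEM
  remote: https://rubygems.org/
  specs:
    rdoc (3.9.4)
      sample_dep (>= 0)
    sample_dep (1.0.0)

PLATFORMS
  ruby

DEPENDENCIES
  rdoc
LOCK

# Constructed bundled-gem tables for the two point releases named in the thread.
BUNDLED_P374 = { "rdoc" => "3.9.4" }
BUNDLED_P385 = { "rdoc" => "3.9.5" }

if __FILE__ == $0
  [["p374", BUNDLED_P374], ["p385", BUNDLED_P385]].each do |label, bundled|
    conflicts = lockfile_conflicts(SAMPLE_LOCKFILE, bundled)
    if conflicts.empty?
      puts "#{label}: lockfile resolves against the bundled gems"
    else
      conflicts.each do |name, locked, shipped|
        puts "#{label}: #{name} locked at #{locked}, but this Ruby ships #{shipped}"
      end
    end
  end
end
```

Run against the p374 table the check is silent; against the p385 table it reports `rdoc locked at 3.9.4, but this Ruby ships 3.9.5`, which is exactly the pin the quoted `bundle exec` failure stems from. Catching that before the update lets the operator regenerate the lockfile (or vendor the pinned version) as part of the same change, rather than discovering the breakage after the security fix is already deployed.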