Patch releases are considered normal teeny releases.
(Ruby's versioning policy is different from the normal one for
historical reasons.)

Therefore it is natural that bundled libraries may change their teeny
versions.


2013/2/17 Vít Ondruch <v.ondruch / gmail.com>

> Dne 17.2.2013 1:44, Jeremy Evans napsal(a):
>
>> On 02/14 06:06, Vít Ondruch wrote:
>>
>>> Hi,
>>>
>>> Could you please avoid bumping versions of bundled gems when fixing
>>> security issues? The version bump breaks the promise of a point release
>>> to not break anything and to update safely.
>>>
>>> Consider following simple case:
>>>
>>> $ ruby -v
>>> ruby 1.9.3p374 (2013-01-15 revision 38858) [x86_64-linux]
>>>
>>> $ rdoc --version
>>> rdoc 3.9.4
>>>
>>> $ cat Gemfile
>>> gem 'rdoc'
>>>
>>> $ cat testrdoc.rb
>>> require 'rdoc/rdoc'
>>>
>>> options = RDoc::Options.new
>>> options.parse ARGV
>>>
>>> rdoc = RDoc::RDoc.new
>>> rdoc.document options
>>>
>>> $ bundle install
>>> Using rdoc (3.9.4)
>>> Using bundler (1.1.4)
>>> Your bundle is complete! Use `bundle show [gemname]` to see where a
>>> bundled
>>> gem is installed.
>>>
>>> $ bundle exec ruby testrdoc.rb -- testrdoc.rb
>>> Parsing sources...
>>> 100% [ 1/ 1]
>>> testrdoc.rb
>>>
>>> Generating Darkfish format into /tmp/test374/doc...
>>>
>>> Files:      1
>>>
>>> Classes:    0 (0 undocumented)
>>> Modules:    0 (0 undocumented)
>>> Constants:  0 (0 undocumented)
>>> Attributes: 0 (0 undocumented)
>>> Methods:    0 (0 undocumented)
>>>
>>> Total:      0 (0 undocumented)
>>>    0.00% documented
>>>
>>> Elapsed: 0.0s
>>>
>>> $ bundle exec ruby testrdoc.rb -- testrdoc.rb
>>> Could not find rdoc-3.9.4 in any of the sources
>>> Run `bundle install` to install missing gems.
>>>
>>> $ sudo yum update 'ruby*' # Or just install a new point release of
>>> Ruby somehow
>>>
>>> $ ruby -v
>>> ruby 1.9.3p385 (2013-02-06 revision 39114) [x86_64-linux]
>>>
>>> $ rdoc --version
>>> rdoc 3.9.5
>>>
>>> $ bundle exec ruby testrdoc.rb -- testrdoc.rb
>>> Could not find rdoc-3.9.4 in any of the sources
>>> Run `bundle install` to install missing gems.
>>>
>>> So what worked before the update does not work now. This issue was
>>> introduced by rev39101, and there is another similar breakage, rev39218,
>>> in the queue for release. Yes, this might be a wrong design of Bundler,
>>> but considering how wide the adoption of Bundler is, Ruby releases
>>> should respect it.
>>>
>> I'm the packager of ruby for OpenBSD, and I disagree with this. The
>> included gems that ship with Ruby releases (including patch releases)
>> should have versions that match the versions of the external gems with
>> the same content.
>>
>
> Actually I agree with you on this. But even more important is to not break
> existing applications. Breaking applications will result in loss of trust
> and therefore in not updating, keeping security issues unfixed.
>
>
>> Ruby releases should not violate common sense just to work around
>> design flaws in ruby libraries, no matter how popular those libraries
>> are.
>>
>
> I agree even with this, that is why I am adding Bundler ML on CC. As an
> interim solution, until Bundler gets fixed, I hope that #7869 will get
> accepted.
>
> Vít
>
>


-- 
NARUSE, Yui  <naruse / airemix.jp>
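As an added illustration of the lockfile pin discussed in this thread (example code, not from the thread, from Ruby, or from Bundler): the script below parses a constructed Gemfile.lock using only the stdlib Gem::Version and Gem::Requirement classes, reproduces the exact-pin check that fails once the bundled rdoc moves from 3.9.4 to 3.9.5 (the "Could not find rdoc-3.9.4" case), and contrasts it with a pessimistic `~> 3.9.4` constraint, which a teeny bump still satisfies but a minor bump does not. The lockfile text and the installed-version tables are constructed; `locked_specs`, `unsatisfied_pins` and `unsatisfied_pessimistic` are hypothetical names, and the exact-match check only models the lockfile behaviour the thread describes, it is not Bundler's own resolver.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement ship with Ruby; Bundler is not needed

# Constructed sample Gemfile.lock: the exact pin a `bundle install` writes
# while the bundled rdoc is 3.9.4 (the ruby 1.9.3p374 case in the thread).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bundler (1.1.4)
      rdoc (3.9.4)

  PLATFORMS
    ruby

  DEPENDENCIES
    rdoc
LOCK

# Constructed tables of the gem versions visible to each ruby: only what
# `gem list` would show for the bundled (default) gems is modelled here.
INSTALLED_BEFORE = { 'rdoc' => ['3.9.4'], 'bundler' => ['1.1.4'] }  # p374
INSTALLED_AFTER  = { 'rdoc' => ['3.9.5'], 'bundler' => ['1.1.4'] }  # p385

# Parse the `specs:` section of a Gemfile.lock into name => Gem::Version.
# Top-level specs are indented four spaces; a spec's own dependencies sit
# at six spaces and are skipped so they are not mistaken for locked pins.
def locked_specs(lockfile_text)
  specs = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true
      next
    end
    in_specs = false if line =~ /\A\S/ # next top-level section (PLATFORMS, ...)
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      specs[m[1]] = Gem::Version.new(m[2])
    end
  end
  specs
end

# Model of the lockfile check at `bundle exec` time: a locked spec is
# satisfied only by exactly that version. Returns the names whose pinned
# version is no longer installed (assumption: this is what produces the
# "Could not find rdoc-3.9.4 in any of the sources" error in the thread).
def unsatisfied_pins(locked, installed)
  locked.reject { |name, version|
    Array(installed[name]).any? { |v| Gem::Version.new(v) == version }
  }.keys
end

# Contrast case: the same check under the pessimistic operator, i.e. what a
# `~> 3.9.4` constraint in a Gemfile (not in the lock) would accept. A teeny
# bump (3.9.5) passes, a minor bump (3.10.0) does not.
def unsatisfied_pessimistic(locked, installed)
  locked.reject { |name, version|
    req = Gem::Requirement.new("~> #{version}")
    Array(installed[name]).any? { |v| req.satisfied_by?(Gem::Version.new(v)) }
  }.keys
end

if __FILE__ == $0
  locked = locked_specs(SAMPLE_LOCKFILE)
  puts "locked: #{locked.map { |n, v| "#{n} #{v}" }.join(', ')}"
  puts "missing before update: #{unsatisfied_pins(locked, INSTALLED_BEFORE).inspect}"
  puts "missing after  update: #{unsatisfied_pins(locked, INSTALLED_AFTER).inspect}"
  puts "missing with ~> after: #{unsatisfied_pessimistic(locked, INSTALLED_AFTER).inspect}"
end
```

Running the script shows the pin is satisfied before the update, `rdoc` is reported missing after it, and the same installed set passes under `~> 3.9.4`; the lockfile is the exact pin by design, so the usual operational answer is `bundle update rdoc` after the Ruby update, and the script only makes visible why the pin stops matching.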