Issue #16778 has been updated by greggzst (Grzegorz Jakubiak).


mame (Yusuke Endoh) wrote in #note-11:
> As a committer who is involved in security release, I'm concerned about the maintenance policy of default gems.
> 
> Consider a recent vulnerability issue of the JSON gem (CVE-2020-10663). It looks like the JSON gem maintains only its latest version (2.3). Actually, they released only JSON gem 2.3 against the vulnerability.
> 
> However, Ruby 2.5 bundles JSON 2.1. Under Ruby's branch maintenance policy, a new feature is not backported to the released branches. So, even if a vulnerability is found in the JSON gem, Ruby 2.5 cannot bundle JSON 2.3 as-is. Ruby 2.5 has a copy of the source code of JSON, so we could fix the issue directly. But if there had been no copy, we couldn't have addressed the issue in Ruby 2.5.

With git submodules it's possible to address that issue by applying a patch file with the needed changes.


----------------------------------------
Misc #16778: Should we stop vendoring default gems code?
https://bugs.ruby-lang.org/issues/16778#change-85068

* Author: deivid (David Rodríguez)
* Status: Assigned
* Priority: Normal
* Assignee: hsbt (Hiroshi SHIBATA)
----------------------------------------
Currently ruby-core vendors all the code in default gems, and runs the tests for each of them.

Also, ruby-core continuously updates the vendored code of default gems to sync with the upstream repos. That's overhead work, not only from synchronizing the code itself, but it also requires perfect synchronization of releases to avoid including versions of default gems that are different from released versions.

Also, this causes confusion for contributors because the code lives "duplicated" in two different places. Sometimes contributors will open a PR in the ruby-core repo, only to find out that they need to go to the upstream repo and contribute it there. And this rule is not even always followed, and sometimes ruby-core contributors apply patches to the vendored code directly (many times to fix test-only issues inherent to the different structure of the core repository). These patches then need to be contributed back to the upstream repo.

I believe that all of that kind of defeats the point of "gemification" of the standard library.

Once some Ruby code is gemified, it should be the new upstream's responsibility to make sure the code works and is properly tested, and ruby-core should be freed from that responsibility.

Maybe ruby-core could do something along the following lines:

* Remove all the vendored code from default gems.
* When this code is needed for internal tests, manage it as a development dependency, clone it as necessary on non source controlled locations, and use it from there.
* Maybe a file similar to `gems/bundled_gems` can be added for default gems indicating their versions and upstream repos, to ease things.
* Upon `make install`, clone the proper version of each default library and get it installed in the default $LOAD_PATH.
* Maybe add some bare high level CI checks to ensure that all default libraries can be properly required after `make install`, and that their executables (if they include any) can also be run.

This should bring several benefits to the development process:

* No more duplicated code.
* No more synchronization from upstream to ruby-core.
* No more synchronization from ruby-core to upstream.
* No more confusion around the canonical place to contribute.
* No more complexities derived from the different organization of the code depending on whether it lives in ruby-core or outside.

I believe JRuby already does something like this, so it'd be interesting to get some input from them.

If this is a direction the ruby-core team would like to take, I'm happy to help @hsbt with small steps towards slowly approaching this high-level goal.
