Marcus Rückert <[email protected]> wrote:
> On Fri, 21 Aug 2015 11:15:07 +0200
> Jordi Massaguer Pla <[email protected]> wrote:
> > On 08/21/2015 10:18 AM, Andreas Stieger wrote:
> > > the SUSE Security team would like to improve tracking of ruby gems
> > > bundled into packages

An explanation of exactly what you mean by "gems bundled into packages"
would have been helpful. I guess you mean
https://en.opensuse.org/openSUSE:Ruby_Gem_Strategies#Bundle_all_gems_into_one_rpm
but the devil is in the details.

> > > so that these appear in the metadata of
> > > binary packages. I am proposing
> > > https://build.opensuse.org/request/show/324759 This automatically
> > > generates "Provides: bundled(rubygem-foo)" without additional
> > > package maintainer action.
> > >
> > > Please comment.

Based on that, I see

  %__bundledgems_path ^.*/vendor/bundle/ruby/[^/]*/cache/[^/]*\.gem

So it seems you are talking about using Bundler to install multiple gems
into vendor/bundle/ at package build-time. Is that right? As Jordi
already noted elsewhere in this thread, it's not safe to assume the
presence of the packed .gem files.

> > I like it a lot :) . It is very simple (which is great) and provides
> > what is needed.
> >
> > I'd like to hear Darix's opinion :-)
>
> we have 4 options of packages using gems
>
> 1. the good way: just requiring system gems and having nothing intree

By "system" gems, I guess you mean the packages from d:l:r:e which
provide one gem per package? And "intree" means a package containing
multiple vendor/bundle/ gems? In other words:
https://en.opensuse.org/openSUSE:Ruby_Gem_Strategies#One_gem_per_rpm

> 2. the bad way: Buildrequires for the gems and then copying them into
> their tree.

Blegh :) Why would anyone do that?

> 3. the ugly: having all gems locally in the package as sources

By "as sources" you mean unpacked gems? Is there any other way to have
them "in tree"?
https://en.opensuse.org/openSUSE:Ruby_Gem_Strategies#Bundle_all_gems_into_one_rpm

> 4. the bad and ugly: a mix of 2 and 3
>
>
> So let's look at the options:
>
> 1. so the first option is what we actually want.

Yep.

> 2. if you really find a valid reason to bundle (and so far none of the
> packages doing it had that!) we can solve this by maintaining a list
> of packages which bundle and then tracking their _expanded_
> buildrequires list (osc buildinfo)

Not sure I understand fully but this sounds nasty to me.

> 3. UGH. i guess you could just do "ls" on the source package and have a
> list of packages doing it.
>
> 4. as it is a mix of 2 and 3 you have to use 2 and 3 to solve it.
>
> another option might be to look at all the binary rpms and see if you
> find any gems outside of the system gem dir (gem env gemdir). also keep
> an eye out for packages which have multiple gem files in their binary
> rpms. those are probably bundling too. but bundling into the gemdir.

I guess I am maybe missing some context so I'm not sure I can contribute
more to the discussion immediately, other than to make a plea:

Whichever way this discussion goes, please can everyone take collective
responsibility to ensure that
https://en.opensuse.org/openSUSE:Ruby_Gem_Strategies is properly
maintained with correct and up-to-date info.

Thanks!

--
To unsubscribe, e-mail: [email protected]
To contact the owner, e-mail: [email protected]
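The two detection ideas in the thread, the proposed `%__bundledgems_path` pattern that turns packed gems under vendor/bundle/.../cache/ into "Provides: bundled(rubygem-foo)", and Darix's suggestion of scanning binary rpm file lists for .gem files outside the system gem dir or for packages shipping several .gem files, can be tried out on a file list without touching rpm at all. The following Ruby script is an added example written for this page; it is not code from the thread, from the linked OBS request, or from the openSUSE/SUSE projects. The regex is the one quoted in the thread with a capture group added; the "name-version[-platform]" basename split, the sample file list and the gem dir path are assumptions made for the example.

```ruby
# Added example: apply the proposed bundled-gem path pattern to an RPM file
# list and emit the provides it would generate, then run the "gems outside
# gemdir / multiple gem files" heuristic over the same list.

# Pattern quoted from the proposed %__bundledgems_path macro, with a
# capture group added for the gem file basename (name-version).
BUNDLED_GEM_PATH = %r{\A.*/vendor/bundle/ruby/[^/]*/cache/([^/]*)\.gem\z}

# Gem files are named "name-version[-platform].gem". This split is an
# assumption of the example (it is not RubyGems' own parser): the name is
# everything before the first "-<digit>" that starts a dotted version.
GEM_BASENAME = /\A(.+?)-(\d+(?:\.\w+)*)(?:-[^\/]+)?\z/

# Returns [name, version] or nil if the basename does not look like a gem.
def split_gem_basename(basename)
  m = GEM_BASENAME.match(basename)
  return nil unless m
  [m[1], m[2]]
end

# What the proposed macro would put into the binary package metadata:
# one "bundled(rubygem-NAME)" per packed gem under vendor/bundle/.../cache/.
def bundled_provides(paths)
  paths.map { |p| BUNDLED_GEM_PATH.match(p) }.compact.map do |m|
    name, _version = split_gem_basename(m[1])
    name ? "bundled(rubygem-#{name})" : nil
  end.compact.uniq.sort
end

# Darix's heuristic, part one: .gem files that live outside the system
# gem dir (the directory "gem env gemdir" prints) are bundling candidates.
def gems_outside_gemdir(paths, gemdir)
  paths.select { |p| p.end_with?(".gem") && !p.start_with?("#{gemdir}/") }
end

# Part two: a package shipping more than one .gem file at all is suspect
# as well, even when every file sits inside the gem dir.
def bundling_suspect?(paths, gemdir)
  gem_files = paths.select { |p| p.end_with?(".gem") }
  gem_files.size > 1 || !gems_outside_gemdir(paths, gemdir).empty?
end

# Constructed sample input, shaped like the output of "rpm -qlp foo.rpm"
# for an application package that vendored its gems with Bundler.
SAMPLE_GEMDIR = "/usr/lib64/ruby/gems/2.1.0" # assumed gem dir
SAMPLE_PATHS = [
  "/usr/share/fooapp/app.rb",
  "/usr/share/fooapp/vendor/bundle/ruby/2.1.0/cache/rack-1.6.4.gem",
  "/usr/share/fooapp/vendor/bundle/ruby/2.1.0/cache/nokogiri-1.6.6.2-x86_64-linux.gem",
  "/usr/share/fooapp/vendor/bundle/ruby/2.1.0/gems/rack-1.6.4/lib/rack.rb",
  "/usr/lib64/ruby/gems/2.1.0/cache/fooapp-0.1.0.gem",
].freeze

if __FILE__ == $PROGRAM_NAME
  bundled_provides(SAMPLE_PATHS).each { |prov| puts "Provides: #{prov}" }
  if bundling_suspect?(SAMPLE_PATHS, SAMPLE_GEMDIR)
    puts "bundling suspected; gems outside #{SAMPLE_GEMDIR}:"
    gems_outside_gemdir(SAMPLE_PATHS, SAMPLE_GEMDIR).each { |p| puts "  #{p}" }
  end
end
```

Note that the provides come only from the packed .gem files in the Bundler cache; as the reply above points out, those files need not be present, which is why the second, file-list based heuristic is worth running in addition rather than instead.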
