Hi Marcus,

Markus Roberts wrote:
> 2686 ActiveSupport >= 2.3.3 forces use of defective JSON library
> 2615 YAML sometimes modifies the contents of string data
> ...and other serialization issues.
>
> We're addressing these by bundling our own specific version of JSON,
> renamed PSON to avoid naming conflicts with Rails, and forbidding
> the use of YAML on older versions of Ruby.  Code is passing all
> existing tests, and will be posted to the list shortly.

Is it possible to work on rails upstream to not force the use of a
defective JSON library?  I'm surely not well-versed in ruby or rails
to fully grok the problems, but from a distro package maintainer's
perspective, bundling libraries is a recipe for all sorts of annoying
problems.

Fedora has a pretty strict policy against bundled libraries, which
could cause us some pain if PSON is really just a minor tweak of the
ruby JSON library.  One example of why Fedora dislikes bundled
libraries so much is that in just the past few weeks another bundled
zlib was found which is vulnerable to years-old security bugs.

How does the pain of getting ActiveSupport fixed (assuming that is
even possible) compare to the pain of having to maintain a fork of the
library and watch out for security issues over time?

Is ActiveRecord shipping their own bundled JSON already?  If so, I
should bring that to the attention of its Fedora maintainers and see
if they can lean on upstream to stop doing so.

Hopefully I've not misunderstood the issue too grossly.  If I have,
feel free to give me a good whack with the cluestick.  And thanks for
all the hard work!

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Whenever I feel blue, I start breathing again.
