Todd,

The short answer is that there is no way to fix this in Rails (let
alone to ensure that everyone upgrades their Rails installs to get the
fix) and no way to get around it with the standard ruby JSON library.

The two potential fixes are a) get rid of Rails; and b) use a
non-standard JSON library that doesn't get clobbered by Rails.

A is potentially possible (and something I would like to pursue) in
the future, but certainly not in this release.

B presents its own difficulties (eg. licensing), but it's the one we
are forced to pursue if we want this fixed in a reasonable timeframe.

In regard to the licensing concern, Puppet already includes things
that might be considered "bundled libraries" (like EventLoop), and yet
are apparently not causing us licensing problems. This JSON library
would be considered similarly, I expect.

On Tue, Oct 13, 2009 at 6:19 PM, Todd Zullinger <[email protected]> wrote:
> Hi Marcus,
>
> Markus Roberts wrote:
>> 2686 ActiveSupport >= 2.3.3 forces use of defective JSON library
>> 2615 YAML sometimes modifies the contents of string data
>> ...and other serialization issues.
>>
>> We're addressing these by bundling our own specific version of JSON,
>> renamed PSON to avoid naming conflicts with Rails, and forbidding
>> the use of YAML on older versions of Ruby.  Code is passing all
>> existing tests, and will be posted to the list shortly.
>
> Is it possible to work on rails upstream to not force the use of a
> defective JSON library?  I'm surely not well-versed in ruby or rails
> to fully grok the problems, but from a distro package maintainer's
> perspective, bundling libraries is a recipe for all sorts of annoying
> problems.
>
> Fedora has a pretty strict policy against bundled libraries, which
> could cause us some pain if PSON is really just a minor tweak of the
> ruby JSON library.  One example of why Fedora dislikes bundled
> libraries so much is that in just the past few weeks another bundled
> zlib was found which is vulnerable to years-old security bugs.
>
> How does the pain of getting ActiveSupport fixed (assuming that is
> even possible) compare to the pain of having to maintain a fork of the
> library and watch out for security issues over time?
>
> Is ActiveRecord shipping their own bundled JSON already?  If so, I
> should bring that to the attention of its Fedora maintainers and see
> if they can lean on upstream to stop doing so.
>
> Hopefully I've not misunderstood the issue too grossly.  If I have,
> feel free to give me a good whack with the cluestick.  And thanks for
> all the hard work!
>
> --
> Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Whenever I feel blue, I start breathing again.
>
>



-- 
Rein Henrichs
http://reductivelabs.com
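The "clobbering" the thread describes comes from Ruby's open classes: two libraries that both reopen core classes such as Hash to define to_json cannot coexist, because the last definition loaded wins. The following is an added illustration (not code from this thread, from Puppet, or from ActiveSupport) of that mechanism and of the namespacing approach Markus describes for PSON. HypotheticalFramework and NamespacedJson are constructed names; the framework's to_json replacement is a deliberately non-JSON stand-in for whatever the real library does, and the sample document is constructed.

```ruby
# Added example: why a core-class monkey patch clobbers the standard
# json gem, and why a serializer kept under its own module name does not.
require 'json' # standard json gem: mixes to_json into Hash, Array, ...

# Constructed stand-in for a framework that reopens core classes. It keeps a
# copy of the original method so the change can be undone for demonstration.
module HypotheticalFramework
  def self.install!
    ::Hash.class_eval do
      alias_method :to_json_before_framework, :to_json unless method_defined?(:to_json_before_framework)
      # Replacement emits Ruby-inspect style "key"=>value pairs, which is not
      # valid JSON; this makes the effect of the override visible.
      def to_json(*_args)
        '{' + map { |k, v| "#{k.to_s.inspect}=>#{v.inspect}" }.join(',') + '}'
      end
    end
  end

  def self.uninstall!
    ::Hash.class_eval do
      alias_method :to_json, :to_json_before_framework if method_defined?(:to_json_before_framework)
    end
  end
end

# A namespaced generator in the spirit of PSON: it never touches core
# classes, so a framework loaded later cannot change what it produces.
module NamespacedJson
  ESCAPES = { '"' => '\\"', '\\' => '\\\\', "\n" => '\\n', "\r" => '\\r', "\t" => '\\t' }.freeze

  def self.quote(str)
    escaped = str.gsub(/["\\\x00-\x1f]/) { |c| ESCAPES[c] || format('\\u%04x', c.ord) }
    "\"#{escaped}\""
  end

  def self.generate(obj)
    case obj
    when Hash    then '{' + obj.map { |k, v| "#{quote(k.to_s)}:#{generate(v)}" }.join(',') + '}'
    when Array   then '[' + obj.map { |v| generate(v) }.join(',') + ']'
    when String  then quote(obj)
    when Numeric then obj.to_s
    when true    then 'true'
    when false   then 'false'
    when nil     then 'null'
    else raise ArgumentError, "cannot serialize #{obj.class}"
    end
  end
end

# Serialize the same constructed document before and after the framework
# replaces Hash#to_json, and with the namespaced generator.
def demo_clobbering
  doc = { 'name' => 'puppet', 'tags' => %w[a b], 'ok' => true }
  before = doc.to_json
  HypotheticalFramework.install!
  after = doc.to_json
  after_parses = begin
    JSON.parse(after)
    true
  rescue JSON::ParserError
    false
  end
  { before: before, after: after, after_parses: after_parses,
    namespaced: NamespacedJson.generate(doc) }
ensure
  HypotheticalFramework.uninstall!
end

if $PROGRAM_NAME == __FILE__
  demo_clobbering.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Running the file shows `before` and `namespaced` agreeing, while `after` is whatever the last-loaded patch decided to emit and no longer parses as JSON; that is the situation a namespaced, bundled serializer avoids, at the cost of the maintenance and security-tracking burden Todd raises.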

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Puppet Developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/puppet-dev?hl=en
-~----------~----~----~----~------~----~------~--~---