Hello, Suddenly it appears that gem dependency in latest RubyGems has been compromised and is affecting users in different platforms.
There is a bug report from Roger Pack about this here: http://rubyforge.org//tracker/?func=detail&atid=575&aid=27608&group_id=126 But just in case, to avoid it get dusted as this is turning to be a big problem, wanted to document my findings. Let's take the example: thin. http://gemcutter.org/gems/thin/versions/1.2.5 Version 1.2.5 depends on: daemons >= 1.0.9 eventmachine >= 0.12.6 rack >= 1.0.0 daemons 1.0.10 suffices the first dependency: http://gemcutter.org/gems/daemons/versions/1.0.10 eventmachine 0.12.10 does the second: http://gemcutter.org/gems/eventmachine/versions/0.12.10 rack 1.0.1 completes the chain: http://gemcutter.org/gems/rack/versions/1.0.1 none of thin dependencies depends on other libraries at runtime. so clearly is: thin: - daemons - eventmachine - rack With that scenario, the order gems are supposed to be installed are: eventmachine, daemons, rack, thin BUT, for some reason, RubyGems does this: eventmachine, daemons, thin, rack And when reaches thin, it fails due missing rack. After digging into the code, spotted this in lib/rubygems/dependency_list.rb, starting line 49: def dependency_order sorted = strongly_connected_components.flatten which uses TSort to give priorirty to the each gem in the list collected by @specs. But, it incorrectly gives them the priorities, putting rack with priority 3 and thin with priority 2 To prove the bug, I've created the following testcase: def test_dependency_order_triplet e1 = quick_gem 'e', '1' f1 = quick_gem 'f', '1' g1 = quick_gem 'g', '1' @a1.add_dependency 'e', '>= 1' @a1.add_dependency 'f', '>= 1' @a1.add_dependency 'g', '>= 1' @deplist.add @a1, e1, f1, g1 order = @deplist.dependency_order assert_equal %w[g-1 f-1 e-1 a-1], order.map { |s| s.full_name } end and when executed: 1) Failure: test_dependency_order_triplet(TestGemDependencyList) [test/test_gem_dependency_list.rb:106]: Expected ["g-1", "f-1", "e-1", "a-1"], not ["a-1", "g-1", "f-1", "e-1"]. === So far, my knowledge and understanding of the issue ends there. Any hint? -- Luis Lavena AREA 17 - Perfection in design is achieved not when there is nothing more to add, but rather when there is nothing more to take away. Antoine de Saint-Exupéry _______________________________________________ Rubygems-developers mailing list http://rubyforge.org/projects/rubygems Rubygems-developers@rubyforge.org http://rubyforge.org/mailman/listinfo/rubygems-developers
