
Re: debian packages for rubygems



On 08.12.2008 at 19:32, Richard Hurt wrote:

Richard,

I completely agree with your proposal. I am in the process of packaging Redmine and am at a loss for what to do with current and/or future GEM dependencies. Debian needs a clear Ruby/Rails direction and someone to push it forward. Since I have built my business around Debian and am using Rails quite heavily this is a fairly important topic for me. :)

Regarding the last statement: me too. :)

On Dec 8, 2008, at 1:23 PM, Richard Laager wrote:

On Sat, 2008-12-06 at 18:17 +0100, Lucas Nussbaum wrote:
Thus, if a gem is installed system-wide via APT/dpkg, it will Just Work.
However, if you install a gem using "gem install ...", that'll Just
Work. Imagine these scenarios:

...

3. A security bug is found in a gem that Bob is using and Richard wants
to install an even newer, patched version system-wide and have it
override Bob's version.

#3 has a lesser priority for me than the other points. Richard could send an email announcing the newer version fixing the security bug to his customers. I think it might create problems for customers' installations if the hoster can upgrade gems that automatically override a customer-specific version – you can never be quite sure if it's 100% compatible and not possibly breaking customers' apps. The longer I think about it, the more I'm convincing myself that this looks like a hosting policy issue which should not be solved by technical means. So Bob would be responsible for the security of gems he installed himself, whereas he could rely on Richard if he used system-wide gems.

Best regards,

Christof
--
______________________________________________________________________
gl.aser - software & gestaltung
Riemannstrasse 38  . 04107 Leipzig  .  Germany
Phone +49.341.303 20 51  .  http://gl.aser.de/




