Re: an experiment: ruby-standalone



Antonio Terceiro <terceiro@debian.org> wrote:
> People might solve this type of issue by just using
> RVM/ruby-build/chruby and not use the Ruby interpreter provided by Debian
> at all. But then, they have to provide security upgrades for the
> interpreter (arguably one of the most sensitive layers of the stack)
> themselves, while if they were using Debian's interpreter, they would be
> notified about security upgrades for Ruby just as they are for
> everything else that is provided by Debian, and security updates are
> easier and require less effort.

> - what do you think? is this useful? is this a terrible idea?
> 
> - is there anything else that needs to be considered?

I'm not sure this half-solution is better than solution at all.  For web
apps, things like Rails and Rack are just as security-sensitive as Ruby
itself and anybody managing their own installations of those should
already be checking with upstream for updates.  Then Ruby itself becomes
one more upstream out of many.

That said, I'm not sure if there is a solution to the
upstream-moves-too-fast problem and OS distributions :<

(Speaking as a long-time Debian user and occasional Ruby upstream dev,
 keeping up-to-date with Ruby trunk is required of me anyways)
