Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add
doc/distribution.md
to help reduce some of the confusion. #6856Add
doc/distribution.md
to help reduce some of the confusion. #6856Changes from 4 commits
06908e9
0e72cb6
e15057d
104aa1d
7d41ffe
541a27e
9f528d6
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Building
ruby
from the source itself is not necessary, ifruby
is available already.Simply
ruby ./tool/make-snapshot tmp
can work.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But most distributions build ruby in an environment where ruby is not yet available.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why needs to make tarballs in such environment, instead of installing?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
First of all, working
ruby
(currently >= 2.2) is required to buildruby
from a git-cloned source tree, andtool/make-snapshot
works only on a git-cloned source tree.Although this sounds like chicken-and-egg,
make dist
is not intended for all Ruby developers, but for only the Ruby release managers.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We use
https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.4.tar.xz
to build ruby from and it doesn't like like we need ruby for that.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, this section is useful for building snapshot packages. And I am using tool/make-snapshot for that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ioquatix I agree that it is a good idea, but it probably is not "for operating system distributions".
@voxik You're creating tarballs by yourself and then building packages?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, we don't. For official Fedora releases, we always use official tarballs. I don't remember any exception for past decade.
However, I am using self prepared tarballs for test builds, especially closer to the major upstream releases. I could use a nightly snapshots, but if there is some fast turnaround with fixes, the nightly snapshots are not flexible enough. And since I already have script which prepares the tarball as well as adjusts patches we are carrying around and updates part of the .spec file, I am using them always.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was very confusing, the first section of this document was basically something package managers should rarely if ever do (they should use release tarballs for packaging). I fixed it in 826067b.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfortunately, this suggestion would not work in practice. If distribution wanted to fix some issue, then it would be fixed by applying patch. Because as it is stated above "The standard way to build a package for distribution is to build a tarball." If there was a way to modify the tarball or override parts of the expanded tarball, then this could be different discussion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should try to get clarity on this because IIUC, if a vulnerability is found in a gem, this is the current process. If the process does not work well, let's propose a better way.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From distro POV, the vulnerable code needs to be fixed. And the fix does not mean shipping the fixed gem but keeping the vulnerable version around. Distro also promises that security fixes won't break the user code. This is hard to achieve with dependencies locked in Gemfile (or possibly not locked, because who would specify e.g. dependency on cgi gem, when it is part of StdLib and this causes various other issues). All in all, patching is the way to go. The vulnerability is fixed, the vulnerable code is not shipped anymore, the Gemfile.lock files are still valid.
Now, of course I could imagine some improvements. E.g. one problem is, that the default gems are not kept as a gems in the StdLib. This basically disallows to remove the vulnerable code. Quite some time ago, I have proposed this change:
https://bugs.ruby-lang.org/issues/14737
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Who is the target audience of this paragraph? The Ruby maintainers od the distribution package maintainers? This kind of speaks to the former, while it should provide explanations to latter.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe the question about the target audience should be generalized to the whole document, because it is not clear anymore, after re-reading this document
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The target audience is downstream maintainers, but it's explaining the process by which they would receive or need to make changes.