-
-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove the BundlerVersionFinder / "Bundler version switcher" #3879
Comments
The current issue/PR is at #3073 |
I wonder why you didn't use |
There are arguments for that in the RFC and blog post.
|
@colby-swandale Thanks, I searched issues and not PRs so I missed it. Let's wait for @deivid-rodriguez to back and see what he thinks. |
Interesting. I also faced the old verion of rails, nokogiri, bundler and other stuffs everydays. But I did install them if I hope to contribute the some project. Why You avoid to install only bundler? |
In practice I still install Bundler 1 since I have no choice while the BundlerVersionFinder is still there. My concern specifically here is Bundler 1 seems unmaintained (including security-wise). |
A concrete example: https://github.com/ruby/setup-ruby (and I would think other CIs) have pretty complicated logic, all due to the BundlerVersionFinder. For instance, it needs to read There is no major incompatibility in Bundler 2, so it should IMHO require no special action from the user, and specifically not need to change the Gemfile.lock with an extra command. Another typical annoyance I often run into: while testing gems I run the tests on CRuby and TruffleRuby. CRuby might have Bundler 2 installed and so will create a Gemfile.lock |
To be honest I don't know why I detail this so much here. Maybe to illustrate the urgency of removing it? |
Got it. But In my understanding, After Bundler 1.17 didn't have an security issues. Because we didn't release the new version of Bundler 1. The critical vulnerability was found in Bundler, We may release the new version of Bundler 1. In my experience, I sometimes got the frustration of bundler version. But I did install the each bundler version and share them each Ruby versions, I leave from the issues of
Really? I didn't get it.
We still wait above proposal. |
https://github.com/rubygems/rfcs/blob/master/text/0000-lockfile-versions.md has all the details isn't it? Specifically https://github.com/rubygems/rfcs/blob/master/text/0000-lockfile-versions.md#reference-level-explanation
I agree, it causes pain and it gains basically nothing. There is only one lockfile version right now, so we don't need any kind of lockfile version handling yet. And anyway since it would be all about the lockfile version, there should never be a need to use a older Bundler version or automatically switch versions or any magic. |
Thanks. I missed it. We need to how move to step.3 before doing step.2. |
I'm sorry I never commented on the RFC. In my opinion, the RFC and the idea of versioning lockfiles is nice, but it solves a "future problem" (there's no current lockfile format incompatibilities accross versions) and I'm not sure it justifies removing the Even though I proposed #3073 at the time, and said what was quoted, I don't think I want to remove the In general, I agree with most things @hsbt has said in this thread, and I would like to focus on making the Like @hsbt said, sometimes we install lockfiles with old versions of gems, and that's fine. The right way to fix that is to encourage applications to upgrade, not to introduce tricks to version managers to opt-out of version locking. I don't think |
If we don't remove it can we agree we at least agree we need to fix it? So that using a more recent major Bundler version is always allowed, and Nobody wants to maintain Bundler 1, so people should eventually use Bundler 2+, without first forcing every project to manually update their Gemfile (notably some projects want to keep compat with EOL Rubies so they cannot update). Having to install 2 Bundler versions (and more in the future) is a hassle.
The answer should be, as long as you use a non-EOL Ruby, "the latest release of Bundler, which works for all previous Gemfile.lock". With a given Gemfile.lock, which gems to install is very clear, there is no ambiguity and so I think there is no point to install an older version. If we have that, IMHO it doesn't make sense to ever use Bundler 1 (even if installed), if Bundler 2 is installed. Also from experience it's very clear that any Bundler-specific in RubyGems is total nightmare to maintain because it depends on the RubyGems version but really it needs to be customized by Bundler based on how Bundler deals with backward/forward compat so it can be fixed without updating RubyGems (remember when BundlerVersionFinder was too picky and wanted the exact same Bundler x.y.z?). Ideally, if it's the same lockfile version, then using an older major version should be allowed too. This would be nice when e.g. a new Bundler version with the same lockfile version just comes out, yet not everyone might want to update at once. Basically it avoid needlessly breaking things when there is no need. But I think it's less important.
I think most people don't care about that, and we shouldn't force them to. As said above, if there is a Gemfile.lock, no matter which Bundler version those exact gems and versions will be installed. If there is no Gemfile.lock, then the argument is moot (no Gemfile.lock, so no BUNDLED WITH). What people want is a way to install gems and run with those gems. RubyGems just works, no matter the version, why should Bundler need N installed versions to be usable and pick a seemingly random different version for each project? |
Which feature? |
This conversation is a bit muddy for me. I want to get context over where we're at. I spoke with Andre and Coby at RubyConf last year and my understanding was that going forwards the existing failure/error behavior was going to be removed and that any incompatibility in the lock file would be solved by maintaining multiple lock file parsers internally in Bundler. I.e. bundler version 9000 that ships with lock file v9, all would have a lock file parser that could understand v1-v8. This buys us (platform providers) the ability to move back to only providing one bundler version that is compatible with a range of projects. Is what I described above still the active plan? |
I talked with @deivid-rodriguez, @indirect, and @segiddins and I think I now have enough information to clear things up here:
There's still some internal discussion ongoing, but that's a summary of the state of things. 🙂 EDIT: Accidentally implied more of a consensus than there is. Sorry about that. 😅 |
We're taking several steps to improve the ability to lock the bundler version, so I don't think it makes sense to keep this issue open. Let's discuss things in other tickets. |
I think we've discussed this several times and agreed on it, but I couldn't find an issue on the tracker.
Bundler 1 seems no longer maintained, the last release of Bundler 1 was in 2018.
Therefore it seems important, notably for security reasons and to increase Bundler 2 adoption, that Bundler 2 is used for all cases if installed, even if the Gemfile.lock still has
BUNDLED WITH 1.x.y
.There are many reasons why a Gemfile.lock might still have
BUNDLED WITH 1.x.y
, either it wasn't updated in some time, or maintainers didn't want to force people using Bundler 2, or the I think the main reason: due toBundlerVersionFinder
, if the Gemfile.lock wasBUNDLED WITH 1.x.y
it would always remain so, becauseBundlerVersionFinder
would force using Bundler 1 even if you did not want to.Also I think the general Bundler version autoswitcher mechanism has confused more than helped.
bundler
would again act like a regular gem in that if you run the executable, you use the latest version again.That's intuitive, and it's good for security and to get the latest release's bug fixes.
Also the current situation makes it hard or potentially annoying to deprecate APIs that Bundler 1 might still use:
https://github.com/rubygems/rubygems/pull/3817/files#r453293031
I don't know what's the current status regarding unification of RubyGems and Bundler, but it seems for now Bundler is still a separate gem? Any place to read the vision and progress on that?
Regarding multiple lockfile parsers, etc, my understand is Bundler 2's Gemfile.lock syntax is a strict superset of Bundler 1's Gemfile.lock syntax. They both use
lockfile v1
according to https://github.com/rubygems/rfcs/blob/master/text/0000-lockfile-versions.md.So I think there is no need for versioning the parser yet, and it doesn't seem a prerequisite to remove the BundlerVersionFinder.
Relates to https://github.com/rubygems/rfcs/blob/master/text/0000-lockfile-versions.md
Related to #3275.
cc @indirect @deivid-rodriguez @colby-swandale @schneems @duckinator
The text was updated successfully, but these errors were encountered: