Bugs item #29236, was opened at 2011-05-30 13:54
You can respond by visiting: http://rubyforge.org/tracker/?func=detail&atid=575&aid=29236&group_id=126

Category: `gem install` command (extensions)
Group: next
Status: Open
Resolution: None
Priority: 3
Submitted By: David Chelimsky (dchelimsky)
Assigned to: Nobody (None)
Summary: native extension installation exposes a back door through which gems can be installed with no management

Initial Comment:
Per http://rubyforge.org/tracker/?group_id=126&atid=575&func=detail&aid=29229, spork's maintainer used ext/mkrf_conf.rb to install other gems (see https://github.com/timcharper/spork/blob/45675372a2143136705b2ea1b1aa32d420f1caf4/ext/mkrf_conf.rb). This resulted in rake-0.9.0 being installed, but it was not reported by the `gem install` command, so we learned about it later.

This has been addressed in the spork project; however, other projects can still do this. I think this should either be prevented or it should be managed by Rubygems and reported in the output from the `gem install` command.

----------------------------------------------------------------------

Comment By: Steve Klabnik (steveklabnik)
Date: 2011-05-30 15:31

Message:
I admittedly am not that knowledgeable about Rubygems' internals, so if you say so. That makes sense, but it also seems complicated and error-prone.

While that situation kinda sucked (I was bit by it myself), I'm not sure that any software needs to be written to address this. I'd rather use it as a chance to educate gem developers on best practices, as at worst to 'fix' something like this is a 'gem uninstall rake' away. But I can certainly see the advantages of some kind of warning, too.

----------------------------------------------------------------------

Comment By: David Chelimsky (dchelimsky)
Date: 2011-05-30 15:27

Message:
`gem` is a rubygems command, so rubygems can know when it's being called, even if it's in a separate process (via setting and checking env vars).

----------------------------------------------------------------------

Comment By: Steve Klabnik (steveklabnik)
Date: 2011-05-30 14:38

Message:
How would one be able to prevent or manage this? mkmf.rb is just a Ruby script, so if it contains a simple `gem install lolz`, it's gonna happen.

----------------------------------------------------------------------

_______________________________________________
Rubygems-developers mailing list
http://rubyforge.org/projects/rubygems
http://rubyforge.org/mailman/listinfo/rubygems-developers
