Bugs item #29236, was opened at 2011-05-30 06:54
You can respond by visiting: http://rubyforge.org/tracker/?func=detail&atid=575&aid=29236&group_id=126

Category: `gem install` command (extensions)
Group: next
>Status: Closed
Resolution: Rejected
Priority: 3
Submitted By: David Chelimsky (dchelimsky)
Assigned to: Ryan Davis (zenspider)
Summary: native extension installation exposes a back door through which gems can be installed with no management

Initial Comment:
Per http://rubyforge.org/tracker/?group_id=126&atid=575&func=detail&aid=29229, spork's maintainer used ext/mkrf_conf.rb to install other gems (see https://github.com/timcharper/spork/blob/45675372a2143136705b2ea1b1aa32d420f1caf4/ext/mkrf_conf.rb). This resulted in rake-0.9.0 being installed, but it was not reported by the `gem install` command, so we learned about it later. This has been addressed in the spork project; however, other projects can still do this. I think this should either be prevented or it should be managed by Rubygems and reported in the output from the `gem install` command.

----------------------------------------------------------------------

>Comment By: Ryan Davis (zenspider)
Date: 2011-05-31 16:44

Message:
I talked to tenderlove who sent Tim a pull request to change his build/release process entirely and he accepted it. Tim was unaware that you could build platform-specific gems, and that solves all his issues.

----------------------------------------------------------------------

Comment By: Ryan Davis (zenspider)
Date: 2011-05-31 16:41

Message:
I think this is a simple case where the spork gem shouldn't do that, and it is easy enough to work with the authors to find a solution that works for them.

----------------------------------------------------------------------

Comment By: Luis Lavena (luislavena)
Date: 2011-05-30 08:40

Message:
By nature, building extensions is a dangerous process. Before the rvm era, doing gem installation involved 'sudo' elevation. extconf.rb is executed directly from Ruby, and actions like FileUtils.rm_rf or shelling out to `rm` are also possible.

The nature of the extconf configuration and compilation makes it hard to run in a sandbox/safe-level environment. We end up trusting gem authors to do the right thing, but the problem is knowing what is right and what is wrong, and that is exposed by the lack of documentation and good practices in relation to this. Nick Quaranto started the RubyGems guides with the aim of educating people: http://guides.rubygems.org/ I suck at copywriting (English or my native Spanish), so I leave it to the ones that are more versed in it.

----------------------------------------------------------------------

Comment By: Steve Klabnik (steveklabnik)
Date: 2011-05-30 08:31

Message:
I admittedly am not that knowledgeable about Rubygems' internals, so if you say so. That makes sense, but it also seems complicated and error-prone. While that situation kinda sucked (I was bit by it myself), I'm not sure that any software needs to be written to address this. I'd rather use it as a chance to educate gem developers on best practices, as at worst to 'fix' something like this is a 'gem uninstall rake' away. But I can certainly see the advantages of some kind of warning, too.

----------------------------------------------------------------------

Comment By: David Chelimsky (dchelimsky)
Date: 2011-05-30 08:27

Message:
`gem` is a rubygems command, so rubygems can know when it's being called, even if it's in a separate process (via setting and checking env vars).

----------------------------------------------------------------------

Comment By: Steve Klabnik (steveklabnik)
Date: 2011-05-30 07:38

Message:
How would one be able to prevent or manage this? mkmf.rb is just a Ruby script, so if it contains a simple `gem install lolz`, it's gonna happen.

----------------------------------------------------------------------

_______________________________________________
Rubygems-developers mailing list
http://rubyforge.org/projects/rubygems
http://rubyforge.org/mailman/listinfo/rubygems-developers
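The thread asks for side-effect installs performed by an extension build script to be reported, and the ticket was closed without RubyGems doing so. The following Ruby script is an added example, written for this page and not part of the tracker thread, the spork project or RubyGems itself; it shows what a defender can do without changes to RubyGems: diff a `gem list --local` snapshot taken before and after an install to surface gems that were not requested, list installed gems whose gemspec declares a build-time `extensions` script (the real `Gem::Specification#extensions` attribute), and run a heuristic scan of such a script for install-time package management. The `name (v1, v2)` list format is assumed to match `gem list` output; the two snapshots and the stand-in `mkrf_conf.rb` are constructed sample inputs, not the real spork file.

```ruby
# Added example: detect gems installed as a side effect of an extension build.
# Not code from the tracker thread, spork or RubyGems.
require 'rubygems'

# Parse `gem list --local` style lines ("rake (0.9.0, 0.8.7)") into name => [versions].
# Assumption: one gem per line in the "name (v1, v2)" format that `gem list` prints.
def parse_gem_list(text)
  text.each_line.with_object({}) do |line, gems|
    next unless line =~ /\A(\S+) \(([^)]*)\)/
    gems[Regexp.last_match(1)] = Regexp.last_match(2).split(',').map(&:strip)
  end
end

# Gem versions present in the "after" snapshot but not in "before", minus the
# gems the user explicitly asked for. Anything left is an unreported install.
def unexpected_installs(before_text, after_text, requested)
  before = parse_gem_list(before_text)
  after  = parse_gem_list(after_text)
  after.each_with_object({}) do |(name, versions), out|
    new_versions = versions - (before[name] || [])
    next if new_versions.empty? || requested.include?(name)
    out[name] = new_versions
  end
end

# Installed gems that declare a build script (extconf.rb, mkrf_conf.rb, ...),
# i.e. the gems that execute arbitrary Ruby at install time.
def gems_with_build_scripts
  Gem::Specification.map { |s| [s.name, s.version.to_s, Array(s.extensions)] }
                    .reject { |_, _, exts| exts.empty? }
end

# Heuristic: lines of a build script that drive the gem installer instead of
# configuring a compile. A hit is a reason to read the script, not proof of abuse.
SUSPECT_PATTERNS = [
  /dependency_installer/,        # require 'rubygems/dependency_installer'
  /Gem::DependencyInstaller/,    # programmatic install of further gems
  /Gem::Installer/,
  /\bgem\s+install\b/,           # shelling out to the gem command
].freeze

def suspicious_lines(source)
  source.each_line.with_index(1)
        .select { |line, _| SUSPECT_PATTERNS.any? { |re| line =~ re } }
        .map { |line, n| [n, line.strip] }
end

# Constructed sample snapshots (the versions are illustrative, not real data).
SAMPLE_BEFORE = <<~LIST
  rake (0.8.7)
  rspec (2.6.0)
LIST
SAMPLE_AFTER = <<~LIST
  rake (0.9.0, 0.8.7)
  rspec (2.6.0)
  spork (1.2.3)
LIST

# Constructed stand-in for an ext/mkrf_conf.rb that pulls in another gem at build time.
SAMPLE_MKRF_CONF = <<~RUBY
  # constructed stand-in build script
  require 'rubygems'
  require 'rubygems/dependency_installer'
  Gem::DependencyInstaller.new.install('rake', '>= 0.9.0')
  File.open(File.join(File.dirname(__FILE__), 'Rakefile'), 'w') { |f| f.puts 'task :default' }
RUBY

if __FILE__ == $0
  puts "Unrequested installs: #{unexpected_installs(SAMPLE_BEFORE, SAMPLE_AFTER, ['spork']).inspect}"
  puts "Suspicious build-script lines: #{suspicious_lines(SAMPLE_MKRF_CONF).inspect}"
  gems_with_build_scripts.each { |name, ver, exts| puts "#{name} #{ver}: #{exts.join(', ')}" }
end
```

In practice the two snapshots come from running `gem list --local` immediately before and after `gem install <name>`; with the constructed inputs above, the diff reports `rake 0.9.0` as the unrequested install, which is exactly the case the ticket describes. The pattern scan is deliberately coarse: it flags the lines a reviewer should look at in each build script that `gems_with_build_scripts` lists, rather than deciding on its own.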
