cowboyd has quit [Remote host closed the connection]
adkron has quit [Ping timeout: 252 seconds]
adkron has joined #rubygems
adkron has quit [Client Quit]
adkron has joined #rubygems
adkron has quit [Ping timeout: 276 seconds]
adkron has joined #rubygems
x0F_ has joined #rubygems
x0F has quit [Disconnected by services]
x0F_ is now known as x0F
nirvdrum has joined #rubygems
workmad3 has joined #rubygems
Elhu has joined #rubygems
machty has joined #rubygems
adkron has quit [Ping timeout: 246 seconds]
<machty>
if i have a gem w version 1.0.0.rc3, does rubygems use the 4th number (rc3) in dependency resolution, or is it ignored because it's outside of the Major.Minor.Build scheme?
<alindeman>
It'll be used, but it'll be categorized as a prerelease
<machty>
alindeman: so if i have a few versions of 'agem', '1.0.0.rc1.0', '1.0.0.rc1.1' and '1.0.0.rc2', how do i specify a dependency on anything that is 1.0.0.rc1* but exclude rc2?
<alindeman>
How about you match on '1.0.0.rc1' instead?
Elhu has quit [Quit: Computer has gone to sleep.]
<machty>
alindeman: the problem is that handlebars.js (the JS lib wrapped by this rubygem), has a version rc1, even if they'll progressively make minor improvements to it and push new versions that fall under 1.0.0.rc1
<machty>
but gems can't be yanked/replaced, so the versioning system has to be slightly different for the wrapping gem
<alindeman>
Well, 1.0.0.rc.1 was yanked for handlebars-source
<alindeman>
So you'll run into problems depending on that
benchMark has joined #rubygems
<machty>
yes, that version was a mistake, not because the code was screwed up, but because we shouldn't have separated 'rc' from the number with a period. it was rc.1, but from now on we want rc1.whatever
<machty>
so assuming rcN format, i think the best i can do if i'm writing a gem that depends on hb rc1, and all matching versions, i need to do add_dependency 'handlebars-source', ['>= 1.0.0.rc1', '< 1.0.0.rc2']
<alindeman>
Ah
zyriuse has joined #rubygems
Elhu has joined #rubygems
<machty>
but it seems the ~> never looks past the build number
<machty>
imo it would be more useful / less surprising if it started from the right of whatever version you supplied and reasoned from there
Elhu has quit [Client Quit]
<machty>
gem 'handlebars-source', '~> 1.0.rc1.0.3.5.1.2' would actually match 1.0.9 if it existed
<machty>
(well, it does, but soon to be yanked)
benchMark has quit [Quit: Computer has gone to sleep.]
machty has quit [Ping timeout: 255 seconds]
machty has joined #rubygems
Elhu has joined #rubygems
Elhu has quit [Client Quit]
tbuehlmann has quit [Remote host closed the connection]
listrophy has left #rubygems [#rubygems]
machty has quit [Ping timeout: 276 seconds]
dangerousdave has joined #rubygems
Elhu has joined #rubygems
machty has joined #rubygems
workmad3 has joined #rubygems
Elhu has quit [Quit: Computer has gone to sleep.]
workmad3 has quit [Ping timeout: 245 seconds]
machty has quit [Ping timeout: 260 seconds]
Elhu has joined #rubygems
crandquist has quit [Quit: Leaving...]
machty has joined #rubygems
Elhu has quit [Quit: Computer has gone to sleep.]
havenwood has joined #rubygems
machty_ has joined #rubygems
Elhu has joined #rubygems
machty has quit [Ping timeout: 252 seconds]
machty_ is now known as machty
machty has quit [Quit: machty]
Elhu has quit [Quit: Computer has gone to sleep.]
vertis has joined #rubygems
workmad3 has joined #rubygems
vertis1 has quit [Ping timeout: 260 seconds]
Elhu has joined #rubygems
Elhu has quit [Client Quit]
martinisoft has joined #rubygems
workmad3 has quit [Ping timeout: 260 seconds]
surfichris has quit [Excess Flood]
surfichris has joined #rubygems
Elhu has joined #rubygems
newUser1234 has joined #rubygems
therealadam has joined #rubygems
yerhot has quit [Ping timeout: 248 seconds]
yerhot has joined #rubygems
Elhu has quit [Quit: Computer has gone to sleep.]
yerhot has quit [Remote host closed the connection]
yerhot has joined #rubygems
lsegal has joined #rubygems
newUser1234 has quit [Remote host closed the connection]
newUser1234 has joined #rubygems
workmad3 has joined #rubygems
Elhu has joined #rubygems
Elhu has quit [Client Quit]
Elhu has joined #rubygems
newUser1_ has joined #rubygems
yerhot has quit [Remote host closed the connection]
newUser1234 has quit [Ping timeout: 245 seconds]
yerhot has joined #rubygems
benchMark has joined #rubygems
workmad3 has quit [Ping timeout: 264 seconds]
yerhot has quit [Remote host closed the connection]
havenwood has quit [Remote host closed the connection]
vertis1 has joined #rubygems
vertis has quit [Ping timeout: 252 seconds]
vertis has joined #rubygems
vertis1 has quit [Ping timeout: 264 seconds]
markalanevans has quit [Ping timeout: 248 seconds]
torarne1 has quit [Quit: Leaving.]
yerhot has joined #rubygems
vertis has quit [Ping timeout: 252 seconds]
vertis1 has joined #rubygems
dvu has quit [Remote host closed the connection]
havenwood has joined #rubygems
workmad3 has joined #rubygems
yerhot has quit [Remote host closed the connection]
newUser1_ has quit [Remote host closed the connection]
gearaholic has quit [Remote host closed the connection]
shtirlic has joined #rubygems
workmad3 has quit [Ping timeout: 264 seconds]
shtirlic has quit []
nirvdrum has quit [Ping timeout: 246 seconds]
stevenharman has quit [Ping timeout: 248 seconds]
shtirlic_ has joined #rubygems
shtirlic_ is now known as shtirlic
vertis has joined #rubygems
vertis1 has quit [Ping timeout: 255 seconds]
tbuehlmann has joined #rubygems
surfichris has quit [Excess Flood]
surfichris has joined #rubygems
luxflux has left #rubygems ["Konversation terminated!"]
<kseifried>
hey how does one report a dead/out of date rubygem, and is there any process to deal with them?
<drbrain>
every so often people try to reclaim the namespace of seemingly abandoned gems
yerhot has joined #rubygems
Elhu has quit [Quit: Computer has gone to sleep.]
yerhot has quit [Ping timeout: 252 seconds]
Elhu has joined #rubygems
Elhu has quit [Client Quit]
sbeam has joined #rubygems
<kseifried>
I'm more thinking like "this gem is probably a pile of crap and should not be used" but in a nicer worded way =)
ckrailo has joined #rubygems
<drbrain>
nothing like that
<kseifried>
drbrain: we're trying to figure out how to deal with abandoned/really bad code that is open source and still in use, no good way right now other than assigning CVE's for it that never get fixed so at least it shows up in the CVE database as being crap
* drbrain
nods
<kseifried>
the whole rubygems/wordpress plugins/drupal/django eco system quite frankly scares the shit out of me
<kseifried>
you get things like timthumb.php situations, code embedded on other plugins that allows remote code exec on millions of servers =(
<samkottler>
kseifried: we ran into this issue a few weeks ago with an unresponsive maintainer, there isn't really a process to deal with it
<kseifried>
can we at least mark the gem as abandoned/etc?
<kseifried>
like I just found one, 3 releases over a 2 week period, then dead, github page dead, etc
<samkottler>
kseifried: I'm involved with Drupal security, too and we have a really solid process for granting security engineers access
mockra has joined #rubygems
<kseifried>
yeah I think it was the drupal guy that put it best
<kseifried>
"We have 16,000 plugin devs and half don't speak english. good luck" =)
<drbrain>
I don't see why we can't yank versions on a case-by-case basis when the maintainer is non-responsive
<drbrain>
qrush: evan: ↑
<kseifried>
well yank as a last resort, becuase that breaks code potentially that requires it
<kseifried>
but at least warn/semi retire
<drbrain>
yeah
<evan>
hiya
<drbrain>
we also have the power to assign push rights
mockra has quit [Remote host closed the connection]
<drbrain>
so, if dire, we could fork and push a security fix when the maintainer won't respond
<kseifried>
I'm more worried about the general case of giving hints/info about general code quality/health of the rubygem
<samkottler>
drbrain: one of the problems with that approach is that since every gem doesn't have a repo associated with it, there's no way to get that change into the primary repo
<drbrain>
samkottler: yes :/
<drbrain>
thus the "if dire"
<drbrain>
I can imagine people would be upset if we did such a thing
<evan>
drbrain: we can certainly put forward a policy about the ability to yank abandon gems
<kseifried>
like good example is fedora
<kseifried>
if something doesn't build it gets nuked (eventually)
<evan>
or we could add something less severe than yank
tbuehlmann has quit [Remote host closed the connection]
<evan>
we have that now I guess in the ability since we can unyank a gem
<kseifried>
can you ununyank gems though? ;)
<evan>
sure.
<kseifried>
what about unununyank'ing them?
<Freaky>
a gem audit command would be nice, ala FreeBSD portaudit/pkg audit, match installed gems against a CVE database
<kseifried>
Freaky: that's in the works
<Freaky>
\o/
<drbrain>
kseifried: yank juts makes the gem appear/disappear from the index
<kseifried>
postmodern on #rubygems-trust
<drbrain>
the file stays on S3
<kseifried>
drbrain: you... can't tell when I'm joking huh? =)
<drbrain>
just making sure :D
* evan
waves his hands and makes a gem disappear
<evan>
TADA!
<kseifried>
I need to practice slight of hand. damnit
dvu has quit [Remote host closed the connection]
torarne1 has joined #rubygems
nirvdrum has joined #rubygems
yerhot has joined #rubygems
dangerousdave has quit [Quit: Leaving...]
newUser1234 has joined #rubygems
havenwood has quit [Remote host closed the connection]
therealadam has quit [Remote host closed the connection]
newUser1234 has quit [Remote host closed the connection]
newUser1234 has joined #rubygems
<nirvdrum>
Hi. Does anyone know why "gem install" always fetches http://rubygems.org/latest_specs.4.8.gz, regardless of the --source parameter, as a first step? I was surprised it was accessing that URL instead of my source, and it appears to always be over HTTP, even if my source is HTTPS.
<drbrain>
nirvdrum: maybe you want to use --only-source
<drbrain>
--source is additive
<nirvdrum>
Ahh.
<drbrain>
it is not a replacement
<nirvdrum>
My bad. Thank you.
qmx|away has quit [Ping timeout: 264 seconds]
<nirvdrum>
Is that a master only option? I don't see it is 1.8.25. But using "--clear-sources --source" seems to do the trick.