fpm 1.14.2 seems broken on RHEL8 / ruby <= 2.5.x #1918
Same problem with Debian 10 / buster and ruby 2.5.5p157 (2019-03-15 revision 67260) [x86_64-linux-gnu]
dotenv dropped support for ruby 2.4, 2.5 and 2.6:
dotenv 2.8.1 release has resolved this issue for me.
Yep, I just saw that dotenv's release resolved this issue for me as well. Based on the release notes that makes sense. I'm going to close this issue as it's no longer a problem. @therealplato - Feel free to open a new issue about pinning dependencies!
This is an overly broad statement and without specifics on a particular threat model, it's hard to respond in the context of fpm and its use cases. That said, it's worth looking into why fpm often doesn't pin dependencies. Historically, there's been a conflict between "pin dependencies" and "works on multiple versions of ruby" because of changes exactly like the dotenv 2.8.0 change, as highlighted in the dotenv issue reporting a similar problem. Another example is ffi, which fpm depended on until recently -- there was no easy way to depend on a specific version of ffi that worked for many ruby versions. Ultimately, I ended up removing the dependency on ffi to resolve this problem - #1795 - because I couldn't find any other way. I'm open to discussing pinning, ruby versions, etc. on a new issue :)
Thanks @jordansissel, I didn't mean to sound combative and I recognize that pinning introduces different security risks
I didn’t feel it was combative. It’s a complex problem sometimes with no easy answers. I’m glad for your input :)
On Wed, Jul 27, 2022, at 11:33 AM, Isaac Rogers wrote:
Thanks @jordansissel <https://github.com/jordansissel>, I didn't mean to sound combative and I recognize that pinning introduces different security risks
With correct semantic versioning, the breaking change in dotenv 2.8.0 must result in a 3.0.0 instead of 2.8.0. But this also requires that fpm limits its dependencies to the same major version to not run into such conflicts. I don't know if ruby supports that, and of course all transitive dependencies have to conform to semantic versioning and limit their dependencies as well.
I filed a followup to find a way to help reduce the risk of dotenv changes in the future: #1919
Hi!
Installing fpm on ruby 2.5.x looks broken due to the dotenv dependency. The upgrade from 2.7.6 to 2.8.0 of dotenv seems to be the problem, as it uses the endless range syntax introduced in Ruby 2.6: https://bugs.ruby-lang.org/issues/12912
My workaround was to pin the dotenv gem to 2.7.6
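As an added illustration of two points raised in this thread, the suggestion of limiting a dependency to its major version and the reporter's pin to 2.7.6, here is a small Ruby script that is not part of fpm or dotenv. It uses RubyGems' own Gem::Requirement and Gem::Version to show what a pessimistic constraint ("~> 2.7") admits, and models in simplified form how a declared required_ruby_version would have steered the resolver away from an incompatible release on Ruby 2.5. The release catalogues UNDECLARED and DECLARED are constructed for the example and are not dotenv's real metadata; the functions admitted? and resolve are hypothetical helpers written for this illustration.

```ruby
require 'rubygems'

# Constructed release catalogues (illustration only, not dotenv's real metadata):
# version => required_ruby_version as declared by that release (nil = not declared).
UNDECLARED = { '2.7.6' => '>= 2.0', '2.8.0' => nil }.freeze       # models the 2.8.0 break as reported
DECLARED   = { '2.7.6' => '>= 2.0', '2.8.0' => '>= 2.6' }.freeze  # same release, had it declared its need

# True when +version+ is admitted by +constraint+ (e.g. "~> 2.7" admits >= 2.7, < 3.0).
def admitted?(constraint, version)
  Gem::Requirement.new(constraint).satisfied_by?(Gem::Version.new(version))
end

# Simplified model of the resolver: the newest release that satisfies the dependency
# constraint AND whose declared required_ruby_version (if any) accepts +ruby_version+.
# Returns the chosen version string, or nil if no release fits.
def resolve(catalogue, constraint, ruby_version)
  rv = Gem::Version.new(ruby_version)
  catalogue
    .select { |v, _req| admitted?(constraint, v) }
    .select { |_v, req| req.nil? || Gem::Requirement.new(req).satisfied_by?(rv) }
    .keys
    .max_by { |v| Gem::Version.new(v) }
end

if __FILE__ == $PROGRAM_NAME
  # A major-version bound excludes a semver-correct 3.0.0, but still admits 2.8.0.
  puts "~> 2.7 admits 2.8.0: #{admitted?('~> 2.7', '2.8.0')}"                      # true
  puts "~> 2.7 admits 3.0.0: #{admitted?('~> 2.7', '3.0.0')}"                      # false
  puts "on Ruby 2.5.5, undeclared: #{resolve(UNDECLARED, '~> 2.7', '2.5.5')}"     # 2.8.0 (broken install)
  puts "on Ruby 2.5.5, declared:   #{resolve(DECLARED,   '~> 2.7', '2.5.5')}"     # 2.7.6
  puts "on Ruby 2.6.0, declared:   #{resolve(DECLARED,   '~> 2.7', '2.6.0')}"     # 2.8.0
  puts "reporter's exact pin:      #{resolve(UNDECLARED, '= 2.7.6', '2.5.5')}"    # 2.7.6
end
```

The script shows why the major-version bound alone did not protect fpm here: "~> 2.7" admits 2.8.0 because the breaking change shipped as a minor release. An exact pin avoids the break but freezes the consumer on one release, which is the trade-off discussed above; a gem that declares required_ruby_version lets the resolver skip releases the running Ruby cannot load without the consumer pinning at all.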