> Define most
:
>
> grep 'dependency' katello.gemspec | wc -l
> 41
> grep 'dependency.[<~]' katello.gemspec | wc -l
> 12
>
> grep 'add_dependency' katello.gemspec | wc -
> 32
> grep 'add_dependency.[<~]' katello.gemspec | wc -l
Your search misses some gem requirements like this one:
https://github.com/Katello/katello/blob/master/katello.gemspec#L66
Also, from my original email:
"I also realize that there's a caveat when it comes to Katello: we require gems that Foreman also supplies. I think it's fine not to have any requirements for those gems. I'm mostly speaking to the gems that Foreman doesn't require."
A number of the gems we have (like rails) I think ought not to have a version requirement since their version is being handled by foreman:
https://github.com/theforeman/foreman/blob/develop/Gemfile#L8
https://github.com/Katello/katello/blob/master/katello.gemspec#L25
But it may not be most. It was just a rough guess. And really I was meaning "any gem requirements" by "locked down".
> In fact, the last issues with deps is an evidence that it makes sense to
> locking
> the deps, see the issues as they appear upstream and being forced to deal
> with
> them as they appear (also congrats on the nice issue number:):
>
> https://github.com/pitr/angular-rails-templates/issues/42
>
> When people release new version of gem, there are usually quite responsive on
> immediate issues and tent to release new version with fixes right away. The
> longer
> the time is, the longer it takes to resolve that (I'm personally guilty of
> doing that).
So adding gem requirements doesn't preclude us from getting upstream releases and fixes. From my original email (s/minor/major):
"I think at the very least we could lock down gems to their major version numbers (e.g. "~> 0.2" or "< 1.0.0", ">= 0.2.1") as major versions almost inevitably bring API changes and thus breakages."
Also, if we're worried about security fixes to gems, relying on Jenkins seems like a horrible solution. What if a security release comes out and our Jenkins job doesn't fail? Take for example the gem hooks. We're still on version 0.2.2:
Which was released last year:
https://github.com/apotonick/hooks/releases
My dev environment is at 0.4. What good does that do? Maybe gem requirements isn't the solution but I still wonder: how do we know when to update the RPM packages with the latest release? Obviously, our current solution isn't working.
David
···
----- Original Message -----
> From: "Ivan Necas"
> To: foreman-dev@googlegroups.com
> Sent: Friday, May 2, 2014 8:04:39 AM
> Subject: Re: [foreman-dev] Gem requirements
>
>
>
> ----- Original Message -----
> > > As much as unpleasant it is, doing this by default is not the best thing
> > > to
> > > do IMO,
> > > as we can easily loose touch with the upstream changes of that gems. Of
> > > course
> > > it will cause some slow down while doing some stuff, but knowing that
> > > we're
> > > not
> > > compatible with the next version (ideally with comments why the gem
> > > version
> > > is lockes on some version range).
> > >
> > > -1 from me
> >
> >
> > Most of our gems are already locked down. We have to track upstream changes
> > for them somehow so why not just do them all the same way?
>
> Define `most`:
>
> grep 'dependency' katello.gemspec | wc -l
> 41
> grep 'dependency.*[<~]' katello.gemspec | wc -l
> 12
>
> grep 'add_dependency' katello.gemspec | wc -
> 32
> grep 'add_dependency.*[<~]' katello.gemspec | wc -l
> 9
>
> -- Ivan
>
> >
> >
> > > That's the purpose of Jenkins - to tell us things are broken. If we
> > > never had broken gems, then the test_develop job would be redundant,
> > > since every PR is code-tested by test_pull_request. Jenkins gives us a
> > > fast heads-up that although all code is tested, something has changed
> > > in our dependencies. In my experience, knowing that it's almost always
> > > a gem which breaks things means you can grab a list of recently
> > > updated gems from Rubygems, and figure out which one was the problem,
> > > in a reasonable timeframe.
> >
> >
> > If my PR breaks in Jenkins though how do I know if it's a gem change or a
> > code change? Also, I've seen the main job break before in Katello when it
> > wasn't gem-related so that's not entirely reliable.
> >
> > David
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "foreman-dev" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to foreman-dev+unsubscribe@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
> >
>
> --
> You received this message because you are subscribed to the Google Groups
> "foreman-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to foreman-dev+unsubscribe@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>