
Ticket #8511 (assigned enhancement)

Opened 1 year ago

Last modified 5 months ago

[PATCH] Gems loaded from vendor/gems like plugins

Reported by: marcel
Assigned to: nzkoz (accepted)
Priority: normal
Milestone: 2.x
Component: Railties
Version: edge
Severity: normal
Keywords:
Cc: nicwilliams, thewoolleyman@gmail.com, rsanheim+rails@gmail.com

Description (Last modified by marcel)

Gem files (e.g. some_gem.gem) go into vendor/gems. On start-up they are unpacked into vendor/gems/home (unless already unpacked) and loaded in dependency order.

Attachments

gems_loaded_from_vendor_like_plugins.diff (29.9 kB) - added by marcel on 05/29/07 23:10:09.
gems_loaded_from_vendor_like_plugins.2.diff (30.6 kB) - added by josh on 09/18/07 21:17:17.
Tidied against [7513].

Change History

05/29/07 23:03:10 changed by marcel

  • description changed.

05/29/07 23:10:09 changed by marcel

  • attachment gems_loaded_from_vendor_like_plugins.diff added.

05/30/07 01:57:47 changed by josh

Related ticket #8087.

06/23/07 15:28:26 changed by nicwilliams

Works well in testing for me. Gems get included in Gem::cache etc, which is awesome.

06/25/07 12:10:30 changed by nicwilliams

Discussion of this patch on Dr Nic's blog

06/29/07 02:14:00 changed by vesaria

"On start-up they are unpacked into vendor/gems/home" Most deployment scenarios will *NOT* have the src tree writeable by the app - this is considered quite poor security.

07/18/07 23:00:51 changed by nicwilliams

@vesaria - I'm currently committing the exploded gems (/vendor/gems/home) into the repo, so they are part of the src at commit time.

07/18/07 23:08:46 changed by nicwilliams

Or similarly, do

cd vendor/gems
gem unpack xxx

And the gem is now in your $LOAD_PATH.

09/10/07 09:16:11 changed by nicwilliams

I've been using this on several projects and it works well, and is highly preferred to other solutions to vendor/gems.

09/18/07 07:43:09 changed by chadfowler

+1

09/18/07 08:41:10 changed by drbrain

This patch won't work with the next release of RubyGems.

Gem::manage_gems is gone. Use require 'gem/blah' instead.

gem_home is the wrong name to use for the configuration entry. Use gem_path instead (has to do with GEM_HOME vs GEM_PATH env vars and the use of Gem::set_path).

Storing the gems in "gems/" then installing them into "gems/home" will result in two copies of the gem hanging around. A better way to do this is to install gem files into "gems/cache" and install into "gems".

Your DependencyList code is duplicated in the upcoming Gem::DependencyInstaller.

09/18/07 14:33:14 changed by ivey

+1

09/18/07 21:17:17 changed by josh

  • attachment gems_loaded_from_vendor_like_plugins.2.diff added.

Tidied against [7513].

09/18/07 21:18:05 changed by josh

  • keywords set to verified.

+1

09/19/07 07:24:56 changed by nicwilliams

Woohoo!

09/19/07 10:15:34 changed by chadfowler

Eric, do you think you could whip up the changes you suggest against Josh's revision of the patch? I actually led us down the gem_home path. If it's something quick, you're probably the freshest on the code these days. If not I'll do it.

09/20/07 08:29:00 changed by drbrain

Not at present, I'm too busy trying to get RubyGems working on 1.9 and then have a beta shipped (and thus get RubyGems in 1.9).

09/20/07 22:55:38 changed by david

  • keywords deleted.

Sounds like this needs a bit more work, so I'm taking it off report #12 for now.

10/07/07 02:28:02 changed by nzkoz

  • owner changed from core to nzkoz.
  • status changed from new to assigned.

This would be a nice solution to get in for 2.0. If this can get tidied up and made 'gem internal friendly', I'm happy to apply it.

10/10/07 18:07:45 changed by vesaria

I still think there is a serious security issue here.

In general, on a production box, you set the src code to be readonly (by the RoR user). You use a different account to actually update the code. That way, if a hack should occur, you've contained the problem from actually manipulating your code, installing changes, and the like.

This is standard security practice. Rails is about doing the right thing by default.

Keeping app src writeable by the app itself is a major security no-no.

10/15/07 17:16:27 changed by bitsweat

vesaria, it's no different than having your source in app. Make the directories readonly as you like.
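
Added example, not part of the ticket or the attached patch: a Ruby audit for the deployment rule discussed in the comments above, listing every path in a release tree that the application account can write to. It assumes plain POSIX mode bits (no ACLs) and a non-root runtime account; writable_by?, writable_paths and demo_audit are hypothetical names, and the sample tree is constructed.

```ruby
require 'find'
require 'fileutils'
require 'tmpdir'

# Added example, not code from the ticket or the patch.
# Assumes plain POSIX mode bits (no ACLs) and a non-root runtime account.

# True if the account (uid, gids) may write to the entry described by stat.
# Only one permission class applies: owner, else group, else other.
def writable_by?(stat, uid, gids)
  bit = if stat.uid == uid then 0o200
        elsif gids.include?(stat.gid) then 0o020
        else 0o002
        end
  (stat.mode & bit) != 0
end

# Every non-symlink path under root that the runtime account can write to.
def writable_paths(root, uid:, gids:)
  hits = []
  Find.find(root) do |path|
    stat = File.lstat(path)
    hits << path if !stat.symlink? && writable_by?(stat, uid, gids)
  end
  hits.sort
end

# Constructed sample tree: a read-only release in which only the start-up
# unpack directory vendor/gems/home was left writable for its owner.
def demo_audit
  Dir.mktmpdir do |root|
    begin
      home = File.join(root, 'vendor', 'gems', 'home')
      FileUtils.mkdir_p(home)
      FileUtils.mkdir_p(File.join(root, 'app'))
      gem_file = File.join(root, 'vendor', 'gems', 'some_gem.gem')
      File.write(gem_file, 'constructed placeholder')
      FileUtils.chmod_R(0o555, root)   # lock the whole release
      File.chmod(0o444, gem_file)
      File.chmod(0o755, home)          # what start-up unpacking would need
      owner = File.stat(root)
      writable_paths(root, uid: owner.uid, gids: [owner.gid])
        .map { |p| p.sub("#{root}/", '') }
    ensure
      FileUtils.chmod_R(0o755, root)   # restore so mktmpdir can clean up
    end
  end
end

puts demo_audit if $PROGRAM_NAME == __FILE__
```

On a real deployment, pass the Rails root with the uid and group ids of the account the application server runs as; an empty result means that account cannot modify the release tree.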

11/29/07 06:32:35 changed by thewoolleyman

  • cc changed from nicwilliams to nicwilliams, thewoolleyman@gmail.com.

02/18/08 14:42:54 changed by rsanheim

  • cc changed from nicwilliams, thewoolleyman@gmail.com to nicwilliams, thewoolleyman@gmail.com, rsanheim+rails@gmail.com.

+1, would love to see something enable gems as plugins to "just work" in 2.1+