
Bug 708768

Summary: dev-ruby/rails-4.2.11.1 add ruby25
Product: Gentoo Linux
Reporter: Anton Bolshakov <anton.bugs>
Component: Current packages
Assignee: Gentoo Ruby Team <ruby>
Status: RESOLVED OBSOLETE
Severity: normal
CC: zerochaos
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Anton Bolshakov 2020-02-09 03:15:01 UTC
According to upstream, rails4 supports ruby25; however, it is NOT tagged so in Gentoo. See the following URL:
https://edgeguides.rubyonrails.org/upgrading_ruby_on_rails.html

1.3 Ruby versions
Rails 6 requires Ruby 2.5.0 or newer.
Rails 5 requires Ruby 2.2.2 or newer.
Rails 4 prefers Ruby 2.0 and requires 1.9.3 or newer.

Currently, RUBY_TARGETS has both ruby24 and ruby25. However, some packages like net-analyzer/metasploit have only ruby24 listed. That causes massive rails/active* blocks, and users would need to mask ruby25 in order to resolve it.

Please add ruby25 to the following packages:
https://github.com/pentoo/pentoo-overlay/commit/84ba1bb56efd259467b23695e9f67e1664935c16
https://github.com/pentoo/pentoo-overlay/commit/5b963dde33239b3dbde8394b6bbf24e21807623c

It's basically all rails:4.2/active*:4.2 and dev-ruby/arel:6.0.
Comment 2 Hans de Graaff gentoo-dev Security 2020-02-09 07:18:10 UTC
Rails 4.2 is no longer supported by upstream so it should really be masked for removal. The reason this has not been done yet is to give metasploit the maximum amount of time to update to a supported Rails version, rather than masking it together with Rails 4.2.

Rails 4.2 will be masked for removal either when a rails security issue is found in supported rails versions, or when ruby24 support runs out at the end of March.

Given that I don't see any activity upstream I assume the most likely outcome is for metasploit to be masked for removal as well. If it is already clear that this is where we are heading then we can also mask everything now, but I'd like to get Zero_Chaos's opinion on that first.
Comment 3 Anton Bolshakov 2020-02-09 11:33:21 UTC
I'm not sure that it's not about metasploit only. 

Any package which requires rails:4 (=dev-ruby/activemodel-4 etc) is currently affected. As a wild guess (I'm unable to test right now, since I have pushed the fix), here is the list:

dev-ruby/actionpack-xml_parser
dev-ruby/protected_attributes
dev-ruby/haml-rails
dev-ruby/sprockets-rails
Comment 4 Hans de Graaff gentoo-dev Security 2020-03-30 06:00:55 UTC
dev-ruby/rails:4.2 (and packages depending on it) has now been masked for removal.