On Thu, 5 Aug 2021 at 02:25, Sam Ruby <ru...@intertwingly.net> wrote:
>
> On Wed, Aug 4, 2021 at 9:06 PM sebb <seb...@gmail.com> wrote:
> >
> > On Thu, 5 Aug 2021 at 01:15, Sam Ruby <ru...@intertwingly.net> wrote:
> > >
> > > On Wed, Aug 4, 2021 at 7:38 PM sebb <seb...@gmail.com> wrote:
> > > >
> > > > On Thu, 5 Aug 2021 at 00:14, Sam Ruby <ru...@intertwingly.net> wrote:
> > > > >
> > > > > It looks like sebb disabled security updates on wunderbar, which
> > > > > seems unwise.
> > > >
> > > > Updates were *not* disabled, but updates are no longer automatically
> > > > installed.
> > > >
> > > > This was done because one of the previous updates to Wunderbar broke
> > > > things.
> > > >
> > > > https://lists.apache.org/thread.html/r2d1a2e39bd92390e68efebc5bd53b4594271492468728c1ca45ab895%40%3Cdev.whimsical.apache.org%3E
> > >
> > > Once whimsy updated to Ruby 2.7, Ruby safety checks were no longer
> > > something that could be trusted, and wunderbar was updated to require
> > > an opt in to retain the old (insecure) behavior.
> > >
> > > The version of wunderbar had been pinned before that change, whimsy
> > > would have had a security issue. If there is a choice between
> > > availability (up time) and security, we need to prioritize security.
> > >
> > > What you have implemented is unwise, and I therefore am now giving my
> > > -1 to that approach and am requesting that it be reverted.
> >
> > Is it always wise to update to the most recent version of a Gem?
> > i.e. does a new release never have a new security issue?
> > Should we turn off "apt-get update"?
Possibly. It depends on what checks are made before releases are done
through APT.

> Meanwhile the secretary workbench is down, and I'm asking you to honor my -1.

I already updated the version, so unpinning it won't make a difference
at present.

> > Note that ruby2js is currently pinned - should that be unpinned also?
>
> It seems rather odd that you have picked exactly those two gems to
> pin.

Because updates to both of those Gems broke Whimsy, and the versions
had to be back-dated whilst the Gem was fixed.

> And yet any fix I personally make directly to whimsy gets
> deployed instantly.

Yes, and can be reverted or fixed instantly by any Whimsy committer.
That is not the case for the 3rd party Gems.

> All other gems (and, for that matter, apt-get packages, and any direct
> software changes get updated and deployed automatically.
>
> Wunderbar has been feature complete (and therefore stable) for quite some
> time.

As I recall, it was feature complete when it was updated to handle a
change to Ruby. That change broke Whimsy.

> Ruby2JS is quiet at the moment, but there has been significant
> development this past year. It is true that Ruby2JS had a regression
> which was detected on December 29, and promptly fixed on December 29.
>
> Since you decided to pin Ruby2JS and not update it for over seven
> months - what is your plan to upgrade to the latest version?

I've not given it any thought. As far as I know, the current version is
working fine.

> - Sam Ruby
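The trade-off argued above (an exact pin keeps a known-good version in place, but also keeps the project from picking up a later fix until someone edits the pin) is something a deployment can check for rather than rely on memory. The script below is an added example, not code from the Whimsy project or from this thread: it reads the exact `= x.y.z` pins out of a Gemfile, the resolved versions out of the matching Gemfile.lock, and reports any pinned gem whose locked version is older than a "fixed in" version supplied by the caller. The gem names, lockfile contents and fixed-in table are all constructed for the example; in practice the table would come from an advisory feed such as the one `bundler-audit` uses.

```ruby
# Added example (not from the Whimsy thread): report gems whose exact
# Gemfile pin holds them below a version that carries a known fix.
require 'rubygems' # Gem::Version comparison (standard library)

# Constructed Gemfile.lock fragment; gem names are hypothetical.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      alpha-gem (1.2.3)
        gamma-gem (>= 0.9)
      beta-gem (2.0.0)
      gamma-gem (0.9.1)
LOCK

# Constructed Gemfile: only '= version' pins are frozen; '~>' and
# unconstrained gems still move on the next bundle update.
SAMPLE_GEMFILE = <<~GEMFILE
  gem 'alpha-gem', '= 1.2.3'
  gem 'beta-gem'
  gem 'gamma-gem', '~> 0.9'
GEMFILE

# Constructed stand-in for an advisory feed: first version with the fix.
FIXED_IN = { 'alpha-gem' => '1.2.5', 'gamma-gem' => '0.9.1' }.freeze

# Extract the resolved version of each top-level spec in the lockfile.
# Top-level specs are indented four spaces; their dependencies are
# indented six and are deliberately skipped.
def locked_versions(lock_text)
  versions = {}
  in_specs = false
  lock_text.each_line do |line|
    if line.strip == 'specs:'
      in_specs = true
      next
    end
    next unless in_specs
    break if line.strip.empty? || !line.start_with?('    ')
    next unless line =~ /\A {4}(\S+) \(([^)]+)\)/
    versions[Regexp.last_match(1)] = Regexp.last_match(2)
  end
  versions
end

# Gems held at an exact version via gem 'name', '= x.y.z'.
def exact_pins(gemfile_text)
  gemfile_text.scan(/gem\s+['"]([^'"]+)['"]\s*,\s*['"]=\s*([^'"]+)['"]/).to_h
end

# Pinned gems whose locked version is below the fixed-in version.
# Returns [[name, locked_version, fixed_version], ...].
def stale_pins(gemfile_text, lock_text, fixed_in)
  locked = locked_versions(lock_text)
  exact_pins(gemfile_text).each_with_object([]) do |(name, _pin), out|
    fixed = fixed_in[name]
    next unless fixed && locked[name]
    next unless Gem::Version.new(locked[name]) < Gem::Version.new(fixed)
    out << [name, locked[name], fixed]
  end
end

if __FILE__ == $PROGRAM_NAME
  stale_pins(SAMPLE_GEMFILE, SAMPLE_LOCK, FIXED_IN).each do |name, have, need|
    puts "#{name}: pinned at #{have}, fix available in #{need}"
  end
end
```

With the constructed input only `alpha-gem` is reported: it is the one gem that is both frozen with `=` and locked below its fixed-in version. `gamma-gem` is already at the fixed version, and `beta-gem` is not pinned at all, so a routine update would carry it forward. Running a check like this in the same job that applies automatic updates turns a silent pin into a visible item to revisit.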