[Rubygems-developers] RubyGems 1.3.5 dependency chain installation seems broken?

Luis Lavena luislavena at gmail.com
Thu Dec 31 12:00:02 EST 2009


Hello,

Suddenly it appears that gem dependency in latest RubyGems has been
compromised and is affecting users in different platforms.

There is a bug report from Roger Pack about this here:

http://rubyforge.org//tracker/?func=detail&atid=575&aid=27608&group_id=126

But just in case, to avoid it get dusted as this is turning to be a
big problem, wanted to document my findings.

Let's take the example: thin.

http://gemcutter.org/gems/thin/versions/1.2.5

Version 1.2.5 depends on:

daemons >= 1.0.9
eventmachine >= 0.12.6
rack >= 1.0.0

daemons 1.0.10 suffices the first dependency:
http://gemcutter.org/gems/daemons/versions/1.0.10

eventmachine 0.12.10 does the second:
http://gemcutter.org/gems/eventmachine/versions/0.12.10

rack 1.0.1 completes the chain:
http://gemcutter.org/gems/rack/versions/1.0.1

none of thin dependencies depends on other libraries at runtime. so clearly is:

thin:
- daemons
- eventmachine
- rack

With that scenario, the order gems are supposed to be installed are:

eventmachine, daemons, rack, thin

BUT, for some reason, RubyGems does this:

eventmachine, daemons, thin, rack

And when reaches thin, it fails due missing rack.

After digging into the code, spotted this in
lib/rubygems/dependency_list.rb, starting line 49:

  def dependency_order
    sorted = strongly_connected_components.flatten

which uses TSort to give priorirty to the each gem in the list
collected by @specs.

But, it incorrectly gives them the priorities, putting rack with
priority 3 and thin with priority 2

To prove the bug, I've created the following testcase:

  def test_dependency_order_triplet
    e1 = quick_gem 'e', '1'
    f1 = quick_gem 'f', '1'
    g1 = quick_gem 'g', '1'

    @a1.add_dependency 'e', '>= 1'
    @a1.add_dependency 'f', '>= 1'
    @a1.add_dependency 'g', '>= 1'

    @deplist.add @a1, e1, f1, g1
    order = @deplist.dependency_order

    assert_equal %w[g-1 f-1 e-1 a-1], order.map { |s| s.full_name }
  end

and when executed:

  1) Failure:
test_dependency_order_triplet(TestGemDependencyList)
[test/test_gem_dependency_list.rb:106]:
Expected ["g-1", "f-1", "e-1", "a-1"], not ["a-1", "g-1", "f-1", "e-1"].

===

So far, my knowledge and understanding of the issue ends there.

Any hint?

-- 
Luis Lavena
AREA 17
-
Perfection in design is achieved not when there is nothing more to add,
but rather when there is nothing more to take away.
Antoine de Saint-Exupéry


More information about the Rubygems-developers mailing list