[Rubygems-developers] RubyGems 1.3.5 dependency chain installation seems broken?

Luis Lavena luislavena at gmail.com
Thu Dec 31 12:00:02 EST 2009


Suddenly it appears that gem dependency in latest RubyGems has been
compromised and is affecting users in different platforms.

There is a bug report from Roger Pack about this here:


But just in case, to avoid it get dusted as this is turning to be a
big problem, wanted to document my findings.

Let's take the example: thin.


Version 1.2.5 depends on:

daemons >= 1.0.9
eventmachine >= 0.12.6
rack >= 1.0.0

daemons 1.0.10 suffices the first dependency:

eventmachine 0.12.10 does the second:

rack 1.0.1 completes the chain:

none of thin dependencies depends on other libraries at runtime. so clearly is:

- daemons
- eventmachine
- rack

With that scenario, the order gems are supposed to be installed are:

eventmachine, daemons, rack, thin

BUT, for some reason, RubyGems does this:

eventmachine, daemons, thin, rack

And when reaches thin, it fails due missing rack.

After digging into the code, spotted this in
lib/rubygems/dependency_list.rb, starting line 49:

  def dependency_order
    sorted = strongly_connected_components.flatten

which uses TSort to give priorirty to the each gem in the list
collected by @specs.

But, it incorrectly gives them the priorities, putting rack with
priority 3 and thin with priority 2

To prove the bug, I've created the following testcase:

  def test_dependency_order_triplet
    e1 = quick_gem 'e', '1'
    f1 = quick_gem 'f', '1'
    g1 = quick_gem 'g', '1'

    @a1.add_dependency 'e', '>= 1'
    @a1.add_dependency 'f', '>= 1'
    @a1.add_dependency 'g', '>= 1'

    @deplist.add @a1, e1, f1, g1
    order = @deplist.dependency_order

    assert_equal %w[g-1 f-1 e-1 a-1], order.map { |s| s.full_name }

and when executed:

  1) Failure:
Expected ["g-1", "f-1", "e-1", "a-1"], not ["a-1", "g-1", "f-1", "e-1"].


So far, my knowledge and understanding of the issue ends there.

Any hint?

Luis Lavena
Perfection in design is achieved not when there is nothing more to add,
but rather when there is nothing more to take away.
Antoine de Saint-Exupéry

More information about the Rubygems-developers mailing list