Not planned
Description
@kou @nobu, the two most recent releases 3.2.7 and 3.2.8 should be major versions as they introduce strscan which seems to require some native extensions and compilation on systems. This is breaking my world with folks using Chef. Can you please yank those and make this 4.x.x or something?
For Chef folks looking for a fix, add the following to your cookbooks metadata.rb:
# Temporary Workaround (https://github.com/ruby/rexml/issues/131)
gem 'rexml', '= 3.2.6'
You can also install gcc in your kitchen using:
lifecycle:
  post_create:
    # Temporary Workaround (https://github.com/ruby/rexml/issues/131)
    - remote: sudo yum install -y gcc
Thanks
Activity
spacefuntus commented on May 16, 2024
This should be prioritized as impacting many.
igorwwwwwwwwwwwwwwwwwwww commented on May 16, 2024
Note that the old version of 3.2.6 is subject to a DoS CVE: https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/.
Impact of the vulnerability may be limited, but this may be a reason to favour the "install gcc" approach over pinning the old version.
elbartostrikesagain commented on May 16, 2024
+1, or at least 3.3.0 would be acceptable? Would also be nice to see the gcc dependency listed in the Readme for this project as well.
In my case, the requiring Gem is ruby-dbus which has the following: s.add_runtime_dependency "rexml". Since no version information is listed there, it doesn't actually matter what version was introduced here - it would still have broken for me. My guess is that most Chef users having problems are using the systemd cookbook.
I will recommend that ruby-dbus changes their dependency here to have a version, such as ~> 3.2 for their current version, and then they bump their version for a dependency update to the new version here as well.
For the sake of those who think they have the same problem (and the web crawlers), here is the dependency chain I have that got me here:
hsbt commented on May 16, 2024
It's impossible. If we yanked them, it would break many Ruby applications.
bdwyertech commented on May 16, 2024
It breaks no one. You released two versions this morning which broke many. I highly doubt anyone pinned the versions to this yet. This is 💯 a major breaking change.
Major minor patch. This is far from a patch or a minor change.
doconnor-clintel commented on May 17, 2024
Secondary variant with (very old ruby, bundler, probably solvable but surprising):
kou commented on May 17, 2024
Could you explain why Chef is related to REXML? #131 (comment)?
Could you also explain what is "kitchen" in Chef context?
elbartostrikesagain commented on May 17, 2024
@kou the "kitchen" is a test environment for using Chef. It's not really relevant to the problem at hand but it's useful for those with chef/kitchen related problems to see how to install gcc. The solution above is specific to environments using yum but it's enough to get someone going the right direction.
Why Chef is related to REXML: see my dependency chain above - where it starts is the systemd cookbook, which is widely used, and that uses the dbus-systemd gem.
While I agree the versioning here was bad, this could be fixed up the dependency chain - for example the version could be locked here: mvidner/ruby-dbus#143, but I'd have to keep looking up the chain for the same problems I guess.
kou commented on May 17, 2024
Thanks. If this is related to ruby-dbus (via the systemd cookbook) as you explained, the semantic versioning isn't related to this, because ~> ... isn't used in ruby-dbus: https://github.com/mvidner/ruby-dbus/blob/5f98ee3cf506ff0bd53b72ce952b1b89881ab64a/ruby-dbus.gemspec#L28
If you don't want to use REXML 3.2.7 or later, you must pin REXML 3.2.6 by yourself. (I'm not sure whether Chef uses Gemfile for dependency management or not.)
In general, I don't recommend it because 3.2.6 or earlier has a security vulnerability: GHSA-vg3r-rm7w-2xgh
If you pin REXML, use it at your own risk.
(We don't need to change ruby-dbus because there isn't any reason that ruby-dbus needs to pin REXML. ruby-dbus can work with any versions of REXML.)
slonopotamus commented on May 17, 2024
Asciidoctor/Antora user here. 3.2.7/3.2.8 broke our CI as well. Adding dependencies (especially native) in patch-release was not a good idea.
kou commented on May 17, 2024
This part in the message will fix your CI.
slonopotamus commented on May 17, 2024
I believe my CI should not have broken in the first place by a patch update of rexml. There's nothing wrong with adding/removing dependencies, but not this way by breaking everyone. I would not say a single word if 3.2.7/3.2.8 was instead called 4.x.x.
kou commented on May 17, 2024
Could you share your repository for the CI log?
bdwyertech commented on May 17, 2024
Thumbs downing people with evidence is very immature. I was able to fix my organization but it took "a village" and a monumental effort from my team to come to a resolution.
This is a Ruby core library, consumed by a wide spread of tooling. A simple acknowledgement would be the adult thing to do here.
I agree that upstream needs a better pinning strategy, but this should have been a minor or major.
kou commented on May 21, 2024
I'm not familiar with Chef but, in general, needless dependencies should not be included for production.
If Chef users think so too, could you feedback it to Chef?
(CAT-1643) Exclude rexml versions due to issues on Windows
(CAT-1871) Pin rexml due to issues on Windows puppetlabs/pdk-templates#582
jaredbeck commented on Jun 5, 2024
Just in case it encourages someone else to upgrade .. I had no trouble compiling strscan on Debian 11 "bullseye".
kou commented on Jun 9, 2024
REXML 3.2.9 doesn't require strscan 3.0.9 or later. It can use strscan installed as a default gem.
So this problem will disappear.
Semantic versioning is unrelated. I close this.
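An added example, not code from the rexml project or from any commenter here: a small Ruby audit that reads a Gemfile.lock and reports where the resolved rexml version falls relative to the facts stated in this thread (3.2.6 and earlier carry the DoS fixed in 3.2.7; 3.2.7 and 3.2.8 pull in a strscan native extension that needs a compiler; 3.2.9 uses the default-gem strscan). The lockfile fragment and the function names are constructed for the example.

```ruby
# Added example (not from the rexml project or any commenter): audit a
# Gemfile.lock for the rexml resolution discussed in this thread.
require "rubygems"

# Version facts as stated in the thread (constructed summary, not a feed):
#  - <= 3.2.6: subject to the DoS fixed in 3.2.7 (CVE-2024-35176)
#  - 3.2.7, 3.2.8: depend on strscan >= 3.0.9, a native extension that
#    needs a compiler (gcc) on the host
#  - >= 3.2.9: uses the default-gem strscan, no compile step
DOS_FIXED_IN   = Gem::Version.new("3.2.7")
NATIVE_STRSCAN = Gem::Requirement.new(">= 3.2.7", "< 3.2.9")

# Pull "rexml (x.y.z)" out of the specs section of a lockfile.
# Spec entries sit at exactly four spaces of indentation; the
# "rexml (= 3.2.6)" line under DEPENDENCIES has a different shape.
def rexml_version(lockfile_text)
  m = lockfile_text.match(/^ {4}rexml \(([^)]+)\)/)
  m && Gem::Version.new(m[1])
end

# Return a list of findings for the resolved rexml version.
def audit_rexml(lockfile_text)
  v = rexml_version(lockfile_text)
  return [:rexml_not_found] if v.nil?
  findings = []
  findings << :dos_vulnerable if v < DOS_FIXED_IN
  findings << :needs_compiler if NATIVE_STRSCAN.satisfied_by?(v)
  findings << :ok if findings.empty?
  findings
end

# Constructed lockfile fragment showing the "= 3.2.6" pin workaround
# resolved alongside an unversioned ruby-dbus dependency on rexml.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rexml (3.2.6)
      ruby-dbus (0.0.0)
        rexml

  DEPENDENCIES
    rexml (= 3.2.6)
    ruby-dbus
LOCK

puts audit_rexml(SAMPLE_LOCK).inspect if $PROGRAM_NAME == __FILE__
```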
fertrig commented on Jun 10, 2024
I'm getting this error on 3.2.9:
The error goes away when using 3.2.6.
kou commented on Jun 10, 2024
@fertrig Thanks for your report. Could you open a new issue for it? It's not related to this issue.