Remove satisfied dependecies from next source lookup #3200
Conversation
When iterating sources and checking for met dependencies, remove the actual specs that were satisified by the source from the lookup of following sources. This prevents lookup of local gems (from `gemspec` or `path` or `git` sources) in rubygems source. fixes #2909
|
👍 Looks about right :) |
| @@ -203,6 +203,7 @@ def index | |||
| sources.all_sources.each do |s| | |||
| s.dependency_names = dependency_names | |||
There was a problem hiding this comment.
This should dup dependency_names, or else each source will be aliasing the instance of the list that gets changed.
There was a problem hiding this comment.
You're right, I'll add it too to that fix.
Note that we "suffer" from the same issue today (on master). Can you think of a test case to reveal this issue?
There was a problem hiding this comment.
If a second source contains the same gem, I guess? So like two git sources that both contain the gem "foo". Bundler should warn about that, I think.
There was a problem hiding this comment.
It would be totally reasonable for two Rubygems sources to contain the same gem.
I'm still not sure whether this whole change could potentially break something there.
There was a problem hiding this comment.
If a gem can appear in both Rubygems sources and we should consider both of them, then the original bug report #2909 in which Bundler requests for a private gem from a public Rubysgems source is not a bug (though I still see an "private information leak" problem in that case; maybe we need a specific :private=>true mark for some gems, which will make sure we don't look for them in other Rubygems sources). Maybe we should move the discussion back to the original issue #2909 and decide what's the appropriate solution (might require new Gemfile syntax?).
There was a problem hiding this comment.
Requesting the gem should (theoretically) be fixed by using a source block. Then the gems in that source block should be requested from that source, and gems outside that source block should not be requested from that source. However, dependencies of that gem will still be requested from other sources.
On Oct 13, 2014, at 7:50 AM, Dov Murik [email protected] wrote:
In lib/bundler/definition.rb:
@@ -203,6 +203,7 @@ def index
sources.all_sources.each do |s|
s.dependency_names = dependency_names
If a gem can appear in both Rubygems sources and we should consider both of them, then the original bug report #2909 in which Bundler requests for a private gem from a public Rubysgems source is not a bug (though I still see an "private information leak" problem in that case; maybe we need a specific :private=>true mark for some gems, which will make sure we don't look for them in other Rubygems sources). Maybe we should move the discussion back to the original issue #2909 and decide what's the appropriate solution (might require new Gemfile syntax?).�
Reply to this email directly or view it on GitHub.
|
I added a fix for the missing @indirect - I don't have an idea for a Gemfile that will cause that missing |
When iterating sources and checking for met dependencies, remove the
actual specs that were satisified by the source from the lookup of
following sources.
This prevents lookup of local gems (from
gemspecorpathorgitsources) in rubygems source.
fixes #2909