Hello,
I’d like to ask why is Rails fixing its version, like gem 'rails', '3.2.12'?
Given the recent attacks on Rails - wouldn’t it be more secure to not fix the version?
Maybe have something like '~>3.2.12'?
On 02/16/2013 07:07 AM, Slava Vishnyakov wrote:
> I’d like to ask why is Rails fixing its version, like gem 'rails', '3.2.12'?
> Given the recent attacks on Rails - wouldn’t it be more secure to not fix the
> version?
> Maybe have something like '~>3.2.12'?

While I agree, I don’t see a valid complaint, considering you should be
running bundle outdated yourself a couple of times a week and manually
adjusting your Gemfile. Even if it has ~>, that is not an excuse not to
manually adjust your versions, so that if you have to start with a blank
Gemfile.lock you don’t end up with the older version first.

That said, that’s just me; I would never update without updating my
Gemfile too. If you really feel like having this issue fixed, please file
a ticket at GitHub.
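
Added example, not part of the thread or of Rails' own code: how RubyGems evaluates the exact pin and the `~>` constraints discussed above, using RubyGems' `Gem::Requirement`. The release list, the choice of 3.2.13 as the first patched release, and the helper names are all constructed for illustration.

```ruby
require "rubygems"

# Constructed release list for illustration; not the real Rails release history.
AVAILABLE = %w[3.2.11 3.2.12 3.2.13 3.3.0 4.0.0].map { |v| Gem::Version.new(v) }

# Versions from `available` that a Gemfile constraint admits, oldest first.
def admitted(constraint, available = AVAILABLE)
  req = Gem::Requirement.new(constraint)
  available.select { |v| req.satisfied_by?(v) }.sort
end

# Newest admitted version: as far as an update can move without editing the Gemfile.
def newest_admitted(constraint, available = AVAILABLE)
  admitted(constraint, available).last
end

# True when the constraint still admits a release older than `minimum_safe`,
# i.e. the Gemfile on its own does not rule out the unpatched version.
def admits_older_than?(constraint, minimum_safe, available = AVAILABLE)
  floor = Gem::Version.new(minimum_safe)
  admitted(constraint, available).any? { |v| v < floor }
end

# Summary for one constraint; `minimum_safe` is the assumed first patched release.
def report(constraint, minimum_safe)
  floor = Gem::Version.new(minimum_safe)
  {
    constraint: constraint,
    admitted: admitted(constraint).map(&:to_s),
    can_reach_fix: admitted(constraint).any? { |v| v >= floor },
    admits_unpatched: admits_older_than?(constraint, minimum_safe)
  }
end

if __FILE__ == $PROGRAM_NAME
  # Exact pin, the suggested ~> form, a bumped ~> floor, and a looser ~> form.
  ["3.2.12", "~> 3.2.12", "~> 3.2.13", "~> 3.2"].each do |c|
    p report(c, "3.2.13")
  end
end
```

The exact pin cannot reach the patched release without a Gemfile edit, `~> 3.2.12` can reach it but still admits 3.2.12, and only a bumped floor (`~> 3.2.13`) excludes the older release outright.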