Hello, I'd like to ask why is Rails fixing its version, like gem 'rails', '3.2.12' ? Given the recent attacks on Rails - wouldn't it be more secure to not fix the version? Maybe have something like '~>3.2.12' ?
on 2013-02-16 17:32
on 2013-02-16 17:38
On 02/16/2013 07:07 AM, Slava Vishnyakov wrote:
> I'd like to ask why is Rails fixing its version, like gem 'rails', '3.2.12' ?
> Given the recent attacks on Rails - wouldn't it be more secure to not fix the
> version?
> Maybe have something like '~>3.2.12' ?

While I agree, I don't see a valid complaint, considering you should be running bundle outdated yourself a couple of times a week and manually adjusting your Gemfile. Even if it has ~>, that is not an excuse not to manually adjust your versions, so that if you have to start with a blank Gemfile.lock you don't end up with the older version first.

That said, that's just me; I would never update without updating my Gemfile too.

If you really feel like having this issue fixed please file a ticket at http://github.com/rails/rails/issues/new
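To make the difference between the two Gemfile forms discussed above concrete, here is an added example that is not part of the thread or of Rails itself. It uses Gem::Requirement and Gem::Version, which ship with Ruby, to show which releases each requirement string admits and which one a single-gem bundle update would pick; the list of "available" versions is constructed for the illustration, not taken from rubygems.org. The point for a defender is that an exact pin never admits the patch release that carries a security fix, a pessimistic constraint such as ~> 3.2.12 admits later 3.2.x patches but not 3.3, and in all cases Gemfile.lock still records the exact version actually installed, so the Gemfile constraint only governs what bundle outdated and bundle update can reach.

```ruby
# Added example, not code from the thread: how RubyGems resolves a Gemfile
# version requirement against a constructed list of released versions.
# Gem::Requirement / Gem::Version come with RubyGems, which Ruby loads by default.

# Constructed sample of a 3.2.x / 3.3.x / 4.0 release line (illustration only).
AVAILABLE = %w[3.2.11 3.2.12 3.2.13 3.2.14 3.3.0 4.0.0].freeze

# All available versions the requirement string admits, in release order.
#   "3.2.12"    -> exactly 3.2.12      (what a bare pin in the Gemfile means)
#   "~> 3.2.12" -> >= 3.2.12, < 3.3    (patch releases only)
#   "~> 3.2"    -> >= 3.2,    < 4.0    (minor releases too)
#   ">= 3.2.12" -> anything newer, including major bumps
def admitted(requirement, available = AVAILABLE)
  req = Gem::Requirement.new(requirement)
  available.select { |v| req.satisfied_by?(Gem::Version.new(v)) }
end

# The newest admitted version, i.e. what `bundle update <gem>` would choose
# for one gem with no other constraints in play. nil if nothing matches.
def resolve(requirement, available = AVAILABLE)
  versions = admitted(requirement, available).map { |v| Gem::Version.new(v) }
  newest = versions.max
  newest && newest.to_s
end

# Mimics what `bundle outdated` reports for one gem: is the version recorded in
# Gemfile.lock older than the newest version the Gemfile requirement admits?
def outdated?(requirement, locked, available = AVAILABLE)
  newest = resolve(requirement, available)
  !newest.nil? && Gem::Version.new(newest) > Gem::Version.new(locked)
end

if __FILE__ == $0
  ["3.2.12", "~> 3.2.12", "~> 3.2", ">= 3.2.12"].each do |r|
    puts "#{r.ljust(10)} admits #{admitted(r).join(', ')} ; resolves to #{resolve(r)}"
  end
  puts "locked 3.2.12 with '3.2.12'    outdated? #{outdated?('3.2.12', '3.2.12')}"
  puts "locked 3.2.12 with '~> 3.2.12' outdated? #{outdated?('~> 3.2.12', '3.2.12')}"
end
```

Run it with ruby and compare the "outdated?" lines: with the exact pin, bundle outdated has nothing to report even though 3.2.13 and 3.2.14 exist, which is exactly the situation the question is worried about; with the pessimistic constraint the newer patch releases show up, but only after someone runs the check and updates, which is the routine the reply above describes.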