Phil Pirozhkov

Results 551 comments of Phil Pirozhkov

CommandSocket is evil and not EM-aware (unless you monkeypatch TCPSocket). The same can be achieved using Listener::Inbound.

> suggest to upgrade

From the user standpoint? Practically, it's often easier said than done. See e.g. [GitLab 2.5.3 -> 2.6.3](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/57323). From the maintainers' standpoint? `rspec` supports Ruby down to 1.8.7...

> the advantages of "hard-yanking" over this

Hard-yanking should stay for cases like:

- mistakenly introduced severe security vulnerabilities or [bugs that could irreversibly corrupt data](https://rubygems.org/gems/devise/versions/3.5.0) [[1](https://github.com/heartcombo/devise/pull/5044)]
- [hijacking](https://rubygems.org/gems/strong_password/versions/0.0.7)

IANAL,...

> Can you explain on your examples why releasing new version isn't enough to fix the problem

Easy.

```ruby
# Gemfile
gem 'rspec-rails'
```

Releasing `rspec-rails` 4.0.1 didn't help because...

You got straight to the point. One `gem soft-yank rspec-rails -v 4.0.0` command issued by one gem maintainer vs thousands of projects having to specify version constraints in their `Gemfile`s.

I apologize for making this point, but I'm speaking not just as a developer of a project who is too lazy to update Ruby version, but as one of RSpec...

> the advantages of "hard-yanking" over this

Speaking of hard-yanking, I stick to the belief this should be reserved exclusively to the scenario when this is coordinated with the RubyGems...

@sonalkr132 Nice, thanks for the heads-up. I'm not a security specialist, but to me it's related to risk management, and whether to allow bundling certain gems or not should be...

Any conclusion? I can send an RFC PR, but would like to know that it's preliminarily agreed on. I see two options:

1. Introduce soft-yanking as a new feature.
2. ...

[Another case](https://github.com/rubocop/rubocop-rspec/commit/eed7439be0c90c7d79e264240f91ad0a924d5a80#r96342863) where soft-yanking or yanking with an alternate version would help mitigate a loose dependency mistake.