Comments (9)
clemens
commented on August 21, 2024
1
Not sure if it helps, but I toyed around with it a bit more and the minimal Gemfile with which I can trigger the problem seems to be this:
source 'https://rubygems.org'
gem 'rails'
gem 'rails-i18n'rails depends on railties, which depends on irb, which depends on rdoc, which depends on psych, which has a dependency on jar-dependencies on the Java platform, but not others.
And rails-i18n has a dependency on rails and then consequently the same transitive dependencies.
When I remove one or the other, the problem doesn't appear. But when I have both in my Gemfile, the problem is there.
The same is true when I replace either of them with vite_rails (= another package that depends on rails).
But the problem doesn't appear when I put in 2 packages that both depend on rdoc, but otherwise don't share transitive dependencies; e.g. this is fine:
source 'https://rubygems.org'
gem 'irb'
gem 'minitest'from ort.
sschuberth
commented on August 21, 2024
Thanks for the sophisticated report. In essence, this is a specific case of #4013.
from ort.
sschuberth
commented on August 21, 2024
I guess part of the problem is this line:
from ort.
clemens
commented on August 21, 2024
I haven't traced the whole call chain and I'm by no means a Kotlin expert, but based on the stack trace, the problem is in this function:
It seems that independent of that Ruby script that uses Bundler's own facilities to resolve dependencies, the RubyGems API is still queried directly, using ORT's HTTP client (at least that's how I'm interpreting okHttpClient.downloadText(url)).
This is also evidenced by the fact that ORT seems to be trying to resolve a dependency for the java version of the psych gem, even though Bundler is set to force the generic (= non-java) version for resolving.
If ORT were to solely rely on Bundler's mechanisms instead of querying the API manually, I think it might generally be fine, but you might want to either remove the Bundler.settings.set_global(:force_ruby_platform, true) (which could cause wrong results for basically any package with native extensions) or at least offer some kind of configuration option to allow to opt out of this. Because Bundler actually behaves correctly by default, IMO – see https://github.com/ruby/ruby/blob/e49d68bf2732cf467a1532283de4a1716e238677/lib/bundler/definition.rb#L634.
from ort.
clemens
commented on August 21, 2024
Further digging: According to the source code of rubygems.org, it is expected behavior that when not explicitly specifying platform, it picks whatever was last created.
For psych, this seems to be the Java version:
curl 'https://rubygems.org/api/v2/rubygems/psych/versions/5.1.2.yaml?platform=ruby'
...
created_at: '2023-12-19T02:06:51.830Z'
...
curl 'https://rubygems.org/api/v2/rubygems/psych/versions/5.1.2.yaml'
...
created_at: '2023-12-19T02:07:03.237Z'
...
Whereas e.g. for nokogiri (another multi-platform gem), it's Ruby:
curl 'https://rubygems.org/api/v2/rubygems/nokogiri/versions/1.16.5.yaml'
...
created_at: '2024-05-13T14:01:29.505Z'
...
curl 'https://rubygems.org/api/v2/rubygems/nokogiri/versions/1.16.5.yaml?platform=java'
...
created_at: '2024-05-13T14:01:04.168Z'
...
This still doesn't explain why sometimes it seems to be fine and sometimes it isn't (see my previous comment), but at least indicates that if ORT wants to have deterministic behavior, the platform needs to always be explicitly specified. (And which platform it is can be derived from Gemfile.lock only.)
from ort.
clemens
commented on August 21, 2024
Any news on this one, @sschuberth ? Can I help with further info?
Also, if the intention was to enforce ruby as a platform and it's just not working for that one part of the codebase, would it make sense to adapt this accordingly until a more elaborate fix (which takes into account all declared platforms) is in place?
from ort.
sschuberth
commented on August 21, 2024
Any news on this one, @sschuberth ? Can I help with further info?
I believe your info is more than sufficient, thank you @clemens. It's just that to be best of my knowledge no one from the community is planning to work on this (for free) in the near future. If you're interested in a commercial ORT support subscription that could accelerate this (also see #8381), feel free to contact any of the mentioned parties directly.
from ort.
clemens
commented on August 21, 2024
That's understandable. :)
Would you accept an MR that appends ?platform=ruby to the problematic URL so that the problem is at least consistent and in line what you apparently intended with
from ort.
sschuberth
commented on August 21, 2024
Would you accept an MR that appends
?platform=rubyto the problematic URL
Sounds reasonable. But for me it's the easiest to tell from the diff of a MR / PR, as that would need to include any necessary changes to the expected test results.
from ort.
Related Issues (20)
- Make vulnerability icons better distinguishable in web app HOT 1
- Bazel: Support `archive_override` HOT 16
- Bazel: Support `local_path_override` HOT 1
- Bazel: disable Bazelisk optional wrapper script when fetching the version of Bazel HOT 4
- OutOfMemoryError while generating 'SpdxDocument' report HOT 3
- Migrate the Opossum reporter from Jackson to kotlinx-serialization (KxS) HOT 3
- Add a JTE reporter
- Add Zeiss to `ADOPTERS.md`
- Curations for direct conan dependency are not being applied (but for transitive dependencies they are working) HOT 2
- Please consider adopting OpenSSF Scorecard HOT 4
- CycloneDX SBOM files (XML,JSON) are empty for packages with empty licenses HOT 8
- config.yml is recognized but not used HOT 4
- Add support for Cargo's virtual workspaces
- Drop support for several old versions of ScanCode HOT 3
- Separate the data model storage format from the API that is supposed to be used
- Replacement for `git://` URLs does not seem to be working for submodules
- C# project references are handled like package references HOT 1
- Enhance Git tag matching to auto resolve ambigous results in some case HOT 1
- Bazel: Support `local_path` type in package metadata
- Path Excludes not working when workspaces are introduced in the code repository based on NPM, PNPM, Yarn2 HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ort.