# pact-ruby
Hi Pact team, quick query re: ruby version of pact ruby standalone. Saw it got bumped to ruby 3.2.2 a few months back, which is fantastic news! My question is, is the pact team gonna track security vulns related to the ruby version and update accordingly? Just need to understand what the maintenance looks like going forward, as our security team will need that info prior to installing the standalone on our end. Thanks a lot!
We are using a fork of the traveling-ruby build system https://github.com/YOU54F/traveling-ruby, so we have the ability to update as and when. We use dependabot on the pact-ruby-standalone repo to track gem updates. OSS software is provided without warranty, given or implied. The source can be updated by anyone and PRs proposed to patch any vulns. What is the expectation of the security team?
Now that doesn’t mean we don’t want to ensure it’s fully supported, and patched, but it’s a team effort and users of OSS must be prepared to help support projects they use, and your security team should take this into consideration.
Hi Yousaf, thanks for the thorough reply. That is absolutely reasonable. We use dependabot also - so likely whatever flags up for us will flag up for you, too. I think expectation is just that it's not left alone/not updated with suggested patches etc. But as it's an active project and you guys are on top of it, we'll make sure to keep an eye out on anything that can be helped with, too. Thanks again for sorting the higher version of ruby in the project, it's making our life much easier! 😄 🌷