summary refs log tree commit homepage
diff options
context:
space:
mode:
authorEric Wong <normalperson@yhbt.net>2009-10-16 13:46:18 -0700
committerEric Wong <normalperson@yhbt.net>2009-10-16 13:54:57 -0700
commit580d242fbfe95ea2ce7709f90f25e655bc2d93ac (patch)
tree19dd8da1e1f3d3d346a042bf0470b9af17b6e914
parent370cb0670d1b1841ae19e871e7aee4fec167d4e8 (diff)
In short: upgrade to Rails 2.3.4 (or later)

ref: http://mid.gmane.org/20091014221552.GA30624@dcvr.yhbt.net
Note: the workaround described in the article above only made
the issue more subtle and we didn't notice them immediately.
-rw-r--r--KNOWN_ISSUES13
-rw-r--r--unicorn.gemspec4
2 files changed, 17 insertions, 0 deletions
diff --git a/KNOWN_ISSUES b/KNOWN_ISSUES
index 436997d..979ac9d 100644
--- a/KNOWN_ISSUES
+++ b/KNOWN_ISSUES
@@ -1,5 +1,18 @@
 = Known Issues
 
+* Rails 2.3.2 bundles its own version of Rack.  This may cause subtle
+  bugs when simultaneously loaded with the system-wide Rack Rubygem
+  which Unicorn depends on.  Upgrading to Rails 2.3.4 (or later) is
+  strongly recommended for all Rails 2.3.x users for this (and security
+  reasons).  Rails 2.2.x series (or before) did not bundle Rack and are
+  should be unnaffected.  If there is any reason which forces your
+  application to use Rails 2.3.2 and you have no other choice, then
+  you may edit your Unicorn gemspec and remove the Rack dependency.
+
+  ref: http://mid.gmane.org/20091014221552.GA30624@dcvr.yhbt.net
+  Note: the workaround described in the article above only made
+  the issue more subtle and we didn't notice them immediately.
+
 * Installing "unicorn" as a system-wide Rubygem and using the
   {isolate}[http://github.com/jbarnette/isolate] gem may cause issues if
   you're using any of the bundled application-level libraries in
diff --git a/unicorn.gemspec b/unicorn.gemspec
index c5b4422..063b313 100644
--- a/unicorn.gemspec
+++ b/unicorn.gemspec
@@ -43,6 +43,10 @@ Gem::Specification.new do |s|
 
   s.test_files = test_files
 
+  # for people that are absolutely stuck on Rails 2.3.2 and can't
+  # up/downgrade to any other version, the Rack dependency may be
+  # commented out.  Nevertheless, upgrading to Rails 2.3.4 or later is
+  # *strongly* recommended for security reasons.
   s.add_dependency(%q<rack>)
 
   # s.licenses = %w(GPLv2 Ruby) # licenses= method is not in older Rubygems