Hi everyone:

I recently read this Rails security post
https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ
and tried to update a couple of stores on 0.70 in order to fix this
vulnerability, but I couldn't.
It turns out that Spree version 0.70.7 is tied to Rails 3.1.6, which
has the mentioned problem. Are there any issues in Spree 0.70 with a
newer version of Rails that justify this constraint? Can this
constraint be relaxed a bit to include the fixed version of
Rails?

Thanks in advance

--
Carlos E. Alarcón
Continuum Developer

--------------------------------------
"Simplicity is the ultimate form of sophistication."
Leonardo da Vinci

--
You received this message because you are subscribed to the Google Groups "Spree" group.
To post to this group, send email to spree-user@googlegroups.com.
To unsubscribe from this group, send email to spree-user+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/spree-user?hl=en.


  • Paul damer at Jan 10, 2013 at 2:54 pm
    Rather than cloning the whole repo including all Spree gems, you might
    have better luck if you unpack the gem like this*:

    gem unpack spree_core --target vendor/gems

    and then add this to your Gemfile:

    gem 'spree_core', :path => 'vendor/gems/spree_core-0.70.7'

    I did that to use a newer version of paperclip, and just updated the
    gemspec to use Rails 3.1.10; it has worked fine.

    Cheers,
    Paul Damer

    *found at:
    http://stackoverflow.com/questions/3646847/how-do-i-vendorize-gems-for-rails3-bundler
    On Wed, Jan 9, 2013 at 5:36 PM, Ryan Bigg wrote:
    If you're using an old version of Spree like that, I would recommend cloning
    the https://github.com/spree/spree repo into your app's directory
    (vendor/gems/spree), checking out the v0.70.7 tag and updating
    the spree_core.gemspec dependency yourself. The Spree core team is no longer
    supporting pre-1.1 versions of Spree, to ease the maintenance load on us.



  • Carlos Eduardo Alarcon at Jan 10, 2013 at 3:04 pm
    Thank you both for the tips
  • Francois at Feb 12, 2013 at 4:54 am
    +1 for re-enabling the 0.70.x branch.

    - Thanks,
    Francois


    On Saturday, January 12, 2013 5:25:20 AM UTC-8, Carlos Eduardo Alarcon
    wrote:
    Great, Tomek!

    Core Team, I second Tomek's motion to re-enable the 0.70.x branch, at least
    so that the community could be able to submit bug fixes and simple
    patches like this one. As Tomek said, a migration to version 1.x is
    not that easy, and version 0.70.7 is not that old, just from
    July 2012.
    Please don't discard this version yet; we aren't asking for new
    functionality in this branch, and there are a lot of stores using it.

    Best Regards

    Carlos

    On Sat, Jan 12, 2013 at 9:22 AM, Tomek "Tomash" Stachewicz wrote:
    Thanks for the gem unpack tip; it worked indeed, but after two extra steps:
    1. copy spree_core.gemspec from
    https://github.com/spree/spree/blob/v0.70.7/core/spree_core.gemspec
    2. edit this gemspec and put version = '0.70.7' in place of the second line
    (SPREE_VERSION is two directories up in the hierarchy)

    I know that I should update my Spree to one of the supported versions.
    But it's not that easy: many Spree extensions and stores are using the old API,
    and upgrading the Spree version might require a cascade of upgrades.

    Core devs, any chance of bringing back the 0.70.x branch just to release
    0.70.8 with a dependency on Rails 3.1.10? There are quite a lot of Spree
    stores based on 0.70.x.

    T.
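The procedure the thread converges on (Paul's gem unpack into vendor/gems plus the Gemfile :path line, Tomek's two extra steps to make the unpacked gemspec load, and the Rails bump to 3.1.10 that Paul applied and Ryan later asked for as a patch) can be scripted and, more importantly, verified. The script below is an added example written for this page; it is not code from the thread, from Spree or from the Grokbase archive. The gemspec text it edits is a constructed stand-in for core/spree_core.gemspec at tag v0.70.7 (assumed shape: version read from SPREE_VERSION two directories up, rails pinned to 3.1.6; compare with the real file on the tag before relying on the regexes), and the Gemfile.lock excerpt is likewise constructed. The script name patch_spree_gemspec.rb is a placeholder.

```ruby
require 'rubygems'
require 'tmpdir'

# Constructed stand-in for core/spree_core.gemspec at v0.70.7 (assumption: the
# real file reads SPREE_VERSION from two directories up and pins rails 3.1.6).
SAMPLE_GEMSPEC = <<~GEMSPEC
  # encoding: UTF-8
  version = File.read(File.expand_path("../../SPREE_VERSION", __FILE__)).strip

  Gem::Specification.new do |s|
    s.platform    = Gem::Platform::RUBY
    s.name        = 'spree_core'
    s.version     = version
    s.summary     = 'Constructed sample of the spree_core gemspec'
    s.authors     = ['Spree Commerce']
    s.files       = []

    s.add_dependency('rails', '= 3.1.6')
    s.add_dependency('paperclip', '~> 2.4.5')
  end
GEMSPEC

# Tomek's step 2: an unpacked gem has no SPREE_VERSION file, so the lookup
# must become a literal before the gemspec will load at all.
def pin_version(source, version)
  source.sub(/^version\s*=.*$/, "version = '#{version}'")
end

# The security fix itself: point the rails dependency at the patched release.
def bump_rails(source, rails_version)
  source.sub(/s\.add_dependency\(\s*['"]rails['"][^)]*\)/,
             "s.add_dependency('rails', '= #{rails_version}')")
end

def patch_gemspec(source, version: '0.70.7', rails_version: '3.1.10')
  bump_rails(pin_version(source, version), rails_version)
end

# Load the result the way RubyGems and Bundler do and report what it really
# declares; returns nil when the gemspec does not load (the unpatched copy
# fails here because SPREE_VERSION is missing from the vendored tree).
def declared_deps(gemspec_source)
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'spree_core.gemspec')
    File.write(path, gemspec_source)
    spec = Gem::Specification.load(path)
    next nil unless spec
    rails = spec.dependencies.find { |d| d.name == 'rails' }
    { version: spec.version.to_s, rails: rails && rails.requirement.to_s }
  end
end

# Constructed Gemfile.lock excerpt, as it should look after `bundle update rails`.
LOCK_EXCERPT = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (3.1.10)
        actionpack (= 3.1.10)
      spree_core (0.70.7)
        rails (= 3.1.10)
LOCK

# The rails version the store actually resolved to: the lock file, not the
# gemspec, is what gets deployed, so this is the line to check in production.
def locked_rails_version(lockfile)
  m = lockfile.match(/^ {4}rails \(([^)]+)\)$/)
  m && m[1]
end

if __FILE__ == $PROGRAM_NAME
  if (path = ARGV[0])
    # ruby patch_spree_gemspec.rb vendor/gems/spree_core-0.70.7/spree_core.gemspec
    File.write(path, patch_gemspec(File.read(path)))
    p declared_deps(File.read(path))
  else
    patched = patch_gemspec(SAMPLE_GEMSPEC)
    puts patched
    p declared_deps(SAMPLE_GEMSPEC)   # nil: the unpatched copy does not load
    p declared_deps(patched)          # version "0.70.7", rails "= 3.1.10"
    p locked_rails_version(LOCK_EXCERPT)
  end
end
```

Run it after `gem unpack spree_core --target vendor/gems` and the Gemfile :path line, then `bundle update rails` and check that Gemfile.lock resolved rails to 3.1.10 rather than trusting the gemspec edit. The script pins `= 3.1.10` exactly as the thread did; a `~> 3.1.10` requirement would let later 3.1.x security releases in without another gemspec edit, at the cost of the Bundler resolution no longer being fixed by the gemspec alone.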
  • Carlos Eduardo Alarcon at Feb 12, 2013 at 2:18 pm
    Thanks Ryan:

    That's the attitude! At least I'll be sufficiently satisfied if I
    could just apply the patches to solve the latest Rails issues. Serious
    enough, right?

    Thanks again

    Carlos
    On Tue, Feb 12, 2013 at 3:20 AM, Ryan Bigg wrote:
    Done: https://github.com/spree/spree/tree/0-70-stable

    Only *serious* security patches will be accepted for this branch. Nothing
    else.

  • Ryan Bigg at Feb 12, 2013 at 8:28 pm
    Yes. Please submit a patch to do the Rails bump.


Discussion Overview
group: spree-user
category: rubyonrails
posted: Jan 9, 2013 at 4:06 PM
active: Feb 12, 2013 at 8:28 PM
posts: 6
users: 4
website: spreecommerce.com
irc: #RubyOnRails

site design / logo © 2022 Grokbase