being confused about libraries

[Ruby Newbee]

Hello,

When running gem I always need to add this lib and that lib (I'm using
an ubuntu desktop linux).

For example, for sqlite3, sometime I installed it:
gem install sqlite3-ruby

While some other time I installed it:
apt-get install sqlite3

So what's the relation between the system "sqlite3" and (most likely)
ruby's "sqlite3-ruby"?

Thanks.
Jenn.

 

[Phillip Gawlowski]

Hello,

When running gem I always need to add this lib and that lib (I'm using
an ubuntu desktop linux).

For example, for sqlite3, sometime I installed it:
gem install sqlite3-ruby

While some other time I installed it:
apt-get install sqlite3

So what's the relation between the system "sqlite3" and (most likely)
ruby's "sqlite3-ruby"?

Ubuntu (and other distros) package gems within their own package
management system. The reasons are many, but for example this allows
more fine-grained dependency tracking than RubyGems provides, and allows
the distribution to make a gem fit into the distribution's file system
layout.

Another (side) benefit is that bugfixes are applied at the same time as
the whole system updates. One step, instead of two.

 

[Marvin Gülker]

Ubuntu (and other distros) package gems within their own package
management system.

That's true, but the sqlite3 package isn't a Ruby one:
"
A command line interface for SQLite 3

SQLite is a C library that implements an SQL database engine.
Programs that link with the SQLite library can have SQL database
access without running a separate RDBMS process.
"

The Ruby packages (for Ubuntu) are:
libsqlite3-ruby1.8
libsqlite3-ruby1.9

Marvin

 

[Roger Braun]

Hi,

So what's the relation between the system "sqlite3" and (most likely)
ruby's "sqlite3-ruby"?

Usually, the Ubuntu package is the library written in C (or some other
language) and the gem provides a ruby wrapper for these libraries.
That's why you need both.

 

[Ruby Newbee]

I have the following sqite3 for ruby installed:

$ gem list *sqlite3*

*** LOCAL GEMS ***

dbd-sqlite3 (1.2.5)
sqlite3 (0.0.6)
sqlite3-ruby (1.2.5)


And these system libraries:

$ dpkg -l *sqlite3*

ii libsqlite3-0 3.6.16-1ubuntu1
SQLite 3 shared library
ii libsqlite3-dev 3.6.16-1ubuntu1
SQLite 3 development files
ii libsqlite3-ruby 1.2.4-2
SQLite3 interface for Ruby
ii libsqlite3-ruby1.8 1.2.4-2
SQLite3 interface for Ruby 1.8
ii sqlite3 3.6.16-1ubuntu1
A command line interface for SQLite 3


So what's the relations among them? Thanks again.

 

[Phillip Gawlowski]

I have the following sqite3 for ruby installed:

$ gem list *sqlite3*

*** LOCAL GEMS ***

dbd-sqlite3 (1.2.5)
sqlite3 (0.0.6)
sqlite3-ruby (1.2.5)


And these system libraries:

$ dpkg -l *sqlite3*

ii libsqlite3-0 3.6.16-1ubuntu1
SQLite 3 shared library
ii libsqlite3-dev 3.6.16-1ubuntu1
SQLite 3 development files
ii libsqlite3-ruby 1.2.4-2
SQLite3 interface for Ruby
ii libsqlite3-ruby1.8 1.2.4-2
SQLite3 interface for Ruby 1.8
ii sqlite3 3.6.16-1ubuntu1
A command line interface for SQLite 3

libsqlite3-ruby* is the sqlite3-ruby gem (the first one seems to be a
meta package, once Ubuntu switches to Ruby 1.9 by default, so that 1.9
versions of gems get pulled by apt-get / synaptic).

libsqlite3-0 and libsqlite3-dev are the plain old C based SQLite3
binaries and development packages, unrelated to Ruby, unless you build
the native extension of the gem (which only needs the -dev package,
technically speaking).

 

[Brian Candler]

Hi,



Usually, the Ubuntu package is the library written in C (or some other
language) and the gem provides a ruby wrapper for these libraries.
That's why you need both.

Not exactly.

If you "apt-get install libsqlite3-ruby", then you get Ubuntu's package
containing the ruby library which talks to the C library (libsqlite3-0).
The C library is automatically installed as a dependency. This is not a
gem; the code is installed under ruby's site library directory.

If you install the gem ("gem install sqlite3-ruby") then rubygems
fetches, builds and installs its own version of this ruby library. In
order for this to work, not only does the C library have to be present,
but also the C library's header files (libsqlite3-dev), the Ruby header
files (ruby-dev) and the C compiler (build-essential)

You only need one or other of these to access sqlite3 from ruby.

The advantage of the gem approach is you can easily update it if a new
version of the sqlite3-ruby gem is released. Ubuntu won't update their
package unless there's a security issue, or until you move to the next
version of Ubuntu.

 

[Phillip Gawlowski]

If you "apt-get install libsqlite3-ruby", then you get Ubuntu's package
containing the ruby library which talks to the C library (libsqlite3-0).
The C library is automatically installed as a dependency. This is not a
gem; the code is installed under ruby's site library directory.

While not the gem per se, it is the same code used as if you would do a
sudo gem install sqlite3-ruby

The advantage of the gem approach is you can easily update it if a new
version of the sqlite3-ruby gem is released. Ubuntu won't update their
package unless there's a security issue, or until you move to the next
version of Ubuntu.

<rant>
The disadvantage of the gem approach is security:

For one, RubyGems pretty much requires root access to some directories,
for another, it makes no distinction between compile- and install-time,
so the compiler runs as root, allowing me to potentially exploit a
vulnerability in the compiler to get a backdoor installed.

Or just do a "rm -rf /", if I were unimaginative.

RubyGems will happily overwrite anything in /usr/bin/, so I can include
a /usr/bin/less file that grants me root access:
https://bugs.gentoo.org/show_bug.cgi?id=278566

And yes, the issue is known:
http://redmine.ruby-lang.org/issues/show/1800

And unless you check certificates (against what? Is there a default
keystore, like a "rubyist-keyring"?), you cannot verify the integrity of
a package.

So, trading convenience against security. Be aware of the risks that
carries with it.

Oddly this is less of an issue on Windows, since Ruby is self-contained
there, and happily so, and wreaking a Windows isntall is exceptionally
difficult by now.
</rant>