rvm: Manage Your Rubies With an Ill-Managed Manager
rvm is a tool for maintaining multiple versions of ruby, as well as maintaining project-specific sets of gem dependencies. When I first learnt about it this week it sounded like a very useful tool, although it’s unfortunate that gems are so awkward to manage that it should be necessary in the first place.
Yesterday my first task was to update rspec. Which in turn required an update to rubygems before it would install. But who manages rubygems? It could be rvm, or rubygems itself, or apt, or even maybe bundler.
I looked through the documentation, and the most appropriate answer seemed to be that rvm should manage rubygems. I quote from the documentation:
rvm action [interpreter] [flags] [options]
where update is an action, and one of the flags is --rubygems:
--rubygems - with update, updates rubygems for selected ruby
So I diligently typed
rvm update --rubygems
And what did rvm do? It proceeded to attempt to update itself, instead of rubygems. If you want to upgrade rubygems, you’re supposed to type:
rvm --rubygems update
(note that this is incorrect according to the above documentation, but is how I eventually coerced it into upgrading rubygems (this bug has since been fixed))
The accidental upgrade might have been okay, if its upgrade process were anything but Completely Insane. It goes thusly:
- download a file from an unsecured HTTP location
- without verifying any sort of checksum, signature or even HTTP status code, pipe the output directly into a bash shell
- this script clones a github repository, and proceeds to install the absolute latest revision, whatever that might be
Hilarity ensues. I got a bash syntax error, but evidently not early enough in the process to stop rvm from destroying itself, requiring me to delete everything related to it and install from scratch.
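For contrast with the process above, an added example (not rvm's code) that downloads to a file, rejects HTTP errors and plain HTTP, checks a pinned SHA-256 and parses the whole script before running any of it, so a truncated or broken download never gets half-executed. The function names, the pinned digest and the stand-in installer are constructed for the illustration.

```shell
#!/bin/sh
# Added example: fetch, verify, then run, instead of piping a download into bash.
# The URL argument and pinned digest are placeholders, not real rvm values.

# Download to a file. --fail makes HTTP errors a non-zero exit;
# --proto '=https' refuses plain-HTTP URLs.
fetch_installer() {  # usage: fetch_installer URL OUTFILE
    curl --fail --silent --show-error --proto '=https' --output "$2" "$1"
}

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# 0 = ok, 1 = missing or empty, 2 = digest mismatch, 3 = does not parse
verify_installer() {  # usage: verify_installer FILE EXPECTED_SHA256
    [ -s "$1" ] || return 1
    [ "$(sha256_of "$1")" = "$2" ] || return 2
    sh -n "$1" 2>/dev/null || return 3
}

# Execute the file only once every check has passed.
run_verified() {  # usage: run_verified FILE EXPECTED_SHA256
    verify_installer "$1" "$2" || {
        rc=$?
        echo "refusing to run $1 (check $rc failed)" >&2
        return "$rc"
    }
    sh "$1"
}

# Constructed demo (offline): a stand-in installer and a truncated copy.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'if true; then\n  echo "installed"\nfi\n' > "$demo_dir/good.sh"
printf 'if true; then\n  echo "inst' > "$demo_dir/truncated.sh"
pinned=$(sha256_of "$demo_dir/good.sh")  # in practice published out of band

run_verified "$demo_dir/good.sh" "$pinned"
run_verified "$demo_dir/truncated.sh" "$pinned" || echo "truncated copy rejected"
```

The digest only helps if it reaches you by a different, trusted channel than the script itself; a checksum fetched from the same unsecured location proves nothing.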
Security? ignored.
Sanity checking? skipped.
Dependencies? get them yourself.
Update management? The website says “make sure you run this command frequently”.
I don’t know that I want such a tool trying to manage my dependencies, thank you very much…
The most painful thing, of course, is that it’s yet another buggy, language-specific implementation of the principles that zero-install does so much better (and simpler). If you don’t have global state, suddenly it’s really not that hard to keep things from interfering with each other.
Oh, and did I mention how rvm integrates with your shell, so that when you cd into a project directory, it automatically sets up your ruby version and gems? Except that when you open a new shell in the same location, you have to cd out of your project directory and then back in or else you’ll see the system version of ruby and your gems, and things will be broken in very odd ways. Splendid.