spohlenz/tinymce-rails

Any big reason to yank version 7.1.1 released 3 weeks ago?

oboxodo opened this issue · 1 comment

Hi there. Today we had a production deployment halted because, at the time of installing the gems on the new servers, we had v7.1.1 in Gemfile.lock but it wasn't found on rubygems.org.

I understand you guys released v7.1.2.1 and yanked both 7.1.1 and 7.1.2. There's no changelog or history file, but looking at the commit history I found this comment: #313 (comment)

So I wonder if yanking those versions was actually necessary or not, considering we might not be the only ones already depending on one of those versions. IIUC the only problem with those versions was that they included unneeded files in the gem, so it's not like they included a trojan or some important security flaw.

This was easy to resolve on our end by reverting to the previous 7.1.0 version until we have time to test with the new 7.1.2.1 version in the next few days... but it did cause some havoc, and we wanted to let you know because we guess it could've affected someone else too.

Again, I'm not against yanking faulty builds when they're dangerous or even in this case if the release was fresh from the day... I just think the problem is that 3 weeks after release means a lot of people might've updated already.

Thanks!
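The failure described above (a version pinned in Gemfile.lock that the index no longer serves) is only discovered when `bundle install` runs on the new servers. A pre-deploy check can surface it earlier: parse the GEM specs out of Gemfile.lock and compare each pinned version against what rubygems.org still lists. The script below is an added example written for this page, not code from tinymce-rails or from Bundler. The function names (`pinned_gems`, `fetch_available_versions`, `yanked_pins`) are my own, the sample lockfile and index contents are constructed, and the fetcher assumes that the rubygems.org v1 versions endpoint omits yanked releases.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Parse the "GEM ... specs:" sections of a Gemfile.lock and return the pinned
# gems as an Array of [name, version] pairs. Only the 4-space-indented lines
# are gem specs; the 6-space-indented lines beneath them are dependencies.
# GIT and PATH sections are skipped because those gems do not come from the index.
def pinned_gems(lockfile_text)
  pins = []
  in_gem_section = false
  lockfile_text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A[A-Z]/ # section header such as GEM, PLATFORMS, DEPENDENCIES
      in_gem_section = (line == 'GEM')
      next
    end
    next unless in_gem_section
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      pins << [m[1], m[2]]
    end
  end
  pins
end

# Versions of one gem that rubygems.org still serves, via the v1 versions API.
# Assumption: this endpoint lists only non-yanked versions, so a yanked release
# simply disappears from the array. Needs network access; the offline sample
# below does not call it.
def fetch_available_versions(gem_name)
  uri = URI("https://rubygems.org/api/v1/versions/#{gem_name}.json")
  JSON.parse(Net::HTTP.get(uri)).map { |v| v['number'] }
end

# Return the [name, version] pins absent from `available`, a Hash of
# gem name => Array of version strings. A platform suffix such as
# "1.16.0-x86_64-linux" is stripped first because the API reports the
# bare version number and the platform separately.
def yanked_pins(lockfile_text, available)
  pinned_gems(lockfile_text).reject do |name, version|
    number = version.split('-').first
    Array(available[name]).include?(number)
  end
end

# Constructed sample lockfile modelled on the situation in the issue:
# tinymce-rails 7.1.1 is pinned, but the index now only has 7.1.0 and 7.1.2.1.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      railties (7.1.3)
        actionpack (= 7.1.3)
      tinymce-rails (7.1.1)
        railties (>= 3.1.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    tinymce-rails

  BUNDLED WITH
     2.5.6
LOCK

# Constructed stand-in for what fetch_available_versions would return per gem.
SAMPLE_INDEX = {
  'railties'      => ['7.1.3', '7.1.2'],
  'tinymce-rails' => ['7.1.0', '7.1.2.1'],
}.freeze

if __FILE__ == $PROGRAM_NAME
  missing = yanked_pins(SAMPLE_LOCKFILE, SAMPLE_INDEX)
  if missing.empty?
    puts 'All pinned versions are still available.'
  else
    missing.each do |name, version|
      puts "#{name} #{version} is pinned in Gemfile.lock but no longer on the index (yanked?)"
    end
  end
end
```

In a real pipeline you would build the `available` hash by calling `fetch_available_versions` for each name returned by `pinned_gems` (or by reading the compact index Bundler itself uses) and fail the deploy when `yanked_pins` returns anything, so the problem shows up in CI rather than mid-rollout.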

In hindsight, yanking the bulky gem releases was almost certainly an overreaction to the issue. I'll reconsider before doing that in future.