Pin dependency versions for Ruby <2.7

[spectrogram]

This change pins the versions of aws-sigv4 and aws-eventstream used with Ruby <2.7. AWS recently dropped support for Ruby 2.5/2.6 and because there is no version pinning for aws-sigv4 in the gemspec otherwise, it tries to download the latest version which is incompatible with these older versions of Ruby.

Without this change, installations fail with something similar to the following:

---- Begin output of /opt/chef/embedded/bin/gem install vault -q --no-rdoc --no-ri -v "0.18.2" --source=https://www.rubygems.org ----
STDOUT:
STDERR: ERROR:  Error installing vault:
The last version of aws-eventstream (~> 1, >= 1.0.2) to support your Ruby & RubyGems was 1.3.2. Try installing it with `gem install aws-eventstream -v 1.3.2` and then running the current command again
aws-eventstream requires Ruby version >= 2.7. The current ruby version is 2.5.0.
---- End output of /opt/chef/embedded/bin/gem install vault -q --no-rdoc --no-ri -v "0.18.2" --source=https://www.rubygems.org ----
Ran /opt/chef/embedded/bin/gem install vault -q --no-rdoc --no-ri -v "0.18.2" --source=https://www.rubygems.org returned 1

[hashicorp-cla-app]

All committers have signed the CLA.

[hashicorp-cla-app]

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

_{Have you signed the CLA already but the status is still pending? Recheck it.}

[khiav223577]

Maybe we should fix the gemspec of aws-sigv4 first, it seems to be the root cause.

gem install aws-sigv4
ERROR:  Error installing aws-sigv4:
        The last version of aws-eventstream (~> 1, >= 1.0.2) to support your Ruby & RubyGems was 1.2.0. Try installing it with `gem install aws-eventstream -v 1.2.0` and then running the current command again
        aws-eventstream requires Ruby version >= 2.7. The current ruby version is 2.4.9.362.

[spectrogram]

Maybe we should fix the gemspec of aws-sigv4 first, it seems to be the root cause.

gem install aws-sigv4
ERROR:  Error installing aws-sigv4:
        The last version of aws-eventstream (~> 1, >= 1.0.2) to support your Ruby & RubyGems was 1.2.0. Try installing it with `gem install aws-eventstream -v 1.2.0` and then running the current command again
        aws-eventstream requires Ruby version >= 2.7. The current ruby version is 2.4.9.362.

I'm not sure I follow - AWS were pretty explicit in dropping support for versions earlier than 2.7. Even if we were to fix the version restrictions for aws-eventstream, aws-sigv4 itself would fail to install due to the Ruby version requirement.

[stanhu]

@khiav223577 Note that this was similar to what was done in #314.

This change ensures Ruby 2.5 and 2.6 will continue to function with this gem. It seems older versions of gem do not consider required_ruby_version: rubygems/rubygems#4110.

[khiav223577]

I’m doubtful that adding an if-condition in vault.gemspec would work as expected. When the gem is built, the .gemspec file is evaluated only once, and the resulting specification is based on the environment of the machine performing the build.

The final gemspec uploaded to RubyGems appears to include only the resolved dependencies from the build-time environment. We can see the vault gem lists only a single runtime dependency: aws-sigv4 >= 0 which reflects the line spec.add_runtime_dependency "aws-sigv4" in the vault.gemspec file.

[stanhu]

I’m doubtful that adding an if-condition in vault.gemspec would work as expected. When the gem is built, the .gemspec file is evaluated only once, and the resulting specification is based on the environment of the machine performing the build.

I thought that too, but it turns out the conditionals are evaluated in Gem::Specification.load: https://github.com/rubygems/rubygems/blob/5d331faa39124fe17364a249478c7fbd7880d2d4/lib/rubygems/specification.rb#L1093

RubyGems only shows one version, but that's probably because it's simpler just to show that. However, when gem install runs, the .gemspec is evaluated.

We have confirmed that this change does do the right thing for Ruby 2.5 and 2.6.

[khiav223577]

The author of PR #314 left a comment here, mentioning that he's still unable to install the gem on Ruby 2.3. If the conditional logic in the gemspec is evaluated at install time, can we confirm whether this issue has been resolved in version 0.18.2?
cc @kumar1202

[stanhu]

Ah, indeed, this conditional doesn't work after all.

I did some testing and found that with a forked gem that has these conditionals (https://rubygems.org/gems/gl-vault), the versions dependencies generated in the resulting .gem metadata are always used whenever gem install <gem> is called. I believe RubyGems indexes that metadata file.

With gem install --verbose, I noticed that the client downloads this file:

https://rubygems.org/quick/Marshal.4.8/gl-vault-0.19.0.gemspec.rz

Using this script, we can decode the dependencies:

require 'net/http'
require 'zlib'

uri = URI('https://rubygems.org/quick/Marshal.4.8/gl-vault-0.19.0.gemspec.rz')
compressed_data = Net::HTTP.get(uri)

decompressed_data = Zlib::Inflate.inflate(compressed_data)

gemspec = Marshal.load(decompressed_data)

puts gemspec.dependencies.map(&:inspect)

The result:

<Gem::Dependency type=:runtime name="aws-sigv4" requirements="= 1.11.0">
<Gem::Dependency type=:runtime name="aws-eventstream" requirements="= 1.3.2">
<Gem::Dependency type=:development name="bundler" requirements="~> 2">
<Gem::Dependency type=:development name="pry" requirements="~> 0.13.1">
<Gem::Dependency type=:development name="rake" requirements="~> 12.0">
<Gem::Dependency type=:development name="rspec" requirements="~> 3.5">
<Gem::Dependency type=:development name="yard" requirements="~> 0.9.24">
<Gem::Dependency type=:development name="webmock" requirements="~> 3.8.3">
<Gem::Dependency type=:development name="webrick" requirements="~> 1.5">

[khiav223577]

I looked deeper into the RubyGems source code to understand what happens when running gem install vault.

It turns out that dependency resolution is handled via the URL: https://index.rubygems.org/info/vault (source code).

From what I can see, any conditional logic in the gemspec doesn’t appear to be reflected in the dependency data returned from that endpoint.

[khiav223577]

I think this approach could help resolve the dependency issues across different Ruby versions:

Release v0.18.2.1 when .gemspec:

• required_ruby_version: >= 2.0, < 2.5
• runtime_dependency: aws-sigv4, = 1.6.0
• runtime_dependency: aws-eventstream, = 1.2.0

Release v0.18.2.2 when .gemspec:

• required_ruby_version: >= 2.5, < 2.7
• runtime_dependency: aws-sigv4, = 1.11.0
• runtime_dependency: aws-eventstream, = 1.3.2

Release v0.18.3 when .gemspec:

• required_ruby_version: >= 2.7
• runtime_dependency: aws-sigv4 (no pinning necessary if newer versions work)

In the future, we might consider dropping support for Ruby versions older than 2.7 to reduce maintenance overhead, since maintaining three parallel releases can become burdensome.

What do you think?

[stanhu]

From what I can see, any conditional logic in the gemspec doesn’t appear to be reflected in the dependency data returned from that endpoint.

Right, that's what I was saying in #347 (comment).

What do you think?

Sounds like a good plan to me.