Arvados

After being installed (via RVM or building from source), Ruby does not get updated along with other OS packages via "yum update", "apt-get upgrade", etc. This way it can stay stale for years. Possible ways to mitigate this:

• Recommend (and document the process for) regular updates in the install guide.
• Encode the Ruby version as a dependency in our Ruby-based services (perhaps ruby '2.1.6' in Gemfile? bundler docs explicitly say "can't specify patchlevel" and don't mention whether "~>" is supported, so perhaps a different mechanism.)
• Put Ruby packages in our own package repos, and recommend installing those. (Related: if we also support chruby in the places where we already have explicit RVM support, we can accommodate multiple ruby versions on a single machine but leave open the possibility of installing the rubies with the system's native package manager.)

RVM has an additional problem: it lags behind Ruby updates. Currently, even a fresh install gives you Ruby 2.1.5 if you follow the RVM option (which is presented first) even though 2.1.6 fixes security bugs and has been out for months. Possible ways to mitigate this:

• Don't use RVM, or any other ruby-switcher that acts as a Ruby version gatekeeper but isn't updated aggressively. (chruby seems to be the switcher without this problem.)
• Use RVM but tell it to build from source ("rvm install --disable-binary"?). This doesn't seem to help; currently the build recipes are just as outdated as the binary packages.