
Re: [ruby-112] deciding on what versions of ruby and rails

From: Godfrey C.
Sent on: Sunday, February 3, 2013 11:30 AM
If the gems you depend on do not work on new versions of rails, then it might be a sign that they are no longer actively being developed and maintained, which is probably a red flag for security. (Do you know which of your gems uses Yaml.load on potentially unsafe user input?)

Also, if you look at this (https://groups.google.com/forum/m/?fromgroups#!topic/rubyonrails-security/G4TTUDDYbNA), Rails 3.0 is actually NOT among the list of Rails versions that the core team currently issues security updates for. They have been taking care of 3.0 users for the last few severe CVEs, but as far as I can tell, there's no guarantee that it'll keep happening. And since Rails 4 is on the radar, even 3.1 would be bumped off some of those lists pretty soon. Also, as noted in the linked thread, Ruby 1.8 is reaching EOL soon.

So security-wise, I think there's no question that Rails 3.2 + Ruby 1.9 + gems actively maintained by trusted developers would be the best combo. You just gotta decide if you could afford to invest the time in upgrading. In light of the recent security issues, it probably is.

Godfrey

On Sunday, February 3, 2013, Clayton Cottingham wrote:
with all the security issues lately, and my own battling of different gems that have worked on rails3.0 and not on new versions, I've been trying to figure out how to evaluate which combination of ruby and rails to use

any insight appreciated
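
One way to answer the question raised in the reply above (which gems call YAML.load) is to scan the installed gem sources. The script below is an added example, not part of the original thread; `scan_file` and `audit_gems` are hypothetical helper names, and the directory layout (one sub-directory per gem) is an assumption.

```ruby
require "find"

# Matches YAML.load / Psych.load and load_stream, which instantiate arbitrary
# tagged objects. safe_load and load_file are intentionally not matched.
UNSAFE_YAML_CALL = /\b(?:YAML|Psych)\.(?:load_stream|load)\b/

# Returns [{line:, code:}, ...] for every non-comment line with an unsafe call.
def scan_file(path)
  hits = []
  File.foreach(path).with_index(1) do |raw, lineno|
    line = raw.scrub                      # tolerate files with invalid bytes
    next if line.lstrip.start_with?("#")  # skip whole-line comments
    hits << { line: lineno, code: line.strip } if line =~ UNSAFE_YAML_CALL
  end
  hits
end

# Walks a gems directory and groups hits by the top-level directory name,
# which is assumed to be "<gem>-<version>".
def audit_gems(root)
  report = {}
  Find.find(root) do |path|
    next unless File.file?(path) && path.end_with?(".rb")
    gem_name = path.delete_prefix(root).split(File::SEPARATOR).reject(&:empty?).first
    scan_file(path).each do |hit|
      (report[gem_name] ||= []) << hit.merge(file: path)
    end
  end
  report
end

# Usage: ruby audit_yaml.rb /path/to/gems
if __FILE__ == $PROGRAM_NAME && ARGV.first
  audit_gems(ARGV.first).sort.each do |gem_name, hits|
    puts "#{gem_name}: #{hits.length} call(s)"
    hits.each { |h| puts "  #{h[:file]}:#{h[:line]}  #{h[:code]}" }
  end
end
```

Point it at the `gems` directory under the path printed by `gem env gemdir`. Each hit is only a lead for manual review: what matters is whether the argument can come from user input.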


