Re: [ruby-112] deciding on what versions of ruby and rails

From: Clayton C.
Sent on: Sunday, February 3, 2013 12:17 PM
Sure! Who watchdogs the gems still in the system that are inactive, no longer usable, etc.? Why aren't they removed from the gem repos?
CPAN for Perl does this sort of check: if a Perl module fails, it isn't allowed to be searched and used, but one can still download at their own peril; it's just not available through the CPAN interface.


Moving to 3.2 isn't always a choice. Clients are running what they are running, and moving to a new version of Rails is a daunting task for some, and sometimes time and money are involved.

There has to be a less confusing way to evaluate these issues?


On Sun, Feb 3, 2013 at 11:30 AM, Godfrey Chan <[address removed]> wrote:
If the gems you depend on do not work on new versions of Rails, then it might be a sign that they are no longer actively being developed and maintained, which is probably a red flag for security. (Do you know which of your gems use YAML.load on potentially unsafe user input?)

Also, if you look at this (https://groups.google.com/forum/m/?fromgroups#!topic/rubyonrails-security/G4TTUDDYbNA), Rails 3.0 is actually NOT among the list of Rails versions that the core team currently issues security updates for. They have been taking care of 3.0 users for the last few severe CVEs, but as far as I can tell, there's no guarantee that it'll keep happening. And since Rails 4 is on the radar, even 3.1 would be bumped off some of those lists pretty soon. Also, as noted in the linked thread, Ruby 1.8 is reaching EOL soon.

So security-wise, I think there's no question that Rails 3.2 + Ruby 1.9 + gems actively maintained by trusted developers would be the best combo. You just gotta decide if you could afford to invest the time in upgrading. In light of the recent security issues, it probably is.

Godfrey

On Sunday, February 3, 2013, Clayton Cottingham wrote:
With all the security issues lately, and my own battling of different gems that have worked on Rails 3.0 and not on new versions, I've been trying to figure out how to evaluate which combination of Ruby and Rails to use.

Any insight appreciated.



--
Please Note: If you hit "REPLY", your message will be sent to everyone on this mailing list ([address removed])
http://www.meetup.com/vancouver-ruby/
This message was sent by Clayton Cottingham ([address removed]) from Vancouver Ruby Meetup Group.



--
Clayton Cottingham - WinterMarket Networks
Phone: (604)[masked] (702)[masked]
http://www.wintermarket.net
aim: drfrogrx msn: [address removed]
gmail: [address removed]
