Does anyone know when Rails will be updated for Ruby 1.8.3?

ruby-lang.org today notified of a security issue with Ruby 1.8.2 and recommended users upgrade to 1.8.3. However, Rails 0.13.1 has significant problems with Ruby 1.8.3 that have only been fixed in a beta release.

<http://www.ruby-lang.org/en/20051003.html>
<http://weblog.rubyonrails.com/archives/2005/09/21/ruby-1-8-3-has-been-released>

I'm surprised and concerned at this situation. It appears Rails is not tested with beta versions of Ruby (otherwise this problem might have been found earlier - Robby identified it by simply running a Rails app with 1.8.3), that Rails has not yet been updated with the fix given the length of time and the security issue, and that there's no clear statement prominently displayed on the Rails web site explaining how the Ruby security issue affects Rails and what options Rails users have.
On Mon, 2005-10-03 at 15:49 +1000, Dale Gillard wrote:

> Does anyone know when Rails will be updated for Ruby 1.8.3?
>
> ruby-lang.org today notified of a security issue with Ruby 1.8.2 and
> recommended users upgrade to 1.8.3. However, Rails 0.13.1 has
> significant problems with Ruby 1.8.3 that have only been fixed in a
> beta release.
>
> <http://www.ruby-lang.org/en/20051003.html>
>
> <http://weblog.rubyonrails.com/archives/2005/09/21/ruby-1-8-3-has-been-released>
>
> I'm surprised and concerned at this situation. It appears Rails is
> not tested with beta versions of Ruby (otherwise this problem might
> have been found earlier - Robby identified it by simply running a
> Rails app with 1.8.3), that Rails has not yet been updated with the
> fix given the length of time and the security issue, that there's no
> a clear statement prominently displayed on the Rails web site
> explaining how the Ruby security issue affects Rails and what options
> Rails users have.

Yes, this should be a bigger concern for the Ruby/Rails community. This means that us Rails people need to be testing the beta/rc's for Ruby before they release the new version. This should have been found by us much in advance and not the night[1] of the release.

[1] http://rubyurl.com/LYm

I'm not sure when the next version of Rails is going to be released, but I do know that in the future I will personally be more active in testing the upcoming Ruby releases with Rails so that these situations are less likely to occur.

My two cents,

-Robby

--
/******************************************************
 * Robby Russell, Owner.Developer.Geek
 * PLANET ARGON, Open Source Solutions & Web Hosting
 * Portland, Oregon | p: 503.351.4730 | f: 815.642.4068
 * www.planetargon.com | www.robbyonrails.com
 * Programming Rails | www.programmingrails.com
 *******************************************************/
reading the advisory it looks like this is only an issue in apps that allow the execution of user-supplied (or otherwise untrusted) Ruby code...

On 03/10/2005, at 3:49 PM, Dale Gillard wrote:

> Does anyone know when Rails will be updated for Ruby 1.8.3?
>
> ruby-lang.org today notified of a security issue with Ruby 1.8.2
> and recommended users upgrade to 1.8.3. However, Rails 0.13.1 has
> significant problems with Ruby 1.8.3 that have only been fixed in a
> beta release.
>
> <http://www.ruby-lang.org/en/20051003.html>
>
> <http://weblog.rubyonrails.com/archives/2005/09/21/ruby-1-8-3-has-been-released>
>
> I'm surprised and concerned at this situation. It appears Rails is
> not tested with beta versions of Ruby (otherwise this problem might
> have been found earlier - Robby identified it by simply running a
> Rails app with 1.8.3), that Rails has not yet been updated with the
> fix given the length of time and the security issue, that there's
> no a clear statement prominently displayed on the Rails web site
> explaining how the Ruby security issue affects Rails and what
> options Rails users have.
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
On Mon, 3 Oct 2005 15:56:54 +1000, russm wrote:

> reading the advisory it looks like this is only an issue in apps that
> allow the execution of user-supplied (or otherwise untrusted) Ruby
> code...

That's correct. It doesn't seem like an issue that would affect a large number of Ruby users or Rails apps. But then I'm new to both Ruby and Rails, so I could be dead wrong.

That this is a limited security issue doesn't mean a lot to me. What it does mean to me as a new Rails user is that there isn't a process to deal with new Ruby releases, or with security issues in Ruby. I think we need to address these issues because confidence in Rails is important to its growth.

The beauty of open source is that Robby was able to raise the issue and others were able to quickly find and fix the problem. Am I right in assuming it's now up to David and the Rails core developers to work out how and when to communicate these issues to everyone else, and when we get a stable Rails build that incorporates the fixes?

Dale

> On 03/10/2005, at 3:49 PM, Dale Gillard wrote:
>
>> Does anyone know when Rails will be updated for Ruby 1.8.3?
>>
>> ruby-lang.org today notified of a security issue with Ruby 1.8.2
>> and recommended users upgrade to 1.8.3. However, Rails 0.13.1 has
>> significant problems with Ruby 1.8.3 that have only been fixed in a
>> beta release.
>>
>> <http://www.ruby-lang.org/en/20051003.html>
In article <1128319012.8376.139.camel@linus>, robby.lists-/Lcn8Y7Ot69QmPsQ1CNsNQ@public.gmane.org says...

> This means that us Rails people need to be testing the beta/rc's for Ruby
> before they release the new version.

Personally, I know I would have been much more likely (even eager!) to install the betas if there had been some sort of short, English "What's New" changelog other than the long, obtuse list of cvs commits. Even now, with 1.8.3 released, I have *NO* idea what changed that actually affects developers of Ruby *apps*, as opposed to developers of Ruby itself. IIRC, the 1.8.3 release notes said "we don't have release notes yet but someone's thinking about working on them."

This is a sad state... Mats needs a tech writer!

--
Jay Levitt                |
Wellesley, MA             | I feel calm. I feel ready. I can only
Faster: jay at jay dot fm | conclude that's because I don't have a
http://www.jay.fm         | full grasp of the situation. - Mark Adler
Sounds like a volunteer to me!

Matthew

On 10/3/05, Jay Levitt <jay-news-WxwZQdyI2t0@public.gmane.org> wrote:

> This is a sad state... Mats needs a tech writer!
Hehe.. yes, I'd volunteer, but of course I'd need someone to explain it to me first, so that wouldn't make me a very useful tech writer...

In article <a9e7748c0510030938g165f7a6evd2edb27ded9e002-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>, matthew.newhook-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org says...

> Sounds like a volunteer to me!
>
> Matthew
>
> On 10/3/05, Jay Levitt <jay-news-WxwZQdyI2t0@public.gmane.org> wrote:
>
> > This is a sad state... Mats needs a tech writer!

--
Jay Levitt