Rails security resources

As we make the push toward releasing the platform I'm working on, we've installed exception_notification in our Rails app. With the increased visibility of every exception, it became apparent quite quickly that there were numerous hits against the server from automated vulnerability scanners. These attempts were causing routing errors as they looked for paths like '/user/soapCaller.bs' – thankfully not targeting Rails applications.
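
To keep that scanner noise from drowning out real routing errors, here is an added example (not code from the original post) that parses constructed access log lines, checks each request path against a constructed stand-in for the app's route table, and flags clients whose traffic is mostly misses; the IPs, paths and thresholds are all assumptions for the example:

```ruby
# Added example (not from the original post): count requests per client
# that match no Rails route and flag clients whose traffic is mostly misses.
# The log lines, route table and IP addresses below are constructed.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [01/May/2009:10:00:01 +1000] "GET / HTTP/1.1" 200 5123
  203.0.113.7 - - [01/May/2009:10:00:04 +1000] "GET /users/1 HTTP/1.1" 200 2210
  203.0.113.7 - - [01/May/2009:10:00:09 +1000] "GET /users/1/edit HTTP/1.1" 200 3005
  198.51.100.9 - - [01/May/2009:10:00:03 +1000] "GET /user/soapCaller.bs HTTP/1.1" 404 728
  198.51.100.9 - - [01/May/2009:10:00:03 +1000] "GET /phpmyadmin/ HTTP/1.1" 404 728
  198.51.100.9 - - [01/May/2009:10:00:04 +1000] "GET /wp-login.php HTTP/1.1" 404 728
  198.51.100.9 - - [01/May/2009:10:00:04 +1000] "GET / HTTP/1.1" 200 5123
  192.0.2.44 - - [01/May/2009:10:01:00 +1000] "GET /users/2 HTTP/1.1" 200 2210
  192.0.2.44 - - [01/May/2009:10:01:02 +1000] "GET /users/2/edt HTTP/1.1" 404 728
LOG

LogEntry = Struct.new(:client, :method, :path, :status)
LINE_RE = /\A(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+\z/

# Parse one common-log-format line; nil for lines that do not fit.
def parse_line(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  LogEntry.new(m[1], m[2], m[3], m[4].to_i)
end

# Constructed route table standing in for the app's routes.rb.
KNOWN_ROUTES = [%r{\A/\z}, %r{\A/users(/\d+(/edit)?)?\z}, %r{\A/session\z}].freeze

def routed?(path)
  KNOWN_ROUTES.any? { |re| re.match?(path.split('?', 2).first) }
end

# Per-client counts: { client => { total:, unrouted:, paths: [...] } }
def tally(log)
  stats = Hash.new { |h, k| h[k] = { total: 0, unrouted: 0, paths: [] } }
  log.each_line do |line|
    entry = parse_line(line) or next
    s = stats[entry.client]
    s[:total] += 1
    next if routed?(entry.path)
    s[:unrouted] += 1
    s[:paths] << entry.path
  end
  stats
end

# A client counts as a scanner when at least min_hits of its requests matched
# no route and those misses make up at least min_ratio of its traffic.
def scanner_clients(log, min_hits: 3, min_ratio: 0.5)
  tally(log).select { |_, s| s[:unrouted] >= min_hits && s[:unrouted].fdiv(s[:total]) >= min_ratio }.keys
end

scanner_clients(SAMPLE_LOG).each { |c| puts "probable scanner: #{c}" } if __FILE__ == $PROGRAM_NAME
```

The one mistyped URL from 192.0.2.44 stays below the threshold, so a genuine routing error from a real user still reaches the exception notifier.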

The arrival of this sort of scan was not particularly surprising to me as I've seen similar scans in the past. I've even actively dabbled in some security research by running a few honeypot projects, but I digress.

Even though these scans usually go after large installations such as WordPress, Drupal, Joomla and phpMyAdmin, it isn't stupid to take it as a reminder to keep up to date on security vulnerabilities. In the case of Ruby on Rails the starting point would be the rubyonrails-security Google group and the Ruby on Rails blog.

Another great resource is Rails Inside. Rails Inside usually picks up any serious flaws and relays them to the community. In addition to this, they follow new releases of popular plugins/gems that may form part of your app. The site provides an important service because keeping up-to-date is a good way of reducing the risk of being caught by a vulnerability that has been dutifully patched by the maintainer.

The above is certainly not a complete list, so I'd like to hear if there are any other Rails/Ruby security resources that you find useful.

Lighter weight deployment with git-deploy

Up until now I’ve been using a fairly standard Capistrano deploy.rb. The problem is that as we speak I’m trying to deploy a patch from my Windows work machine and it’s not working. The ethics of fixing one of my projects from home aside, this is a problem. When I try and deploy, the following error comes up:

can’t convert Net::SSH::Authentication::Pageant::Socket into IO (TypeError)

The change I was trying to deploy stops in its tracks. After quite a bit of searching I found a thread about the error that dates back to Capistrano 2.5.3… from 2008. What a shining example of open source.

To be fair the error isn’t necessarily in Capistrano, it may in fact be in Net::SSH. The sad thing is that we’re over a year later, and nothing has been done to fix the problem. Is the number of people that use Ruby from Windows machines so low that no-one has managed to fix it in a year?

I’m not expecting Jamis to fix it. I get that he has too much to do, and doesn’t have time to give out a bunch of freebie support, but I’m now faced with the choice of either trying to fix the problem, a task I don’t currently have time for, or ditching Capistrano.

I’ve considered switching to Heroku in the past and just never made the leap. For a start the app in question has too many moving parts for Heroku. One thing I did like though was the notion that to deploy all I had to do was ‘git push target master’ and the app would be updated and deployed.

After toying around with rolling my own solution, I stumbled upon mislav’s gem. It lacks some of the features that I’m looking for, but it’s a good deal closer to the level that I need. It lacks the bloat of Capistrano, which is important, because the biggest barrier to me getting in and fixing Capistrano would be the size of the library and knowing where to start.

I very quickly migrated my existing application to use git-deploy. It’s not perfect for every problem, particularly if you’re doing multi-stage deployments, etc., but at least I’ll be able to do a deployment everywhere I can get access to git now.

RE: Rails is not a ghetto, it’s a train station.

I accept planetmcd’s criticism of my previous post. I’m aware that I’m less than eloquent and my arguments less than logical at times.

I can’t say for sure whether anyone has ever done a presentation like that here. I do know that something like that wouldn’t be accepted, not just because of the images (sexual or not), but because it doesn’t conform to corporate standards. Ruby/Rails/Web2.0 has no such standards; more, the culture is one of being risky, on the edge, and of pushing the limits.

There are probably many ways that it could have been done better, but it wasn’t. The problem stems from not going to Matt and expressing that they didn’t like the presentation. They could have suggested using ‘Fragstar’ next time (via Renae Bair). Instead they chose to drag Rails through the mud publicly: “Here is a professional community that doesn’t respect women”.

I’m aware that Matt has defended his position, and that DHH may have made it worse, but I don’t condone the method this was approached with in the first place. It’s sensationalist and unnecessary. Do people actually think they’ve improved the community by acting in this manner?

The dress code is only one facet of what I was trying (albeit poorly) to express. If you asked a programmer whether he would prefer to wear jeans and t-shirt or suit and tie to work, which would he pick? What is the dress code at the Web2.0 development houses (not having worked at one I don’t know)? If it is jeans and t-shirts then that workplace is different to mine. My current employers wouldn’t consider them very professional either – this is where it goes to the heart of the community. You can do development the traditional, non-agile way, any time you want to put on a suit and tie and forget you know techniques like metaprogramming/BDD/TDD (and don’t forget how to use Windows, because that’s what corporate professionals use).

I have worked for a few industrial clients where staff had nudes as desktop wallpapers (we’re not talking partial nudity either), and pinups scattered around the sheds. There were certainly females around, though how they felt about it never came up. They would consider themselves professional, in that they provide top notch solutions to their clients. Warranties & quality assurance, etc. I doubt my current employer would find them very professional either, sweaty, greasy, and not very formal.

One of the things that I’ve heard raised when Australian corporate entities deal with overseas counterparts is that we’re a good deal less formal and respectful than they are. Socially and culturally Australians are more laid back, some might say unprofessional. Different people are always going to have differing opinions on professionalism; I find it unlikely that Matt felt he was being unprofessional in using the pictures and analogy that he did. I would hazard he still doesn’t feel he was unprofessional, though he undoubtedly realizes that it was a mistake.

Rails is not a ghetto, it’s a train station.

Before I launch into my response to Peter Szinek, you need to know some background. Matt Aimonetti made a presentation at GoGaRuCa on CouchDB, which included sexual references and supposedly explicit images. I’ve looked over the presentation (which may or may not have the same content as the one at the event) and I have to say that I found it to be pretty tame considering the hype that had spread before it. When I first read the story (found here and here) it was framed in ‘how to scare women away from your development community’. DHH and probably many others, responded strongly to the controversy. I’m particularly fond of Renae Bair’s post.

This morning when I got to work I was greeted by another story…about how Rails is still a ghetto. I have to disagree with the argument. Yes, if you go to India and go to a Hindu temple you should take off your shoes, and you should be refined enough to KNOW to take off your shoes; either that or the shoes at the door should give you the heads up. This line of reasoning isn’t relevant for a Rails conference, because there is no guideline anywhere that says ‘should not show pictures of that nature’. It may well have been a bad decision, but without precedent, how was he to know?

This is where the argument about professionalism comes in. I certainly wouldn’t dare use a presentation like that at my work, because they’re card-holding accountants and lawyers. The development community (in particular web 2.0) has a reputation for riding on the edge; this is not just Rails (which has been pointed out by others), but many other frameworks/languages that consider themselves groundbreaking. Clearly there is a disconnect here, between being passionate and fun, and relaxing from corporate strictures. Professionalism should have had everybody there wearing a suit and tie, but I would bet they weren’t.

There has been plenty of coverage about this less than newsworthy event, so I’ll not waste any more time on it. Another couple of days and it will have disappeared from Reddit, Digg, etc., and will be forgotten. The majority of people that use Rails don’t care about the posturing and hype that people are putting so much effort into…that’s just a way of big-noting blogs and looking important. Rails isn’t a ghetto; if anything it’s a train station, with a lot of people getting on and going places and a few people that feel the need to hang around and cause trouble. I’m not saying you don’t have a right to dislike his presentation, but don’t include the rest of us. Don’t pretend like he did something wrong just because you don’t like it. If you don’t like the way he did the presentation, put together a better presentation and you be the one standing on stage.

On that note I’m going back to work.

Mongrel service tip

If you’re running Rails applications on Windows then you’ll be interested in or already use the mongrel_service gem. When I recently (today) tried to install it on a new computer I had trouble because it didn’t want to install the dependencies. Apparently it requires a version of the win32-service gem >= 0.5.2 but < 0.6.0, so

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>gem install win32-service -v 0.5.2
C:\Documents and Settings\Administrator>gem install mongrel_service

should do the trick.

UPDATE: Apparently using win32-service causes problems whenever you have defined a class named Service. Just be aware that it’s going to cause it to use win32-service’s Service class rather than your own, regardless of whether you’re running Mongrel as a service (it won’t happen if you don’t run Mongrel).

Passenger, Typo and SQLite

I upgraded my Rails sites to use Passenger (aka mod_rails) this week. I’d like to say it’s been all roses, but the truth is that my Typo blog would swear under oath that it’s not the case. I was quite happy with the out-of-the-box Typo + SQLite combination, and that worked fine under Mongrel. Not so under Passenger: the website will work perfectly, but I won’t be able to get into the admin section. As you can see, I managed to get it working: I switched the database to MySQL and it’s been working fine ever since. I’ll get around to working out WHY it doesn’t work with SQLite at some point (and get around to extracting my lost blog posts).

Other than that small hiccup I’ve been extremely impressed with Passenger. It’s certainly a step forward as far as simple Rails production hosting goes. I’m not saying that it’s time to throw Mongrel out the window. But when it comes to trouble-free hosting, Mongrel is just not there. I want a solution where you can do a simple config and forget about the site. Managing multiple clusters for each of the various sites is something that makes it harder to whip up simple sites.

Passenger allows the user to configure an Apache virtual host with a couple of Rails-specific parameters (more if you want to take advantage of some cool feature, or do abnormal things), then restart Apache and you’re all up and good. Restarting your Rails app can be accomplished by running ‘touch tmp/restart.txt’ in your Rails root. You’ve then got a very simple solution that will allow you to host multiple sites without doing clustering.