This Week in Rails (June 26, 2008)

Posted by Antonio Cangiano June 26, 2008 @ 12:45 AM

Welcome to the second edition of This Week in Rails, a weekly report with highlights from the Rails community.

Ruby Vulnerabilities

As previously reported by Jeremy Kemper, serious vulnerabilities have been discovered for the main Ruby implementations. The official advisory suggests an upgrade path, but there have been several reports of segmentation faults when using Rails with the patched Ruby 1.8.5 and 1.8.6 versions. The Phusion team has published a patch for Ruby 1.8.6-p111, but as things stand now, it hasn’t been included by the Ruby core team (yet).

If you are using Rails 2.1, Ruby 1.8.7-p22 seems the way to go. Unfortunately, Ruby 1.8.7 is not compatible with previous versions of Rails. If you decide that it’s time to upgrade your applications to Rails 2.1, this article features some handy tips, while this other one warns you about a few gotchas.

Those of you who’re running a version of Ruby that shipped with Mac OS X should wait for Apple’s next Software Update.

Ajax

Rails is opinionated software, but its support for plugins clearly demonstrates a certain openness to diverging opinions on non-core issues. So while most of us mainly use Prototype, it is fairly common to see folks adopting other JavaScript frameworks as well, particularly jQuery.

Last week Jim Neath published a nice overview which compares jQuery with Prototype, and provides information about using jQuery with Rails through the jRails plugin.

Whatever your Ajax framework of choice is, you may be interested in the new Google Ajax Library API to improve the performance of your applications. Thanks to the tutorial Using Google Ajax Libraries API with Ruby on Rails (soon to be incorporated into a plugin) you can start adopting the API with Rails right now.

MVC

Rails 2.1 adds named scopes, which greatly simplify writing “find logic” within your Active Record models. It’s an extremely useful feature which is well explained in this write-up, aptly titled Named Scopes Are Awesome (we agree). Also check out Ryan Bates’ railscasts on the subject: named_scope and Anonymous Scopes. You may also be interested in this week’s railscast about Caching in Rails 2.1.
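To show what “find logic” composition buys you, here is an added example (not code from the post or from Rails itself): a small, database-free model of how named scopes chain. Real named_scope lives in ActiveRecord and takes hash or array conditions; the Scope class, the NamedScopes mixin, the lambda-based scope bodies and the User model below are all assumptions made for illustration. The point worth noticing is that each scope only appends a “?” placeholder and keeps its value in a separate bind list, so chaining User.active.named(pattern) never splices user input into the SQL text.

```ruby
# Added example, not part of the post or of Rails: a toy model of named-scope
# composition. Scopes are immutable; each call returns a new Scope with one more
# condition or ordering, and values stay in `binds` instead of the SQL string.
class Scope
  attr_reader :model, :conditions, :binds, :orders

  def initialize(model, conditions = [], binds = [], orders = [])
    @model, @conditions, @binds, @orders = model, conditions, binds, orders
  end

  # Append a condition. `sql` carries "?" placeholders; `values` are kept aside
  # for the driver to bind, so a pattern like "a%' OR 1=1 --" stays a plain value.
  def where(sql, *values)
    placeholders = sql.count("?")
    unless placeholders == values.size
      raise ArgumentError, "#{values.size} values for #{placeholders} placeholders"
    end
    Scope.new(model, conditions + [sql], binds + values, orders)
  end

  def order(clause)
    Scope.new(model, conditions, binds, orders + [clause])
  end

  # Render the statement with placeholders intact and return the binds beside it,
  # the way a prepared statement would receive them.
  def to_sql
    sql = "SELECT * FROM #{model.table_name}"
    sql += " WHERE " + conditions.map { |c| "(#{c})" }.join(" AND ") unless conditions.empty?
    sql += " ORDER BY " + orders.join(", ") unless orders.empty?
    [sql, binds]
  end

  # Chaining: an unknown method is looked up among the model's named scopes and
  # applied to the current scope, so User.active.recent == User.recent.active.
  def method_missing(name, *args)
    body = model.scopes[name]
    return super unless body
    body.call(self, *args)
  end

  def respond_to_missing?(name, include_private = false)
    model.scopes.key?(name) || super
  end
end

# Class-level macro modelled loosely on Rails 2.1's named_scope (assumption:
# the body is a lambda receiving the current scope plus any arguments).
module NamedScopes
  def scopes
    @scopes ||= {}
  end

  def table_name
    name.downcase + "s"
  end

  def named_scope(sym, body)
    scopes[sym] = body
    # The class-level entry point starts from an empty scope for this model.
    define_singleton_method(sym) { |*args| Scope.new(self).send(sym, *args) }
  end
end

# Hypothetical model used only for the demonstration.
class User
  extend NamedScopes
  named_scope :active, lambda { |s| s.where("active = ?", true) }
  named_scope :named,  lambda { |s, pattern| s.where("name LIKE ?", pattern) }
  named_scope :recent, lambda { |s| s.order("created_at DESC") }
end

if $PROGRAM_NAME == __FILE__
  sql, binds = User.active.named("a%").recent.to_sql
  puts sql          # SELECT * FROM users WHERE (active = ?) AND (name LIKE ?) ORDER BY created_at DESC
  p binds           # [true, "a%"]
end
```

Because every scope returns a fresh Scope, partial chains can be handed around (the “anonymous scopes” of the second railscast) and finished later; and because the binds travel separately, the query text is the same whatever the caller passes as the pattern.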

Three other compelling Active Record related posts were Smart Model, Dumb Controller; Bulk insertion of data with ActiveRecord; and Timestamped Migrations, on how to make “classic migrations” an available option (see ticket).

Michael Bleigh published a tutorial about dealing with subdomains in Rails applications through the SubdomainFu plugin (which appears to be flexible and very straightforward to use).

Extreme Programming (XP) practices such as Test-Driven Development are very popular within the Rails community, but there are still many developers who see testing as a chore. Josh Nichols wrote an overview called A walk through of test-driven development with shoulda that shows you how easy it is to apply TDD to your Rails projects. In this specific case, he adopted the Shoulda plugin, which seamlessly adds some assertions, helpers and macros on top of the Test::Unit framework.

Documentation

Aside from api.rubyonrails.org there are many alternatives for quickly browsing the documentation of the Rails API. Last week a new one was launched: rails-doc.org. The current version features rapid searches and user annotations. This last feature in particular has the potential to become truly useful.

Deployment

If you are using Apache and mod_rails, you may want to read this article which provides information about a newly released module called apache-upload-progress.

Finally, Jason Crystal wrote a tutorial for packaging Rails applications for offline use on Mac OS X 10.5.


We’re done for this week. If you’d like to read more updates from the Ruby side of things, please head over to This Week in Ruby.

Posted in General | 19 comments

Comments

  1. Brian on 26 Jun 05:09:

    “If you are using Rails 2.1, Ruby 1.8.7-p22 seems the way to go.”

    Where can a Windows user find the compiled binaries for patchlevel 22?

    They aren’t here: ftp://ftp.ruby-lang.org/pub/ruby/binaries/mswin32.

  2. Antonio Cangiano on 26 Jun 05:15:

    Brian, I’m afraid they are not available yet for Windows.

  3. Robert Thau on 26 Jun 06:08:

    Possible correction - I believe the Phusion patch set is for 1.8.6-p111, and tries to add only the security fixes from other releases. Ref. here:

    http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue/

    Those who want a minimal patch against p230 instead might want to look here:

    http://dev.smartleaf.com/misc/p230_fixit_patch.txt

    This reverts one particular problematic changeset from the 1.8.6 branch, and also does seem to be working for people.

  4. Antonio Cangiano on 26 Jun 06:33:

    Thanks Robert, I have updated the post.

  5. Vesan on 26 Jun 09:10:

    Both links on the testing chapter are pointing to http://thoughtbot.com/projects/shoulda but the first should point to http://technicalpickles.com/posts/a-walk-through-of-test-driven-development-with-shoulda .

  6. Geir on 26 Jun 09:32:

    What a great addition to the Rails weblog. The two “This week in Rails” posts have both been incredibly informative and useful IMHO.

  7. Robert Thau on 26 Jun 12:05:

    BTW, if people are curious about what broke in 1.8.6-p230, here’s a short script that segfaults that release (at least on 32-bit x86 Debian Etch):

    obj = Object.new

    class << obj def meth(x, y) end end

    10000.times do obj = obj.clone end

  8. Robert Thau on 26 Jun 12:11:

    Ooops… the last comment has a significant newline folded away; better try this:

    obj = Object.new class << obj; def meth(x, y) end end 10000.times do obj = obj.clone end

  9. Robert Thau on 26 Jun 12:13:

    ... or better yet, this. Apologies.

    obj = Object.new
    class << obj; def meth(x, y) end end
    10000.times do obj = obj.clone end

  10. Luis Alejandro Masanti on 26 Jun 14:50:

    As for AJaX frameworks?

    Does somebody try/use SproutCore? Any experiences?

  11. Antonio Cangiano on 26 Jun 19:30:

    Good catch, Vesan. I’ve fixed it now.

  12. Joseph Riesen on 29 Jun 18:08:

    Just some random feedback – I don’t appear to have any problems with Rails 1.2.6 on Ruby 1.8.7-p22 (built from source) under Mac OS X 10.5.2, which I find rather surprising. Works fine with 2.1 as well. I can’t vouch for any other platforms or Rails versions, however. (Seems like most people are stuck on 2.0.2 from what I’ve read here.)

    I’m still not having any luck getting Ruby 1.8.7-p22 to build on Windows, however… or rather, it builds fine, but the zlib extension (required for RubyGems) segfaults every time it’s touched. Still no clue if I’m doing something wrong or if it’s a problem with 1.8.7. Later this week I’ll try and build an older version and compare.

    Another point for other Windows users: I’ve heard that the cygwin Ruby is patched up (though YMMV). I’m not yet willing to take the production performance hit of downgrading from native Ruby to cygwin Ruby, but we’ll see.

  13. Brian on 30 Jun 00:58:

    I really don’t understand this “compile it yourself” approach to patches.

    Once the Ruby maintainers have fixed the Ruby source code and all the tests pass (i.e. ruby core, gems, rails), why can’t they simply compile it for all major platforms and publish the binaries. Is this hard to do? Am I missing something?

  14. Joseph Riesen on 01 Jul 00:39:

    FYI, for anyone reading this, looks like the discussion about the security vulnerabilities is still carrying on at: http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities

    ...and that’s probably the best place to get info.

    (Sorry to cross-post.)

    Also, for anyone looking for a Windows build, see: http://mikehodgson.com/archives/2008/6/30/updated_unofficial_ruby_oneclick_installer (from the above thread).

    As for the ‘compile it yourself’ problem, it doesn’t seem like the issue is as widespread on other platforms; although my Mac’s in the shop for hardware problems, I believe Apple just released 10.5.4 today with an update to Ruby, the Debian guys are already over this, etc. In my mind, the problem is simply that Ruby developers hate Windows, à la http://www.rubyinside.com/is-windows-a-first-class-platform-for-ruby-823.html. But if you’re on a UNIX environment it’s not so bad.

  15. Drogomir on 02 Jul 19:02:

    Hi,

    If you installed apache upload progress module, please upgrade to at least 0.1 version: http://github.com/drogus/apache-upload-progress-module/commits/0.1

    I fixed 2 nasty bugs which could stop reporting progress in some cases.

  16. Don on 03 Jul 19:17:

    Does Ruby on Rails work on Windows Server 2003, ASP, ASP.NET, SQL Server?

    If not, is there anything similar that will run using the specs above? I’m looking for a blog/comment plug-in.

  17. Offtopic on 04 Jul 12:26:

    Sorry for the off-topic comment but… has nobody noticed that the RoR API and Wiki have been down for one week?

    Precondition Failed

    The precondition on the request for the URL / evaluated to false.

  18. Marcel on 12 Jul 20:34:

    Ruby seems so complicated!

  19. klimatizace on 21 Jul 08:32:

    I really do not understand this “compile it yourself” approach to patches.

    When the Ruby maintainers have fixed the source of Ruby and passed all tests (that is, central ruby, jewelry, rails), why can they not only collect on all the major platforms and publish the binaries? Is it difficult to do?