Pinned post

I'm a Ruby developer that typically works with data, queues, schemas, CSV and JSON.

Recently I got involved in projects related to SAML/SSO, encryption, security, certificates and all that jazz; that was a big leap in my career.

I've been a Rubyist for the last 4 years. During the same time I've also been a US immigrant, so if you ever need it, se habla español.

Currently based in the San Francisco Bay Area, USA.

Esparta :ruby: boosted

Peter Eckersley, may his memory be a blessing

I'm devastated to report that Peter Eckersley (@pde), one of the original founders of Let's Encrypt, died earlier this evening at CPMC Davies Hospital in San Francisco.

Peter was the leader of EFF's contributions to Let's Encrypt and ACME over the course of several years during which these technologies turned from a wild idea into an important part of Internet infrastructure. He also took a lot of initiative in coalescing the EFF, Mozilla, and University of Michigan teams into a single team and a single project. He later served on the initial board of directors of the Internet Security Research Group.

#Obituary #PeterEckersley #EFF #LetsEncrypt

Esparta :ruby: boosted

P.S.A: A new vulnerability has been disclosed: CVE-2022-30123: Possible shell escape sequence injection vulnerability in Rack

Carefully crafted requests can cause shell escape sequences to be written to the terminal via Rack’s Lint middleware and CommonLogger middleware. These escape sequences can be leveraged to possibly execute commands in the victim’s terminal.

Our relationship with Rails | Shopify Engineering

A video where some of the Shopify engineers talk about their relationship with Ruby and with Rails.

@Kyloma Hi Casey!

Somehow my client (or instance?) didn't notify me of your follow. That's the reason I'm only saying hi today.

Closing Keynote by Vaidehi Joshi talking about the socio-technical aspect of software development with their personal

Crystal Tia Martin is giving the greatest non-technical keynote I've seen live. About people, about drama - and how to fix it or at least have a better outcome.
You can find Crystal on the bird site:

It's public knowledge you can't leave this conference without taking a selfie with Evan Phoenix and publishing it on your preferred social network.
So here we are.


The T-shirt I'm wearing today at the conference. I've been told it portrays Pacific Northwest culture - Oregon in particular?

"Just because you can, doesn't mean you should"

-- every single sane person in any context. And Aaron Patterson on the closing Keynote for today

If you see me in the conference, let's talk.
- the only guy with a T-shirt with no logos.

... Xavier Noria continued for almost the whole Keynote thanking everyone who was open to helping him with Zeitwerk because at the end it was a big support for the whole ruby community - not only Rails. Here Sam Saffron, Martin Schurig & Jean Boussier


Why is Xavier's keynote better?
Simple: He insists on featuring the community effort instead of making a D*H#H show.
As proof, a few slides I was able to take where he features the work of matthewd, Rafael França, Dylan Thacker-Smith & Richard Schneeman.


Having Xavier Noria as the Opening Keynote Speaker instead of that other guy is way, way better!


It's time for here where I'm currently with all these wonderful people.

We were still learning about the security issue for RubyGems when yet another vulnerability was discovered: CVE-2022-29218

This time Maciej also wrote another excellent piece of impact analysis:

But big Mensfeld didn't stop there, he actually created a tool (a gem in the whole extent of the word) to help you figure out if your bundle was compromised:

Please boost this toot for visibility.


I've seen this kind of code more times than I'd like:

rescue => e
  render json: { errors: e.message },
         status: :internal_server_error

Capture all the possible exceptions. Why? Is it really needed or convenient?

Do not report the error back to the client; it opens a big door to exploits.

Log everything? Looks like a good idea, but it might leak things like tokens, secrets(?) or PII.

If you see this in the wild, ask questions; there might have been a reason.
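The three problems in that snippet (rescuing everything, echoing e.message to the client, logging it untouched) side by side with a narrower handler, as an added example that is not the author's code. fetch_report, UpstreamError and the token value are constructed for the demo; no Rails is needed to run it.

```ruby
require "json"
require "securerandom"
require "logger"

# Constructed failure whose message carries a credential, the way a DB
# driver or HTTP client error message often does.
class UpstreamError < StandardError; end

def fetch_report(api_token)
  raise UpstreamError, "GET https://billing.example/v1/reports?token=#{api_token} -> 503"
end

# The pattern from the post: blanket rescue, e.message sent to the client
# and written to the log as-is. The token ends up in both places.
def leaky_handler(api_token, logger)
  fetch_report(api_token)
rescue => e
  logger.error(e.message)
  { status: 500, body: { errors: e.message }.to_json }
end

# Mask anything that looks like a credential before it reaches a log line.
SECRET_PATTERN = /(token|password|secret|key)=([^&\s"]+)/i

def redact(text)
  text.gsub(SECRET_PATTERN) { "#{$1}=[REDACTED]" }
end

# Narrow rescue: only the failure class we expect; anything else propagates
# so real bugs surface instead of becoming a silent 500. The client gets a
# generic message plus an opaque id that support can match against the log.
def hardened_handler(api_token, logger)
  fetch_report(api_token)
rescue UpstreamError => e
  error_id = SecureRandom.uuid
  logger.error("error_id=#{error_id} #{e.class}: #{redact(e.message)}")
  { status: 502,
    body: { error: "Upstream service unavailable", error_id: error_id }.to_json }
end
```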

Please take a moment to review this excellent analysis related to the recent vulnerability, CVE-2022-29176

The document written by Maciej Mensfeld will give you a better understanding of what happened and a very accurate conclusion about the impact on the whole Ruby library ecosystem.

Maciej has been working for years securing the full supply chain related to RubyGems and now has the support of WhiteSource to have even better infrastructure.
