Hey folks! Welcome to ruby.social! 🎉
I'm hoping this will become a good, friendly community for Ruby-folks to chat and discover new friends. But for that to happen, you need to sign up!
https://ruby.social -- all are welcome
RT @euruko@twitter.com
We're now accepting applications for diversity/scholarship tickets! These are mostly virtual tickets but we do also have some in-person tickets available too. (1/3) https://2022.euruko.org/tickets/
We were still learning about the security issue for rubygems when yet another vulnerability was discovered: CVE-2022-29218
https://github.com/rubygems/rubygems.org/security/advisories/GHSA-2jmx-8mh8-pm8w
This time Maciel also got another excellent piece of Impact Analysis:
But big Mensfeld didn't stop there, he actually created a tool (a gem in the whole extent of the word) to help you figure out if your bundle was compromised:
https://rubygems.org/gems/bundler-integrity
Please boost this toot for visibility.
I often hear that the increased hosting costs associated with Ruby on Rails' larger-than-average footprint are more than offset by the increased dev productivity. It follows that Rails salaries being pretty high at the moment is offset by being able to maintain a smaller, more productive team.
Does anyone know of any case studies where someone's actually done the numbers on that?
It "feels right" to me, but I'd be interested to read others' experiences.
Finally a writeup for the http://rubygems.org vuln, CVE-2022-29176. Such a simple mistake. I feel like the takeaway lessons are:
1. do not query/trust composite columns. Query individual columns.
2. do not trust arbitrary user Strings.
https://greg.molnar.io/blog/rubygems-cve-2022-29176/
#ruby #infosec
P.S.A: Rails have released a new version fixing some issues added in the last security release.
https://rubyonrails.org/2022/5/9/Rails-7-0-3-6-1-6-6-0-5-and-5-2-8-have-been-released
The new stable versions have been pushed to these
- 7.0.3
- 6.1.6
- 6.0.5
- 5.2.8
These are some of the problems I note in my review:
https://ruby.social/@esparta/108211719637031175
As usual, it's recommended to test thoughtfully on your staging environments before proceeding to deploy to production.
RT @RubyInside@twitter.com
What Do You Think of 'Scoped Gems'? https://github.com/rubygems/rfcs/pull/40
🐦🔗: https://twitter.com/RubyInside/status/1521866493826375682
@robbyrussell I see you lurkin'
Figured this would be a good place to soft launch this. I setup a Discord server specifically for the topic of Ruby & InfoSec. The goal of this server is to help answer questions, educate others, highlight other Ruby InfoSec projects, and counter anti-Ruby FUD with information. If you are interested in both Ruby & InfoSec, or just want to help, consider joining. #ruby #infosec
https://discord.gg/CcqkHnuyUK
Is there ever a good time to define a custom `!` method on an object? Seems like setting up a footgun for people relying on the truthy/falsiness in a boolean expression.
class Thing; def !; true; end; end
my_thing = Thing.new
do_thing if my_thing # executes
do_thing if !my_thing # executes
do_thing unless my_thing # does not execute
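As an added example (not from the original post), the probe below shows which Ruby constructs dispatch to a custom `!` and which only look at nil/false, and adds a reflective check that flags classes overriding `!`; `probe` and `overrides_bang?` are names I made up for this illustration.

```ruby
# Added example, not code from the toot above. `Thing` is the class from the
# toot; `probe` and `overrides_bang?` are hypothetical helper names.
class Thing
  def !
    true
  end
end

# Returns a Hash recording how each construct treats `obj`.
# Only `!obj` and `not obj` call the object's own `!`; `if`, `unless`,
# `&&` and the ternary operator test raw truthiness (anything but nil/false).
def probe(obj)
  not_result = if not obj then :ran else :skipped end   # `not` calls obj.!
  {
    if_bare:     (obj ? :ran : :skipped),               # raw truthiness
    if_bang:     (!obj ? :ran : :skipped),              # calls obj.!
    if_not:      not_result,
    unless_bare: (obj ? :skipped : :ran),               # `unless` is raw truthiness
    double_bang: !!obj,                                 # !(obj.!) => !true => false
    and_chain:   (obj && :ran) == :ran                  # && never calls `!`
  }
end

# Defensive check: has `!` been redefined anywhere below BasicObject?
# Useful in a code review or a test that guards against the footgun.
def overrides_bang?(klass)
  klass.instance_method(:!).owner != BasicObject
end

if __FILE__ == $0
  puts probe(Thing.new).inspect
  puts "Thing overrides !: #{overrides_bang?(Thing)}"
  puts "String overrides !: #{overrides_bang?(String)}"
end
```

Note that `!!obj`, the usual "coerce to boolean" idiom, also goes through the custom `!`, so a real `Thing` instance coerces to `false`.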
If you're curious about what's happening elsewhere in the Fediverse, you can use either the "Explore" or "Federated" timelines:
#️⃣ - https://ruby.social/web/explore
🌐 - https://ruby.social/web/public
The "Federated" one is a bit of a firehose, you've been warned!
I regularly check our "Local" timeline to see what people on this instance are talking about:
https://ruby.social/web/public/local
This is a great way of finding people to follow - because you're on the same instance, chances are you have at least one shared interest
Once again, welcome everyone who's joined this week so far, and special thanks to @halfbyte and @andy_twosticks for contributing on our Patreon (https://www.patreon.com/bePatron?u=13237635) 🎉
Loving Ruby since 2002. or 2001. I really ought to figure it out.
I’m the admin for this instance - if you have any questions or problems, let me know!