
Show HN: Octotrack – automatic dependency and security manager for Ruby apps - alvesjtiago
http://octotrack.com
======
CameronBanga
Was willing to give it a look, but the whole "Sign up and give us full access
to your GitHub account" is a real downer and deal breaker.

It's a big ask, and a lot of trust for some Show HN. I'd like to be able to
get info on pricing, poke around, and test stuff, before I give away the keys
to the castle.

~~~
alvesjtiago
Hi Cameron, thank you for your feedback.

Octotrack is not requesting full access to GitHub, only to the public
information and inherently public repos, but nothing concerning private
information; that was one of the main objectives.

It would be great if you could try it out. Thank you :)

~~~
detaro
_write access_ to public repos. That's not inherently public.

~~~
alvesjtiago
You're absolutely right. I've just removed all access to public repositories,
including reading.

Now the only information shared is the user's public information.

Thank you

~~~
twohlix_
You also get write access to private profile information:

"This application will be able to read and write all user data. This includes
the following:

Private email addresses Private profile information Followers"

~~~
alvesjtiago
Changed it again to only read access to user email. Thank you for reporting
that issue.

------
avitzurel
I vaguely remember another service like that from the days I was still doing
rails.

The pain is definitely real. We had a 6-year-old rails app that got upgraded
from Rails 2.3 and keeping track of dependency decay was painful.

Looking at your landing page, I could not understand how you are solving the
problem exactly. The screenshots don't expand, so I don't really get the
solution.

One very nice feature that you can add and will help a lot is to support
comment parsing in the Gemfile and Gemfile.lock. Something like email:
my@my.com. When you parse the file, send me the report and don't make me
actively visit the page.

Also offer a sample report on your page by submitting a public repo perhaps.

Good luck!

~~~
alvesjtiago
Thank you for your feedback avitzurel!

I'll provide a sample report on the landing page, add a way to expand the
screenshots and provide more information on the sign-up process. Octotrack
does not access the repositories directly; that was one of the main
objectives. Only your email and GitHub public information. Once you create a
project, you'll have the option to upload a Gemfile.lock or add a git
post-commit hook to your project. From then on, you'll have access to the
security vulnerabilities that exist and what dependencies need to be updated,
as well as other information (such as release notes, etc.).

Once again, thank you for the feedback and hope it solves a real pain.

------
AndrewHampton
I'm not sure how it compares with Octotrack, but we've been using
bundler-audit[1] for similar security checks in our dependencies. Here's a
sample Dockerfile[2] for running bundler-audit against your Gemfile and
Gemfile.lock.

1: [https://github.com/rubysec/bundler-audit](https://github.com/rubysec/bundler-audit)

2: [https://gist.github.com/andrewhampton/d78df6952e757fd1038401...](https://gist.github.com/andrewhampton/d78df6952e757fd10384015fdf30a7c4)

~~~
alvesjtiago
Hi Andrew, I was also a bundler-audit user myself. Unfortunately, bundler-audit
only provides information about security vulnerabilities and does not help you
keep your dependencies updated.

With Octotrack you'll receive an email digest every morning informing you of
the latest updates of the gems you use as well as possible vulnerabilities
recently discovered.

Please let me know if this is valuable information for you.

Thank you very much for your feedback.
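
A minimal version of the Gemfile.lock check the thread compares tools over, as an added example (not Octotrack's or bundler-audit's code): it parses a constructed lockfile, compares each locked version against a constructed advisory list with placeholder ids, and maps transitive hits back to the Gemfile entry that pulls them in. All gem names, versions and advisory ids below are made up for illustration.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby
# Constructed sample Gemfile.lock (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      actionpack (5.2.0)
        rack (~> 2.0)
      nokogiri (1.8.1)
      rack (2.0.4)
  DEPENDENCIES
    actionpack
    nokogiri
LOCK
# Constructed advisory data with placeholder ids: gem => versions that carry the fix.
SAMPLE_ADVISORIES = {
  "rack"     => { id: "ADVISORY-PLACEHOLDER-1", patched: [">= 2.0.5"] },
  "nokogiri" => { id: "ADVISORY-PLACEHOLDER-2", patched: [">= 1.8.2"] },
}
# Parse the GEM specs block (4-space lines are gems, 6-space lines their deps)
# and the DEPENDENCIES block (the gems named directly in the Gemfile).
def parse_lockfile(text)
  specs, direct, section, current = {}, [], nil, nil
  text.each_line(chomp: true) do |line|
    section = line if line =~ /\A[A-Z][A-Z ]*\z/     # GEM, DEPENDENCIES, ...
    if section == "GEM" && line =~ /\A {4}(\S+) \(([^)]+)\)\z/
      current = $1
      specs[current] = { version: $2, deps: [] }
    elsif section == "GEM" && current && line =~ /\A {6}(\S+)/
      specs[current][:deps] << $1
    elsif section == "DEPENDENCIES" && line =~ /\A {2}(\S+)/
      direct << $1.delete_suffix("!")                # "gem!" marks git/path sources
    end
  end
  { specs: specs, direct: direct }
end
# Walk the reverse dependency graph up to the Gemfile entry that pulls a gem in.
def direct_owner(lock, name)
  return name if lock[:direct].include?(name)
  parent = lock[:specs].keys.find { |g| lock[:specs][g][:deps].include?(name) }
  parent && direct_owner(lock, parent)
end
# Flag every locked version that no patched requirement covers.
def vulnerable_gems(lock, advisories)
  lock[:specs].each_with_object([]) do |(name, spec), found|
    adv = advisories[name] or next
    next if Gem::Requirement.new(*adv[:patched]).satisfied_by?(Gem::Version.new(spec[:version]))
    found << { gem: name, version: spec[:version], advisory: adv[:id], via: direct_owner(lock, name) }
  end
end
```

Running `vulnerable_gems(parse_lockfile(SAMPLE_LOCK), SAMPLE_ADVISORIES)` reports rack 2.0.4 as reached via actionpack, which is the Gemfile line a developer would actually bump.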

------
IceyEC
Lots of placeholder text on that page:
[https://screenshots.firefox.com/hg5ayGsTXpQ2veoT/www.octotra...](https://screenshots.firefox.com/hg5ayGsTXpQ2veoT/www.octotrack.com)

~~~
alvesjtiago
Thank you, just fixed. Did you have a chance to try it out?

~~~
heliostatic
Is there any way to try it out without giving you access to my full repo? A
Gemfile upload or something similar would be great for testing.

~~~
heliostatic
Ah, it looks like that is how it works. Not obvious until after I signed up...

~~~
alvesjtiago
You're absolutely right, I'll make it more explicit. Thank you so much for the
feedback.

------
filipepina
Hehe... I was going to say “cool”, but now that I’ve uploaded the Gemfile.lock
I realised that I’ve just added a bunch of hours on the maintenance roadmap to
the project... worked like a charm though.

~~~
alvesjtiago
Thank you Filipe :) I hope that not too many hours were added!

------
dsr_
Is it free, cheap, expensive? Does it have a privacy policy?

------
boffinism
Looks neat! What's the difference between this and dependabot[0]?

[0] [https://dependabot.com/](https://dependabot.com/)

~~~
alvesjtiago
Dependabot is an awesome app!

Most of the times I just want to know about a new release and not actually
have a PR created for it. I'm also not sure if dependabot warns about
vulnerabilities. Nevertheless, I believe they can be used in conjunction and
not as a replacement.

------
tobr
Not sure how likely they are to be confused, but there's a highly regarded
sampler called Octatrack.
[https://www.elektron.se/products/octatrack-mkii/](https://www.elektron.se/products/octatrack-mkii/)

~~~
alvesjtiago
Google still suggests "Octatrack" when typing "Octotrack", but I hope I can
change that in the future :) thanks

------
subie
I couldn't help but notice the WordPress PHP code on the background image.

~~~
alvesjtiago
You're right. Just changed it to simple HTML so as not to get everyone distracted :)

------
raresp
So they offer to steal your code for free. No thanks.

~~~
alvesjtiago
Hi raresp, we don't have any access to any of your code, that was the main
objective when compared to other similar services.

You have two ways to update your dependencies:

1. Manually upload your Gemfile.lock.

2. Install a post-commit hook which only sends the Gemfile.lock in case it was
changed.

It would be great if you could try it out.

Thank you.

~~~
raresp
I'm glad you detailed the functionality. Now my comment is pointless. Sorry
for posting it.

------
bdcravens
How does this compare to Gemnasium?

~~~
alvesjtiago
A couple of differences might be:

1. Shows dependency relationships

2. Automatic updates without the need to request access to the whole project
(via git post-commit hook)

3. Analysis of the most used dependencies across all your projects

4. Daily emails divided per project instead of per dependency / gem

5. Cheaper, and with 1 free private project

This is a new project so all feedback is more than welcome. I'm looking to
develop everything that makes the platform better and helps every developer
and tech team.

------
martinald
No https?

~~~
alvesjtiago
Now forcing https. Thank you for the feedback!

