

Padrino Framework 0.11 is here - DAddYE
http://www.padrinorb.com/blog/padrino-0-11-0-released-padrino-lives

======
dinedal
Congrats on the release! Excited about the new http_router, and the new app as
a gem feature!

When I saw you guys at the meetup in SF, there was some chatter about
concurrency features being added, did these make it into this release?

~~~
DAddYE
Not yet, it is planned for 1.0.

------
ronnqvist
Thank you so much! I've been waiting for this release in order to get Twitter
bootstrap for a project that I'll just have to get out the door! Give me a
bitcoin address and I'll tip you one. :)

------
pspeter3
Congrats on the release! I wish there was a node version of you guys.

~~~
DAddYE
I think you shouldn't wait so long ;)

~~~
pspeter3
I used to use padrino for my projects. I'm one of the few people who actually
finds thinking in callbacks easier and I like using the same language in both
the client and server so I switched to node. I think you guys are a fantastic
project though!

~~~
DAddYE
Thanks, I actually think the same of you, I'm one of few lovers of callbacks
and reactor pattern so, stay tuned ;)

~~~
pspeter3
Sorry for taking so long to respond. That would be fantastic if Padrino got
that as well.

------
ams6110
Padrino is a Ruby web framework, for those who are not familiar with it.

------
ortuna
Looks good, congrats!

------
satyap
Yay! We use padrino. Yay!

------
tekacs
Whilst I think that the Padrino framework is an excellent effort, I would like
to remind everyone (chiefly the project organisers) that as things stand, the
framework has no meaningful notion of security for the admin interface.

I flagged this up about two years ago, now, but stopped using the framework
shortly thereafter and never pushed any fixes of my own. The complete lack of
meaningful authentication appears to still be there all this time later.

For reference, see:

<https://github.com/padrino/padrino-framework/issues/384>

and

<http://tkcs.in/Nlrc>

Though I would hope that Padrino admin isn't in fact being used in production
by anybody who hasn't read the source, a quick search at the time showed
otherwise.

~~~
DAddYE
Tekacs:

1) We use bcrypt:

<https://github.com/padrino/padrino-framework/blob/master/padrino-admin/lib/padrino-admin/generators/templates/account/activerecord.rb.tt#L32>

2) Auth is an API we generate for YOU, but you can change the generated code
to fit your needs.

~~~
DAddYE
3) session_id is different from session_secret (also generated for you with
SecureRandom, but you can change that too)

~~~
tekacs
I would be very glad to hear that a session_secret is being used to encrypt
session cookies (which would prevent the (working-at-the-time) 'attack' I
posted in the abovementioned issue).

I can't tell at a glance whether this change was made after the issue and if
the problem is now overcome, but I'm glad to hear that security is at least on
your minds! Just switching to BCrypt from the old DES'd passwords is a
wonderful step!

Best of luck and thanks for the great project!

~~~
DAddYE
Thanks! BTW, I'm far from saying that it is 'secure'; nothing is 'secure', but
we are putting a lot of effort in that direction: CSRF tokens, rack-protection
and so on ... so jump into the community and help us improve the security
aspects.

Thanks for all!
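The exchange above turns on what a session_secret actually buys you: with it, a
Rack-style cookie session is signed and a client cannot rewrite
`account_id` in its own cookie; without it, the cookie is just encoded data
anyone can edit. The following is an added illustration, not Padrino's or
Rack's own code: it models both variants side by side. It assumes an
HMAC-SHA256 signature (Rack's cookie store used HMAC-SHA1 at the time), a
`payload--signature` cookie layout, and a secret generated with SecureRandom as
the thread describes; the session contents and the tampering steps are
constructed for the demonstration.

```ruby
require 'openssl'
require 'securerandom'
require 'json'

# Added example, not Padrino/Rack code. The secret is generated once with
# SecureRandom and is assumed to live only on the server (config/apps.rb in
# Padrino's case); a new process will get a new secret and invalidate old cookies.
SESSION_SECRET = SecureRandom.hex(32)

# Strict base64 via pack/unpack so the example needs no extra gems.
def b64(str)
  [str].pack('m0')
end

def unb64(str)
  str.unpack1('m0')
end

# --- unsigned variant: what a cookie store looks like without a secret ---
def build_unsigned_cookie(session)
  b64(JSON.generate(session))
end

def load_unsigned_cookie(cookie)
  JSON.parse(unb64(cookie))
rescue ArgumentError, JSON::ParserError
  nil
end

# --- signed variant: HMAC over the encoded payload, keyed by the secret ---
def build_cookie(session, secret)
  payload = b64(JSON.generate(session))
  sig = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  "#{payload}--#{sig}"
end

# Constant-time comparison so signature checking does not leak how many
# leading bytes of a guessed MAC were right.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def load_cookie(cookie, secret)
  payload, sig = cookie.split('--', 2)
  return nil if payload.nil? || sig.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  return nil unless constant_time_equal?(expected, sig)
  JSON.parse(unb64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# Attacker model: the client keeps the original signature but swaps in a
# payload of its choosing (no secret needed to build the payload).
def tamper(cookie, new_session)
  _old_payload, sig = cookie.split('--', 2)
  "#{b64(JSON.generate(new_session))}--#{sig}"
end

# Run both stores against the same forgery attempt and report what each accepts.
def demo
  legit_unsigned = build_unsigned_cookie('account_id' => 42)
  legit_signed   = build_cookie({ 'account_id' => 42 }, SESSION_SECRET)
  forged_session = { 'account_id' => 1 } # constructed: claim the first (admin) account

  {
    unsigned_legit:  load_unsigned_cookie(legit_unsigned),
    unsigned_forged: load_unsigned_cookie(build_unsigned_cookie(forged_session)),
    signed_legit:    load_cookie(legit_signed, SESSION_SECRET),
    signed_tampered: load_cookie(tamper(legit_signed, forged_session), SESSION_SECRET),
    signed_garbage:  load_cookie('not-a-cookie', SESSION_SECRET)
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The unsigned store happily returns `account_id => 1` for the forged cookie,
which is the class of problem the GitHub issue in the thread describes; the
signed store returns nil for the tampered and malformed cookies and only
accepts the one it issued. Signing gives integrity, not confidentiality: the
payload is still readable by the client, so nothing secret belongs in it.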

