

Shopify's path to Rails 3 - xal
http://blog.shopify.com/2010/11/16/our-upgrade-to-rails-3

======
speleding
I'm almost done with upgrading myself and the XSS stuff does take a lot of
effort. I am very surprised the Shopify blog says they checked for XSS errors
manually though because it's very easy to add something to your test helper
that checks every @response.body for sequences like "&amp;lt;" and runs the
result through HTML tidy. That catches 95%.

By the way, a patch of mine is in Rails 3.0.3 that just came out and now you
can just do a global replace of <%= with <%== and be mostly done with it. But
that would be cheating.

~~~
xal
Man that's a nice idea. I wish we would have had it ourselves during the
process.

~~~
speleding
In case it helps anyone, this is the helper I used:
<https://gist.github.com/703175>

The tidy lib is installed by default on the Mac. It's very fast (written in C)
so it only adds a few seconds to my tests. (I'm leaving it in after the
conversion.)

Another tip: it helps to put a lot of <&bad"> tags in your fixtures, that will
trigger a bunch of errors in the above test if you are not doing your escaping
properly.
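
A sketch of the kind of check described in the comment above, as an added example (not the code from the linked gist, and without the HTML tidy step). It flags double-escaped entities such as "&amp;lt;" and any verbatim occurrence of the `<&bad">` fixture marker; all names and the sample bodies are constructed for illustration.

```ruby
require "erb"

# Hypothetical names throughout; sample bodies below are constructed.
MARKER = '<&bad">' # fixture value suggested in the comment above
# An entity whose leading "&" was escaped again, e.g. "&amp;lt;".
DOUBLE_ESCAPED = /&amp;(?:lt|gt|amp|quot|#39|#x27);/i

# Every offset at which pattern (String or Regexp) occurs in body.
def offsets_of(body, pattern)
  found = []
  pos = 0
  while (i = body.index(pattern, pos))
    found << i
    pos = i + 1
  end
  found
end

# Returns [[kind, offset], ...] for one rendered response body:
#   :double_escaped - safe markup or escaped text was escaped a second time
#   :unescaped      - the fixture marker reached the page verbatim
def escaping_problems(body, marker: MARKER)
  offsets_of(body, DOUBLE_ESCAPED).map { |i| [:double_escaped, i] } +
    offsets_of(body, marker).map { |i| [:unescaped, i] }
end

once  = ERB::Util.html_escape(MARKER) # what a correct view emits
twice = ERB::Util.html_escape(once)   # escaped string escaped again

CORRECT = "<td>#{once}</td>"
DOUBLE  = "<td>#{twice}</td>"
RAW     = "<td>#{MARKER}</td>"

# In a Rails functional test this would run on @response.body after each request.
{ "correct" => CORRECT, "double" => DOUBLE, "raw" => RAW }.each do |name, body|
  puts "#{name}: #{escaping_problems(body).inspect}"
end
```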

------
davidw
I'm in the middle of upgrading some code and It Is Not Easy.

I think it's best to think of Rails 3 as a separate project that happens to
share some code with Rails 2.

I hope it's worth it in the end...

~~~
ludicast
Keep plugging away, it's way worth it :).

Rather than use the upgrade gem I started a new project, copied/converted what
I could, and then let my tests tell me what was missing. First the models,
then controllers, and finally the integration tests.

Without automated testing you're fucked of course, but as long as you have a
decent safety net in place you'll get there.

------
ludicast
The article brings up a great point wrt XSS. I'd say the new XSS stuff was
responsible for 2/3 of the upgrade errors my automated testing didn't catch,
so pre-fixing this like they did would have had big rewards. But I was too
impatient so after the upgrade I let my client feedback cover the edge cases
:).

I'd actually say upgrading to Ruby 1.9.2 gave me more headaches than upgrading
Rails.

~~~
xal
Cool that you managed to upgrade to 1.9.2. The encoding issues have us scared.
We do have a few special purpose webapps that run 1.9.2 because of very high
performance requirements.

~~~
aaronblohowiak
Why aren't you on JRuby if you have serious performance requirements? A
sufficiently warmed-up JVM will outpace 1.9.2.

~~~
xal
With Shopify's code size, JRuby needs 2GB of memory per process and we found
that it spends almost all the time in GC.

~~~
aaronblohowiak
Which version of JRuby? Is 2GB per process an issue if you can run it
multithreaded?

------
cpg
> Boot up Shopify in my development environment and click around

Hmm! With a staff of 11 FTE developers ... you would think they would put more
weight on this aspect of the transition. But yeah, other priorities take over.

