
 If Your Business Uses Rails 2.3 You Need To Move To A Supported Option ASAP - steveklabnik
http://www.kalzumeus.com/2013/06/17/if-your-business-uses-rails-2-3-you-need-to-move-to-a-supported-option-asap/
======
patio11
Feel free to ask me for elaboration if you need any, in particular if you have
a CTO or other bosscritter who you need help convincing of the importance of
this. It will be _seriously_ bad news for you if you stay on unpatched 2.3
over the next several months.

~~~
InclinedPlane
Given all the security problems with rails lately would you still recommend
rails for a green field project?

~~~
mey
I personally have been turned off from it. Not that they have security issues,
everyone does; it's that the time required to roll out changes basically
requires not just updating a library, but updating your framework, since the
line between your code and the framework can be extremely blurred.

This means that if you have multiple rails sites with limited or no timely dev
support you may not be readily able to upgrade your site to resolve issues.

This is why I took down my personal blog I had built in rails since I didn't
want to be exposed to these issues and didn't have the time or desire to
uplift the site onto more recent versions of rails.

~~~
xentronium
They normally release patches and workarounds for those who can't upgrade
immediately.

------
hvs
_I know many folks in the Rails community wonder why anybody could still be
using a years-old system._

Once this statement is no longer true, Rails will be ready for the enterprise.

~~~
dhh
Once that statement is true, Rails will BE the enterprise. Don't bank on it.
(And by that I mean we'll continue to release new versions that at times will
be backwards incompatible and require work to upgrade to).

~~~
eduardordm
Already is! I've submitted talks a few times about my experiences with Rails
in an enterprise environment, no luck. Anyway, we have run rails since 2006, we
got large and became a bank.

Numbers: 5032 models, 42 gems, 16 submodules, lots of C extensions and
eventmachine servers running in threads. From our website to ATM servers, it's
everything inside a single rails application. We managed to upgrade from 2.3
to 3.2 in 6 months. Already running 4 (took only a few hours). We just
completed our migration from Oracle DB to Postgres.

~~~
rurounijones
5032...models...I, whu... ONE application?!

I would never have thought that was actually possible. A write-up regarding
your architecture / challenges / solutions / future plans in a blog post would
be extremely interesting.

(How long does the test suite take to run!?)

~~~
Capoferro
This is enterprise. What test suite?

------
steveklabnik
To disclaim: I submitted this story to HN because people on HN care about
patio11's blog, and if someone gets internet points, might as well be me. Do
not take this as an endorsement by me or anyone else on the Rails team,
thanks.

~~~
tptacek
Wow, the non-drama drama comment. Very slick.

~~~
steveklabnik
I'm sorry if you thought this was 'drama,' just trying to make sure that
someone doesn't think that this is officially supported by the Rails team or
that I'm speaking for anyone. Frankly, I've been running around at Ruby
conferences saying "If you want old versions of Rails supported, you should be
paying someone to do it," and I think Rails LTS is great, in a personal
capacity.

That said, since I posted this,
[https://twitter.com/rails/status/346671286149337088](https://twitter.com/rails/status/346671286149337088)

~~~
tptacek
You know what? That was a dumb comment for me to write. I plead "commenting
while I have the flu", and you're not the first person to get an egregiously
snippy comment from me over the past couple days.

I apologize. I'll be more vigilant about what I'm posting while I'm not at my
best.

I'm with you on LTS, by the way; it's a great idea.

~~~
sneak
Feel better!

~~~
tptacek
I'LL KILL YOU GO TO HELL

er, thanks.

:)

~~~
sneak
Between this and your crypto-cage-match with Colin, I think that HNers should
chip in and send you a whole shit-ton of Dayquil on the regular or something.
Been enjoying your comments more than in recent memory. :D

------
purephase
This is one of the amazing aspects of OSS that so many seem to miss. It opens
up the possibility for these types of initiatives that most closed source
projects will never receive once the core developers walk away.

Great idea. Hopefully great execution for those still on older versions of
Rails.

------
callmeed
I have a Rails 2.3x ecommerce app that is not our primary product but still
makes us a good amount of money.

Personally, I'd like to upgrade to Rails 3.2x (and eventually 4) so I can take
advantage of some newer gems. However, the task is a little daunting given we
use some older authentication and file upload libraries. All that to say, if I
can't get it done soon, _I will definitely go the Rails LTS route_.

BTW, If any Rails devs out there want a challenge and have some time, please
get in touch with me.

~~~
signifiers
The backporting involved here is non-trivial. If the past 9 months are any
indication, I would expect we haven't seen the last of the serious YAML
vulnerabilities yet:
[http://www.cvedetails.com/vulnerability-list/vendor_id-12043...](http://www.cvedetails.com/vulnerability-list/vendor_id-12043/product_id-22568/Rubyonrails-Ruby-On-Rails.html)

~~~
tomjen3
My guess is that mostly no apps depend on that idiotic "YAML can parse and
execute anything anybody sends us" feature, so wouldn't you forward secure
rails (harden it?) by replacing YAML with a parser that _only_ parses things?

~~~
rst
One of the few things Rails LTS adds to prior 2.3 branches is a "hardened" set
of security settings that turns off rarely-used and potentially vulnerable
arg-parsing code.
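
The "parser that only parses" idea raised in the two comments above, as an added example that is not part of this thread or of Rails LTS: a loader that runs untrusted YAML through Psych's `safe_load` with an explicit allowlist of classes, so a document that tries to instantiate anything else is rejected instead of being turned into live Ruby objects. The `parse_untrusted_yaml` helper, its allowlist, and the sample documents are all constructed for this example; `YAML.safe_load`, `permitted_classes:` and `Psych::DisallowedClass` are real Psych APIs (Ruby 2.6 / Psych 3.1 or newer).

```ruby
require 'yaml'
require 'date'

# Classes that plain data documents may legitimately contain. Anything
# outside this list (e.g. a !ruby/object:... tag) is refused by Psych.
# Constructed allowlist for this example; tune it to your own data.
PERMITTED_YAML_CLASSES = [Date, Time].freeze

# Parse YAML that arrived from an untrusted source (request body, cookie,
# queue message). Returns the parsed data, or nil if the document asked
# for anything other than plain data. Aliases are disabled too, which
# also blocks "billion laughs" style expansion.
def parse_untrusted_yaml(text)
  YAML.safe_load(text,
                 permitted_classes: PERMITTED_YAML_CLASSES,
                 permitted_symbols: [],
                 aliases: false)
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  # Log and reject; never fall back to the unrestricted loader here.
  warn "rejected untrusted YAML: #{e.class}: #{e.message}"
  nil
end

# Constructed sample documents.
PLAIN_DOCUMENT = <<~YAML
  name: Ann
  count: 3
  created: 2013-06-17
YAML

# A document whose only purpose is to ask the loader to build an arbitrary
# object. With safe_load this raises Psych::DisallowedClass.
OBJECT_DOCUMENT = "--- !ruby/object:Object {}\n"

if __FILE__ == $PROGRAM_NAME
  p parse_untrusted_yaml(PLAIN_DOCUMENT)   # => {"name"=>"Ann", "count"=>3, "created"=>#<Date ...>}
  p parse_untrusted_yaml(OBJECT_DOCUMENT)  # => nil (warning printed to stderr)
end
```

The point of the allowlist is that it is opt-in: a new tag or class appearing in input is a parse failure you see in the logs, not a constructor call you never intended to expose.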

------
thomas_
First of all, thanks for the nice article, Patrick!

Feel free to ask us at makandra anything you'd like to know about Rails LTS.

------
relix
Previous HN thread on this, which was not quite as popular:
[https://news.ycombinator.com/item?id=5794632](https://news.ycombinator.com/item?id=5794632)

------
film42
This was a pleasure to read. I really think this is the most intelligent
solution to older rails projects.

It's also an eye opening topic for all startups out there, including mine,
that rely on rails -- you will need to fight to keep your applications and
servers safe. I guess you could say I spend so much time building and breaking
to achieve something, that the thought of long term support often slips my
mind.

Still, when building I do my best to stay away from '3-in-1' gems (aka, admin-
backbone-devise-api-comments-aws) that have a 0% possibility of surviving. I
stick to gems that are up there in the star count on github, and try not to
touch anything that has been stagnant for 6 months+. Obviously this isn't a
perfect solution, but I feel a bit more confident in the survival/longevity
of the application.

------
rmoriz
If you still don't accept that software is _a process_ not _a product_ you're
going to have a bad time. With _every technology stack_ on this planet.

------
yuhong
“Horsepuckey. The hypothetical person saying this is a textbook pathological
customer: they’re both deeply irrational (if the app’s security was worth $5 a
month then the right answer is probably to shut it off and save the server
cost) and likely to be far, far, far too much headache for professional Rails
engineers to have to deal with. I’m glad their mail is not going to be in the
same inbox as mine when I ask questions about new security issues.”

That being said, one of the good things about open source software is that
competition here is possible, unlike say the end of support of WinXP.

------
chadr
How long do they plan on supporting this fork? Hopefully for multiple years? I
didn't see it mentioned on the site.

~~~
patio11
They're contractually obligated to support it for at least a year for me, and
after that commercially viable software is commercially viable software.

~~~
chadr
You've sold me on it. It is well worth the money considering the time/effort
it saves.

------
messick
The whole "2.3.x is not getting any more security updates" statement is
disingenuous at best. While "Security Updates" might not be coming out,
"Severe Security Updates" will still be released.

That combined with the "Do nothing and, with probability of 100%, get your
server owned." statement makes this pretty much just a F.U.D. piece designed
to trump up business for these guys, and by proxy yourself.

~~~
steveklabnik
Please see
[http://weblog.rubyonrails.org/2013/2/24/maintenance-policy-f...](http://weblog.rubyonrails.org/2013/2/24/maintenance-policy-for-ruby-on-rails/)

"Severe Security Updates" => "After the Rails 4 release: 4.0.z, 3.2.z"

------
Aqua_Geek
> Many of the gems/plugins which you might be using with your current
> application will not be compatible with Rails 3.

I'm genuinely curious what gems people are using that are not yet compatible
with Rails 3, given that it was released almost three years ago. Maybe my use
cases for Rails don't match the most common ones, but I have yet to run into
this issue.

For Rails 4, well, that's another matter =)

~~~
steveklabnik
I am interested in helping gems that are not Rails 4 compatible get so, so if
you can point me towards some that aren't, I'll reach out to the maintainers.

~~~
ilikepi
We're tracking Rails 4 compatibility for the major gems we use, based on a bit
of skimming GitHub Issues and Pull Requests. Here are the highlights from that
list:

CanCan[1] has a '2.0' branch where Rails 4 support is being worked on. It also
has PR #838 open for supporting strong_parameters in the current stable 1.6
tree.

Devise[2] pushed 3.0.0.rc about a month ago with Rails 4 support.

FriendlyId[3] seems to have work in progress on their master branch.

Acts-as-taggable-on[4] states in their README that they are compatible in
version 2.4.1, but there seem to be a couple open issues related to Rails 4.

edit: formatting

[1]: [https://github.com/ryanb/cancan/](https://github.com/ryanb/cancan/)

[2]: [https://github.com/plataformatec/devise/](https://github.com/plataformatec/devise/)

[3]: [https://github.com/FriendlyId/friendly_id](https://github.com/FriendlyId/friendly_id)

[4]: [https://github.com/mbleigh/acts-as-taggable-on](https://github.com/mbleigh/acts-as-taggable-on)

~~~
voltagex_
I mean this in a friendly way, but it's nice to see that it's not just Python
that has issues with major version bumps.

------
mark_l_watson
Very nice of them to have a free community version (security patches 10 days
after normal release - this seems fair to me).

I could have used this a year or so ago, but I rewrote an old 2.3 Rails app in
Clojure (cookingspace.com if you are curious). Now I am glad it is in Clojure
though.

I had previously updated another Rails app from 2.x to 3.x and I was surprised
how much trouble it was to do that.

------
smoyer
I've got an application running Rails and my easiest path is to eliminate it
entirely.

------
zallarak
This seems pretty obvious and applies to most popular web frameworks. From a
quick Google search, one can see rails 2.3 came out in 2009. That is 4 years
ago - in the context of web frameworks that is quite a while.

------
wtracy
I didn't see "Firewall that thing off from the Internet" mentioned as an
option. Not all web apps are public-facing, after all.

~~~
patio11
That is a partial option, but there are ways in which it is inadequate. For
example, with the January Rails vulnerabilities, dropping an IMG tag with a
well-constructed URL on a site on the public internet was likely enough to
suborn a developer's browser into connecting to and rooting a Rails box that
was firewalled from external traffic. You still want to patch things, to
prevent that and similar issues.

------
VeejayRampay
I think there's only one reason why a company would run Rails 2.3 in 2013:
greed.

There's no way you absolutely cannot somehow find a way in about 4 years to
migrate even a big code base to at least Rails 3. It's not like the migration
was that complicated, there are countless guides around, a devoted community,
IRC channels, consultants aplenty and even tools to hold your hand along the
way.

~~~
jrochkind1
> It's not like the migration was that complicated

Really? If that was your experience, you are fortunate, but it does not match
that of many.

For me, the migration of several apps from Rails 2.3 to 3 was THAT
COMPLICATED. The last one I finally got finished about 9 months ago.

If someone was complaining about, say, Rails 3.0 to 3.2 -- sure, I'd agree,
it's not really that complicated, just do it.

But 2.3 to 3? So very many of us found that experience to be highly unpleasant
and quite that complicated. I'm glad you didn't, but your experience is not
even typical, let alone universal.

~~~
pimeys
It is very complicated. I upgraded one of our apps from 2.3 to 3.2 recently.
The nicest thing was that the app didn't have any views and even the
controller layer was slim; we had only one!

The update took around two weeks of time from two developers. The app is one
of our core apps and runs very important tasks. Probably the best thing is to
remove Rails completely from there.

