
Rails 5.0.1 has been released - CoachRufus87
http://weblog.rubyonrails.org/2016/12/21/Rails-5-0-1-has-been-released/
======
tinco
If you're using Rails 5 ActionCable and you're not on Passenger, I would
recommend upgrading to this release as soon as possible. Phusion[0] and other
Rails 5 users[1] found a slow client issue with its implementation that was
not protected against by the default app server Puma.

We contacted the Rails team early on about this issue and worked closely with
them to have this issue solved. Now that 5.0.1 is released we are at liberty
to disclose details about this security issue.

I've written a blog post[2] on the problem, using OS X network shaping tools
and a simple app to demonstrate it. Rails apps running on Passenger were never
affected as Passenger implements response buffering for regular requests as
well as websockets connections. Note that even popular reverse proxies like
Nginx don't perform response buffering for websockets as far as I know, so
this is something to be aware of if you're running on other frameworks than
Rails as well.

[0] GH merge of patch:
[https://github.com/rails/rails/pull/26646](https://github.com/rails/rails/pull/26646)

[1] GH related issue:
[https://github.com/rails/rails/issues/26409](https://github.com/rails/rails/issues/26409)

[2] Blog post: [https://blog.phusion.nl/2016/12/21/actioncable-under-stress-...](https://blog.phusion.nl/2016/12/21/actioncable-under-stress-protecting-your-application-against-slow-clients-using-passenger/)
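The slow-client problem described in the post above is that a blocking write to a client that stops reading ties up the server thread. The following is an added example, not code from the thread, from Rails, Puma or Passenger: a per-connection outbound buffer that only ever writes non-blockingly, queues what the kernel will not take, and disconnects a client whose backlog exceeds a cap. The 64 KiB cap and the `BoundedSender` name are assumptions for the demo; the two simulations use a socket pair whose client side either never reads or drains after every message.

```ruby
require "socket"

# Added example (not from the thread, Rails or Passenger): a per-connection
# outbound buffer with a hard cap. A write() that blocks until a slow client
# drains the socket ties up the server thread; here every write is
# non-blocking, unsent bytes are queued, and a client whose backlog exceeds
# the cap is disconnected instead. The 64 KiB cap is an assumption for the
# demo, not a Rails or Passenger setting.
class BoundedSender
  MAX_PENDING = 64 * 1024

  attr_reader :pending, :closed

  def initialize(io, max_pending: MAX_PENDING)
    @io = io
    @max_pending = max_pending
    @pending = +""
    @closed = false
  end

  # Returns :sent, :queued or :dropped and never blocks the caller.
  def write(data)
    return :dropped if @closed

    @pending << data
    flush
    if @pending.bytesize > @max_pending
      close!
      return :dropped
    end
    @pending.empty? ? :sent : :queued
  end

  # Hand the kernel as much of the backlog as it will take right now.
  def flush
    until @pending.empty?
      n = @io.write_nonblock(@pending, exception: false)
      break if n == :wait_writable # socket buffer full: client is not reading

      @pending = @pending.byteslice(n..-1)
    end
  rescue IOError, SystemCallError
    close!
  end

  def close!
    @closed = true
    @io.close unless @io.closed?
  end
end

# A client that never reads: the kernel buffer fills, the backlog grows and the
# sender drops the connection once the cap is exceeded.
def simulate_slow_client(message_size: 4096, messages: 8192)
  server_side, client_side = UNIXSocket.pair
  sender = BoundedSender.new(server_side)
  results = Hash.new(0)
  messages.times do
    results[sender.write("x" * message_size)] += 1
    break if sender.closed
  end
  client_side.close
  results
end

# A client that drains promptly after every message: the backlog never builds.
def simulate_fast_client(message_size: 4096, messages: 200)
  server_side, client_side = UNIXSocket.pair
  sender = BoundedSender.new(server_side)
  results = Hash.new(0)
  messages.times do
    results[sender.write("x" * message_size)] += 1
    loop do
      chunk = client_side.read_nonblock(65_536, exception: false)
      break if chunk == :wait_readable || chunk.nil?
    end
  end
  sender.close!
  client_side.close
  results
end

if __FILE__ == $PROGRAM_NAME
  p slow: simulate_slow_client, fast: simulate_fast_client
end
```

The point is in the return values: the slow simulation ends with exactly one `:dropped` after a handful of `:queued` results, while the fast one is all `:sent`, and in neither case does the writing thread block. A reverse proxy that buffers responses does the same job one layer up, which is why the post notes that apps behind Passenger were not affected.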

------
jph
TLDR: Definitely worth upgrading.

Approximately hundreds of small bug fixes, across much of Rails. The fixes
include some important ones for database types, time comparisons, thread
issues, record reloading, etc.

IMHO these fixes address dozens of bugs that could cause major puzzlement for
a typical Rails developer.

Thanks to all the contributors for excellent work on this release.

~~~
sfilargi
> IMHO these fixes address dozens of bugs that could cause major puzzlement
> for a typical Rails developer.

That has been the reason I always avoid huge frameworks like RoR.

If I was to hit a bug like this, I wouldn't know where to start debugging. How
do people deal with obscure bugs in the framework with something like RoR?

~~~
inopinatus
You start by boiling it down to an executable test case, for which there are
templates here:
[http://guides.rubyonrails.org/contributing_to_ruby_on_rails....](http://guides.rubyonrails.org/contributing_to_ruby_on_rails.html#creating-a-bug-report)

Then you share the test case in a bug report, and collaborate to fix it.
Fixing it usually involves a source code dive.

With Rails's reasonably well documented and reasonably well written codebase
it's usually possible to grok the source and dependencies even coming to it
cold. With the possible exception of arel.

Ruby's dirty tricks department (monkey-patching third-party objects) and duck
typing together are a real boon to debugging.

~~~
rmchugh
Interesting, my experience is the opposite: liberal use of ruby's dirty tricks
often makes code hard to understand and thus debug.

~~~
epidemian
That's a separate statement, and they are not contradictory.

Using Ruby's dirty tricks on shipped code -> hard for debugging/understanding.
Using Ruby's dirty tricks while debugging -> boon.

The grandparent didn't claim the former to be false, only the latter to be
true.

~~~
inopinatus
This is a correct reading of my remark. I happen to agree with the opinion of
the followup as well, monkey-patching in production is a code stench.

Still I plead guilty to having occasionally monkey-patched prod code out of
urgent necessity. My recommendation is to view it like an advanced and
undesirable form of configuration; for my rails apps, each such hack always
goes in an initializer file named for the library it is patching. If you are
replacing third-party methods (or undermining the behaviour of a third-party
method) and those methods are not called very frequently then judicious use of
log noise e.g. through the deprecation mechanism will help at debug time.
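The pattern recommended in the comment above (one initializer per patched library, and a warning in the log each time a rarely-called patched method runs), as an added example that is not code from the thread or from Rails. The `ThirdParty::Mailer` class is a constructed stand-in for a library class, the `config/initializers/third_party.rb` path is the assumed location of the patch, and plain `Logger` stands in for Rails's deprecation mechanism so the example runs without Rails.

```ruby
require "logger"
require "stringio"

# Constructed stand-in for a third-party library class that has to be patched
# in production (not a real library).
module ThirdParty
  class Mailer
    def deliver(to)
      "delivered to #{to}"
    end
  end
end

# In a Rails app this module would live in config/initializers/third_party.rb,
# i.e. a file named for the library it patches (assumed path). Prepending
# instead of reopening the class keeps the original method reachable through
# super and makes the patch visible in ThirdParty::Mailer.ancestors.
module ThirdPartyMailerPatch
  class << self
    attr_accessor :logger
  end
  self.logger = Logger.new($stderr)

  # Hypothetical override: suppress deliveries to a reserved test domain.
  # The method is not called often, so a warning per call is cheap and tells
  # whoever reads the log that a patched method, not the library's own, ran.
  def deliver(to)
    ThirdPartyMailerPatch.logger.warn(
      "ThirdParty::Mailer#deliver is monkey-patched in " \
      "config/initializers/third_party.rb (called from #{caller_locations(1, 1).first})"
    )
    return "suppressed delivery to #{to}" if to.end_with?("@example.invalid")

    super
  end
end

ThirdParty::Mailer.prepend(ThirdPartyMailerPatch)

# True when the patch module sits in the ancestor chain, which is the quickest
# way to confirm at debug time that the override is in effect.
def patch_applied?
  ThirdParty::Mailer.ancestors.include?(ThirdPartyMailerPatch)
end

# Run one delivery with the warnings captured, returning [result, log_text].
def deliver_with_log(to)
  buffer = StringIO.new
  ThirdPartyMailerPatch.logger = Logger.new(buffer)
  result = ThirdParty::Mailer.new.deliver(to)
  [result, buffer.string]
end

if __FILE__ == $PROGRAM_NAME
  p patch_applied?
  p deliver_with_log("ops@example.invalid")
  p deliver_with_log("dev@example.com")
end
```

Every call, patched-path or pass-through, leaves a line in the log naming the initializer, so a developer chasing odd behaviour finds the patch before a source dive into the gem.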

------
Sivart13
If anyone's been holding off on upgrading to 5.x because of the deprecation
warnings you get about requiring `params` as a keyword argument in keyword
tests, I wrote a gem that could help:
[https://github.com/tjgrathwell/rails5-spec-converter](https://github.com/tjgrathwell/rails5-spec-converter)

~~~
urs2102
This is awesome.

Are there other gems and resources available for accelerating the migration
from 4 to 5? Been thinking about doing it for a project for a little while.

------
martijn_himself
Slightly off-topic: is learning Rails still a good career choice? I'm not
particularly keen on JavaScript on the server and I think I am slightly tired
using .NET on a daily basis.

~~~
isaac_is_goat
Where I'm from (Toronto, Canada), Rails development pays significantly more
than any other stack and there is substantially more work available.

~~~
gavingmiller
I'd love to DM you with some questions about Toronto. Can you ping me via my
profile info?

------
JelteF
Serving the SHA-1 hashes over an HTTP connection doesn't really seem useful at
all to me. If you're worried about MITM the hashes could easily be changed as
well.

~~~
IanCal
It does still allow you to check for corruption though.

------
nickjj
If anyone is using Rails together with Docker, I just updated orats[1] to use
Rails 5.0.1.

[1]: [https://github.com/nickjj/orats](https://github.com/nickjj/orats)

------
pandafoo
How is Rails still doing in the world of NodeJS, Microservices and React?

~~~
TheSmoke
react-rails is really good.

~~~
idra
react_on_rails is even better.

~~~
debaserab2
Not really. Depends completely on what you need. Not integrating with your
existing asset pipeline isn't necessarily a plus depending on what your goals
are.

There's also a weird amount of self promotion going on with that repo. Not
sure what it is about that but it's kind of been a turn off to me.

~~~
ch4s3
It's not so different from thoughtbot's repos, just a different personality.

------
wjossey
Anyone have a tl;dr?

~~~
hartator
JQuery is not by default anymore.

~~~
faitswulff
I think you might be thinking of the upcoming 5.1 release.

~~~
hartator
Yes, my bad.

------
sergioocon
Updated and testing...

Thanks!

------
sergioocon
Updated and testing.

Thanks!

