> Sounds like an awful lot of work for no good reason I can think of.
Perfectly reproducible deploys and shutting down attack vectors are both very good reasons.
> You'll need a compiler, anyway, once you start trying to use any number of libraries requiring compiled C extensions.
Only if you're doing `gem install` in production. Guess what? That's not a particularly good idea either.
> "No compilers on production!" might be true elsewhere but I can't see any reason it applies for ruby deployments.
Ruby isn't special, or magic. It doesn't get a free pass "just because." If you've got reasons it should be exempt from the best practices that have been learnt elsewhere, let's hear them.
In the real world, we don't have unlimited time, so we have to try to balance effort required versus the outcomes we desire in order to get the best "bang for buck" out of our time. Your suggestions are incompatible with this imperative.
> Perfectly reproducible deploys and shutting down attack vectors are both very good reasons.
No they're not. Firstly, I already have good enough deploys. Secondly, the attack vector you're talking about - having a compiler installed (!) - is almost not worth mentioning and certainly does not justify the huge extra effort. We're running a business here.
> Only if you're doing `gem install` in production. Guess what? That's not a particularly good idea either.
Says you, and pretty much only you. Anything else is a massive inconvenience. Everyone does this. It may not be "perfect" but again, we are running businesses here.
> If you've got reasons it should be exempt from the best practices that have been learnt elsewhere
No, it doesn't work like that. "Best practice" does not mean a blind adherence to some decade-old set of irrelevant rules ahead of all practical operational priorities. What the ruby community has is a practical balance - workable, efficient, fast. What you suggest rings of a disconnected IT department with no incentive to make life easy for those trying to iterate fast. It smacks of ass-covering and excuses; I know it well.
You've not made any points I find compelling in the least. Anyway, I don't wish to argue about it, I simply wish to point out, to any others reading this, that your opinion on best practise for ruby deployments is controversial, to say the least.
Anyway, I doubt you've actually done any deployments at all in accordance with the ridiculous "best practise" you've outlined. I doubt anyone has. I, on the other hand, have had great success with my approach, as have countless others. As usual, the armchair quarterback has any number of wise-sounding criticisms, but is not actually in the game.
> Secondly, the attack vector you're talking about - having a compiler installed (!) - is almost not worth mentioning
I would mention "reducing the attack surface" and "privilege escalation", but you've already decided you know best on that front. Given the choice between "running a business" and "running a business securely"... well, you're happy with where you are on that spectrum, clearly.
>> If you've got reasons it should be exempt from the best practices that have been learnt elsewhere
> No, it doesn't work like that.
I'm afraid it does. Ruby may have a "practical balance", as you put it, but unless you can demonstrate, in specific, why it's better than established practice, the best practice stays. Otherwise you can't possibly understand the trade-off you're making. Blind adherence has no place here, in either direction.
I know Ruby has shiny tools for doing this stuff, but you're trading getting it done right for getting it done now when you don't actually know how much work doing it right would take. I can tell, because you seem to think ("huge extra effort"? Seriously?) packaging is hard.
> Everyone does this.
The Ruby ecosystem is the one claiming exceptionalism here, it's down to Rubyists to demonstrate why it's better, for instance, to gem install directly to production rather than build packages, and why it's worth risking rubygem's failure modes in addition to those which might affect the packaging system.
I get that it's comforting to travel in a herd. It's valuable to stop and question where that herd is going, and ask why the grass under your feet isn't better trampled.
> your opinion on best practise for ruby deployments is controversial, to say the least.
As an opinion on deployments in general, it really isn't. Now, tell me again why ruby deployments are special?
> As usual, the armchair quarterback has any number of wise-sounding criticisms, but is not actually in the game.
Heh. Cute. Wrong, but still cute :-) We can, and do, push out several ruby app deployments a day via apt-get, when we want to. Nothing stops us from iterating fast. You can have your cake and eat it too.
Sorry. I do not believe you deploy ruby apps of any significance. Your opinions are way out of alignment with the rest of the community. You're trying to paint yourself as some kind of "voice of sanity" security-wise but it is unavailing IMO.
Convenience vs security is always a tradeoff. You advocate a total lack of convenience, for a minimal, at best, gain in security (any issues are likely to be at a far higher level). I find your arguments unconvincing, to say the least, and I would decline to implement your suggestions at the 4 or so companies my opinions hold sway.
> it's down to Rubyists to demonstrate why it's better, for instance, to gem install directly to production rather than build packages
Great, an easy one. Ruby has its own packaging system and uses bundler to determine dependencies. Using this system I can install the dependencies - which may include complex custom compilations against local libraries - immediately and conveniently. I can update it any time I want.
You can't. You have some crazy manual system of packaging these compiled libraries then distributing them via some private repo. For what? You gain nothing. Now all deployments are some house of cards game of trying to get the sysadmin to package up the right X when you need it. Instead of the devs being able to deploy directly. Why would you even bother?
> I get that it's comforting to travel in a herd.
Stop trying to paint yourself as the sole voice of reason in an insane world. In this case, the herd is doing the right thing.
> We can, and do, push out several ruby app deployments a day via apt-get, when we want to
Bullshit. Sorry, but I don't believe a word you say. You have never deployed apps for a company who cares about speed and efficiency, like a startup. If you had, you wouldn't hold these ridiculous beliefs.
> Sorry. I do not believe you deploy ruby apps of any significance. Your opinions are way out of alignment with the rest of the community. You're trying to paint yourself as some kind of "voice of sanity" security-wise but it is unavailing IMO.
Wow. Appeal to authority and ad hominem in the first line. Good start!
You'll need a compiler, anyway, once you start trying to use any number of libraries requiring compiled C extensions.
"No compilers on production!" might be true elsewhere but I can't see any reason it applies for ruby deployments.