Ruby & You - Rubyconf PT 2014

Transcript

1. Ruby & You

2. RubyConf Portugal in Review

3. #rubykaraoke

4. #rubykaraoke

5. Case statements === Ranges

6. Program in Confidence

7. Rails is so 2005 @myabc

8. URLs are very important

9. URL DRIVEN DEVELOPMENT ?

10. Macros Turtles all the way down

11. Ruby is an Emergency Instructions Language

12. Fewer objects makes a faster Ruby

13. Ruby isn't going to last forever...

14. Bieber increases programmer productivity

15. Innovation happens through reinventing the wheel

16. None

17. Today is not Friday...

18. But Caleb believes in hugs everyday

19. Terence Lee @hone02

20. Austin, TX

21. @calebthompson

22. None

23. Jacuzzi for your Hands

24. None
25. None
26. None

27. Ruby Task Force

28. Ruby Task Force Member

29. Matz’s Ruby Team

30. ← Matz

31. ← ko1

32. ← ko1 Performance Prince

33. nobu →

34. nobu → Patch Monster

35. Top 5 Committers $ git shortlog -s --since=2012 | sort

    -rn | \ head -6 2739 nobu <--- 867 akr 710 svn 635 ko1 596 naruse 448 zzak

36. Top 5 (Human) Committers $ git shortlog -s --since=2012 |

    sort -rn | \ head -6 2739 nobu 867 akr 710 svn <--- 635 ko1 596 naruse 448 zzak

37. Top 5 (Human) Committers $ git shortlog -s --since=2012 |

    sort -rn | \ head -6 2739 nobu 867 akr 710 svn 635 ko1 596 naruse 448 zzak <---

38. zzak (@_zzak) sensei (せんせい)

39. zzak (@_zzak) for Ruby Hero

40. Agenda • Story Time • Working with Ruby • A

    Potential Future

41. Story Time

42. CVE-2013-4164 November 22, 2013

43. Exploit

44. untrusted_data.to_f Vulnerable Code

45. Venue of Attack JSON.parse untrusted_data

46. Metasploit def digit_pattern @digit_pattern ||= rand(10_000).to_s end def multiplier (500_000

    * (1.0/digit_pattern.size)).to_i end def evil_float_string [digit_pattern, digit_pattern * multiplier].join('.') end JSON.parse("[#{evil_float_string}]")

47. $ ruby repro.rb [BUG] Segmentation fault ruby 2.0.0p247 (2013-06-27 revision

    41674) [x86_64-linux] -- C level backtrace information ---------------------- /../lib/libruby.so.2.0(+0x1ceaa8) [0x7f8787802aa8] /../rubies/ruby-2.0.0-p247/lib/libruby.so.2.0(+0x74e0a) /../lib/libruby.so.2.0(rb_bug+0xb3) [0x7f87876a9af3] /../lib/libruby.so.2.0(+0x14cf66) [0x7f8787780f66]

48. Affected Versions • Ruby 1.8 after 1.8.6p230 • Ruby 1.9

    prior to 1.9.3p484 • Ruby 2.0 prior to 2.0.0p353 • Ruby 2.1 prior to 2.1.0 preview2 • trunk prior to revision 43780

49. Solution... All users are recommended to upgrade to • Ruby

    1.9.3p484 • Ruby 2.0.0p353 • Ruby 2.1.0 preview2

50. What about Ruby 1.8.7? Please note that Ruby 1.8 series

    or any earlier releases are already obsoleted. There is no plan to release new FIXED versions for them.

51. Ruby 1.9.2?

52. Doubts 1. Don’t do anything 2. Patch just once 3.

    Maintain Ruby 1.8.7/1.9.2

53. A Patch in Time Heroku releases two unofficial rubies: 1.

    Ruby 1.9.2p321 2. Ruby 1.8.7p375 github.com/heroku/ruby

54. To: [email protected], [email protected], [email protected], [email protected], [email protected] At Heroku, we’re still

    maintaining security fixes for customers on 1.8.7 and 1.9.2 while we figure out our end of life process. After discussion on the security list, I’d like to apply these patches to the proper branches upstream so things don’t get out of sync. Here are the commits I’d like to apply: https://github.com/ruby/ruby/pull/457 https://github.com/ruby/ruby/pull/458 -Terence
55. None
56. None

57. Getting on Core • Send enough patches • port Ruby

    to non-POSIX platforms • write library brought into stdlib • security backporting

58. Friendly Reminder UPGRADE Your Rubies!!!!!!!!!!!

59. PSA Ruby 1.8.7 / 1.9.2 Support Ended in August

60. None

61. Ruby 1.9.3 support ends 2/23/2015

62. Working with Ruby

63. Why Should You Care?

64. Why Do I Care?

65. None
66. None

67. The people are the most important part.

68. Why Should You Care?

69. Getting the Source (SVN) Trunk: $ svn co http://svn.ruby-lang.org/repos/ruby/trunk ruby

    Branch: $ svn co \ http://svn.ruby-lang. org/repos/ruby/branches/ruby_2_0_0

70. Getting the Source (git-svn) $ git clone [email protected]:ruby/ruby.git $ cd

    ruby $ git svn init \ svn+ssh://[email protected] lang.org/ruby/trunk $ mv .git/refs/remotes/origin/trunk \ . git/refs/remotes/git-svn $ git svn rebase

71. Protips

72. Did you know... the patchlevel no. is incremented by hand

73. all dates are in JST (UTC +9) github.com/zzak/dotvim/blob/master/.vimrc#L12-L20

74. Top 5 (Human) Committers $ git shortlog -s --since=2012 |

    sort -rn | \ head -6 2739 nobu 867 akr 710 svn <--- 635 ko1 596 naruse 448 zzak
75. None

76. Running Tests $ mkdir build $ autoconf $ cd build

    $ ./configure --prefix=~/tmp/xxx --enable-shared \ --with-openssl-dir=/path/to/openssl \ --with-readline-dir=/path/to/readline \ --with-zlib-dir=/path/to/zlib $ make test-all TESTS=-v

77. Running Individual Test Files $ make test-all TESTS=drb/test_drb.rb

78. Creating a Patch $ diff -pu original/ changed/ \ >

    ruby-changes.patch $ svn diff > ruby-changes.patch $ git diff > ruby-changes.patch

79. Communication

80. Mailing Lists (ruby-lang.org) →

81. • Ruby-Talk • Ruby-Core • Ruby-Doc • Ruby-CVS

82. Twitter is not a bug tracker

83. Issue Tracker (bugs.ruby-lang.org)

84. Filing Issues • Bugs are fixed on trunk first •

    Can request backport once committed to trunk • bugs.ruby-lang.org/projects/ruby-trunk/issues/new

85. Create an Account / Login →

86. Search for Existing Issues →

87. →

88. Issue List

89. →

90. None

91. github.com/ruby/ruby/blob/trunk/doc/maintainers.rdoc Maintainer’s List

92. None
93. None

94. Security • Email [email protected] • Responsible Disclosure • Vulnerability/Use cases

    • Affected Rubies

95. Story: Insecure SSL Defaults • Ruby get it’s default from

    OpenSSL • Who’s responsibility is it?
96. None

97. Ruby Core Developer Meetings • Draft an agenda • Pick

    a date (estimate) • Ask Matz • Ask ruby-core
98. None
99. None

100. More Protips...

101. English is not everyone’s primary language

102. Nor is Japanese

103. People on Ruby Core speak Ruby

104. Issues are often consumed over e-mail

105. A Potential Future

106. Goals • Trust • Transparency • Onboarding

107. None

108. Moving to Git • Backport Tools • Redmine • Version

     Log • Others? • Convince Core • Profit…?

109. Supporting Legacy Rubies

110. Improve Onboarding Materials

111. For Katrina, Chris, and Phil

112. Testing Ruby 2.1.x https://bugs.ruby-lang.org/issues/9607

113. None
114. None

115. Ruby 2.2

116. Symbol GC

117. Incremental GC https://bugs.ruby-lang.org/issues/10137

118. vfork()

119. Dedupe String Keys in Hashes https://bugs.ruby-lang.org/issues/9382

120. BEGIN { ObjectSpace.count_objects } def count_string before = ObjectSpace.count_objects[:T_STRING] yield

     after = ObjectSpace.count_objects[:T_STRING] puts "Increasing String object is: #{after - before}" end count_string{'a' + 'b'} #=> 3

121. in Ruby 2.1.3 hash = { "jeremy" => "julius caesar"

     } count_string { 1000.times { hash["jeremy"] } #=> 1000 }

122. in Ruby 2.2 hash = { "jeremy" => "julius caesar"

     } count_string { 1000.times { hash["jeremy"] } #=> 0 }

123. Frozen Ruby: "Ruby"f https://bugs.ruby-lang.org/issues/8923

124. Frozen Ruby: "Ruby"f https://bugs.ruby-lang.org/issues/8923 Soggy

125. None

126. Schedule • Sep 13: Ruby 2.2.0.preview1 • Sep 30: Large

     Feature Freeze • Oct 29: Preview 2 Meeting • Nov: Feature Freeze, Ruby 2.2.0.preview2 • Dec: Release Candidate • Dec 25: 2.2.0 Release!

127. Ruby 3.0 http://brewhouse.io/blog/2014/09/19/ruby-kaigi-2014-day-2

128. Concurrency?

129. None

130. JIT Compiler?

131. RuJIT https://github.com/imasahiro/rujit

132. Static Typing?

133. None

134. Static Annotations def connect(r -> Stream, c -> Client) ->

     Fiber … end

135. Why Static Typing?

136. Why Static Typing? • Performance

137. Why Static Typing? • Performance • Compile Time Check

138. Why Static Typing? • Performance • Compile Time Check •

     Documentation

139. Why Not?

140. Why Not Static Typing? • It works™ without it

141. Why Not Static Typing? • It works™ without it •

     It is against duck typing

142. Why Not Static Typing? • It works™ without it •

     It is against duck typing • It will be optional

143. Why Not Static Typing? • It works™ without it •

     It is against duck typing • It will be optional • DRY

144. Wrapup

145. Anybody can contribute to Ruby

146. There’s more to contribution than C code

147. Documentation?

148. Discussion?

149. Data?

150. May the Ruby be with you

151. Thank You ありがとがざいます @hone02 [email protected]