[PommeDeTerre]

Your name-calling aside, how do you propose that the Ruby community deal with these inherent problems with their software and their attitudes?

Will they do the responsible thing and throw out all of the existing, poorly-written code?

Will they collectively ditch RubyGems in favor of a system that has some modicum of security built in from the start?

Will they throw out their flawed development philosophies, so that they don't get into the same situation later on?

I'm unfortunately inclined to think that we'll just see more of the same. These problems will be "patched" over, at best, rather than fixed at the root. In fact, proper fixing of these issues would go against everything that the Ruby community stands for.

That's why I think that moving away from Ruby and Ruby on Rails is a responsible approach. Some problems just can't be fixed, and I think we've encountered some of those in this situation.

[moe]

I see your comments on every Ruby-related thread and you sound like a broken record.

Many of us Ruby-users see the problems in a similar way and try to fix them. It's a learning process and it happens right now. The ruby community is also not an uniform blob. We are not 37signals and we are not the rubygems team. Many of us disagree with some decisions made at these places. Most of us also use other languages and are well aware of the trade-offs that Ruby implies.

This is all worth discussing and the specific problems are worth fixing. The rubygems-team happens to be working on their problem, which is a hard problem, right now; https://gist.github.com/4696144

Your mindless bashing on every Ruby HN-thread contributes nothing. Please use your time for something more productive, e.g. you could go to your preferred language community and help them fix their security problems, which they also have plenty of.

[wyuenho]

I'd reeeaally like to see a second group of dedicated maintainers that are more concerned about security to step up to the plate, fast. The guys behind Ronin are doing great, but they are really just 2 guys battling against a community which have a track record of producing a code base that has had 8 code execution and 8 SQL injection vulnerabilities so far.

http://www.cvedetails.com/product/22569/Rubyonrails-Rails.ht...

http://www.cvedetails.com/product/22568/Rubyonrails-Ruby-On-...

[Xylakant]

Ok, serious question: In which ways is rubygems less safe than .deb packages, .rpms, portfiles or ebuilds, python eggs, jars or composer files? All of those are mechanisms to distribute and deploy code. All of those suffer from the same basic vulnerability: They ship code that gets executed. If that code gets compromised, you have a viable attack. Debian saw its developer repositories compromised at least in 2006 [1] and back then, we had the same problem: In the beginning nobody was sure whether the package repositories had been attacked.

There is one critical difference between OS package repos and the programming language repos: For an OS package repo, signing is mandatory. Programming language repos allow that, but don't enforce it. Python is a little ahead here, but this is nothing that can't be fixed. I actually see that gem signing will be mandatory in the foreseeable future.

[1] http://www.debian-administration.org/articles/417

[slurgfest]

Without disagreeing with you substantively, Python eggs have not been the main way Python packages are distributed for years now. This is not to say that PyPI couldn't use some attention to issues like signing!

[knowtheory]

Yeah, see, you can't put the name calling aside. That's what i'm telling you.

Regardless of the merits of a discussion regarding security, open source software, and the ruby community, it's clear that you have an axe to grind, and are not participating in this conversation in a constructive manner.

There is no point in engaging you in a discussion about Ruby security, because you just want people to stop using Ruby. Again, that's your prerogative, but don't try to dress it up as your overwhelming concern for security.

The practical matter is that folks are going to continue using Ruby with 100% certainty for the short term.

So if you were actually interested in security, rather than trolling or gloating, you could actually comment on the technical matters under discussion, instead of just telling people "stop using ruby" and that the "proper fixing of these issues would go against everything that the Ruby community stands for."

[detst]

You might want to stop and consider who's "not participating in this conversation in a constructive manner". You've called him a "software-bigot", "troll", "jerk" and "asshole". You seem to be taking his valid criticism personally. I've re-read the post and cannot see your motivation for the name calling.

The Ruby community may come out of this better and stronger but it's quite valid to suggest that some people may be better off moving on.

[knowtheory]

Right, so this is why I was loathe to call Potato out.

If you take a look at his comments he's been all over these threads about ruby: https://news.ycombinator.com/threads?id=PommeDeTerre

And he really isn't participating in a constructive manner. He gets away with his obnoxious behavior in other threads by intermingling his opinions and generalizations in with the substantive discussion.

I'm not going to engage him on the substance of what's happening in the Rubysphere, because he has made clear that he no intention of helping either move the discussion along, or to solve any problems.

That he occasionally raises legitimate points is irrelevant, others have raised the same points in constructive manners, and there have been fruitful discussions on the topics. Engaging this particular guy is only feeding a troll who is distracting from the conversation.

Regretfully there are two opposing goals that must be served here.

The discussion about how Rubygems is going to move forward is really of vital importance to the ruby community. Making sure that there is a civic engagement with Rubygems and the tooling that Rubyists rely on is something that really does need to be promoted better.

On the other hand, Pomdeterre's trolling is obnoxious and unhealthy behavior that HN shouldn't tolerate. Like I said above. Being right is important, but it's not the only important thing. You can be right and still be an asshole who's being a drag on a community, or an organized effort to do something.

I agree that my criticism of PomDeTerre's behavior does not touch on the heart of the discussion, but I hope you can understand that that was in fact the intention. It is not the subject matter that he is discussing that's the problem. It is his conduct.

It's unfortunate that it's distracting from the substantive discussion, but we shouldn't have to put up with people acting like this, or interfering with efforts to fix problems.