[static_typed]

We did. Until a few days ago. IT Security pulled the apps after the recent critical vulns in Rails, and now this vuln with RubyGems.

Still using OpenBSD for hosting, but the apps are being ported to PHP and Python as we speak.

[rjbond3rd]

Whoa, could you elaborate? I'm sure people would love to hear more context for totally rewriting (not second-guessing, just intensely curious).

[static_typed]

Sure. We had a number of Rails apps running in our production environment. The recent weeks have been a very stressful time. A critical Rails or Ruby related vuln is discovered, and then we have to make emergency changes to try avoid the app or server getting compromised.

Of course, given the large number of these critical issues, the business decided to pull and rewrite the apps based on input from the It Security team who described the current Ruby developer culture as being immature, ignorant of software engineering principles, unaware of secure coding, too enamoured with shiny/magic/convenience to care about longer-term implications in their design choices, thinking that constant band-aid fixes are the right way forward rather than acknowledge and fix poor design and implementation, and basically a liability for the company and it's data.

[duaneb]

> Of course, given the large number of these critical issues, the business decided to pull and rewrite the apps based on input from the It Security team who described the current Ruby developer culture as being immature, ignorant of software engineering principles, unaware of secure coding, too enamoured with shiny/magic/convenience to care about longer-term implications in their design choices, thinking that constant band-aid fixes are the right way forward rather than acknowledge and fix poor design and implementation, and basically a liability for the company and it's data.

And you're switching to PHP? Someone should be fired for that decision.

[eric970]

Dude, every one of your posts on HN I've seen has been about how Ruby sucks and should be thrown away. Either you're a troll or you're a very angry and upset person. Either way, I feel sorry for you.

[PommeDeTerre]

I don't mean you any offense, but your response is the kind that makes the entire Ruby community look very bad.

It is perfectly normal for responsible software developers, system administrators and business leaders to get angry or upset by security vulnerabilities. The impact such vulnerabilities can have on an organization is staggering.

When they're exploited, there can be huge sums of money lost. There can be serious legal ramifications. A company's reputation can be destroyed by a single incident. And those are just a few of the consequences.

Even when these vulnerabilities aren't exploited, there are still significant costs associated with fixing them, testing such fixes, deploying the fixes, and so forth.

Software is supposed to bring benefits to its users, not problems and costs. Costly problems with software will make many people angry.

Ruby, Ruby on Rails and some related software have had a very bad time lately. They have caused a lot of problems for a lot of people, and this has indeed resulted in anger and wasted monkey. Some people are making a sensible decision to look toward alternative technologies, to try to minimize their losses.

Instead of labeling such people as "trolls", the Ruby community as a whole needs to engage in some significant self-evaluation. Try to understand why people are expressing what they are, and perhaps even try to learn from what they're saying. Security is important, and the Ruby community needs to learn this fact.

[snogglethorpe]

Er, I'm sure this is true, and I'm no Rails fanboy (indeed I've never even used Rails, and haven't written more than 10 lines of Ruby in my life), but the grand-parent poster really does come off as a troll or someone with an axe to grind.

He's vague and inflammatory, and avoids technical details in favor of generically insulting language ("the 'IT security' team describes ruby culture as immature"), apparently more aimed at denigrating a particular community than clarifying any issues or solutions. Much of what he writes is borderline absurd ["Rewriting in python and PHP"... really? PHP is their choice for a better-"engineered" replacement?!]

Everybody sometimes writes vague and snarky posts, but doing so repeatedly is a warning sign...

[pizzeys]

If Ruby has had a bad time lately, then surely PHP has had a bad decade? It just seems odd to jump out of the frying pan and into the fire, is all.

[duaneb]

I was less confused by his claim that the ruby community isn't security oriented (or whatever) by the fact that they decided to switch to PHP, which has a much, much worse track record.

[csense]

As of this writing, the grandparent was downvoted; this post is a response to that situation.

> Ruby sucks

Ruby actually does suck. I don't like it; that's my personal opinion.

But I can't say that. All the cool startups are using it, so Ruby has become one of HN's sacred cows: There are people on here, like the parent, who take offense when someone dares have anything but the highest praise for Ruby and Rails.

I've looked at Ruby. The syntax is ugly; the language is about as bad as Perl in this regard. I've deployed Ruby applications; it's complex (although, to be fair, this is endemic to Web development). Rails is a nightmare.

A lot of HN'ers seem to like it. That's fine. But we should listen to unpopular opinions; important truths aren't always immediately universally accepted as such.

Problem: Maybe Ruby is actually the best thing since sliced bread, but I don't understand its greatness because I haven't seen the right tutorial. Solution: Write a better tutorial, improve existing ones, or point out your favorite beginning Ruby tutorials on HN or your blog.

Problem: Maybe the syntax of Ruby is really what makes me uncomfortable. Solution: A Python-to-Ruby bridge would let people like me experience the goodness of Rails without the pain of learning Ruby's extensive syntactic "innovations."

Problem: The grandparent's employer was uncomfortable with the number of security vulnerabilities recently found in Rails. Solution: Maybe having a stable branch which didn't innovate quite as fast and focused on security would make enterprise users more comfortable with Rails. Or maybe the Rails community needs more thorough vetting of new features for potential security holes, perhaps through requiring separate reviews for security and functionality before patches are officially accepted.

But if we just dismiss anyone who criticizes Ruby as a troll, how are we supposed to recognize and respond to actual problems like these? The grandparent's issues were a legitimate criticism of Ruby, and should not have been downvoted.

[pizzeys]

The stable branch already exists - the latest vulns were patched for 2.3, which was released in 2009.

[eric970]

Ruby isn't my first or only language. I'm pointing out that there doesn't seem to be much of any analysis or reasoning behind his posts. That's it. It amuses me that people automatically assumed I meant Ruby > all. I haven't claimed that and definitely do not think that. I think this is actually a sign of how people judge other languages really badly.

[begurken]

While you may not agree with static_typed (his name suggests he's probably not a huge Ruby fan), the Rails community (& to some degree the Ruby community) should listen to folks like him. This is because more and more people would agree with static_type's statements.

The high chance that more catastrophic rails exploits will be found in the next month (if all of the paths to YAML.load have been found, I'll eat my hat) will increase the number of people making or agreeing with statements like static_typed's. After an exploit or two have been found in February or March, people will be pointing at Rails and saying 'I told you so'.