by enko 4732 days ago
Sorry. I do not believe you deploy ruby apps of any significance. Your opinions are way out of alignment with the rest of the community. You're trying to paint yourself as some kind of "voice of sanity" security-wise but it is unavailing IMO.

Convenience vs security is always a tradeoff. You advocate a total lack of convenience, for a minimal, at best, gain in security (any issues are likely to be at a far higher level). I find your arguments unconvincing, to say the least, and I would decline to implement your suggestions at the 4 or so companies where my opinions hold sway.

> it's down to Rubyists to demonstrate why it's better, for instance, to gem install directly to production rather than build packages

Great, an easy one. Ruby has its own packaging system and uses bundler to determine dependencies. Using this system I can install the dependencies - which may include complex custom compilations against local libraries - immediately and conveniently. I can update it any time I want.

You can't. You have some crazy manual system of packaging these compiled libraries and then distributing them via some private repo. For what? You gain nothing. Now all deployments are some house-of-cards game of trying to get the sysadmin to package up the right X when you need it, instead of the devs being able to deploy directly. Why would you even bother?

> I get that it's comforting to travel in a herd.

Stop trying to paint yourself as the sole voice of reason in an insane world. In this case, the herd is doing the right thing.

> We can, and do, push out several ruby app deployments a day via apt-get, when we want to

Bullshit. Sorry, but I don't believe a word you say. You have never deployed apps for a company who cares about speed and efficiency, like a startup. If you had, you wouldn't hold these ridiculous beliefs.
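An added example, not code from either commenter and not Bundler's own: the deploy-time `bundle install` that enko describes only fetches a known set of packages if the lockfile pins everything and points at remotes production is allowed to reach. This script parses a Gemfile.lock and reports what a production install would have to fetch outside that: git sources cloned at deploy time, gem remotes not in a trusted list, a GEM block with more than one remote (where any remote may serve any gem in the block), and dependencies with no locked version, which Bundler resolves from the network. The lockfile, gem names, hosts and revision are constructed for the example, and the trusted-remote list is an assumption.

```ruby
# Added example, not code from the HN thread or from Bundler itself.
# Audits a Gemfile.lock for what a deploy-time `bundle install` would fetch,
# and from where. Names, hosts and the revision below are constructed.
SAMPLE_LOCKFILE = <<~LOCK
  GIT
    remote: https://github.com/example/left-pad-rb.git
    revision: 8f2c0d1e4b3a5c6d7e8f9a0b1c2d3e4f5a6b7c8d
    branch: main
    specs:
      left_pad (0.1.0)

  GEM
    remote: https://rubygems.org/
    remote: https://gems.internal.example/
    specs:
      nio4r (2.5.8)
      puma (5.6.4)
        nio4r (~> 2.0)
      rack (2.2.3)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    left_pad!
    puma
    rack
    sinatra

  BUNDLED WITH
     2.3.7
LOCK

# Remotes production may fetch gems from (assumption for the example).
TRUSTED_REMOTES = ['https://rubygems.org/'].freeze

# Minimal parser for the sections that matter here: GIT/PATH/GEM source
# blocks with their locked specs, and the top-level DEPENDENCIES list.
def parse_lockfile(text)
  sources = []       # one hash per GIT/PATH/GEM block
  dependencies = []  # gem names listed under DEPENDENCIES
  section = current = last_spec = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    unless line.start_with?(' ')            # unindented line starts a section
      section = line
      current = nil
      if %w[GIT PATH GEM].include?(section)
        current = { type: section, remotes: [], revision: nil, specs: {} }
        sources << current
      end
      next
    end
    if current
      if (m = line.match(/\A  remote: (.+)\z/))
        current[:remotes] << m[1]
      elsif (m = line.match(/\A  revision: (\S+)\z/))
        current[:revision] = m[1]
      elsif (m = line.match(/\A    (\S+) \(([^)]+)\)\z/))      # locked gem
        last_spec = current[:specs][m[1]] = { version: m[2], deps: [] }
      elsif (m = line.match(/\A      (\S+)/)) && last_spec    # its dependency
        last_spec[:deps] << m[1]
      end
    elsif section == 'DEPENDENCIES'
      dependencies << line.strip.split(' ').first.delete_suffix('!')
    end
  end
  { sources: sources, dependencies: dependencies }
end

# Returns one finding per thing a production install would fetch outside the
# pinned, trusted set. An empty array means the install is fully determined.
def audit_lockfile(text, trusted_remotes = TRUSTED_REMOTES)
  lock = parse_lockfile(text)
  locked = {}
  lock[:sources].each { |src| src[:specs].each_key { |name| locked[name] = src } }
  findings = []
  lock[:sources].each do |src|
    case src[:type]
    when 'GIT'
      src[:specs].each_key do |name|
        findings << "#{name}: git clone of #{src[:remotes].first} at deploy time (revision #{src[:revision]})"
      end
    when 'PATH'
      findings << "PATH source #{src[:remotes].first}: built from the checked-out tree, not a gem index"
    when 'GEM'
      (src[:remotes] - trusted_remotes).each { |r| findings << "remote #{r} is not in the trusted list" }
      if src[:remotes].size > 1
        findings << "GEM block lists #{src[:remotes].size} remotes; any of them may serve #{src[:specs].keys.join(', ')}"
      end
    end
  end
  # Anything without a locked version is resolved from the network at install time.
  lock[:dependencies].each do |name|
    findings << "#{name}: listed in DEPENDENCIES with no locked version" unless locked.key?(name)
  end
  lock[:sources].each do |src|
    src[:specs].each do |name, spec|
      spec[:deps].reject { |d| locked.key?(d) }.each { |d| findings << "#{name} depends on #{d}, which has no locked version" }
    end
  end
  findings
end

puts audit_lockfile(SAMPLE_LOCKFILE) if __FILE__ == $PROGRAM_NAME
```

Run it against a real lockfile by reading the file instead of `SAMPLE_LOCKFILE`. Note the limit of what this checks: a Gemfile.lock without the newer CHECKSUMS section pins versions, not contents, so a clean audit plus a frozen lockfile (`bundle config set --local deployment true`) says only that the install fetches a fixed set of names and versions from fixed hosts; content integrity is what a signed package repository adds, which is the gap the two commenters are actually weighing.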

1 comment

> Sorry. I do not believe you deploy ruby apps of any significance. Your opinions are way out of alignment with the rest of the community. You're trying to paint yourself as some kind of "voice of sanity" security-wise but it is unavailing IMO.

Wow. Appeal to authority and ad hominem in the first line. Good start!