2013 Rails Google Summer of Code Projects

Google has announced the accepted projects for the Summer of Code 2013 and Rails has been granted five slots. Here’s what our students will be working on this summer:

Genadi Samokovarov will be working on adding a web-based console for development, debugging and testing your Rails applications. He will be mentored by Rails Core Team member Guillermo Iguaran.

Łukasz Strzałkowski will be working on separating Action View from Action Pack and adding support for custom view classes. He will be mentored by Piotr Sarnacki, who was a Rails Summer of Code student in 2010 and has been a consistent contributor to Rails.

Ujjwal Thaakar will be working on adding support to Rails for bulk/collection actions with RESTful resources. He will be mentored by Rails Core Team member Andrew White.

Kasper Timm Hansen will be working on replacing the venerable html-scanner in the Rails HTML Sanitization API with Loofah and adding improvements to the API. He will be mentored by Rails Core Team member Rafael França.

John Wang will be working on refactoring the configuration and initialization of Rails applications. He will be mentored by Rails Core Team member Santiago Pastorino.

We’d like to thank all of the students and mentors who participated in the Summer of Code selection process - it was tough to get down to five projects, considering all the great proposals we had. We’re looking forward to seeing what all of our students bring to Rails this summer and we hope not to lose touch with others who are also excited about the prospects for Rails 4.0.

Rails 4.0: Release Candidate 1 released!

Just in time for the opening of RailsConf, we managed to push out the first release candidate of Rails 4.0. This incorporates no less than 1,368 commits since beta 1. You can see the full list of changes on GitHub. If you’re interested in a high-level review of what’s in Rails 4.0, please see the announcement we made for beta 1.

As last time, please give this release candidate an honest try. This is pretty much the version we’re going to ship unless people find and report blocking issues. Depending on how much stuff is unearthed, we expect that the final version could drop in as little as 3-4 weeks. Please report all the issues you find on the Rails issue tracker.

We’re still working on the upgrade guide from 3.2 to 4.0, but that’s a good place to start for help on how to do it. We’re also so lucky to have many authors and screencasters ready with material for 4.0. In the books department, you’ll find Rails 4.0-ready versions of Agile Web Development with Rails and Crafting Rails Applications. For screencasts, check out the new Rails 4: Zombie Outlaws and Mike Clark’s Rails 4 class. There’s new material and books coming out all the time from a variety of other authors and broadcasters, so we’re really in good shape with training material timed for the release this time!

As always, install the release with gem install rails --version 4.0.0.rc1 --no-ri --no-rdoc or depend on the v4.0.0.rc1 tag. We also have a new 4-0-stable branch. Master is now safe to move on to developing features for 4.1.

Go West, friends!

Google Summer of Code 2013

We’re pleased to announce that Ruby on Rails has been accepted into Google Summer of Code 2013 as a mentoring organization. What does this mean to you? Potentially, if you’re the right person, you can get paid to work on Rails this summer! The “right person” in this case is one who is at least 18 years old (sorry, Google’s rule, not ours!) on or before May 27, 2013; a full or part-time college student; and passionate about improving Rails.

We’re building a potential list of project ideas on a GitHub wiki, but we welcome other interesting proposals. If your proposal gets accepted, Google will pay you $5000 over the course of three months to work on the code. If you’re interested, head over to the GSoC site and start reading about the process. Student applications can be submitted starting April 22 and the deadline is May 3.

If you’re wondering what’s involved in becoming a GSoC student then the Google Student Guide has all the details on what’s expected and what you will gain from taking part. Any further questions can be directed either to the mailing list or to me directly.

What if you’re not a student? You can still help out by discussing ideas on the special mailing list we’ve set up for this year’s program. Or if you’ve got previous experience of contributing to Rails and are ready to make a strong commitment to help out the next generation of developers, you can apply to be a mentor.

We’re looking forward to working with this year’s students, and expecting some outstanding contributions to Rails as a result!

[SEC] [ANN] Rails 3.2.13, 3.1.12, and 2.3.18 have been released!

Hi everyone!

Rails versions 3.2.13, 3.1.12, and 2.3.18 have been released. These releases contain important security fixes. It is recommended users upgrade as soon as possible.

Please check out these links for the security fixes:

All versions of Rails are impacted by one or more of these security issues, but per our maintenance policy, only versions 3.2.13, 3.1.12, and 2.3.18 have been released. You can find patches for older versions on each stable branch on GitHub:

as well as with the security advisories.

For other changes in each particular release, please see the CHANGELOG corresponding to that version. For all commits in each release, please follow the links below:

Here are the checksums for the released gems:


Happy Monday!

<3<3<3

[ANN] Rails 3.2.13.rc2 has been released!

Hi everybody.

I’d like to announce that Rails 3.2.13.rc2 has been released.

Rails 3.2.13.rc2 contains fixes for regressions found in rc1. Please test out rc2. If you find regressions between 3.2.13.rc2 and 3.2.12, please email the rails-core mailing list, or file an issue on GitHub.

If there aren’t any major regressions, 3.2.13 final will be released on March 13, 2013.

Changes:

<3<3<3

[ANN] Rails 3.2.13.rc1 has been released!

Hey everyone! I am pumped to announce that Rails 3.2.13.rc1 has been released! If no regressions are found I will release 3.2.13 final in two weeks, on March 13, 2013. If you find one, please Open an Issue on GitHub so that I can fix it before the final release.

This is a bugfix release, with 287 commits. There is one big thing that is technically a fix but is sort of a feature: Ruby 2.0 support. Big thanks to Prem Sichanugrist for putting that together! Please give your applications a try on Ruby 2.0 and let me know how that goes.

CHANGES since 3.2.12

Action Mailer

No changes.

Action Pack

  • Determine the controller#action from only the matched path when using the shorthand syntax. Previously the complete path was used, which led to problems with nesting (scopes and namespaces). Fixes #7554. Backport #9361.

    Example:

    # this will route to questions#new
    scope ':locale' do
      get 'questions/new'
    end
    

    Yves Senn

  • Fix assert_template with render :stream => true. Fix #1743. Backport #5288.

    Sergey Nartimov

  • Eagerly populate the HTTP method lookup cache so local project inflections do not interfere with use of the underscore method (and we don’t need locks).

    Aditya Sanghi

  • BestStandardsSupport no longer duplicates X-UA-Compatible values on each request to prevent header size from blowing up.

    Edward Anderson

  • Fixed JSON params parsing regression for non-object JSON content.

    Dylan Smith

  • Prevent unnecessary asset compilation when using javascript_include_tag on files with non-standard extensions.

    Noah Silas

  • Fixes issue where duplicate assets can be required with sprockets.

    Jeremy Jackson

  • Bump rack dependency to 1.4.3, eliminate Rack::File headers deprecation warning.

    Sam Ruby + Carlos Antonio da Silva

  • Do not append second slash to root_url when using trailing_slash: true

    Fix #8700. Backport #8701.

    Example:

    # before
    root_url # => http://test.host//

    # after
    root_url # => http://test.host/
    

    Yves Senn

  • Fix a bug in content_tag_for that prevents it from working without a block.

    Jasl

  • Clear url helper methods when routes are reloaded by removing the methods explicitly rather than just clearing the module because it didn’t work properly and could be the source of a memory leak.

    Andrew White

  • Fix a bug in ActionDispatch::Request#raw_post that caused env['rack.input'] to be read but not rewound.

    Matt Venables

  • More descriptive error messages when calling render :partial with an invalid :layout argument.

    Fixes #8376.

    render :partial => 'partial', :layout => true
    # results in ActionView::MissingTemplate: Missing partial /true
    

    Yves Senn

  • Accept symbols as #send_data :disposition value. [Backport #8329]

    Elia Schito

  • Add i18n scope to distance_of_time_in_words. [Backport #7997]

    Steve Klabnik

  • Fix side effect of url_for changing the :controller string option. [Backport #6003]

    Before:

    controller = '/projects'
    url_for :controller => controller, :action => 'status'
    
    puts controller #=> 'projects'
    

    After:

    puts controller #=> '/projects'
    

    Nikita Beloglazov + Andrew White

  • Introduce ActionView::Template::Handlers::ERB.escape_whitelist. This is a list of mime types where template text is not html escaped by default. It prevents Jack & Joe from rendering as Jack &amp; Joe for the whitelisted mime types. The default whitelist contains text/plain. Fix #7976 [Backport #8235]

    Joost Baaij

  • BestStandardsSupport middleware now appends its X-UA-Compatible value to app’s returned value if any. Fix #8086 [Backport #8093]

    Nikita Afanasenko

  • Prevent double slashes in engine URLs when Rails.application.default_url_options[:trailing_slash] = true is set. Fix #7842

    Yves Senn

  • Fix input name when :multiple => true and :index are set.

    Before:

    check_box("post", "comment_ids", { :multiple => true, :index => "foo" }, 1)
    #=> <input name=\"post[foo][comment_ids]\" type=\"hidden\" value=\"0\" /><input id=\"post_foo_comment_ids_1\" name=\"post[foo][comment_ids]\" type=\"checkbox\" value=\"1\" />
    

    After:

    check_box("post", "comment_ids", { :multiple => true, :index => "foo" }, 1)
    #=> <input name=\"post[foo][comment_ids][]\" type=\"hidden\" value=\"0\" /><input id=\"post_foo_comment_ids_1\" name=\"post[foo][comment_ids][]\" type=\"checkbox\" value=\"1\" />
    

    Fix #8108

    Daniel Fox, Grant Hutchins & Trace Wax

Active Model

  • Specify type of singular association during serialization.

    Steve Klabnik

Active Record

  • Reverted 921a296a3390192a71abeec6d9a035cc6d1865c8, ‘Quote numeric values compared to string columns.’ This caused several regressions.

    Steve Klabnik

  • Fix overriding of attributes by default_scope on ActiveRecord::Base#dup.

    Hiroshige UMINO

  • Fix issue with overriding Active Record reader methods with a composed object and using that attribute as the scope of a uniqueness_of validation. Backport #7072.

    Peter Brown

  • SQLite now preserves custom primary keys when copying or altering tables. Fixes #9367. Backport #2312.

    Sean Scally + Yves Senn

  • Preloading has_many :through associations with conditions won’t cache the :through association. This will prevent invalid subsets from being cached. Fixes #8423. Backport #9252.

    Example:

    class User
      has_many :posts
      has_many :recent_comments, -> { where('created_at > ?', 1.week.ago) }, :through => :posts
    end
    
    a_user = User.includes(:recent_comments).first
    
    # this is preloaded
    a_user.recent_comments
    
    # fetching the recent_comments through the posts association won't preload it.
    a_user.posts
    

    Yves Senn

  • Fix handling of dirty time zone aware attributes

    Previously, when time_zone_aware_attributes were enabled, after changing a datetime or timestamp attribute and then changing it back to the original value, changed_attributes still tracked the attribute as changed. This caused [attribute]_changed? and changed? methods to return true incorrectly.

    Example:

    in_time_zone 'Paris' do
      order = Order.new
      original_time = Time.local(2012, 10, 10)
      order.shipped_at = original_time
      order.save
      order.changed? # => false
    
      # changing value
      order.shipped_at = Time.local(2013, 1, 1)
      order.changed? # => true
    
      # reverting to original value
      order.shipped_at = original_time
      order.changed? # => false, used to return true
    end
    

    Backport of #9073 Fixes #8898

    Lilibeth De La Cruz

  • Fix counter cache columns not updated when replacing has_many :through associations. Backport #8400. Fix #7630.

    Matthew Robertson

  • Don’t update column_defaults when calling destructive methods on column with default value. Backport c517602. Fix #6115.

    Piotr Sarnacki + Aleksey Magusev + Alan Daud

  • When #count is used in conjunction with #uniq we perform count(:distinct => true). Fix #6865.

    Example:

    relation.uniq.count # => SELECT COUNT(DISTINCT *)

    Yves Senn + Kaspar Schiess

  • Fix ActiveRecord::Relation#pluck when columns or tables are reserved words. Backport #7536. Fix #8968.

    Ian Lesperance + Yves Senn + Kaspar Schiess

  • Don’t run explain on slow queries for database adapters that don’t support it. Backport #6197.

    Blake Smith

  • Revert round usec when comparing timestamp attributes in the dirty tracking. Fixes #8460.

    Andrew White

  • Revert creation of through association models when using collection=[] on a has_many :through association from an unsaved model. Fix #7661, #8269.

    Ernie Miller

  • Fix undefined method to_i when calling new on a scope that uses an Array; Fix FloatDomainError when setting integer column to NaN. Fixes #8718, #8734, #8757.

    Jason Stirk + Tristan Harward

  • Serialized attributes can be serialized in integer columns. Fix #8575.

    Rafael Mendonça França

  • Keep index names when using alter_table with sqlite3. Fix #3489. Backport #8522.

    Yves Senn

  • Recognize migrations placed in directories containing numbers and ‘rb’. Fix #8492. Backport of #8500.

    Yves Senn

  • Add ActiveRecord::Base.cache_timestamp_format class attribute to control the format of the timestamp value in the cache key. This allows users to improve the precision of the cache key. Fixes #8195.

    Rafael Mendonça França

  • Add :nsec date format. This can be used to improve the precision of cache key. Please note that this format only works with Ruby 1.9, Ruby 1.8 will ignore it completely.

    Jamie Gaskins

  • Unscope update_column(s) query to ignore default scope.

    When applying default_scope to a class with a where clause, using update_column(s) could generate a query that would not properly update the record due to the where clause from the default_scope being applied to the update query.

    class User < ActiveRecord::Base
      default_scope where(active: true)
    end
    
    user = User.first
    user.active = false
    user.save!
    
    user.update_column(:active, true) # => false
    

    In this situation we want to skip the default_scope clause and just update the record based on the primary key. With this change:

    user.update_column(:active, true) # => true
    

    Backport of #8436 fix.

    Carlos Antonio da Silva

  • Fix performance problem with primary_key method in PostgreSQL adapter when having many schemas. Uses pg_constraint table instead of pg_depend table which has many records in general. Fix #8414

    kennyj

  • Do not instantiate intermediate Active Record objects when eager loading. These records caused after_find to run more than expected. Fix #3313 Backport of #8403

    Yves Senn

  • Fix pluck to work with joins. Backport of #4942.

    Carlos Antonio da Silva

  • Fix a problem with translate_exception method in a non English environment. Backport of #6397.

    kennyj

  • Fix dirty attribute checks for TimeZoneConversion with nil and blank datetime attributes. Setting a nil datetime to a blank string should not result in a change being flagged. Fixes #8310. Backport of #8311.

    Alisdair McDiarmid

  • Prevent mass assignment to the type column of polymorphic associations when using build. Fixes #8265. Backport of #8291.

    Yves Senn

  • When running migrations on PostgreSQL, the :limit option for binary and text columns is silently dropped. Previously, these migrations caused SQL exceptions, because PostgreSQL doesn’t support limits on these types.

    Victor Costan

  • #pluck can be used on a relation with select clause. Fixes #7551. Backport of #8176.

    Example:

    Topic.select([:approved, :id]).order(:id).pluck(:id)
    

    Yves Senn

  • Use nil? instead of blank? to check whether dynamic finder with a bang should raise RecordNotFound. Fixes #7238.

    Nikita Afanasenko

  • Fix deleting from a HABTM join table upon destroying an object of a model with optimistic locking enabled. Fixes #5332.

    Nick Rogers

  • Use query cache/uncache when using ENV["DATABASE_URL"]. Fixes #6951. Backport of #8074.

    kennyj

  • Do not create useless database transaction when building has_one association.

    Example:

    User.has_one :profile
    User.new.build_profile
    

    Backport of #8154.

    Bogdan Gusiev

  • AR::Base#attributes_before_type_cast now returns unserialized values for serialized attributes.

    Nikita Afanasenko

  • Fix issue that raises NameError when overriding accepts_nested_attributes_for in child classes.

    Before:

    class Shared::Person < ActiveRecord::Base
      has_one :address

      accepts_nested_attributes_for :address, :reject_if => :all_blank
    end

    class Person < Shared::Person
      accepts_nested_attributes_for :address
    end
    
    Person
    #=> NameError: method `address_attributes=' not defined in Person
    

    After:

    Person
    #=> Person(id: integer, ...)
    

    Fixes #8131.

    Gabriel Sobrinho, Ricardo Henrique

Active Resource

No changes.

Active Support

  • Fix DateTime comparison with DateTime::Infinity object.

    Dan Kubb

  • Remove surrogate Unicode character encoding from ActiveSupport::JSON.encode. The encoding scheme was broken for Unicode characters outside the basic multilingual plane; since JSON is assumed to be UTF-8, and we already force the encoding to UTF-8, simply pass through the un-encoded characters.

    Brett Carter

  • Fix mocha v0.13.0 compatibility.

    James Mead

  • #as_json isolates options when encoding a hash. [Backport #8185] Fix #8182

    Yves Senn

  • Handle the possible Permission Denied errors atomic.rb might trigger due to its chown and chmod calls. [Backport #8027]

    Daniele Sluijters

Railties

No changes.

Full listing

To see the full list of changes, check out all the commits on GitHub.

SHA-1

If you’d like to verify that your gem is the same as the one I’ve uploaded, please use these SHA-1 hashes:


<3<3<3
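
The verification described above, comparing each downloaded gem against a published SHA-1 listing, can be scripted. This Ruby sketch is an added example and not part of the original announcement; the gem names and file contents are constructed, and parse_shasum_listing and verify_gems are hypothetical helper names.

```ruby
require "digest/sha1"
require "tmpdir"

# One line of `shasum` output: 40 hex characters, a space, a mode flag
# (space = text, * = binary), then the file name.
SHASUM_LINE = /\A([0-9a-fA-F]{40}) [ *](.+)\z/
# A pasted terminal session also carries the prompt line that ran shasum.
PROMPT_LINE = /\$ shasum\b/

# Parse a pasted listing into { file name => lowercase SHA-1 hex }.
# Blank lines and the prompt line are skipped; any other line that is not a
# checksum line raises, so a mangled paste cannot silently shrink the set of
# files being checked.
def parse_shasum_listing(text)
  expected = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line =~ PROMPT_LINE
    m = SHASUM_LINE.match(line)
    raise ArgumentError, "not a checksum line: #{line.inspect}" unless m
    digest = m[1].downcase
    name = m[2]
    # The listing is untrusted input: refuse names with a directory component.
    raise ArgumentError, "unsafe file name: #{name.inspect}" unless File.basename(name) == name
    if expected.key?(name) && expected[name] != digest
      raise ArgumentError, "conflicting digests for #{name}"
    end
    expected[name] = digest
  end
  expected
end

# Compare every listed file in dir against its expected digest.
# Returns { file name => :ok | :mismatch | :missing | :unlisted }.
def verify_gems(listing, dir)
  results = {}
  parse_shasum_listing(listing).each do |name, want|
    path = File.join(dir, name)
    results[name] =
      if !File.file?(path)
        :missing
      elsif Digest::SHA1.file(path).hexdigest == want
        :ok
      else
        :mismatch
      end
  end
  # A .gem file that the listing never mentioned has not been verified at all.
  Dir.entries(dir).sort.each do |f|
    results[f] = :unlisted if f.end_with?(".gem") && !results.key?(f)
  end
  results
end

# Constructed demo: three listed gems, of which one is intact, one has been
# altered after the listing was made and one was never downloaded, plus one
# stray gem that is not in the listing.
def demo
  published = {
    "example-1.0.0.gem"       => "constructed gem body A",
    "example-core-1.0.0.gem"  => "constructed gem body B",
    "example-extra-1.0.0.gem" => "constructed gem body C"
  }
  lines = ["[release@build dist]$ shasum *1.0.0.gem"]
  published.each { |name, body| lines << "#{Digest::SHA1.hexdigest(body)}  #{name}" }
  listing = lines.join("\n")

  Dir.mktmpdir("gem-verify") do |dir|
    File.write(File.join(dir, "example-1.0.0.gem"), published["example-1.0.0.gem"])
    File.write(File.join(dir, "example-core-1.0.0.gem"), "altered after release")
    File.write(File.join(dir, "stray-0.1.0.gem"), "not in the listing")
    verify_gems(listing, dir)
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, status| puts format("%-10s %s", status, name) }
end
```

Anything other than :ok for a listed file means the local copy should not be installed until the difference is explained.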

Rails 4.0: Beta 1 released!

Hot on the heels of the first production version of Ruby 2.0 comes the first beta version of Rails 4.0. The two form a great pair and are already running in production on a number of applications, including Basecamp Breeze. In fact, Ruby 2.0 is the preferred Ruby to use with Rails 4.0.

The purpose of this beta is to get as many people as possible to try to upgrade from Rails 3.2 and earlier and to get an adventurous few to start new applications directly on Rails 4.0. That’s the only way we’re going to suss out all the issues and ensure that we can launch a solid final release. So please help us with that if you can!

Rails 4.0 is packed with new goodies and farewells to old goodies past their expiration date.

A big focus has been on making it dead simple to build modern web applications that are screaming fast without needing to go the client-side JS/JSON server route. Much of this work was pioneered for Rails in the new version of Basecamp and focuses on three aspects:

  1. Make it super easy to do Russian Doll-caching through key-based expiration with automatic dependency management of nested templates (explored first in the cache_digests plugin).
  2. Speed-up the client-side with Turbolinks, which essentially turns your app into a single-page javascript application in terms of speed, but with none of the developmental drawbacks (except, maybe, compatibility issues with some existing JavaScript packages).
  3. Declarative etags make it even easier to ensure you’re taking advantage of HTTP freshness.

Rails is of course still a great JSON server for people who want to build client-side JS views, but with the progress we’ve made for Rails 4.0, you certainly won’t need to go down that route just to have a super fast application.

We’ve also added live streaming for persistent connections and Rails 4.0 is now safe for threaded servers out of the box (no more need for config.threadsafe!).

Active Record has received a ton of love as well to make everything related to scoping and the query structure more consistent.

Given all the fun we’ve had with security issues, we have some great updates there as well:

  • Session store is now encrypted by default (formerly just signed).
  • Strong Parameters take over from attr_protected (now a plugin) to guard against foreign parameters.
  • Security headers like X-Frame-Options, X-XSS-Protection, X-Content-Type-Options are on by default with solid values.
  • XML Parameter parsing has been sent to a plugin.

On top of these new features and fixes, we have hundreds more of all sorts. Everything has been combed over, streamlined, simplified, and we’ve extracted out lots of old APIs and things that just don’t fit “most people most of the time”.

Active Resource, Active Record Observers, and Action Pack page and action caching are all examples of things that are no longer in core, but live on in plugins.

We encourage you to peruse the CHANGELOGs for all the Rails frameworks and delight over the hundreds of improvements we’ve made to Rails 4.0: Action Pack, Active Model, Active Record, Active Support, Rails.

Now let’s all work together to ensure the release is final and enjoy the bad-ass combination of Ruby on Rails 24! (Or 42?). Please report all the issues you find on the Rails issue tracker. We’re still working on the upgrade guide from 3.2 to 4.0, but that’s a good place to start for help on how to do it. As always, install betas with gem install rails --version 4.0.0.beta1 --no-ri --no-rdoc (--pre and ri generation is busted on RubyGems 2.0 at the moment) or depend on the v4.0.0.beta1 tag.

Maintenance policy for Ruby on Rails

Since the most recent patch releases there has been some confusion about what versions of Ruby on Rails are currently supported, and when people can expect new versions. Our maintenance policy is as follows.

Support of the Rails framework is divided into four groups: New features, bug fixes, security issues, and severe security issues. They are handled as follows, all versions in x.y.z format:

New Features

New Features are only added to the master branch and will not be made available in point releases.

Bug fixes

Only the latest release series will receive bug fixes. When enough bugs are fixed and it’s deemed worthy to release a new gem, this is the branch it happens from.

Currently included series: 3.2.z

After the Rails 4 release: 4.0.z

Security issues:

The current release series and the next most recent one will receive patches and new versions in case of a security issue.

These releases are created by taking the last released version, applying the security patches, and releasing. Those patches are then applied to the end of the x-y-stable branch. For example, a theoretical 1.2.3 security release would be built from 1.2.2, and then added to the end of 1-2-stable. This means that security releases are easy to upgrade to if you’re running the latest version of Rails.

Currently included series: 3.2.z, 3.1.z

After the Rails 4 release: 4.0.z, 3.2.z

Severe security issues:

For severe security issues we will provide new versions as above, and also the last major release series will receive patches and new versions. The classification of the security issue is judged by the core team.

Currently included series: 3.2.z, 3.1.z, 2.3.z

After the Rails 4 release: 4.0.z, 3.2.z

Unsupported Release Series

When a release series is no longer supported, it’s your own responsibility to deal with bugs and security issues. We may provide back-ports of the fixes and publish them to git, however there will be no new versions released. If you are not comfortable maintaining your own versions, you should upgrade to a supported version.

You should also be aware that Ruby 1.8 will reach End of Life in June 2013; no further Ruby security releases will be provided after that point. If your application is only compatible with Ruby 1.8 you should upgrade accordingly.

[SEC][ANN] Rails 3.2.12, 3.1.11, and 2.3.17 have been released!

Hi everybody.

I’d like to announce that Rails 3.2.12, 3.1.11, and 2.3.17 have been released.

3.2.12 and 3.1.11 contain one security fix, and 2.3.17 contains two security fixes. It is recommended that you update immediately.

You can read about the security fixes by following these links:

Please note that today a new JSON gem was released, and it also contains an important security fix. You should update the JSON gem as soon as possible. You can read about the security issue in the JSON gem here:

In order to ease upgrading, the only major change in each gem is the security fix. To see the detailed changes for each version, follow the links below:

Thanks to the people who responsibly reported these security issues.

Please note that per our maintenance policy there will be no 3.0.x version released.

Here are the SHA-1 checksums for each gem:


<3<3<3

[SEC][ANN] Rails 3.0.20, and 2.3.16 have been released!

Hi everybody.

I’d like to announce that 3.0.20, and 2.3.16 have been released. These releases contain one extremely critical security fix so please update IMMEDIATELY.

You can read about the security fix by following this link:

In order to ease upgrading, the only major change in each gem is the security fix. To see the detailed changes for each version, follow the links below:

Thanks to the people who responsibly reported these security issues.

Please note that per our maintenance policy this will be the last release for the 3.0.x series.

Here are the SHA-1 checksums for each gem:


<3<3<3