Today is Leopard day!

OS X 10.5 is shipping today under the Leopard moniker. Besides being a great upgrade to a wonderful operating system, it's also the first version of OS X that ships with Rails in the package. Apple has done a phenomenal job including all the good stuff from the Ruby and Rails world into the developer tools that come with the OS.

So out of the box you get Ruby 1.8.6, Rails 1.2.3 (which is just a "gem update rails" call away from being 1.2.5), Capistrano, SQLite-bindings, and so much more. No more need for compiling your own Ruby. It's great. See all the changes in What's New in Leopard.

The only minor snag is that in order to install the MySQL C bindings for Ruby, you have to be quite particular on the command line. Here's the cheat line you need to install (read more at macosforge):

sudo env ARCHFLAGS="-arch i386" gem install mysql -- --with-mysql-config=/usr/local/mysql/bin/mysql_config

So happy Leopard day, folks!

MicroPlace Launches

MicroPlace, a site that lets you make small loans to workers in developing countries and receive a return, just recently launched. Josh Susser, one of the contractors that worked on it, wrote a great introduction to the project.

“As far as I am aware, MicroPlace is the first SEC-registered online brokerage implemented in Ruby on Rails. We had to go through an extensive security audit, and there were a lot of regulatory requirements for us to meet… But the bottom line is that we didn’t have any significant problems with either Ruby or Rails in passing those hurdles.”

Josh also mentioned that MicroPlace is owned by eBay, making this the first Rails project at an otherwise all-Java shop. Awesome, high-fives all around guys. I hope to see more posts about the development aspect of the site.

Capistrano 2.1

After a much larger delay than I would have liked, Capistrano 2.1 is now available! (Capistrano is a utility for executing commands on multiple remote machines in parallel, and is the tool of choice for many Rails developers for automating deployment.) There is a lot going on in this release, including some pretty exciting changes. As ever, install it via RubyGems with:

  gem install capistrano

Here’s what’s new, roughly in order of magnitude:

No default PTY. Prior to 2.1, Capistrano would request a pseudo-tty for each command that it executed. This had the side-effect of causing the profile scripts for the user to not be loaded. Well, no more! As of 2.1, Capistrano no longer requests a pty on each command, which means your .profile (or .bashrc, or whatever) will be properly loaded on each command! Note, however, that some have reported on some systems, when a pty is not allocated, some commands will go into non-interactive mode automatically. If you’re not seeing commands prompt like they used to, like svn or passwd, you can return to the previous behavior by adding the following line to your capfile:

  default_run_options[:pty] = true

Disable sh wrapping. Some shared hosts do not allow the POSIX shell to be used to execute arbitrary commands, which is what Capistrano has done since 2.0. If you’re on such a host, you can add the following line to your capfile:

  default_run_options[:shell] = false

Capistrano will then run the command directly, rather than wrapping it in an “sh -c” command. Note, though, that this means that your own user shell on the remote hosts must be POSIX compatible, or you’ll get cryptic errors.

Git SCM support. Many thanks to Garry Dolley, Geoffrey Grosenbach, and Scott Chacon for their work on the new Git SCM module for Capistrano. If you’re a user of Git, you can now do:

  set :scm, :git

Accurev SCM support. Thanks to Doug Barth, all you Accurev users can now enjoy Capistrano, too. Just do:

  set :scm, :accurev

Rails’ Plugin Support. Capfile’s generated via the “capify” utility will now include a line that will autoload all recipes from vendor/plugins/*/recipes/*.rb. If you want this feature and you’ve already got a Capfile (and you don’t mind losing any changes you might have made to your Capfile), you can delete the Capfile and re-run “capify .”. Or, you can just add the following line to your Capfile, before the line that loads ‘config/deploy’:

  Dir['vendor/plugins/*/recipes/*.rb'].each { |plugin| load(plugin) }

Windows-safe reads. Any time Capistrano needs to read a file’s contents, it will now use the “b” flag, so that binary reads on Windows do not corrupt the file.

Cap shell and sudo. The Capistrano shell now properly recognizes sudo commands and prompts for the password correctly.

Use `match’ to check dependencies. There is a new remote dependency method for deploy:check: “match”. You can now look for arbitrary regular expressions in the output of various commands to see if things are set up correctly:

  depend :remote, :match, "rake -V", /version 0\.7/

Namespaces#top. Sometimes you’ll find yourself wanting to execute a task from within another task, but the parent namespace of the target task is conflicting with a similarly-named namespace, and things are breaking. You can now use the “top” method to jump to the top of the namespace hierarchy:

  namespace :apache do
    namespace :deploy do
      task :restart do
        run "restart apache"

Other changes. There are lots of other, smaller bug fixes and changes, too:

  • Default to 0664 instead of 0660 on upload.
  • Fix deploy:pending to query SCM for the subsequent revision so that it does not include the last deployed change.
  • Prefer ‘Last Changed Rev’ over ‘Revision’ when querying latest revision via Subversion.
  • Explicitly require ‘stringio’ in copy_test.
  • When Subversion#query_revision fails, give a more sane error.
  • Don’t run the upgrade:revisions task on non-release servers.
  • Use the —password switch for subversion by default, but add :scm_prefer_prompt variable for those who’d rather not send the password on the command-line.
  • Use sudo -p switch to set sudo password prompt to something predictable.
  • Allow independent configurations to require the same recipe file within the same Ruby process.
  • Allow auth-caching of subversion credentials to be enabled via :scm_auth_cache.
  • Don’t let a task trigger itself when used as the source for an “on” hook.
  • Add version_dir, current_dir, and shared_dir variables for naming the directories used in deployment.
  • Use the :runner variable to determine who to sudo as for deploy:restart.
  • Change the “-h” output so that it does not say that “-q” is the default.

Enjoy! And please report any bugs on the Rails trac, with the component set to “Capistrano”.

Rails 1.2.5: Security and maintenance release

This release closes a JSON XSS vulnerability, fixes a couple of minor regressions introduced in 1.2.4, and backports a handful of features and fixes from the 2.0 preview release.

All users of Rails 1.2.4 or earlier are advised to upgrade to 1.2.5, though it isn’t strictly necessary if you aren’t working with JSON. For more information the JSON vulnerability, see CVE-2007-3227.

Summary of changes:

  • acts_as_list: fixed an edge case where removing an item from the list then destroying the item leads to incorrect item positioning
  • deprecated calling .create on has_many associations with an unsaved owner (like post =; post.comments.create)
  • backport array and hash query parameters
  • fix in place editor’s setter action with non-string fields
  • updated config/boot.rb to correctly recognize RAILS_GEM_VERSION

To upgrade, `gem install rails`, set RAILS_GEM_VERSION to ‘1.2.5’ in config/environment.rb, and `rake rails:update:configs`.

acts_as_conference in Florida

Rails For All is doing a Rails conference under the banner of acts_as_conference in Florida from February 8th through 9th. They’re currently open for proposals and you can sign up already too. It’s $100 for the two days.

Rails 1.2.4: Maintenance release

This release contains additional deprecation notices, security fixes and some minor performance improvements. All users of 1.2.3 are advised to upgrade.

Deprecation Notices

If you intend to upgrade to 2.0 you should run your tests to and fix any errors that are displayed. The warnings will become errors with the release of 2.0.

If you’re using RESTful routing, pay special attention to the changes to route generation and recognition. The previous use of the semicolon in URLs has been replaced with a regular /. For instance /person/1;edit has become /person/1/edit. This change was made as several libraries, including mongrel, mistakenly treated semi-colons as query string seperators and some browsers and http libraries misbehaved.

Your old ;-based URLs will be continued to be recognized, though. They’re just no longer generated.

Security Enhancements

1.2.4 fixes several potential security issues:

  • Session fixation attacks are mitigated by removing support for URL-based sessions
  • Changed the JSON encoding algorithms to avoid otential XSS issues when using ActiveRecord::Base#to_json
  • Potential Security and performance problems with XmlSimple have been fixed by disabling certain dangerous options by default.

Upgrade with the standard gem install rails command. Rails 1.2.4 serves as a drop-in replacement for 1.2.3.

Update: please see the latest 1.2.5 stable release

Handheld video of the RailsConf EU keynote

Best Tech Videos is hosting a hand-held video of the keynote I gave at RailsConf EU. The majority of the talk was a live coding session, though, which is kinda hard to follow from the angle of this shot. But in case you don’t want to wait for the official O’Reilly copy, here’s something in the meanwhile.