2) The patch provided by rails core doesn't work on 2.3.2-2.3.4 due to
form_authenticity_param being missing and doesn't work on 2.3.5 due to
the lack of the html_safe method. Applying the patch to vendored
rails, in this case, would have resulted in a broken app (which even
if fixed may not work as expected).
Which versions of rails are considered supported with regard to
security fixes, then? That's a compelling reason to upgrade with every
patch release.
---------- Forwarded message ----------
From: fowlduck <nathan...@gmail.com>
Date: Thu, Feb 10, 2011 at 10:55 AM
Subject: Re: Security Patches and Rails 2.3.11/3.0.4
To: Jason King <j...@handle.it>

> I think you're misunderstanding what the last number in 2.3.2, 2.3.4 etc.
> means. And everyone is using the word "version" to mean two different
> things here.
>
> The *versions* of Rails supported are 2.3 and 3.0 (although José says 2.1
> and 2.2 as well) - which is why both had a patch release with the security
> patches. In the proper sense of the word, "upper-case V" Version if you
> like, 2.3.5 is not a *version* of Rails, it's patch release 5 of version
> 2.3.
>
> 2 = Major version
> 3 = Minor version
> 5 = Patch number

1) Semantic Versioning calls them versions and it's part of the
version number.
2) The post on the new releases disagrees with your usage of the term:
http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4
3) http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
calls what you're calling "versions," the 2.3 and 3.0 "release
series." This makes it unclear which patches are supported.
4) On top of it all, rails patch versions often introduce backwards
incompatible changes, so they're closer to minor versions than
patches.
So if you want to get into semantics, I think it's clear that they're
versions or at least called versions. The treatment of them as simple
patches that are trivial to upgrade (meaning no changes to your app)
is unfounded.
Rather than getting mired in some semantic argument about versions
versus patches, I'll just outline the security policy (and update the
website once I figure out how to log in).
We support the current release branch (3-0-stable) for bugfixes and
the release branch before that (2-3-stable) for severe bug fixes and
security issues. *All other branches* are unsupported.
Now in reality it's often quite straightforward for us to backport
security fixes to 2-2-stable and 2-1-stable so depending on the
severity and the work involved, I'll usually do that. However that's
a 'best effort' thing, there's absolutely no promises there. Once 3.1
ships officially we wouldn't be supporting 2-3-stable, however given
the magnitude of the upgrade I'll personally commit to keeping
2-3-stable support throughout the 3.1 lifetime. If I'm hit by a bus
though, that may not be something the others can do.
What this means is that you should always be running the latest point
release of your release series, for 2.3 users that means you should be
on 2.3.11. I realise that sometimes we fuck up a release or ... 4...
and it can be a bit of a rough ride, however 2.3.11 should have
finally resolved all the backwards incompatible changes we were
notified about.
I don't want to sound like a martyr but to put things in perspective,
those two security releases took about 60 hours of my time.
backporting the patches, verifying the fixes, making sure other
versions weren't affected etc. Doing that for every point release in
a support series is infeasible.
If there's something blocking you from running 2.3.11 please make sure
there's a lighthouse ticket describing it so we can fix it. Otherwise
you'll be stuck backporting your own patches.
--
Cheers
Koz
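The practical upshot of the thread (Nathan's point that the backported patch does not apply cleanly to 2.3.2 through 2.3.5, and Koz's policy that only the latest point release of the 2-3-stable and 3-0-stable series is supported) can be turned into a check that runs before deploy or in CI. The Ruby below is an added example written for this page, not code from the thread or from Rails itself. It assumes a Bundler-style Gemfile.lock, takes the latest point releases (2.3.11 and 3.0.4) and the support levels from Koz's message above, and embeds a constructed sample lockfile; the version table has to be kept current by hand as new releases ship.

```ruby
# Added example: check the Rails version locked in a Gemfile.lock against
# the support policy described in the thread. The version table reflects the
# releases named there (2.3.11 and 3.0.4) and must be updated by hand.
require 'rubygems'

# Latest point release per supported release series, as of the thread.
LATEST_PATCH = {
  "3.0" => "3.0.4",   # 3-0-stable: bug fixes and security fixes
  "2.3" => "2.3.11",  # 2-3-stable: severe bug fixes and security fixes only
}.freeze

# Pull the locked rails version out of Gemfile.lock text. Spec entries in the
# GEM section are indented by exactly four spaces ("    rails (2.3.5)");
# dependency lines are indented further and carry an operator, so they do
# not match. Returns nil when rails is not locked.
def locked_rails_version(lockfile_text)
  lockfile_text.each_line do |line|
    if (m = line.match(/\A {4}rails \(([^)\s]+)\)\s*\z/))
      return m[1]
    end
  end
  nil
end

# "2.3.11" -> "2.3": the release series is the first two version segments.
def release_series(version)
  Gem::Version.new(version).segments[0, 2].join(".")
end

# Classify a version as :current (latest point release of a supported
# series), :outdated (supported series but an older point release), or
# :unsupported (a series with no supported branch, e.g. 2.2 or 2.1).
def assess(version)
  series = release_series(version)
  latest = LATEST_PATCH[series]
  return { series: series, status: :unsupported, latest: nil } unless latest

  status = Gem::Version.new(version) < Gem::Version.new(latest) ? :outdated : :current
  { series: series, status: status, latest: latest }
end

# Constructed sample lockfile pinning the 2.3.5 release Nathan mentions.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: http://rubygems.org/
    specs:
      activesupport (2.3.5)
      rails (2.3.5)
        activesupport (= 2.3.5)
        rake (>= 0.8.3)
      rake (0.8.7)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 2.3.5)
LOCK

if __FILE__ == $PROGRAM_NAME
  version = locked_rails_version(SAMPLE_LOCK)
  result  = assess(version)
  msg = "rails #{version}: series #{result[:series]}, #{result[:status]}"
  msg += " (latest is #{result[:latest]})" if result[:status] == :outdated
  puts msg
end
```

Run against the sample it reports `rails 2.3.5: series 2.3, outdated (latest is 2.3.11)`; point it at a real Gemfile.lock (`File.read`) and fail the build on anything other than `:current`. Gem::Version is used for the comparison so that 2.3.5 sorts before 2.3.11, which a plain string compare gets wrong.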
This has always been the case. We have *never* released bug fixes for
specific earlier versions. You should basically always upgrade unless
you have a reason not to, and your reason had better be a good one :)
--
Cheers
Koz
Right, in that case people needed to wait for upstream packagers etc,
and the monkeypatch was like 5 lines ;)
> We'll definitely upgrade patch versions from now on....or wait a few
> days, and then upgrade. ;)
Even better, track 2-3-stable and 3-0-stable with your app and let us
know when we break something :)
--
Cheers
Koz
Ha, well, I'm sure our users who depend on us would appreciate that. ;)