Possible bug in Rails 2.3.14, controller tests always seem to rescue action with handler

[Sam Grönblom]

Here's basically what I did to get a minimal reproduction of the
problem:
rvm install 1.8.7
rvm use 1.9.8
gem install rails -v=2.3.14
rails blargh
cd blargh
./script/generate controller blargh

Contents of blargh_controller.rb:
class BlarghController < ApplicationController
rescue_from Exception do puts 'Caught it' end

def index
raise 'blargh'
end
end

Contents of blargh_controller_test.rb
require 'test_helper'

class BlarghControllerTest < ActionController::TestCase
# Replace this with your real tests.
test "exception handling" do
rescue_action_in_public!
get :index
end
end

Running ruby -I test test/functional/blargh_controller_test.rb gives
me a lot of blaha but also the output that indicates that the
exception was handled even though I didn't change the
@request.remote_addr.

Changing the def rescue_action_without_handler line in module
RaiseActionExceptions to def rescue_action seems to solve the problem
though.

Is anyone still integrating fixes for 2.3?

[Michael Koziarski]

Is anyone still integrating fixes for 2.3?

No, 2.3. is out of maintenance and out of security support too.  There may be 3rd party patches tracked somewhere, but it's a dead branch from our POV sorry.

--

Cheers,

Koz 

[Anthony Richardson]

Hi,

I would like to be able to direct the pointy haired bosses at a url to show them the "support" status of rails 2.3 (so I can argue for an upgrade path).

Currently this url http://rubyonrails.org/security still refers to 2.3 as being supported with security patches. "Fixes are prepared for all releases which are still under maintenance (at present 2.2.x, 2.3.x, master)."

Would be good tt get this updated (maybe a generic statement about what versions are supported without specific version numbers). 

Also is there another location on the website that explicitly states the supported versions or policy?

Cheers,

Anthony Richardson

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To post to this group, send email to rubyonra...@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-co...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.

[Steve Schwartz]

It seems like it would be beneficial to have a page for rails similar to Ubuntu's wiki page for releases, which includes the release date and "end of life" date for each release (https://wiki.ubuntu.com/Releases).

-- Steve Schwartz

[Michael Koziarski]

I'll see if I can get that page updated.  The short version is that we support the most recent release for bug fixes, and N-1 for security fixes. Everything else is out of maintenance.

-- 

Cheers,

Koz

[Steve Schwartz]

Just to clarify for everyone, N and N-1 refer to the minor version number, right? As in, currently 3.2 for bug fixes and 3.1 for security fixes.

-- Steve Schwartz

[Michael Koziarski]

On Friday, 9 March 2012 at 11:38 AM, Steve Schwartz wrote:

Just to clarify for everyone, N and N-1 refer to the minor version number, right? As in, currently 3.2 for bug fixes and 3.1 for security fixes.

-- Steve Schwartz

Exactly

-- 

Cheers,

Koz

[kristian]

so no security fixes for 3.0.x ? that comes at a big surprise and
feels like being in the rains.

regards,
Kristian

[Michael Koziarski]

On Friday, 9 March 2012 at 4:11 PM, kristian wrote:

so no security fixes for 3.0.x ? that comes at a big surprise and

feels like being in the rains.

Depending on the issue, we generally try and ship a backported patch, and given the similarity between 3.0 and 3.1 it's pretty unlikely that it won't be able to be backported.  However we can't guarantee that, you should upgrade to 3.1 to reduce the risk for your application.

[Thibaut Barrère]

Hi! 

Just to clarify for everyone, N and N-1 refer to the minor version number, right? As in, currently 3.2 for bug fixes and 3.1 for security fixes.

-- Steve Schwartz

Exactly

So that means 3.0.12, released March 1, 2012 is out of maintenance, is that right? (no pun intended, I'm trying to ensure I can advise my clients accordingly).

-- Thibaut 

[Michael Koziarski]

In that case the back port was really easy, and so we did it.  The next time a vulnerability comes up it may be just that simple, however you shouldn't be relying on that.

Fundamentally we're not going to refuse to spend 10 minutes with git cherry-pick in order to 'stick with policy'.  However if it's something hairy, we're not staking our reputation on it.

[Thibaut Barrère]

So that means 3.0.12, released March 1, 2012 is out of maintenance, is that right? (no pun intended, I'm trying to ensure I can advise my clients accordingly).

In that case the back port was really easy, and so we did it.  The next time a vulnerability comes up it may be just that simple, however you shouldn't be relying on that.

Fundamentally we're not going to refuse to spend 10 minutes with git cherry-pick in order to 'stick with policy'.  However if it's something hairy, we're not staking our reputation on it.

It makes sense; thanks for clarifying this!

-- Thibaut

[Anthony Richardson]

Thank you for clarifying this, much appreciated.

Cheers,

Anthony

--