OpenSSL versions in Ruby


Jamie Orchard-Hays

Apr 10, 2014, 4:59:02 PM4/10/14
to railsmachin...@googlegroups.com
Today I discovered that releases of Ruby prior to this week have the heartbleed-vulnerable versions of OpenSSL linked.

What are the ramifications of this if we're connecting to anything using SSL with Ruby, if any?

Also, which of the Major/Minor versions does Moonshine currently support?

I'd love to move up to 2.1.1, but IIRC there were Puppet issues with > 2.0.x

Cheers,

Jamie

Kevin Lawver

Apr 10, 2014, 5:01:28 PM4/10/14
to railsmachin...@googlegroups.com
We're not planning on moving to 2.1 until 2.1.2 comes out because of some GC issues and Hash issues in 2.1.0 and 2.1.1.

The heartbleed vulnerability is with people connecting to you, not you connecting to other people, and I'm assuming you're using Apache to handle your SSL things, so unless you've found a CVE that says otherwise, heartbleed shouldn't apply to ruby at all.
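One concrete way to settle the question in the first post (an added example, not code from this thread or from Moonshine): ask the Ruby interpreter which OpenSSL it was compiled against and which one it has actually loaded, and test the version string against the range OpenSSL listed for CVE-2014-0160 (1.0.1 through 1.0.1f and the 1.0.2 betas; 1.0.1g, 1.0.0.x and 0.9.8.x are outside it). Checking the client side is worth doing because the heartbeat extension is negotiated in both directions, so a Ruby process calling out over TLS with an affected libssl is exposed to a hostile server just as a server is to a hostile client. The sample strings are constructed. One caveat a version-string check cannot cover: distributions that backport the fix keep the old version string, so a distro-packaged libssl that reports "1.0.1e" may already be patched and the package changelog is the authority.

```ruby
# Added example, not code from the thread or from Moonshine: classify an
# OpenSSL version string against the CVE-2014-0160 (Heartbleed) range and
# report what the running Ruby is built against and has loaded.
require 'openssl'

# Matches "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1e-fips 11 Feb 2013",
# "OpenSSL 1.0.2-beta1 24 Feb 2014" and the plain "OpenSSL 1.0.1 14 Mar 2012".
OPENSSL_VERSION_RE = /OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9]+))?/

def parse_openssl_version(str)
  m = OPENSSL_VERSION_RE.match(str)
  return nil unless m
  { major: m[1].to_i, minor: m[2].to_i, fix: m[3].to_i,
    patch: m[4], suffix: m[5] }
end

# Vulnerable builds: 1.0.1 through 1.0.1f, and the 1.0.2 betas.
# 1.0.1g, 1.0.0.x and 0.9.8.x never contained the affected heartbeat code.
# Distro builds with a backported fix still report the old string (see caveat).
def heartbleed_affected?(version_string)
  v = parse_openssl_version(version_string)
  return false unless v && v[:major] == 1 && v[:minor] == 0
  case v[:fix]
  when 1 then v[:patch] <= 'f'                    # '' (plain 1.0.1) .. 'f'
  when 2 then v[:suffix].to_s.start_with?('beta') # 1.0.2-beta, 1.0.2-beta1
  else false
  end
end

# The openssl ext can be compiled against one libssl and load another at
# run time; the run-time string is the one that matters. OPENSSL_LIBRARY_VERSION
# does not exist in older openssl exts, so fall back to the compile-time value.
def ruby_openssl_report
  compiled = OpenSSL::OPENSSL_VERSION
  runtime  = defined?(OpenSSL::OPENSSL_LIBRARY_VERSION) ? OpenSSL::OPENSSL_LIBRARY_VERSION : compiled
  { compiled: compiled, runtime: runtime, affected: heartbleed_affected?(runtime) }
end

# Constructed sample strings with the expected classification.
SAMPLE_VERSIONS = {
  'OpenSSL 1.0.1e 11 Feb 2013'      => true,
  'OpenSSL 1.0.1e-fips 11 Feb 2013' => true,   # RHEL-style string; may be backport-patched
  'OpenSSL 1.0.1 14 Mar 2012'       => true,
  'OpenSSL 1.0.1g 7 Apr 2014'       => false,
  'OpenSSL 1.0.2-beta1 24 Feb 2014' => true,
  'OpenSSL 1.0.0k 5 Feb 2013'       => false,
  'OpenSSL 0.9.8y 5 Feb 2013'       => false,
}

if __FILE__ == $0
  SAMPLE_VERSIONS.each do |s, expected|
    puts "#{s.ljust(34)} affected=#{heartbleed_affected?(s)} (expected #{expected})"
  end
  puts ruby_openssl_report.inspect
end
```

Run it with each Ruby you deploy (`ruby heartbleed_check.rb`), not just the one on your workstation: a Ruby built from source with `--prefix=/usr` links whatever libssl headers were on the build box, and that is the string this reports.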

Jamie Orchard-Hays

Apr 10, 2014, 5:19:42 PM4/10/14
to railsmachin...@googlegroups.com
Thanks, Kevin. That was my understanding, but I wanted a sanity check.

So, 1.9.3 or 2.0.x? I've been on 1.9.3, but want to get up to the 2.x world soon.

Jamie

Kevin Lawver

Apr 11, 2014, 8:05:37 AM4/11/14
to railsmachin...@googlegroups.com
We haven't noticed a huge difference between 1.9.3 and 2.0 in the apps we've upgraded to, but I don't see a reason not to upgrade.

Jarin Udom

May 2, 2014, 11:03:06 AM5/2/14
to railsmachin...@googlegroups.com
I haven't put it into production yet, but I've tested it with Vagrant and Moonshine seems to work ok with Ruby 2.1.1. Here's what I put in my deploy.rb (I set rubygems and bundler to higher versions too):

namespace :ruby do
  task :src211 do
    remove_ruby_from_apt
    libyaml.install
    pv = "2.1.1"
    p = "ruby-#{pv}"
    run [
      'cd /tmp',
      "sudo rm -rf #{p}* || true",
      # Ruby 2.1 keeps gems under its ABI version directory, 2.1.0, not 2.1.1
      'sudo mkdir -p /usr/lib/ruby/gems/2.1.0/gems || true',
      # The rm above also deletes any old tarball, so fetch a fresh one before
      # extracting (download step added here; the original post left it out).
      # Verify the tarball against the checksum published on ruby-lang.org
      # before building it.
      "wget -q https://cache.ruby-lang.org/pub/ruby/2.1/#{p}.tar.gz",
      "tar xzf #{p}.tar.gz",
      "cd /tmp/#{p}",
      './configure --prefix=/usr',
      'make',
      'sudo make install'
    ].join(' && ')
    set :rubygems_version, fetch(:rubygems_version, '2.2.2')
    set :bundler_version, fetch(:bundler_version, '1.6.2')
  end
end

You also need to change this line in vendor/plugins/moonshine/lib/moonshine/capistrano_integration.rb from
            sudo 'gem install rake --no-rdoc --no-ri' unless fetch(:ruby).start_with?('src200')
to
            sudo 'gem install rake --no-rdoc --no-ri' unless fetch(:ruby).start_with?('src2')
or else it will try to install rake and stall during cap ruby:upgrade.

I haven't checked out the GC/Hash issues that Kevin pointed out, but I believe they're fixed in GitHub's Ruby fork: https://github.com/github/ruby

Jarin