The Art of Science

Programming, new media, politics, and a potpourri of assorted rants

Ruby really frustrates me sometimes...

Posted by Tony Arcieri Thu, 03 Jul 2008 03:55:00 GMT

I’ve been a fan of Ruby for a while.  It’s a great language, but the implementation of Ruby is pretty terrible.  This was made painfully clear by some recent security vulnerabilities and the way they were handled by the Ruby core team.  The Ruby implementers didn’t disclose the exact nature of the vulnerabilities, nor did they disclose the steps they’d taken to correct them.  This leaves people looking at the source as our only way of knowing what actually happened.

Now, this would all be bad enough on its own.  However, the Ruby release process has recently been plagued by massive amounts of changes combined with a painful lack of testing.  The patches fixing the security vulnerabilities were applied to the current development codebase of various versions.  There’s Ruby 1.9, the unstable version of Ruby with massive changes that break backwards compatibility.  There’s Ruby 1.8.7, which contains many changes backported from Ruby 1.9 which break backwards compatibility and cause various random errors as the initial release contained many bugs.  And then there’s 1.8.6, a version which remains mostly compatible with versions of Ruby most current code was developed on.  However, 1.8.6 is an evolving release consisting of many different patchlevels.  And as it happens, at some point someone committed a buggy change to the Ruby 1.8.6 branch which makes the Ruby interpreter crash when running code using the Rails web framework, which remains Ruby’s most popular use case.

The security patch fixing the vulnerabilities was applied to Ruby 1.8.6 after the buggy change was introduced.  This leaves you with some painful choices: run a version of Ruby with known security vulnerabilities, install a version which crashes, or update your application to be Ruby 1.8.7 compatible.  This isn’t a good situation to be in.  This is further compounded by the fact that the only version of Rails which runs on Ruby 1.8.7 is Rails 2.1, which also introduces changes which aren’t backwards compatible.

Things like this really make me wonder if the Ruby core team cares at all about the people using their language.

The worst part is many, many people have offered to help improve the Ruby development process.  The Rubyspec team, who have painstakingly specified the Ruby implementation using the excellent RSpec utility, offered to implement automated testing of all commits to the Ruby repository with continuous integration (i.e. every commit is checked for failing specifications).  The core team refused.

Unfortunately, I have no hopes for the Ruby development process improving any time soon.
