[prev in list] [next in list] [prev in thread] [next in thread] 

List:       markus-dev
Subject:    Re: Rails upgrading policy
From:       Byron Weber Becker <bwbecker () cs ! uwaterloo ! ca>
Date:       2010-05-14 21:01:40
Message-ID: 1B32FDD4-4259-4CAC-BD1D-345FCC99FDCE () cs ! uwaterloo ! ca
[Download RAW message or body]

I don't have an opinion on this matter.  Given the very limited user base (now) I don't think making a change to require 2.3.5 is a big deal.  If you had 10's or 100's of users it would be different.

Byron

On 2010-05-14, at 3:49 PM, Mike Conley wrote:

> All:
> 
> I guess the only major advantage to upgrading to 2.3.5, is that 2.3.5
> fixes a security hole present in version 2.3.4 and prior:
> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab
> 
> Karen / Byron - thoughts on the matter?
> 
> -Mike
> 
> On Fri, May 14, 2010 at 6:43 AM, Severin Gehwolf
> <severin.gehwolf@utoronto.ca> wrote:
>> Hi,
>> 
>>> According to this ticket : Ticket
>>> 
>>> 573<https://stanley.cdf.toronto.edu/drproject/csc49x/olm_rails/ticket/573>,
>>> there is already a will to change the version of Rails used in MarkUs. I
>>> agree, and I think it would be better to keep the latest version of Rails.
>>> And I agree with Mike when he thinks that version 2.3.5 of Rails may be
>>> the
>>> last of the 2.x branch.
>>> Rails 3 is already in beta, and if one day we will have to move to the 3.x
>>> branch of Rails, it will be better for us to have already the latest
>>> version
>>> of the 2.x branch.
>>> 
>>> The only thing to do in the MarkUs trunk would be the
>>> config/environment.rb
>>> file to modify, wouldn't it ?
>>> 
>>> On the sandbox, a "gem update rails" would be sufficient, no ?
>> 
>> I am not convinced why we should force users to have Rails 2.3.5 instead of
>>  2.3.2 and up. The _destroy issue might be possible to solve in other ways
>> too. The least invasive thing I can think of migth be to switch back to
>> :_delete and live with the deprication warning for now.
>> 
>> At the moment, upgrading our minimal required Rails version doesn't really
>> make sense to me, because it doesn't "buy" us anything (yet). When Rails 3
>> is out, there might be more compelling reasons (maybe it will have some
>> features we actually want to use for a good reason). This doesn't mean we
>> shouln't support 2.3.3, 2.3.4 and 2.3.5. We know that MarkUs runs on those
>> versions too anyway.
>> 
>> In terms of deployment, it would make sense to me to recommend 2.3.2 and
>> note that it works with 2.3.X.
>> 
>> Doing a major upgrade in terms of Rails each year or so, makes sense to me
>> just because we wouldn't be switching Rails version all the time. I simply
>> don't see a lot of benefit requiring a newer version of Rails for each new
>> release of MarkUs.
>> 
>> The big question is: Is there a good reason, a vital feature or something
>> like that which would make a switch more compelling?
>> 
>> In terms of installation doing a
>> 
>> gem install --version '2.3.2' rails
>> or
>> gem install rails
>> 
>> doesn't make a big difference, does it?
>> 
>> Thoughts?
>> 
>> Severin
>> 
>> 
> 
> 
> 
> -- 
> http://www.mikeconley.ca
> 

---------------------------------------------------------
Byron Weber Becker             Voice: 519-888-4567 x34661
School of Computer Science       Fax: 519-885-1208
University of Waterloo        Office: DC3105
Waterloo, ON  N2L 3G1



[prev in list] [next in list] [prev in thread] [next in thread]