e2
commented
8 years ago How bad is it to be running 2.3.0 or 2.2.4?
ruby-lang org is the best place for security updates - just search CVE to see which patches address them and if you're affected or not.
For 2.3.0, it's not really that bad (as far as it is known):
http://svn.ruby-lang.org/repos/ruby/tags/v2_3_1/ChangeLog
I had a pretty bad crash while using 2.3.0 with Puppet, so I couldn't upgrade to 2.3 until 2.3.1. If you manage to avoid the bug, that's fine.
Personally, I'd prefer that someone forces me to either downgrade to Ruby 2.2.5 or upgrade to 2.3.1 than to let me be bitten by a known bug that won't be fixed with a patch-patch level change.
(Now that I think about it, I could've opened an issue on Ruby to have the bugfix patches backported from 2.3.1 to 2.3.0pX or whatever).
RubyDep doesn't check patch levels, so let me know if implementing it would solve an actual case (so I can prepare a test case).
For 2.2.4, you may be affected by bugs listed here: http://svn.ruby-lang.org/repos/ruby/tags/v2_2_5/ChangeLog
Being hit by a Ruby bug is a time sink much bigger than the time it takes to upgrade. So it's best to pressure Amazon to add updated Rubies (which they're probably doing already, it just takes time) so you can avoid such bugs. It probably helps if you list specific bugs that you're worried about.
As for RubyDep ...
The current required Ruby version constraint is here: https://rubygems.org/gems/ruby_dep It's calculated from what's in the .travis.yml file. So as of today, the supported versions are Ruby >= 2.0.0, ~> 2.0. Those are needed to install ruby_dep at all.
As for showing warnings, if you've checked that you're not affected by anything serious (based on the Ruby changelogs and/or new updates), you can hide the warnings with:
ENV['RUBY_DEP_GEM_SILENCE_WARNINGS'] = '1'Let me know if anything here was insightful, so I can add it to the README.
What solutions do we have?
- Pressure Amazon for releasing AMIs without bad known Ruby bugs or vulnerabilities.
- Hide the RubyDep warnings with an environment variable after checking the list of changes for bugs that may affect you.
- Maybe ask the Ruby core team for backporting patches for bad bugs, so that Amazon can release updated AMI's with hotfixes (so you can conditionally hide the warning based on versions you know have backported patches).
- If you want me to white list a specific version that you know doesn't have bugs, just open a new issue with the details.
jonmchan
So none of the versions that is recommended is on AWS Elastic Beanstalk...
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts.platforms.html#concepts.platforms.ruby
How bad is it to be running 2.3.0 or 2.2.4? As of today, those are the only current versions they support. Isn't the version list a little aggressive especially for services like amazon that does not release new AMIs too quickly. What solutions do we have?