@tenderlove@mastodon.social

tenderlove

@tenderlove@mastodon.social

Rails Core / Ruby Core.
PGP: 4CE9 1B75 A798 28E8 6B1A A8BB 9531 70BC B4FF AFC6
Switch: SW-6099-0664-6989
He/Him
tfr


tenderlove, to random

Went to the capitol building this morning!

tenderlove, to random

Also I just hate thinking like a hacker. "In what ways can I abuse this software in order to hurt someone else" is just not a mindset that I like to have.

I have absolutely no interest in ruining someone's day, let alone thinking about the different ways in which someone's day could be ruined, and in what versions

tenderlove,

(I know there are security researchers out there that like finding and reporting these problems. You're doing great work, it's just not my cup of tea)

tenderlove,

@trdebunked unfortunately all of the hackerone reports I have to field are ones that manipulate computers in interesting ways that are malicious. I count myself as a hacker, I just prefer non-malicious manipulation (and fielding malicious reports is getting me down)

tenderlove,

@bbatsov yes, I consider myself to be a hacker, but I don't know a word for "hacker that does malicious stuff"

tenderlove, to random

This quote from @searls's newsletter resonated with me so much I thought there was an earthquake:

> I don't regret sharing so much of my work per se, [but] there were undoubtedly other things I could have been doing with my time that I didn't consider when I first ran git push or npm publish.

https://justin.searls.co/mails/

tenderlove, to random

Doing security releases sucks (don't worry, I'm just thinking back to the most recent Rails release). Was thinking about writing a blog post that explains the challenges, but even thinking about it makes me tired

tenderlove,

Imagine a development environment where you can't use CI, you need to do code archaeology for an unknown number of revisions. Patches, repros, tests, announcements, must all be done in secret. Then, if you did it right, the absolute best outcome you can hope for is that everyone upgrades and they notice no changes. It's extremely high risk (no CI, done in secret), low reward (nobody is stoked they have to upgrade bc security)

tenderlove,

Investigation is a huge pain, and the scope of the problems sometimes makes the process cumbersome and demoralizing. Let's take an example: https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947

For your app to be vulnerable to this, you have to

  • call translate from a controller
  • use a translation key that ends in "_html"
  • use a translation default where the default translation text is untrusted text
  • be missing the specific translation
  • trick a victim into seeing this
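
As an added illustration of the funnel listed above (example code, not from the post and not Rails' own implementation), a stand-alone Ruby model of the lookup: a constructed translation store, a key ending in `_html`, and a caller-supplied default that is used when the key is missing. The helper names, the store and the sample input are assumptions for this example; the hardened form shows the general mitigation of escaping an untrusted default before it is treated as markup.

```ruby
require "erb"

# Constructed translation store: "greeting_html" exists, any other key is
# missing (the "be missing the specific translation" step of the funnel).
TRANSLATIONS = { "greeting_html" => "<b>Hello</b>" }.freeze

# The funnel as a predicate: an "_html" key, an untrusted default, and a
# missing translation must all hold at once for the output to be exposed.
def exposed?(key:, default_untrusted:, store: TRANSLATIONS)
  key.end_with?("_html") && default_untrusted && !store.key?(key)
end

# Vulnerable shape: an "_html" key means the result is treated as HTML, and
# the default is handed back verbatim when the key is missing, so untrusted
# default text becomes markup the browser will render.
def translate_unsafe(key, default:, store: TRANSLATIONS)
  return store[key] if store.key?(key)
  default
end

# Hardened shape: the fallback to the default still happens, but for "_html"
# keys the default is HTML-escaped before it is treated as markup.
def translate_safe(key, default:, store: TRANSLATIONS)
  return store[key] if store.key?(key)
  key.end_with?("_html") ? ERB::Util.html_escape(default) : default
end

# Defender's check on the output of the missing-key path: did the untrusted
# text survive as a raw tag?
def renders_raw_tags?(html)
  html.include?("<") && html.include?(">")
end

# Constructed untrusted input, as if taken straight from a request parameter.
UNTRUSTED_DEFAULT = "<i>untrusted</i>"

if __FILE__ == $PROGRAM_NAME
  puts "exposed: #{exposed?(key: 'missing_html', default_untrusted: true)}"
  puts "unsafe:  #{translate_unsafe('missing_html', default: UNTRUSTED_DEFAULT)}"
  puts "safe:    #{translate_safe('missing_html', default: UNTRUSTED_DEFAULT)}"
end
```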
tenderlove,

If you think about this situation as a funnel, the number of apps that are vulnerable to this particular security issue is probably 0. But is it a security issue? Yes.

The ratio of "amount of required effort" (which includes risk of messing up the release) vs "actual impact on the world" is extremely off. "Why do I have to do all this effort / paperwork for something as minor as this?" is what I say to myself.

tenderlove,

If the situation were just "high pressure" that would be fine, but if you make mistakes (or even if you don't) people get upset. Working in this kind of environment makes it really hard for me to square the circle of encouraging people to work in Open Source.

tenderlove,

I think maybe my best advice is: definitely get involved in open source, just make sure either nobody uses your software or you quit ASAP 😆

tenderlove, to random

😳

tenderlove, to random

Happy Friday!!

amirrajan, to random

@tenderlove know any core contributors to mRuby that you can give me an intro to? The DragonRuby team has an AOT implementation that’s in a usable state (potentially open sourcing the core machinery, but need feedback)

tenderlove,

@amirrajan not really, besides @matz I think he's the most active committer.

tenderlove, to random

"Things I wish I had known before getting in to Open Source"

tenderlove, to random

Found a really weird looking bird

rafaelfranca, to random

Last year I spent a lot of time deciding if I should stop contributing to open source. The number of bad intentions with community members was astronomically high. It is always the same people and they know who they are. It is funny that they call people jerks or say that people are pushing community members away, but they don't look in the mirror.

I'm back to thinking about whether it is worth spending my time doing free labor for thankless people. I know they are the minority, but they are the most vocal.

tenderlove,

@rafaelfranca 💯

Many people ask me how to get started in open source, and these types of interactions make me want to tell people "don't bother". I want more people to be involved in open source, but there is a dark side that I don't think most people know

tenderlove, to random

Cat loves box


tenderlove, to random

Really big congrats to the JRuby team! Prism is fast, but I think the real win is that all Ruby implementations will get syntax updates at the same time. Implementers don't have to play "catch up" with CRuby https://mastodon.social/@enebo/111982276642844225

jamiemccarthy, to random

@tenderlove Hi, there’s a typo in the headline on this post. It should read 7.0.8.1 not 7.0.8.2

The version appears correctly in the post’s URL and text ✨

https://rubyonrails.org/2024/2/21/Rails-Versions-6-1-7-7-7-0-8-1-and-7-1-3-2-have-been-released

tenderlove,

@jamiemccarthy It should be fixed now, thank you!

Odaeus, to rails

@tenderlove hi Aaron, thanks for your work on the recent security announcements.

It turns out that I thought was unusually secure in 2023 but instead the RoR security mailing list has been silently(?) discontinued. (https://groups.google.com/g/rubyonrails-security)

I'm hopefully not the only geriatric millennial Rails dev still subscribed to that list. Perhaps you could send out a final message to say that the forum is the new official source?

tenderlove,

@Odaeus yes that's a good idea, I'll send an email today

tenderlove, to random Japanese

I made it by myself, so it's a "one-man pan" (bread).

Cut bread

codinghorror, to random

A quality bidet is so choice. If you have the means, I highly recommend it. 🚽💦

tenderlove,

@eviltrout @samsaffron @codinghorror TOTO makes a travel bidet which I usually carry. It's not as good as a regular bidet, but it's better than nothing https://www.totousa.com/travel-washlet

tenderlove,

@eviltrout @samsaffron @codinghorror (btw I don't recall paying this much for it. I think I bought this one: https://www.amazon.com/TOTO-Travel-Handy-Washlet-YEW350-WH/dp/B005FDJ8SM/ )
