News: Ruby on Rails experiences serious security breach

  1. A SearchAppSecurity.com story reports that a security vulnerability has forced the creators of Ruby on Rails to issue an immediate upgrade. Version 1.1.5, which is being called a mandatory upgrade, is available now. The vulnerability is so critical that the creators aren't disclosing any details so as to prevent attacks and protect people who are still in the process of upgrading. Coincidentally, the Department of Homeland Security has also issued a warning for Windows users, strongly recommending they patch a worm hole in the Microsoft operating system. In contrast, J2EE servers rarely require such serious updates, although a few such vulnerabilities have been seen. This is the first such exploit gaining widespread publicity for Ruby on Rails, but the lack of information on what the vulnerability is highlights how seriously the authors view the threat.

    Threaded Messages (80)

  2. Welcome to the world of enterprise development...
  3. Welcome to the world of enterprise development...
    Perhaps this will encourage a little less hype and a bit more realism.
  4. Re: for those about to rock, we salute you

    Are you for real. Haven't you heard about security holes in java?
  5. Re: for those about to rock, we salute you

    Are you for real. Haven't you heard about security holes in java?
    Of course. There are security holes in any framework. That is my point. RoR is just another framework.
  6. Dude, What an Attitude ??? What does that WE mean... Java Community Members or Java Supporters or Java... The issue is just an Exception and they know how to solve (catch) it. I am a strong believer of Java but it doesn't mean I should dislike other languages. I am sure your happiness wouldn't long last...
  7. @prabhu You unfortunate miserable moron. Get a life and a passion. You are zilch otherwise. Welcome to the world of software!!! BTW "THE GROUP" has 146 exploits against rails, all tested and documented. Why? Now, don't hate me, It is seemingly b'coz some guy was barred from posting on the rails forum and on LOUD (S)THINKING.COM Go figure! ENJOY THE RIDE (RAILERS) which will unfold in the next 36 months. No sir, there is NO sleep for the railers.. BTW prabhu, learn to write in English, please...
  8. The vulnerability is so critical that the creators aren't disclosing any details so as to prevent attacks and protect people who are still in the process of upgrading
    Nothing a little 'diff' can't fix. STAY METAL! Roy Russo
  9. I believe it was a flaw which allowed modification to the load path which in turn could allow a malicious user execute arbitrary code.
  10. This is a great news ...

    ... and I hope this slows down all the hype surrounding RoR. For those of you who thought RoR is a silver bullet and solves all the world's problems including hunger and war, it's time to start thinking twice. Jan
  11. World Peace not included

    Personally, I started building a production app with Rails as a test, and the Lebanese / Israeli conflict started up. Obviously World Peace is not one of its features!
  12. No this isn't great news...

    And to be so petty, so childish, so insecure in your own choices that you're happy that someone else's development environment has a major security hole is pathetic. You've just relinquished all right to be upset if Java ever has a serious security issue and someone like Microsoft uses it to push C#.
  13. Re: No this isn't great news...

    You've just relinquished all right to be upset if Java ever has a serious security issue and someone like Microsoft uses it to push C#.
    Umm, why? They "hate" us, we "hate" them, someone always "hates" somebody. After all a little bit of taunting is quite human. Aren't you human? ;-)
  14. Re: No this isn't great news...

    You've just relinquished all right to be upset if Java ever has a serious security issue and someone like Microsoft uses it to push C#.


    Umm, why? They "hate" us, we "hate" them, someone always "hates" somebody. After all a little bit of taunting is quite human. Aren't you human?

    ;-)
    Umm, that would be why. If it's fair for you to taunt them then it's fair for them to taunt you. By not being decent yourself, you've given up the right to demand decency from others.
  15. Re: No this isn't great news...

    So, what do I exactly conclude out of it? RoR guys hate J2EE and J2EE guys hate RoR? I would rather like to look at RoR as something similar to PHP. Nothing is a silver bullet - and nobody competes with each other. For a project, where I would use PHP - I won't use J2EE (and vice-versa). If at all there is some level of comparison possible - I would imagine PHP guys hate RoR. BR, Viral http://www.c-sam.com P.S. Please don't misinterpret me - I don't believe in hate at all - count me in World Peace.
  16. Re: No this isn't great news...

    And to be so petty, so childish, so insecure in your own choices that you're happy that someone else's development environment has a major security hole is pathetic.

    You've just relinquished all right to be upset if Java ever has a serious security issue and someone like Microsoft uses it to push C#.
    It is not petty and childish to dislike hype. Personally, I am not in the slightest degree happy about a major security hole, no matter what the development environment. However, there has been a lot of false promises and excessive expectations around RoR. There is no doubt that Ruby is a great language, and RoR has some exciting ideas, but a worrying number of developers were adopting Rails while it was still in Beta. But that seemed to be OK, because one of the themes of Web 2.0 was that everything should be in 'perpetual Beta'. A lot more realism is required in some quarters.
  17. Re: No this isn't great news...

    And to be so petty, so childish, so insecure in your own choices that you're happy that someone else's development environment has a major security hole is pathetic.

    You've just relinquished all right to be upset if Java ever has a serious security issue and someone like Microsoft uses it to push C#.


    It is not petty and childish to dislike hype. Personally, I am not in the slightest degree happy about a major security hole, no matter what the development environment. However, there has been a lot of false promises and excessive expectations around RoR. There is no doubt that Ruby is a great language, and RoR has some exciting ideas, but a worrying number of developers were adopting Rails while it was still in Beta. But that seemed to be OK, because one of the themes of Web 2.0 was that everything should be in 'perpetual Beta'. A lot more realism is required in some quarters.
    Sorry, but to wish security issues and harm on others because of hype is petty and childish. But hey, at least it gives you a chance to whine about "Web 2.0". And don't let facts stand in your way, reality certainly wouldn't show that some of the biggest perpetual beta "Web 2.0" apps (GMail) are written primarily in Java.
  18. Re: No this isn't great news...

    And to be so petty, so childish, so insecure in your own choices that you're happy that someone else's development environment has a major security hole is pathetic.

    You've just relinquished all right to be upset if Java ever has a serious security issue and someone like Microsoft uses it to push C#.


    It is not petty and childish to dislike hype. Personally, I am not in the slightest degree happy about a major security hole, no matter what the development environment. However, there has been a lot of false promises and excessive expectations around RoR. There is no doubt that Ruby is a great language, and RoR has some exciting ideas, but a worrying number of developers were adopting Rails while it was still in Beta. But that seemed to be OK, because one of the themes of Web 2.0 was that everything should be in 'perpetual Beta'. A lot more realism is required in some quarters.


    Sorry, but to wish security issues and harm on others because of hype is petty and childish.

    But hey, at least it gives you a chance to whine about "Web 2.0". And don't let facts stand in your way, reality certainly wouldn't show that some of the biggest perpetual beta "Web 2.0" apps (GMail) are written primarily in Java.
    Not sure where Steve is wishing security issues and harm to the RoR crowd here. I'm pretty sure the RoR group will recover from this. The problem is that the arrogance of DHH and crew is smacking them in the face a bit so unfortunately people are being a wee bit sadistic towards their "crisis". As any framework/language is touched by a wider audience, shtuff is going to happen. Hopefully a little more humility from DHH will be in the offing because of this -- but I doubt it. I think this post http://www.reevoo.com/blogs/bengriffiths/2006/08/10/rails-security-exploit-lessons-to-learn/ from a Rails enthusiast is pretty level-headed on the pluses and minuses of this incident.
  19. Re: No this isn't great news...

    And to be so petty, so childish, so insecure in your own choices that you're happy that someone else's development environment has a major security hole is pathetic.

    You've just relinquished all right to be upset if Java ever has a serious security issue and someone like Microsoft uses it to push C#.


    It is not petty and childish to dislike hype. Personally, I am not in the slightest degree happy about a major security hole, no matter what the development environment. However, there has been a lot of false promises and excessive expectations around RoR. There is no doubt that Ruby is a great language, and RoR has some exciting ideas, but a worrying number of developers were adopting Rails while it was still in Beta. But that seemed to be OK, because one of the themes of Web 2.0 was that everything should be in 'perpetual Beta'. A lot more realism is required in some quarters.


    Sorry, but to wish security issues and harm on others because of hype is petty and childish.

    But hey, at least it gives you a chance to whine about "Web 2.0". And don't let facts stand in your way, reality certainly wouldn't show that some of the biggest perpetual beta "Web 2.0" apps (GMail) are written primarily in Java.


    Not sure where Steve is wishing security issues and harm to the RoR crowd here. I'm pretty sure the RoR group will recover from this.

    The problem is that the arrogance of DHH and crew is smacking them in the face a bit so unfortunately people are being a wee bit sadistic towards their "crisis". As any framework/language is touched by a wider audience, shtuff is going to happen. Hopefully a little more humility from DHH will be in the offing because of this -- but I doubt it.

    I think this post http://www.reevoo.com/blogs/bengriffiths/2006/08/10/rails-security-exploit-lessons-to-learn/
    from a Rails enthusiast is pretty level-headed on the pluses and minuses of this incident.
    I didn't specifically mean to say that Steve was wishing harm on RoR, however the original poster was. And, if you notice, I never said that disliking hype was petty or childish, I was talking about wishing harm on others. That said, the fact that Steve felt it necessary to jump to the defense of someone who is wishing harm on others does not speak well for him. I don't believe in the hype of RoR, but then again, I don't believe in the hype of "enterprise Java" or "transparent ORM" either. Since I actually have to write code that scales to millions of page views a day, I am well aware that nothing really works the way it's advertised and you're going to have to work around problems. It's still petty and childish to think that security holes in any software is a good thing. And defending someone who does speaks just as loudly.
  20. Re: No this isn't great news...

    I didn't specifically mean to say that Steve was wishing harm on RoR, however the original poster was. And, if you notice, I never said that disliking hype was petty or childish, I was talking about wishing harm on others. That said, the fact that Steve felt it necessary to jump to the defense of someone who is wishing harm on others does not speak well for him. I don't believe in the hype of RoR, but then again, I don't believe in the hype of "enterprise Java" or "transparent ORM" either. Since I actually have to write code that scales to millions of page views a day, I am well aware that nothing really works the way it's advertised and you're going to have to work around problems.

    It's still petty and childish to think that security holes in any software is a good thing. And defending someone who does speaks just as loudly.
    You seem to be responding to things that weren't posted. I can't see how anyone could read that I or the original poster was 'wishing harm' on anything or anyone. The original poster simply hoped that the hype around RoR would slow down. I agreed. Hoping that a security issue has a certain outcome does not imply that you are happy that the security issue happened in the first place.
  21. Re: No this isn't great news...

    I didn't specifically mean to say that Steve was wishing harm on RoR, however the original poster was. And, if you notice, I never said that disliking hype was petty or childish, I was talking about wishing harm on others. That said, the fact that Steve felt it necessary to jump to the defense of someone who is wishing harm on others does not speak well for him. I don't believe in the hype of RoR, but then again, I don't believe in the hype of "enterprise Java" or "transparent ORM" either. Since I actually have to write code that scales to millions of page views a day, I am well aware that nothing really works the way it's advertised and you're going to have to work around problems.

    It's still petty and childish to think that security holes in any software is a good thing. And defending someone who does speaks just as loudly.


    You seem to be responding to things that weren't posted. I can't see how anyone could read that I or the original poster was 'wishing harm' on anything or anyone.

    The original poster simply hoped that the hype around RoR would slow down. I agreed. Hoping that a security issue has a certain outcome does not imply that you are happy that the security issue happened in the first place.
    The initial poster's subject line was " This is a great news ...". My response was that it's not great news and thinking that it is makes you petty and childish. If you honestly believe that it's cool to think that finding major security holes in a product is "great news" then please speak up. Otherwise, please stop defending the original poster.
  22. Re: No this isn't great news...

    The initial poster's subject line was " This is a great news ...". My response was that it's not great news and thinking that it is makes you petty and childish. If you honestly believe that it's cool to think that finding major security holes in a product is "great news" then please speak up. Otherwise, please stop defending the original poster.
    No, I agree, it is not great news by any standards. I am afraid I am somewhat at fault here, as I tend not to pay much (in this case, not enough) attention to the titles of comments, as they are carried forward on to responses and so usually have little relevance to the comment. I should have taken more care. I agree with the comment, but I certainly do not agree with the subject line.
  23. Re: No this isn't great news...

    It's still petty and childish to think that security holes in any software is a good thing. And defending someone who does speaks just as loudly.
    Hey Chris, lighten up on the ad hominems. I'm not defending anyone here, wishing ill or stating that security holes in software are a good thing. The fact is I like RoR but the fact there may be childish gloating in the java camp doesn't excuse the equally childish responses from the RoR camp. That's why I thought the RoR blogger in my previous post gave a pretty level-headed "eat crow" assessment of the situation. If DHH is going to maintain his arrogant and flippant stance at all cost, it's going to hurt RoR in the long run with IT managers. The fact of the matter is, the RoR guys f*cked up. Get over it. Brush it off and learn from the experience. They have a solid framework that needs fixing which they're doing although politically they may have screwed up a bit and they're going to have to absorb some trash talking in the short term. If they are going to want to run with the big dogs, they better get thicker skins.
  24. Re: No this isn't great news...

    Sorry, but to wish security issues and harm on others because of hype is petty and childish.
    Sorry, but I can't see where you can get the impression that I am wishing security issues on anyone. I certainly am not.
    But hey, at least it gives you a chance to whine about "Web 2.0". And don't let facts stand in your way, reality certainly wouldn't show that some of the biggest perpetual beta "Web 2.0" apps (GMail) are written primarily in Java.
    Of course they are. The problem is that we are often not dealing with facts - we are dealing with perceptions and hype.
  25. Re: No this isn't great news...

    Sorry, but to wish security issues and harm on others because of hype is petty and childish.


    Sorry, but I can't see where you can get the impression that I am wishing security issues on anyone. I certainly am not.
    Of course not Steve. You use the old trick of being an apologist for those that do.
  26. Re: No this isn't great news...

    Sorry, but to wish security issues and harm on others because of hype is petty and childish.


    Sorry, but I can't see where you can get the impression that I am wishing security issues on anyone. I certainly am not.

    Of course not Steve. You use the old trick of being an apologist for those that do.
    I do have some objections to RoR. I don't think it is anything like the versatile general-purpose web development system that the well-established Rails marketing movement implies it is. I would require much more of a general-purpose system - better support for internationalisation, better performance, and better portability and ORM. But this does not mean I don't recognise that it has advantages. I would certainly consider using RoR in situations where Java/J2EE was not available or appropriate, in preference to alternatives like PHP, and I have recently suggested its use to a colleague for this purpose. All I wish for in this area is more realism. Fewer claims of the type that appear on the RoR website, such as that RoR is 'a great fit for practically any type of web application', which I believe is (to say the least) a somewhat exaggerated statement. There is no web development system that meets that specification. I am not an apologist for anyone. I simply hope that prospective and current RoR users will now realise that it is simply yet another approach to be evaluated alongside others; a very powerful approach, but one that will require more development and evaluation before it becomes truly mainstream.
  27. Re: No this isn't great news...

    Sorry, but to wish security issues and harm on others because of hype is petty and childish.


    Sorry, but I can't see where you can get the impression that I am wishing security issues on anyone. I certainly am not.

    Of course not Steve. You use the old trick of being an apologist for those that do.


    I do have some objections to RoR. I don't think it is anything like the versatile general-purpose web development system that the well-established Rails marketing movement implies it is. I would require much more of a general-purpose system - better support for internationalisation, better performance, and better portability and ORM.

    But this does not mean I don't recognise that it has advantages. I would certainly consider using RoR in situations where Java/J2EE was not available or appropriate, in preference to alternatives like PHP, and I have recently suggested its use to a colleague for this purpose.

    All I wish for in this area is more realism. Fewer claims of the type that appear on the RoR website, such as that RoR is 'a great fit for practically any type of web application', which I believe is (to say the least) a somewhat exaggerated statement. There is no web development system that meets that specification.

    I am not an apologist for anyone. I simply hope that prospective and current RoR users will now realise that it is simply yet another approach to be evaluated alongside others; a very powerful approach, but one that will require more development and evaluation before it becomes truly mainstream.
    +1 I totally agree Steve. However if my memory serves me well Java suffered the odd security breach in the early days too! Ruby is still very young and immature in many ways, but it does hold a lot of promise for the future. So yes I agree with what you say but the world doesn't stand still and the Ruby crowd are moving pretty quickly (almost as quickly as Java in the early days). Whilst IMO Java has stagnated somewhat (JPA - yet another ORM, EJB3.0 - Spring but worst etc), Ruby has got some pretty interesting stuff in the pipeline. Just my 2 cents. Paul.
  28. Re: No this isn't great news...

    However if my memory serves me well Java suffered the odd security breach in the early days too!
    Yes, who has forgotten the time when Princeton told us how to hack a JVM using a lightbulb? http://www.theregister.co.uk/2003/05/16/latest_addition_to_hacker_toolkits/ http://www.cs.princeton.edu/~sudhakar/papers/memerr.pdf Now, if RoR can deal with that, then it is surely ready for the enterprise. If it can't, then admins must again get ready to get their hands greasy with sunscreen lotion...
  29. Re: No this isn't great news...

    Ruby is still very young and immature in many ways, but it does hold a lot of promise for the future. So yes I agree with what you say but the world doesn't stand still and the Ruby crowd are moving pretty quickly (almost as quickly as Java in the early days).
    I am not so sure. Look at the long timescale for the arrival of Ruby 2.0 - makes Java version release dates look fast! If you follow JRuby development, you will see that the lack of a clear way forward in Ruby with things like internationalisation is holding things up.
    Whilst IMO Java has stagnated somewhat (JPA - yet another ORM, EJB3.0 - Spring but worst etc), Ruby has got some pretty interesting stuff in the pipeline.

    Just my 2 cents.

    Paul.
    Although I prefer other techniques, it is unfair to call JPA 'yet another ORM'. It is considerably more powerful than Rails. When Rails includes a rich portable query language like JPAQL and can transparently and efficiently handle very large transactions as many JPA implementations can, then I may be more interested. JPA is a good example of how Java is moving ahead, not stagnating. Ruby needs a similar framework if it is to become anything like ready for enterprise use.
  30. Re: No this isn't great news...

    Hi Steve,
    JPA is a good example of how Java is moving ahead, not stagnating. Ruby needs a similar framework if it is to become anything like ready for enterprise use.
    My reference to stagnation was a bit more fundamental than that. If you stand back and look at the big picture, you will see that we have been slowly working our way back to the 1970's. First with C++ we were given objects, sort of, but without message sends and without automatic memory management. Then we got Java, which gave us automatic memory management and got rid of pointers, but still no message sends or the associated object memory. Now we've got Ruby - a bit green yes, but who remembers Java 1.0? So now with Ruby we've got message sends, object memory and a bunch of goodies that come with it like mixins, metaprogramming etc. This stuff is allowing the Ruby crowd to build some really powerful frameworks that will make RoR look pretty conservative in comparison. Eventually Ruby will get an IDE and that will bring us back to 1980, or should I say Smalltalk-80 :^). From there perhaps dynamic compilation then we'll truly be back to the future, that is if the Squeak guys and Croquet don't get there first :^) You've got to laugh (lol)! Paul.
  31. Re: No this isn't great news...

    This stuff is allowing the Ruby crowd to build some really powerful frameworks that will make RoR look pretty conservative in comparison.
    Yes, but will this matter? I am getting the impression that RoR will become for small-scale web development what Visual Basic became for PC apps - useful for some things, deeply flawed in some ways, but pushing out other, better, alternatives (even in Ruby) because of marketing.
    Eventually Ruby will get an IDE and that will bring us back to 1980, or should I say Smalltalk-80 :^). From there perhaps dynamic compilation then we'll truly be back to the future, that is if the Squeak guys and Croquet don't get there first :^)

    You've got to laugh (lol)!

    Paul.
    Squeak is a great demo of what can be done, but I really feel that the project has got stuck in some ways... it has reduced the mighty Smalltalk to a teaching tool. Someone really needs to clean Squeak up, dump all the awful Morphic stuff, and get back to a lean and simple truly multi-windows MVC framework that looks like something that isn't from 1980 like the current Squeak MVC system, and give it a reasonable ORM. If I had the time, this would be tempting. It could make RoR look primitive....
  32. Re: No this isn't great news...

    Hi Steve,
    Someone really needs to clean Squeak up... If I had the time, this would be tempting. It could make RoR look primitive....
    Avi Bryant of Seaside fame, has already expressed an interest in porting Ruby to a Smalltalk VM. Algol like syntax (Just like C/C++/Java/C#) and the Smalltalk IDE. So you could pair with him. Unfortunately if you haven't got the marketing dollars to compete with Dave Thomas and the Pragmatic Programmers and also Sun and the Java cartel then plain old Smalltalk is a non starter I'm afraid :^) Having said that Croquet is hoping to pull the rug from under everyone. Once they've got their immersive 3D internet wide operating system "The Matrix", up and running they intend to build cross language support using something called Babel, which could allow you to program Croquet in Java. Now there's a ready market! Like I said, you've got to laugh LOL :^). Paul.
  33. Re: No this isn't great news...

    Hi Steve,

    Someone really needs to clean Squeak up... If I had the time, this would be tempting. It could make RoR look primitive....


    Avi Bryant of Seaside fame, has already expressed an interest in porting Ruby to a Smalltalk VM. Algol like syntax (Just like C/C++/Java/C#) and the Smalltalk IDE. So you could pair with him.
    Ah, but I am not after Algol-like syntax - I want Smalltalk!
    Unfortunately if you haven't got the marketing dollars to compete with Dave Thomas and the Pragmatic Programmers and also Sun and the Java cartel then plain old Smalltalk is a non starter I'm afraid :^)
    In the same way that Python and Perl and Ruby are non-starters?
    Having said that Croquet is hoping to pull the rug from under everyone. Once they've got their immersive 3D internet wide operating system "The Matrix", up and running they intend to build cross language support using something called Babel, which could allow you to program Croquet in Java. Now there's a ready market!

    Like I said, you've got to laugh LOL :^).

    Paul.
    I am not after collaborative on-line multi-user applications. I want to write quality websites. Croquet is targetted at a fundamentally different use case.
  34. Re: No this isn't great news...

    Hi Steve, Maybe you missed my sarcastic tone, but I was mostly joking :^). But seriously what systems end up gaining main stream support (and the associated third party libraries and tools) will come down mainly to marketing. I mentioned Dave Thomas as he is largely behind the current marketing of Ruby. As for Croquet, it has everything to do with the web. Croquet is the next generation web, "The Matrix" (if it takes off). Forget Web2.0, AJAX and HTML - welcome replicated 3D objects communicating peer-to-peer with no central servers. It is based on a 1978 PhD thesis and it is a radically different approach. I've been working with Croquet for a while and it works. Who knows it could really take off! Paul.
  35. Re: No this isn't great news...

    Hi Steve,

    Maybe you missed my sarcastic tone, but I was mostly joking :^).
    Sorry - I did miss it :)
    As for Croquet, it has everything to do with the web. Croquet is the next generation web, "The Matrix" (if it takes off). Forget Web2.0, AJAX and HTML - welcome replicated 3D objects communicating peer-to-peer with no central servers. It is based on a 1978 PhD thesis and it is a radically different approach.

    I've been working with Croquet for a while and it works. Who knows it could really take off!

    Paul.
    Yes, but let's be practical. No-one is going to build commercial sites for it in the near future.
  36. Re: No this isn't great news...

    This stuff is allowing the Ruby crowd to build some really powerful frameworks that will make RoR look pretty conservative in comparison.


    Yes, but will this matter? I am getting the impression that RoR will become for small-scale web development what Visual Basic became for PC apps - useful for some things, deeply flawed in some ways, but pushing out other, better, alternatives (even in Ruby) because of marketing.

    Considering how most Windows apps were written in VB and most web apps are small scale, I think it's a huge win for RoR. Given the choice would you rather then > 90% of the market doing the small scale stuff or the < 10% of the market doing the really large scale stuff? Not to mention that as soon as everyone prefers using you for the small scale stuff, they start to look at how to make you scale up. See the problems Sun is having keeping Solaris competitive in the market against Linux for a similar example of what happens when you dismiss the new guy cause "he doesn't scale".
  37. Re: No this isn't great news...

    Considering how most Windows apps were written in VB and most web apps are small scale, I think it's a huge win for RoR.
    Yes, but would it be a big win for the quality of development? The widespread use of VB wasn't.
    Not to mention that as soon as everyone prefers using you for the small scale stuff, they start to look at how to make you scale up.
    Perhaps, but they might be somewhat surprised if you then explained that their site would, as a consequence, have to be either partially or fully re-implemented using a different technology to achieve that. How many developers are likely to have in-depth knowledge of both RoR and Java/J2EE so as to be able to confidently advise a client of the choices? Maybe I am cynical, but I think it is much more likely that many developers will believe the 'a great fit for practically any type of web application' hype and their clients will have to live with the consequences, as happened with Visual Basic.
    See the problems Sun is having keeping Solaris competitive in the market against Linux for a similar example of what happens when you dismiss the new guy cause "he doesn't scale".
    But Linux (increasingly) does scale. That is why it is competitive in areas where Solaris has been dominant.
  38. Re: No this isn't great news...

    Hi Steve, What is your difficulty with Ruby? Every new technology needs a headline grabber to get noticed. For Java it was the Internet and Applets and for Ruby it's Rails. I've never used Rails in anger, but apart from the inherent qualities it gets from being written in Ruby, I agree from what I've seen it's nothing special. But any sensible person evaluating Ruby as a language will look past Rails in the same way that any sensible person (like me :^)) would have looked past Applets in 1996 when evaluating Java back then. I see history repeating itself. I remember using high end tools like Purify to test for memory leaks in my server-side C++ code, because that's what serious enterprise programmers did. C++ was a serious enterprise strength language, and Smalltalk without static types and wasting valuable CPU cycles on automatic memory management was a toy. Well where is Purify today? Along came Java with automatic memory management and the C++ crowd finally woke up to the fact that tracking down memory leaks wasn't macho, it was just plain stupid :^). In an earlier discussion I listed a number of language features that make Ruby an inherently more productive language than Java (in the same way that Java was inherently more productive than C++). The missing piece of the pie for Ruby is mainstream industry adoption. This is why Dave Thomas et al. are marketing Ruby so hard, and using Rails as a vehicle to do so. If the industry catches on to Ruby in the same way that they caught on to Java then Ruby will have a number of sophisticated third party libraries, frameworks and tools to choose from. So it will be out with BEA Weblogic, in the same way that Purify went west :^) and in with new fancy dynamic tools that exploit the dynamic nature of Ruby. To me it seems inevitable, and it is only a matter of time. Just take a look at the economics. Why pay twice as much and wait twice as long to get the job done in Java, when you can get the same results in half the time and at half the costs with Ruby? Paul.
  39. Re: No this isn't great news...

    To me it seems inevitable, and it is only a matter of time. Just take a look at the economics. Why pay twice as much and wait twice as long to get the job done in Java, when you can get the same results in half the time and at half the costs with Ruby?

    Paul.
    That is exactly the argument that led to so much work being done in Visual Basic - all that matters is the writing cost, and the results initially look good. The problem is that for a reasonable fraction of projects, much of the cost comes in long-term maintenance and support. There is nothing particularly bad about Ruby in this respect (although I have seen some Ruby code where the developers seem to want to reproduce the wonderful obscurity of some Perl code), but I believe that some aspects of the Rails approach have issues in this area: I believe the ActiveRecord approach is being overused. There may well be far better approaches that mature, but Rails is the current buzzword, and I think they will find it hard to compete.
    In an earlier discussion I listed a number of language features that make Ruby an inherently more productive language than Java (in the same way that Java was inherently more productive than C++).
    I would say that you listed a number of features that might make Ruby more productive for you; I don't think they are automatically inherently better for everyone. Also, many of those features are present in some Java environments. I have worked with Java IDEs that certainly allow immediacy of development and editing code while it is still running (this was in the much-missed VisualAge for Java). My view is that approaches such as meta-programming and use of DSLs can potentially obscure what is going on and lead to maintenance problems. Ruby and Java have advantages and disadvantages. Java has speed and internationalisation, Ruby has closures and a more dynamic way of working. Also, development with Java need not be slow - it can be very fast indeed. For example, as I have said before, if you really want to get a database-backed website up and running very quickly, just open up Studio Creator....
  40. Re: No this isn't great news...

    I've never used Rails in anger, but apart from the inherent qualities it gets from being written in Ruby, I agree from what I've seen it's nothing special. But any sensible person evaluating Ruby as a language will look past Rails in the same way that any sensible person (like me :^)) would have looked past Applets in 1996 when evaluating Java back then.
    True, but it was Rails that gave cachet to Ruby. Let's not forget Ruby is an older language than java, yet it's taken RoR to have it considered as serious. IMO, it has more to do with Agile as the new management buzz and RoR is usually uttered in the same breath.

    To me it seems inevitable, and it is only a matter of time. Just take a look at the economics. Why pay twice as much and wait twice as long to get the job done in Java, when you can get the same results in half the time and at half the costs with Ruby?

    Paul.
    I've heard this argument time and time again and I have yet to see one objective analysis of these costs. If you could provide any bona fide regarding this statement, I think it would be most helpful to the community in general. I'll subjectively concede that development lifecycle is shorter with RoR than java, but from a deployment and operational lifecycle (where most $$$ reside for an app), I think RoR is severely limited as a viable platform for enterprises as of right now. Let's not forget that with all new technologies, it's the crackers and upper tier developers that tend to push the envelope. The first wave of sample apps have a tendency to be pretty sharp and have mass appeal. It's when adoption comes and the middle tier of resources come into the fold when the problems start to surface. Ruby is pretty esoteric compared to other languages (no flames here, I like Ruby, but it does have a pretty steep learning curve). I've seen the same problems with the VB exodus to java crowd who turned around and complained about JSP versus ASP, etc. Java paid the price for bad PR because wrong resources were allocated to a task. Overall, I find it more interesting that RoR is positioned as a competitor to JEE when in reality the pilot apps being assessed in my space are pissing off the .NET crowd more than anyone else.
  41. Re: No this isn't great news...

    Hi Frank,
    I've never used Rails in anger, but apart from the inherent qualities it gets from being written in Ruby, I agree from what I've seen it's nothing special. But any sensible person evaluating Ruby as a language will look past Rails in the same way that any sensible person (like me :^)) would have looked past Applets in 1996 when evaluating Java back then.


    True, but it was Rails that gave cachet to Ruby. Let's not forget Ruby is an older language than java, yet it's taken RoR to have it considered as serious. IMO, it has more to do with Agile as the new management buzz and RoR is usually uttered in the same breath.

    Yes and Smalltalk has been available since 1983 and currently it has got very little cachet at all yet it is more productive than Java and Ruby IMO. Ruby has become known to the mainstream quite simply because a group of people decided it was time to market something new and they chose Ruby. I agree that the timing of Ruby has more to do with Agile than with Web development but I'll come back to that theme later.
    To me it seems inevitable, and it is only a matter of time. Just take a look at the economics. Why pay twice as much and wait twice as long to get the job done in Java, when you can get the same results in half the time and at half the costs with Ruby?

    Paul.


    I've heard this argument time and time again and I have yet to see one objective analysis of these costs. If you could provide any bona fide regarding this statement, I think it would be most helpful to the community in general.
    I can't convince you, in the same way that Smalltalkers could never convince the C++ community. Programmers are a pretty conservative bunch and tend to stick to what they know. All I can say is try it for yourself.
    I'll subjectively concede that development lifecycle is shorter with RoR than java, but from a deployment and operational lifecycle (where most $$$ reside for an app), I think RoR is severely limited as a viable platform for enterprises as of right now. Let's not forget that with all new technologies, it's the crackers and upper tier developers that tend to push the envelope. The first wave of sample apps have a tendency to be pretty sharp and have mass appeal. It's when adoption comes and the middle tier of resources come into the fold when the problems start to surface. Ruby is pretty esoteric compared to other languages (no flames here, I like Ruby, but it does have a pretty steep learning curve). I've seen the same problems with the VB exodus to java crowd who turned around and complained about JSP versus ASP, etc. Java paid the price for bad PR because wrong resources were allocated to a task.

    Overall, I find it more interesting that RoR is positioned as a competitor to JEE when in reality the pilot apps being assessed in my space are pissing off the .NET crowd more than anyone else.
    This is the real rub. Most mainstream programmers are pretty poor. The fact that there is a steep learning curve to Ruby is because our education system leaves most programmers illiterate when it comes to computer science. What do most programmers know about Lisp? or Smalltalk or a number of other significant milestones in computer science? JEE was an attempt to dumb down development to meet the abilities of the mainstream, it failed. I've seen several attempts at this over the years and they've all failed (VB, 4GL, CASE, JEE, .NET, etc). The simple fact is that programming is difficult and requires a great deal of skill. And this is where Agile comes in. Agile focuses on developing skills through practice, reflection and continuous improvement. In the right hands an expressive language like Smalltalk or Lisp or Ruby is a highly productive tool. In the wrong hands it's a loaded gun. Then again the dumbed down J2EE has turned out to be a loaded gun too and is just getting in the way of the better programmers who are looking to simpler alternatives. Dave Thomas and the Ruby community are focusing on the right thing: people over tools. I don't see this happening in the Java community to the same degree, which is why I believe that Ruby will prove to be more than just a flash in the pan. Paul.
  42. Re: No this isn't great news...

    The fact that there is a steep learning curve to Ruby is because our education system leaves most programmers illiterate when it comes to computer science.
    If most programmers were computer scientists or similar (computer engineers, software engineers by education not title, etc) then I would agree with you. The CS education system is failing. But most have never touched a CS book or taken a CS class, much less actively studied it (in college or otherwise). We can't hold the system accountable for failing to educate those who were never part of it. Other than that, +1.
  43. Re: No this isn't great news...

    This is the real rub. Most mainstream programmers are pretty poor. The fact that there is a steep learning curve to Ruby is because our education system leaves most programmers illiterate when it comes to computer science.
    Although I agree that the majority of computer science programs are pretty poor, especially when taught by professors that never programmed outside of the classroom, I disagree with the fact that that's a make it or break it for programmers. Most good programmers I know are self-taught, some with degrees in other disciplines, some without any. I think your comment below about agility is absolutely correct. You become a better programmer through various experiences and your ability to adapt.
    What do most programmers know about Lisp? or Smalltalk or a number of other significant milestones in computer science?
    Well, I don't know how many different milestones in computer science history can be covered in a computer science program. I think they should concentrate more on practical stuff, than theory, but that's my opinion. I think the lack of real world experience in the classroom today is what leaves a lot of CS graduates without a job and/or accepting jobs outside of their major. Experience is king.
    JEE was an attempt to dumb down development to meet the abilities of the mainstream, it failed. I've seen several attempts at this over the years and they've all failed (VB, 4GL, CASE, JEE, .NET, etc). The simple fact is that programming is difficult and requires a great deal of skill.
    True, but I don't think those were attempts to dumb anything down, rather abstract developers from various concerns and allow them to deliver software faster in a more productive manner, as well as with better quality. Since the concerns covered by these environments, were resolved in the best way possible, at least in most cases. If you want to write your own application servers and transaction code, that's fine. I want to deliver business IT solutions to customers, more efficiently. I think the problem was not necessarily with these technologies, but rather with the shortage of knowledgeable folks, which forced most companies to accept not so good developers and even non-developers who were willing to learn. I don't think this is getting any better with time, I think the shortage of IT professionals is only going to get bigger and demand for better programmers will continue to grow.
    And this is where Agile comes in. Agile focuses on developing skills through practice, reflection and continuous improvement.

    In the right hands an expressive language like Smalltalk or Lisp or Ruby is a highly productive tool. In the wrong hands it's a loaded gun. Then again the dumbed down J2EE has turned out to be a loaded gun too and is just getting in the way of the better programmers who are looking to simpler alternatives.
    Well said, though I disagree with dumbed down stuff:-) Ilya Sterin
  44. Re: No this isn't great news...

    Hi All, Just thought I'd try and clarify a couple of points. I really should have said education in the broadest sense (formal training and on-the-job). Most programmers are sat in a corner on their own and just expected to know stuff. Also in my experience whether you get the job has more to do with whether you know the latest JSR in exacting detail rather than whether you have a good grounding in fundamental concepts and principles. The other point I want to clarify is what I meant by "dumbed-down", I mean "wizard-programming". The idea that anyone can do it. So for example when I was first shown EJB's, the idea was that you wrote a few lines of business logic (if .. then .. else) then you fired up the deployment wizard, and that would add transactions, persistence etc for you. In reality you quickly discarded the wizard and ended up hand coding deployment descriptors in XML and debugging interactions between your bean and the container. Languages like Lisp and Smalltalk and Ruby raise the level of abstraction whilst still providing access to the underlying primitives. So in the case of Smalltalk you can radically change the language all from within Smalltalk, and many people have. Features like Mixins, Traits and Protocols have all been added without changing the compiler or VM. In Lisp the power of a Macro is only available to someone who knows how to write macros themselves, the idea that you can use a macro without knowing how it works just doesn't exist. Another good example of dumbing down was CASE. The idea was that with a couple of bright engineers you could define everything upfront, then get a bunch of grunt coders to do the bulk of the implementation. Agile thinking dispels all these myths and focuses on the most important activity: programming. To get good programs you need good programmers (people). Expressive languages allow good programmers to do more with less lines of code. My limited experience with Ruby has shown me that in this regard it reflects its Lisp and Smalltalk heritage very well. Paul.
  45. Re: No this isn't great news...

    The other point I want to clarify is what I meant by "dumbed-down", I mean "wizard-programming". The idea that anyone can do it. So for example when I was first shown EJB's, the idea was that you wrote a few lines of business logic (if .. then .. else) then you fired up the deployment wizard, and that would add transactions, persistence etc for you. In reality you quickly discarded the wizard and ended up hand coding deployment descriptors in XML and debugging interactions between your bean and the container.

    Languages like Lisp and Smalltalk and Ruby raise the level of abstraction whilst still providing access to the underlying primitives. So in the case of Smalltalk you can radically change the language all from within Smalltalk, and many people have. Features like Mixins, Traits and Protocols have all been added without changing the compiler or VM. In Lisp the power of a Macro is only available to someone who knows how to write macros themselves, the idea that you can use a macro without knowing how it works just doesn't exist. Another good example of dumbing down was CASE. The idea was that with a couple of bright engineers you could define everything upfront, then get a bunch of grunt coders to do the bulk of the implementation.

    Agile thinking dispels all these myths and focuses on the most important activity: programming. To get good programs you need good programmers (people). Expressive languages allow good programmers to do more with less lines of code. My limited experience with Ruby has shown me that in this regard it reflects its Lisp and Smalltalk heritage very well.

    Paul.
    Firstly, there is nothing to prevent Agile development with Java (not that you were saying this). Secondly, it is all very well to say 'get good programmers', but that is probably unrealistic. And what happens to those companies that don't or can't? What is wrong with an inexperienced developer firing up Studio Creator to get a few data-driven pages up? Whether we like it or not, a considerable amount of programming is 'dumbed down', and will always be. Thirdly, I worry a lot about the power of languages like Smalltalk and Ruby. Having been an on-and-off Smalltalk user for more than 20 years, I have seen the lack of restrictions of the language result in many unsupportable tangles of code. Ruby seems to me to be potentially even more expressive, but with so many abilities to perform 'clever tricks', that although the language syntax may conform to the principle of least surprise, the operation of many programs may not. You have omitted one of the influences on Ruby - a language that can lead to some of the most obscure code imaginable - Perl. Finally, I disagree that programming is the most important activity. What is most important is analysis and design, whether or not this is up-front or not.
  46. Re: No this isn't great news...

    Hi Steve, What you say comes down to corporate culture and whether you value people over tools. All I'm suggesting is that in companies where they prefer to invest in their people rather than bang-whiz tools then expressive languages are desirable. As to where you get good programmers. Well in my experience most programmers have a lot more potential than is actually realised. That is one of the reasons why we program in pairs so that the experienced people can coach the junior guys and the junior programmers get to keep the senior people honest :^). So in answer to your question you develop your people to be the best they can be. They do this in all other mature professions so why not Software?
    Finally, I disagree that programming is the most important activity. What is most important is analysis and design, whether or not this is up-front or not.
    This statement highlights the difference in culture that I'm trying to explain. When I program I perform Analysis, Design, Coding, Peer Review, Unit Testing, QA etc all at the same time. My definition of programming is just different to yours. Paul.
  47. Re: No this isn't great news...

    What you say comes down to corporate culture and whether you value people over tools. All I'm suggesting is that in companies where they prefer to invest in their people rather than bang-whiz tools then expressive languages are desirable.
    I believe you are setting false divisions, and looking for opposites where they don't exist. Sometimes providing good tools is an indication of respect for developers and their skills. There is a recognised (well, at least by me!) issue with much current development using dynamic languages which is the lack of quality tools. By tools I mean facilities to interactively examine code, objects, profile code, automatically generate and run tests, analyse code coverage, refactor, generate and maintain code behind forms and so on. There was a recent review of Ruby debuggers, and most of the products were sloppy and buggy. Good tools don't have to get in the way of quality development - they can hugely assist it, as shown in environments like Smalltalk. Given the richness of the toolsets in Smalltalk, and that it is a language you rate highly, I find it difficult to follow your argument.
    As to where you get good programmers. Well in my experience most programmers have a lot more potential than is actually realised. That is one of the reasons why we program in pairs so that the experienced people can coach the junior guys and the junior programmers get to keep the senior people honest :^). So in answer to your question you develop your people to be the best they can be. They do this in all other mature professions so why not Software?
    They usually don't do it like this in other professions. In other professions there are professional qualifications and a series of training steps before inexperienced people get to do major work. Unlike architects, lawyers and doctors, just about anyone can call themselves a 'software engineer'. (This is one of the reasons we need very safe languages like Java)
    Finally, I disagree that programming is the most important activity. What is most important is analysis and design, whether or not this is up-front or not.


    This statement highlights the difference in culture that I'm trying to explain. When I program I perform Analysis, Design, Coding, Peer Review, Unit Testing, QA etc all at the same time. My definition of programming is just different to yours.

    Paul.
    There is no difference in culture, as now that you have explained things more clearly we agree on this.
  48. Re: No this isn't great news...

    Hi Steve,
    I believe you are setting false divisions, and looking for opposites where they don't exist. Sometimes providing good tools is an indication of respect for developers and their skills. There is a recognised (well, at least by me!) issue with much current development using dynamic languages which is the lack of quality tools. By tools I mean facilities to interactively examine code, objects, profile code, automatically generate and run tests, analyse code coverage, refactor, generate and maintain code behind forms and so on. There was a recent review of Ruby debuggers, and most of the products were sloppy and buggy. Good tools don't have to get in the way of quality development - they can hugely assist it, as shown in environments like Smalltalk. Given the richness of the toolsets in Smalltalk, and that it is a language you rate highly, I find it difficult to follow your argument.
    This is why I mentioned wizards. I agree that the Smalltalk IDE is a great programming environment and IRB and the Ruby Debugger doesn't come close. But I don't see the Smalltalk development environment as a wizard or as an attempt to dumb down programming.
    They usually don't do it like this in other professions. In other professions there are professional qualifications and a series of training steps before inexperienced people get to do major work. Unlike architects, lawyers and doctors, just about anyone can call themselves a 'software engineer'. (This is one of the reasons we need very safe languages like Java)
    Are you sure? Go down to your nearest hospital and see how they train Junior Doctors. There is a great deal of hands-on mentorship by senior consultants. The same with lawyers. Either way, practical skills is the name of the game not just academic knowledge.
    There is no difference in culture, as now that you have explained things more clearly we agree on this.
    Agreed. There is value in the points you've raised too. All I'm arguing for is choice. Both Java and C# take pretty much the same approach. If Ruby becomes mainstream then that will provide a contrasting alternative. Paul.
  49. Re: No this isn't great news...

    This is why I mentioned wizards. I agree that the Smalltalk IDE is a great programming environment and IRB and the Ruby Debugger doesn't come close. But I don't see the Smalltalk development environment as a wizard or as an attempt to dumb down programming.
    Why not? What makes a tool acceptable or otherwise? A typical Smalltalk development environment is full of things that automate things that you would otherwise have to do manually. And why 'wizards'? Are tools only bad if they take you step-by-step through a process? And what is wrong with 'wizards'? Fortunately, I have been in a position to choose my own tools for a long time, but if I had to design a modern GUI without tools that allowed me to visually design the GUI and that generated much of the code for me, I would not consider that 'programmer rather than tool centred' - I would consider it primitive and unproductive. I like a Wizard that asks 'click here to generate a Swing dialog box'.
    Are you sure? Go down to your nearest hospital and see how they train Junior Doctors. There is a great deal of hands-on mentorship by senior consultants. The same with lawyers. Either way, practical skills is the name of the game not just academic knowledge.
    Yes, but the point is that those practical skills will have been backed up by a substantial amount of formal training and learning. Development methodologies can be a useful part of that training. That is all I am saying.
    All I'm arguing for is choice.
    You seem to put forward based on contrasts - dynamic/static, programmer-focused/tool-based, agile/non-agile, with Ruby on one side and Java on the other, with one set of approaches having supposedly intrinsic advantages. I am also for choice, but also for a realisation that things are far more complex: you can be agile and programmer-focussed with Java, and static typing does have benefits. I work with a mix of languages. I take advantage of the supposedly 'failed' JEE to give my web development robustness and performance, but I use Groovy and other very dynamic approaches to give me agile development (although not strictly 'Agile').
  50. Re: No this isn't great news...

    Thirdly, I worry a lot about the power of languages like Smalltalk and Ruby. Having been an on-and-off Smalltalk user for more than 20 years, I have seen the lack of restrictions of the language result in many unsupportable tangles of code. Ruby seems to me to be potentially even more expressive, but with so many abilities to perform 'clever tricks', that although the language syntax may conform to the principle of least surprise, the operation of many programs may not.
    That's the pitfall of languages that have many powerful features. Your main body of programmers never understand half of it, period. There are some people, who I think are smart enough to understand the power and wield it, but in their enthusiasm they can easily forget the consequences - everyone else must understand how it works to maintain it. I am waiting for the "bitter ruby" series next. After that is written, I am going to try Ruby.
  51. Re: No this isn't great news...

    I am waiting for the "bitter ruby" series next. After that is written, I am going to try Ruby.
    Ok, it has to be called the "Flawed Ruby".
  52. Re: No this isn't great news...

    That's the pitfall of languages that have many powerful features. Your main body of programmers never understand half of it, period. There are some people, who I think are smart enough to understand the power and wield it, but in their enthusiasm they can easily forget the consequences - everyone else must understand how it works to maintain it.
    I think we should be humble enough to accept our own failings - it is not just everyone else who must understand how these things work, it could be ourselves who have to re-visit our own code after many years. Unfortunately, I speak from personal experience, as I have to deal with my own clever Smalltalk tricks from the early 90s, and maintain that code. When I read through blogs and articles about all the tricks that can be done with Ruby, this takes me back to the late 80s, when Smalltalk was in exactly the same situation. When I see so many jumping on the Ruby bandwagon, it reminds me of a quote from George Santayana: "Those who cannot learn from history are doomed to repeat it"
  53. Re: No this isn't great news...

    The fact that there is a steep learning curve to Ruby is because our education system leaves most programmers illiterate when it comes to computer science.
    I'm finding quite the opposite. I can train a Java developer on Ruby on Rails far quicker than I can train the same Java developer on the traditional open source stack: Spring plus Hibernate or JPA, and WebWork, Struts, Tapestry or JSF. It's no contest, really. What's interesting to me is the different levels that you can consume Ruby. You can effectively use Ruby as a client of a framework, learning it very quickly, and never touch method missing, open classes, or any of the other hardcore metaprogramming techniques. But you can also get into the metaprogramming techniques far more quickly on Rails than you can in Java. It's far easier to open up a class with a framework and bolt on an interceptor with Ruby than it is to learn AOP, dynamic proxies, or one of the interceptor frameworks, like JBoss. And with Ruby, you can continue to grow as a developer, and the path to grow is much more linear to the effort you apply. These are just my observations. I do believe that it's harder to get a Java or C# developer to see the value of Ruby. But it's not one-size-fits-all. If you have to drive a screw, use a screwdriver. Ironically, I think Java's applied to the wrong problem far more often than any other language, and Java developers tend to complain the loudest when others point out that Java should probably not be applied to a certain class of problems.
  54. Re: No this isn't great news...

    The fact that there is a steep learning curve to Ruby is because our education system leaves most programmers illiterate when it comes to computer science.


    I'm finding quite the opposite. I can train a Java developer on Ruby on Rails far quicker than I can train the same Java developer on the traditional open source stack: Spring plus Hibernate or JPA, and WebWork, Struts, Tapestry or JSF. It's no contest, really.

    What's interesting to me is the different levels that you can consume Ruby. You can effectively use Ruby as a client of a framework, learning it very quickly, and never touch method missing, open classes, or any of the other hardcore metaprogramming techniques.

    But you can also get into the metaprogramming techniques far more quickly on Rails than you can in Java. It's far easier to open up a class with a framework and bolt on an interceptor with Ruby than it is to learn AOP, dynamic proxies, or one of the interceptor frameworks, like JBoss.

    And with Ruby, you can continue to grow as a developer, and the path to grow is much more linear to the effort you apply. These are just my observations.

    I do believe that it's harder to get a Java or C# developer to see the value of Ruby. But it's not one-size-fits-all. If you have to drive a screw, use a screwdriver. Ironically, I think Java's applied to the wrong problem far more often than any other language, and Java developers tend to complain the loudest when others point out that Java should probably not be applied to a certain class of problems.
    +1 I've experienced this too. We had a couple of graduates up and running with Ruby in days. Paul.
  55. Re: No this isn't great news...

    Considering how most Windows apps were written in VB and most web apps are small scale, I think it's a huge win for RoR.


    Yes, but would it be a big win for the quality of development? The widespread use of VB wasn't.

    Hey, if you're going to pass up 90% of the market over "quality of development" I'd be happy to take it. Quality of development means nada when no one is paying you anymore because someone else can get it done cheaper.
    Not to mention that as soon as everyone prefers using you for the small scale stuff, they start to look at how to make you scale up.


    Perhaps, but they might be somewhat surprised if you then explained that their site would, as a consequence, have to be either partially or fully re-implemented using a different technology to achieve that. How many developers are likely to have in-depth knowledge of both RoR and Java/J2EE so as to be able to confidently advise a client of the choices? Maybe I am cynical, but I think it is much more likely that many developers will believe the 'a great fit for practically any type of web application' hype and their clients will have to live with the consequences, as happened with Visual Basic.
    Well, now you've missed the point I had about Linux. 5, 6 years ago Sun could make the honest claim that Linux couldn't scale. But the people using it decided that they liked it on the small end so much they wanted it on the high end too. Being open source, that was reasonably easy to achieve. Now Linux does scale and the dismissive attitude Sun had about Linux 5 years ago may end up being Solaris's downfall. To assume that RoR won't scale to J2EE heights (which isn't saying much considering how much open source code like Hibernate and Spring was written to get J2EE to scale to J2EE heights) is not something I'd bet on. But, hey, if you want to assume that the world will continue to stay the same and that giving up 90% of the market is ok as long as it's for "quality of development", be my guest. But then in a few years, like Sun and Solaris, you're going to be looking at the backend of the bus, not riding in it.
  56. Re: No this isn't great news...

    Hey, if you're going to pass up 90% of the market over "quality of development" I'd be happy to take it. Quality of development means nada when no one is paying you anymore because someone else can get it done cheaper.
    You are welcome to it :) I have worked for a range of companies where quality has been promoted, even at a higher price. My experience is that potential clients often go for quality when the benefits are explained, and you get to build up a good reputation.
    Well, now you've missed the point I had about Linux. 5, 6 years ago Sun could make the honest claim that Linux couldn't scale. But the people using it decided that they liked it on the small end so much they wanted it on the high end too. Being open source, that was reasonably easy to achieve. Now Linux does scale and the dismissive attitude Sun had about Linux 5 years ago may end up being Solaris's downfall. To assume that RoR won't scale to J2EE heights (which isn't saying much considering how much open source code like Hibernate and Spring was written to get J2EE to scale to J2EE heights) is not something I'd bet on. But, hey, if you want to assume that the world will continue to stay the same and that giving up 90% of the market is ok as long as it's for "quality of development", be my guest. But then in a few years, like Sun and Solaris, you're going to be looking at the backend of the bus, not riding in it.
    But you are making my point. If someone had tried to use Linux for a major enterprise project many years ago, the results may well have been failure because it was then an inappropriate technology. Linux did improve, but that was a complex task, and to claim that this was reasonably easy to achieve is mistaken. There is no predicting what will happen to RoR, and to use it now for potentially large-scale projects in the hope that in a few years it will improve is not a wise step to take. Much of what allows Java to scale is not the software itself, but the high performance and tunability of the VM. That is the hard thing to achieve, and it has taken a very long time. This may happen with VMs for Ruby, but who knows? (What is more likely in my opinion is that JRuby will gain traction on the JVM as a result of a future open-sourcing of Java, and as a consequence will get good performance that way. But again, who can tell?)
  57. Re: No this isn't great news...

    And don't let facts stand in your way, reality certainly wouldn't show that some of the biggest perpetual beta "Web 2.0" apps (GMail) are written primarily in Java.
    Is GMail written in Java? Any references?
  58. And don't let facts stand in your way, reality certainly wouldn't show that some of the biggest perpetual beta "Web 2.0" apps (GMail) are written primarily in Java.
    T H A N K Y O U! Enough said. P.S. Free speech is a right, not a privilege.
  59. Re: No this isn't great news...

    Java developers have no room to complain about "hype". Java technologies have generated significant amounts of hype in the past and will continue to do so into the future. Also, lest we forget, early releases of Java had multiple serious security issues which Sun had to address - ultimately by creating a whole new security model for the language. I know this because I helped a couple of companies adopt Java while it was still essentially in beta - much to the chagrin of some Microsoft account reps. I honestly didn't think I'd be in the industry long enough to hear Java stalwarts uttering the same epithets about a new language that C++ true believers directed at Java. I guess it's true that the more things change the more they stay the same.
  60. Re: No this isn't great news...

    Java developers have no room to complain about "hype". Java technologies have generated significant amounts of hype in the past and will continue to do so into the future. Also, lest we forget, early releases of Java had multiple serious security issues which Sun had to address - ultimately by creating a whole new security model for the language. I know this because I helped a couple of companies adopt Java while it was still essentially in beta - much to the chagrin of some Microsoft account reps.

    I honestly didn't think I'd be in the industry long enough to hear Java stalwarts uttering the same epithets about a new language that C++ true believers directed at Java. I guess it's true that the more things change the more they stay the same.
    This is far too simplistic an analysis. Just because some of us use Java does not mean that we don't object to hype about Java and some of its aspects. For example I am on record on various forums in the mid 90s with complaints about the very poor performance of early Java implementations. Current Java developers who wisely avoided the early hype about Java have plenty of room to complain.
  61. I honestly didn't think I'd be in the industry long enough to hear Java stalwarts uttering the same epithets about a new language that C++ true believers directed at Java. I guess it's true that the more things change the more they stay the same.
    Sorry, "new"? How is Ruby "new"? It's older than Java itself! I think the major problem is not new technologies gaining acceptance, that happens all the time and will continue happening, the problem is Ruby zealots using every single and possible opportunity to bash Java and Java developers in some way. I personally think they have a LOOOOONG way to go, before "taking" Java they first need to beat Python, Perl and PHP in both number of developers and projects.
  62. so we're the bad guys?

    maybe you should look over at loudthinking.com where DHH is telling his rapt audience to "spite them just because you can"
  63. Re: Ruby On the Ground (RoG)

    And to be so petty, so childish, so insecure in your own choices that you're happy that someone else's development environment has a major security hole is pathetic.

    You've just relinquished all right to be upset if Java ever has a serious security issue and someone like Microsoft uses it to push C#.
    No, this is not being childish, but the fact of the matter is that Ruby has slid off her rails and fallen onto the ground. So no more RoR but RoG, meaning Ruby On the Ground ;-). Jan
  64. Re: Ruby On the Ground (RoG)

    No, this is not being childish, but the fact of the matter is that Ruby has slid off her rails and fallen onto the ground. So no more RoR but RoG, meaning Ruby On the Ground ;-).
    Oh please. This security breach has NOTHING to do with: Ruby, its paradigms and methodologies, or any of the core reasons why RoR is popular. The breach could have occurred in any interpreted system, and in fact, it could have occurred in a badly written JSP system. In any system where something specified in the request results in loading code from the file system and executing it on the fly. This is a GOOD THING for the RoR community as it gives them motivation to perhaps be a bit more diligent with security. It places a small dark cloud over the project itself, but not what the project "preaches" or how it works. Folks aren't using RoR for RoR, they're using it because of the real benefit they believe it brings them. Much like if we found a breach in, say, Spring MVC, would folks abandon Spring or IoC containers or Java entirely? No. Hell no. How stupid would that be? They'd fix it, update their systems and move on. Just like RoR will. The RoR group now has the burden of ensuring its users of the security of their code. That's a political and technical issue. But, again, that has nothing to do with Ruby as a language, or the tenets promoted by a framework such as RoR. In the end, adoptees will simply let them "fix" RoR, rather than someone running out and doing it all over again from scratch. Mind, the Security Through Obscurity part is simply wrong. They just dug that hole deeper by not providing details with the patch so that folks who may not be able to patch immediately could perhaps take precautions. That's a political gaffe on their part.
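
The class of bug the comment above describes (a value from the request choosing which file gets loaded and run), set beside a dispatcher where the request can only pick a key from a table built at boot. This is an added example, not code from the thread or from Rails; the directory, class and function names are hypothetical.

```ruby
require "pathname"

CONTROLLER_DIR = Pathname.new("/srv/app/controllers") # constructed path

# Unsafe pattern: the request segment decides which file would be loaded.
# Returns the path a `load` call would receive; nothing is loaded here.
def unsafe_controller_file(segment)
  CONTROLLER_DIR.join("#{segment}_controller.rb").cleanpath
end

# True only when the resolved file is still under the controllers directory.
def inside_controller_dir?(path)
  path.to_s.start_with?(CONTROLLER_DIR.to_s + "/")
end

# Hardened pattern: controllers are ordinary classes registered at boot.
class PostsController
  def index; "posts#index"; end
end

class UsersController
  def index; "users#index"; end
end

REGISTRY = {
  "posts" => PostsController,
  "users" => UsersController,
}.freeze

class UnknownController < StandardError; end

# The request segment is a lookup key, never a file name or constant name.
def safe_dispatch(segment, action = "index")
  klass = REGISTRY.fetch(segment) { raise UnknownController, segment.inspect }
  # Only public methods defined on the controller itself are callable,
  # so inherited methods such as instance_eval cannot be reached.
  unless klass.public_instance_methods(false).include?(action.to_sym)
    raise UnknownController, "#{segment}##{action}"
  end
  klass.new.public_send(action)
end
```
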
  65. And to be so petty, so childish, so insecure in your own choices that you're happy that someone else's development environment has a major security hole is pathetic.

    You've just relinquished all right to be upset if Java ever has a serious security issue and someone like Microsoft uses it to push C#.
    Chris, the source of that "childishness" is actually fear for job-security. As RoR (or any other alternative) gains popularity people who can not adapt may well find themselves jobless. Prime instinct is what hatred is and so is fear. P.S. I do share ironic approach to any hype, including RoR one but there is other side of the coin, as well...
  66. RoR is too much magic!

    Java can be as simple as RoR. It is not easy to get TSS to publish any news about this framework, so check it out for yourself: http://www.mentaframework.org/ If MVC can be more simple and joyful than that, please tell us how!
  67. Re: RoR is too much magic!

    Java can be as simple as RoR.

    It is not easy to get TSS to publish any news about this framework, so check it out for yourself:

    http://www.mentaframework.org/

    If MVC can be more simple and joyful than that, please tell us how!
    Wow, this is actually pretty cool. I mean, it took me 2 minutes to read the starter page and understand the way it functions, etc... This is the most straightforward implementation I've ever seen. Of course, this doesn't mean it's feasible for large scale apps, nor scalable, etc... I might find some time to investigate it a bit further in the following weeks and will report back. Ilya
  68. Re: RoR is too much magic!

    Wow, this is actually pretty cool. I mean, it took me 2 minutes to read the starter page and understand the way it functions, etc... This is the most straightforward implementation I've ever seen. Of course, this doesn't mean it's feasible for large scale apps, nor scalable, etc... I might find some time to investigate it a bit further in the following weeks and will report back.
    Don't forget to check what people have said about Mentawai here: http://forum.mentaframework.org/posts/list/157.page Yes, Java Web Development can be pretty simple and straightforward. It is just a matter of abstraction and CoC (Convention over Configuration) like RoR. !!! AND PLEASE NO XML AT ALL !!! Sergio
  69. Re: RoR is too much magic!

    Please take a look at Stripes framework at: http://mc4j.org/confluence/display/stripes/Home
  70. Re: RoR is too much magic!

    Sergio, we announced the releases of Mentawai as they came out. What exactly were you looking for?
  71. Re: RoR is too much magic!

    Hi Joseph, Some of my posts about Mentawai never made it to the news section. However doing a quick search I see that the last major release (1.4) is there. So I myself must have missed this one, because it was not posted by me. Sorry about that. And thanks for your reply. :-)
  72. No this isn't great news...

    And to be so petty, so childish, so insecure in your own choices that you're happy that someone else's development environment has a major security hole is pathetic.

    You've just relinquished all right to be upset if Java ever has a serious security issue and someone like Microsoft uses it to push C#.
    +1 Marc
  73. RoR ...

    ... the next PHP? S.
  74. http://blog.evanweaver.com/articles/2006/08/10/explanation-of-the-rails-security-vulnerability-in-1-1-4-others
  75. obscurity?

    There is no such thing as obscurity in an open source project... anyone could have done the same 'diff' and found it and exploited it. RoR team is being silly and short-sighted by not fully disclosing the problem and developers using RoR in enterprises will get a managerial spanking for it. (Aside from all that, look at the Ruby code in question... I know you can create unreadable code in Java but at least Java gives you the ability _to_ create readable code. -- I've tried to get on the Ruby bandwagon but I keep coming back to 'what makes sense', otoh I'd love something like groovy to become finalized.)
  76. why are you making sense?

    I know you can create unreadable code in Java but at least Java gives you the ability _to_ create readable code. -- I've tried to get on the Ruby bandwagon but I keep coming back to 'what makes sense'
    The modern paradigm is to complain Java doesn't support continuations and generators! If you don't ask for this you aren't a "beautiful" developer! God forbid you try to enter a coolness competition! You need to take a drink of the "disruptive technology" juice and "call out bullshit on the enterprise astronauts"!
  77. Hey you ruby loving ladies!!. Go back to Journalism with your rounded divs and yellow fades. And DHH has the balls to say "You know, we're a *FULL* stack just like Apple." Yeah right.. You are no better than a worm in an apple. Now *STOP* the loud farting and *DO* some thinking for a change. Hehehehehehe.... security patch for a web framework.....LOL... the tragedy.. First they think HTTP *means* GET (Until Google smashes through their starry eyed simplicity GET dreams with, ironically a GET) and nothin else, then they think they are Apple....wow! Maybe for once Bruce Almighty is missing JAVA's security. 2 years and the RAILS are broke. Now get back to STRUTS you morons. PS: Henceforth, Rails is Enterprise Ready. Get your training from Bruce Almighty! He'll show you how your bank can lose its customers yet WOW them with yellow fade techniques.
  78. Best post ever!
  79. Hey you ruby loving ladies!!. Go back to Journalism with your rounded divs and yellow fades.
    etc, etc
    At last. The voice of reason...
  80. I like rounded divs. Other than that, I can't bring too much emotion to this topic. I almost never even think about Ruby, and--when not at work--I strive (unsuccessfully) to not think about Java. Is it not at all impressive, though, that the security fix has been made available rather quickly? Or was the flaw known internally for a longer period of time?
  81. Ruby can't even win Python

    By the way, I prefer Python to Ruby, if I must choose a scripting language for some cases. I was initially a C# developer. It was the beauty of Jython that suddenly made me "move back" to the Java world. Bruce Tate's introduction of Spring & Hibernate made me love Java more, but I just don't like Ruby the language in my guts.