Hacker News

How is applying patches more difficult? I would think it is normally easier because one can RVM install a new release that has the patches applied.



This might be true, but it does depend on how the release management is done. What else is part of that new release? Is it guaranteed to be a set of minimalist patches to fix security issues, or do the developers also take the opportunity to "tidy up" the API, or take out some of those "deprecated" features, or (god help us) introduce new functionality? [1]

Much of what we see here is a dev/ops culture clash. Sysadmins like well-established system-level packaging systems like .deb and .rpm. They like them because they have well-established semantics ("this thing is obviously a security patch; that thing is probably a feature upgrade"), and they like them because these systems abstract away the need for the admin to understand the details of the release model of five or ten or a hundred different open-source ecosystems.

Part of OP's complaint is that (from his perspective) the Ruby community has release semantics that he doesn't understand. Is that patch to Ruby 1.8.7 really just a "security fix"? Can it probably be safely applied to 1,000 production servers without causing downtime?

---

[1] I should note: I'm not accusing Ruby developers, or any other developers, of ever having done any of these things. But these are the dark thoughts that keep engineers up at night. Especially when managing codebases built on ecosystems that they don't intimately understand.


It's yet another way of installing software on my system. Currently I:

* Use apt-get for pretty much everything.

* Locally install a few project specific things. These often are installed locally, not system-wide, and have nothing to do with root.

* Use rubygems. It's nice, but I don't have the same level of confidence in it regarding security that I do about Debian and Ubuntu. It seems to just give me 'updates' to gems, without much of a way of knowing which updates are security fixes and which are simply improved versions of the packages in question.

RVM adds one more thing. And for each Ruby instance in there, I might have various versions of gems floating around. This does not make me happy from a security point of view.
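The two complaints above (not knowing whether a Ruby or gem release is "really just a security fix", and having several gem versions per RVM Ruby floating around) both reduce to one check: for each installed version of a gem, is it inside a known patched range or not? The script below is an added example, not code from the thread's participants or from RVM or RubyGems. It parses the `name (v1, v2)` lines that `gem list --local` prints, but the gem list, the gem names, the version numbers and the advisory list are all constructed here for illustration; a real run would need `gem list --local` output and an advisory feed you trust.

```ruby
# Added example: report installed gem versions that fall outside a patched range.
# Everything below (gem names, versions, "patched" requirements) is constructed
# for illustration and does not describe any real advisory.
require "rubygems"

# Constructed sample in the shape of `gem list --local` output (not a real listing).
SAMPLE_GEM_LIST = <<~LIST
  rack (1.4.1, 1.3.6)
  rails (3.2.6)
  nokogiri (1.5.5)
LIST

# Constructed advisories: gem name => version requirements that count as patched.
# An installed version matching none of the requirements is reported as unpatched.
ADVISORIES = {
  "rack"  => [">= 1.4.2", "~> 1.3.7"],
  "rails" => [">= 3.2.7"],
}

# Parse "name (v1, v2)" lines into { "name" => [Gem::Version, ...] }.
# Lines that do not match the expected shape are skipped rather than guessed at.
def parse_gem_list(text)
  text.each_line.with_object({}) do |line, installed|
    next unless (m = line.match(/\A\s*(\S+) \(([^)]+)\)/))
    installed[m[1]] = m[2].split(",").map { |v| Gem::Version.new(v.strip) }
  end
end

# True if the version satisfies at least one patched requirement.
# Gem::Requirement understands the same operators as a Gemfile (">=", "~>", ...).
def patched?(version, requirements)
  requirements.any? { |r| Gem::Requirement.new(r).satisfied_by?(version) }
end

# Return [[name, version_string], ...] for every installed version not covered
# by a patch. Gems with no advisory are ignored; gems with an advisory but no
# installed copy contribute nothing.
def unpatched(installed, advisories)
  advisories.flat_map do |name, reqs|
    (installed[name] || []).reject { |v| patched?(v, reqs) }.map { |v| [name, v.to_s] }
  end
end

if __FILE__ == $PROGRAM_NAME
  unpatched(parse_gem_list(SAMPLE_GEM_LIST), ADVISORIES).each do |name, version|
    puts "#{name} #{version}: not in a patched range"
  end
end
```

Run it once per RVM Ruby (each has its own gem directory), feeding it that Ruby's `gem list --local`; the "~> 1.3.7" requirement is what lets a maintained 1.3.x branch count as patched without forcing a jump to 1.4, which is exactly the distinction between a minimal security backport and a feature upgrade that the comments above are asking for.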





