This article originally appeared in issue 86 of Linux User & Developer.
In December of 2008, the Ruby on Rails community was at a crossroads. The mainline Rails project was losing ground to Merb, an alternative open source MVC framework for building Ruby applications. The community was fragmenting. Yehuda Katz was the creator of the Merb framework, and rather than continue on with that project, he and his fellow contributors decided to merge Merb and Rails. The decision sparked a number of Rails homecomings for other outside projects, and in February the first beta of an integrated Rails 3.0 arrived. We sat down with Katz to discuss the past, present and future of Ruby on Rails.
How have things been on Rails since the merge with Merb?
It’s been good. The interesting thing that’s happened since that is a lot of other Ruby projects have done it. There’s a tool called Webrat, which is a full stack testing tool and an abstraction around HTML Unit. Someone said “I can make it better”; they called it Capybara and they pushed it into Rails.
Also, Micronaut. It’s basically guys who said “we can do rspec better”. This has started to happen in the Ruby community, and it makes me happy. I think there is too much in the open source world of people building software because they want to put their name back out there.
That’s been a positive outcome. Also the Rails core team diversity has been very helpful. Rails core, before, was 37Signals and some people doing client work. Now we have people doing custom development around it. We have people working on problems we didn’t have before. It’s definitely caused us, both people who are new and veteran contributors, to question our assumptions. The conclusions have been almost 100% positive.
The community has gotten a lot healthier since the merge. Like Rails was getting stagnant. A lot of people who are coming back now are coming to Rails to first contribute. A big chunk of the time I spend every day on Rails is cat herding. And trying to balance the need to be involved in the architecture of the thing, and getting things done by real people interested in doing things.
We hear things are being uncoupled, starting with Prototype?
What are the biggest changes for Rails 3.0?
The biggest thing is security. We went through the known remaining security vulnerabilities based on having spoken to Twitter and having them say “your security tools are too manual right now” [to prevent cross-site scripting vulnerabilities]. Almost every framework says if you use user content, just escape it. It’s easy to forget to escape it. As an attacker, you have to find the places in web applications where they forgot to escape. What we’ve essentially done is made Rails pessimistic by default. If you try to put a string into HTML at any time, we automatically escape it. We went through all of Rails’s internals and marked the form tags as safe, which means that for the vast majority of cases, users won’t have to do a lot. But there will be cases where they were relying on content input by the user that was unsafe. But it’s now almost impossible to have an accidental XSS attack.
The second big thing is improving interoperability, mainly with other Ruby libraries. We’ve gone through Rails systematically, found where we were coupling ourselves to ourselves, and removed those. Rails controller and view code is no longer coupled to the models, so you can use any views you want. We also added support for other templating languages. We made it a lot easier to support other testing frameworks. TestUnit was standard, and others had to do a lot of work to strip out our support for TestUnit and add their own. Using rspec felt worse than using TestUnit. TestUnit itself is a plug-in now.
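The pessimistic-by-default escaping Katz describes above, as an added Ruby example that is not Rails’s own code: a toy SafeBuffer that escapes any string not explicitly marked safe, a framework-style form helper that marks its own markup safe, and the remaining pitfall of a developer marking raw user input safe. The class and helper names are illustrative; only CGI.escapeHTML from the standard library is assumed.

```ruby
require "cgi"

# Output buffer that escapes anything not explicitly declared HTML-safe.
class SafeBuffer < String
  def html_safe?
    true
  end

  # Appending an unsafe string escapes it; a safe one is appended as-is.
  def <<(other)
    safe = other.respond_to?(:html_safe?) && other.html_safe?
    super(safe ? other : CGI.escapeHTML(other.to_s))
  end
  alias concat <<
end

class String
  def html_safe?
    false
  end

  # Explicit opt-out: the developer asserts this markup is trusted.
  def html_safe
    SafeBuffer.new(self)
  end
end

# Stand-in for a framework-generated form tag: the framework escapes the
# attribute values itself, so it can mark the finished markup safe.
def text_field_tag(name, value)
  %(<input type="text" name="#{CGI.escapeHTML(name)}" value="#{CGI.escapeHTML(value.to_s)}" />).html_safe
end

# Optimistic (pre-3.0 style) rendering: raw interpolation, user content leaks through.
def render_optimistic(user_comment)
  "<p>" + user_comment + "</p>"
end

# Pessimistic rendering: the buffer starts safe and every append is escaped
# unless the appended value was marked safe.
def render_pessimistic(user_comment)
  out = SafeBuffer.new("<p>")
  out << user_comment
  out << "</p>".html_safe
  out
end
```

Calling `render_pessimistic("<b>hi</b>".html_safe)` shows the case Katz warns about: once user input is marked safe, it is emitted unescaped.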