Rails is growing up
15 Aug 2006Rails is growing up, indeed. I’m hoping that last week’s security incident with Rails will bring a few needed changes to the Rails world, some of which I’ll detail here. Before I get started, though, rest assured that I’m a very happy Railser. Even before I was completely sold on Rails, I admired what it could do (back in the 0.10 days, even). Now that I have been completely sold on Rails (since 0.13), life just wouldn’t be as good without it. 1.1.6 is a long way from 0.13, though, and now is as good a time as any to make some changes. I hope these thoughts can be be conversation starters for the Rails core team and those interested in the continuing success of the Ruby on Rails framework.
As we learned last week, people can get a little cranky when the framework on which they depend undergoes changes that disrupts their schedules. I myself was frustrated that so little information was initially released that I had to stop what I was doing to diff the subversion branches so I could find out what the problem was. Obviously, change happens, and it’s definitely better to get bugs fixed than not, but there are some things that can be done to improve the Rails development process that should help Rails continue to grow and be the thriving environment we all want it to be. Here are my suggestions that will help people like me, who derive their livelihood from development with Rails, continue to be successful with Rails and continue to be able to recommend it to clients, bosses, and the like.
First, here are some things we need realize about where the Rails community is today, so that we can focus our energies on supporting that community.
1. There is a large and growing community of developers, projects, and businesses that are relying on this framework for their success. Gone are the days that we can just toss out a release and expect everyone to upgrade quickly (or even at all). The events of last week showed there is a significant number of people that either can not or will not upgrade at a moment’s notice, either because their operating environment is too restrictive to move quickly without sufficient justification, or because they have made decisions (for whatever reason) to stick with a particular version of Rails. These people, who are often the champions of Rails in their organizations or among their peers, need to be considered when issues arise with or changes or made to the Rails framework.
2. Quite a community of code has grown up around Rails. There are now more than 300 plugins listed in the plugin directory, a few of which are very widely used, such as Acts as Authenticated and Rails Engines. Regardless of whether the core team uses or even likes the popular add-ons to Rails, the fact is that they are here to stay, and many people depend on them. If these add-ons are going to be broken by a release, we ought to know that before the release happens and have a plan for dealing with that breakage.
Now that we have a couple of ideas about the environment in which we find ourselves, here are my suggestions on how we can best support the Rails community as Rails continues to grow.
1. Have a QA team. This could start as a team of one, but I do feel the QA team needs to include people who are not core contributors, for two reasons. First, it always makes sense to have someone besides the developer verifying changes that are being made to the code. Of course unit testing is great, but you also need a fresh pair of eyes to catch things like a missing set of parentheses in a regular expression. Second, we don’t want to take any of the core team away from their responsibilities of actually building the framework by having them dedicated to QA. Yes, the developers should be reviewing each others work, but we want them to primarily build, not inspect.
2. Have a test matrix. We saw the beginnings of this in #rails-security last week. Let’s continue that good start by making the test matrix a permanent thing, with continuous integration regularly checking changes against various environments. The deployment scenarios should definitely include the plumbing variations like Apache/Mongel, Lighttpd/FastCGI, etc. The matrix should also include commonly-encountered environments, like applications dependent on the most popular plugins and Rails Engines.
3. Follow development best practices. As I mentioned, I was frustrated by having to resort to diff to get even a hint as to the nature of the security hole, but that frustration was compounded when I saw in that diff that additional features had been added to a bug fix release. I’m a big fan of the filter_logged_params plugin, and I’m glad it’s now in core, but a bug fix release is not the time to add it to core. If you are going to make a critical bug fix release and then urge people to immediately install it, the changes in the should be as minimal as possible. No new functionality should be added.
4. Improve the bug/patch submission process. I hesitated to add this item to the list, since I’m not sure I have a good recommendation, but the patch submission / bug reporting process needs some help. Patches languish far too long in Trac, frustrating those who submit them, and the signal-to-noise ratio can be low, frustrating those who review them. Perhaps the new QA team can be the front line of people who review new Trac submissions, thus reducing the noise seen by the core and letting them more quickly get to and incorporate the quality tickets.
Again, let me say how much I enjoy using Rails and how much I appreciate the effort put in by all those who contribute code, documentation, support, etc. This is why I felt I had to write this, as the better Rails is, the happier I’ll be. If these suggestions are followed, I know we’ll be on the track to a more reliable and predictable development and release process for Rails, and that will only make life better for all of us who use it.
Great suggestions, well reasoned. I wholeheartedly second them. Particularly the “languishing patches” issue…
I am sure the rails community would welcome your efforts at forming a QA team. Lead by example!
If I were qualified to lead that effort, I just might throw my hat in the ring. :)
Re: #3 – I was thinking about the awkward release process due to SVN. Perhaps someone who has a best practise for integrating/releasing bug fixes, and for managing a major release path, could write up what their best practise is. E.g. branching and merging? etc
I also believe rails is growing up, but in short, that is stating the obvious. It is changing and maturing and due to the large incorporation of it in the last year and a half in web 2.0 projects, it’s excelled the development. However… it still is stunted by a grid-iron management team in the sense that it doesn’t feel like a completely open-source project all the time, even though anyone can contribute. It seems still very core-dev team specific, but I think that team is slowly growing and many people are becoming more interested in contributions.
- ben @ http://rubyonrailsblog.com/
@Dr. Nic: That’s a good point. If I can dig up a link that goes into more detail about how to use SVN for release management, I’ll post it. If not, I’ll write something up.
[...] 5. Ruby/Tk Client for SOAP Server by Satish Talim. 6. Ruby-Prof and Call Graphs by Pat Eyler. 7. Profile and Ruby-Prof: Getting Specific by Pat Eyler. 8. Security Threat Last Week by Nick Seiger (some insight into the 1.1.4->1.1.6 kerfuffle). 9. Finding Out Who Called a Partial in Rails by Michael Mahemoff. 10. A Perl of Great Price by Rick DeNatale (a look at some of how Perl has influenced Ruby). 11. Scriptaculous Rails from TechKnow Zenze. 12. Rails Is Growing Up by Ben Curtis. 13. 3 Skills to Make You A More Valuable Rails Developer by Matt Margolis. 14. Ruby or Rails Cheat Sheets from TechCheatSheets.com. 15. PuneRuby’s SOAP Server and Client by Satish Talim. 16. Ruby/Tk by Satish Talim. [...]
I’d love to see: 1) better documentation (if your method takes a hash – document it!) and 2) a way to release Rails apps that doesn’t require you to be Linus Torvalds’ first child… Rails is super easy but, unless you’re a Linux guru, forget about getting it running in production on a non-webbrick server. Where’s the “apt-get rails-production-box”? I can’t believe this still doesn’t exist.
Still WAY better than .Net though.
[...] 1. Setting Up a Rails Development Environment and Deploying to Textdrive by Jordan McKible. 2. Anatomy of an Attack Against Rails 1.1.4 by Evan Weaver. 3. Top 13 Ruby on Rails Presentations from TechKnow Zenze. 4. Noobies First Impression of His First RoR Project by Shane Thomas. 5. Ruby/Tk Client for SOAP Server by Satish Talim. 6. Ruby-Prof and Call Graphs by Pat Eyler. 7. Profile and Ruby-Prof: Getting Specific by Pat Eyler. 8. Security Threat Last Week by Nick Seiger. 9. Finding Out Who Called a Partial in Rails by Michael Mahemoff. 10. A Perl of Great Price by Rick DeNatale. 11. Scriptaculous Rails from TechKnow Zenze. 12. Rails Is Growing Up by Ben Curtis. 13. 3 Skills to Make You A More Valuable Rails Developer by Matt Margolis. 14. Ruby or Rails Cheat Sheets from TechCheatSheets.com. 15. PuneRuby’s SOAP Server and Client by Satish Talim. 16. Ruby/Tk by Satish Talim. 17. 10 Reasons Why Rails Will Succeed by Larry Myers. 18. Ruby Isn’t Always Dynamic by Chris Carter. 19. Using Simile Timeline with Ruby on Rails views by Duncan Beevers. 20. Writing a Typo Sidebar Test First in Rails by Paul Ingles. 21. How Dynamic Finders Work by Josh Susser. 22. Magic Join Model Creation by Josh Susser. 23. Migration Wars: The Model Strikes Back by Jon Leighton. 24. Lite Rails: The DBA’s Toolkit by Chris Carter. [...]