Feel free to ask me for elaboration if you need any, in particular if you have a CTO or other bosscritter who you need help convincing of the importance of this. It will be seriously bad news for you if you stay on unpatched 2.3 over the next several months.
I have several side projects that run on 2.3. I don't have the time to upgrade them or the resources to purchase commercial support for Rails 2.3.
Your comment makes me wonder if you are aware of some undisclosed bugs that will be disclosed in the next few months, or if it's more of just a "4.0 is dropping, 2.3 support is going bye-bye" kind of thing. If the former, I'd appreciate some clarification on that point. I have no problem backporting patches myself (and in fact extensively patch libraries when needed!), but I'm wondering if there's an active-yet-undisclosed threat, or if it's just "people aren't going to do my work for me".
It sounds like a sensible idea, and a nice thing for you to help organise.
No doubt it will get criticised :-)
As an aside, do you think there is a better way Rails could have handled this? Or (less controversially) is there a best practise you think OSS projects should maybe follow in regards to past versions?
Did you consider this as a potential business opportunity for yourself? My reaction on reading this was that someone should be giving you either cash or equity for your roles as both an evangelist and the person who realized this was going to be needed and organized it.
This is awesome, I was really dreading the options before, and $195/mo is totally reasonable for my relatively limited needs. Thanks for finding a good company to support this.
Once that statement is true, Rails will BE the enterprise. Don't bank on it. (And by that I mean we'll continue to release new versions that at times will be backwards incompatible and require work to upgrade to).
Just recently my enterprise retired our Windows 3.1 environment. It was kept running to support a system that supported a system that supported dial-up VPN access for a certain subset of users. And that's not incredibly uncommon...
I was actually surprised reading that statement given Rails' maturity. When the large AD vulnerability was announced and many people were caught in the open for a while I had assumed there were a large number of people running version n-1 Rails.
To disclaim: I submitted this story to HN because people on HN care about patio11's blog, and if someone gets internet points, might as well be me. Do not take this as an endorsement by me or anyone else on the Rails team, thanks.
This is one of the amazing aspects of OSS that so many seem to miss. It opens up the possibility for these types of initiatives that most closed source projects will never receive once the core developers walk away.
Great idea. Hopefully great execution for those still on older versions of Rails.
I have a Rails 2.3x ecommerce app that is not our primary product but still makes us a good amount of money.
Personally, I'd like to upgrade to Rails 3.2x (and eventually 4) so I can take advantage of some newer gems. However, the task is a little daunting given we use some older authentication and file upload libraries. All that to say, if I can't get it done soon, I will definitely go the Rails LTS route.
BTW, if any Rails devs out there want a challenge and have some time, please get in touch with me.
I might be wrong, but would the trick maybe be to break it down bit by bit? So, for instance, break off your existing file upload stuff and replace it with CarrierWave or something different. I don't know what your codebase is like, but doing it that way should in theory make it more copable to slowly tick it up to Rails 3+.
This was a pleasure to read. I really think this is the most intelligent solution to older rails projects.
It's also an eye-opening topic for all startups out there, including mine, that rely on Rails -- you will need to fight to keep your applications and servers safe. I guess you could say I spend so much time building and breaking to achieve something, that the thought of long term support often slips my mind.
Still, when building I do my best to stay away from '3-in-1' gems (aka, admin-backbone-devise-api-comments-aws) that have a 0% possibility of surviving. I stick to gems that are up there in the star count on GitHub, and try not to touch anything that has been stagnant for 6 months+. Obviously this isn't a perfect solution, but I feel a bit more confident in the survival/longevity of the application.
“Horsepuckey. The hypothetical person saying this is a textbook pathological customer: they’re both deeply irrational (if the app’s security was worth $5 a month then the right answer is probably to shut it off and save the server cost) and likely to be far, far, far too much headache for professional Rails engineers to have to deal with. I’m glad their mail is not going to be in the same inbox as mine when I ask questions about new security issues.”
That being said, one of the good things about open source software is that competition here is possible, unlike, say, the end of support of WinXP.
The whole "2.3.x is not getting any more security updates" statement is disingenuous at best. While "Security Updates" might not be coming out, "Severe Security Updates" will still be released.
That, combined with the "Do nothing and, with probability of 100%, get your server owned." statement, makes this pretty much just a F.U.D. piece designed to trump up business for these guys, and by proxy yourself.
> Many of the gems/plugins which you might be using with your current application will not be compatible with Rails 3.
I'm genuinely curious what gems people are using that are not yet compatible with Rails 3, given that it was released almost three years ago. Maybe my use cases for Rails don't match the most common ones, but I have yet to run into this issue.
I am interested in helping gems that are not Rails 4 compatible get so, so if you can point me towards some that aren't, I'll reach out to the maintainers.
I helped my friend upgrade a 2.x app to 3.x about a year ago, and attachment_fu wasn't compatible. The Internet seemed to be pointing to other alternatives but they required database schema migrations (no drop-in replacements).
Very nice of them to have a free community version (security patches 10 days after normal release - this seems fair to me).
I could have used this a year or so ago, but I rewrote an old 2.3 Rails app in Clojure (cookingspace.com if you are curious). Now I am glad it is in Clojure though.
I had previously updated another Rails app from 2.x to 3.x and I was surprised how much trouble it was to do that.
This seems pretty obvious and applies to most popular web frameworks. From a quick Google search, one can see Rails 2.3 came out in 2009. That is 4 years ago - in the context of web frameworks that is quite a while.
That is a partial option, but there are ways in which it is inadequate. For example, with the January Rails vulnerabilities, dropping an IMG tag with a well-constructed URL on a site on the public internet was likely enough to suborn a developer's browser into connecting to and rooting a Rails box that was firewalled from external traffic. You still want to patch things, to prevent that and similar issues.
I think there's only one reason why a company would run Rails 2.3 in 2013: greed.
There's no way you absolutely cannot somehow find a way in about 4 years to migrate even a big code base to at least Rails 3. It's not like the migration was that complicated, there are countless guides around, a devoted community, IRC channels, consultants aplenty and even tools to hold your hand along the way.
> It's not like the migration was that complicated
Really? If that was your experience, you are fortunate, but it does not match that of many.
For me, the migration of several apps from Rails 2.3 to 3 was THAT COMPLICATED. The last one I finally got finished about 9 months ago.
If someone was complaining about, say, Rails 3.0 to 3.2 -- sure, I'd agree, it's not really that complicated, just do it.
But 2.3 to 3? So very many of us found that experience to be highly unpleasant and quite that complicated. I'm glad you didn't, but your experience is not even typical, let alone universal.
patio11|12 years ago
cheald|12 years ago
Can you elaborate?
InclinedPlane|12 years ago
gadders|12 years ago
GavinB|12 years ago
ericd|12 years ago
JshWright|12 years ago
"... only benefit the our companies ..."
hvs|12 years ago
Once this statement is no longer true, Rails will be ready for the enterprise.
dhh|12 years ago
freehunter|12 years ago
prawks|12 years ago
steveklabnik|12 years ago
tptacek|12 years ago
purephase|12 years ago
callmeed|12 years ago
signifiers|12 years ago
ryanmacg|12 years ago
thomas_|12 years ago
Feel free to ask us at makandra anything you'd like to know about Rails LTS.
relix|12 years ago
film42|12 years ago
rmoriz|12 years ago
yuhong|12 years ago
chadr|12 years ago
patio11|12 years ago
messick|12 years ago
steveklabnik|12 years ago
"Severe Security Updates" => "After the Rails 4 release: 4.0.z, 3.2.z"
Aqua_Geek|12 years ago
For Rails 4, well, that's another matter =)
steveklabnik|12 years ago
caw|12 years ago
mark_l_watson|12 years ago
smoyer|12 years ago
zallarak|12 years ago
wtracy|12 years ago
patio11|12 years ago
VeejayRampay|12 years ago
jrochkind1|12 years ago
sneak|12 years ago
That's not greed.
jiggy2011|12 years ago