
At this point I'm seriously considering dropping Rails as my framework of choice and reverting back to ASP.Net MVC.

Why?

1. Security fixes are released very quickly (good thing), but more often than not they break existing code (bad thing) - and while you _can_ wait for the next patch to fix those break points, you're left wide open since everybody can see what was broken and how to exploit it.

2. I'm not nearly smart enough with Ruby to apply 'band-aids' I read people write in Rails source code. I just don't have the time and energy to fix code in the actual framework when I need to be fixing _my_ code.

======

So there you have it; I'm bailing.

It was a fantastic ride, Ruby is a beautiful language, but Rails is just a clusterfuck (_for me_).

I need stability and predictable behavior. If that means releases every 6 month to 1 year, so be it.

So long and thanks for all the gems.



I've been running Java and Rails since 2006 in my company (large), we use C# for a small number of desktop applications.

This will come out harsh, but I'm being honest: If you are not willing to fix/adapt/improve the framework you are using, you better not be using ASP.NET also (try a google search on asp.net issues), or any framework at all. In fact, developing larger more complex software might not even be possible without adapting frameworks for your specific problems.

That said, our run so far with Rails and Java (we are still using 2.3!!!):

- We have 38 patches applied to Spring

- 4 patches in apache santuario.

- One security patch on Grizzly (glassfish)

- Rails: One single pull request https://github.com/rails/arel/pull/174


It's really nice being able to trace into the guts of hibernate, spring, etc to see what the heck is actually going on and fix it if it's broken. When I used to do Microsoft stuff, I'd run into bugs in the stack that I couldn't fix. This was enormously frustrating and time wasting. The typical advice given out by support was re-install or buy the latest upgrade. There were also a lot of deliberately imposed architectural limitations to prevent you from working around lack of "enterprise" features in the basic versions which were incredibly frustrating and the enterprise version pricing was astronomical.


The open-source situation at Microsoft has really improved. Source is available for a lot of their web stack, contributions are accepted, and there are some nice open-source frameworks (like Nancy, MIT-licensed, inspired by Sinatra) that run on IIS or another Owin-compatible server these days.

I generally prefer Ruby-based things myself - this post isn't trying to sway anybody to the MS side; just wanted to give a bit of credit where it's due and perhaps a bit of news to those who haven't looked over onto that side of the fence in a long time.


>If you are not willing to fix/adapt/improve the framework you are using, you better not be using ASP.NET also (try a google search on asp.net issues), or any framework at all. In fact, developing larger more complex software might not even be possible without adapting frameworks for your specific problems.

Huh what? Stack Overflow with its extreme load works quite well with ASP.NET.

>try a google search on asp.net issues

Okay, I did, what I am supposed to be looking at?


The point is, SO almost certainly aren't using vanilla ASP.net. Nobody can succeed for too long without maintaining and cultivating their stack.


We're on ASP.NET MVC4, a stock build.

We've configured route registration a little bit specially* to speed up some common cases and we don't necessarily use every feature in the framework; but we're far from a proper fork.

ASP.NET MVC performs well enough that we get more bang from focusing on our own code basically.

*This amounts to registering our highest traffic routes _first_, and checking left-hand matches before Regex'ing (since we have a ton of "/foo/\d+/bar"-ish routes).


I don't know about vanilla ASP.NET, but they are pretty much using stock-configured IIS and servers. So I would be very surprised if they weren't using stock ASP.NET (with their own filters, etc. using public APIs, I'm sure).


Forgive me, I'm not an MS person, but is there no opportunity to augment/customise/replace/mix-and-match/etc the ASP.net components?

From what I've read on http://highscalability.com and the like, they love to tweak.


Wow, you're either one of those incredibly rare Ruby devs who actually run Windows, or you're going to switch your entire environment in order to switch frameworks. Something doesn't smell right.


I'm a polyglot. I don't encase myself in any 1-thing. I use Mac at work, Windows at home for media and games, and Linux Mint 13 on my laptop for Ruby/Rails. I only used Linux because of Rails, but since I'm switching back (I have Visual Studio 2012 downloading as I type this), I'll have no need for Linux on my end-user machines anymore.


If you do not know your language/framework well enough to adapt it to your circumstances, you certainly are not well qualified enough with said software to list it as something you "know".

This is one of the largest lies perpetuated on this site. If you know just enough of something to follow some tutorials and crank out cookie-cutter sites using Rails/Django/Asp/Grails/CodeIgniter/etc, but fail the moment you encounter basic ecosystem problems, you aren't a polyglot. You're a liability to your team for not understanding anything well enough to work around common issues. You're probably curious and love to try new things, but the implied part of being able to proficiently wield whatever tool is correct, or at least on hand, is something escaping you.

If by polyglot you mean you know some syntax, the basics of the ecosystem, and generic system design, algorithms, etc. while expecting to dive as deep as necessary into any given environment, you're still failing the definition. This would be the point where you RTFS so you know where to override/monkeypatch/workaround.


I don't know who you are, but this comment embodies the bad side of HN. "You" is in the above comment 15+ times - it's so personally insulting and unnecessary. Belittling some stranger's worth to their team is unproductive, toxic behavior. I'm upset I can't downvote this into completely matching the site's bg color.


+1 to you and -1 to the aggressive and insulting comment that prompted you to comment.

I see this a lot on HN too: people who've experienced some level of success (as pg would say, the first thing you learn when you get rich is that there are many levels of rich : ) and who hence think they know it all about everything and constantly try to diminish others.

There's a lot of negativity here but, thankfully, there are also others who are here to share, educate and learn.


I disagree. I count writing and selling commercial software with said technology as 'knowing' something. Academics be damned.


Would you really be willing to give up the productivity benefits and developer happiness over a few mishaps? Also, it's generally a good idea not to upgrade to the next software version until seeing the repercussions it's had.


That's the thing! I find myself ping-ponging in my mind between "But Ruby and ActiveRecord are so beautiful and easy to use." and "But what happens if the 'magic' breaks?"

Trust me, I have been thinking about what you say every day for the past 5 days.


You're thinking too much. Unless it's a "the world is ending" level security fix like the recent yaml stuff, wait a couple weeks for this stuff to come out and get fixed. Then upgrade.


You do know there are other Ruby frameworks than Rails, and other development environments than ASP and Ruby right?


Yes, I used to use ASP.Net MVC for pet projects, then switched to Rails - I also use CakePHP and Django for actual paying work/contracting.

But thanks for the passive aggressive comment.


While that may be a passive aggressive comment, Sinatra is bloody brilliant all the same. You can basically pretend you're writing Rails code, but with a tiny fraction of the dependencies, and actual fast response times.

Sinatra, Sequel and PostgreSQL is a dream combo. I wouldn't use Rails for a new project these days; I got bored of the un-navigable code a while ago. These patches and regressions are the icing on the cake.


> Yes

Because your comment didn't exactly hint at it, considering its completely binary assertion of "Rails or ASP".

> But thanks for the passive aggressive comment.

I'm very sorry you found it passive, that was not intended.


You're on the cutting edge of an extremely popular framework.

If you want, you're welcome to use Rails 2.3 or older and you'll encounter many fewer changes. I imagine the 3.0 branch will have much the same stability once major development moves to 4.0.


FWIW, the Rails security team says they're about to drop support for 2.3, and this time they really mean it. (They say.) The current announced security policy is that once 4.0 gets released, they'll only be doing security patches for 4.0 and 3.2; 2.3 will be left out in the cold.

It's quite possible that someone will pick up the baton, as there still are a number of production 2.3 apps out there, and porting to 3.0+ --- more a "port" than an "upgrade" --- is a real pain. But I'm not sure anyone has stepped forward yet, and until someone does, you're taking your chances.


You should seriously consider running Mono >= 2.10 with ASP.NET MVC. It completely fixes your Rails security issues, while still letting you use Ruby as your main language.

Also you gain a _lot_ in security by obscurity and hipster points. I don't know about stability, haven't tried this myself.

Check out the mono project for details: http://www.mono-project.com/Mono_Project_Roadmap


I've not heard of anyone using IronRuby in earnest, and it doesn't seem to have been updated in a couple of years. Is it a realistic option?


You are now in the place I was recently -- the decision we took was to migrate onto Python and its web ecosystem.

We haven't looked back since -- well, we have given a glance or two back since, and viewing the slow-motion car crash that is Rails today, we just feel sorry for those left behind that are discovering 'The Rails Way'.

Ironically, given DHH's comment on Rails about it being 'Omakase', I should point out that it translates as "I'll leave it to you" -- security, I'll leave it to you, software engineering, I'll leave it to you.

Food for thought indeed.

Remember -- Ruby to pose, Python for Pros.



