This is a security release. All applications that use the reset password functionality or are on versions of Rails prior to version 2.3.4 should upgrade.
To patch the reset password vulnerability, two changes have been made.
First of all, the lifecycle key hash mechanism has been changed. Existing lifecycle keys will become invalid after you upgrade. Lifecycle keys are typically short lived, so this is unlikely to be a problem for most applications.
Secondly, lifecycle keys are now cleared on every transition to avoid replay vulnerabilities. This new behaviour may be avoided by adding the :keep_key => true option to a transition.
More information about the vulnerability can be viewed on the bug report.
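As an added illustration of the two changes above (example code written for this page, not Hobo's own lifecycle implementation): the server keeps only a keyed hash of the lifecycle key, checks a presented key in constant time and with an expiry, and clears the key once a transition has consumed it unless that transition opts in with :keep_key => true, so a captured reset link cannot be replayed. The class name, the secret and the 24-hour timeout are constructed for the example.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not Hobo's code: a single-use lifecycle key of the kind a
# password-reset transition relies on. The server keeps only an HMAC of the
# key (the raw key goes to the user out of band), rejects expired keys, and
# clears the key once a transition has consumed it unless that transition
# opts in with :keep_key => true.
class LifecycleKeyStore
  DEFAULT_TIMEOUT = 24 * 60 * 60  # seconds; constructed value for the example

  def initialize(secret)
    @secret    = secret   # server-side secret for the keyed hash (constructed)
    @digest    = nil      # HMAC of the current key, or nil when no key is live
    @issued_at = nil
  end

  # Issue a fresh random key and return it; only its HMAC is retained.
  def issue_key
    key = SecureRandom.hex(16)
    @digest    = hmac(key)
    @issued_at = Time.now
    key
  end

  # True when +candidate+ matches the live key and the key has not expired.
  # Options: :now (clock override for tests), :timeout (seconds).
  def valid_key?(candidate, options = {})
    now     = options.fetch(:now, Time.now)
    timeout = options.fetch(:timeout, DEFAULT_TIMEOUT)
    return false if @digest.nil? || candidate.nil?
    return false if now - @issued_at > timeout
    secure_compare(hmac(candidate.to_s), @digest)
  end

  # Run a key-guarded transition. Returns :ok or :rejected. After a successful
  # transition the key is cleared, so presenting the same key again is a replay
  # and is rejected; :keep_key => true preserves it for multi-step flows.
  def transition(candidate, options = {})
    return :rejected unless valid_key?(candidate, options)
    @digest = nil unless options[:keep_key]
    :ok
  end

  private

  def hmac(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), @secret, data)
  end

  # Compare without short-circuiting on the first differing byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Clearing the key on a successful transition is what closes the replay window: once a reset has been performed, the same link is worthless even if it was logged or forwarded. Keeping the raw key out of the database means a read of the users table does not yield working reset links, and the constant-time comparison avoids leaking how much of a guessed key matched.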
Other changes:
The text input tag (<textarea>) has a security hole with versions of Rails prior to 2.3.4. This release makes using textarea safe on old versions of Rails, although it is highly recommended that you upgrade to Rails 2.3.11 because of other security vulnerabilities.
The “include” automatic scope has been aliased to “includes” to increase future compatibility with Rails 3. Future versions of Hobo will remove support for “include”.
This release increases compatibility with Ruby v1.9.2.
Hobo 1.0.2 introduced a major problem with chained scopes. This has been fixed.
All code changes may be viewed on the github log.
On Friday I released three new Hobo gems: 1.0.2, 1.1.0.pre0 and 1.1.0.pre2. (1.1.0.pre1 was a glitch).
Here are the notes for 1.0.2 from CHANGES.txt:
1.0.2 is almost identical to 1.0.1 except that it updates the version requirements to exclude Rails3. (Rails3 support is being worked on in the 1.3 branch).
This release silences some warnings produced when running with Rails 2.3.10.
This release contains preliminary support for Ruby 1.9.2, although you may encounter problems if you use Single Table Inheritance (STI) models.
A few very minor bug fixes have also been included. See the github log for more details.
1.1.0.pre0 is essentially a packaging of Hobo trunk as it existed a month ago (so it does not include the improvements added for 1.0.2). This version has been stable for people and is known to be used in production.
The biggest difference between 1.0.X and 1.1.X is that Dryml has been split out into its own gem. There are also some very minor incompatibilities that affect things like CSS class names. The delta between 1.0.2 and 1.1.0.pre2 can be viewed on github.
1.1.0.pre2 merges in fixes that have accumulated on several vendor branches of Hobo, as well as the 1.0.2 fixes. 1.1.0.pre2 is a prerelease gem, so the --pre option is required to install it:
gem install hobo -v 1.1.0.pre2 --pre
As always when upgrading hobo versions, you will probably want to run
ruby script/generate hobo_rapid
or
rake hobo:symlink_assets
to ensure that you get the latest versions of the javascript and CSS files copied into your application.
Which version of Hobo should you use?
If you are currently using 1.0.0 or 1.0.1 in production, you only need to upgrade to 1.0.2 if you are also upgrading your version of Ruby or Rails or need one of the bugfixes listed here.
If you have a Rails 2.3 project currently under active development, we recommend 1.1.0.pre2 (or the github master branch). Hopefully we have 1.1.0 released before you go to production — but even if we don’t, we do not believe that there are any issues that would prevent 1.1.0.pre2 from being usable in production.
If you are developing a new project and/or wish to use Rails 3, the 1.3 branch of Hobo currently being developed by Domizio is definitely stabilizing and becoming useful. The major issues preventing the release of 1.3 are all related to documentation.
Although the blog has been quiet of late, one only has to look at the mailing list to see how busy the Hobo world is. I’d like to give a shout-out to Matt and Kevin and everybody else who are patiently answering questions there. The Hobo user community rocks! But a quiet blog does give the wrong impression sometimes.
I’ve got a few other Hobo-related things that I hoped to blog about but that aren’t ready yet, but there’s nothing stopping me from using this blog to point out tools that will make your Hobo experience better, is there?
Most of the Hobo and Ruby on Rails community uses git for version control. Git is awesome, but there are two common pain points: its learning curve, and submodules.
I won’t go into the problems with git submodules here. If you’ve got a small project with only one developer and you never need to modify your submodules, you’re unlikely to run into problems, but as you add developers and start modifying the modules, hassles quickly creep in.
In the past, when you added a plugin to your project, you basically had two options: copy the files into your project with script/plugin or link the files in using git submodules.
Now you can get the best of both worlds. With git subtree you get the behaviour of a copy, but you can still easily update the plugin and even extract changes to the plugin to push the changes upstream.
For instance, to add Hobo as a plugin to your project:
git subtree add --squash --prefix=vendor/plugins/hobo git://github.com/tablatom/hobo.git master
You can then update the plugin with:
git subtree pull --squash --prefix=vendor/plugins/hobo git://github.com/tablatom/hobo.git master
If you make changes to Hobo in your app, you can extract them and send them to us with:
git subtree split --prefix=vendor/plugins/hobo --branch hobo-master
git push git@github.com:someuser/hobo.git hobo-master:master
(Replace someuser with your github username). And then send us a pull request.
Git subtree is not yet part of git itself, but hopefully it soon will be. Even if it does not, it isn’t doing anything crazy or unorthodox to your repository, so I wouldn’t worry about using it.
Two other alternatives to git subtree are Braid and Piston. They use similar strategies under the hood. However, I’ve found git subtree to work better for me.
We fixed a few minor bugs, so I’ve put out a new release candidate. Please try it in your application so we can release 1.0 as soon as possible. Thanks. See the change log for the details.