<ReinH>
zenspider: because it's the thing everyone hears
<ReinH>
zenspider: also ITT: people hating on things because it makes them feel good.
cmatheson has left #ruby-lang [#ruby-lang]
<yfeldblum>
zenspider, don't know; isn't the real problem to do with not using a whitelist of tags?
carloslopes has quit [Remote host closed the connection]
carloslopes has joined #ruby-lang
RickHull has left #ruby-lang [#ruby-lang]
<ged>
The real problem is trusting user input. Of any kind.
mephux has quit [Excess Flood]
<yfeldblum>
ged, that would be the general class of problems which includes, as one item among many, the specific problem i mentioned
mephux has joined #ruby-lang
spuk has quit [Ping timeout: 260 seconds]
<zenspider>
yfeldblum: no
sailias has joined #ruby-lang
<zenspider>
latest rubygems issue was caused by rails having an eval in a []= method. previous rails issues were also caused by rails having evals. eval is the problem. stupid/clevar code is the problem.
<zenspider>
yaml has yet to have a plain vanilla exploit against properly designed code that I can see
kain_ has joined #ruby-lang
<zenspider>
plain vanilla == no rails / active_support and no unchecked eval on custom classes
<zenspider>
ReinH: too true
aedorn has quit [Quit: Leaving]
<ReinH>
zenspider: protip: when parsing untrusted input, don't use eval
<ReinH>
just a thought
<zenspider>
thanks... I'll add that to my toolbox :P
<ReinH>
yeah good call
robotmay has quit [Ping timeout: 248 seconds]
<ReinH>
:P
<yfeldblum>
zenspider, ReinH, that doesn't solve any problems
kain has quit [Ping timeout: 276 seconds]
<ReinH>
yfeldblum: ? it solves a lot of problems
<zenspider>
huh?
<ReinH>
it just doesn't solve *all* problems
<yfeldblum>
this was an internal class meant only for internal consumption, and not meant to be instantiated and used willy-nilly
<ReinH>
yfeldblum: what are you talking about?
<yfeldblum>
ReinH, because this is ruby, and we use ruby to do magical things, which often involves eval
<zenspider>
we're clearly not talking about the same thing
<yfeldblum>
zenspider, the exploit i've seen, using an internal class in actiondispatch's routing
<ReinH>
yfeldblum: are you planning on being coherent at some point?
<yfeldblum>
zenspider, YAML.load shouldn't go and make one of those objects just because a YAML document said it wants one
<ReinH>
YAML shouldn't eval things. But that would change the behavior of YAML.
<yfeldblum>
ReinH, YAML didn't eval anything
<ReinH>
What I want is a new YAML spec that completely precludes embedded objects of any kind
<ReinH>
yfeldblum: it *effectively* evals
<yfeldblum>
ReinH, only when the object it instantiates evals in response to #[]=
<ReinH>
yfeldblum: so yes, it evals
<ReinH>
it doesn't matter if it only sometimes evals
<ReinH>
if it happens at all, it happens. That's enough.
<zenspider>
ReinH: I have to disagree with you on that. it isn't effectively evalling anything.
postmodern has joined #ruby-lang
<zenspider>
it is method dispatching for hash subtypes to []= and that code was evalling the args
<ReinH>
zenspider: YAML per se isn't but the bug allows arbitrary code to be evaluated
<ReinH>
so we can argue semantics if you want
<zenspider>
I just want the blame put where it belongs, and I have yet to see it actually fall on yaml with responsible code
<ReinH>
unless I completely misunderstand what's happening
<ReinH>
zenspider: what does "with responsible code" mean?
<zenspider>
no, I think we're on the same page of HOW this is happening
<zenspider>
I think we just have different goals on the analysis
<ReinH>
ah
<yfeldblum>
zenspider, i'm coming down on YAML.load instantiating objects of document-chosen types, while lacking any ability to whitelist what document-chosen types are allowed
<zenspider>
in the case that I'm describing, yaml is parsing something that specifies a hash subclass, that loader dispatches key/value pairs to []=, which in this case was calling eval
<zenspider>
yfeldblum: meh
<ReinH>
zenspider: ok, that makes sense
<ReinH>
zenspider: where does that eval-ing []= live?
banisterfiend has joined #ruby-lang
<zenspider>
ReinH: it was on tenderlove's editor, and he's run off to j-school for the evening.
<zenspider>
I could possibly chase it down... sec
<ReinH>
it's not super important
<ReinH>
do you remember generally where?
<ReinH>
ActiveSupport?
<yfeldblum>
ReinH, neither one by itself is a problem; the combination of the two without a mediating mechanism (e.g., tags whitelist) is a problem
<ReinH>
yfeldblum: yes, but that's always true
<ReinH>
security isn't a static property of systems
Nisstyre has joined #ruby-lang
<ReinH>
whenever you have a new interaction you have to audit that interaction
<zenspider>
yfeldblum: you keep harping on whitelists... yet whitelists still don't matter if you've got completely shitty irresponsible code running
gjaldon has joined #ruby-lang
<yfeldblum>
zenspider, like what?
<zenspider>
like rails
<banisterfiend>
zenspider: what's j-school
<zenspider>
ReinH: yeah. I can't find it. don't remember where it was
<zenspider>
banisterfiend: tenderlove studies japanese
<banisterfiend>
oh ok
carloslopes has quit [Remote host closed the connection]
<yfeldblum>
zenspider, like what, more specifically, that couldn't be stopped by a yaml-tags whitelist?
<yfeldblum>
zenspider, and i don't mean something that adds random nonsense to a whitelist
marr has quit [Ping timeout: 252 seconds]
workmad3 has quit [Ping timeout: 264 seconds]
<zenspider>
ReinH: that might have been it. look at route_set.rb and walk down the #add method (aliased to []=)
<zenspider>
boils down to define_url_helper which does a module_eval w/o scrubbing a damn thing
dankest has joined #ruby-lang
<yfeldblum>
what cases are there of trying to hydrate an object tree from yaml where you don't know what finite list of classes would be allowed in that document?
<zenspider>
we toyed with the idea of using taint strictly throughout rails, but it would take man-years to get cleanly working. not even sure if it is possible w/o breaking a huge class of apps the way routes and stuff work
<ReinH>
metasploit code style makes me :(
<zenspider>
ReinH: I know... so painful to read
<ReinH>
where's the Ronin version
<ReinH>
oh god, that doc hash
<ReinH>
o_O
<zenspider>
yfeldblum: anyone can define methods on whitelisted classes. just because you say `Hash` is safe doesn't mean it is.
<postmodern>
ReinH, metasploit code, YOLO
<yfeldblum>
zenspider, that doesn't solve terribly much
<postmodern>
ReinH, you want rails_rce.rb or rails_omakase.rb?
<yfeldblum>
zenspider, if YAML.load isn't even allowed to build hashes, then the rest of us are likely to just go and build hashes from YAML.parse
spuk has joined #ruby-lang
<zenspider>
ReinH: it's stupider than that. if the route arg in #add isn't scrubbed it could contain anything
<zenspider>
ReinH: err... name arg.
<zenspider>
ReinH: that code would be eval'd straight up on the first line of the module_eval of define_url_helper
<ReinH>
zenspider: oh.
kmlawson has joined #ruby-lang
ulisescab has joined #ruby-lang
<zenspider>
stupid simple tainting strategies could have addressed this, but since tainting wasn't a strategy when this code was designed, backfilling will be a serious bitch
<yfeldblum>
zenspider, what would a tainting strategy look like?
<ReinH>
zenspider: it's too bad Ruby's taint is so useless
__BigO__ has joined #ruby-lang
mercwithamouth has quit [Ping timeout: 248 seconds]
__BigO__ has quit [Remote host closed the connection]
<ReinH>
agree taint in general is the way to handle this
<ReinH>
zenspider: the problem is that taint has to be done at library level or below
<ReinH>
and it has to be ubiquitous
<ReinH>
and since Ruby's taint isn't suitable, you have to roll your own and then convince everyone to use it :/
hahuang65 has quit [Ping timeout: 252 seconds]
<epitron>
stop talking about ruby's taint :(
kmlawson has left #ruby-lang [#ruby-lang]
krohrbaugh has joined #ruby-lang
krohrbaugh has quit [Read error: Connection reset by peer]
krohrbaugh has joined #ruby-lang
hahuang65 has joined #ruby-lang
hahuang65 has quit [Max SendQ exceeded]
<ReinH>
...
ulisescab has quit [Remote host closed the connection]
<ReinH>
ok :(
<zenspider>
ReinH: how isn't it suitable in ruby?
<ReinH>
zenspider: you don't have enough control over when it's set/unset
mjio has quit []
<ReinH>
you're overloading it if you use it for this
<ReinH>
imo at least
<zenspider>
... splain?
<ReinH>
maybe it works fine
<ReinH>
zenspider: when are strings marked as tainted in Ruby?
idkazuma has quit [Remote host closed the connection]
<zenspider>
depends on the safe level, iirc. or whenever you call it
<ReinH>
right, so what you're worried about is anything untainting your string
<zenspider>
so, when something comes in from IO, socket, File, etc.
<ReinH>
although false positives could be annoying
<zenspider>
you can't untaint
<ReinH>
ah right
<ReinH>
does taint follow cloning?
s1n4 has quit [Quit: leaving]
<zenspider>
oh. shit. you can. meh. Object.remove_method :untaint
<zenspider>
yeah, it follows
<ReinH>
ok
<ReinH>
so, as long as things you want tainted stay tainted
<zenspider>
but like, it doesn't follow through $1 or other match accessors
<ReinH>
and things you don't want tainted stay untainted
<ReinH>
right
<zenspider>
so safe = $1 if unsafe =~ /.../
<ReinH>
"untainted string" << "tainted string"?
<ReinH>
safe + unsafe ?
<ReinH>
etc?
<ReinH>
it's actually super hard to implement a taint system above the language level :/
<ReinH>
so hopefully you can use Ruby's
<zenspider>
ruby -e 'a = "safe"; b = "unsafe"; b.taint; a << b; p a.tainted?' # => true
<ReinH>
zenspider: good, then it works properly :p
<ReinH>
I've never messed with it much tbh
<ReinH>
in Ruby at least
<zenspider>
I believe it does... but like ruby -w, nobody seems to use it or care
<zenspider>
but they sure like to throw a fit when something like these exploits come out
innohero has joined #ruby-lang
<zenspider>
(for the record, I use -w on everything)
<ReinH>
zenspider: well, Ruby doesn't have a good security story tbh
<ReinH>
not compared to, say, Java
innohero has left #ruby-lang [#ruby-lang]
<ReinH>
you might hate the language but they take security seriously
<ReinH>
also low barrier to entry means you get a lot of programmers that wouldn't know what to do with a taint if...
brianpWins has joined #ruby-lang
<ReinH>
I'm not going to finish that sentence
<zenspider>
you mean the language that was forcibly removed from osx because of the security problems and how long they took to fix them?
<havenn>
^
<ReinH>
zenspider: yes, that one
<zenspider>
hah
<ReinH>
we're living in a glass house, gentlemen
<zenspider>
I do agree that low barrier to entry has caused a lot of problems
<zenspider>
yup
AntiTyping has joined #ruby-lang
hahuang65 has joined #ruby-lang
<cored>
I wonder how you guys know about all of this technisim
<cored>
and of course how can I learn all of this :-)
<ReinH>
cored: it's almost like it's our job :)
<zenspider>
I don't think it would have been that hard or that much different if rails was built to be taint safe... but backfilling it into the design? that's not really feasible
<zenspider>
at least... it'll take a looong time to identify and patch all the leaks and get the design feeling right again
<ReinH>
zenspider: true, but is it impossible to introduce incrementally?
<zenspider>
strong params and the like are a step in the right direction.
<ReinH>
I'll write a sed script to find lines that contain eval and insert a "# TODO: check for taint" above them
<zenspider>
ReinH: it's spaghetti code, in a sense. so if you taint params as they come in, you need to ensure everything below it is taint-safe. in rails that's a LOT of code
<ReinH>
right, but there are also hotspots
<ReinH>
routing
<zenspider>
*nod*
<ReinH>
you don't need to cover the entire attack surface at once
<ReinH>
but reducing it at all is a bonus
<zenspider>
or... you have to have the user absolutely positively untaint everything at the beginning of every request before you're allowed to move on. I could see some sort of declarative api added to controllers to say what params are allowed and what formats they can have
<zenspider>
yfeldblum: well... sorta. I'm not talking about types. I'm talking about formats. :name => /\w+/ or somesuch
sn0wb1rd has quit [Quit: sn0wb1rd]
<ReinH>
zenspider: thing about that is
<ReinH>
it's really hard to prove that a given format is safe
<epitron>
zenspider: in 1.9.3, regexp matches ($1, $2, etc.) stay tainted if you match a tainted string
<ReinH>
just think about pathname expansion exploits
<yfeldblum>
ReinH, such as?
<epitron>
open(params[:user_id])
<epitron>
:D
<ReinH>
where is .\\..\.\\...\.\\../etc/hosts
<zenspider>
epitron: kk. then $1.untaint if ...
<ReinH>
etc
tomzx_mac has joined #ruby-lang
<epitron>
eval doesn't warn if you eval a tainted string
<zenspider>
ReinH: I agree. This isn't a fun or easy problem to solve. but the fact that we currently have nothing is more disturbing to me. there's been relatively no thought (until recently) on this subject
<epitron>
that might be a useful thing
<ReinH>
if you give your users the ability to write their own formats to verify input
<ReinH>
for security purposes
<zenspider>
aaron and I were toying with tainting last summer (? I think ?) and it just didn't pan out at all
<ReinH>
you're giving them a gun and pointing it at their feet
<epitron>
zenspider: so you're saying that the tainting is pointless if a hacker can inject some code that intaints itself? :)
<epitron>
*untaints
<zenspider>
if you don't, you're pointing the gun at their head
<ReinH>
zenspider: false dichotomy
<ReinH>
you shouldn't make your users responsible for security
<ReinH>
that doesn't work out very well
<epitron>
we don't have time for security! we're running a business!
<ReinH>
famous last words
<epitron>
we're losing sales!!!!
<epitron>
:)
chimkan___ has joined #ruby-lang
<ReinH>
zenspider: yes, agree the big problem is lack of awareness
<zenspider>
ReinH: I just don't think you can have it both ways. Responsibility comes with the power of the library you're using. and the library CAN'T know what's valid and what's invalid w/o user input
<ReinH>
you don't get secure software without security-conscious software developers
<ReinH>
period
<ReinH>
zenspider: it can know what's secure and insecure
<ReinH>
or we wouldn't be able to secure anything ever
<zenspider>
it can do some stupid simple checks... does this string I'm about to module_eval have a semicolon in it? but beyond that... nigh impossible
<ReinH>
zenspider: it can do way better than that
<ReinH>
never evaluate untrusted strings
wizonesolutions has quit [Ping timeout: 244 seconds]
<ReinH>
asking your users to ensure that the thing that's about to get interpreted is safe
<ReinH>
is such a bad idea
srbaker has joined #ruby-lang
<ReinH>
because if WE aren't thinking about security enough to catch this kind of problem
<zenspider>
srbaker: you never called me in
<ReinH>
the chances that they are are basically zero
<epitron>
heh
chimkan_ has quit [Ping timeout: 276 seconds]
<ReinH>
what we need as library/framework developers is to make security a priority
<ReinH>
check for security vulnerabilities using code reviews and other touch points
<srbaker>
zenspider: hey, today was all gemstone management stuff :/
krohrbaugh has joined #ruby-lang
rsl has quit [Quit: Computer has gone to sleep.]
<ReinH>
this is why I gave a talk at RubyConf last year called "Making Security Priority Zero"
<yfeldblum>
using a regexp to validate evalable code in a Turing-complete language for malignancy doesn't sound like a good strategy
<srbaker>
and we got a late start
<ReinH>
Maybe people will start to listen to me now...
<zenspider>
ReinH: give a talk "I told you so"
<ReinH>
I certainly could.
<epitron>
hahah
<ReinH>
yfeldblum: it's the blacklist problem
<epitron>
the year after: "You idiots never listen" by ReinH
<ReinH>
using a finite set of rules to deal with an infinite set of inputs
<ReinH>
yfeldblum: it's a failure of requisite variety
<ReinH>
which is a technical failure
<ReinH>
but it's also a people failure
<ReinH>
by forcing the people who care least about security to be responsible for it
<ReinH>
epitron: I could keep that up for years
<yfeldblum>
or, it's basing one's security on solving the halting problem
<ReinH>
yfeldblum: possibly true but not very useful
<epitron>
"Users considered harmful"
<ReinH>
a failure of requisite variety has two options:
wizonesolutions has joined #ruby-lang
wizonesolutions has quit [Changing host]
wizonesolutions has joined #ruby-lang
<ReinH>
expand the solution space
mercwithamouth has joined #ruby-lang
<ReinH>
contract the problem space
<ReinH>
I'm suggesting the latter
<ReinH>
which is also generally regarded as a good security principle
<ReinH>
every place you remove an eval is one less vulnerability
<zenspider>
but would rails have even taken off if it weren't for its liberal use of eval? I'm not so sure. As much as railz0rs have diluted our culture, it is obvious that a lot of money and opportunity came with them
unlikely_monkey has joined #ruby-lang
srbaker has quit [Ping timeout: 245 seconds]
<ReinH>
zenspider: maybe 90% of Rails' eval use is strictly internal metaprogramming
<ReinH>
that's true
<epitron>
ruby's squishiness is quite nice
<ReinH>
but the problem is: which 90%
<yfeldblum>
ReinH, for sure, eliminating calls to #eval improves security ... but that can't be the panacea because there's always going to be one more place that calls eval and someone else is going to find it
<epitron>
i never use eval when metaprogramming though
phlipper is now known as phlipper_
<ReinH>
yfeldblum: I never said I was looking for total solutions
<epitron>
maybe sometimes i use instance_eval &block
<ReinH>
there aren't any to begin with
<ReinH>
yfeldblum: security is a process
ivanoats has quit [Remote host closed the connection]
<zenspider>
ReinH: even that "Strictly Internal" thing needs to be locked down tho... because there's nothing really strict about ruby
<ReinH>
but the problem is: which 90%
<ReinH>
zenspider: yes, exactly
hahuang65 has quit [Quit: Computer has gone to sleep.]
<zenspider>
it isn't just eval that is the problem... it is indiscriminate eval.
<zenspider>
in the example I originally gave, just making sure name didn't contain ';' would have done a ton
gregmoreno has quit [Ping timeout: 252 seconds]
<zenspider>
it was being used as a symbol and a method name. those have strict parseable definitions. If something was used to vet the arg before passed off to module_eval, this exploit would not be possible
<epitron>
indeed. with something as widely used as rails, you should think hard about what you're doing with eval :)
<ReinH>
zenspider: right, but that's the framework author's responsibility
<ReinH>
not the user's
<ReinH>
zenspider: the flip side of this 'vetting' approach is that it provides a false sense of security
<zenspider>
ReinH: we're talking about DHH and cohort. There are about 3 people I can think of that actually take their coding responsibility on that library seriously
<zenspider>
and they're burning out, if anything
sush24 has quit [Quit: This computer has gone to sleep]
<ReinH>
fair
<ReinH>
zenspider: by false sense of security, what I mean is:
<epitron>
in production mode, all the metaprogramming/evalling should happen at startup time anyways.. you could probably just remove the eval method after startup :)
<ReinH>
you won't know if that vetting code you wrote is correct
<ReinH>
but you're going to operate as if it is
<ReinH>
which means that when it's proved to be incorrect, you'll probably be more at risk
havenn has quit [Ping timeout: 248 seconds]
<ReinH>
because you probably wrote less secure code based on that assumption
<ReinH>
it's the same problem as a taint false negative
<zenspider>
ReinH: in the general case, yes. in the case I described above, I believe there is a legitimate and easy way to vet it.
<ReinH>
zenspider: it's definitely safer in that specific case
<ReinH>
but I think in the larger context it could have adverse effects
<epitron>
eval(sanitize(params[:query])) :D
<ReinH>
if people start thinking "Oh I can use eval now because I used the sanitize library"
<ReinH>
when they wouldn't have before
<ReinH>
now the sanitize library is your new weak link
<yfeldblum>
zenspider, is there not some clever way around it which avoids injecting a ; character but accomplishes the same result?
<ReinH>
and you're reducing defense in depth
<epitron>
i wanna see what happens if i remove all the eval methods after rails initialization
<zenspider>
yfeldblum: && || . any operator really
<zenspider>
but... if you guaranteed that the shape of the parse tree matched expectations before you evalled it? I don't think you CAN break through that
<zenspider>
then again... I'm hungry :)
srbaker has joined #ruby-lang
<epitron>
zenspider: that would be awesome
<epitron>
i like the idea of AI pattern-analysis as a security tripwire
<yfeldblum>
just make proc-based metaprogramming faster and we could stop resorting to eval-based metaprogramming ...
<zenspider>
(call because a bare word will look like a message send to a virginal parser)
<ReinH>
zenspider: anything that makes people think they are more secure when they aren't is a bad thing
<ReinH>
just keep that in mind
<epitron>
it would also be awesome if you could then sandbox all that user's changes somehow, into a parallel universe, so you can roll them back... like a transaction :)
<yfeldblum>
epitron, an ACID version of the many-worlds interpretation of QM?
<chekcmate>
are you one of those guys coming to work at saturday, wondering why everyone's absent?
<havenn>
just turned friday here
ryanf has quit [Quit: leaving]
gnufied1 has joined #ruby-lang
<thisboy>
haha :)
dcwu has quit [Quit: Leaving.]
gnufied has quit [Ping timeout: 252 seconds]
<chekcmate>
thisboy: can you tell me something?
<thisboy>
chekcmate: like what?
endy_c has joined #ruby-lang
<chekcmate>
got a string and I want to check if the first word matches & I want the last char of the string as $1
<chekcmate>
I know how to do that in 2 steps
<thisboy>
nah sorry im not that good :/
* chekcmate's nemesis is called regex
<thisboy>
heheh
duckinator has joined #ruby-lang
chimkan__ has joined #ruby-lang
<chekcmate>
I thought using this would work: test\()\/([^*])\z
jxie has quit [Quit: leaving]
endy_c has left #ruby-lang [#ruby-lang]
maxmanders has joined #ruby-lang
<gnufied1>
hi
<chekcmate>
hu
lsegal has quit [Quit: Quit: Quit: Quit: Stack Overflow.]
chimkan_ has quit [Ping timeout: 244 seconds]
<chekcmate>
gnufied1: can I ask you a regex question?
poga has joined #ruby-lang
sandbags has joined #ruby-lang
sandbags has joined #ruby-lang
gnufied has joined #ruby-lang
<chekcmate>
hu?
<certainty>
chekcmate: what exactly are you trying to achieve?
<chekcmate>
I want to check if the first 5 chars match and then have the ability to use the last char of the string as $1
<gnufied>
that is quite simple
<chekcmate>
I know how to achieve this, but only in two steps
noReligion has joined #ruby-lang
<gnufied>
are those 5 characters fixed?
<chekcmate>
the only thing I don't know is how to combine them
<certainty>
the last char of the matched string?
<chekcmate>
yes
<chekcmate>
no
<chekcmate>
yes @ gnufied and no@ certainty
<chekcmate>
the last char of the whole string
<certainty>
(.)
<gnufied>
then - /foobar.*(.)\z/
gnufied1 has quit [Ping timeout: 252 seconds]
<chekcmate>
but the stuff between first 5 chars and last char is not fixed
<gnufied>
sure
<gnufied>
try the regexp I put
<certainty>
possibly add an anchor to word start if you need that too
<chekcmate>
yay
<chekcmate>
is (.) != (...)?
<chekcmate>
I thought every dot was "one char"
<gnufied>
nope.
<certainty>
matches a single "anything" and captures it
<chekcmate>
but I could use \d{1,x} at that point too?
<gnufied>
and yeah, certainty is right, put beginning of string anchor for first match
bzalasky has quit [Remote host closed the connection]
<gnufied>
is last character digit?
<chekcmate>
yes
<gnufied>
\d{1}
<certainty>
\d
<certainty>
is enough
<chekcmate>
yup :)
<chekcmate>
well, not sure if it's always only 1 char ^^
<chekcmate>
so better do 1,2 I thought
zmack has joined #ruby-lang
<gnufied>
sure it should match
<chekcmate>
so (.) does the trick here?
<manveru>
>> "foobar1"[/^foobar(\d+)$/, 1]
<manveru>
=> "1"
<chekcmate>
anything between foobar and the last char is ignored?
<certainty>
yes
<certainty>
well not ignored
<certainty>
it must match but .* always succeeds
<chekcmate>
alright, that's great - thanks a lot guys!
<gnufied>
enough regular expressions for a day, I say!
<chekcmate>
I wish, heh
<gnufied>
btw - I need to write a streaming events server. where once client authenticates and subscribes, events are streamed to the browser in real time
<gnufied>
choice is as hard as 5 years ago
<gnufied>
:(
<ggreer>
uhh... use socket.io?
srbaker has quit [Ping timeout: 255 seconds]
socialcoder has joined #ruby-lang
mercwithamouth has quit [Ping timeout: 248 seconds]
<gnufied>
We will eventually release this as public API
<socialcoder>
if x = Oliver y = Denton puts x + y -> it prints OliverDenton. How do I get the space in between
<gnufied>
if I had to use websocket I would definitely consider faye.
<manveru>
i see you can polyfill SSE, so that'd make it worth it
<ggreer>
gnufied: yeah.... you might want to bite the bullet and use socket.io. if you really wanted to avoid writing much js you could have a socket.io server connect to say.... rabbitmq
<GarethAdams>
x + ' ' + y
<socialcoder>
ah I see
<GarethAdams>
is there somewhere else you expect it to get the space from?
<manveru>
ggreer: srsly
<manveru>
do i have to get my cane?
<ggreer>
heh
<socialcoder>
I am not sure Gareth
<socialcoder>
just wanted it to look natural
<socialcoder>
and was scratching my head
<GarethAdams>
other options include `"%s %s" % [x, y]` or `[x, y].join(' ')`
<manveru>
ggreer: he has a simple problem, you give him 3 additional pieces of infrastructure to maintain, patch, admin, setup, config, and learn :P
<gnufied>
ggreer: sorry, but we don't want to deploy node apps yet. our deployment environment is well built for ruby. some day we may bite the bullet but not now
<GarethAdams>
(obviously the backticks are intended as delimiters there, not part of the code)
<socialcoder>
right
<socialcoder>
gotcha
wallerdev has quit [Quit: wallerdev]
<ggreer>
manveru: I've seen people try to reimplement a bunch of socket.io in their language of choice. it's not pretty
<ggreer>
there's *so* much you have to deal with, since browsers are insane
<epitron>
gnufied: does latency of event updates matter? :)
<ggreer>
and then throw in mobile connections where you're likely to drop the socket... bleh
<epitron>
because, polling is way easier, given all your constraints
vmoravec_ has joined #ruby-lang
<gnufied>
it matters somewhat yes.
<epitron>
are the events pretty infrequent?
<gnufied>
I am honestly considering faye (http://faye.jcoglan.com/) which is very close to socket.io,
<gnufied>
but don't want to marry to bayeux protocol
<gnufied>
i mean, if you are using chunked encoding and with right connection setting it can split data and stuff. chrome/webkit's xhr2 connections keep all data around, until you close the connection
<gnufied>
promise of HTML5 is a damned lie! :-)
noReligion has joined #ruby-lang
srbaker has joined #ruby-lang
poga has quit [Remote host closed the connection]
noReligion has quit [Client Quit]
<epitron>
i think browsers are just too complicated
<epitron>
it's so much work to change things
<epitron>
you ever downloaded the chrome source code?
<epitron>
it's like 2 gigs
<manveru>
chromium you mean... chrome must be even bigger
<epitron>
yes.. :)
<epitron>
chromium/chrome binaries are basically the same size
<epitron>
isn't the major difference the auto-updater in chrome?
<manveru>
also builtin flash and codecs
<epitron>
pepperflash \o/
<epitron>
chromium is linked to ffmpeg
<epitron>
i'd imagine they do the same with chrome
<epitron>
google probably has to pay license fees tho
<duckinator>
should i be concerned that i'm enjoying embedding a ruby interpreter into a language which compiles down to C? :P
<manveru>
i thought embedding ruby has all kinds of issues with locking
<duckinator>
only issue i'm having trouble with is that after calling the equivalent of ruby_load_file(), i can't get it to actually *run* that code without segfaulting :P
<duckinator>
well i know 1.8 didn't like being outside of the main thread. no clue what 1.9 thinks of that.
<epitron>
whoa, OOC lets you monkeypatch types
<epitron>
that's very un-C-like
vmoravec_ has joined #ruby-lang
<epitron>
or un-static
<duckinator>
yea, the name was originally a shortening of 'Object Oriented C', but that doesn't really apply anymore :P
<duckinator>
but it compiles down to C and the generated code makes kittens cry
<epitron>
i like the pascal variable definitions too
<epitron>
like... func(var1, var2: type)
bzalasky has quit [Read error: Connection reset by peer]
<duckinator>
there is a reason i put that in a separate file :D
<duckinator>
along with the other....17 of them, i believe it is?
<epitron>
yep
<manveru>
no varargs?
hakunin_ has quit [Remote host closed the connection]
<ggreer>
whaat
<duckinator>
it has varargs, but not for Funcs that you're passing as an arg
<gnufied>
duckinator: so what you are doing with this language? morbid curiosity?
hakunin has joined #ruby-lang
<duckinator>
manveru: basically: foo: func(args: ...) {} works, foo: func(fn: Func(args: ...)) { } does not. not sure of the details of that. the workings of Func are the part of the compiler i'm scared to touch ;)
<duckinator>
gnufied: basically, yea. using it as an excuse to learn about both ooc/C interop and C/ruby interop at the same time
<ggreer>
duckinator: have you looked at how some other languages behave when embedded in C?
<ggreer>
(like lua)
<duckinator>
i messed with embedding lua and some other thing i can't remember the name of in C++ at one point, but that was like 3 years ago
JonnieCache has quit [Quit: leaving]
<chekcmate>
injekt ? mind answering my last regex-problem question? i'm finished except for that one part ^^
<gnufied>
chekcmate: you have another regex question?
<chekcmate>
well not really regex
<chekcmate>
the one expression you guys helped me make
<chekcmate>
it does not work with the input it gets, which is weird, because I use very similar regexps in other places too and they work flawlessly
<gnufied>
what does input look like?
<chekcmate>
line =~ /(open).*(\d{1,3})\z/ && $2.to_i >= 3 and line =~ /write\((\d+)/ && $1.to_i >= 3 for example
<epitron>
i could never get the strace output and the stdout to interleave properly, unfortunately
<epitron>
some kind of buffering issue
<chekcmate>
epitron: heh, some guys here already showed me some, but it's a task I got from my boss in order to learn a bit, tinker around... get used to it
<chekcmate>
kinda like that
<chekcmate>
i now connected the file-descriptor numbers to each operation
<chekcmate>
so you can see which open()-fd points to which write,unlink,read,... op
<chekcmate>
that's my way of knowing which fd# was used in the operation
<chekcmate>
and which file was touched
Miraks has joined #ruby-lang
<chekcmate>
nite epitron
JohnBat26 has joined #ruby-lang
endy_c has joined #ruby-lang
<endy_c>
What should I do if I receive this error: You have already activated rack 1.5.1, but your Gemfile requires rack 1.4.4. Using bundle exec may solve this. (Gem::LoadError)
<workmad3>
endy_c: if 'bundle update' didn't bring you up to 1.5.1, then that means bundler couldn't create a consistent bundle with that version (probably a gem that's locked to ~> 1.4.0 or something)
KillerFox has quit [Ping timeout: 248 seconds]
KillerFox has joined #ruby-lang
dr_bob has joined #ruby-lang
ahf has quit [Quit: Reconnecting]
ahf has joined #ruby-lang
ahf has joined #ruby-lang
<injekt>
chekcmate: sorry was at the gym :)
<injekt>
one does not simply bundle update
JohnBat26 has quit [Ping timeout: 276 seconds]
havenn has quit [Remote host closed the connection]
MaddinXx has joined #ruby-lang
<chekcmate>
injekt: ah, training for my enjoyment, that's ok, heh! Solved the problem, thanks to gnufied
srbaker has quit [Ping timeout: 245 seconds]
JohnBat26 has joined #ruby-lang
<injekt>
chekcmate: :)
srbaker has joined #ruby-lang
dhruvasa1ar has quit [Read error: Connection reset by peer]
<injekt>
bzb: @layout = "foo" or self.layout = "foo"
lun_ has joined #ruby-lang
matti has joined #ruby-lang
matti has quit [Changing host]
bluepojo has quit [Read error: Connection reset by peer]
stardiviner has quit [Ping timeout: 256 seconds]
bluepojo_ has joined #ruby-lang
kleech has joined #ruby-lang
<kleech>
Anyone know of a class which represents just a time (as in a HH:MM clock)?
<whitequark>
no such thing
<whitequark>
not a class, nor "just a time"
cultureulterior_ has joined #ruby-lang
<whitequark>
because, for example, 02:00 + 1.second might be 03:15.
<zenspider>
kleech: Time.now should do you fine
<kleech>
whitequark: I mean outside of stdlib, e.g. a gem. I'll just use a simple class which delegates a subset to a DateTime if not.
EvilJStoker has quit [Excess Flood]
<kleech>
I just want less API than Time/DateTime :)
<zenspider>
so USE less
<zenspider>
Time.now
<zenspider>
done
<whitequark>
^ that
<kleech>
With respect I don't agree, I don't want the date part of the object to be used further down the line. Somewhere else in the system you pass in an object, it has a date and that gets used instead of the correct date (returned by a different method).
<whitequark>
kleech: what are you trying to accomplish?
cardoni has joined #ruby-lang
<GarethAdams>
Ruby doesn't have one built in, but `class ClockTime < Struct.new(:hour, :minute, :second)` would be a good start
<kleech>
GarethAdams: That's what I'm going to go for.
<zenspider>
there is no "date part"
<zenspider>
it's just a point in time
<zenspider>
and anyone who worries about "used further down the line" probably shouldn't be using ruby to begin with. control issues don't belong here
<kleech>
wow
<GarethAdams>
Time objects e.g. can't be compared (with > and <) in an intuitive clock-time way if there's a 'hidden' date part
<zenspider>
just as easy to use composition instead of reinventing everything `class ClockTime; def initialize; @t = Time.now; end; ... rest of public interface; end`
<zenspider>
s/just as easy/easier/
EvilJStoker has joined #ruby-lang
<kleech>
I'm using a class which delegates just the "time" related methods to a DateTime object passed in to the constructor
vesan has quit [Read error: Connection reset by peer]
<thisboy>
anybody know of any examples of people using ruby instead of spreadsheets for advanced financial models? i.e. for the planning of complex business operations, the governing of entire countries etc.?
<banisterfiend>
thisboy: r u going to govern a country with ruby lulz
<thisboy>
curious whether to drop openoffice.org calc and BASIC and go for something like ruby on rails
<injekt>
chekcmate: you're using regex for stuff nokogiri can give you already :)
<thisboy>
banisterfiend: maybe :P
<chekcmate>
injekt: the href?
<banisterfiend>
thisboy: strange guy
<injekt>
chekcmate: of course
<chekcmate>
like instead of .text there is .href?
<injekt>
chekcmate: [:href]
<banisterfiend>
thisboy: use this API: Country.govern!
<whitequark>
thisboy: that is most certainly done with Java and COBOL.
<whitequark>
mostly.
<chekcmate>
lol banisterfiend
<injekt>
href is an attribute, chekcmate. attributes are fetched via obj[:foo]
blacktulip has quit [Remote host closed the connection]
krohrbaugh has quit [Quit: Leaving.]
havenwood has joined #ruby-lang
thone_ has quit [Ping timeout: 264 seconds]
snk has joined #ruby-lang
yalue has quit [Quit: Leaving]
sn0wb1rd has joined #ruby-lang
<bcardarella>
io/console is part of the ruby stdlib, right?
<mistym>
bcardarella: Yes, as of 1.9.3
<bcardarella>
ok, that is the issue. Guy with 1.9.2 isn't getting it
<bcardarella>
thank you
carloslopes has quit [Remote host closed the connection]
slyphon_ has joined #ruby-lang
sandbags has quit [Remote host closed the connection]
slyphon_ has quit [Client Quit]
bradland has quit [Quit: bradland]
sandbags has joined #ruby-lang
sandbags has quit [Changing host]
sandbags has joined #ruby-lang
<bcardarella>
mistym: do you happen to know if the io-console gem is OK for 1.9.3 or do I have to selectively set the gem dependency?
slyphon has quit [Ping timeout: 252 seconds]
wyhaines has joined #ruby-lang
<mistym>
bcardarella: Afraid I don't know; I've never used the gem.
<mistym>
The gem is by nobu and the homepage is ruby-lang.org, so I'm going to assume it's a pure duplicate of the builtin functionality from 1.9.3. I'd suggest selectively setting the dependency based on that, but maybe worth testing?
cored has quit [Read error: Operation timed out]
cultureulterior_ has joined #ruby-lang
<bcardarella>
good enough for me!
cultureulterior_ has quit [Client Quit]
cored has joined #ruby-lang
jonahR has quit [Ping timeout: 260 seconds]
sandbags1138 has joined #ruby-lang
sandbags has quit [Read error: Connection reset by peer]
jonahR has joined #ruby-lang
theoros is now known as lrnt
lrnt is now known as theoros
krohrbaugh has joined #ruby-lang
hackeron has quit [Ping timeout: 255 seconds]
hackeron has joined #ruby-lang
<zenspider>
yorickpeterse: arbitrary
<zenspider>
I've got mine in ./templates/*
<yorickpeterse>
hmm
<yorickpeterse>
I'll go with lib/gem/templates for now
<zenspider>
if they're not valid ruby (because they're erb or whatever) then (I think) they shouldn't go in lib
<yorickpeterse>
Hm, good point (they're not ruby files)
sandbags has joined #ruby-lang
sandbags1138 has quit [Ping timeout: 244 seconds]
krohrbaugh has quit [Quit: Leaving.]
krohrbaugh has joined #ruby-lang
peppyheppy has quit [Quit: peppyheppy]
jrafanie has quit [Quit: jrafanie]
havenwood has quit [Remote host closed the connection]
slyphon has joined #ruby-lang
krohrbaugh has quit [Read error: Connection reset by peer]
ivanoats has quit [Remote host closed the connection]
krohrbaugh has joined #ruby-lang
yfeldblum has quit [Ping timeout: 245 seconds]
forrest has quit [Quit: Leaving]
sandbags has quit [Remote host closed the connection]
Rarrikins_l has quit [Remote host closed the connection]
cored has quit [Ping timeout: 260 seconds]
cored has joined #ruby-lang
cored has joined #ruby-lang
cored has quit [Changing host]
Rarrikins_l has joined #ruby-lang
krohrbaugh has quit [Quit: Leaving.]
krohrbaugh has joined #ruby-lang
chimkan_ has quit [Ping timeout: 255 seconds]
chimkan_ has joined #ruby-lang
mistym has quit [Remote host closed the connection]
thufir_ has joined #ruby-lang
slyphon has joined #ruby-lang
chimkan_ has quit [Read error: Connection reset by peer]
outoftime has quit [Quit: Leaving]
Mon_Ouie has quit [Ping timeout: 245 seconds]
maxmanders has quit [Quit: Computer has gone to sleep.]
chimkan has joined #ruby-lang
krohrbaugh has quit [Quit: Leaving.]
Bearproof has joined #ruby-lang
banisterfiend has quit [Ping timeout: 276 seconds]
chimkan has quit [Ping timeout: 245 seconds]
vlad_starkov has quit [Remote host closed the connection]
chimkan has joined #ruby-lang
workmad3 has quit [Ping timeout: 244 seconds]
Bearproof has quit [Quit: Leaving.]
<andrewvos>
rubygems still readonly :(
chimkan has quit [Read error: Connection reset by peer]
<andrewvos>
You guys must not be having fun.
chimkan has joined #ruby-lang
solars has quit [Ping timeout: 245 seconds]
<drbrain>
andrewvos: a few hours ago the word in #rubygems was that push would be up later today, I haven't been listening in #rubygems-aws for up to the minute status