This doesn't surprise me, and I'm not even an experienced Rails developer.
I think a big part of the problem is that there are a ton of gems that are simply hobby projects that gained traction and became popular. They were originally architected by enthusiasts, rather than experts. Some of these projects may also have been abandoned by their authors, but still in use because they may be the only way to accomplish a complex task or integration. You can't expect stuff like that to be very secure. You just have to think carefully about whether the risks of using them are worth the gains made from not having to implement the functionality yourself.
This can be said of any open source library, but it is unfortunately true that the average Ruby gem seems to be more hobby-grade than enterprise-grade.
The fact of the matter is, if you are developing an application and are integrating 3rd-party code, always pay attention to what that 3rd-party code is, how well-maintained it is, and how the project has responded to bugs and vulnerabilities in the past.
Yup. I've done enterprise Rails consulting, which is almost a contradiction in terms. But it's possible and I've brought fixes like net-ldap to work with AD.
Edit: Can't take all the credit, client hacked together the first version but we managed to extract it for "the greater good." Also fun stuff like XML-RPC (Xen API -> gem xenapi, VMware (gem rbvmomi)), which wasn't bad and worked OOTB. Wished MS exposed their APIs as RESTful endpoints, because WinRM + gem winrm just doesn't cut it with some products... generated powershell run by an agent instead. For some products, even having the (.someextiforgot) files that describe the API, there's no MS docs on them, so lots of trial-and-error in PowerGUI to find the right objects and methods (Yuck).
Yes, definitely. I got burned by this very recently myself. I'm developing a Rails app (my very first!) in which users need to be able to enter and edit content in a WYSIWYG editor. I found a very popular one that also had a great user experience and started using it. Once I tried to deploy it though, I ran into various issues - turns out the app was quite out of date as its author had moved on to other things a year and a half ago. So I had to rip it out and switch to an alternative.
I'm now much more cognizant about stuff like how many contributors a project has and whether it is in active development.
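The vetting the first comment recommends, and the maintenance signals this comment mentions, can be partly automated against a project's Gemfile.lock. The Ruby script below is an added example, not code from any commenter or from any gem named in the thread: it parses a constructed lockfile, checks each resolved version against a constructed advisory list (the gem names, advisory ids, patched ranges and release dates are all made up for illustration), and flags gems with no release in the past year or with no release information at all.

```ruby
# Added example: a minimal offline dependency audit for a Gemfile.lock.
# All data below (gem names, advisories, release dates) is constructed;
# none of it describes a real gem or a real vulnerability.
require 'rubygems'
require 'date'

# Constructed Gemfile.lock excerpt. Only the GEM -> specs section is parsed.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      acme_editor (2.1.0)
        acme_sanitizer (~> 1.0)
      acme_sanitizer (1.0.3)
      acme_ldap (0.16.1)
      acme_xmlrpc (3.0.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    acme_editor
    acme_ldap
    acme_xmlrpc
LOCK

# Constructed advisories. :patched lists alternative version requirements;
# a resolved version is considered fixed if it satisfies any one of them
# (fixes often land on several release branches).
ADVISORIES = [
  { gem: 'acme_editor',    id: 'EXAMPLE-ADV-0001', patched: ['>= 2.2.0'] },
  { gem: 'acme_sanitizer', id: 'EXAMPLE-ADV-0002', patched: ['>= 1.0.4'] },
  { gem: 'acme_ldap',      id: 'EXAMPLE-ADV-0003', patched: ['~> 0.15.3', '>= 0.16.1'] },
]

# Constructed maintenance metadata: date of each gem's most recent release.
# acme_xmlrpc is deliberately missing to show how unknown history is treated.
LAST_RELEASE = {
  'acme_editor'    => Date.new(2023, 12, 1),
  'acme_sanitizer' => Date.new(2023, 11, 15),
  'acme_ldap'      => Date.new(2021, 6, 1),
}

# Returns { gem_name => Gem::Version } for every resolved gem in the lockfile.
# Under "specs:", lines indented by exactly four spaces are resolved gems;
# deeper indentation is their declared dependencies, which we skip.
def parse_lockfile(text)
  gems = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /^  specs:\s*$/
      in_specs = true
      next
    end
    in_specs = false if in_specs && line =~ /^\S/ # a new top-level section
    next unless in_specs
    gems[$1] = Gem::Version.new($2) if line =~ /^    (\S+) \(([^)]+)\)\s*$/
  end
  gems
end

# A version is vulnerable when it satisfies none of the patched requirements.
def vulnerable?(version, patched_requirements)
  patched_requirements.none? { |r| Gem::Requirement.new(r).satisfied_by?(version) }
end

# Returns [[gem_name, advisory_id], ...] for every advisory that still applies.
def find_vulnerable(gems, advisories = ADVISORIES)
  advisories.select { |adv| (v = gems[adv[:gem]]) && vulnerable?(v, adv[:patched]) }
            .map { |adv| [adv[:gem], adv[:id]] }
end

# Returns gem names with no release in the last max_age_days, or with no
# known release date at all (treat unknown history as a finding, not a pass).
def find_stale(gems, today:, max_age_days: 365, releases: LAST_RELEASE)
  gems.keys.select do |name|
    last = releases[name]
    last.nil? || (today - last).to_i > max_age_days
  end
end

if __FILE__ == $0
  gems = parse_lockfile(LOCKFILE)
  find_vulnerable(gems).each { |name, id| puts "VULNERABLE #{name} #{gems[name]} (#{id})" }
  find_stale(gems, today: Date.today).each { |name| puts "STALE      #{name} #{gems[name]}" }
end
```

Run as a script it prints one line per finding; the same two functions can be fed a real lockfile and a real advisory feed (this is the shape of what tools like bundler-audit do), with the staleness check standing in for the "is anyone still maintaining this?" question from the comments above.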