Archive: posts from November 2008

Passenger package for Ubuntu Hardy updated 28 Nov 08

I’d just like to announce the new version (2.0.3-1bbox4) of our Phusion Passenger/mod_rails package for Ubuntu Hardy (first announced back in May).

The previous version was faulty and resulted in mod_passenger.so being installed in the root dir (doh!) - I’m not sure when that bug crept in.

I’ve also updated the dependencies slightly - it will no longer require the rubygems package.  This helps those of you who have installed gems manually and would rather not use the Ubuntu packages.  If you didn’t install gems manually, you’ll need to explicitly specify the package now.

This, and a little more information can be found on our Passenger wiki page.

If you need help using these packages, or would like to feed back your experiences, go on over to the discussion forum.

Accepted into Ubuntu Intrepid Ibex

And if you weren’t aware, our package was accepted into the official Ubuntu repository (in the universe component) so if you’re using Ubuntu Intrepid Ibex, you can use it straight away! (though it does require the packages rubygems).  Another step towards Ubuntu being the perfect rails stack. The source package page can be found here.

Next up, Ruby Enterprise Edition packages…

Leeds Ruby Thing 24 Nov 08

If you’re in or around Leeds this Thursday (27th November), pop along to Mr Foleys Cask Ale House at 7pm for yet another Leeds Ruby Thing. Its a fun and informal social event for anyone interested in the Ruby programming language. You don’t have to be an expert in Ruby—we’re just a friendly bunch who enjoy beer and geeky chat.

And this month Brightbox is giving away our famous t-shirts and stickers, as well as plenty of beer!

Add yourself to the event on upcoming, or just feel free to turn up on the night.

http://upcoming.yahoo.com/event/1337490/

Using RSpec, Cucumber and User stories to build our internal systems 21 Nov 08

Here at Brightbox we are making heavy use of RSpec and Cucumber as we develop our next generation internal systems. These let us write specifications, in English and in code, for how the systems should behave. The specifications document the system for future reference and provide an automated test suite to prove that things are working as they should.

We chose RSpec because of its philosophy of “getting the words right”; code is often easier to write than it is read. As these specifications are also our internal documentation they must be easy to read as well.

However, as some of this Behaviour-Driven and Story-Driven development is pretty new, there isn’t much guidance on best practice, especially when it comes to the “User Stories” (which form the basis of the system’s acceptance tests). With that in mind, we thought we’d share our basic process we follow for each new feature.

(Download the original presentation here)

By the way, there’s a very subtle bug in the code; no prizes if you spot it!

Ruby Manor 20 Nov 08

I’ll be down at Ruby Manor in London this coming Saturday. Would love to meet any Brightbox customers or anyone else who’s just plain friendly and wants to say hello. I’ll bring down a few bits and bobs of Brightbox schwag, some t-shirts and stickers to hand out for anyone who wants them.

I’m really looking forward to what I hope will be a very successful day and hopefully the start of a regular event for UK Rubyists.

Rails CSRF Security Vulnerability 19 Nov 08

Users of Rails 2.1 and 2.2 need to be aware of a vulnerability in Rails’ CSRF forgery protection.

For those that don’t know, Rails generates an authentication token within your forms and verifies this token when the form is submitted back to your application. This prevents attackers from crafting malicious requests whilst pretending to be your authenticated user.

However, for certain types of request (supposedly those that cannot be generated from a browser) this authentication token is ignored - in order to make it simpler for automated API access to your application (using JSON, XML or a few other data transport types). Unfortunately, text/plain is wrongly included as one of these types.

Luckily, the fix is simple. The long-term solution is to upgrade your application to Rails 2.1.3 or 2.2.2 (when they are released); the quick fix is even easier - tell Rails to verify text/plain requests by creating a file (called mime_type_csrf_fix.rb) in your config/initializers folder:


# temporary fix for http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html
Mime::Type.unverifiable_types.delete(:text)


Beta testers required to trial new Content Delivery Network (CDN) service 5 Nov 08

We’re currently working on offering a Content Delivery Network (CDN) service for Brightbox customers.  This will accelerate the serving of your static assets, distributing them around the globe and serving from the closest server to the user.  We’re trialling a partnership with Panther Express to provide this service, who provide CDN services for some pretty huge sites, such as LiveJournal, The Guardian and Shopping.com.

It can be used with the built-in Rails asset host system too, so no heavy modifications or fancy plugins.  We’re looking for some beta-testers, so if you’re interested please drop us an email to hello at the brightbox address and provide us details of your current static asset bandwidth usages if possible. All customers are welcome!

New Office 2 Nov 08

With new team members coming on board, our old office was becoming a little cramped, so last week we moved to a larger space. We didn’t move far though - just down a flight of stairs at Leeds Media Centre :)