Ruby Security Vulnerabilities 25 Jun 08

Some of you will have noticed the kerfuffle regarding the recent Ruby security vulnerabilities.  Fixed version of Ruby were released over the weekend but they are causing crashes in applications.  Until working fixes are available we’re all a bit stuck.

Details of the bugs have been kept officially secret but people are figuring it out for themselves (thanks to Zed in particular).  This secrecy has just contributed to the fear, uncertainty and doubt surrounding the issues and hasn’t helped the situation at all.

We currently recommend sitting tight until proper fixes are available.  When this happens, distros will release new packages in the usual manner.  Brightboxes are based on the Ubuntu distro and their security team are aware of the problem and are working on it (see the bug status here).

For those of you using the standard Ruby from Dapper (most of you) you should be able to just upgrade  using aptitude as soon as Ubuntu release new packages.  For those of you using the backported Ruby 1.8.6 packages, you’ll need to wait for us to backport the fixes once they’re released.  We’ll obviously be doing this asap.

We’ll update the blog as we know more.

UPDATE: Ubuntu have fixed ruby1.8 packages available now. They have already appeared in the Ubuntu security repository and are available for install.  Preliminary testing of the Dapper packages has been successful (gems with native libraries too).  We’re re-backporting the Hardy 1.8.6 packages right now and they’ll be available soon.

UPDATE: We have the fixed Hardy packages (1.8.6-p111) backported to Dapper available on the Brightbox testing apt repository.  They’ve passed a lot of preliminary tests but have not been tested extensively in production yet.  Please report any problems  with them (segfaults etc.) to support@brightbox.co.uk.

NGINX 0.6 for Ubuntu Dapper 11 Apr 08

We’ve backported NGINX 0.6.29 packages from Debian experimental to Ubuntu Dapper and included the fair proxy balancer module.

It’s in our testing repository at the moment so give it a whirl (it will of course install on any Ubuntu Dapper box, not just Brightboxes).  We have a page on the Brightbox wiki on how to configure NGINX for your Brightbox apps too (which can easily be adjusted to any NGINX install really).

If you’re playing with any of this beta stuff (like these packages or the Brightbox gem) and have feedback or need help, feel free to discuss it on the Brightbox-beta Google group that i just set up.

Ruby 1.8.6 and ImageMagick 6.3 for Ubuntu 6.06 Dapper 20 Mar 08

We’ve backported some packages useful for Ruby on Rails deployment to the long term support Ubuntu Dapper distro.  They’ve been available for a while but it only just ocurred to us this might be useful to others!

Dapper has Ruby 1.8.4 (though labelled as 1.8.2 in the package list) and ImageMagick 6.2.  Ruby 1.8.4 has some known problems that are fixed in 1.8.6 and the rmagick gem recently updated to version 2, reportedly fixing the memory leaks, but it requires ImageMagick 6.3.

We backported Ruby 1.8.6 p111 and ImageMagick 6.3 from the latest development version of Ubuntu (Hardy Heron) to Dapper.  They’ve been in use on a few boxes and no problems so far.  Feel free to make use of them.  We’ll be backporting any security updates as they come.

General details of the repository are here, with specific information about Ruby 1.8.6 and ImageMagick 6.3 on their own pages.

Ubuntu Hardy Heron is due out in the next few month, which brings a lot of this stuff with it.  Some of you might have the luxury of being able to upgrade to it, but some may need to stick with Dapper for a while – hopefully these packages will help you out.

When Brightbox met Kodefoo 17 Aug 07

I popped over to the GeekUp Leeds event on Wednesday at The Lounge. It’s a fairly new event (in Leeds anyway) and it was my first time, but it was fun to catch up with Rob Lee (of Kodefoo). We’ve been using the now infamous Apache 2.2 package that Rob backported from Ubuntu Feisty to Dapper for quite some time now, but completely unaware that Rob/Kodefoo is based only a couple of miles away in Otley!

Such a small world, eh?

Why we chose Ubuntu Dapper Drake 3 Aug 07

We’ve had a few beta testers ask about why we chose Ubuntu 6.06 (Dapper Drake) as our primary Xen guest installation, as opposed to one of the more recent releases such as Edgy or Feisty. We chose it primarily because of its support contract.

Ubuntu’s release schedule sees a new version released roughly every 6 months. These releases contain the very latest versions of the software packaged with it and are supported for only 18 months. Once in a while a version is selected as Long Term Support release (LTS) which gets 5 years of server support (3 years for desktop). By support, I mean the Ubuntu team are committed to releasing security upgrades in a timely manner. Dapper was the first LTS version and is support through to June 2011.

If we’d chosen Edgy, security upgrades wouldn’t be available to us after April 2008, forcing all of our Brightboxers to upgrade to Feisty, and so on every 18 months. With the speed that the Rails community jump deployment strategy ships some might say this isn’t a problem, but most installations do need long term stability and Dapper provides that.

There are some issues though, mainly that Dapper’s version of Apache is too old to support the nice proxy balancing stuff that’s used for Mongrel deployments¹. To solve this, we chose to use a backported Apache package². This does mean that we have to commit to backporting all security fixes, but this is trivial compared to all our guest machines needing a full upgrade every 18 months. We still get the Ubuntu team working for us on the other 99.9% of packages.

For our users who like to ride the bleeding edge, they can still upgrade to Feisty themselves if they know what they are doing but for most, this isn’t what Brightbox is all about.

¹ A beta tester pointed us in the direction of this bug report requesting an official Apache backport for Dapper. The more people testing these packages and voicing their support, the more likely this might happen.

² We’re using the backported Apache package provided by kodefoo.com at the moment (http://www.kodefoo.com/2007/2/18/deploying-rails-on-ubuntu-dapper/) but are ready to roll our own if necessary.