Today marks three years of PeepCode Screencasts and the beginning of the fourth. So we're running a one-day sale!
Last week I recorded a presentation for Oxente Rails where I pontificate on some of the things I've learned about business over the past few years. Here's the presentation video (it's about 30 minutes long):
Transcript
Introduction
I am Geoffrey Grosenbach and my company is PeepCode Screencasts.
Thank you for inviting me to speak over video at Oxente Rails today. It's an honor to be asked to speak and I'm flattered to be able to speak on what I've learned about business. Over the last few years I've frequently been asked to be a paid sponsor for conferences, which seems to imply that people think I'm running a business that makes money. But this is the first time I've been asked to talk about it.
I guess that's not too surprising. Up until a few months ago I was the only person working at PeepCode daily. When people want to learn how to run a successful business, they probably want to hear from someone with dozens of employees and tens of millions of dollars a year in revenue.
But here's the first thing I want to tell you: maybe that's not the kind of business you want to run. One of you asked "How has your professional success improved your personal life?" Honestly, it's made it more stressful and less predictable than before! It's the difference between driving a motorcycle and riding one as a passenger.
As the owner of a business, you're the one who determines whether or not you keep your job. If you make good decisions, you'll profit and the business stays alive. If you make bad decisions, you'll see your bank account start to head south. But I can honestly say that I love that part of running a business. The things I do every day matter and have a real effect.
And yet it's often unclear what should be done each day. There are a thousand little things that could be done, but they aren't equally important: creating new products, making connections with other businesses, working with subcontractors, advertising.
One of the successful businesspeople I admire is Adam Wiggins, currently co-founder of Heroku.com web hosting. He recently wrote a blog post where he compared video game skills to business skills and I think each of them was profound. The one I want to mention is "Planning for an Uncertain Future." In games, in business, and in life, you're better off if you make plans for the future. But the kicker is that you don't know what future you should plan for. So you have two problems right away: guessing what will happen in the future, and then figuring out what you need to do to succeed against it.
I chose my unofficial company title of Senior Visionary with humor, but living up to it has become my daily goal. I encourage you to take the same title, and think of that as your role in your business.
Another thing you might not expect to hear from someone who claims to be a successful businessperson is that I'm actually a bit surprised that I've been able to run a business for this long. PeepCode starts its fourth year this month. Combined with a few years of consulting, I've worked for my own company longer than I've worked for any other single company.
Why am I surprised? Growing up I was not very good at board games or video games. Put me against most anyone in Monopoly, Risk, Settlers of Catan, or any other board game and I'll probably lose. At the time I was convinced that mastering these games was equivalent to mastering business in real life.
One of the most successful businesspeople I know personally is a friend from high school. He started a few businesses and has sold at least one for a million dollars. He was the first investor in ICanHasCheezeburger.com, so he is at least a visionary in terms of cat humor. He was fantastic at all kinds of strategy and board games, all the way down to how he operated the snack bar during school sporting events.
Fortunately those skills didn't turn out to be necessary to run a business. I can say that I won the first house poker tournament I entered a few years ago, so maybe there's a lesson. Learn to play poker!
One skill that is important is being able to respond to change. I frequently think back to a quote I saw in a skateboarding video from a few years ago where photographer Grant Brittain talked about the changes he had seen in the sport and business of skateboarding over the past 30 years. He said that everything changes, and if it stops changing, it dies. I think that's part of the stress and unpredictability of running a business: you can almost guarantee that a success one month or one year won't be successful the next year. Your skill as a businessperson isn't about finding one hit and riding it out, it's about learning the skill of understanding the present, looking to the future, and making bets about what might happen.
True & False
Giving and receiving business advice is one of the most deceptive practices around. There are so many factors involved in starting and running a business that most people don't really know what initially made their business successful. And I usually suspect anyone who gives business advice because I assume they are holding back their best ideas for themselves. So let's start with two blatant falsehoods. I'm limiting myself to Internet-based businesses of non-tangible goods: software, digital products, websites.
Paid Products:
First, many people who try to start an Internet business are scared by the vocal, apparent majority who refuse to pay for anything online. When people learn what I do, they often say "People pay for that?" You often see this sentiment expressed on news aggregator sites or in comments on 99 iPhone apps complaining that they should be free. The easy conclusion is that no one should try to start an Internet business that charges for a product. Over the last three years I've found this to be absolutely false.
There are two things to say here. First, the free product market is completely separate from the paid product market. I haven't done a sociological study of this, but as far as I can tell from my business, there is an Internet economy made of people who don't pay for things and there's another entirely separate one made of people and businesses who have no problem with paying for products (and even prefer it).
This isn't a criticism of people who prefer free. I use many services that are free. But building a business on the free product market is very difficult, as has been shown repeatedly by startups that build a huge user base but can't figure out how to profit from it.
Second, charging a price for something changes the way people perceive it. We expect more from products and services we pay for. If I subscribe to a service and it doesn't fulfill my needs, I change to another one. Businesses have budgets that they need to spend on products that cost something. People give gifts and usually want them to have monetary value. People who try your free services might like them so much that they want to upgrade to a paid plan. This creates a responsibility for you, the entrepreneur, but it's also a benefit because you know that the people who repeatedly buy your products find them to be useful.
So my advice is: if you are starting a business, build it around a product that you sell directly to people rather than trying to earn money on advertising or other means.
Instant Success:
A second falsehood is that products succeed or fail quickly. We like overnight success stories.
But, as has often been illustrated, inspirational success stories often have more history behind them.
The Flip video camera became the best-selling camera on Amazon.com from the first day it launched in 2007. The company was bought by Cisco earlier this year for almost $600 million. But the company had a long history of near failures or modest successes for the four years previous. They first sold a disposable still camera in 2003. Then they tried a disposable video camera that could be converted to a DVD. Then finally they made the USB-based Flip video camera that became a hit. (ref)
In contrast, one of my first products failed because I abandoned it while it was still popular. In 2002 I wrote a desktop RSS reader for the Mac. There weren't many available at the time and mine had some advanced features such as the ability to use regular expressions to monitor a site that didn't yet publish an RSS feed. Cory Doctorow of Boing Boing tried it and wrote back with some feedback. But as a novice, I released one version, bought some advertising on a Mac news site, sold a couple dozen copies, and never touched it again. I have no idea if it could have been more successful because I stopped working on it before it had a chance.
So there's no shame in changing your product or the way you sell it, but stick with it. A business needs at least a few years of fine tuning to build momentum.
Products
So let's talk about products. There are several ways to sell software. You can sell a one-time product, usually a downloadable software application such as TextMate (39) or TaskPaper ($30).
Or you can sell a recurring service, usually on a website. Recurring services I use include Backpack calendar, Highrise address book, Blinksale invoicing, GitHub source code control, Sifter issue tracking, in addition to web hosting, DNS hosting and email hosting.
A third option is a one-time product that is released frequently such as PeepCode screencasts, books, magazines, etc.
Creating a product and fine-tuning it is one of the hardest things you'll have to do when starting a business. Here are my personal goals for any product I create:
- Sell an investment. By this I mean that your product should help the buyer make more money than was spent to acquire your product. When I sell a PeepCode screencast for $9, the customer should learn information that can be used to earn more than $9. Given the fact that a one-hour screencast takes several weeks to research and produce, I think this is pretty likely.
- Second, sell to businesses instead of consumers. This includes everything from one-person businesses to universities, corporations, and even governments. People obviously make money selling to consumers, but I've chosen to target businesses. This is partly because of point 1 and partly because businesses have budgets set aside for training, education, etc.
The type of product you choose to sell determines what goes into building it. A frequently released product probably requires less initial effort to build the first time. I spent one month on the very first PeepCode screencast. Recently I started a side project with a friend in Seattle. It's a desktop application and we expect to spend several months building the first version. A website or service could be anywhere in that range, all the way up to several years.
As a software developer, you have incredible resources available to you, namely your mind and your time. A non-technical businessperson would need to hire a developer at expensive hourly rates, but you have those skills already. Areas you may need to invest real money into might be legal, accounting, and artistic/UI. Which leads to people.
People
In 1975, Fred Brooks wrote a book titled The Mythical Man-Month. One of the lesser known essays from that book suggests that software teams work like a surgical team. The surgeon performs the critical actions during surgery, but is assisted by specialists. The surgeon could prepare the patient for surgery, or reach over and grab a scalpel, or monitor vital signs, but this would be a waste of time. Instead, the surgeon focuses on what a surgeon does best.
In my experience, this is the first part of scaling a business. You could do the accounting, the front end web design, and the legal paperwork to get the business started, but it would be a waste of your time. My lawyer costs close to $300/hour, but he does great work and does it much more quickly than I could. My accountant helps me save thousands of dollars a year by figuring out when to pay taxes on time and how to do it. I have several outsourced assistants that transcribe audio, do research, reply to support emails, and other tasks. Post a job on your blog, or use a service like ODesk.com.
Business Partner:
Another person that you should think about is a business partner. This is a friend who has an interest in the success of the business and can complement your skills. I started PeepCode on my own and I think it would have gone much more smoothly if I had found someone to start it with. On the other hand, it could have been worse, too! A business partner should be someone you know well because you'll be making many important decisions together.
Ideally, it would be a person who understands the technical side of the business but who has skills that you don't: business management, artistic, usability, financial.
Running a business involves both macro-decisions (such as what product to create or what to call the business) and micro-decisions (such as what shade of pink to use for the logo or what to work on today).
Paul Graham recently wrote an essay contrasting the daily schedule of managers vs. creative individuals. Managers and businesspeople might do 20 different things in a day and have no problem adding another thing to their schedule. Creators need at least a half day or even a full day to build momentum. If you're the only one working on the business, you'll have to do both. So split your week into alternating days of managing and making, or get a business partner who can do the managing so you can focus on creating.
The Rest of Life
One more thing before I address some questions. Don't forget about the rest of your life.
I work very hard on PeepCode, but I limit myself to about 10 hours a day maximum. If you're always at the computer, you miss out on other ways of thinking. A nap can be useful in the middle of the day both to recharge your body and to let your subconscious mind focus on a problem.
Get exercise. I interviewed a brain researcher who observed that the mind is less active when the body is sedentary. And not just weight lifting either; you need to get your heart rate up. I run or bike a few times a week and I notice a huge difference when I do it.
Conclusion
In conclusion,
- Charge a fair price for your product.
- Stick with it for at least a year, maybe a few years.
- Choose a type of product that matches the time, effort, and money that you want to invest.
- Surround yourself with specialists.
- Start the business with one other person that you know well.
- Work reasonable hours and get exercise.
Questions
A few questions that were sent in previously.
How did you decide to start making money with screencasts, something that nobody (or almost nobody) used to do before PeepCode?
The most straightforward answer is that I wanted to buy quality screencasts on technical topics and no one else was doing it. I made a product that I wanted to use myself.
I knew that screencasts were popular. You have the original "Build a Rails Blog in 10 Minutes" screencast. Other people were posting screencasts to their blogs in those early days but they would often mumble into the microphone and they weren't very well presented.
I knew that screencasts could make money. At MacWorld a few years ago, Lynda.com had one of the biggest booths on the entire show floor. They produce top notch screencasts on Adobe Photoshop, After Effects, and other visual applications. And they run a profitable business doing it.
So the last step was just experimentation. I literally started out with just a blog, a link to a third-party shopping cart, and a video I had spent a month on. It was nowhere near to the visual quality of the screencasts we make today, but people loved the content and they bought enough copies to tell me that I should keep doing it.
Since then, several other publishers have gotten into the screencasting business. Ryan Bates started his excellent RailsCasts blog with a huge following (I was the first paying advertiser on his site for its first year).
So you have to start with an idea and try it. Hypothesis, experimentation, evaluation.
Was it an extra challenge to convince people to buy something digital? Non concrete?
I knew that some people would never pay for digital products, so my goal wasn't to convince them to pay for a digital product.
If your business depends on convincing people to do something they don't want to do, it will fail. Think of any popular or successful business. It's probably successful because it helps people do something they already want to do.
My goal was to find out if there were people who wanted what I wanted and could make a mental calculation to figure out that it's actually a better investment of their time and money to pay $9 for a screencast that will save them days of hunting for that information. It turns out that there are a lot of those people.
One of my favorite books is Information Anxiety by Richard Saul Wurman, founder of the TED conferences. He talks about the flood of information available to us and the value of consuming a filtered stream of information that tells us just what we need to know. There's actually a value in filtering the available information, reducing it down to the essentials in a format that can be consumed quickly. That's what I'm offering.
Even now, you can probably find some leaked PeepCode products on BitTorrent if you spend enough time hunting. But many people have told me that they discovered PeepCode there and later came to buy it at my site, so I call that a win.
What were the biggest mistakes you committed at PeepCode? What did you learn from them?
That's a great question. Mistake: a wrong or misguided action, sometimes because of inexperience. My whole experience has been a process of going from inexperience to learning how things should be done!
I started PeepCode with blog software and a third-party shopping cart that took a 20% fee. There's no way I could run the business now if I still used that system. But it helped me start and I don't regret it.
I put a lot of time, money, and development into building a PDF publishing system, but it turns out that people want video from PeepCode. The publishing system is really great for publishing on code-related topics. Authors write in Textile or Markdown, like a blog article. But other than a few titles that sold really well, it turns out to be better for me to take the same content and publish video instead.
I waited way too long to buy decent software. A quality video editing suite was US$1,300 at the time and seemed like a lot of money, so I edited by cutting and pasting into the QuickTime Player for the first year of PeepCode. Since then I've bought over $5,000 of software for editing, effects and compression. It has been worth every penny. But when you're starting, you're worried about spending too much money and don't want to go nuts with every piece of hardware and software that catches your eye. For example, I bought a MacBook Air which is a horrible machine for video editing (even though many developers use it daily for coding).
Some mistakes may still be in process! Last month I signed a contract to distribute some PeepCode content through a third-party publisher. I have no idea if this will turn out to be a good idea or a bad one. But I can cancel on short notice, without which I wouldn't have signed it. So like many other ideas, it's a hypothesis and I'm testing it against the real world.
What did you use to do before becoming an entrepreneur? And why did you decide to become one?
My university degree is in Philosophy. I've hacked on computers since I was 10 years old and worked at a startup writing software in Java and old-school ASP while I was still at the university. Afterward I worked at a few other startups writing Perl, taught computer-related topics at an American school in Taiwan, and worked as a Rails freelancer and workshop instructor.
I wanted to become an entrepreneur because I thought I could run a business better than the other businesses I had worked for. Most of them made horrible mistakes and still survived in some form. So I thought if I could operate a business without making mistakes of that magnitude, I could do well.
I also wanted to see if my ideas were worthwhile or not.
What are the current statistics for Brasil and Latin America regarding PeepCode products?
Last year Brasil was the 6th highest purchaser of PeepCode products. So far this year it has been overtaken by France, Sweden, and Holland, but the year isn't over yet!
About half of PeepCode products are bought in the USA, a quarter go to other English speaking countries like the UK, Canada, and Australia. The rest is split between 100 other countries led by Germany, France, Sweden, Holland, and Brasil.
We've published translations of a few PDFs but people were mostly interested in the English versions.
PeepCode Screencasts Learn Ruby on Rails and Javascript! Hour-long screencasts for $9.
Some of the smartest programmers I know are also the most well rounded.
No one can deny that Why the Lucky Stiff is a strong advocate for Ruby, yet he knows Python well enough to write a bytecode converter that targets it.
Last year I switched to zsh because Christian Neukirchen recommended it, yet he is conversant with the next version of Bash, comparing and contrasting their features with ease.
Over the last few weeks I've been using the Mercurial distributed source code management system. I had encountered it when checking out a few open source projects like BWToolkit and wanted to become more familiar. Most blog posts that champion Git feature a few Mercurial commenters claiming that Mercurial is easier to use. Is this true? Why do they say that?
This isn't an attempt to convince you to use Mercurial exclusively. And I'm intentionally skipping any mention of Mercurial's shortcomings. I want to see these features in upcoming versions of Git. If I've missed something and that feature is already available, then I'd love to know about it! Leave a comment even though it won't show publicly (I'm dealing with spam problems).
So here are 5 features Git should steal from Mercurial.
An Intelligent Setup Command
Mercurial (command hg) has a much smarter command for creating repositories. You can create both a directory and initialize a new repository with one command:

    hg init my_project

Git assumes that you are in an existing directory and will squawk otherwise.
Accomplishing this in Git would take something like this:

    mkdir my_project
    cd my_project
    git init

In addition, you can clone an empty repository. Imagine creating a new repository on GitHub and being taken immediately to your new project page with a link to clone the repository. That's the experience you get with Mercurial.
No local setup is required. No editing of your .git/config file. Just clone and start adding files.
Put these together and you get a Bash function like this to create a private remote SSH repository and clone it locally:

    # Create an empty repository on the remote host, then clone it into
    # a directory of the same name on the local machine.
    function new-hg {
        ssh user@example.com "hg init $1"
        hg clone "ssh://user@example.com/$1"
    }

Call it like this:

    new-hg my_project

Right now Git requires that you commit one changeset before it will let you clone a repository. A simple solution is to add a .gitignore to the project. In fact, that would be a great feature request for the GitHub workflow!
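As an added example (not code from the original post), here is the Git counterpart of new-hg that applies the .gitignore workaround the post suggests: it creates a bare repository on the remote, clones it, and makes the first commit so the clone is immediately usable. It assumes git is installed, and the remote argument is either an SSH host such as user@example.com or, for offline use, a local directory path.

```shell
#!/bin/sh
# new_git <remote> <project>
#   remote:  "user@host" for SSH, or an absolute local directory path
#   project: name of the repository (and local directory) to create
# Both the SSH host and the local-directory mode are assumptions made for
# this example; they are not part of the original post.
set -eu

new_git() {
    remote=$1
    project=$2
    case $remote in
        /*)
            # Offline mode: the "remote" is a directory on this machine.
            mkdir -p "$remote"
            git init --bare --quiet "$remote/$project.git"
            url="$remote/$project.git"
            ;;
        *)
            # SSH mode: create the bare repository on the remote host.
            ssh "$remote" "git init --bare --quiet $project.git"
            url="ssh://$remote/~/$project.git"
            ;;
    esac

    git clone --quiet "$url" "$project"
    (
        cd "$project"
        # Git is awkward with a repository that has no commits at all, so
        # commit a .gitignore right away; its contents are constructed here.
        printf '.DS_Store\n*.log\n' > .gitignore
        git add .gitignore
        git -c user.name=example -c user.email=example@example.invalid \
            commit --quiet -m "Initial commit: add .gitignore"
        # Push the current branch under its own name to the bare remote.
        git push --quiet origin HEAD
    )
}

# Returns 0 when the bare remote holds at least one branch, 1 otherwise.
remote_has_branch() {
    [ -n "$(git -C "$1" for-each-ref refs/heads)" ]
}
```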
Branches Everywhere
Git makes branching easy. Much easier than it was with Subversion.
But good luck trying to use those branches! Once you go beyond the local machine you'll encounter cryptic commands abounding with switches and options that are weird but commonly used:

    # Delete a Git branch
    git push origin :refs/heads/feature-tweak

Mercurial branches are not only easy to make, they are also easy to use! They go everywhere the repository does. You don't have to worry about tracking branches or weird pushes to get them onto your remote repository.

    hg branch feature-tweak
    hg commit
    hg push

Once you're done, close the branch and it disappears.

    hg commit --close-branch

I'm sure someone will counter with the argument from Linus that this requires coordination between developers to avoid branch name clashes. First, this isn't really a problem unless you're on a large team that shares a single repository.
And even in that case, why not use your name as a namespace?

    git branch topfunky-feature-tweak

Git branches are already separated by the name of the remote repository. Why not just prepend the developer's name to it as well? Then let me check out a branch with that identifier and commit to it.

    git checkout topfunky/feature-tweak

Quick Local References
Mercurial provides a nice local shortcut for referring to commits. Instead of making ASCII art with specifiers like master^_^, you can use a nice integer:

    # 18:a432bc
    hg checkout 18

These numbers don't travel across clones, but they make it much easier on the local machine.
Sensible Defaults
You can use Mercurial for a long time without using command flags. Most commands can be used without requiring knowledge of the underlying guts of the SCM.
    hg revert .

Compare this to:

    git reset --hard ORIG_HEAD

Commits happen Subversion-style. Yes, this is a feature! No need to add files before every commit or use a flag. Just commit and any changes since the last one will be included.
The incremental commit feature of Git has always confused me. I understand the theoretical beauty of being able to commit just one part of a file, but that means you're committing a changeset that you've never used, never run tests against.
Easy Serving
Serving files happens easily without any arguments via the built-in webserver:
    hg serve

You can visit the site at http://localhost:8000. As a bonus, you can clone it directly over HTTP:

    hg clone http://localhost:8000 my_project

Again, simple and straightforward. No post-commit-hook tweaking is required.
Conclusion
I've intentionally left out any of the nasty bits of Mercurial, preferring to feature Git's instead.
The good news is that most of these features could be implemented as surface-level improvements. I already use a handful of scripts to manage the otherwise unsavory tasks involved with using Git daily. Perhaps a few more could make it even better.
Product Placement
My pal and co-worker Dan Benjamin has prepared a fantastic PeepCode screencast on Mercurial. I assume that most readers of this blog are probably comfortable with Git. But if you're like me and are continually looking for ways to improve your tools or adopt new ones, I think you'll find it satisfying.
On Thursday I presented remotely at RubyFest about MacRuby. I put together a 30 minute video and short demo app.
Download MacRuby Presentation at RubyFest, 46 MB
I'm also putting the final tweaks on a MacRuby screencast at PeepCode, prepared by Alex Vollmer with technical review by Laurent Sansonetti. Look for it on Monday!
NOTE: The full tutorial screencast is now available here: PeepCode Meet MacRuby
The first question most people ask me about PeepCode Screencasts is How many employees do you have?
Maybe it's a more polite way of asking "What was your gross revenue for the most recent fiscal quarter?" At any rate, I now have something to tell them.

Two weeks ago, I started a collaboration with Dan Benjamin. He will be working half time at PeepCode, hopefully moving to full time in the near future.
Dan has made a name for himself many times over. He developed the CMS for A List Apart, the authoritative online magazine for people who make websites. He developed and sold Corkd, a social wine review website. And he's a perfect fit for PeepCode, given his multimedia and business experience starting The Talk Show with John Gruber and the Tack Sharp podcast with James Duncan Davidson. He also runs a popular blog at Hivelogic.
Dan is one of the most connected people I know, and I wouldn't be surprised if he is only two degrees away from Kevin Bacon. So I'm especially flattered that he wanted to work with me. However, he is available for part-time consulting in the meantime, so contact him now if you want to work with him while he's still on the market.
April Sale!
What does this mean for PeepCode? New ideas. A better workflow. More content!
In two weeks weve already refined parts of the PeepCode screencast production workflow that will make it easier to work with other authors and keep the quality top notch.
For you it means an April sale! Get a year of PeepCode for only $129 (save $20). Or get one free credit with a 5 pack.
If you're an existing Unlimited subscriber, you can renew or extend your subscription at any time for only $109.
Comments are temporarily disabled, but will return.
"And with my handheld portable all-purpose lightweight doohickey I fuse thoughts and try not to be too picky." (Buck65)
"I'm personally offended that you enjoy the software you work with ;)" (al3x)
Update: Full 60-minute screencast now available at PeepCode!
A few weeks ago I decided to try out Emacs. I wasn't especially dissatisfied with TextMate but felt that I had neglected to educate myself about a major part of computer science history. Somewhat like a DJ who has never heard Grandmaster Flash (who purportedly invented much of the hardware used to create music with multiple turntables), I felt that I needed to try out one of the classic text editors still used by many today.
My history with text editors over the last 10 years goes something like:
- BBEdit
- vim (for about 6 months)
- Smultron
- TextMate
Screencast
I've assembled a short screencast of my initial impressions:
Initial Impressions
The Good Stuff
Here's a short list of what I'm enjoying about it so far:
- Efficiently keyboard driven. No need to use the mouse at all.
- Window splits for viewing multiple files (and shells) at once.
- Powerful editing.
- The ease with which one can work with dozens of files without getting confused.
- Super customizable.
- Easy to keep settings, snippets, plugins, etc. synchronized between desktop and laptop with Git.
- Quality plugins from the community.
- The aha moment when parts of code make more sense given the fact that Emacs was used by Matz, Ryan Davis, Nathan Weizenbaum, etc. to author them.
- That unidentifiable elitist feeling you get from using a tool that's too difficult or awkward for most people.
The Awkward Bits
- No GUI for preferences.
- Mac OS X integration is just barely good enough to get by. For example, I can't get Hide Others to work except by using the mouse.
- It's assumed that you'll do most work from within Emacs itself rather than piping text to it.
- Crashes when trying to switch color themes. This may be a problem with the color theme plugin I'm using.
- It's difficult to think about content and files instead of icons and buttons.
Getting Started
Installing, learning, and configuring Emacs is unfortunately not easy. I'm working on a PeepCode screencast with Phil Hagelberg that I hope to finish within the next few weeks. In the meantime, here are some resources I used to get started on Mac OS X:
- Install from Git mirror of the source
- See the nextstep/INSTALL file for Mac installation instructions.
- Phil Hagelberg's starter kit: tremendously useful.
- My current config: use at your own risk. Yes, I use a huge font size.
Useful Plugins
- yasnippet.el: TextMate-style tab trigger snippets with mirroring, defaults, etc.
- textmate.el: provides tremendously useful keyboard shortcuts for TextMate switchers. I've modified it to work with my setup.
- magit: Git integration.
See Also
- Full 60-minute screencast now available at PeepCode!
- Alex Payne on the flight to old text editors
- Phil Hagelberg on learning emacs, plus links to other blog articles about recent adopters
And a word from our sponsor
New hot-selling PeepCode Screencast authored by Lars Pind.
PeepCode Screencasts Learn Ruby on Rails and Javascript! Hour-long screencasts for $9.
I'm always impressed by the continuous flow of innovation from the Rails community. Below are just a few of the highlights from the past month. These stories all came from the Ruby5 Podcast, which covers all the news from the Ruby and Rails community twice weekly.
Authentication
The talented Brazilian guys over at Plataformatec released the Devise gem this week, a new authentication option for your Rails app. Devise is a Rails Engine which sits on top of Warden, a Rack authentication framework. This makes Devise a little more flexible than other Rails authentication libraries, and it is definitely worth a look.
On the other hand, if your application needs something simpler, check out Terry Heath's OpenID Rails Engine. It should take you about 10 minutes to have an authentication system up and running, and you won't have to worry about storing your users' passwords.
Helpful Libraries
Thanks to Twitters new Streaming API we no longer have to poll every 5 seconds to discover new tweets. To start using it today check out the TweetStream Gem by Intridea.
With Rails 2.3 we gained the ability to use Rack middleware in our Rails apps. If you don't know what Rack middleware is yet, go watch this screencast. Also, if you'd like some ideas on how to use it, check out the CodeRack Middleware Contest, a competition to develop more useful, top-quality Rack middleware.
A few weeks ago I heard about a JavaScript library called Validatious, which provides unobtrusive JavaScript for client-side form validations. I know what you're thinking, though: if I do both client-side and server-side validations I'll have code which duplicates validation logic, and that makes me want to hurl. Don't hurl quite yet; first check out Jonas Grimfelt's Validatious on Rails plugin, which auto-generates client-side validations from your existing model validations.
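For readers new to the idea, here is the Rack middleware contract in working Ruby, as an added example that is not from the screencast or the contest. Only the standard library is needed, since a Rack application is any object that answers call(env) with [status, headers, body], and middleware is just an app that wraps another app. EchoApp, SecurityHeaders and the request helper are hypothetical names; the header values and the body-size limit are illustrative choices, not anything the page prescribes.

```ruby
# Added illustration of the Rack middleware contract (not code from the page
# or from any project it mentions). Standard library only.

# Hypothetical innermost app: echoes the request path as plain text.
class EchoApp
  def call(env)
    [200, { "Content-Type" => "text/plain" }, ["path=#{env['PATH_INFO']}"]]
  end
end

# Hypothetical middleware. On the way in it refuses oversized request bodies
# before the app ever sees them; on the way out it adds defensive headers.
class SecurityHeaders
  MAX_BODY = 1024 * 1024 # 1 MiB, an arbitrary limit for the example

  def initialize(app, max_body: MAX_BODY)
    @app = app
    @max_body = max_body
  end

  def call(env)
    # Rack hands CONTENT_LENGTH over as a string; missing means no body.
    if env["CONTENT_LENGTH"].to_i > @max_body
      return [413, { "Content-Type" => "text/plain" }, ["request body too large"]]
    end

    status, headers, body = @app.call(env)
    headers = headers.merge(
      "X-Content-Type-Options" => "nosniff",
      "X-Frame-Options"        => "DENY"
    )
    [status, headers, body]
  end
end

# Assemble the stack the way Rack::Builder would: outermost middleware first.
def build_stack
  SecurityHeaders.new(EchoApp.new)
end

# Drive the stack with a minimal constructed env; a real server fills in many
# more keys, but these are enough for the contract shown here.
def request(path, content_length: 0)
  env = {
    "REQUEST_METHOD" => "GET",
    "PATH_INFO"      => path,
    "CONTENT_LENGTH" => content_length.to_s
  }
  build_stack.call(env)
end
```

Because the middleware owns the response triple, it can short-circuit (the 413) or decorate (the headers) without the app knowing; that is the whole mechanism, and it is why Rails 2.3 could start moving concerns like exception handling into the Rack layer.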
Optimization & Performance
If your Rails app needs to handle many users uploading files at the same time (think Flickr), then you may want to look at ModPorter, an Apache module and Rails plugin created by Pratik Naik and Michael Koziarski. ModPorter parses incoming multipart requests, storing the file to disk before it reaches your Rails app, so your Rails processes don't get held up. We hear there is also support for nginx through a third-party module.
When you're dealing with a database abstraction like ActiveRecord, it's very important to ensure you're writing optimal database queries. If you're worried that your app may be doing more queries than it should or isn't using eager loading properly, you may want to check out the Bullet plugin by Richard Huang. Bullet can give you Growl notifications when you're missing an :include or should be using a counter cache.
Do you have Mongrels that are consuming more than 150 MB of RAM and you don't know why? Do you suspect that it might be Ruby leaking all over the place? Then you'd probably be wrong, and Sudara Williams will tell you That's not a Memory Leak, It's Bloat. It's more likely that you're instantiating thousands of ActiveRecord objects, and Sudara gives you a few suggestions on how to find them.
Cleaning up code
The presenter pattern is very useful for encapsulating code that may be making your controller look fat, code that doesn't belong in your model either. Dmytro Shteflyuk wrote up a great introduction to using presenters that's worth a read if you're not using them already.
Sending complex data sets between Ruby and JavaScript isn't always easy. Don't you wish there was a way to take that Ruby hash and just have it automatically transform into a JavaScript map? If yes, then you may want to look at jsvars by Erick Schmitt; that's what it does.
Deployment
You may already know about Chef (the system integration framework), but did you know that you can also deploy your Ruby app from Chef using chef-deploy? Ezra Zygmuntowicz created this gem, which runs your Chef recipes and then, if they pass (and only if they pass), deploys your code in a Capistrano-like fashion.
If you're deploying a Rails cluster to Amazon EC2, then another solution aside from Chef is a gem called rubber by Matthew Conway. Rubber keeps deployment a first-class citizen, storing all your server configuration files inside your Rails app where they can quickly be tweaked under version control. It comes with many deployment best practices out of the box and can scale up or down at a moment's notice.
Media
Have you ever wanted to run a Rails tutorial in your city, but been discouraged by the thought of writing all the course material? Then you need to check out the Rails Bridge Open Workshop project, where they have all the course material you're going to need, for free! You have no excuse not to spread the word of Rails anymore.
Lastly, if you're looking for additional Rails screencasts, you may want to check out Teach Me To Code, and if you're looking for additional Rails reading, then check out the past few issues of Rails Magazine by Olimpiu Metiu.
Thanks for reading, and if you have any Ruby or Rails news you'd like to spread the word about, please send it in to the Ruby5 podcast by emailing ruby5@envylabs.com.
Image Credit: Blue Sky on Rails by ecstaticist, Analog Solutions 606 Mod by Formication, Rainbow by One Good Bumblebee. Orange County Security by henning, Broom by fatman, remember by tochis, Darwin Was Right About Media Players! by Neeku.
So, Edge Rails is still chugging right along. There are new and interesting fixes, changes, and refactors going in all of the time. Let's take a look at just a few that have gone in since the last post (it's been a while, I know, I'm sorry!).
ActionView and Helpers
XSS escaping is now enabled by default. This means that if you want to output raw HTML from your views, you'll have to mark it as html_safe! before sending it through:
<%= 'my <a href="http://www.rubyonrails.org">safe</a> string'.html_safe! %>
Many of the built-in helpers have been updated for this change, and if you see an issue with the Rails helpers being incorrectly escaped, you should create a new ticket.
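How escape-by-default works, as an added illustration that is not the Rails source: a tiny model of the view's output buffer that escapes every plain String on concatenation and passes through only strings explicitly marked safe. SafeString, OutputBuffer and the String#html_safe! patch are simplified stand-ins for the Rails SafeBuffer (the real html_safe! of the time flagged the receiver in place; this one returns a marked copy); the link and the comment body are constructed inputs.

```ruby
require "erb"

# Added model of escape-by-default output (not the Rails implementation).
# A plain String is untrusted and gets escaped when it reaches the buffer;
# only a string explicitly marked safe is passed through verbatim.
class SafeString < String
  def html_safe?
    true
  end

  def html_safe!
    self
  end
end

class String
  def html_safe?
    false
  end

  # Hypothetical stand-in for the Rails method: returns a copy marked safe.
  def html_safe!
    SafeString.new(self)
  end
end

# The output buffer a view writes into. Anything not marked safe is escaped
# on the way in, so a model attribute containing markup cannot inject it.
class OutputBuffer < SafeString
  def <<(str)
    super(str.html_safe? ? str : ERB::Util.html_escape(str))
  end
end

# Render a template given as a list of fragments, the way an ERB view behaves
# under auto-escaping: static template text and helper output are marked safe,
# model attributes are not.
def render(fragments)
  buffer = OutputBuffer.new
  fragments.each { |fragment| buffer << fragment }
  String.new(buffer)
end

# Constructed page: a trusted link built by a helper plus a comment body that
# came from a user.
def page_for(comment_body)
  render([
    "<p>".html_safe!,
    '<a href="http://www.rubyonrails.org">safe</a>'.html_safe!,
    " ",          # plain String: escaped, but harmless either way
    comment_body, # whatever the user sent
    "</p>".html_safe!
  ])
end
```

The caveat the default does not remove: calling html_safe! on something that originated with the user switches escaping off for exactly the data that needs it, so the marker belongs only on markup your own code built.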
distance_of_time_in_words has gained 'over', 'about', and 'almost' keywords, thanks to Jay Pignata and John Trupiano. This gives you finer granularity when approximating the amount of time passed. So, instead of just "2 years ago", it can now also report "almost 2 years ago," "about 2 years ago," and "over 2 years ago," depending on how close the interval is to exactly 2 years.
assert_equal "almost 2 years", distance_of_time_in_words(from, to + 2.years - 3.months + 1.day)
assert_equal "about 2 years", distance_of_time_in_words(from, to + 2.years + 3.months - 1.day)
assert_equal "over 2 years", distance_of_time_in_words(from, to + 2.years + 3.months + 1.day)
assert_equal "over 2 years", distance_of_time_in_words(from, to + 2.years + 9.months - 1.day)
assert_equal "almost 3 years", distance_of_time_in_words(from, to + 2.years + 9.months + 1.day)
The HTML form helper fields_for, generally used for nesting additional model forms, now accepts an explicit collection, thanks to Andrew France. So, instead of including all of your blog.posts, you can have it display only your published blog.posts, for example. Or:
<% form_for @person, :url => { :action => "update" } do |person_form| %>
  ...
  <% person_form.fields_for :projects, @active_projects do |project_fields| %>
    Name: <%= project_fields.text_field :name %>
  <% end %>
<% end %>
API change for content_tag_for: the third argument, the optional CSS prefix, now also affects the generated CSS class. The prefix is prepended to the generated element's class attribute as well as its id.
<%= content_tag_for(:li, @post, :published) %>
# => <li id="published_post_123" class="published_post">...</li>
ActiveResource and ActiveRecord
Taryn East has added update_attribute(s) methods to ActiveResource. These methods act very similarly to the ActiveRecord methods we already know and love.
Building or creating an object through a has_one association that contains conditionals will now automatically append those conditions to the newly created object, thanks to Luciano Panaro.
class Blog
  has_one :commit_author, :class_name => 'Author', :conditions => {:name => "Luciano Panaro"}
end
@blog.build_commit_author
# => #<Author name: "Luciano Panaro" ... >
Pratik Naik added a new :limit option to ActiveRecord's accepts_nested_attributes_for, capping the number of records that are allowed to be processed. Also, while we're covering accepts_nested_attributes_for, José Valim has renamed the _delete option to _destroy to better reflect what actually happens. A deprecation warning has been added to _delete for the time being.
Jacob Burkhart updated the new autosave option in Rails 2.3 to allow :autosave => false, which disallows saving of associated objects even when they are new records.
Some Internals
Previously, CDATA elements could be ignored when converting from XML to a Hash; now, thanks to John Pignata, Hash#from_xml properly parses and includes the values of CDATA elements.
Josh Peek has relocated global exception handling into ActionDispatch::Rescue. So, this is now being handled at the Rack middleware level.
And finally, Yehuda Katz and Carl Lerche began work on a Rails::Application object to better encapsulate application start-up and configuration details. A good bit of the initialization code has already moved into this new object.
Remember, if you prefer to have a shorter audio summary of some of this content and more, you should check out the Ruby5 podcast over at Envy Labs; it's released every Tuesday and Friday with the latest news in the Ruby and Rails community.
Photo: Clock Tower by Brian Taylor
RubyEnRails 2009 goes down this 30/31 October in Amsterdam. Talks are in English and Dutch.
RubyEnRails has been all-volunteer for four years running, building on a history of sweet venues, good talks, and great company. It's gradually grown from a local gathering to a full-fledged European event, and this year it's also stepping up to fill the shoes of RailsConf EU.
Yehuda and I are speaking and will be mixing a potent batch of Rails 3 kool-aid. Please join us for a sip!
It's been a bit over two weeks since the last WNiER ("winner"?) post and in the time since our last visit, Ruby on Rails 2.3.4 was released to fix some reported security issues. It is important that you try to upgrade your applications as soon as possible, or even just apply the provided patches if a full upgrade isn't easily accomplished in your situation.
Along with this release, you're also going to see several bug fixes and enhancements to the Rails framework, coming from many contributors, that have been discussed here over the previous weeks and even a few that are mentioned just below.
Security updates
Michael Koziarski posted fixes (here and here) for cleaning and verifying multibyte (Unicode) strings. The problem was reported by Brian Mastenbrook, and Manfred Stienstra provided input for the fix. These changes should stop malformed Unicode strings from getting past the HTML escaping logic provided by the form helpers.
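Why the encoding has to be checked before escaping, as an added example that is not the patch itself: an escaper only rewrites the characters it recognises, so a byte sequence that is not valid UTF-8 sails through untouched and is left for the browser to interpret. clean_utf8 and escape_for_html are hypothetical helpers built on the standard library; the two inputs are constructed, the second with a truncated multibyte sequence (a lone 0xC3 lead byte) immediately in front of a tag.

```ruby
require "erb"

# Added example (not the Rails fix). Validate the encoding of untrusted text
# before it reaches the HTML escaper: either reject malformed input outright
# or, where losing bytes is acceptable, replace them with U+FFFD.
class MalformedEncoding < ArgumentError; end

def clean_utf8(str, strict: true)
  s = str.dup.force_encoding(Encoding::UTF_8)
  return s if s.valid_encoding?
  raise MalformedEncoding, "input is not valid UTF-8" if strict
  # String#scrub replaces each invalid byte sequence with the given string.
  s.scrub("\uFFFD")
end

# Escape for HTML only after the bytes are known to be well-formed UTF-8, so
# the escaper sees the same characters the browser will.
def escape_for_html(str, strict: true)
  ERB::Util.html_escape(clean_utf8(str, strict: strict))
end

# Constructed inputs, delivered as raw bytes the way a request body arrives.
GOOD = "caf\xC3\xA9 <b>".b   # well-formed: "café <b>"
BAD  = "\xC3<script>".b      # 0xC3 needs a continuation byte; '<' is not one
```

Strict mode is the right default for form input: a client that sends invalid UTF-8 is either broken or probing, and a 400 costs nothing. Scrubbing is for data you must keep (log lines, imported records) and should be logged when it happens.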
Coda Hale reported, and also contributed a patch to Rails fixing, a timing attack vulnerability in ActiveSupport::MessageVerifier. Although not likely to be exploited in the wild, the vulnerability could allow an attacker to forge the signatures that protect your application's cookie-based session store. If successfully broken, an attacker could modify their session objects without alerting your application to the change.
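The fix in working form, as an added example that is not the Rails MessageVerifier source: SignedMessage (a hypothetical name) signs a payload with HMAC-SHA256 and checks the signature with a byte-by-byte comparison that never exits early, so rejecting a forgery takes the same time whether none or most of its bytes were right. JSON is the serializer here rather than Marshal, which Rails used at the time and which must never be handed attacker-controlled bytes.

```ruby
require "openssl"
require "json"

# Added example (not the Rails class). Signs and verifies a payload with an
# HMAC, comparing signatures in constant time.
class SignedMessage
  class InvalidSignature < StandardError; end

  def initialize(secret, digest: "SHA256")
    @secret = secret
    @digest = digest
  end

  # Serialise, base64-encode (strict, no newlines) and append the HMAC of the
  # encoded payload. "--" cannot occur inside base64, so it is a safe separator.
  def generate(value)
    data = [JSON.generate(value)].pack("m0")
    "#{data}--#{hmac(data)}"
  end

  # Recompute the HMAC over the received payload and compare it in constant
  # time before the payload is decoded or parsed at all.
  def verify(signed)
    data, sig = signed.to_s.split("--", 2)
    raise InvalidSignature if data.nil? || sig.nil? || data.empty?
    raise InvalidSignature unless secure_compare(hmac(data), sig)
    JSON.parse(data.unpack1("m0"))
  end

  private

  def hmac(data)
    OpenSSL::HMAC.hexdigest(@digest, @secret, data)
  end

  # XOR every byte pair and OR the results together: the loop runs to the end
  # regardless of where the first mismatch is. The length check leaks only the
  # digest length, which is public anyway. A plain == would stop at the first
  # differing byte, which is exactly what a timing attack measures.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    result = 0
    a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
    result.zero?
  end
end
```

Verify before decode matters as much as the comparison: if the payload were parsed first, an attacker would get a parser as an oracle even with a wrong signature.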
There have been some issues reported around the Rails 2.3.4 release, specifically with regard to Ruby 1.9 support. While they have not all yet been fully substantiated, this certainly underscores the importance of having proper test coverage and both a staging and production environment for your applications.
Down to the metal
Yehuda Katz and Carl Lerche put in quite a bit of work around ActionController::Metal and Rack's Middleware, recently. ActionController::Metal now acts as a Rack middleware and at the same time, there is a new ActionController::Middleware class that operates as normal Rack middleware.
And, if that wasn't enough, Yehuda went on to add ActiveModel::Lint. ActiveModel::Lint allows you to determine whether or not an object is compliant with the ActiveModel API, via:
ActiveModel::Compliance.test(object)
The output is similar to Test::Unit output and indicates which portions of the ActiveModel API the given object is, or more importantly is not, compliant with.
If Metal is your thing, you may want to take a look at Yehuda Katz's recent blog post, How to Build Sinatra on Rails 3.
Pour some sugar on me
Quite a few changes, small and large, occurred around ActiveRecord and friends. Most of these cleaned up some existing functionality, either making it easier to use, perform more closely to what would be expected, or even adding some new features that will soon feel like old friends.
Taryn East added a little ActiveRecord-like love to ActiveResource. In this patch, ActiveResource received the familiar first, last, and all shortcut methods for wrapping the basic find method.
Proc and symbol support was added to the validates_numericality_of ActiveRecord validation, by Kane.
For those of you who use the :anchor option when generating URLs, you may notice that after this patch by Jeffrey Hardy, Rails will now execute the to_param method on the object provided as an :anchor.
@post = Post.first
@comment = Comment.first
post_url(@post, :anchor => @comment)
# => http://www.example.com/posts/1#comment-1
Well, something similar to that, anyway. :) This brings the :anchor option in line with the other options used when generating URLs.
José Valim cleaned up some bits in the Rails scaffold. The generated new and edit views will now reference a new _form partial. This is a much DRYer way to go about it, and more closely follows what would likely happen if you were to code it yourself. Also, while he was there, he removed a bit of inline CSS (specifically, a green flash message) in favor of a CSS class and an update to the default scaffold stylesheet.
And, probably the most interesting change in this group is the addition of a new ActiveRecord#previous_changes method, by Scott Barr. previous_changes lets you see what changed in the last save of your local ActiveRecord object instance. This is particularly useful in after_save callbacks that need to know exactly what changed. I'll let him give you a code sample:
person = Person.find_by_name('bob')
person.name = 'robert'
person.changes          # => {'name' => ['bob', 'robert']}
person.save
person.changes          # => {}
person.previous_changes # => {'name' => ['bob', 'robert']}
person.reload
person.previous_changes # => {}
Okay, let's do it your way
While a lot of us prefer US English, we (begrudgingly) recognize that we aren't always the center of the universe. As such, there are some more localization updates to report in Edge Rails:
Sven Fuchs added localization support to the ActiveRecord::RecordInvalid exception's error message. Then, Akira Matsuda followed Sven with support for localizing the SELECT tag helper's prompt text (the default being, "Please select").
Finally, this is certainly a welcome addition and potentially a major player in localization support within Rails: Antonio Tapiador del Dujo added a patch which allows Rails plugins to define and maintain their own locale files. All the plugin developer needs to do is provide a config/locales/ directory within the plugin and then create their own .rb or .yml files (e.g. en.yml). That means plugins can now be much more responsible for their own localization support and do not have to modify the application's locale files after installation.
Food for thought
Finally, just a small note that the default, preferred table collation for MySQL has been changed. Previously, Rails defaulted to utf8_general_ci when either the database or the table creation script did not dictate otherwise. Now, that has been changed to utf8_unicode_ci. Certainly worth a note with so many Rails applications using MySQL in their back-end.
Update: Set the attribution of previous_changes to Scott Barr. Sorry, Scott!
Photo: Security at the Hoover Dam by Alex E. Proimos
We've released Ruby on Rails 2.3.4. This release fixes bugs and introduces a few minor features. Due to the inclusion of two security fixes, all users of the 2.3 series are recommended to upgrade as soon as possible.
Security Fixes
2.3.4 contains fixes for two security issues which were reported to us. For more details see the security announcements:
Bug Fixes
Thanks to the success of the BugMash, we have around 100 bug fixes as part of this release. Of particular note is the fix to reloading problems related to Rack middleware and Rails metals when running in development mode.
New Features
PeepCode has teamed up with Gregg Pollack, Jason Seifer, and David A. Black of Envycasts to provide you with their current library of screencasts!
Jump into the future of Ruby with part 2 of this two part series on the distinguishing new features of Ruby 1.9. Topics covered in this 35-minute screencast include:
- Block Variables
- Strings
- Encoding
- Object-wide Newness
Start with Part I if you haven't seen it yet!
Available to PeepCode Unlimited subscribers, or with your PeepCode credits, or as a single purchase for only US$9!
PeepCode has teamed up with Gregg Pollack, Jason Seifer, and David A. Black of Envycasts to provide you with their current library of screencasts!
Jump into the future of Ruby with this two part series on the distinguishing new features of Ruby 1.9. Topics covered in this 41-minute screencast include:
- Hashes
- Arrays
- Symbols
- Enumerators
- Enumerable
- RubyGems
Part II completes the series and is available now.
Available to PeepCode Unlimited subscribers, or with your PeepCode credits, or as a single purchase for only US$9!
With technical assistance from Sinatra creator Blake Mizerany.
As a developer, you're always looking for ways to write faster applications with less code. The Sinatra framework hits a sweet spot for writing small, fast web applications and web services with Ruby.
In this 64 minute screencast, Dan Benjamin teaches the basics of Sinatra: configuration, handlers, blocks, and templates. You'll master these techniques by writing a simple ad server to manage and deliver images, JavaScript, and HTML. You'll enhance the application to track clicks using DataMapper and Sqlite3 to store and manage the data.
This screencast is for you whether you're a beginning programmer with knowledge of Ruby or an experienced Rails developer looking to explore the Sinatra framework!
Chapters include:
- Meet Sinatra
- A Simple App
- App Structure
- DataMapper
- Sqlite3
- Styling
- Forms & Interactivity
- Displaying Ads
- Tracking Clicks
- Authentication
- Deployment
- Advanced Topics: Haml, Routing, Exceptions, Sinatra::Base, Rack, Heroku
Available to PeepCode Unlimited Subscribers or as a single purchase for only $9!
Co-authored by Alex Vollmer, author of the Evri iPhone app and the PeepCode Screencast on MacRuby.
Our first iPhone View Controllers screencast (Part I) was an instant hit. This screencast completes it and continues the momentum in our new series of iPhone development screencasts.
In this tutorial you'll become confident using the simple yet powerful table view controller. You'll learn about layout, interaction, workflow, capabilities, and tips for working with tables.
We go beyond simple usage to show how to use a custom cell that dynamically displays multiline text. And you're free to use it in your own projects, too!
Rotation and modal controllers are explained with a sample project included. Explanation is enhanced by the informative diagrams and motion graphics youre used to seeing at PeepCode.
We conclude with a priceless tour of troubleshooting tips that will help you write more reliable applications with much less pain.
This 57 minute screencast covers:
- Table View Controllers
- DataSource & Delegate
- Accessories & Callbacks
- Reusing Cells
- Cell Styles
- Code: Table List Controller
- Table View Methods
- Populating the Cell
- Connecting to the Nib
- Bonus: KVO for Cell Images
- Code: Grouped Table Detail Controller
- Handling Row Selection
- Using an Enum
- The Table Footer View
- Autoresizing
- Dynamic Height Cells
- Using a Custom Cell
- Device Rotation
- Presenting Modally
- Troubleshooting
- Expect Blood
- Deploy Early
- Zombies are your Friends
- Threading Issues
- Memory & Instruments
- Non-Events
- The Unexpected
- Performance
- Clang
See the graphic below for a full list of chapters and sub-sections.
Available to PeepCode Unlimited Subscribers or alone for only US$9!
Uses icons by Joseph Wain / glyphish.com and the HTTPRiot REST library.
Co-authored by Alex Vollmer, author of the Evri iPhone app and the PeepCode Screencast on MacRuby.
After months of production and over a year of anticipation, it's the first PeepCode Screencast on native iPhone application development!
The iPhone is possibly the most revolutionary computing device of the last few years. The good news is you can learn to write native applications for it!
Programming applications for the iPhone is radically different from writing web applications, but we'll take you through both the high-level concepts and the line-by-line code to understand it. While many tutorials show only fragmentary examples or trivial applications, we'll walk through a visual news application that fetches data from a web service and displays it with both custom and stock views.
This 78 minute screencast covers:
- Conceptual Overview
- View Controller Basics
- Callbacks
- Code: Setup
- Tab Bar Controller Concepts
- Code: Tab Bar Controller
- Navigation Controller Concepts
- Code: Thumbnail Navigation Controller
- Code: Web View Controller
- To Be Continued
See the graphic below for a full list of chapters and sub-sections.
You'll do best if you've watched our Objective-C screencast first.
Part II is now available!
Available to PeepCode Unlimited Subscribers or alone for only US$9!
Uses icons by Joseph Wain / glyphish.com and the HTTPRiot REST library.
Oct 13 2009
So far the only gotchas were that I was using the MySQL plugin and not the gem. I’ve since configured my Site5 account to use gems, so that’s not a problem, and I had a few outdated conventions that I fixed. I’m hoping that I got everything; I mean, after all, my tests passed, so everything should be fine! If you guys come across anything out of the ordinary, any error, anything, I’d love it if you’d please let me know.
Also, I’ve got 6 pounce invites if anyone still is looking for those. :)
I caught up with this thread on Joel’s discussion board today. We software developers will take any opportunity to rant about the bass-ackwards code we have to deal with on a regular basis. For passionate developers, it’s understandable that most code wouldn’t live up to our standards; only a select few projects have the resources necessary to truly pursue perfection. Over time, exposure to imperfect code can condition us into an unfair knee-jerk reaction to new code.
How bad is the code really?
The world is full of terrible code. Usually that becomes painfully obvious at maintenance time. When an existing project is opened up for the first time by a new team member, I think the instinct is to see the flaws before the brilliance. What kinds of things make code stinky? Well it depends who you ask, but some possible reasons are:
- Unnecessary duplication of code (under-abstracted)
- Overly complicated code (over-abstracted or unnecessarily clever)
- Too many files/classes
- Giant monolithic classes
- Wrong design patterns applied
- Stupid algorithms
- Failure to use appropriate libraries or framework features (reinventing the wheel)
- Inconsistency (lack of conventions)
- Numerous obvious comments
- No documentation
Anyone who’s done their share of code maintenance has probably been annoyed by most of the things on this list at one time or another. “If only they had done it this way.” It’s easy to just assume the code sucks based on a first impression. Once you jump to that conclusion, every minor flaw affirms your prejudice.
Pet peeves
Let’s step back a minute and give ourselves an ego check. To an experienced developer there are hundreds of nuances that will stick out like a sore thumb, but they are likely to annoy you far more than they actually impact your productivity were you to consider them objectively.
If you’re not careful, your concern for the code boils over into judgement of the previous programmers. Maybe the last guy wasn’t up to snuff in this language, maybe his pet peeves were different, maybe he was just a blathering idiot. Whatever the case, why dwell on it?
I’ve managed to make it through a lot of bad code without slowing down much. Every once in a while a refactoring or a straight-up delete-and-rewrite was necessary, but most of the time I was able to grit my teeth and get the changes done relatively quickly.
Real reasons code “sucks”
The problem facing you is likely to be different from what the last programmer faced. It would be foolish to assume that the software was designed with the same requirements that you have in front of you today. Who’s to say the business goals haven’t changed drastically since then?
You and the last developer have different information. Even after you’ve spent a lot of time on the code and understand all the intricacies and business goals, you still may not know the history of the project. Maybe the code has grown and shrunk and morphed into something completely different from when it started. If it’s time to refactor, maybe that’s your job.
It’s also quite possible that refactoring is not worth it. Good developers innately want maintainable and aesthetically pleasing code, but there is a cost. We can’t write perfect software before we understand it, and we can’t refactor without spending time. The developer is usually in a better position than the manager to assess the long-term cost of not refactoring, but he also has a vested interest in exaggerating that cost. To make a fair assessment, the developer must have a direct business interest. Even then there’s a great deal of uncertainty. It’s always a gamble.
Cognitive dissonance
Developers are conditioned to be right. Our job requires a fiercely logical thought process and the ability to make absolute assertions. Being wrong means things are broken, sometimes spectacularly so. And because we think so hard about things in this way, our conclusions are usually well-reasoned. But we are still human, and we still have the same defense mechanisms around our belief systems as everybody else. The insidious thing is that our reasoning blinds us to our own subjectivity. Our open-mindedness is a badge of pride, but also a set of subconscious blinders.
The only really objective thing about software is its output.
Software engineering is about making choices. Some choices are pragmatic (C++ for performance), some are philosophical (Ruby vs Python), but most are an intangible mixture of past experience and future expectations. When you see some code for the first time, the chances that it will mesh with your experience and philosophy are pretty slim. Eventually you may come to appreciate it for what it is, but in the meantime every tradeoff that didn’t follow your current line of thought will irk you.
Software is messy
None of this is to say that there aren’t real quality problems in the software industry; of course there are. But I think it’s worth carefully considering our own motivations and biases before judging how bad the problem really is.
We may not like dealing with inadequately-funded balls of mud, but that’s probably where most of the paying work is. Even in relatively clean code bases, reasonable people can disagree on style or architecture points. Regardless of initial code quality, there will always be difficult and inelegant maintenance that needs to be done. My goal is to keep emotion out of it, and just fix problems. Refactoring is great if a business case can be made, otherwise just slog through as fast as possible without complaining.
Easier said than done, I know.
The RubyWorld Conference will be held at the Shimane Prefectural Convention Center (Kunibiki Messe), Shimane Prefecture, on September 7th and 8th, 2009.
The talks at the International Conference Hall will be broadcast live on the official web site.
Stay tuned!
The Call for Proposals for presenting at RubyConf 2009 is now open.
The deadline for proposals is August 21, 2009.
You need to sign up for an account at rubyconf.org, and then you can submit your proposal.
RubyConf 2009 will take place November 19-21 2009, at the Embassy Suites Hotel at the San Francisco Airport, California, USA.
Ruby 1.9.2 preview 1 has been released.
This is a preview for the 1.9.2 series. It is just a snapshot: it still has some known bugs and is sometimes unstable. Let us know what you think of it.
- The Socket API has been made more object-oriented.
- Time was reimplemented and enhanced. Time now has no max/min value and no year 2038 problem.
- New Random class for random number sequences.
- Good news for Merb users: Method#parameters.
see the NEWS and the ChangeLog for more detail.
Location
- ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.2-preview1.tar.bz2
  SIZE: 7487008 bytes
  MD5: 0b8f27ea78afcdc54d5d23e569aa0150
  SHA256: 0681204e52207153250da80b3cc46812f94107807458a7d64b17554b6df71120
- ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.2-preview1.tar.gz
  SIZE: 9422226 bytes
  MD5: e2b8cdbf300f53472be09699a5837fd1
  SHA256: 7f29ab3b1d5f0074bb82a6bf398f1cacd42fe508a17fc14844560c4d906786b6
- ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.2-preview1.zip
  SIZE: 10741739 bytes
  MD5: 253b5845e4b0f8250ae79c328b94e049
  SHA256: cb132277476856535ee31e85929a3041877b0912868b7f64d1cf911a79463cdf
Ruby 1.9.1-p243 has been released.
This is a patch level release in the 1.9.1 series. It includes bug fixes.
see the ChangeLog for more details.
Location
- ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p243.tar.bz2
  SIZE: 7191348 bytes
  MD5: 66d4f8403d13623051091347764881a0
  SHA256: 39c9850841c0dd5d368f96b854f97c19b21eb28a02200f8b4e151f608092e687
- ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p243.tar.gz
  SIZE: 9043825 bytes
  MD5: 515bfd965814e718c0943abf3dde5494
  SHA256: 31598e37b3962643bec722921644957be6f8fb9a26f6c91fa627bd668ea68be4
- ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p243.zip
  SIZE: 10307868 bytes
  MD5: 7086675f78185d72719132231b810e4d
  SHA256: 68a9847299269c5251dc61f7aad8482ab6022a6b1be13635d607fb593208b226
A denial of service (DoS) vulnerability was found in the BigDecimal standard library of Ruby. Conversion from BigDecimal objects into Float numbers had a problem which enables attackers to cause segmentation faults.
ActiveRecord relies on this method, so most Rails applications are affected, though this is not a Rails-specific issue.
Impact
An attacker can cause a denial of service by making BigDecimal parse and convert an absurdly large number, such as:
BigDecimal("9E69999999").to_s("F")
Vulnerable versions
1.8 series
- 1.8.6-p368 and all prior versions
- 1.8.7-p160 and all prior versions
1.9 series
- No 1.9.1 versions are affected by this issue
Solution
1.8 series
Please upgrade to 1.8.6-p369 or 1.8.7-p174.
- ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p369.tar.gz
- ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p174.tar.gz
Updates
- Ruby 1.8.7-p173 had a problem. If you have already downloaded it, please get a newer one. Ruby 1.8.6-p369 does not have this bug.
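A defensive bound an application can apply on its own side while it waits for the upgrade, as an added example that is not part of the advisory: parse_bounded_decimal and plain_decimal_string are hypothetical helpers that reject a number whose exponent is out of range before any conversion that has to materialise every digit (the to_s("F") shown above under Impact, to_f, to_i). They rely on BigDecimal#exponent, which reports the power of ten without expanding the number, so the check is cheap even for the trigger value. MAX_EXPONENT is an arbitrary limit chosen for the example.

```ruby
require "bigdecimal"

# Added example (not from the advisory). Bound the magnitude of untrusted
# decimal input before converting it, instead of trusting the interpreter to
# survive a pathological exponent.
class DecimalTooLarge < ArgumentError; end

# Hypothetical bound: plenty for prices, balances and coordinates, and far
# below anything that could exhaust memory during conversion.
MAX_EXPONENT = 64

# Parse input into a BigDecimal and refuse values whose exponent is outside
# [-max_exponent, max_exponent]. BigDecimal#exponent is the n in 0.ddd * 10**n
# and is computed from the stored representation, not from expanded digits.
# Non-finite results (e.g. the string "Infinity") are refused as well.
def parse_bounded_decimal(input, max_exponent: MAX_EXPONENT)
  value = BigDecimal(input.to_s) # raises ArgumentError on garbage
  unless value.finite?
    raise DecimalTooLarge, "non-finite value rejected"
  end
  if value.exponent.abs > max_exponent
    raise DecimalTooLarge, "exponent #{value.exponent} exceeds #{max_exponent}"
  end
  value
end

# Safe wrapper around the conversion the advisory names as the trigger: the
# expansion to plain digits only happens after the bound has been enforced.
def plain_decimal_string(input, max_exponent: MAX_EXPONENT)
  parse_bounded_decimal(input, max_exponent: max_exponent).to_s("F")
end
```

The same guard belongs in front of to_f whenever a user-supplied BigDecimal is handed to code that expects a Float, since that is the conversion the advisory says was faulting.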