old.kete.net.nz :Help

Glad to see you are paying attention to the Ruby on Rails ecosystem.

Kete "freezes" its version of Rails. Currently to 2.3.5. This means that Kete's source code actually carries the version of Rails that it depends on. This predates Bundler which has a different strategy for managing Ruby software dependencies.

Our included version of Rails also has a small number of customizations.

In other words we are pretty far behind Rails, even within the 2.3 releases. It's a non-trivial bit of work to bring Kete up to date with Rails 2.3.15 unfortunately, though we definitely want to do it.

I've been in talks with a few developers about tackling this work, including Rabid, a Wellington based Rails consultancy. I'm hopeful that they will pick up the mantle.

If you, your organization, or anyone reading this can contribute coding, funding, or other resources that would be helpful.

Tags: Kete 1.4, security, roadmap

Thanks for the info, Walter - I'll take this to my director and see what we can do!

Tags: Kete 1.4, security, roadmap

Update:

I've reviewed the security notices and a few things to keep in mind:

1. The "find_by" SQL injection attack doesn't impact Kete as it only involves Rails 3 and up
2. The parsing attack may not be an avenue for attack for Kete from my quick look, however there is a workaround and a patch

So even if we don't update to 2.3.15 we may be able to patch our frozen version of Rails to address the issues (i.e. we may get the security benefits without the work necessary for a full upgrade).

 In the Rails community there is a huge amount of concern about these possible avenues of attack and rightly so, but this is largely based on most Rails app being on Rails 3 or later at this point. In some ways Kete being behind may be a source of protection.

To use a bad metaphor, the house is not  on fire, but we should probably change the fire alarm's battery...

Having said that, I'm not a security expert nor have I done an indepth security audit for these attacks and I could be wrong.

Tags: Kete 1.4, security, roadmap

Hi Robin,

Sorry to be late to the party on this.     Even if it's not possible to find budget, a conversation with you about improving Kete would be very welcome.   We're still learning a lot about the library domain and uses of Kete, beyond the software itself so it would be good to know the frustrations and benefits you encounter using Kete, as well as your own wishlist.

The first goal of our proposed project that I am drafting a proposal for will be an upgrade of Ruby on Rails, with a path to upgrade existing installations.  I'm glad Walter has covered the security side but I'm not a security analyst and the next couple of months may throw up some other vulnerabilities that may be interesting.  Lets keep our fingers crossed.

Send me an email if you are open to a phone call in the near future  :)

best,

Josh

josh  [ at    ]     rabidtech.co.nz