Doing security releases sucks (don't worry, I'm just thinking back to the most recent Rails release). Was thinking about writing a blog post that explains the challenges, but even thinking about it makes me tired.

Aaron Patterson ✅

Imagine a development environment where you can't use CI, and you need to do code archaeology for an unknown number of revisions. Patches, repros, tests, and announcements must all be done in secret. Then, if you did it right, the absolute best outcome you can hope for is that everyone upgrades and they notice no changes. It's extremely high risk (no CI, done in secret), low reward (nobody is stoked they have to upgrade bc security).

John Hawthorn :ruby:

@tenderlove I've also wanted^Wmeant to write a similar blog post for like 5 years, so safe to say I'm not going to.

Trevor Vallender

@tenderlove Firstly: thank you. Secondly: I presume the challenge to have a CI pipeline run locally is a huge one for a project as big as Rails?

Greg Donald

@tenderlove Thank goodness the job pays well.
