#ruby - 01 August 2019
[00:09:00] d9a: Is Eloquent Ruby still highly recommended even though it's old? I've been going through it. I'm new to Ruby but not programming.
[11:44:01] ryouba: how do i get system('ssh somehost ls /tmp/*') to not evaluate the interpolation on the client, but only later, on the server?
[13:50:22] adam12: Abhijit: Not sure about "simulate", but you can raise whatever you want, whenever you want. Did you have a specific example in mind?
[13:51:30] adam12: I'd love to know why this exists. Is it satire? https://github.com/dabit/is_array
[14:51:28] adam12: if you could bring it down to 84 hours, the crowd might be less tired at the end.
[14:54:46] baweaver: They need to appreciate the majestic oration that is a lemur talk to its fullest
[15:37:54] rapha: (very relevant thread imho: https://www.reddit.com/r/ruby/comments/82ubtj/is_it_still_worth_reading_the_pickaxe_manual/)
[15:40:38] rapha: even just https://rubyreferences.github.io/ as a paper book available on amazon would be cool
[15:42:18] havenwood: There are still plenty of undocumented things, but it's getting better every release.
[15:45:49] Ryctolagus: New to Ruby and had not stumbled across https://rubyreferences.github.io/ before. So glad I joined this Channel!! I know it was not directed in my direction, however thank you rapha.
[15:52:40] havenwood: Ryctolagus: We have some good links to other resources here: https://ruby-community.com/pages/links
[15:53:16] havenwood: Ryctolagus: There's some overlap, but there are a few additional resources listed here: https://www.ruby-lang.org/en/documentation/
[15:53:36] havenwood: Ryctolagus: And a list of books we need to merge with the community page: https://gist.github.com/baweaver/57a7c8296ca2c03effbd8fac1e7f6b40
[15:54:52] Ryctolagus: havenwood: Thank you. I have worked through the entire Ruby course on Codecademy. I must say so far I am really enjoying the language.
[15:54:59] havenwood: Ryctolagus: It's great to be able to explore the stdlib through Pry as well. I'd suggest checking it out if you haven't yet. Here's a talk on REPL-driven development with Pry: https://youtu.be/D9j_Mf91M0I
[15:55:15] ruby[bot]: Pry, the better IRB, provides easy object inspection `ls`, `history`, viewing docs `?`, viewing source `$`, syntax highlighting and other features (see `help` for more). Put `binding.pry` in your source code for easy debugging. Install Pry (https://pryrepl.org/): gem install pry pry-doc
[15:58:02] Ryctolagus: havenwood: I had not heard of pry I will look into it. Currently I have a hacked together Vim environment and was beginning to play with RSpec/guard-rspec. Pry may be another tool to add to the toolbox :)
[16:04:19] rapha: havenwood: reference is one thing, and tutorials are another ... the Pickaxe was pretty awesome with respect to guiding one through the language features, do's and better-not-do's, etc.
[16:05:33] havenwood: rapha: I don't have a copy, but I've browsed through it a few times at the book store. I saw an amazing examples book in Japan that I wish I'd bought, even though I can't read the comments.
[16:10:09] rapha: i mean, in japan, there's probably lots of stuff the non-japanese-speaking part of the community isn't even aware of
[16:56:21] havenwood: Ryctolagus: It was the book that introduced Ruby to the English-speaking world.
[18:26:27] srandon111: hello all, questions, how can i get the URL link for the TSV file here https://www.cvedetails.com/vulnerability-list/year-2009/vulnerabilities.html ? since i see some js function call...
[18:49:26] Iambchop: srandon111: the "download" url there is a data: url with the page data dynamically appended; to get the url would need to read the table data in which case you could write the file yourself. something like mechanize or webdriver, for example.
[19:49:55] srandon111: ok Iambchop i don't understand why these guys haven't put everything in a single json
[20:47:22] plujon: I notice that `gem install jekyll -P HighSecurity` doesn't do much because jekyll is unsigned.
[20:56:59] leftylink: I see that https://github.com/rubygems-trust hasn't updated their copies of the respective repos in more than 6 years. perhaps that means the efforts (if still existing) moved elsewhere
[21:12:33] plujon: "oh no! I typoed while installing rails and later discovered my machine has been rooted for a while"
[21:17:20] qbrd[m]: I guess my first question is why are you manually installing gems in a production system.
[21:23:55] qbrd[m]: I mean, a system with real live data that sees real live workloads. Purely from an academic perspective, if you're developing and testing with mock data, then developing against the `rials` rootkit library really doesn't "matter", in that a bad actor is only getting fake data.
[21:24:22] qbrd[m]: my point is, if your problem is "I typoed while installing rails and my machine has been rooted for 6mos" you probably have bigger process problems at hand.
[21:25:23] havenwood: apotheon: Yes, it's still off by default in favor of default trace instructions.
[21:26:00] havenwood: apotheon: You can use RubyVM::InstructionSequence to compile portions of code with TCO, even if you don't enable it at compile time.
[21:26:34] havenwood: apotheon: Here's an implementation of #require_relative that shows compiling a file with TCO: https://gist.github.com/havenwood/3c5a5e1476c811460992
[21:29:33] havenwood: plujon: Not much of a rootkit: https://github.com/okay-zz/Rials/blob/master/lib/rials.rb#L4-L11
[21:38:44] qbrd[m]: it's a decent editor. and, with the "remote integration", working on VMs (which is where I do 90% of my dev work anyway) is a DREAM
[21:38:55] havenwood: plujon: I do tend to read gem code. Nobody reads the code of the whole stack. It's a trust nightmare, but it's certainly not specific to Ruby.
[21:41:32] havenwood: plujon: Occasionally you'll see someone try to sneak an exploit into an actually used package, and it's no fun when they do. More often than not it's someone getting credentials they shouldn't have.
[21:42:47] havenwood: plujon: Luckily most folk who would want to be malicious hackers seem incapable of coding. There are certainly plenty of folk who could but have no interest in being malicious.
[21:44:36] havenwood: That said, I'd love to see the TUF work for RubyGems be picked up and finished.
[21:45:14] plujon: Granted, the problem is not specific to ruby. I'm not terribly familiar with how this is handled in other places. I know in some places electronic signatures tied to physical human beings is the main "assurance", and others where all code is reviewed.
[21:45:21] qbrd[m]: plujon: did you see https://itnext.io/no-way-to-prevent-this-says-only-development-community-where-this-regularly-happens-8ef59e6836de
[21:45:27] havenwood: If anyone wants to pick up the TUF work, I'd be happy to help you get corporate sponsorship.
[21:48:40] havenwood: qbrd[m]: https://www.theonion.com/no-way-to-prevent-this-says-only-nation-where-this-r-1835173950
[21:49:46] havenwood: qbrd[m]: But it's true, there are a ton of folk who could inject awful stuff into code who just do not.
[22:01:50] plujon: Supposedly, Debian maintainers do [some?] code review when importing from upstream. I'm not sure how consistent or what the details are.
[22:10:56] havenwood: miah: https://medium.com/square-corner-blog/securing-rubygems-with-tuf-part-1-d374fdd05d85
[22:11:56] havenwood: plujon: OpenBSD is the best example of an OS where code is actually reviewed, afaik.
[22:19:44] plujon: "Trust should not be granted forever. Trust should expire if it is not renewed." (Ah, so that's why armagadd-on occurred ...)
[22:27:15] Intelo: havenwood, qbrd[m] so RubyMine EAP and Atom are free? free for ever? VS code is microsoft so I should hate it.. Don't you recommend eclipse?
[22:30:06] qbrd[m]: IDK anything about RubyMine EAP. Atom is currently free and open source(?), VS Code is currently free and also open source. I don't think you should hate a product just because it's a microsoft product... though admittedly I do have a bias against them, I try to judge products on their merits alone...
[22:30:49] qbrd[m]: I've never really liked eclipse, but if you're doing Java development, IntelliJ is the way to go.
[22:32:21] qbrd[m]: I also haven't touched java in nearly a decade... ditto for eclipse... so I'm not sure I'm the person to be asking in all honesty.
[22:32:54] qbrd[m]: I was about half kidding when I said "I hate to admit liking a Microsoft product" :P
[22:33:32] qbrd[m]: * I've never really liked eclipse, but if you're doing Java development, I've heard IntelliJ is the way to go.
[23:00:38] apotheon: After getting help with havenwood on TCO, I went on to abuse the crap out of a regex positive lookahead to get results unrelated to the purpose of a positive lookahead.