rbs
RubyGems
Our great sponsors
rbs | RubyGems | |
---|---|---|
20 | 25 | |
1,866 | 2,291 | |
1.9% | 2.2% | |
9.7 | 9.8 | |
3 days ago | about 15 hours ago | |
Ruby | Ruby | |
GNU General Public License v3.0 or later | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
rbs
-
A decent VS Code and Ruby on Rails setup
I saw no mention of RBS+Steep, the latter providing a LSP. I use it a lot and very much like it, although it's still young and needs love, but it's making good, steady progress! I've been very pleasantly surprised by some of the crazy things Steep can catch, completely statically!
You appear to be working on projects with Sorbet (which I tried to like but found it fell short in practice, notably outside of the app use case i.e it's mostly useless for gems) so it may be a tall order to try on those. Maybe you can give RBS+Steep a shot on some small project?
RBS: https://github.com/ruby/rbs
RBS collection (for those gems that don't ship RBS signatures in `sig`, integrates with bundler): https://github.com/ruby/gem_rbs_collection
Steep: https://github.com/soutaro/steep
VS Code: https://github.com/soutaro/steep-vscode
Sublime Text: https://github.com/sublimelsp/LSP
Vim (I'm working on it): https://github.com/dense-analysis/ale/pull/4671
-
What it was like working for Gitlab
I don't know what you mean by "Static typing is not webscale".
> https://news.ycombinator.com/item?id=39159481
Bugs exist in all code written in all programming languages and you will find bugs in programs written in statically typed languages too as you know. Programming languages are rarely chosen for the absense of bugs alone though or we'd all be using SPARK Ada or something.
> spitting out code as fast as your keyboard works, or is is not having features do weirdo things
This is a straw man. No-one has suggested that "spitting out code as fast as your keyboard works" is what Rails allows you to do, or that Ruby code results in features that "do weirdo things".
In reality engineer productivity is important and Rails enables it in a web environment.
> I have more than once tried to contribute fixes to GitLab's codebase, and every time I open the thing in RubyMine it hurpdurps having no earthly idea where symbols come from or what completions are legal in any given context.
Yes, I prefer writing statically typed languages and I would /greatly/ prefer Ruby to be statically typed for a number of reasons, but it will likely never be so in a way I consider to be usable (see https://github.com/ruby/rbs). Not being able to definitively tell what a method returns or where one is defined is a total PITA, but it's one of the array of up and downsides to Ruby, with each language having a different set.
> I trust JetBrains analysis deeply, so if they can't deduce what's going on, then it must take an impressive amount of glucose to memorize every single surface area one needs to implement a feature.
You don't need to know how all of Rails works to write a Rails app, as I'm sure you know, so this seems like another mis-representation of the truth, just as you don't need to know how the compiler or CPUs work to do a lot of (most?) programming.
> That or, hear me out, maybe "it works on my machine" is a close to correct as the language is going to get without explicit type hints as a pseudo static typing
You seem to be suggesting that Ruby on Rails applications behave unpredictably on a machine to machine basis but that's not really how Ruby works in practice, or matching on my experience.
- Building GitHub with Ruby on Rails
-
Ruby 3.2’s YJIT is Production-Ready
Ruby does have optional type annotations, if you want them:
- Crystal for Rubyists
-
Is anyone using RBS?
Is anyone using RBS? Or, is it still half-baked? I haven't seen any recent posts about it this year. Though, I see the repo has some recent activity.
-
RBS introduced manifest.yaml
Currently rbs collection resolves stdlib dependencies, but rbs -r LIB option doesn't resolve them unfortunately. For instance, logger depends on monitor, but rbs -r logger doesn't load monitor.
-
Catching up on things
Here is link number 1 - Previous text "RBS"
RBS is a nice new feature but what's really cool, and I hope it will be include in the standard library, is Async
-
The future of rbs collection
Partial clone reduces the impact, but it just procrastinates the problems.
RubyGems
-
Phlex is the ruby way to build your views
However, let's examine a typical partial, such as the one from the . rubygems.org search show page
- Chrome considers gems to be dangerous?
-
OOP vs. services for organizing business logic: is there a third way?
github.com/rubygems/rubygems.org (26k lines): Where Ruby gems are hosted.
-
RubyGems now requires MFA for owners of top gems
If anyone is looking to do some open source contributions on a mature, production Ruby on Rails site, I highly recommend contributing to the rubygems.org project. The code is extremely clean and the repo is very, very well run.
-
Making popular Ruby packages more secure
In fact, you can now scope API tokens per-gem as well: https://github.com/rubygems/rubygems.org/pull/2944
RubyGems does have gem signing, but it's not widely used.
There's a proposal for a new "one button" approach using sigstore[0].
Other ecosystems are also looking at sigstore too, and a lot of us are cooperating in the OpenSSF Securing Software Repos WG [1]. Package signing is a regular topic of discussion and there are various efforts underway.
Disclosure: I am involved with both of these.
-
Unauthorized gem takeover for some gems
SSH is such a different use case that the analogies break down. With respect, thinking about this for a few minutes should convince you that while TOFU works fine for immutable artifact signatures, it is unworkable for a system where you ever upgrade packages.
Consider that most nontrivial projects on rubygems have multiple maintainers that can publish a version. Normal collaboration models would imply that they each have a personal signing key; sharing a single signing key per project isn’t realistic (as you mentioned, rotation is another reason for this). And TOFU doesn’t work when there are multiple possible keys, such a system requires an external trust chain.
Assume for the sake of argument the above is solved. What exactly do you do when tooling alerts you that an upgraded dependency has changed keys since the last publish? Either you blindly accept the new key or you investigate. If the latter hopefully you have a way to directly contact the author to verify that the rotation was legitimate. Since you probably don’t you should just compare the diff of the published artifacts. But you should have been doing this anyway, so what has the signature bought you here except false security?
I’m all for pragmatic solutions that measurably improve security. I just think changes like https://github.com/rubygems/rubygems.org/pull/2499 and https://github.com/rubygems/rubygems.org/pull/2242 qualify to a much greater extent than thinking of crypto as magic dust that can be sprinkled on a system to increase its security.
This test seems to be a good example of the vulnerability: https://github.com/rubygems/rubygems.org/commit/58c755a7a62a...
-
Ask HN: How many 2FA tokens do you have?
See https://github.com/rubygems/rubygems.org/pull/2865 for the web part
> From the replies it sounds like this is talking about client software?
Yes the command line is a client to the rubygems server
> An unattended client should not be able to do WebAuthn as the whole point is that a human is present and authorising the authentication step
You either need a PIN, a fingerprint, a press, or no action just owning the device or the software.
> if I have 100% full of Bob's device I still can't touch the sensor or button to authenticate as Bob.
If you have a perfect copy of a Yubikey or the same fingerprint you should be able to authenticate I think
> OpenSSH works with Yubikeys
Nice, I will look into it
What are some alternatives?
dry-validation - Validation library with type-safe schemas and rules
sorbet - A fast, powerful type checker designed for Ruby
Bundler
gemdiff - Find source repositories for ruby gems. Open, compare, and update outdated gem versions
Gem in a Box - Really simple rubygem hosting
gemstash - A RubyGems.org cache and private gem server
passwordless - 🗝 Authentication for your Rails app without the icky-ness of passwords
steep - Static type checker for Ruby
typeprof - An experimental type-level Ruby interpreter for testing and understanding Ruby code
rubygems - Library packaging and distribution for Ruby.
Ruby on Rails - Ruby on Rails
SharpZipLib - #ziplib is a Zip, GZip, Tar and BZip2 library written entirely in C# for the .NET platform.