This repository has been archived by the owner on Jan 19, 2023. It is now read-only.

rubysec.com is not responding #14

Closed
jrochkind opened this issue Jan 5, 2020 · 23 comments

Comments

@jrochkind

jrochkind commented Jan 5, 2020

Nothing is responding at https://rubysec.com/

Not sure if it this is expected/intentional or what?

Rubysec.com is still listed on the README for https://github.com/rubysec/ruby-advisory-db, specifically link on "use this form" in "Open an issue, submit a PR, or use this form", to https://rubysec.com/advisories/new .

I appreciate and use rubysec.com, specifically the atom feed at https://rubysec.com/atom.xml, to provide ruby security news on my https://rubyland.news.

I am not sure how long it has been down for. It looks like rubyland.news successfully got an item from the atom feed on 17 Nov 2019, but it doesn't keep records for how long after that it may have been getting correct responses with no new items.

Hmm, I see somehow reported #11 even earlier though, in Sep 2019, with no response. However, 5 months before that in April, someone did respond to fix SSL expiry problem.

Is the rubysec.com website no longer a maintained project? Are other rubysec projects, like the advisory db itself, still maintained? Please advise, thanks!

@jrochkind jrochkind changed the title rubysec.com is gone rubysec.com is not responding Jan 5, 2020
@phillmv
Member

phillmv commented Jan 5, 2020

Hello,

Thanks for writing. The project is still alive - afaik folks are still submitting new advisories, tho I confess that @reedloden does the vast bulk of the PR merging.

I allowed the website to die because a) it cost money (that used to be covered by my now defunct startup) and b) it was overly complicated for the limited use it seemed to be getting.

Ideally, we should just set up a GitHub Action that recreates a static site on every push, but I haven't had the free time to make that work. If you are so inclined, I would happily discuss this further and accept any PRs.

@reedloden
Member

@phillmv just shot you an e-mail. :-)

@jrochkind
Author

jrochkind commented Jan 6, 2020

I would love the static site to be back, but understand there may not be capacity.

I am not sure I have capacity to help with Github Action-based thing personally; I haven't had much luck figuring out Github Actions myself yet.

To me, the most useful thing about the site was the Atom feed, which worked well. Of course, the items in the feed need to have URLs to point to, which is the rest of the site too. It's not entirely clear to me how to reproduce that from push callback/hook, since some commits will result in a 'new' item to be included in the feed, others won't. That's the tricky part, although presumably it was solved somehow by the current code.

For posterity, if you wanted to put any overview/links to the previous code that created the site here, it might be helpful. Or wait, it's this repo itself? Maybe if you wanted to add any additional orientation/overview in the README it might be helpful to someone who wanted to copy some parts to a new solution.

If it might be helpful, I might put the word out to see if anyone else is interested in helping with coding or hosting or other. I think the website was a valuable thing for the ruby community. It's possible some entity would be willing to take care of hosting/platform fees, and/or someone else(s) willing to code up the automation. Since the ruby-advisory-db itself is a public repo, hypothetically it could be done by a third party without any (or only limited) coordination even.

If the site is not going to come back, the README for the advisory db should stop trying to refer people to a submission form there, and give only alternate submission instructions.

@phillmv
Member

phillmv commented Jan 6, 2020

For posterity, if you wanted to put any overview/links to the previous code that created the site here, it might be helpful. Or wait, it's this repo itself?

Yep, this is the repo that contains the rails app that used to power rubysec.com

I've just checked and it should be very easy to drop the existing templates into a middleman/jekyll generator (like we used to do a few years ago) and wire up an Action to generate the GitHub page.

So, we should have the website back up in a few days.

@jrochkind
Author

Nice, thanks @phillmv , that's great to hear! Thanks for all of rubysec , it's a very important service for the ruby community!

If there are resource problems (people or infrastructure) in the future, I think it would be worth investigating getting help from the community, whether that's "ruby together" or putting a call out or whatever.

@jrochkind
Author

So, we should have the website back up in a few days.

Is there currently any progress/hope? Thanks!

I think this was a valuable service; would it make sense to put out a call for help/volunteers to get it back, or for funding?

@jrochkind
Author

Hi, the static site seems back -- but not the atom feed, which is what I used!

Is there any hope? Anything I can do?

It's sad to me that we don't have a community source of a feed of security vulnerabilities, but have to rely on various proprietary systems using this db. I would like to list vulnerabilities as they are announced on https://rubyland.news

@phillmv
Member

phillmv commented May 19, 2020

Is there currently any progress/hope? Thanks!

@jrochkind I went on parental leave right as you posted the above, and life got weird since then!

Is there any hope?

if you need something right now https://github.com/security-advisories is an rss feed (disclaimer: part of my day job) but if you want something purely community maintained,

Anything I can do?

the missing step is to set up a GitHub Action on https://github.com/rubysec/rubysec.github.io/ to regenerate the index page/rss feed whenever something is committed to the ruby-advisory-db

@phillmv
Member

phillmv commented May 19, 2020

if you've got the free time, i'm happy to help set up the permissions or w/e

@jrochkind
Author

Thanks for the update! That context is super useful!

I'll look into that feed you mentioned, and see if I can find time to figure out Github actions. I can play around with it on my own with test data to make sure I know how to do it, before asking for access to the project. Is there already code to generate the index page/rss feed, it just needs to be triggered by github actions?

Thanks!

@jrochkind
Author

https://github.com/security-advisories is neat... but I of course want something limited to just ruby ones, if I had that from github I'd probably just use it even though community maintained would be ideal...

@phillmv
Member

phillmv commented May 19, 2020

You can filter out the non-ruby ones 🤷 but yes I agree, not as nice.

Is there already code to generate the index page/rss feed, it just needs to be triggered by github actions?

No, unfortunately it's just a placeholder.

You'd have to convert the templates from this rails app into something that jekyll will process.

I'm 90% sure someone can set up a GitHub Action that:

  • listens for new commits on repo x
  • checks out repo x
  • uses data in repo x to output pages through jekyll
  • pushes the generated site into repo y's gh-pages branch to update the site

@jrochkind
Author

OK, it sounds like migrating the templates is the first step, before looking at github actions. I'll see if I can find time to do that, and now at least this exists as some documentation if anyone else feels called to do it. Obviously appreciate if anyone else has time too.

I think it's an important marker of the ruby community's current state if we collectively can allocate the resources to maintain rubysec.com (a very important resource that I am so grateful to everyone who has made it happen) -- but the current state is what it is, it's apparently "not enough resources to restore the rubysec.com RSS feed" at the moment!

@jrochkind
Author

Doesn't seem like an RSS feed will be coming back to the rubysec.com project. :(

And rubysec.com currently says "This page is currently being rebuilt. Please bear with us in the meantime." And I think has for a while? :(

I am left to conclude this is another community project that sadly does not have the resources for sustainability. :( I wonder if it would be worth talking to Ruby Together about support? Something like rubysec.com (with working tools) seems like an important part of a healthy ruby community.

@phillmv
Member

phillmv commented Jun 7, 2021

@jrochkind fwiw i believe most folks either consume the yaml directly or use bundle-audit.

We can write a github action to generate an rss feed and push it to a github page whenever new files come in to the advisory-db by either moving gh-pages to that repo or by using a repository_dispatch event.

If you want to set this up happy to review & approve 😄.

@phillmv
Member

phillmv commented Jun 7, 2021

On second thought, it can be a tall order to figure all that stuff out. By complete coincidence, I recently got fairly adept at generating static github pages using github actions.

If you're willing to write a script that takes the yaml content of the ruby-advisory-db and outputs an rss file to a given ENV["RSS_OUTPUT_PATH"] and put it in a PR to shove it in here https://github.com/rubysec/ruby-advisory-db/tree/master/scripts

i can string the rest together
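An added example of the script described above, written for this thread rather than taken from the rubysec project's own scripts: it reads ruby-advisory-db style YAML (the gem, cve, url, title, date and patched_versions fields), escapes every value, and writes a feed to ENV["RSS_OUTPUT_PATH"]. It emits Atom, since that is what the site's old atom.xml served; the advisories, gem names and URLs in it are constructed sample data.

```ruby
%w[yaml date cgi tmpdir].each { |lib| require lib }
# Constructed sample advisories keyed like the db (gems/<gem>/<id>.yml);
# the second title deliberately contains characters that need XML escaping.
SAMPLE_ADVISORIES = {
  "gems/examplegem/CVE-2000-0001.yml" => <<~YML,
    gem: examplegem
    cve: 2000-0001
    url: https://example.invalid/advisory/1
    title: Example advisory one
    date: 2020-01-05
    patched_versions: [">= 1.2.3"]
  YML
  "gems/othergem/CVE-2000-0002.yml" => <<~YML,
    gem: othergem
    cve: 2000-0002
    url: https://example.invalid/advisory/2
    title: "<b> & other characters in a title"
    date: 2021-06-07
    patched_versions: [">= 2.0.0"]
  YML
}.freeze
# safe_load refuses arbitrary object deserialization; the path becomes the
# entry id and the date is normalised to a Date whether or not YAML typed it.
def load_advisories(yaml_by_path)
  yaml_by_path.map do |path, text|
    data = YAML.safe_load(text, permitted_classes: [Date])
    data.merge("id" => path.sub(/\.yml\z/, ""), "date" => Date.parse(data["date"].to_s))
  end
end
# Every YAML value is escaped before it lands in the feed markup.
def esc(value); CGI.escapeHTML(value.to_s); end
# Atom document, newest advisory first, capped at `limit` entries.
def build_atom(advisories, limit: 50)
  entries = advisories.sort_by { |a| a["date"] }.reverse.first(limit)
  updated = (entries.first ? entries.first["date"] : Date.today).iso8601
  xml = +"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<feed xmlns=\"http://www.w3.org/2005/Atom\">\n"
  xml << "  <title>Ruby advisory feed</title>\n  <id>https://rubysec.com/atom.xml</id>\n  <updated>#{updated}T00:00:00Z</updated>\n"
  entries.each do |a|
    xml << "  <entry>\n    <id>https://rubysec.com/#{esc(a["id"])}</id>\n    <link href=\"#{esc(a["url"])}\"/>\n"
    xml << "    <title>#{esc(a["gem"])}: #{esc(a["title"])} (CVE-#{esc(a["cve"])})</title>\n"
    xml << "    <updated>#{a["date"].iso8601}T00:00:00Z</updated>\n    <summary>Patched: #{esc(Array(a["patched_versions"]).join(", "))}</summary>\n  </entry>\n"
  end
  xml << "</feed>\n"
end

# Write the feed where the Action points ENV["RSS_OUTPUT_PATH"] (tmpdir fallback).
def write_feed(advisories, path = ENV.fetch("RSS_OUTPUT_PATH") { File.join(Dir.tmpdir, "atom.xml") })
  File.write(path, build_atom(advisories))
  path
end
puts write_feed(load_advisories(SAMPLE_ADVISORIES)) if __FILE__ == $PROGRAM_NAME
```

In the real Action the hash passed to load_advisories would be built from Dir.glob over the checked-out gems/ directory.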

@jrochkind
Author

Thanks for that, that is a more reasonable chunk.

And I don't know if I have time to do it either. I understand you may not have time to do it either. Like I said, what it says to me is that rubysec.com sadly lacks the resources for sustainability. It is not meant to be a personal dig on you or how you prioritize your time.

But the message "This page is currently being rebuilt. Please bear with us in the meantime" that has been there for over a year is also part of what makes me think that. Is that sentence true? IS the page "currently being rebuilt"? What is the time scale of "the meantime"? If it is not true, perhaps it makes sense to take it off the home page? A "under construction" message like that up there for a year+ with no other changes is what makes it look like "rubysec.com lacks the resources to maintain itself sustainably."

@phillmv
Member

phillmv commented Jun 7, 2021

Good point. I went ahead and deleted that section.

@reedloden
Member

Could we just bring back https://github.com/rubysec/rubysec.github.io/tree/old-jekyll-site for the time being? It wasn't great, but It Worked(TM).

@phillmv
Member

phillmv commented Jun 7, 2021

rubysec.com sadly lacks the resources for sustainability

I think we've been doing a dece job merging PRs (and by "we" I mean, mostly Reed) but with regard to the website specifically I don't disagree, tho otoh I do think the use-case has changed since we first started this project. In the 2.5 years the full site was up, no one really used the "report a new vulnerability" button.

so really it's just about adding an rss feed?

Could we just bring back https://github.com/rubysec/rubysec.github.io/tree/old-jekyll-site for the time being? It wasn't great, but It Worked(TM).

That's a blast from the past!

Still have to edit the templates to delete the lol irc channel mention & the mailing list we don't maintain. For me it's just a low ROI task, but I wouldn't oppose it.

Maybe easiest way out is to copy over the current index.html to that template & hook up the old atom.xml template?

@jrochkind
Author

jrochkind commented Jun 7, 2021

I mean, I guess the other option is just to get rid of rubysec.com as a human-readable website, intentionally, with an announcement or something, so it looks intentional, explaining why.

I found rubysec.com (and rss feed) really useful, and a good signal of "wow, ruby is a mature community with good community tools" -- but if it doesn't actually get much use, maybe that's just me. If the opinion of rubysec maintainers is "most folks either consume the yaml directly or use bundle-audit", and that the focus of the project is on those, and there is no need for a human-readable website or RSS feed, or at least not enough need for it when there isn't labor to maintain it... just sunset it gracefully with an announcement?

Or if rubysec.com is working just fine, and it's just an RSS feed, and it's just me that found it useful but the team doesn't consider it of general enough utility to be worth bringing back and it's not coming back -- then just say so and close this ticket I guess! And I'll finally remove the broken feed from https://rubyland.news haha.

@reedloden
Member

ok, https://rubysec.com/ is back. PRs welcome to improve it. I suck at CSS (frontend stuff in general).

@jrochkind
Author

Thank you so much! And working in http://rubyland.news again!
