Tech-Angels Blog

Gemnasium, now with 1-click away changelogs

Wed, 15 May 2013 22:28:25 +0200

Tired of spending hours looking for what has changed in your dependencies?

Save your time! Gemnasium brings you 1-click changelogs!

For each of your project’s dependencies you can now quickly check what has changed. Just click on the Changelog viewer icon and start reading!

Gemnasium will automatically aggregate changelog data and scope it to what matters to you: the changes between your current version and the latest stable!

No changelog? We can still help you.

When package’s changelog is not available, Gemnasium still try to make it easier for you. It will indeed try to fall back to a nicely displayed list of commit messages.

At any time you can click on a commit from the list to see it on Github. You can also check the full compare view following the link provided in the header.

Pricing?

Our Changelog viewer is already included in all paid plans without any extra cost and is available to free users during their 30 days trial period.

For all existing free users, you’ll also be able to try it until june, 15th, enjoy!

We hope you’ll appreciate it and your feedback is welcome!

Cheers, Gemnasium Team

What's new in Gemnasium?

Mon, 08 Apr 2013 17:00:44 +0200

We’ve released a bunch a small fixes and improvements to make Gemnasium better! Let’s review them.

Manual monitoring

You now can choose exactly which projects you want to monitor and which one you don’t care about.

Gemnasium will still try to automatically add/remove projects when syncing with Github, but as soon as you manually start or stop monitoring a project, it won’t override your choice anymore.

So you now can freely choose which projects you want to track, and drop the others.

To make it more clear, we’ve also cleaned up the profile view and you’ll now only see the monitored projects there. This will drastically reduce the signal to noise ratio so that you can focus on what matters to you.

You can retrieve all your profile’s projects in the Project’s management page in your settings. There you’ll be able to start/stop monitoring and edit projects settings to fine tune them.

Offline projects

First introduced with our Gemnasium Gem, the offline projects can now be totally managed on Gemnasium.

You can create projects from your profile settings and upload dependency files directly from the UI.

New platinum plan!

As required by our users who have a lot of private stuff, here comes the Platinum plan. It allows to track up to 125 private projects for $100/month!

Improved settings

We’ve changed a bit the settings to make account management easier.

The Settings home now displays the list of your Gemnasium profiles. Here you can manage them and add new ones.

The Github Permissions feature has been improved to give more granularity and now tells you how it affects your Gemnasium account.

Thanks for your support and your feedback that help us improving Gemnasium!

Cheers, Gemnasium Team

Should you upgrade Rails from 3.2.12 to 3.2.13 ?

Mon, 25 Mar 2013 14:49:00 +0100

Rails 3.2.13 was released just a week ago. Since it fixes 4 important security breaches (CVE-2013-1854 for activerecord, CVE-2013-1855 for actionpack, CVE-2013-1856 for activesupport and CVE-2013-1857 for actionpack), you may want to upgrade it asap.
Yet, performance regressions and major bugs has been discovered in this new version of Rails.

What are the risks ?

Upgrading your application to Rails 3.2.13 will make bugs and performance issues popping out.

action_missing function will be broken
ActiveRecord chained scopes will cause bugs such as the one GitHub experienced lately
Assets and views loading time will drastically increase

How to remain safe without upgrading to 3.2.13?

We recommend you to not upgrade to Rails 3.2.13 and to wait for 3.2.14 to be released. But how to do so having in mind the 4 security breaches that still exists ?
Well, that’s simple, first of all, you might not be impacted by all of those issues and second, some monkey patches have been released to help you keep your application secure without upgrading.
So keep calm, create a temporary hotfix branch until 3.2.14 is out and apply the patches you need.

Fixing Symbol DoS vulnerability in Active Record (CVE-2013-1854)

Your application does not use params as a find value for a query? You’re safe!

Impacted code will look like User.where(:name => params[:name]). To fix this issue, you should call to_s method on params used as a find value. Basically, you’ll need to change code that looks like

User.where(:name => params[:name])

to:

User.where(:name => params[:name].to_s)

Patch provided by Rails team

Fixing XSS vulnerability in sanitize_css in Action Pack (CVE-2013-1855)

You don’t use sanitize_css method using user input as parameter? You’re safe!

Impacted code will look like sanitize_css(user_input). The following patch will fix the issue:

module HTML 
  class WhiteListSanitizer 
    # Sanitizes a block of css code. Used by #sanitize when it comes across a style attribute 
    def sanitize_css(style) 
      # disallow urls 
      style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ') 

      # gauntlet 
      if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ || style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/ 
        return '' 
      end 

      clean = [] 
      style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop,val| 
        if allowed_css_properties.include?(prop.downcase) 
          clean <<  prop + ': ' + val + ';' 
        elsif shorthand_css_properties.include?(prop.split('-')[0].downcase) 
          unless val.split().any? do |keyword| 
            !allowed_css_keywords.include?(keyword) && 
            keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/ 
          end 
          clean << prop + ': ' + val + ';' 
        end 
      end 
    end 
    clean.join(' ') 
  end 
end

Patch provided by Rails team

Fixing XML Parsing Vulnerability affecting JRuby users (CVE-2013-1856)

Your application does not use JRuby? Your JRuby application does not use the JDOM backend? You’re safe!

To fix this issue, place this code in an application initializer:

ActiveSupport::XmlMini.backend="REXML"

Patch provided by Rails team

Fixing XSS Vulnerability in the `sanitize` helper (CVE-2013-1857)

Your app doesn’t use sanitize method helper with user input? You’re safe!

To fix this issue, place the following code into a file in your config/initializers folder.

module HTML
  class WhiteListSanitizer
    self.protocol_separator = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i

    def contains_bad_protocols?(attr_name, value)
      uri_attributes.include?(attr_name) &&
      (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i &&
      !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
    end
  end
end

Patch provided by Rails team

Gemnasium Gem 1.0 is out! Because security matters

Tue, 05 Mar 2013 16:37:00 +0100

Nothing is more important for us than your data safety, and we’d like to really thank our customers for their trust so far! Anyway, as we are very concerned with security, we find unacceptable to be forced asking you for a full access on your projects. We had a lot of complains regarding this problem, and we fully agree with you:** you should never grant access to your work.**

That’s why we’re proud to unveil today a new way to keep your projects in shape, without lowering your security requirements.

Why did we need a full access to your private repos?

Gemnasium is fully integrated with Github: it automatically fetches your repositories and gets notified about code updates (pushes). But for that, you need to authorize Gemnasium to access your code through Oauth.

Unfortunately, Github only provides a “Read + Write” access for private repos (the “repo” scope), which implies a full trust in the third party service. For freelancers, and agencies, it meant sharing their customer code with us, which is often forbidden by contracts or NDAs (and it’s a good thing!).

If you don’t trust this gem either, keep calm and relax, the source code is fully available: https://github.com/gemnasium/gemnasium-gem

How does it work?

Dependencies can be tracked now without authorizing any access to your application code, just by using that tiny gem!

Drop it in your project (or just install the gem), run install command, fill in the config file and you’re ready to go in a few seconds!

You can also use the provided post-commit Git hook to automatically push updates to Gemnasium when you commit changes on your dependency files.

Alternatively, you can use the “gemnasium” command, the rake task or even call directly Gemnasium’s gem classes from your code. See readme for more details.

Finally, using the Rake task, a CI server can be in charge of pushing the changes for you.

Behind the scene

When executed, Gemnasium gem will calculate SHAs for your dependency files (the same way Git does it) and send them to Gemnasium API to compare with remote ones. If anything changed in the files, SHAs will be different and then Gemnasium gem will upload updated files.

The after-commit Git hook we provide is even smarter as it will only fire SHAs check if your commit contains changes about your dependency files. It’s even faster than with our Github service hook!

One great thing with this gem is that you can check dependencies updates without pushing to the repository! Just update the dependency files, run “gemnasium push” and everything gets updated on gemnasium.com.

Gemnasium Gem is published under the MIT license. It’s compatible with all ruby projects, not only rails app. We’ve made it as light as possible and it doesn’t require any other dependency. Though, it’s only compatible with ruby >=1.9 for now (yes, that mean ruby 2.0 too!).

For Node.js projects owners, please note that this gem is also able to upload package.json and npm-shrinkwrap.json files, as long as you have a running ruby. For others don’t worry, a Npm module is coming!

Please also note that for now the gem only works with existing Gemnasium profiles. So you still need to link your Gemnasium account with Github after registration (with read-only public access at least) and order a plan for one of your Github profiles. You’ll then be able to add your offline projects to the profile of your choice. Offline private projects are taken into account for your plan’s private slots limit.

We’re also working on fully offline profiles to allow non-Github setup. This will come a bit later. Stay tuned!

How to migrate existing project?

If you have already setup your projects to be synchronized automatically with Github, you can switch them to use the gem. Just follow the readme to complete the setup and use the “gemnasium create —force” command. The “—force” option will override the existing setup on gemnasium.com, updating your projects origin attribute from “github” to “offline”. Warning: there is currently no easy way to switch back to Github origin (need to contact support). Use with caution.

You can then update your Github permissions in your settings to use the read-only public access.

No more excuses to not track your dependencies and keep your projects in shape with Gemnasium!

Cheers, Gemnasium Team

Gemnasium's Security Coach on steroids!

Tue, 26 Feb 2013 16:50:48 +0100

As announced last week, we are pleased to release today the new features focusing on security.

Remember: since Gemnasium-2.0 we monitor popular packages, looking for security or critical updates. Once something is detected, all impacted versions are tagged accordingly which ends up to a red color on the projects depending on it.

It’s time to put some steroids in this! Let’s review the new features:

Security advisories

To bring you more information on these critical and security updates, Gemnasium now displays advisories right on the package’s page.

Advisories provide useful informations about security issues or critical updates: description, affected versions, fixed versions, available solutions etc…

Advisories are displayed on each affected versions of a package and also on the ones that fix it.

Alerts

But that’s not enough… Keep calm and let the Security Coach tell you what’s wrong with your projects!

Right from your project page you now can check the security and critical advisories affecting your dependencies.

Open alerts just hang here until your project become safe! They are closed automatically when the dependency is updated to a non-affected version.

If your app has been fixed with a patch, a workaround or is simply not affected by the advisory, you can tell Gemnasium it’s okay and just close the alert.

Notifications and reminder

Gemnasium’s Security Coach will warn you immediately when an advisory is created and will remind you every day until the alert is closed (by an update or using the close button). But if you feel bothered by the reminder and still haven’t fixed the issue, you can acknowledge the alert to stop the notifications. This can be done on the project page or directly from your alert email.

To avoid spamming you when you have a lot of affected projects, notifications are grouped by advisory. Here is a sample alert email:

The security reminder takes your notifications settings into account. So you only receive security emails for projects and packages that have notifications enabled and you won’t be notified at all if you have totally disabled notifications in your settings.

Please note that all old alerts have been automatically acknowledged to avoid spamming you. Feel free to reopen them if you want to be reminded.

The notifications and reminder features are included in all plans starting from Bonzaï (see pricing), and also available as trial during the 1st month of registration for Free plans. As an exceptional offer, the security reminder is also available to all existing Free users until March, 31st!

Side notes

Gemnasium is still growing its changelogs base and advocates for a common format. Your opinion is welcome and you can contribute on the Vandamme open source project to help us defining a convention.

As always, we hope you’ll appreciate these new features and your feedback is welcome!

Cheers, Gemnasium Team

Standard Changelogs

Fri, 15 Feb 2013 13:16:52 +0100

There are thousands of different changelogs (if any) out there, with dozens of different names. It’s almost impossible to fetch and parse them automatically… Gemnasium is using Vandamme to keep each changelog specificities (changelog location, version format, file format).

We really believe in changelogs. Following changes in dependencies is a hard task, and almost impossible by reading commits only.

The open-source world would be so much nicer with full, readable and comprehensive changelogs. As a solution to this problem, we propose a simple set of rules and requirements to follow in order to have a Standard Changelog. Please see the specs here:

https://github.com/tech-angels/vandamme/blob/master/README.md#changelogs-convention

Feedback is welcome!

Gemnasium V3 aka Gemnasium <3

Fri, 15 Feb 2013 11:45:34 +0100

Gemnasium loves you, thank you so much for your support! We are proud today to announce a new exciting release.

We have worked hard in the last months to improve the code base and features, it was also time to put in place a fresh and optimized UI. Each page has been lovingly handcrafted into an amazing new design. Here is an quick insight:

The new UI also comes with a new Dashboard page with gathered statistics about profiles and some info about a pushed package each week, and live events scoped to your account.

We also have lots of surprises for you, so let’s jump right in!

NPM Support

Gemnasium is now able to read your NPM dependencies and monitor them. If your Github profile contains projects with a “package.json” or a “npm-shrinkwrap.json” file, Gemnasium will be able to track the dependencies for you!

This feature is included in all plans (including free plans), with no extra fee! And Gemnasium already monitors more than 22.000 node packages.

Your personal security coach

Need some help to follow important changes and security announcements? Let us introduce you the new “Watchmen” team. Everyday, we’ll be tracking important changelogs and security advisories for you, and will mark as “red” dangerous or broken versions. Don’t spend more time to wonder if your projects are vulnerable because you forgot to update them, let us ping you when we think you should worry about something!

“Watched” packages and each “Checked”versions are marked with these labels:

“Watched” means the project is being manually checked every day. “Checked” is an acknowledge on the package version you are browsing.

The Watchmen feature will evolve continuously to provide better and smarter security announcements so that you can relax and stay focus on your work. Expect a release dedicated to this topic next week!

Packages Improvements

Gemnasium now provides tons of metadata for both Rubygems and Npms packages (owners, maintainers, useful links, etc.). You can also find the dependencies of a package and discover the other packages depending on it.

For those who maintain a changelog, Gemnasium is also able to provide its content for each versions. Though, as there is no standard yet, this feature requires the changelog to be in a supported format. We’ll write more about this soon, stay tuned!

New badges

We’re taking part in the new “Shields” project, and provide clean, consistent and more readable badges for your Readmes. Your project badge can be copied/pasted on your github Readme page in seconds. Just click on the badge on your Gemnasium’s project page and follow instructions!

We still have a lot of terrific ideas to come, stay tuned!

Ho, one more thing

We have a lovely gift for you! As you can see, a lot has changed in the new Gemnasium and the response we’ve gotten from community has been amazing. We’d like to welcome new subscribers with a 50% discount for 3 months (with the 1st month 100% free!)

While creating your subscription on gatekeeper (our account platform), just enter the coupon : VALENTINESDEP

<3<3<3 from the Gemnasium Team

Announcing a Better, Faster and Smoother Support Process

Mon, 28 Jan 2013 14:29:42 +0100

As part of our continuous effort to give you a better experience, we have just migrated our customer support processes to Freshdesk. We strive to take full advantage of the powerful capabilities and best-practices in Freshdesk, to give you a better support experience.

How does this make a difference to you ?

Not a lot changes in terms of how you get in touch with us. You can shoot us an email to support@tech-angels.com, and our support system will automatically create a ticket on your behalf. You will also be notiﬁed of our responses and status changes to your tickets via email as well, and you can send out your replies directly.

The ﬁrst time you send us a support query, you will receive an email with activation instructions to login to our support portal at http://support.tech-angels.com. Going forward, you can check the status or add comments to your support queries here.

We are actively populating our support portal with FAQs and solutions in our knowledge base, so you can help yourself to how-tos and instructions. You can also discuss your ideas and share tips in our community forums.

Each product has now its own support portal

In addition to the top-level support portal http://support.tech-angels.com, each product now features its own support, with online forums and knowledge base:

Gemnasium : http://support.gemnasium.com (support@gemnasium.com)
Spectorus : http://support.spectorus.com (support@spectorus.com)
Jagan : http://support.jagan.io (support@jagan.io)

Talk to us on Social too

Our support team is now listening to conversations on our Twitter handle (@techangels) and Facebook page (facebook.com/TechAngels). In addition to email and through our website, feel free to reach us here as well.

We love hearing from you

We strive to give you an awesome support experience with every query, and your feedback will help us get there faster. We will be sending out satisfaction surveys for you to rate your support experience with us periodically. If you have any doubts or queries regarding our new support tools and policies, please drop us a line at support@tech-angels.com, and we’ll be glad to assist you. And make sure you visit our new support portal at http://support.tech-angels.com.

"Bienvenue à La Conf"

Tue, 22 Jan 2013 20:01:19 +0100

Tech-Angels is a Gold Sponsor @la_conf

We’re very proud and excited to announce today our participation to La-Conf in Paris, France, next 9-10 May 2013! The conference will be held in the heart of Paris, at the four-star Westin Paris - Vendôme (3 Rue de Castiglione, 75001 Paris).

You will find us easily with our t-shirts / sweatshirts:

Please come and meet us, we will surely be good advisors regarding the wine and cheese!

More info: http://2013.la-conf.org/

Projects settings: choose your branch!

Wed, 16 Jan 2013 12:00:10 +0100

As requested, here is a new feature to allow you to choose which branch of your projects you want to monitor.

This setting can be found on the new Projects page of your Settings.

When the branch for a project is changed, Gemnasium automatically syncs with its GitHub’s repository and updates the dependencies as needed.

Prerelease notifications

Thu, 10 Jan 2013 12:00:00 +0100

Since Gemnasium-2.0 has been released, prerelease versions have been relegated to the background. Though it still can be interesting for library maintainers to stay up to date with latest changes and also get notifications when prereleases are published.

For those who want it, there is now a setting for that (disabled by default):

For business plans owner, this setting is also available in Hooks.

New scope for Github authentication

Tue, 08 Jan 2013 23:54:00 +0100

Github released today some new oauth scopes, which are perfect for our authentication system (aka: “Gatekeeper”).

From now on, the new and only scope used for authentication will be user:email (“gives apps read-only access to a user’s private email addresses”). Since the scope changed, you will need to accept again the app, and once done, we will only be able to read your public data + private email:

Reminder /!\

For existing accounts, you must link your account after login into gatekeeper, using the link “Connect Github account” in your account page:

Sweat conferencing

Fri, 04 Jan 2013 16:36:00 +0100

Tech-Angels is a Glassware-Cleaner Sponsor @railsberry

We were so thrilled by the last year event, we couldn’t miss this one.
We’re very proud and excited to be a (Glassware Cleaner) sponsor this year of the Railsberry conference, on April 22-23 2013 in Krakow, Poland.

Please join us in the evening, we’ll be happy to offer drinks!

More info: http://railsberry.com/

Short Gemnasium presentation during Compiegne-rb meetup

Fri, 21 Dec 2012 15:29:11 +0100

Short Gemnasium presentation during Compiegne-rb meetup:

By Olivier Gonzalez (@gonzoyumo).

Gemnasium 2.0

Tue, 04 Dec 2012 17:30:19 +0100

This release marks the end of a big rewrite that lays the foundation of our vision for Gemnasium.

We really aim to make it an essential tool that will help developers save time dealing with dependencies so they can stay focused on their work. We keep hearing your feedbacks and will add more and more useful stuff in the future but this rewrite already comes with a bunch of new things and updates that you may take a look at.

New colors

The colors scheme has been redefined and now follows these rules:

green => dependency is up to date with latest version available

yellow => there is at least one newer stable version available

red => the dependency is behind a security fix or an important update (broken API, deprecation, …)

Why?

First, as app maintainers we eat our own dog food and after a long time using Gemnasium we ended to this new scheme which better suits our needs. It also answers most of our customers feedback about these status colors.

Having some outdated gems isn’t always a very bad thing: you may have missed the minor update about that feature you don’t use, so you’re behind latest. Well, yes but your app is still working great and there’s not threat on it. In such cases, the scary red was a bit too much.

On the other hand, staying just behind a tiny patch can be a very bad thing… you know, this little patch which fixes that big security issue! And here, red is a good color to say: “hey, you really should take a look and update me now”

How?

While green and yellow status updates will stay entirely automatic, the red one will now go through a manual process. For now, our team will take care of this by watching Rubygems updates and flag them as security or important update. Of course, this implies that we can’t do it for every Rubygems and only the most popular ones will be watched at first. But according to the Pareto principle, this should suit most of developers needs. We are also already working on alternative solutions to improve coverage.

Note: Prerelease versions will still be notified when published but they are no longer considered as a leading factor in dependencies status choice.

Locked version awareness

The more you tell to Gemnasium, the more it will show you in return!

If your repository contains a Gemfile.lock (aka lockfile), Gemnasium will now use it and check your dependencies against the versions that you really use in your application. This is a huge improvement and particularly for developers that heavily rely on Optimistic Version Constraint.

Say you have defined the following dependency requirement some times ago :

gem 'library', '>= 2.2.0'

And now library 2.5.0 is out. Your requirement is still matching latest and any new install will get the 2.5.0 version.

But as an app user you certainly use a lockfile to ensure all your environments are using exact same versions of your dependencies. And then, unless you have updated it, you may have something like version 2.3.0 in your lockfile.

So your app is not using the latest version and this dependency is out-of-date! Now Gemnasium will warn you about this.

New badges

Ok they didn’t changed that much actually. The Travis-like style is really appreciated and developers are accustomed to it. So after some brush love and updated wording to match new colors meaning, here we go:

As an alternative, you still can use the dots version, available with just adding ?dots at the end of your badge url.

Gem versions history

Gem page now provides versions history so you can get a quick overview. This place will also receive some nice updates soon to provide you more useful information, so stay tuned.

New settings for personal notifications

The new settings section offers you the ability to choose the email address on which you want to receive personal notifications.

We also added “daily” and “never” frequencies in order to manage the notifications more finely or stop them for all your projects.

The new Hooks feature (available for business plans)

Email or Campfire hooks can now be defined on a per-profile basis that will be fired when a dependency is updated.

The hooks are totally separated from personal notifications, they have their own target (email address or campfire room) and their own frequency. Hooks are also shared among all users who can access the profile they belong to and all of them can add/update/remove the hooks.

We currently only provide Email and Campfire hooks, but feel free to suggest other ones if you need them!

In short

With all these new things combined together, you now have a great tool that will keep an eye on your dependencies 24/7 and warn you the way you want, when it matters to you.

We hope you’ll enjoy these changes and as always, your feedback is welcome!

Gatekeeper sessions handling change

Mon, 26 Nov 2012 10:25:17 +0100

Gatekeeper, the central place for your Tech-Angels account, is adopting new session rules.

Your session will now resist to a browser restart. From now on, you MUST use the logout link if you don’t want your session to stay open on a (public?) computer. To avoid issues with this new behavior, your password will be asked for important changes. If you signed-up with Github, you can still set a password in your account page.

Active Record Identity Map makes it easier to stub Model dependencies

Mon, 19 Nov 2012 08:00:00 +0100

Problem

You want to write a unit test for this AccountController class. In order to test in isolation, you need to stub all the calls AccountController will make to models.

Because of the way ActiveRecord works, it’s tricky to write message expectations or stubs for an Account instance. You end up stubbing find and other AR methods, such as in the following example:

account = mock_model(Account, :id => "37")
Account.stub(:find).with("37") { account }
account.should_receive(:close)
post :close, :account_id => "37"

The problem is that approach leads to fragile tests due to the nature of ActiveRecord Query API. There is almost an “infinite” way of retrieving models. Whenever you change the way you retrieve the model, you’ll need to change your stubbing. For more information, I strongly recommend Avdi Grimm book’s Object on Rails.

IdentityMap to the rescue!

before(:all) { ActiveRecord::IdentityMap.enabled = true }
after(:all) { ActiveRecord::IdentityMap.enabled = false }

account = Factory(:account)
account.should_receive(:close)
post :close, :account_id => account.id

ActiveRecord::IdentityMap ensures that each object gets loaded only once by keeping every loaded object in a map.

When the AccountController retrieves an account, we can be sure it will be exactly the same object as in our test.

One drawback is a slower test. We are now creating an account in the DB only to benefit from Identity Map. It’s a trade off, we hope that more robust tests will save some time in the long run.

An alternative is to use any_instance stubbing, such as:

Account.any_instance.stub :close

But then, we loose the message expectation part and need to test something else. This approach could have side effects. As the name says, any instance of Account is stubbed!

What do you think?

Happy specing!

Github authentication available!

Mon, 12 Nov 2012 14:49:51 +0100

One of the most asked features is being released today: You can now connect to your Tech-Angels account using your Github account! No more password needed, unless you want one. Please read the following before trying the feature:

Existing users

If you already have a Tech-Angels account (ie: to use https://gemnasium.com), you must sign-in first with your current account, and then link it with your Github account:

You can unlink your account from the same location.

New users

New users can simply click on the new “Connect with Github” link in the nav bar. If your public data is complete on Github, your account should be created right away, otherwise you will be invited to fill your missing information.

New password policy

This feature introduce a new policy regarding passwords:

Users coming from Github directly don’t have a password, so it won’t be required to update your account information
Users who linked their existing account have a password, it will be asked to update your account information.

If you don’t have a password, and want to increase the security of your account, you can set-up one after sign-up from Github. It will then be asked to protect modifications on your account (including plans subscriptions very soon).

Why do I have to allow the application twice on Github when I use Gemnasium?

Our account management app (Gatekeeper) is using the smallest scope available on github, it will just fetch your user ID + your public data. While this is enough to create a Tech-Angels account, Gemnasium needs to access to your repositories to check dependencies.

Devise tip: authenticate a user with a password

Thu, 25 Oct 2012 12:00:00 +0200

Have you ever tried to authenticate a user with a password using Devise?

I am afraid using google won’t help on this one: been there, done that. Hopefully, this blog post should help google to find the solution next time.

Devise API is pretty modular, there is actually a #valid_password? method which does exactly what we need:

class UserAuthenticator

  def authenticate(email, unencrypted_password)
    user = User.where(email: email).first
    return false unless user

    if user.valid_password?(unencrypted_password)
      user
    else
      false
    end
  end

end

Link to Devise rubydoc.

The UserAuthenticator service is heavily inspired by this codeclimate blog post, which I strongly recommend you to read and practice.

Please give us some feedback about this blog post and any theme you want us to blog about.

Annoucing npmhooks.org

Thu, 27 Sep 2012 23:28:12 +0200

We’re pleased to announce today the launch of https://npmhooks.org

Npmhooks is similar to rubygems API and enables webhooks on npm packages updates. Once a webhook is registered, it will be pinged in real-time. It is powered by a CouchDB database at http://isaacs.iriscouch.com/registry.

Getting started

It’s very easy, the API is a simple HTTP Restful API. First, you need to register a webhook (a listener URL):

curl -H 'Authorization:YOUR_API_KEY' \
-F 'url=http://requestb.in/171hq0u1' \
https://npmhooks.org/api/v1/web_hooks

Successfully created webhook to http://requestb.in/171hq0u1

(Requestb.in is a good way to test webhooks).
And all updates will fired on this URL right away. Nothing more.

Credits

Npmhooks was developed by Christian Joudrey, is fully open-sourced, and sponsored by Tech-Angels.
Special thanks to Isaacs for the registery.

Tech-Angels Blog

Gemnasium, now with 1-click away changelogs

Save your time! Gemnasium brings you 1-click changelogs!

No changelog? We can still help you.

Pricing?

What's new in Gemnasium?

Manual monitoring

Offline projects

New platinum plan!

Improved settings

Should you upgrade Rails from 3.2.12 to 3.2.13 ?

What are the risks ?

How to remain safe without upgrading to 3.2.13?

Fixing Symbol DoS vulnerability in Active Record (CVE-2013-1854)

Fixing XSS vulnerability in sanitize_css in Action Pack (CVE-2013-1855)

Fixing XML Parsing Vulnerability affecting JRuby users (CVE-2013-1856)

Fixing XSS Vulnerability in the sanitize helper (CVE-2013-1857)

Gemnasium Gem 1.0 is out! Because security matters

Why did we need a full access to your private repos?

How does it work?

Behind the scene

How to migrate existing project?

Gemnasium's Security Coach on steroids!

Security advisories

Alerts

Notifications and reminder

Side notes

Standard Changelogs

Gemnasium V3 aka Gemnasium <3

NPM Support

Your personal security coach

Packages Improvements

New badges

Ho, one more thing

Announcing a Better, Faster and Smoother Support Process

How does this make a difference to you ?

Each product has now its own support portal

Talk to us on Social too

We love hearing from you

"Bienvenue à La Conf"

Tech-Angels is a Gold Sponsor @la_conf

Projects settings: choose your branch!

Prerelease notifications

New scope for Github authentication

Reminder /!\

Sweat conferencing

Tech-Angels is a Glassware-Cleaner Sponsor @railsberry

Short Gemnasium presentation during Compiegne-rb meetup

Gemnasium 2.0

New colors

Locked version awareness

New badges

Gem versions history

New settings for personal notifications

The new Hooks feature (available for business plans)

In short

Gatekeeper sessions handling change

Active Record Identity Map makes it easier to stub Model dependencies

Problem

IdentityMap to the rescue!

Github authentication available!

Existing users

New users

New password policy

Why do I have to allow the application twice on Github when I use Gemnasium?

Devise tip: authenticate a user with a password

Annoucing npmhooks.org

Getting started

Credits

Fixing XSS Vulnerability in the `sanitize` helper (CVE-2013-1857)