
Security Concern: Isn't Ruby 2.6 EOL? #267

Open

venkatamutyala opened this issue Aug 6, 2023 · 13 comments

Labels: dependencies (Pull requests that update a dependency file), maintenance, Review effort [1-5]: 4, ruby (Pull requests that update Ruby code), ruby3 (Related to ruby version 3+), security, tech debt

Comments

@venkatamutyala (Contributor)

I was looking at deploying this and then noticed: https://github.com/onetimesecret/onetimesecret/blob/develop/Dockerfile#L56

per: https://endoflife.date/ruby I believe 2.6 is EOL. Any thoughts on updating this to the latest stable version?
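The check the issue is asking for (is the base image's Ruby series still supported?) is easy to automate in CI. The following is an added example, not code from the onetimesecret project: it scans a Dockerfile for `FROM ruby:<tag>` lines, extracts the MAJOR.MINOR series from the tag, and reports each line as end-of-life, supported, or unknown. The EOL dates in `SAMPLE_RUBY_EOL` are illustrative values I have filled in from memory and must be verified against https://endoflife.date/ruby before relying on them; floating tags such as `latest` and series missing from the table are reported as unknown rather than silently passed.

```ruby
# Added example (not part of the onetimesecret project): flag FROM lines that
# pull an official ruby image whose MAJOR.MINOR series has passed its EOL date.
require "date"

# Illustrative EOL table keyed by "MAJOR.MINOR". These are assumed values;
# verify them against https://endoflife.date/ruby before use.
SAMPLE_RUBY_EOL = {
  "2.6" => Date.new(2022, 4, 12),
  "2.7" => Date.new(2023, 3, 31),
  "3.0" => Date.new(2024, 4, 23),
  "3.1" => Date.new(2025, 3, 26),
  "3.2" => Date.new(2026, 3, 31),
}.freeze

# Matches "FROM [--platform=...] [docker.io/][library/]ruby:<tag> [AS name]".
# Multi-stage builds are handled line by line; non-ruby images are ignored.
FROM_RUBY = /\A\s*FROM\s+(?:--platform=\S+\s+)?(?:docker\.io\/)?(?:library\/)?ruby:(?<tag>\S+)(?:\s+AS\s+\S+)?\s*\z/i

# "2.6-slim" -> "2.6", "3.2.2-slim-bookworm" -> "3.2"; nil for "latest", "slim", etc.
def ruby_minor_from_tag(tag)
  m = tag.match(/\A(\d+)\.(\d+)/)
  m && "#{m[1]}.#{m[2]}"
end

# Returns one finding per FROM line that references a ruby image:
#   { line: Integer, tag: String, minor: String or nil, status: :eol | :supported | :unknown }
# :unknown covers floating tags and series absent from the EOL table, so a
# CI gate can treat them as "needs a human look" instead of a pass.
def scan_dockerfile(text, eol_table: SAMPLE_RUBY_EOL, today: Date.today)
  findings = []
  text.each_line.with_index(1) do |raw, lineno|
    m = FROM_RUBY.match(raw.chomp)
    next unless m
    minor = ruby_minor_from_tag(m[:tag])
    status =
      if minor.nil? || !eol_table.key?(minor)
        :unknown
      elsif eol_table[minor] < today
        :eol
      else
        :supported
      end
    findings << { line: lineno, tag: m[:tag], minor: minor, status: status }
  end
  findings
end

# Constructed Dockerfile excerpt modelled on the one discussed in this issue.
SAMPLE_DOCKERFILE = <<~DOCKERFILE
  ARG CODE_ROOT=/app
  FROM ruby:2.6-slim AS builder
  RUN bundle install
  FROM debian:bookworm-slim
  FROM ruby:3.2.2-slim-bookworm
  FROM ruby:latest
DOCKERFILE

if $PROGRAM_NAME == __FILE__
  # Fixed "today" so the sample output is stable; drop it to use the real date.
  scan_dockerfile(SAMPLE_DOCKERFILE, today: Date.new(2024, 1, 19)).each do |f|
    puts "line #{f[:line]}: ruby:#{f[:tag]} -> #{f[:status]}"
  end
end
```

Run as a CI step with a non-zero exit on any `:eol` finding; keeping `:unknown` separate from `:supported` is deliberate, since a floating `latest` tag tells a scanner nothing about which runtime actually shipped.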

@venkatamutyala venkatamutyala changed the title Security Concern: Isn't Ruby end of life? Security Concern: Isn't Ruby 2.6 EOL? Aug 6, 2023
@basilrormose

The container image has a high number of severe vulnerabilities including multiple critical and high CVEs in both the OS and Ruby. Are there any plans to update the OS and Ruby?

@venkatamutyala (Contributor, Author)

@onetimesecret any thoughts?

@Huge commented Jan 19, 2024

#256 seems related but it still did not finish the build for me,

--- a/Dockerfile
+++ b/Dockerfile
@@ -53,7 +53,7 @@
 ARG CODE_ROOT=/app
 ARG ONETIME_HOME=/opt/onetime
 
-FROM ruby:2.6-slim AS builder
+FROM ruby:3.0-slim AS builder
 
 # Limit to packages needed for the system itself
 # NOTE: We only need the build tools installed if we need
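Review bot: `ruby:3.0-slim` only moves the builder stage one series forward, and the maintainer's later reply in this thread targets Ruby 3.1+, so pinning `ruby:3.1-slim` (or newer) would avoid repeating this bump shortly; Ruby 3.0 is itself near the end of its support window. Two related points: if the runtime stage (the one carrying the `LABEL` at line 84) has its own `FROM ruby:` line, it needs the same change or the final image still ships the EOL runtime; and pinning a full patch version plus image digest would make the build reproducible, so a scanner report maps to a known image rather than whatever `3.0-slim` resolved to that day.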
@@ -84,7 +84,7 @@ ARG ONETIME_HOME
 LABEL Name=onetimesecret Version=0.11.0
 
 # Limit to packages necessary for onetime and operational tasks
-ARG PACKAGES="curl netcat vim-tiny less redis-tools iproute2 iputils-ping iftop pktstat pcp iptraf"
+ARG PACKAGES="curl netcat-traditional vim-tiny less redis-tools iproute2 iputils-ping iftop pktstat pcp iptraf"
 
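Review bot: the `netcat` to `netcat-traditional` rename is presumably needed because the newer base image no longer ships the `netcat` transitional package, which is fine, but since the motivating concern in this issue is the CVE count of the image, the `PACKAGES` list deserves a trim in the same change. Interactive diagnostics such as `vim-tiny`, `iftop`, `pktstat`, `pcp` and `iptraf` add packages (and their CVEs) to the final image without being needed to run the service; dropping them or moving them into a separate debug build target would shrink the surface the scanner flagged.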

was what I tried next, but then `compose up` still failed with something ending

onetime-app    |        from /usr/local/bundle/gems/bundler-2.4.12/lib/bundler/vendor/thor/lib/thor.rb:392:in `dispatch'
onetime-app    |        from /usr/local/bundle/gems/bundler-2.4.12/lib/bundler/cli.rb:34:in `dispatch'
onetime-app    |        from /usr/local/bundle/gems/bundler-2.4.12/lib/bundler/vendor/thor/lib/thor/base.rb:485:in `start'
onetime-app    |        from /usr/local/bundle/gems/bundler-2.4.12/lib/bundler/cli.rb:28:in `start'
onetime-app    |        from /usr/local/bundle/gems/bundler-2.4.12/exe/bundle:45:in `block in <top (required)>'
onetime-app    |        from /usr/local/bundle/gems/bundler-2.4.12/lib/bundler/friendly_errors.rb:117:in `with_friendly_errors'
onetime-app    |        from /usr/local/bundle/gems/bundler-2.4.12/exe/bundle:33:in `<top (required)>'
onetime-app    |        from /usr/local/bundle/bin/bundle:25:in `load'
onetime-app    |        from /usr/local/bundle/bin/bundle:25:in `<main>'
onetime-app exited with code 1

@itsgps commented Jan 25, 2024

I've come across the same issue: it won't install with Ruby below 3 (Docker), but when it does get further we get token errors because the code is not updated for Ruby 3.
Would really love some movement on this; I'm getting pounded during security meetings that the current server implementation is not in a good security state.

@venkatamutyala (Contributor, Author)

@onetimesecret any thoughts? This issue has been open since August. Would it make more sense to look at having someone else maintain this project? There appear to be orgs focused on helping projects like yours stay alive/maintained: https://www.codeshelter.co/

Happy to find more options if this is something that would be of interest to you.

@delano (Collaborator) commented Apr 3, 2024

At long last I've finally had the time and mindspace to make some actual progress on Ruby 3.1+ support (I'd had a number of false starts over the past few years). @venkatamutyala Thanks for raising this issue and for the follow-up. I hadn't heard about Code Shelter. I am interested in getting some help which I think after the Ruby 3 hurdle will be feasible.

I pushed a final release of the current codebase (release 0.12.0) and started a pristine develop branch for the Ruby 3.1+ work.

I'm working on this in earnest now. One of the pitfalls I'd been getting into was trying to bring some of the dependencies up to this modern era at the same time. I'm giving up on that route so I can focus my attention and not get bogged down again.

@delano delano self-assigned this Apr 3, 2024
@delano delano added dependencies Pull requests that update a dependency file security ruby Pull requests that update Ruby code tech debt maintenance labels Apr 3, 2024
@venkatamutyala (Contributor, Author) commented Apr 3, 2024

@delano would you take external pull requests for the current work?

If so, I can share this with some Ruby user groups that I am a part of.

@delano (Collaborator) commented Apr 3, 2024

@venkatamutyala Absolutely. I'd really appreciate that.

@venkatamutyala (Contributor, Author)

Just spammed a couple of different groups.

As for where I'm capable, if it's related to: DevOps/CI/CD/Platform/Deployment/Containers/Docker/Infrastructure, feel free to tag me on an existing GitHub issue or a new one.

@delano (Collaborator) commented Apr 6, 2024

Thanks @venkatamutyala!

Initial support for Ruby 3 is live in the develop branch now. There's a basic workflow that runs tests against a matrix of ruby versions:
https://github.com/onetimesecret/onetimesecret/actions/runs/8577324066

Any and all feedback is welcome.

@delano delano added Review effort [1-5]: 4 ruby3 Related to ruby version 3+ labels Apr 6, 2024
@venkatamutyala (Contributor, Author)

Hey @delano what's the benefit of supporting multiple versions? It feels like extra overhead given folks can just use a version manager to match whatever this project requires.

@van (Collaborator) commented Apr 7, 2024 via email

@venkatamutyala (Contributor, Author)

Opened a couple issues re: devops here:

#306
#305

Also, one more that is probably worth considering is using a Docker base image with fewer vulnerabilities, e.g. something more hardened. I can look into a couple of options for this.
