Foo

Rails announced a mandatory security patch.

For the third time: This is not like “sure, I should be flossing my teeth”. This is “yes, I will wear my helmet as I try to go 100mph on a motorcycle through downtown in rush hour”. It’s not a suggestion, it’s a prescription. So get to it!

They sound serious so I figured I better update. I’d been using my ISP’s version of Rails since it worked just fine.

rake rails:freeze:gems would work except all the vendor code would need to be checked into subversion since I use Capistrano for deployment. It’s not my code and it’s already under version control so there’s no reason for me to keep it in svn.

I found a better way. Using svn:externals I can link vendor/rails/ to a tagged version of rails 1.1.5 in the rubyonrails repository.

$ cd /path/to/your/app/vendor
$ svn ps svn:externals “rails \
http://dev.rubyonrails.org/svn/rails/tags/rel_1-1-5/” .


UPDATE: Rails 1.1.6 replaces 1.1.5

$ cd /path/to/your/app/vendor
$ svn propset svn:externals “rails \
http://dev.rubyonrails.org/svn/rails/tags/rel_1-1-6/” .
$ svn ci
$ svn up
$ cd ..
$ rake deploy