The Rails Girls Summer of Code needs your support!

4 Jun 2013

The freshly awarded 2013 Ruby Heroes Rails Girls are organizing a Summer of Code in similar fashion to the Google Summer of Code.

If you are not familiar with the concept, in a Summer of Code students and mentors work together on projects for which the students get paid from a fund while their results go back to the community via open source. The Rails project has officially participated in Google Summers of Code since 2009, with some quite familiar names and pieces of software coming out of it.

Rails Girls, the organization that brings more women into tech by organizing free, volunteer-driven workshops all around the world, now set to run their own flavour of this model and are funding the student sponsorships via a community donation campaign.

The campaign is due to end on June 7th - please consider donating a bit for this very well worthy cause - the more money is donated, the more students can be accepted and projects will be launched!

You can find the Rails Girls Summer of Code Campaign here

See you at RailsConf 2013!

29 Apr 2013

Hello everyone,

this is going to be a short one: This week, after five years Railsconf is back to Portland, Oregon, and so am I (@thedeadserious). If you're over as well I'd be happy to meet you at the conference itself or maybe one of the numerous events surrounding it - so feel free to say hi, I'm looking forward to see you all!

Fix your Rails 2.3/3.0 and Devise apps!

28 Jan 2013

Hot on the heels of the recent security problem with YAML, obviously some people figured out how to inject YAML into your JSON when using Rails 2.3 or 3.0 (3.1+ do not seem to be affected). Check out the officai announcement on the rails-security list. Though the announcement is not very specific since it explicitly mentions the injection of a YAML payload into your JSON it is very likely this is just as severe as the recent one. If you're on any of these versions, please upgrade or patch as soon as possible.

While you're at it you probably should also upgrade Devise if you're using it (and do not use postgresql or sqlite as your db) since there's a security hole there as well.

Happy Patching!

Signin bug smashing

26 Jan 2013

In the last months I was repeatedly getting reports of issues with signing in to the Toolbox via Github. Although I already had fixed some problems back in November that update had not resolved all of the issues, so I recently chose to have another shot at it and rewrote the whole process from scratch. Some users were also reporting that after signing in, they were getting errors. This was in fact a bug in the account screen you get to see after signing in successfully. ironically, because of this you had no way to figure out you had signed in correctly.

All of these things should now finally work as you'd expect them to.

In order to get your e-mail addresses more reliably, along with the changes back in November I added the user scope to be requested for your Github account during sign in so I could get rid of the separate handling and verification of e-mail addresses (for notifications and such) in the toolbox itself. This had the major gotcha that Github back then only had one OAuth scope for accessing your profile, and that meant both read + write access for your whole user profile. Bad. (I have been seen criticizing other services for asking for too many permissions myself...)

Thanks to the OAuth read-only user:email scope Github added this month I could finally do away with this. During sign in, the Toolbox now only reads your public profile + your default verified github email address. Of course, there has to be a minor gotcha: When authorizing for the first time, Github currently does not list the email-address permission on their auth screen. You will be informed about what data the Toolbox fetches on sign in before being kicked to Github though.

Cheers, Christoph

Stop what you're doing and fix all your Rails apps right now!

10 Jan 2013

In order to raise awareness of the issue, here's a Rails-security related bit:

TL;DR Stop what you're doing right now and go plug the giant security hole in ALL your Rails apps!

You surely already heard of the security announcement and succeeding Rails patch releases. The issue is very serious and if you haven't updated or patched all your Rails apps anyone can execute any Ruby code (and therefore also system commands) by merely performing a simple, crafted HTTP request against your application!

The Rails security announcement outlines how you can plug the hole fairly easily by disabling the XML request params parser, which probably no uses anyway nowadays. You need to do at least this RIGHT NOW, for any Rails app you have running. Unless you rely on XML params input you should not have to upgrade any gems and your app should not break.

Please note that the popular exploit-framework Metasploit has a working module that exploits this issue, and it is very likely that scanning of the net for attackable applications has been in full swing for hours, if not days as working Proof of Concepts have been floating around the internet already.

You can find a good write up by @brynary on the CodeClimate blog. You can also find a list of possible attacks and further details over here, but read those after FIXING ALL THE APPS!

On a side note, if you accept YAML user input (which is the real offender here because you can embed it in XML params while YAML makes it possible to initialize Ruby objects and call methods on deserialization, and there does not seem to be a way to disable that) via other means than the XML params parser, you should check whether this can be exploited too.

I sincerely hope that before you read to the end of this posting you have already deployed fixed versions of all your Rails applications.

Happy New Year!

1 Jan 2013

Happy new year 2013 everyone! With the upcoming releases of Ruby 2 and Rails 4 I'm sure we're bound for another great year of programming ruby. A big thank you to everyone involved in making Ruby and the ecosystem that surrounds it such a joyful experience!

Featured projects temporarily removed

27 Dec 2012

Just a quick holiday update: I temporarily removed the list of 5 featured projects from the welcome page. They were originally intended to be filled automatically based upon trending projects, but I did not get around to implementing that yet and therefore they've been depending upon my manual flagging, which was pretty laggy in recent months.

In other news I know I'm very bad about keeping you in the loop. I intend to give you at least 2 updates per month on this blog in 2013. Usually it's also a good idea to check out @rubytoolbox and my good self @thedeadserious on twitter.

Hope you're all well!

State of the Toolbox

18 Jul 2012

Hey everyone!

You might have noticed that suggesting projects is currently a bit tricky: When passing in a Github repo path, the form tells you that the repo does not exist. This is due to Github's API v2 killoff. Whenever you try to submit a project it checks whether that repo exists. Unfortunately, because the Github API now 404's, the form thinks you're trying to pass in bogus data...

Since the data updaters are entirely rewritten and work on Github API v3, this particular thing would be easy to fix, but there's two reasons I did not do this:

  1. I'm currently refactoring, rewriting and cleaning up huge chunks of the app and due to this can't deploy a full version since some things might be broken. Among others I chose to ditch the test-unit/shoulda combo in favor of a completely new RSpec test suite. When I started writing the new Toolbox on some Rails 3 prerelease it was not so clear I was betting on the wrong horse there. At least now the test coverage is better than ever, and digging through all of the source code forced me to clean up a lot of stuff. Quite a few "what the hell did I do there?" moments, I can tell you...
  2. Of course I could rollout a fix for this particular bug, but since you guys write so much great OSS I'm already knee-deep in project suggestions and have trouble working through them in the current process.

To address point 2: Part of the next release will be a hugely revamped process for suggesting projects. In a first step, the separation between first-class Projects and mere Rubygems will be removed. All gems will also become projects, though of course without a category by default. This will allow you to post resources on them, like and comment and so on.

On a side note for gem authors: Please make sure your gems have a valid link to their github repo on in the homepage url (via gemspec) or the source code url (via Rubygems admin UI). When the next release arrives, the gems transitioned to projects will automatically be linked against github repos if you have a legit repo link in there. This will save us all a lot of edits, so please do it now.

After this migration is complete, anyone will be able to edit projects. For the sake of simplicity for now I'll still have to review those, but the process will already be much easier and more open (read: visible to anyone, commentable by anyone so you can blame me for being slow etc.). In a next step I'd like to hand this over to the community in a voting process similar to what Musicbrainz does so the process is as open and community-driven as possible.

I can understand some of you get frustrated about their projects not being added to the Toolbox in a reasonable amount of time, and I'm sorry for that. Please understand that I'm a single guy running this site, and the time I can put into it varies. My focus in recent (holiday) weeks was on pushing the things I mentioned above forward, so there was little time for "other stuff".

Ultimately, the current big refactoring will lead us to a state where I feel comfortable with open sourcing the Ruby Toolbox both without feeling ashamed of the pile of ugly or crude codes I wrote and feeling comfortable about the test coverage, which is crucial for accepting pull requests and getting a mighty open source drive behind it.

Also, in the next weeks I plan to add a couple of folks to the team as reviewers for the aforementioned project change requests. I already have a couple of guys who'd like to do it, but if you're interested drop me a line to christoph at ruby-toolbox com or via @rubytoolbox or @thedeadserious so we can get this going soon!

I'll also launch a mailing list for interested contributors, be it as coders or community reviewers. Please check back here or on Twitter for updates on this.

I hope you're doing fine, cheers!

Christoph (@thedeadserious)

Login currently broken

15 Jun 2012

Unfortunately, I waited with the updates of the Github API client until they ultimately killed API v2 earlier this week. Since this is required to fetch your data after successfully signing in to the Toolbox via OAuth, you currently won't be able to sign in to the Toolbox via Github.

I have the fix in the pipes and should manage to finish and roll it out within the next 32 hours or so.

Sorry for the inconvenience!

By the way, if you want to keep updated on current Toolbox news you may want to follow @rubytoolbox on Twitter.

Update 13:25 UTC: Existing users should be able to log in again. If you are trying to get sign in for the first time, it might fail, but I'm on it :)

The Resources need some Love

13 Apr 2012

The resources section of the Toolbox is something I put quite a bit of effort into trying to "get it right" and make it really easy to submit articles to as I think this can be a very useful part of the Toolbox.

Unfortunately, there's very few people submitting resources so far. Except for the odd blog/project author, only a few people keep the stuff pouring in most of the time (I'm looking at you Ezekiel and Daniel...)

I'd love to know why that is! If you think the process can be improved, please leave a comment! If you haven't tried it yet, it really is easy: Either click the "Submit a Resource" thing in the sidebar of the Resources page, or even simpler add the Bookmarklet to your, eh, Bookmarks... It will directly lead you to the submit page for any blog post, screencast etc. you're currently viewing and also tries it's best to automatically guess the referenced projects.

I'm also aware of the fact that while submitting resources is quite simple, the accessibility of available resources needs to be improved, lowering the incentive to submit your latest and greatest blog post (or article you stumbled upon). There are three major things I've had planned for ages but have not got around to implement yet that should improve this:

  • A weekly mail newsletter for users containing all resources for their "Loved" projects (also available as a feed)
  • Incorporating votes into the ordering (currently strictly by submission date) - though this one is tricky, since it would need some age vs. votes ratio - ideas welcome here as well!
  • Most importantly, resources will soon be added to the site-wide search, so you'll be able to search for any available content on adding Presenter-based gravatar widgets to your Devise-backed Rails application, not only depending on project author's gem descriptions being correct.

All of these things still need a good foundation of available content linked up, so it would be really great if more people would get into the habit of submitting anything they read or saw and found useful.

I'd love to hear from you whether you think this stuff is worthwhile at all, or whether I should focus on other parts of the site. If you like the overall idea of the thing, but would like to suggest something else that needs to be improved, I'm also eager to hear your thoughts! As I mentioned I think this can become an awesome, well, resource to learn.

So you don't care

10 Mar 2012

But I do.

My long-time friend, brother-in-arms, co-worker and all-around-nice-guy(tm) Sebastian Georgi (@j3z_hh) had an apoplectic stroke last Saturday.

He's on his (good) way of recovery, and actually the docs taking care of him are quite amazed of his quick progress. But still, of course, it's a long way for him to get back to full health.

Also, today is his 30th birthday.

So I figured: With the worldwide community this site has, it would be nice to have people from all around the world to send him a birthday/well-wishes card on this special day.

TL;DR: Write I love you (or some other nice thing ;) on a postcard and send it to:

Edit 2012-04-16: He's back at work :)

A little category spring cleaning

1 Mar 2012

Goodbye CSS and JS

TL;DR: Twitter Bootstrap is more popular than Rails and therefore is not listed any more

You may have noticed that Twitter put out a rather popular (and awesome!) CSS framework. Turns out it got so popular that it was by far outscoring all Ruby projects on this site with it's 21k watchers and 5k forks (as of today). Having a CSS framework as the most popular project on a mostly Ruby-focused library catalog seemed somewhat irritating, so it had to leave.

Of course, there is a bit more to that, so bear with me for a minute: Developing web apps has changed quite a bit over the last couple of years, particularily with the advent of (even more) client side JS and frameworks like Ember and Backbone (and so many more) becoming increasingly more important for Ruby developers too, it is getting increasingly hard to draw the line between what's relevant from the Ruby developer's view.

Back in the day when Prototype was bundled with Rails and jQuery started to become what everybody was actually using it made sense to have a Javascript Frameworks category that listed those options, even if only to make Rails developers aware of the fact that there are other choices.

Nowadays we have an incredibly huge and ever-growing JS framework landscape, that each complement the other's functionality, and they surely don't all fit into a generic JS Framework category anymore. On the other hand, The Ruby Toolbox is about Ruby after all, so starting to categorize and try to list all those is out of scope for this site. So I decided to drop the Javascript Frameworks listing altogether.

What does that have to do with dropping Bootstrap? Well, the same thing applies there as well. There is a plethora of CSS Frameworks, all offering different things and aiming at a different target. Originally, the category started out with Blueprint CSS, which somewhat evolved from a Ruby context. But just as with JS frameworks, the landscape here is way too complex to adequately sum it up within a generic CSS Frameworks category within the Ruby Toolbox.

What will soon be available though is a category for Sprockets / Rails Asset Pipeline plugins, so bootstrap is due for a (proxied) comeback.

Testing frameworks

The general-purpose Testing frameworks category used to be quite a pile of mixed apples and oranges as well. Cucumber alongside RSpec alongside extensions to Test::Unit like Contest. Actually, these tools are quite often used alongside each other, and are not "competition". Therefore, I split the category into Unit Test Frameworks and Acceptance Test Frameworks to more accurately reflect the realities in most Ruby development environments.

In other news I've worked through about 200 of your project suggestions in the last 2 weeks, so there should still be enough on the site to explore :) There's still a lot of suggestions in the backlog though, so please be patient if yours haven't been added yet.

Cheers, Christoph

Nominate your Ruby Heroes!

10 Feb 2012

Every year at RailsConf, a selection of people who have made exceptional contributions to the Ruby community get some well-deserved acknowledgement by the means of a Ruby Heroes award - and the best part of it is that you get to nominate them!

Here's what they say:

Ruby Heroes was created to show some gratitude and give these people the recognition they deserve. Hopefully the type of recognition that keeps them doing what they’re doing, and continuing to make our community stronger.

If you haven't done so yet, don't forget to nominate yours. By the way, I hear Sven Fuchs is a promising candidate for all the awesome work he and the rest of the team have been doing on Travis CI ;)

Server move complete

21 Jan 2012

The server move went on without problems and if you can read this obviously your DNS provider already adjusted to the new addresses.

The servers are now based in Germany so there might be a minor difference in latency from overseas, but in general the site should be a whole lot faster now as it is backed by much mightier hardware now :)

Should you notice any regressions or other problems please post a comment, tweet @rubytoolbox or send me an e-mail to christoph (at) ruby-toolbox dot com.

Brace yourselves: Server move!

21 Jan 2012

Today, January 21st starting at 1pm UTC the Ruby Toolbox will be doing a server move.

Although I expect the move itself to go smoothly it unfortunately involves updating DNS records, so until the DNS propagates there might be an interruption in availability.

Please check out @rubytoolbox on Twitter for further status updates.

Follow @rubytoolbox on Twitter!

23 Nov 2011

TL;DR: You can now find and follow short news bits and status information from and about the Toolbox on Twitter: @rubytoolbox

That's actually everything, you read all of it.

Thanks to this month's sponsors!

7 Nov 2011

A big thank you to this month's sponsors for helping me run this site. Please check out the fine services they offer!



DocRaptor generates high quality PDF and XLS documents without expensive upfront server license cost or time-consuming open source conversion libraries. An awesomely simple API makes it easy to implement features like report and proposal downloads within your app. XLS and PDF docs are notoriously hard to work with. DocRaptor eviscerates the conversion process so that you get the docs you want without the hassle.



Postmark is the easiest, fastest, and most reliable way to be sure your important transactional emails get to the inbox. Enjoy simple API or SMTP access, bounce & spam analytics, and fast, friendly, expert customer support. We handle things like whitelisting, ISP throttling, reverse DNS, feedback loops, content scanning, and delivery monitoring to ensure your emails get to the inbox.

Also thanks a lot to Heroku for sponsoring hosting for this site in the last two years and to Tender for running the support site.

If your company would like to support the Toolbox and get word about their service to thousands of Ruby developers around the world, please get in touch via sponsoring (at)

The new Ruby Toolbox is ready!

7 Oct 2011

After a (too) long private beta period, the new, completely rewritten Ruby Toolbox is finally ready!

There's a huge amount of great new features to be explored and explaining all of them would probably bore you to death, so here's just a quick and surely incomplete list of what you might want to look for while browsing the new site:

  • New relative scoring system that treats Rubygem downloads equal to Github popularity. Click on a project's score to find out how it's calculated.
  • Projects do not have to be hosted on Github any more - any Rubygem is just as good.
  • Much more detail provided for all projects, including gem releases, first and last commit dates and much more
  • All Rubygems included, with urls equal to those at - for example /gems/simplecov-html
  • Finally, a search! You can search for Projects and Rubygems easily. OpenSearch integration is provided too, so you should be able to add it to your browser's search engines with one click.
  • Categories are now assorted in groups so browsing the site gets easier
  • Better project and category popularity graphs. Project graphs show the popularity score over the last 12 months so you can see how popularity has changed over time.
  • Easy sign-in using your Github account via OAuth
  • Anyone can post Resources like Blog Posts, Screencasts or Presentations on projects either via our form or the bookmarklet. Find them on the (new...) individual pages of each project or on the Resources list and it's corresponding RSS feed. You can vote resources up, which will eventually be incorporated into the ordering of resources.
  • A project suggestion form so it is easier for y'all to get your projects listed.
  • Like projects. Right now this only lists them on your account profile page, but you can expect customized feeds and much more from this soon - For now pile up what you like so you're ready to go once the new stuff arrives.

Since starting to build the new site, project additions to the old one were very rare, so apart from all the new functionality, you will also find a lot of projects and categories that have been missing from the old one. Just to give you some rough directions, the old site had 778 projects in 112 categories, while currently the new site has over 1000 projects in 142 categories.

One major painpoint that I did not manage to fix yet is the overall too big appearance of the site. Please use your browser to zoom out one or two steps. From the usage data of the previous site I figured I could go for a 1200px width layout with the new one, but actually ended up building a too-large 960px thing out of that nasty 960px habit. I'm well aware of the issue, but resizing all the paddings, margins and font sizes across the site is quite a hassle at this point. It will be fixed though, it's just not something I want to postpone the release any further for. Thanks :)

The site is now completely using SSL. It's possible that the DNS records have not updated all over the world yet, so if you bump into trouble, please try again a little later. Also, on Android the GeoTrust SSL certificate used will throw an error. This is pretty stupid, but after ignoring the warning you should be fine. I'll look into how to avoid this from popping up.

Finally a note for everyone who sent me a mail suggesting a new project over the last couple of months and did not get a reply: Sorry! I usually try to reply to every single mail as soon as possible, but I eventually grew a bit tired of disappointing people telling that ActiveAdmin is present on the new site and the old one is not being updated. If your project is not listed on the new site or something else is wrong, please send me your mail again or try the new project suggestion form right away!

I hope building this thing was worthwile and the new site proves useful to you. Now please go ahead and fill it with life!


In order to continue, you must be signed in using your Github account.

If you're signing in using this account for the first time Github will ask for your permission to give access to your public user data to the Ruby Toolbox.

Although the Github Authorization page does not mention it, the request includes read-only access to your verified email address (user:email OAuth scope). This is neccessary so there's a way to notify you about comments, information about your accepted project edits and the like. You can review your notification settings on your account page once you're signed in.