Here’s a perfect example of the problem: Classifier gem breaks Rails.

** Original question: **

One thing that concerns me as a security professional is that Ruby doesn’t have a parallel of Java’s package-privacy. That is, this isn’t valid Ruby:

public module Foo   public module Bar     # factory method for new Bar implementations     def self.new(...)       SimpleBarImplementation.new(...)     end     def baz       raise NotImplementedError.new('Implementing Classes MUST redefine #baz')     end   end    private class SimpleBarImplementation     include Bar     def baz       ...     end   end end 

It’d be really nice to be able to prevent monkey-patching of Foo::BarImpl. That way, people who rely on the library know that nobody has messed with it. Imagine if somebody changed the implementation of MD5 or SHA1 on you! I can call freeze on these classes, but I have to do it on a class-by-class basis, and other scripts might modify them before I finish securing my application if I’m not very careful about load order.

Java provides lots of other tools for defensive programming, many of which are not possible in Ruby. (See Josh Bloch’s book for a good list.) Is this really a concern? Should I just stop complaining and use Ruby for lightweight things and not hope for ‘enterprise-ready’ solutions?

(And no, core classes are not frozen by default in Ruby. See below:)

require 'md5' # => true MD5.frozen? # => false