disappointed

meta = { date-posted: 2006-08-11 }

I was quite disappointed with the handling of the Rails security vulnerability.

The initial security notice was not the greatest. Announcing a security vulnerability without any information about what the vulnerability actually is makes it hard for the people who rely on the software to justify a quick upgrade. They are not given the tools to weigh their own options, to consider alternative mitigations, or to justify the downtime to their customers.

This problem can be seen in the second announcement, which notes that Rails 1.0 was not in fact vulnerable. People who were prompted to upgrade from 1.0 (and initially they were) did so, likely in a rush to close the hole. Later they learned two things: that they had not been vulnerable in the first place, and that 1.1.5, the version originally released as the fix, did not fully fix it. So they actually made themselves vulnerable, and then had to patch quickly again. Not good.

I can understand things up to this point. I can say to myself, "well... at least they released the patches quickly." On closer inspection, though, releasing a notice without releasing the cause behind it created more problems. As noted in later posts, there was a rewrite rule that would block a large portion of the vulnerability. If people had been given the details earlier, that workaround might have come to light sooner. This comes back to giving people the opportunity to mitigate and to weigh their own options. Empowerment.

Telling everyone there is a big security issue, but not telling them what it is, when anyone with the knowledge and time can simply diff the source against the patched release and work it out for themselves, makes for a bad situation.

Ok, so it was bad. Yet, as a result, a security list was formed, and people are more aware of Rails security. Other frameworks have stood up and taken notice.

What I find most disappointing, though, is the reaction of some of the Rails community's luminaries and members to people raising valid concerns. Reading many of the comments in the blog posts linked, well, let's just say it isn't too pretty.

I was left with an odd taste in my mouth, and I don't think it was my cooking.