well, amidst the scurry and comments of yesterday's rails security issue and resulting patch debacle, today, yet another new version is released and patches for the previous versions.

the *MUST UPGRADE* patch of yesterday didn't even appear to fix the issue.  sure, this happens, but maybe if some subtlty was exhibited and some of the feedback (unfortunately after the fact) was leveraged, it could have been avoided and a correct patch along with the full disclosure could have been implemented.

with today's new release, it caused me pause of the growing pains of this rails community.  several things happened today: a notice of a new release (second w/in < 24 hours), a notice of a move of the trac server, and a notice of a security mailing list (a suggestion from a community member).  the rails community is growing and this incident and the way it was/was not handled (depending on who you ask) is evidence of the struggles we all face, regardless of technology, in building communities around open source projects and the unfortunate byproducts at times of design/lead by community.

...and nobody knows what it is.  warning: this is a long post, but sit back and read it -- it is quite telling IMO.

while reading some of my email list posts this evening, i came across a post on the ruby on rails forum:

This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn't affected by this). If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched.

The issue is in fact of such a criticality that we're not going to dig into the specifics. No need to arm would-be assailants.

So upgrade today, not tomorrow. We've made sure that Rails 1.1.5 is fully drop-in compatible with 1.1.4. It only includes a handful of bug fixes and no new features.

For the third time: This is not like "sure, I should be flooshing my teeth". This is "yes, I will wear my helmet as I try to go 100mph on a motorcycle through downtown in rush hour". It's not a suggestion, it's a prescription. So get to it!

probably the most interesting part being the 'such a criticality that we're not going to dig into the specifics.'  this has caused quite a heated debate in the comments on the blog...i've picked some of the interesting comments to repost as i thought were particularly interesting, important and to me shows some of the leadership collisions in that community...here are some of my favorites (you can read the full post and comments on the ruby on rails weblog):

This WARRANTS full explanation! If there is need enough to alarm the
people that use the product then there is certainly a need to provide
disclosure of some sort of what the problem is.

This "attitude" to some degree diminishes the value of Rails. It
suddenly took a very cool framework and set it back because of the
unprofessional way in which a problem was handled. I firmly believe
that you can judge a company (or person or product) not by the way they
handle things when things are going well, but by the way they handle
things when things go wrong. In business, and life, things go wrong.
Handle it properly. This is not the proper way to handle an issue as
serious as it sounds.

Provide the details. COMMUNICATE to people so they know WHAT the
problem is and what their exposure is. NEVER put out a generic
statement like this - it is almost as bad as hiding the problem
entirely.

Leeto wrote:

A rather humorous patch announcement you have here. Declaring an upgrade as mandatory without offering the public so much as a single glimpse as to what is wrong? You say the security hole is gaping… but you offer no proof of concept or exploit explanation.

No one should be expecting you to be posting pre-compiled code that script kiddies could utilize, but no one should be taking your concern for security seriously without a full disclosure of what is wrong.

FM wrote:

You’ve got to be kidding. When has security through obscurity ever worked? We run quite a few semi-public (ie, heavy-use critical internal applications) here and we can’t afford to just upgrade without knowing what the problem is. Sure we could dig through changesets, and we probably will, but not fully disclosing a critical security problem is very bad practice.

Daniel expressed concern while selling Rails to his organization:

I second the points made by DGM and DW. I’m in the process of convincing my boss about using Rails for our next major project. I have had big hope in the success, but this makes me uncertain if that is a road I can recommend.

perhaps what is somewhat disturbing is the comments from some of the core leadership and the tone...after the infamous 'f-you' slide at railsconf, DHH offers some opinions of his own on the blog, can you spot the sarcasm?:

DHH wrote (speaking of the need to patch):

Daniel, there’s no rush if you don’t mind having the security leak. Just as nobody is forcing you to upgrade Windows every week with the latest security fixes. Of course, not doing so greatly exposes you to the exploits of those holes. I think most people would appreciate the urgency and “rush” to get a fix out and applied in a hurry.

If you are aware of any other web platforms with major adoption that has never seen a security fix release, I’d love to hear about it. That must be a truly fantastic team that we’d love to learn from.

Chris Mear responded:

It’s not the mere fact that there is a security release, it’s the fact that there’s a security release and you won’t tell us what it addresses, so we’re unable to make that decision about whether we should apply it or not.

Instead, we have to take your word that this is super-important.

bougyman comments:

Nothing is abnormal about a framework this large having a vulnerability from time to time. But corporations cannot make decisions for deployment based on the (lack of) information provided in this announcement. We love the rails environment and have been pleased with most aspects of the software delivery. However, when the rubber hits the road (real world security), procedures have been Horrible. Partial disclosure doesn’t give those who are running applications enough information to come up with a workaround (like using a webserver filter language to disallow the malformed request) and certainly not enough ammunition to convince a Suit that an immediate software upgrade is necessary. ... Not maintaining an informative, coherent policy and procedure for releasing these announcements and patches could not only keep rails from being adopted in such managed environments, but flat-out get it pulled and replaced in those which it has already found its way. Including mine.

there are a lot of positive comments as well -- pointing out the patch worked fine, and a few people helping others upgrade (and on windows as well!), but it was very intriguing to me to see some pretty logical posts regarding full disclosure and how the community leadership is reacting to those comments...i wonder if DHH has an f-you post in his draft folder of his blog client :-)

okay, i'm slightly ashamed to admit it, but today i finally saw the visual studio team edition for database professionals in action.  vsts expert rich Hundhausen was demoing to a customer and i wanted to tag along to see this new feature set available to the team system family.

after 40 minutes of seeing some of the simple features all i could say was: cool.

seriously.  it was so simplistic, yet so necessary and needed for the db developer world.  here's a run-down of some of the features i saw today:

• creating db schemas by reverse engineering
• diff'ing schemas to other projects *and* other databases (note: you can do this without having to setup a project, reverese engineer anything etc)
• schema compares
• build and deploy implementations with msbuild
• data generation plans -- this was cool, a true data gen built into the product (which can be a part of a build plan as well to always start with a consistent state) -- can use static info, or retrieve data from a database, or you can set parameters, regex, etc., etc.
• unit testing of db scripts (pre, test, post scripts)
• source control integration with the vsts policies, etc.

it seriously put a little geeky grin on my face.  i got back to the office and downloaded it immediately (you can get ctp4 from here).  i'd encourage you to take a look and play around with it.

and as we know, the easiest way to learn is to teach.  i'm giving a demo at the next sql server user group meeting in my area!

i've been reading about the aol snafu about releasing search data.  if you haven't caught that yet, aol released some search data from 650K subscribers (wow, i didn't even realize people used aol search -- i'm assuming that is all from aol subscribers only) for research purposes.  while they removed account-identifying information, it was clear that any intuitive person would be able to sift through the search results and identify trenst based on same user -- thus increasing probability of identifying that person.

aol has retracted and removed the data and offered an apology without trying to evade their logic -- they admitted what they did was wrong.  kudos.

i couldn't help it and read more, and saw some links to the mirrors of the data.  hey, i'm curious as well.  on one of the sites i couldn't stop laughing when i read this:

Please mirror this file, and send me an Internet down the tubes by dialing <removed> so that I can include your link here.

lol, referring to senator stevens' comments about the internet tubes and when one of his staffers 'sent him an internet' -- holy crap i was laughing out loud reading someone starting to use that.

universal studios is filming a movie near my house the past few months.  well, okay, they've been building the set (which i originally thought was some serious low-rent housing) since april, and started filming in june.

what's been interesting about this whole process is a few things.  first, queen creek isn't exactly the mecca that attracts stardom.  we've been trying to figure out *where* they stars (which namely are jennifer garner and jamie foxx) are staying when they are here -- surely they aren't at the la quinta (which is the closest hotel to the set).  i've noticed a very interesting helicopter parked at a new helipad on a new hospital just nearby -- i suspect they are staying in scottsdale and flying over each day.  i offered to host jennifer garner (as long as affleck didn't come along) at my house...we have an extra room and baby toys...but her agent didn't call me back.

anyhow, the experience has been a bit surreal...watching the set being built and now watching some serious action scenes being filmed.  the movie is called the kingdom and is supposed to be about counter terrorism or something -- i haven't figured it out yet.  they are also using the gilbert, az jail as a set for their prison scenes (the gilbert jail got paid $12K for the use).

here's some shots from the set (from my phone sorry):

they really built a little city/apartment complex complete with school, soccer fields, etc. - as well as what looks like a foreign version of it with satellite dishes all over it, etc. -- rumor has it the whole set will be blown up, which should be cool.

the only thing that sucks is now that they are filming more, traffic sucks arse.  they close roads often (and there aren't that many main ones out here).  apparently i missed the garner/foxx duet at the local italian restaurant the other night -- argh.