
...and nobody knows what it is.  warning: this is a long post, but sit back and read it -- it is quite telling IMO.

while reading some of my email list posts this evening, i came across a post on the ruby on rails forum:

This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn't affected by this). If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched.

The issue is in fact of such a criticality that we're not going to dig into the specifics. No need to arm would-be assailants.

So upgrade today, not tomorrow. We've made sure that Rails 1.1.5 is fully drop-in compatible with 1.1.4. It only includes a handful of bug fixes and no new features.

For the third time: This is not like "sure, I should be flossing my teeth". This is "yes, I will wear my helmet as I try to go 100mph on a motorcycle through downtown in rush hour". It's not a suggestion, it's a prescription. So get to it!

probably the most interesting part being 'such a criticality that we're not going to dig into the specifics.'  this has caused quite a heated debate in the comments on the blog...i've picked some of the comments to repost that i thought were particularly interesting and important, and that to me show some of the leadership collisions in that community...here are some of my favorites (you can read the full post and comments on the ruby on rails weblog):

This WARRANTS full explanation! If there is need enough to alarm the people that use the product then there is certainly a need to provide disclosure of some sort of what the problem is.

This "attitude" to some degree diminishes the value of Rails. It suddenly took a very cool framework and set it back because of the unprofessional way in which a problem was handled. I firmly believe that you can judge a company (or person or product) not by the way they handle things when things are going well, but by the way they handle things when things go wrong. In business, and life, things go wrong. Handle it properly. This is not the proper way to handle an issue as serious as it sounds.

Provide the details. COMMUNICATE to people so they know WHAT the problem is and what their exposure is. NEVER put out a generic statement like this - it is almost as bad as hiding the problem.

Leeto wrote:

A rather humorous patch announcement you have here. Declaring an upgrade as mandatory without offering the public so much as a single glimpse as to what is wrong? You say the security hole is gaping… but you offer no proof of concept or exploit explanation.

No one should be expecting you to be posting pre-compiled code that script kiddies could utilize, but no one should be taking your concern for security seriously without a full disclosure of what is wrong.

FM wrote:

You’ve got to be kidding. When has security through obscurity ever worked? We run quite a few semi-public (ie, heavy-use critical internal applications) here and we can’t afford to just upgrade without knowing what the problem is. Sure we could dig through changesets, and we probably will, but not fully disclosing a critical security problem is very bad practice.

Daniel expressed concern while selling Rails to his organization:

I second the points made by DGM and DW. I’m in the process of convincing my boss about using Rails for our next major project. I have had big hope in the success, but this makes me uncertain if that is a road I can recommend.

perhaps what is somewhat disturbing are the comments from some of the core leadership and their tone...after the infamous 'f-you' slide at railsconf, DHH offers some opinions of his own on the blog; can you spot the sarcasm?

DHH wrote (speaking of the need to patch):

Daniel, there’s no rush if you don’t mind having the security leak. Just as nobody is forcing you to upgrade Windows every week with the latest security fixes. Of course, not doing so greatly exposes you to the exploits of those holes. I think most people would appreciate the urgency and “rush” to get a fix out and applied in a hurry.

If you are aware of any other web platforms with major adoption that has never seen a security fix release, I’d love to hear about it. That must be a truly fantastic team that we’d love to learn from.

Chris Mear responded:

It’s not the mere fact that there is a security release, it’s the fact that there’s a security release and you won’t tell us what it addresses, so we’re unable to make that decision about whether we should apply it or not.

Instead, we have to take your word that this is super-important.

bougyman comments:

Nothing is abnormal about a framework this large having a vulnerability from time to time. But corporations cannot make decisions for deployment based on the (lack of) information provided in this announcement. We love the rails environment and have been pleased with most aspects of the software delivery. However, when the rubber hits the road (real world security), procedures have been Horrible. Partial disclosure doesn’t give those who are running applications enough information to come up with a workaround (like using a webserver filter language to disallow the malformed request) and certainly not enough ammunition to convince a Suit that an immediate software upgrade is necessary. ... Not maintaining an informative, coherent policy and procedure for releasing these announcements and patches could not only keep rails from being adopted in such managed environments, but flat-out get it pulled and replaced in those which it has already found its way. Including mine.

there are a lot of positive comments as well -- pointing out that the patch worked fine, and a few people helping others upgrade (on windows as well!), but it was very intriguing to me to see some pretty logical posts regarding full disclosure and how the community leadership is reacting to them...i wonder if DHH has an f-you post in the drafts folder of his blog client :-)
