Rails Security and Nondisclosure
I think that's overly harsh, but there are some very valid concerns about the way this issue has been handled by the Rails team. The original announcement describes the issue as follows:
The issue is in fact of such a criticality that we're not going to dig into the specifics. No need to arm would-be assailants.
I'm not that afraid of kiddies who lack the clue to run diff.
On the Ruby Forum, Paul Legato states:
The handling of the recent vulnerability in Rails has proven somewhat problematic for us. We have recently adopted Rails as our web platform of choice; previously, we used J2EE. We love Rails. We hate J2EE. We don't want to go back. It took a lot of effort and convincing to get the management teams of our various projects to sign off on the use of Rails. The nondisclosure policy in handling this vulnerability has seriously jeopardized our (and many other people's) ability to use Rails in a commercial environment, so we would like to suggest that it be changed.
I wish the Rails team the best of luck in addressing this issue (the social one), and I hope they can see through some of the pointless criticism without missing the valid points that have been raised.