About the Author

Chris Shiflett

Hi, I’m Chris: entrepreneur, community leader, husband, and father. I live and work in Boulder, CO.


Rails Security and Nondisclosure

Since the announcement of a "serious security concern" in Rails yesterday, many people have taken the opportunity to criticize the Rails project as being too immature for "enterprise" use.

I think that's overly harsh, but there are some very valid concerns about the way this issue has been handled by the Rails team. The original announcement describes the issue as follows:

The issue is in fact of such a criticality that we're not going to dig into the specifics. No need to arm would-be assailants.

A comment on Slashdot responds to this by stating:

I'm not that afraid of kiddies who lack the clue to run diff.

On the Ruby Forum, Paul Legato states:

The handling of the recent vulnerability in Rails has proven somewhat problematic for us. We have recently adopted Rails as our web platform of choice; previously, we used J2EE. We love Rails. We hate J2EE. We don't want to go back. It took a lot of effort and convincing to get the management teams of our various projects to sign off on the use of Rails. The nondisclosure policy in handling this vulnerability has seriously jeopardized our (and many other people's) ability to use Rails in a commercial environment, so we would like to suggest that it be changed.

Others have pointed to explanations from Evan Weaver and Kristian Koehntopp as proof that nondisclosure doesn't keep the details a secret.

I wish the Rails team the best of luck in addressing this issue (the social one), and I hope they can see through some of the pointless criticism without missing the valid points that have been raised.

About this post

Rails Security and Nondisclosure was posted on Thu, 10 Aug 2006.

4 comments

1. Davey Shafik said:

I think that non-disclosure for a short *period* is fine. Just like a project should be given a short amount of time to fix a bug and release a fix before it's disclosed.

So, the RoR team should tell us, say, in a week; before that, I understand giving people time to upgrade. They should also make it clear this is what's going to happen.

On the whole, I think this just goes to show the immaturity of the project, and that's fine, it *is* a young project; things will get tighter as time goes by, I'm sure.

- Davey

Thu, 10 Aug 2006 at 20:44:02 GMT


2. Cyril Doussin said:

Completely agree with Davey. Non-disclosure for a short period is as close as you can get to fixing an issue without causing too much trouble to anyone.

This is what Mozilla does too, I believe, and it's proven very successful, I think.

Thu, 10 Aug 2006 at 22:03:54 GMT


3. Jeremy Moseley said:

It appears that the RoR team listened to their frustrated community and disclosed details on the vulnerability: http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure

Thu, 10 Aug 2006 at 22:45:16 GMT


4. Jeremy Moseley said:

Good info here: http://blog.evanweaver.com/articles/2006/08/10/explanation-of-the-rails-security-vulnerability-in-1-1-4-others

Thu, 10 Aug 2006 at 22:49:41 GMT

