Rails Security and Nondisclosure

10 Aug 2006

Since the announcement of a "serious security concern" in Rails yesterday, many people have taken the opportunity to criticize the Rails project as being too immature for "enterprise" use.

I think that's overly harsh, but there are some very valid concerns about the way this issue has been handled by the Rails team. The original announcement describes the issue as follows:

The issue is in fact of such a criticality that we're not going to dig into the specifics. No need to arm would-be assailants.

A comment on Slashdot responds to this by stating:

I'm not that afraid of kiddies who lack the clue to run diff.

On the Ruby Forum, Paul Legato states:

The handling of the recent vulnerability in Rails has proven somewhat problematic for us. We have recently adopted Rails as our web platform of choice; previously, we used J2EE. We love Rails. We hate J2EE. We don't want to go back. It took a lot of effort and convincing to get the management teams of our various projects to sign off on the use of Rails. The nondisclosure policy in handling this vulnerability has seriously jeopardized our (and many other people's) ability to use Rails in a commercial environment, so we would like to suggest that it be changed.

Others have pointed to explanations from Evan Weaver and Kristian Koehntopp as proof that nondisclosure doesn't keep the details a secret.

I wish the Rails team the best of luck in addressing this issue (the social one), and I hope they can see through some of the pointless criticism without missing the valid points that have been raised.