Matthew Smillie
8/9/2006 7:03:00 PM
On Aug 9, 2006, at 19:41, khaines@enigo.com wrote:
> On Thu, 10 Aug 2006, David Heinemeier Hansson wrote:
>
>> This is a MANDATORY upgrade for anyone not running on a very recent
>> edge (which isn't affected by this). If you have a public Rails site,
>> you MUST upgrade to Rails 1.1.5. The security issue is severe and you
>> do not want to be caught unpatched.
>>
>> The issue is in fact of such a criticality that we're not going to
>> dig into the specifics. No need to arm would-be assailants.
>
> This seems misguided to me. One of the things that I have always
> appreciated about the general open source environment is that when
> there is a security vulnerability it is announced. It is
> described. And it is fixed.
>
> The process is open, and it works because someone can go and look
> at the information about the vulnerability and learn from it, and
> they can have faith in the advice to upgrade because the
> vulnerability announcement is clear about what the exploit is and
> the risk from it.
There are competing interests at stake beyond adhering to general
open-source philosophy. If, for example, a vulnerability is very
easily exploited, and could cause data loss or other significant
damage, there's a very strong case to be made for fixing first and
giving explicit documentation later.
In other words, if you lose your entire database two hours after the
announcement (because it was announced at 2am local time, say), it's
pretty cold comfort that the vulnerability was openly discussed and
evaluated according to all the best practices of the open-source
community.
In any case, the only thing missing is a spoon-fed description of the
vulnerability. The fix itself is public, and if you're into that
sort of thing, I'm sure you could get a good idea of the exploit by
examining changes to the source code.
matthew smillie.