Github compromised, or not?!
Posted Mar 5, 2012 14:23 UTC (Mon) by tetromino
In reply to: Github compromised, or not?!
Parent article: Github compromised
> It's a real compromise because that was the real rails github. If he'd created a test account on github and then messed with it, that would just be a proof of concept. Same demonstration value, but less disruptive, the difference between proving a point and rubbing it in someone's face. Suspending his account seems to me, for that reason, to be an acceptable penalty.
Messing with the rails github was a reasonable action on Homakov's part. He filed a bug explaining that rails was insecure by default. The bug was closed with little discussion ("There was a proposal about changing that flag in #4062 and the consensus is the pros of the default configuration outweigh the pros of the alternative"). So what could he do, as an ordinary bug reporter, to shift the rails core team's established consensus about the default configuration? Further comments would be likely to fall on deaf ears. On the other hand, creating a bug from 1001 years in the future in the official rails bugtracker wouldn't cause damage to anyone, but would have a pretty good chance of convincing the rails core team that their insecure defaults result in real-world problems.
to post comments)