Apparently this would not have happened otherwise, but that is not Homakov's fault.
GitHub incident spawns Rails security debate
Posted Mar 8, 2012 8:39 UTC (Thu) by jzbiciak (✭ supporter ✭, #5246)
Based on the description of the situation, it seems like two outcomes were likely: Homakov could have just kept complaining until he was blue in the face or got bored and gave up. Or, he could be provocative and effectively publicly shame the developers into realizing they truly had a problem.
Sure, boiling it down to those two likely outcomes misses a sea of other possible outcomes. I'm not trying to commit the fallacy of false dichotomy here. But given an apparent choice between these likely outcomes, I can understand why public shaming in this way seemed attractive to Homakov.
It all feels a little childish, really, but at least the defaults are saner and the glaring hole in GitHub is closed. Now all the other Rails sites need to go fix themselves. Wheee....
Posted Mar 8, 2012 10:34 UTC (Thu) by hawk (subscriber, #3195)
To me that seems like probably the single biggest problem with this stunt; it wasn't directly aimed at Rails alone but at a third party using Rails.
Posted Mar 9, 2012 17:27 UTC (Fri) by n8willis (editor, #43041)
But enough mind-reading for one day.
Posted Mar 8, 2012 15:12 UTC (Thu) by cate (subscriber, #1359)
He should file some CVE reports. It will give the same shame to programmers and some more time for site owners to fix vulnerabilities, but it also gives programmers additional pressure from all CVE subscribers.
Posted Mar 8, 2012 17:51 UTC (Thu) by nix (subscriber, #2304)
> It will give the same shame to programmers
Posted Mar 8, 2012 21:47 UTC (Thu) by bronson (subscriber, #4806)
The value in what Homakov did was demonstrating that even extremely competent, experienced Rails developers don't always follow the docs. I'm not sure how anyone could do that without actually showing it in the wild.
Posted Mar 15, 2012 15:07 UTC (Thu) by rqosa (subscriber, #24136)
> This bug would never merit a CVE.
Do you mean the Rails default behavior, or the GitHub vulnerability? It seems like the GitHub vulnerability would have merited a CVE — if it weren't for the GitHub software being purely in-house (not distributed outside of GitHub, Inc.), correct?
Posted Mar 26, 2012 20:29 UTC (Mon) by bronson (subscriber, #4806)
But, while I've done a fair amount of Rails, I'm not the most in touch with CVEs.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.