LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

GitHub incidents spawns Rails security debate

GitHub incidents spawns Rails security debate

Posted Mar 8, 2012 10:34 UTC (Thu) by hawk (subscriber, #3195)
In reply to: GitHub incidents spawns Rails security debate by jzbiciak
Parent article: GitHub incidents spawns Rails security debate

If you take a Github perspective:
It's absolutely a good thing that the vulnerability in Github was fixed.
However, it seems very aggressive to only give Github two days (assuming it was even the same problem he had contacted them about) before starting to mess with their service to prove his point.

To me that seems like probably the single biggest problem with this stunt; it wasn't directly aimed at Rails alone but at a third party using Rails.

(Log in to post comments)

GitHub incidents spawns Rails security debate

Posted Mar 9, 2012 17:27 UTC (Fri) by n8willis (editor, #43041) [Link]

Based on his comments in the various issues, it seems to me that GitHub was only the "target" because it happened to be where Rails master was hosted (and, of course, demonstrated the vulnerability). It seems like if Rails had self-hosted, Homakov would have demonstrated the problem there instead.

But enough mind-reading for one day.
Nate

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds