Posted Mar 8, 2012 14:00 UTC (Thu) by man_ls
Parent article: GitHub incidents spawns Rails security debate
Thanks for a complete and balanced explanation. If anything it is a bit biased for Homakov, but I can't see how it might be otherwise.
The whole affair is a strong argument for full disclosure, but also for publishing exploits instead of "concept code". A gaping hole goes unfixed for 3+ years; framework developers even justify its existence and shift blame to application developers. Then it is exposed and tested in practice by an enterprising user, and suddenly it is closed in the target application -- and in the framework. If we are to judge actions solely by their consequences there is no doubt in this case, and the means used were quite mild too, even amusing.
GitHub, after the initial denial, has answered quickly and thoroughly: it has requested its users to do a key audit for all the repos (I received mine late last night). It appears that they have done a complete security assessment, forward looking and also including the possible consequences.
I cannot help but remember how in a recent article some commenters were disparaging PHP and recommending Rails or other "sane" frameworks. It is ironic how PHP closed this particular hole years ago, but PHP devs downplayed a similar problem for 3+ years. I for one am glad to be using PHP right now, and to be aware of its security problems; while Rails users just had a sense of false security all this time.