This post originated from an RSS feed registered with Python Buzz
by Carlos de la Guardia.
Original Post: Urgent! Upgrade now and don't ask questions
Feed Title: I blog therefore I am
Feed URL: http://blog.delaguardia.com.mx/feed.atom
Feed Description: A space to put my thoughts into writing.
The Rails developers have taken a little flak recently: they discovered a security problem in Rails and promptly published a patch for its users, but without saying what the patch did or which vulnerability it fixed, because they judged the flaw too critical to describe.
Open source and free software projects traditionally favor immediate and full disclosure of security issues, so many developers seem to have felt betrayed when the Rails team refused to give the details (or even the gist) of the flaw. It didn't help that a second patch had to be released the next day because the original one didn't solve the issue completely.
To their credit, they produced the patches very quickly and responded to the community as they usually do, but it has to be admitted that their handling of the situation was a little awkward.
Some say that the posture they assumed could jeopardize Rails' future in the enterprise, but I think they are overreacting. Rails has been growing very fast for two years, and you have to expect some growing pains in a process that has been far more successful than problematic.
In the Zope world, we are so used to the security hotfixes that come out from time to time (posted on various mailing lists and feeds) that the announcement of one seldom causes discussion. These are signs of a project's maturity that sometimes go unnoticed.