Rails developers have taken a little flak in recent days: they discovered a security problem in Rails and promptly published a patch for its users, but without saying what it did or which vulnerability it fixed, because they thought the issue was too critical to disclose.
Open source and free software projects traditionally favor immediate and full disclosure of security issues, so many developers seem to have felt a betrayal of sorts when the Rails team refused to specify the details (or even the gist) of the flaw. It didn't help that a new patch had to be released the next day because the original one didn't solve the issue completely.
To their credit, they created the patches very quickly and responded to the community as they usually do, but it has to be admitted that their handling of the situation was a little awkward.
Some say that the posture they assumed could jeopardize Rails' future in the enterprise, but I think they are overreacting. Rails has been growing very fast for two years and you have to expect some growing pains in a process which has been far more successful than problematic.
Even so, young web frameworks like Django are looking at this incident to learn and decide how to deal with these problems when they face them in the future (they already had a security policy outlined on their site, which means they had put some thought into the problem before this).
In the Zope world, we are so used to the security hot fixes that come from time to time (which are posted on various mailing lists and feeds) that the announcement of one seldom causes discussion. These are signs of a project's maturity that sometimes go unnoticed.
Read: Urgent! Upgrade now and don't ask questions