Trusted Computing

Posted on Friday August 11, 2006 in Programming | Software | Web

TSS reaches new low as morons celebrate the recent Rails incident.

I'm still having mixed feelings about the (lack of) full-disclosure on the issue, I'm still unable to tell if a mistake has been made.
Although they should have provided the URL rewriting based workaround in the first place (instead of rushing out a release and force people to upgrade their systems a partial fix), I can understand they didn't want to tell people their site is vulnerable with using simple URL without giving them any change to upgrade...

As soon as you decide to rely on a framework to build your applications, you establish a close relation of trust with the designers and maintainers of that piece of software. On that peculiar case, I have enough confidence in the skills, the experience and, ultimately, the goodwill of the Rails core to know that when I'm being told to upgrade now, I just do it.

Do you ask yourself that many questions when your OS vendor pushes a new security update? It's just a matter of trust between you and your suppliers or delegates.
The most important thing is to constantly (re)evaluate that relation if you don't want yesterday's trust to become today's blind faith...

UPDATE: More ignorance unfolds as someone posted a follow up on the 1.1.6 release. Be warned: some very graphic examples of deep cluelessness are displayed in there...

3 comments

Comments...

Leave a response

sircam said 1 day later:

The fact that the news is relayed on TSS is everything but innocent.

Many comments in the thread are simply childish. Look at them, feeling threatened by a modern framework, convinced that J2EE is the best, fingering RoR for a security issue, and laughing at it the same way they certainly did at .net.

As if we were meant to commit ourselves to one and only one tool or framework or language...

Well, to be honest, I guess you'll find RoR integrists out there too.

People...
Xavier said 1 day later:

Posters on TSS are just pathetic. Those people have probably spent so much time and energy slowly climbing the learning curve of the whole Java Enterprise stack that they obviously want some kind of return on investment... and the whiz kid next door rolling out a new Rails app every 2 weeks is not going to crash the party.

The problem is that most of them simply do not know what Rails is. The last time they looked at it, it was the initial screencast showing how to build a simple blog engine in 10 minutes. Do they really know that Rails is all but a tool to generate CRUD scaffolding code?

Even when the Rails hype machine was going full steam, no one ever said that Rails (or even Ruby for that matter) was a silverbullet. But if RoR is enough for 30%, 50% or even 90% of the case you have to deal with, why would anyone go through the pain and cost of building a Java EE solution for the sake of it?

Back to the TSS, I only skim through the articles 2 times a week or so, looking for a good laugh. The content is so poor and boring. More than half of the posts are about "product" annoucements. And most of the "products" are just useless or nonsensical frameworks that no sane developper would ever dare to use. :)
sircam said 4 days later:

Seen on TSS : "Posting ROR stuff here is just to start flame wars."

That sums it up :-)

Your name	(leave url »)
Your blog
Your message

Xavier Defrang

Trusted Computing

Comments...

live search

categories

projects

media consumption

Mountain Battles

Calabi Yau Space

Metroid Prime 3: Corruption

Super Mario Galaxy

Untrue

blogs

syndicate