Ruby on Rails security flap

Monday 21 August 2006

Earlier this month, Ruby on Rails reached a milestone: they issued a security advisory:

This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn't affected by this). If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched.

The issue is in fact of such a criticality that we're not going to dig into the specifics. No need to arm would-be assalients.

24 hours later, they explained the whole situation. Unfortunately, it turned out that the mandatory 1.1.5 patch not only was not sufficient, requiring a 1.1.6 patch, but if you had been running 1.0 or 1.1.3, then upgrading to 1.1.5 made your system less secure!

This naturally engendered a great deal of discussion on the Ruby blog. As you may have guessed, the opinions there run the gamut. On the plus side, Matt Van Dusen said:

As far as I can tell, the Ruby team did what any good development group would do if they had a potentially crippling problem in their fundamental code: Rolled out a fix as fast as they could and warning their users.

Compare that to Microsoft, where it takes months to get ANY kind of disclosure, and it takes a massive attack for them to admit they f*cked up their code, and to have them tell us it's gonna be at least 2 weeks before they could possibly fix it - thanks guys, you've just told the entire cracker community how to break any Windoze box in the world, and no fixes for 2 weeks?

and Jon Shea said:

I don't understand any of this griping. I think the Rails team's response was flawless. I can't think of even a single example of a commercial software package's security flaw being handled as well.

DHH et al., thanks a million times over for all your hard work. Rails is an inspired piece of software.

On the other hand, "Upset Commercial Rails User" said:

I understand this is an open source project, but if you want to continue to see the adoption grow, especially by commercial users, do us a favor and be more thorough before you rush out to tell the world that disaster is moments away.

It's bad enough to deal with this type of thing from Microsoft. Now I have to spend time and resources for this update as well.

Get your act together, I'm sure you guys have professional development or IT jobs as well, and one massive deployment to fix a problem that should have been solved in yesterday's massive deployment should upset you as well.

I'm not concerned that there was a security problem in Rails, that happens. What bothers me is the haste in which the first "fix" was rushed.

to which DHH (the creator of Rails) unfortunately replied:

I'm puzzled, what's a commercial Rails user? I don't recall there being a sticker price on the box. We care equally for all users since everyone is paying the same price: zilch.

Okay, that's not true. We actually care more about users who don't feel the need to hide behind aliases like "Commercial Rails user".

If you have something to say, please stand by your words by signing it with your real name. Anything else is a surefire way to get anything you have to say discounted as trolling.

The tone of the discussion became a bit more controversial. One of the last comments (by Tom Barrick) is:

DHH: Grow up.

As I said, it's a milestone for Ruby on Rails. They've had a pheneomenal success, a huge adoption rate, and tremendous press. This security patch was a real-world hiccup. All software has security issues and bugs. What determines success is how the team deals with them.

I think the 24 hour turnaround was very good, and the full (eventual) disclosure was also very good. Keeping the vulnerability secret for a day was bad, especially since this is an open-source project, so the details were publically available, but only to those able to diff and grok the code. The inadvertent lowering of security with a mandatory patch was very bad, as was the sniping at your customers in the blog comments. Growing pains all around.

I'm not a Rails user, but I'm hoping they weather this storm well. I'd like projects like Rails to succeed and make inroads into the big guys' markets.


Add a comment:

Ignore this:
not displayed and no spam.
Leave this empty:
not searched.
Name and either email or www are required.
Don't put anything here:
Leave this empty:
URLs auto-link and some tags are allowed: <a><b><i><p><br><pre>.