

Rails - Security Problem with authenticate_with_http_digest - oscardelben
http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest

======
jrockway
I agree that it is sad how the Rails "team" handled this.

I have always felt that security issues should be treated like any other
defect. It makes me sad that the Rails community tries to obscure its security
problems and "shoot the messenger". The guy that reported the bug is _trying
to help you_ and _trying to help the community_. Getting mad at him isn't
going to make the bug go away, it's just going to make you look like a
childish moron. (Everyone writes buggy code; get over it.)

(The "we don't want hackers to know" argument is often repeated, but
completely meaningless. If the security hole is worth exploiting, the black-
hats found it a long time ago. Pretending that this one bug is somehow
different so it should be treated specially is delusional. Deluding yourself
can feel good, but it doesn't yield good software.)

Anyway, the advantage of full disclosure is that users can take mitigating
actions before there is an official response. Sometimes taking your app down
is better than waiting for some "core team" to make an "official fix". Letting
the users know also lets one of the users contribute a fix -- which is the
whole point of free software. "Many eyes" and all that.

Finally, if you are using un-audited code for important parts of your
infrastructure, you get what you deserve. The Rails team is not to blame; you
are.

------
tialys
So much nerd rage and finger pointing in the comments there... really makes me
dislike being a Rails developer. I love RoR, but sometimes I really feel like
the 'community' is just awful...

