Another day, another Ruby security bump. Sigh. Serious point - as Ruby seems to attract all the younger generation of programmers these days, and the current trend seems to be dev early, release early, security hole early, could this be turned around by more experienced hands joining the community?

Could the Ruby way become a bit safer and more secure in time?




You know, I'm grateful for all the CVE's lately. Every CVE means another attack vector that the good guys found, and I'm now protected against.

Evaluating the security of a framework is difficult, because not all frameworks receive the same level of scrutiny. I'm considering this Ruby's "Microsoft moment". We're at a period of time where a lot of people are scrutinizing popular Ruby projects like Rails and Rack. I'm hoping that the outcome of this will be:

* Many security vulnerabilities are found and patched

* More Ruby developers will consider security first, because that's what's in the news

Maybe I'm just a little pollyanna in the brain, but there's good work being done in Ruby right now.


Sigh, another day, another post from you bashing the "ruby community". You got your message across - ruby sucks, you're migrating to php, good for you! I've read like 15 posts from you saying the exact same thing. Please, enough already!


You mean Rails and not Ruby.


I think he means ruby.

I'd agree that, in the ruby community in general, or at least the English-speaking ruby community, general cultural values seem to be "dev early, release early, security hole early". Valuing innovation and release-often over stability/reliability. There are certainly some projects/developers that go against this cultural norm, but we are certainly not the first to recognize it as a general cultural norm in rubydom (and it's got benefits as well as disadvantages).


Yes, given we have seen issues in Core Ruby libraries (only recently updating the CSV lib), in Rails, in Ruby Gems, in Rack, it seems to pervade the Ruby Community.

Secure is not cool, nor magic enough, it seems.


I'm going against my better judgement in trying to critically engage you, but what's your background? Are you a security researcher? Have you audited Django? Have you read the Python source code? Why do you think a given language community is going to be more secure than another? Is security one of the tenets of Python?


Rack is not Rails.
