Can anyone explain why boosterism gets upvoted so much on these RoR vuln posts?
RoR maintainers should be commended for their ongoing prompt responses to defects, but the likelihood ...that there will be a lot of these things [still to be] found... is not something to celebrate.
Every project has bugs, every framework has its security problems, but the severity and frequency of the issues is such that many will conclude that RoR is not mature, stable or safe enough for production use.
I can only conclude that a large proportion of HN readers have most of their eggs in the RoR basket, so spinning this into a positive is the best way to convince themselves that "..more work for admins and devs.." is a GOOD thing.
> Can anyone explain why boosterism gets upvoted so much on these RoR vuln posts?
I don't have an answer for that. Not to discount the work people do, but it feels weird to celebrate the existence of severe vulnerabilities because of the effort that goes into patching them. Perhaps the point is that the framework becomes more secure and vetted, but that's not something that can really be measured in that way, and a lot of observers will view the existence of so many high-profile vulnerabilities as a sign of poor design decisions.
I'd be doing the same thing if there was an announcement about Khronos fixing the perennial retardation of the OpenGL API, or of a new batch of bugfixes for some of the Java stuff I used to use, or whatever else--I'd support them all the same.
Anything that helps encourage people to be open about their work and honest in their failings in our industry is, in my book anyways, a Good Thing.
Don't be hating on Ruby folks for trying to encourage good development practices.
From a triage point of view, Ruby/RoR is excellent. I'm not trying to hate on Ruby people - the community is amazing and the inherent openness and transparency is to be lauded.
That's not my issue though. The project's reputation is fiercely protected by its community - and I wonder at what point this could be damaging. To borrow some terminology, they're not `user-space` bugs like the majority of PHP security flaws (for example). They're bugs in the firmament.
Talking to penetration testers, you often hear this story: if it's .NET, you're going to have a hard time; if it's PHP, you can count on the developer leaving an injection flaw of varying exploitability; if it's RoR, you can count on an out-of-date package with a critical flaw that bypasses the app entirely. (btw: I'm primarily a Python/Django person - I won't comment on that!)
This is a classic concern troll. If you're not interested in RoR, don't click on threads about RoR. If you do, don't come in and tell people to stop thanking people for their hard work to fix security issues.
> Talking to penetration testers, you often hear this story: if it's .NET, you're going to have a hard time; if it's PHP, you can count on the developer leaving an injection flaw of varying exploitability; if it's RoR, you can count on an out-of-date package with a critical flaw that bypasses the app entirely.
Do any real life pentesters here on HN concur with this summary?
I posit that the opinion that Rails is a framework in shambles that is good for nothing greater than a contact form far outweighs many others on HN, which is why there is a relativisation.
These discussions are usually filled with snark and people feeling righteous in their own framework choices, smiling and generalizing about the entire Ruby community. So there's a chasm between people saying "your framework sucks and you should feel bad" and people saying "ok this is actually a good thing".
Because the PR machine for Rails is big, and people are slow to admit they sometimes back the wrong horse.
Yes - well done devs for the quick turnaround in fixes.
No - constant sticky plaster patch fixes are not the same as proper design, security concerns, software engineering.
Less magic, and more security thought would be good!