undefined | Better HN

0 pointsericb14y ago0 comments

He's being an asshole. On the other hand, if the defaults in Rails lead even strong Rails developers into making mistakes, perhaps it is time for Rails to develop an "opinion" about this.

I hope the asshole messenger doesn't obscure the importance of the message because people often push back harder against a message when it is delivered in an obnoxious manner by an obnoxious person.

0 comments

thibaut_barrere14y ago

My thoughts exactly: the "asshole" is 18. People should give him a break already, and consider we're lucky he's getting the word out.

judofyr14y ago

I think it's perfectly fine to not "give him a break." How else is he going to learn manners?

thibaut_barrere14y ago

How else? By showing him how to securely disclose similar issues, for example.

Having the whole internet bashing him isn't good for anyone.

I'm for one very glad he kept pushing it out (but didn't do any real harm). This kind of vulnerability is just so common in Rails apps: I'd like to see safer defaults.

skMed14y ago

I agree the message is the most important part of this despite the immature way he exposed this GitHub security issue.

Rails can certainly adopt an 'opinion' regarding this issue, but if I think if we were to take a look around at heavy web frameworks today, we would see a very similar approach of "let the developer decide" when dealing with Model security and serialization of fields.

These framework devs have no idea how people are going to use their models, so forcing them to whitelist everything by default may cause unnecessary headaches. Instead, they provide tools to prevent this exploit from happening should devs expose the model.

ericbOP14y ago

> if I think if we were to take a look around at heavy web frameworks today, we would see a very similar approach of "let the developer decide" when dealing with Model security and serialization of fields

What everyone else is doing isn't a great justification--if decisions in Rails were based on what everyone else was doing, it would have been written in Java. In terms of Rails opinions, sensible defaults would be one that would suggest this should be rethought. In terms of rewrite-work, the Rails team didn't shy away from that with Rails 3, but I think the cross site scripting protection was worth the work. And even if the default is changed, nothing stops it from being a single line of code to turn it off.

j / k navigate · click thread line to collapse

0 comments

thibaut_barrere14y ago

My thoughts exactly: the "asshole" is 18. People should give him a break already, and consider we're lucky he's getting the word out.

judofyr14y ago

I think it's perfectly fine to not "give him a break." How else is he going to learn manners?

thibaut_barrere14y ago

How else? By showing him how to securely disclose similar issues, for example.

Having the whole internet bashing him isn't good for anyone.

I'm for one very glad he kept pushing it out (but didn't do any real harm). This kind of vulnerability is just so common in Rails apps: I'd like to see safer defaults.

skMed14y ago

I agree the message is the most important part of this despite the immature way he exposed this GitHub security issue.

ericbOP14y ago

j / k navigate · click thread line to collapse