Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The response to this makes me feel that HackerNews is now populated by a bunch of pretenders. This "bug" has been in Rails since Day 1, and any remotely experienced Rails developer is aware of this functionality. You can argue for a different default, but it's not a bug.

Github did have a bug and noone knowledgeable about Rails appears to have made even a cursory inspection of the security of their controllers - which is where attribute protection actually belongs, since different controllers and different users change different attributes. Protected attributes is a blunt tool for simple situations, which is why it's not enabled by default. Github had a pretty terrible bug, discovered, and fixed it. They may not have handled it perfectly, but the certainly don't deserve this sort of mon hatred - any competitor you go to is likely to have security flaws as well, perhaps more severe and subtle.

@homako didn't just expose the bug in github, he exploited it to make an unauthorized commit to Rails master. His account most certainly should have been at least temporarily suspended as GitHub had no idea what else he might do to prove his point.

So basically, most of the comments here are glaringly wrong or ignorant bandwagoning, and it makes me wonder about the accuracy of information here about topics I'm less familiar with. A sad day when you realize all this intelligent discussion you thought you'd been reading about new topics was probably just grandstanding by eloquent fools.



> Github did have a bug and noone knowledgeable about Rails appears to have made even a cursory inspection of the security of their controllers > Github had a pretty terrible bug > but the certainly don't deserve this sort of mon hatred

For all the free fun you can have on github, they are in the business of selling private repositories. What could possibly have been worse than someone finding a bunch of bugs in a matter of days just to prove a point about Rails?


What could possibly be worse? Anything actually malicious or greedy.

For all that GitHub has given to the developer community, an innocent mistake even of this proportion of incompetence is still should not evoke such hatred. And those upset about someone's account being suspended who was actively misusing security holes - well, maybe you should use a provider who looks positively upon reporting security holes by vandalizing customer data. And they suspended his account for only a few hours! Unreasonable? Hate inspiring? Outrageous? I think not.

And by the way, the fact the "issue" of the default had been reported 4 days earlier in a github issue tracker for Rails (which is certainly not followed, let alone on weekends, by github employees) does not in any way impact whether GitHub should have been aware of this vulnerability, and to suggest so is intellectually dishonest.


Normally I respond negatively to this type of post, but you've captured my feelings perfectly. The facts here are nothing that should be blown so far out of proportion. I can't help but detect a hint of schadenfreude at the idea that Rails core or Github are not infallible.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: