I had attempted to keep the drama and subjective language out of my post and communication about this.
I think the developers working on Rails, including you, Koz :) do a killer job at making the best development framework we got. I am very grateful for your work.
But I feel you and the other members that were notified of this were the ones who acted irresponsibly - to use your words in your other communication I now have from you.
I began this over a week ago (May 26 to be exact) with a report, tests, and a fix for the problem to the security list, which is the official channel that has been provided to us.
I felt that this was a large enough deal that I wrote another core member (Core Member A) (I'm leaving names out of this) the next day (May 27) because I had heard nothing. I alerted him that I had not heard from the security list. I received no response again in 24 hours.
So I emailed a third time the security list as well as the core member from May 27 as well as another core member (Core Member B) on May 28 with
"Hey guys, just trying one more time before I make this a more public issue. This seems like a MAJOR deal. "
I also included a working example just to make it easier to see in 2 seconds something was wrong.
I finally got a response from Core Member A on May 28 that this would be looked into over the weekend.
I felt it was a poor decision to take days before someone even "looks into it", days after you've been notified about a security problem. But I kept my lips sealed and hoped for the best, and now it's over a week later and I felt it was now irresponsible on my part for letting this go this long.
No one seemed to actually be taking this seriously, and this appeared to be a serious problem. And already a public one.
Here's a guy complaining about what might appear to be the same thing:
http://osdir.com/ml/RubyonRailsTalk/2009-04/msg01035.html
Back in April.
People needed a fix and the knowledge that something was wrong ASAP.
I apologize for not being a security flaw reporting expert, but I have seen that other responsible security flaw reporters have given anywhere from 24 hours to a week of time to a vendor or open source core to fix a vulnerability before publicly releasing.
I gave you guys that, and even told you my 3rd email would be my last attempt at getting your help with this. And like I said, this looks like it was already knowledge in the public domain, I just provided a fix and made people aware they might be getting their ass kicked while I try and try and try without effect at getting a new point release or announcement mention from anyone in Rails core.
There is also a tangential issue. One of the core members (Core Member B) I've emailed about this, I've also emailed privately a couple times about a security flaw in their applications (I've received 2 responses about looking into it, but no action has been taken to fix the problem). The behavior in that case made me feel that there was a trend in the Core team that enough attention is not being paid to security problems.
This behavior from the core team led me to think that the responsible thing was to take this to the next level. And since the next level is to tell some more people, you better tell as many people as possible so that we can all protect ourselves.
As I've mentioned publicly and privately to you so far, all that it would have taken to prevent this difficulty would be a single reply to the email you received saying "just checking that you're working on this". That would have highlighted the fact that Pratik forgot to tell you what was going on.
Instead we find ourselves here. I'm sorry that you feel so let down by the process, and I realise that you feel you've followed the right process. But fundamentally you've assumed malice where there was in fact a simple error. Had you taken a few minutes to check before doing this, we'd all have been better off.
Having said all that, we obviously need a more clearly documented "what to do when you don't get a reply" policy. We also need to move the email.
But fundamentally you've assumed malice where there was in fact a simple error.
No, he assumed incompetence, which you seem to be intent on proving by continuing to attack him and give this non-apology apology.
Had you taken a few minutes to check before doing this, we'd all have been better off.
Or you could've resolved this a week ago had you had a more mature process. The guy laid out the issue, presented a fix, and e-mailed you and the rest of the Core Team several times. How many more "few minutes" does he need to take before it stops being his fault in your opinion?
Stop attacking the guy, it's really poor form. Just admit you guys screwed up and move on.
Yup - I'm amazed. The Rails community has gotten some flack for this kind of issue before, but rather than listen to the criticism and learn from it, they make the same mistake over and over.
It's as if they feel that Rails is a direct product of their personalities, and that because Rails is so successful, anything they do is vindicated by that success. That's just the wrong approach.