[Pdx-pm] Ruby on Rails exploit

Nathan Williams nathan at nathanewilliams.com
Wed Jan 9 12:02:13 PST 2013


I side with this perspective as well; overall, I tend to have a negative 
reaction to the "frameworks", as their use requires relying on someone 
else's determination concerning 'best practice'.

On the flip side, I see some advantage to communities using common 
components and working together to enhance them, whether that be 
security issues or new features... It's definitely something to give 
thorough consideration to before launching a project.

For most of the folks who settle on the frameworks, I think the motives 
tend to center around using a common code base that developers are 
familiar with (most developers these days tend to change projects every 
year or so), and the ability to get running quickly, where most of the 
scaffolding is done for you, and your team can immediately get to work 
on the bits that make your project unique.

These are understandable motivations, but I think a lot of folks get 
caught by the consequences down the road when things go off the tracks 
and no-one knows why.

Node.js is a whole different beast, and I decline to comment on the 
intelligence of giving frontend engineers control over server-side 
processes.

-- Nathan W

On 01/09/2013 03:02 AM, Ronald Chmara wrote:
> There is raw code. That's usually C. Then there are macro 
> pseudo-language extensions, like C++ and Java, built upon that code. 
> On top of that, there are scripting things, like Perl, PHP, Python, 
> Ruby, etc. Stacked on top of that are things like "frameworks" and 
> "MVC" and other useless crap like Rails and Node.js, which are to 
> programming like an "oil-change technician" is to an "internal 
> combustion engine engineer".
>
> </rant>
>
> -Bop
>
>
> On Tue, Jan 8, 2013 at 8:58 PM, Keith Lofstrom <keithl at gate.kl-ic.com> wrote:
>
>     Via my ISP:
>
>     http://arstechnica.com/security/2013/01/extremely-crtical-ruby-on-rails-bug-threatens-more-than-200000-sites/
>     https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
>
>     I don't run Rails, but a lot of sites do.  I wonder if my bank does?
>
>     Keith
>
>     --
>     Keith Lofstrom keithl at keithl.com
>     Voice (503)-520-1993
>     _______________________________________________
>     Pdx-pm-list mailing list
>     Pdx-pm-list at pm.org <mailto:Pdx-pm-list at pm.org>
>     http://mail.pm.org/mailman/listinfo/pdx-pm-list
