[bradleyland]

Another option is to fork Rails and use the patch files (included with the CVE) that target only the vulnerabilities addressed in the CVE.

The problem with upgrading to mitigate security issues is that the Rails team does not release security patches. They bump the minor-minor and do a release. That release almost always includes commits that are unrelated to the security issue. This is especially true when a lot of time passes between CVEs.

Maintaining your own branch really isn't that difficult, because you can simply merge in from upstream. In most cases, you're really only interested in patching from Rails team issued security fixes, so you won't have conflicts. If you do have conflicts, you can safely overwrite anything in your fork, because you're not developing Rails, you're simply maintaining tighter control over the release that you use.

[kasparloog]

Well - that's enough work to maintain your own app. Maintainging a fork of Rails and drilling through all of the vulnerabilities - that's an extra overhead. It's simpler to regression test your own app, I suppose.

[bradleyland]

I disagree that it's simpler to regression test your own app. The recent minor-minor version upgrade passed Rails core tests, as well as test suites at high profile Rails users, yet it contained a regression that caused the disclosure of some sensitive issues at those same high profile shops.

It's easier, from my viewpoint, to stick it out at a release that you know works for you, applying patches from the files contained in the CVEs. There's still a chance that the security patch will cause a regression, but at least you're not pulling in all the interim commits.

[locofacetwice]

Or don't use Rails.

[myke_cameron]

No matter your stack, you are occasionally going to have to deal with security vulnerabilities. Thankfully, rails at least is quick to issue releases which address security vulnerabilities. Back when I was working on java applets, I remember security issues in Java plugins which would persist for weeks, months, or even years.

[tptacek]

Or Linux, or MySQL.

[bradleyland]

Or Postgres.

[tptacek]

My subtext isn't very clear: there are other projects that haven't totally mastered handling vulnerabilities, but few people will fault you for using them. Rails is different because it has a personality cult, which makes it easy to personalize an issue that is a dry inconvenience for other popular packages.

I'm not sure I'd put Postgres alongside Linux and Rails in terms of handling security issues.

[static_typed]

^^ This is good advice. Maybe they should question their choice of platform - there are other options, some of which seem to have had a bit more forethought in their architecture and engineering.

Remember: Ruby/Rails to pose, Python for pros.

[sbank]

> Remember: Ruby/Rails to pose, Python for pros.

How mature.

[stephenhuey]

...and whitespacephiles. :)