by tomkin 4822 days ago
Do you know how many Rails developers I've heard pissing on Flash or Java and its security vulnerabilities? Many - until recently. Now suddenly these faults are an accepted aspect of Rails development. Really. I guess this is more of a rant about how unfair the Rails community (i.e. dhh) has been to others, but now expects critics to look away while it happens in the Rails community on a weekly basis.

I'm guessing this schadenfreude must be delicious, since everyone keeps coming back for additional helpings.

Look, gloating over other people's security issues is shitty behavior, and frankly responsible developers don't do it. Am I calling DHH an irresponsible developer? Yeah. But the Rails core team has thankfully incorporated a number of smart and responsible developers over the past 4 years, and you see a whole lot less shit like that.

Even better, security issues that have languished silently since 2006 are being identified and quickly addressed.

So, no, nobody is asking anybody to look the other way. There are developers who have been in the Ruby and Rails community for a long time, who make no aspirations to being "rockstars" and are out spending their nights and weekends patching rails, and are not slagging other people off for using Java.

Think of them when you feel the inclination to rant.

(also, incidentally, most of the ranting about Flash and Java development has not focused on security issues; it has mainly focused on how awful it is to use those platforms to do development. Which is why things like JRuby are so wonderful. You get to develop in Ruby, and access the JVM's system of libraries.)

I agree with most of what you said, but you accuse me of not thinking of the RoR developer community, which is false. My issue lies with extremely critical community leaders suddenly disappearing into the shadows. If you beat others up, expect the same, is all. I don't relish the idea of picking apart the community's hard work, but I do expect some fairness in the dialog.

The security problems of Flash and Java are not comparable to those of Rails. They're different in magnitude, different in number, and different in circumstance and origin.

I strongly agree with 'knowtheory that gloating about security vulnerabilities is a bad habit. But this Rails/Java comparison is even worse. Nobody personalizes Java insecurity. The Java applet plugin is a mess, responsible for a huge number of compromised desktops, but nobody I know would assume that a developer who worked in Java or on the JVM would be security-illiterate. That's not true of the Rails drama, which is really an opportunity for people to piss on DHH and his personality cult, as you can see in this subthread with 'static_typed's comment.

Rails became worse than the frameworks and ecosystems it laughed at in its younger days.

Remember - Rails is Omakase - meaning literally 'leave it to someone else' - food for thought indeed.

Your point (trolling really) doesn't make any sense (and really the Omakase thing never made sense to begin with).

The core value proposition for Rails has always been it incorporates enough of all of the things you need to get a web app up and running quickly, easily, and with sufficient power that your app can continue to grow into the future.

That's what DHH's original blog post screen cast was about certainly. wycats and carllerche's contributions to Rails after the Rails/Merb merge have focused both on better code discipline and ease/simplicity of use for everyone, from beginners to advanced devs.

On top of that the Rails security team has been totally on top of these disclosures and releasing patches that address them. Prominent members of the Rails community have been extraordinarily vocal in advocating that EVERYONE needs to upgrade their apps.

So, please, tell me again how Rails leaves things to others.

P.S. if you really want à la carte, use Sinatra, or Padrino.

P.P.S. Ah, if you look at the actual meaning of omakase (http://en.wikipedia.org/wiki/Omakase), it basically means devs entrust the defaults to the Rails team, which is basically how things actually work w/ Rails.

I don't think I would take things so far as to say that the Rails project has been a model for how to handle security problems.
Yep, sorry if I gave that impression.

All I mean to say is that the implication that the Rails community has been particularly lax over security issues is simply false.

Is there room for improvement? Yeah, probably so.