On 9/22/05, Eric Hodel <drbrain / segment7.net> wrote:
> There's plenty of discussion on ruby-dev, see [ruby-dev:27251].  But
> since it is Japanese, you may not be able to read it.  Similarly, Guy
> won't have much use of an English description of the vulnerability.

The point is not whether or not *I* can figure out what the root cause
of the vulnerability is, but rather the issue of including more
detailed information in vulnerability advisories. There are consumers
of the information in vulnerability advisories that do not necessarily
have the time or knowledge to decode root causes from diffs nor do
they know about all the developer mailing lists for every piece of
software, but if they have the information it yields benefits for a
broad audience. Often it is not too difficult for the person issuing
the security advisory to include more detailed information. This is my
only point, and I was just trying to bring it up as something to think
about for *future* advisories.

> Please don't call people names, you're just being rude.

Guy was being intentionally short in answer (rude), with the standard
"read the source" answer to a question that is not answered by reading
the source. I was attempting to make a light-hearted, rhetorical point
to that end. I love Ruby, use it often, and have been doing security
research and development for over a decade. I was simply *suggesting*
that the Ruby community provide more detail in vulnerability reports.

Dom